Rudolf Deilmann <rudolf.deilmann@xxxxxxxxx> wrote:

> ok - a second try. Hopefully, my mail comes through this time and you
> don't get it twice.

Got it once. Mail me plenty, that's ok :-)

> It works even without building your own kernel.

True, to some extent. I prepared a usb-stick the way you told me. So far the standard Kubuntu kernel and its initrd can boot the (unencrypted) machine from that usb-stick. It took a while until I remembered your explanations when I addressed this keymap issue in connection with Kubuntu 7.04 ...

However, there is one thing popping up: size of the initrd! How large is the initrd you built? Doing it the hard way as I did, I got a tiny 2.6 kb initrd - just as it is supposed to be. Consider, I rebuilt the kernel to include ext3, usb{core,storage}, sata and the like. Isn't it true that your initrd has to include all these modules and so will end up being several megabytes large? I just ask, because my kernel-recompiling shows disadvantages in connection with proprietary drivers (nvidia) and of course I can't update my kernel with the SuSE updater / ubuntu's adept.

> Of course: http://mail.nl.linux.org/linux-crypto/2007-06/msg00015.html;
> but I never heard of any problems with own-build modules and
> Ubuntu,....
>
> 1) loop-aes installation
>
> $ rmmod loop
> $ apt-get install loop-aes-utils
> # loop-aes-utils are in the universe-section
> $ cd /PATH/TO/LOOP_AES_SOURCE
> $ make LINUX_SOURCE=/lib/modules/KERNEL_VERSION/build/
> # KEYSCRUB=y EXTRA_CIPHERS=y
> The loop-AES modules are installed to /lib/modules/KERNEL_VERSION/extras/.
> Create a new directory /lib/modules/KERNEL_VERSION/updates (if it doesn't
> exist) and move the loop modules to it. After that execute 'depmod'.
>
> Type 'modinfo loop'. The first line of the output should show something
> like this:
> ---
> filename: /lib/modules/KERNEL_VERSION/updates/loop.ko
> ---
> and not:
> ---
> filename: /lib/modules/KERNEL_VERSION/kernel/drivers/block/loop.ko
> ---
> (this is your old loop-module, you don't want to use any longer)
>
> Check, if the installation succeeded:
> $ make tests
> $ # make tests EXTRA_CIPHERS=y
>
> Some versions of ubuntu (dapper, but not 7.10) even ship with
> loop-aes-source. You can simply install it with 'module-assistant'.
>
> If you want to compile your own kernel, you can use the original
> config-file of Ubuntu and just change these values:
> CONFIG_BLK_DEV_LOOP=n
> CONFIG_BLK_DEV_CRYPTOLOOP=n
> CONFIG_DEBUG_INFO=n
>
> Other changes are not necessary, if you use initramfs-tools instead of
> build-initrd.sh. The initramfs-tools are more powerful and flexible,
> easier to use, and installed by default.
> You won't have any problem with wrong keymap - it seems to be done
> automatically in the right way by the initramfs-tools (according to your
> system settings). (At least, I don't remember that I've changed any
> further configuration file regarding this issue after the first
> installation of Ubuntu. I can use german umlauts and euro/ms-signs as
> part of my passphrase without any problems.) And it doesn't matter,
> if /dev/sdb or /dev/sdc is your usb-stick. You can simply copy any
> files, that are needed to set up your encrypted root device during
> system startup, to the initial ramdisk. The boot loader loads the
> kernel program and the content of your initial ramdisk into memory.
>
> You just need to edit/create 3 small scripts/configuration files, to
> use root-encryption with loop-aes.
>
> (I assume, that /dev/sda6 is your [up to now unencrypted] root
> partition and /dev/loop6 will be your root partition according to
> fstab. /dev/sdg is your usb-stick and /etc/keys/root.gpg is your
> symmetric(!) encrypted gpg-keyfile for the root-partition.)
>
> a) /etc/initramfs-tools/scripts/local-top/loopcrypt
> ( This script will be executed at each boot process, before the
> root-partition is mounted. The purpose of the script is to load the
> loop module(s) in the kernel and set up your encrypted loop-device. )
> ---
> #!/bin/sh
>
> PREREQ="udev"
> HD="/dev/sda6"
>
> prereqs()
> {
>     echo "$PREREQ"
> }
>
> case "$1" in
> prereqs)
>     prereqs
>     exit 0
>     ;;
> esac
>
> echo "Waiting for crypted root device..."
>
> # wait up to 180 s (1800 x 0.1 s) for the root partition's device node
> slumber=1800
> while [ ${slumber} -gt 0 -a ! -e "$HD" ]; do
>     /bin/sleep 0.1
>     slumber=$(( ${slumber} - 1 ))
> done
>
> # retry losetup until the passphrase for /root.gpg was entered correctly
> TEST=1
> while [ 0 != $TEST ] ; do
>     losetup -e AES256 -K /root.gpg -G / /dev/loop6 "$HD"
>     # or losetup -e SERPENT128 -K /root.gpg -G / /dev/loop0 "$HD"
>     # or whatever
>     TEST=$?
> done
> ---
>
> b) /etc/initramfs-tools/modules
> ---
> # List of modules that you want to include in your initramfs.
> #
> # Syntax: module_name [args ...]
> loop
> #loop_blowfish
> #loop_serpent
> #loop_twofish
> #perhaps, you need more modules. for example, the following modules
> #are necessary, if you want higher resolution during system start:
> #fbcon
> #vesafb
> ---

This means I have to list all modules here which I would otherwise build into the kernel to make it work? I remember there was an issue with the initrd to be small in size as its space in memory cannot be freed.

> c) /etc/initramfs-tools/hooks/hloopcrypt
> ( This script will be executed during each creation of an initial
> ramdisk. Its purpose is to create the necessary folders, and copy the
> programs and files, that are needed at the beginning of the boot
> process, to the initial ramdisk. )
> ---
> #!/bin/sh -e
>
> . /usr/share/initramfs-tools/hook-functions
>
> mkdir -p ${DESTDIR}/sbin
> mkdir -p ${DESTDIR}/usr/bin
>
> cp -p /etc/keys/root.gpg ${DESTDIR}/
>
> copy_exec /sbin/losetup /sbin
> copy_exec /usr/bin/gpg /usr/bin
> ---
>
> Now type 'update-initramfs -u'. This command creates a new initial
> ramdisk (with the new configuration files) and puts it
> to /boot/initrdXXX . Each time you've updated the initramfs-scripts or
> configuration files, changed the password of /etc/keys/root.gpg or
> installed a new version of the programs in your initial ramdisk, you
> have to execute this command again. If you want to know in detail,
> what's included in the initial ramdisk, you can unpack it with this
> command: 'cat /boot/initrdxxxx | gzip -d | cpio -i'

A bunch of modules is listed. The standard initrd with 7 MB is way too large.

> 2) bootable usb-stick:
>
> a) Prepare your USB-Stick (/dev/sdg)
> (all data on your stick will be lost!)
> $ dd if=/dev/zero of=/dev/sdg bs=8192 count=22
> $ mkdosfs /dev/sdg
> $ syslinux /dev/sdg
> USB-Sticks without partition table work best at most motherboards,...

From what do you know this? Do you have experience with a large number of motherboards or is there some kind of documentation for this?

> b) create the syslinux configuration file 'syslinux.cfg'
> --
> default linux
> label linux
> kernel vmlinuz
> append initrd=initrd root=/dev/loop6 quiet
> --
> /dev/loop6 must be your root-partition according to /etc/fstab!
>
> c) copy the files to your stick
> $ mount /dev/sdg /mnt/stick
> $ cp /boot/initrd.your.version /mnt/stick/initrd
> $ cp /boot/vmlinuz-your.version /mnt/stick/vmlinuz
> $ cp /path/to/syslinux.cfg /mnt/stick/syslinux.cfg
> $ sync
> $ umount /mnt/stick
>
> After you have edited your /etc/fstab, created a new
> initial ramdisk and a new boot medium (need to be done in one step,
> without rebooting), you can boot from live-cd and encrypt /dev/sda6.
> After that, you can boot your system with the usb-stick...
>
> That's all. You don't need to compile your own kernel, you don't need
> to statically link any program and you won't have any problems with
> your keymap ;)

That sounds just too fantastic! Actually SuSE fails to decrypt a gpg key in the terminal which was generated in the konsole when using special characters. Fortunately Kubuntu 7.10 64bit accomplished this task 1 minute ago! :-)

Kind regards
Peter

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
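Added example, not from this thread or from the loop-AES or initramfs-tools projects: a small Python inspector for the SVR4 "newc" cpio format that 'update-initramfs' writes, which answers the question raised above of what an initial ramdisk contains and how much of its size comes from kernel modules, without unpacking it on disk. The sample archive (paths, the 2.6.22 version string and the placeholder file contents) is constructed here and is not a real initrd.

```python
import gzip
from collections import defaultdict

# Added example (not from the thread): parse the SVR4 "newc" cpio format that
# initramfs-tools writes, to list what an initrd holds and how big each part is.
NEWC_MAGIC = b"070701"  # header = magic + 13 fields of 8 hex digits = 110 bytes
HEADER_LEN = 110

def _pad4(n):  # names and file data are aligned to 4-byte boundaries
    return (4 - n % 4) % 4

def parse_newc(data):
    """Return [(path, size), ...] for every entry before the TRAILER!!! record."""
    entries, pos = [], 0
    while pos + HEADER_LEN <= len(data):
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]  # namesize includes the NUL
        name = data[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        entries.append((name, filesize))
        pos += HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        pos += filesize + _pad4(filesize)
    return entries

def build_newc(files):
    """Write a newc archive from {path: bytes}; used here only to build the sample."""
    out = bytearray()
    for ino, (name, body) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        nm = name.encode() + b"\0"
        vals = (ino, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0)
        out += NEWC_MAGIC + b"".join(b"%08x" % v for v in vals)
        out += nm + b"\0" * _pad4(HEADER_LEN + len(nm)) + body + b"\0" * _pad4(len(body))
    return bytes(out)

def summarize(initrd_gz):
    """Bytes per top-level entry plus the kernel modules found in the initrd."""
    by_dir, modules = defaultdict(int), []
    for name, size in parse_newc(gzip.decompress(initrd_gz)):
        by_dir[name.split("/", 1)[0]] += size
        if name.endswith(".ko"):
            modules.append(name.rsplit("/", 1)[-1])
    return dict(by_dir), sorted(modules)

# Constructed sample mirroring the hook above (placeholder bytes, not real binaries).
SAMPLE = gzip.compress(build_newc({
    "root.gpg": b"\x8c" * 150, "sbin/losetup": b"L" * 4000, "usr/bin/gpg": b"G" * 9000,
    "lib/modules/2.6.22/updates/loop.ko": b"M" * 3000, "scripts/local-top/loopcrypt": b"#!/bin/sh\n"}))
```

Run 'summarize(open("/boot/initrd.img-...", "rb").read())' on a real gzip-compressed initrd to see which top-level directory (usually lib/modules) accounts for most of the 7 MB.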