On Sun, 20 Jan 2008 00:12:23 +0100, Peter_22@xxxxxx wrote:

> Then I would like to ask if it is a good idea to run "lsmod"
> on a fresh installation. This shows all loaded modules. When these
> are listed in /etc/initramfs-tools/modules wouldn't that result in a
> smaller initrd with little effort?

It should work. But I'm not convinced that this effort is necessary.
The post that you mention dates back several years. Possibly things
have changed....

> Some choices of .built-initrd.sh
> are missing. What about setting up loop-devices instead of
> partitions? The script can use a loop device with offset and size
> limit so that the partition table can be abandoned.

Yes, the scripts are normal shell scripts. You can modify them as you
like. Encrypt your key 'gpg -d /etc/keys/root.gpg >/tmp/upscript' and
edit it as follows:

---
PASSES='KdhS&J....YZeZFxtRTHm
T5wZL...ue1paoLJq0QD
Pa/4C.....GhqsDnDymP
sDnDy.....mP+80Mg1In
....................
qcb/n.....HfrvI5Wu34'

echo -e -n "$PASSES" | losetup -e AES256 -o @XXXXX -s XXXXX -p0 /dev/loop6 /dev/sda
----

encrypt it again:

$ gpg -c --cipher-algo AES256 --s2k-mode 3 --s2k-digest-algo SHA512 \
  --s2k-count 65011712 --compress-algo bzip2 -z 9 upscript
$ cp upscript.gpg /etc/keys/
$ chown root:root -R /etc/keys
$ chmod 400 /etc/keys/upscript.gpg

In this way you avoid storing the beginning and the end of your "root"
partition in cleartext on your stick (and which cipher is used, if all
modules are loaded before,...)

/etc/initramfs-tools/scripts/local-top/loopcrypt (changed)
---
#!/bin/bash
# bash instead of sh/dash!
PREREQ="udev"
HD="/dev/sda" # root partition

prereqs()
{
	echo "$PREREQ"
}

case "$1" in
prereqs)
	prereqs
	exit 0
	;;
esac

echo "Waiting for crypted root device..."
# poll for up to 180 s (1800 x 0.1 s) until the device node shows up
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "$HD" ]; do
	/bin/sleep 0.1
	slumber=$(( ${slumber} - 1 ))
done

TEST=1
while [ 0 != $TEST ] ; do
	echo "password:"
	read -s PASS
	# gpg can't read the passphrase itself ....
	PLAIN=$(cat "/upscript.gpg" | gpg --decrypt --no-tty --quiet \
		--passphrase-fd 8 8<<<"$PASS")
	PASS=''
	if [ ${#PLAIN} -ge 30 ]; then
		TEST=0
	else
		echo "try it again..."
	fi
done

oldIFS="$IFS"
IFS=$'\n'	# split on newlines only (bash syntax)
eval "$PLAIN"
IFS="$oldIFS"
---

/etc/initramfs-tools/hooks/hloopcrypt (changed)
---
#!/bin/sh -e
. /usr/share/initramfs-tools/hook-functions
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
mkdir -p ${DESTDIR}/bin
mkdir -p ${DESTDIR}/gnupg
mkdir -p ${DESTDIR}/.gnupg
cp -p /etc/keys/upscript.gpg ${DESTDIR}/
# gnupg prints error messages if these files aren't
# present,...
cp -p /usr/share/gnupg/options.skel ${DESTDIR}/gnupg
cp -p /usr/share/gnupg/options.skel ${DESTDIR}/.gnupg/gpg.conf
copy_exec /bin/bash /bin
copy_exec /sbin/losetup /sbin
copy_exec /usr/bin/gpg /usr/bin
---

Depending on your system settings, you need to change/create some
scripts in /etc/rcS.d (for your home partition, swap and tmp). And
you have to overwrite all data before, after and between(!) your
former "partitions" with random data.

> Apart from that one might wish to have more than 8 loops in some
> cases. (LOOPMODPARAMS="max_loop=16 lo_prealloc=125,5,200) Where could
> these points be accounted for?

You have to add the loop modules by hand in
/etc/initramfs-tools/scripts/local-top/loopcrypt (before the while/for
loop). First remove the modules 'rmmod loop_serpent',...,'rmmod loop',
and then add them again 'modprobe loop max_loop=16 lo_prealloc=125,5,200' ...

> Since loop-aes builds other cipher
> modules as well I'd be interested in setting up root encryption with
> 2 layers.
> One time aes and a second on top of the first with twofish
> or such. Would be nice to see the script for that and make a test.

I never tested it, because I don't think this is a good idea. But it
should work, too - just change your upscript:

--
PASSES1='qjUCOJ61w....YZeZFxtRTHm
T5wZL...ue1paoLJq0QD
Pa/4C.....GhqsDnDymP
sDnDy.....mP+80Mg1In
....................
qcb/n.....HfrvI5Wu34'
PASSES2='61w....asdf243
.....
'
# two independent keys!
echo -e -n "$PASSES1" | losetup -e AES256 -o @XXXXX -s XXXXX -p0 /dev/loop5 /dev/sda
echo -e -n "$PASSES2" | losetup -e TWOFISH256 -o @XXXXX -s XXXXX -p0 /dev/loop6 /dev/loop5
---

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
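The loopcrypt script in the mail above accepts whatever gpg printed as soon as it is at least 30 characters long, then evals it. As an added example that is not part of the mail, the POSIX sh check below tests a decrypted upscript against the shape the mail describes (PASSESn='...' assignments plus losetup pipelines) before the eval; the marker line "# loopcrypt-upscript v1", the function names and the sample offsets are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original mail: a shape check for the
# decrypted upscript. The marker "# loopcrypt-upscript v1" is a constructed
# convention that you would put as the first line of your own upscript.

# validate_upscript reads the decrypted text on stdin and returns 0 only if
#   - the first line is the marker, and
#   - every other non-blank, non-comment line is a PASSESn='...' assignment
#     (single-quoted, possibly spanning several lines) or an
#     echo -e -n "$PASSESn" | losetup -e ... pipeline.
# It is a shape check, not a shell parser: it catches truncated or garbled
# plaintext and stray commands, which a bare length test does not.
validate_upscript() {
    first=1
    inquote=0
    while IFS= read -r line; do
        if [ "$first" = 1 ]; then
            first=0
            [ "$line" = "# loopcrypt-upscript v1" ] || return 1
            continue
        fi
        if [ "$inquote" = 1 ]; then
            # inside a multi-line passphrase value: only the closing quote matters
            case "$line" in *\') inquote=0 ;; esac
            continue
        fi
        case "$line" in
            ''|'#'*) ;;                        # blank line or comment
            PASSES*=\') inquote=1 ;;           # value starts on the next line
            PASSES*=\'*\') ;;                  # one-line assignment
            PASSES*=\'*) inquote=1 ;;          # value continues on later lines
            'echo -e -n "$PASSES'*'" | losetup -e '*) ;;  # the only command allowed
            *) return 1 ;;
        esac
    done
    # reject empty input and an unterminated passphrase value
    [ "$first" = 0 ] && [ "$inquote" = 0 ]
}

# run_upscript: the eval step from loopcrypt, guarded by the validator.
run_upscript() {
    printf '%s\n' "$1" | validate_upscript || {
        echo "upscript rejected, not executing it" >&2
        return 1
    }
    eval "$1"
}
```

In loopcrypt this would replace the `${#PLAIN} -ge 30` test: loop back to the password prompt unless `printf '%s\n' "$PLAIN" | validate_upscript` succeeds.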