Hi, I've put together some patches for Debian which allow the network configuration in the initramfs to differ from the normal network config. I imagine it should work on other distros as well, but just how well depends on the construction of the initramfs and how that differs from Debian's approach. The underlying klibc patches are distro agnostic.

I'm looking for feedback, good and bad. Are there other distros which support this already? Is it dumb to bring interfaces down while still running the initramfs? (Root NFS mounts excepted! ;-)

Allowing the initramfs to have its own network configuration makes possible a variety of benefits to a network-unlocked crypted rootfs. The gateway address can be omitted so that the box can only be unlocked from the local LAN. The IP number can differ from that of the running system; since the initramfs is unencrypted, its ssh host keys may differ from the running system's, and having a different IP in the initramfs aids with host key management/checking. And I believe there are security benefits to putting the initramfs on an entirely separate network if there's a layer 3 switch involved to provide access control to the networked initramfs.

With the patches the initramfs can be configured to bring down the network interface brought up via the bootloader/kernel ip= command line arg -- after the crypted rootfs is unlocked and mounted. Because the interface is down, the usual (sysV/whatever) boot process can bring the network back up with a different configuration.
For further detail see the upstream klibc mailing list post archived at:
http://www.zytor.com/pipermail/klibc/2013-July/003430.html

For klibc patches see:
http://www.zytor.com/pipermail/klibc/2013-July/003432.html
or the "ipconfig_down" branch at github:
https://github.com/kpinc/klibc.git

For dropbear/initramfs-tools patches see Bug#715048:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715048

For documentation patches (cryptsetup) see Bug#715487:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715487
and the related Bug#714952:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714952

----------------------------------------

Testing involves 2 things: adding a script to an initramfs which brings the interface down at the right time, and getting an updated klibc ipconfig command into the initramfs.

I opted to manually install a statically linked ipconfig into the initramfs instead of, e.g., rebuilding the klibc packages with the patch applied. It probably makes more sense to apply the patches and rebuild all the .debs now that the patches are developed. The manual approach lets me stop and test along the way.

The approach I used to test (from memory):

Make sure you've access to some sort of console that gives you access to the boot sequence, or if you break things your system will be unavailable.

Remember: kernel source/headers must match the running kernel, which must match the kernel loaded by the bootloader. (Technically, the running kernel does not matter, but I use "uname -r" below.)

Start by following /usr/share/doc/cryptsetup/README.initramfs.gz and configuring your system to unlock the rootfs remotely with ssh. The patch to this readme in Bug#714952 might help. (Assuming you've not done this already.)

Get the latest klibc with git, apply the klibc patches and run make. A static ipconfig will be produced. You'll need the kernel-source package for your kernel and will need to follow the usr/klibc/README.klibc directions. (I used the "make help" way of designating the location of the kernel headers -- I couldn't get the symlink method to work.)

Manually extract the 2 initramfs-tools files from the Bug#715048 patch and install the files. Call them /etc/initramfs-tools/conf.d/dropbear and /etc/initramfs-tools/scripts/local-bottom/dropbear.

Edit /etc/initramfs-tools/conf.d/dropbear and configure it to bring down the network interface brought up by the kernel command line. (Documentation for this is in the Bug#715487 patch, although it should be obvious.)

Make a new initramfs containing the dropbear files, and place it in /tmp/:

    # update-initramfs -c -b /tmp -k $(uname -r)

Extract the initramfs:

    # mkdir /tmp/foo
    # cd /tmp/foo
    # gunzip -c /tmp/initrd.img-* \
        | cpio -i --no-absolute-filenames -H newc

Replace the ipconfig command in the old initramfs with the statically linked patched version of ipconfig:

    # cp -p /my/klibc/usr/kinit/ipconfig/static/ipconfig \
        /tmp/foo/bin/ipconfig
    # cd /tmp/foo
    # find . | cpio -o -H newc | gzip -c -9 > /boot/testinitrd

Make a bootloader entry. With grub you can:

Edit /etc/grub.d/40_custom, copying into it an entry from /boot/grub/grub.cfg. (Presumably this entry has an ip= kernel command line; modify it as desired.) Modify the initrd line to read:

    initrd /testinitrd

Modify the menuentry line as desired.

Edit /etc/default/grub and change GRUB_DEFAULT to boot your custom configuration. Remember this is 0 based.

Run update-grub and check that /boot/grub/grub.cfg looks right and that your GRUB_DEFAULT is right.

Reboot.

----------------------------------------

It wouldn't hurt to send the feedback through the Debian bug tracking system either. Although there's no single bug, this might help get the patches included in (or rejected by) Debian. (There's also the upstream klibc mailing list.)

Regards,

Karl <kop@xxxxxxxx>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
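The unpack / replace ipconfig / repack step in the post is done by hand with gunzip, cpio and gzip, and nothing checks afterwards that the patched binary and the two dropbear files actually ended up in the image before rebooting into it. The following is an added example, not Karl's code and not part of the klibc or initramfs-tools patches: a small pure-Python reader and writer for the "newc" cpio format (the `-H newc` the post uses) that performs the same replacement in one call and lists any expected members that are missing. It assumes the initramfs is a single gzip-compressed newc archive, as in the post; the sample archive, its member names (`bin/ipconfig`, `scripts/local-bottom/dropbear`, `conf/conf.d/dropbear`) and the placeholder file contents are constructed for the example.

```python
import gzip
import io

MAGIC = b"070701"   # "newc" (SVR4, no CRC) cpio magic, what `cpio -H newc` writes
HEADER_LEN = 110    # 6-byte magic + 13 fields of 8 ASCII hex digits
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
TRAILER = "TRAILER!!!"


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (newc aligns names and data)."""
    return (4 - n % 4) % 4


def pack_newc(members):
    """Build a newc archive from {path: bytes}. Only regular files (mode 0755) are
    emitted; that is enough to model the bin/ipconfig replacement."""
    out = io.BytesIO()
    entries = list(members.items()) + [(TRAILER, b"")]
    for ino, (name, data) in enumerate(entries, start=1):
        namez = name.encode() + b"\0"            # namesize counts the NUL
        hdr = dict.fromkeys(FIELDS, 0)
        hdr.update(ino=ino, mode=0 if name == TRAILER else 0o100755, nlink=1,
                   filesize=len(data), namesize=len(namez))
        out.write(MAGIC + b"".join(b"%08x" % hdr[f] for f in FIELDS))
        out.write(namez + b"\0" * _pad4(HEADER_LEN + len(namez)))
        out.write(data + b"\0" * _pad4(len(data)))
    return out.getvalue()


def unpack_newc(blob):
    """Parse a newc archive into {path: bytes}. A leading './' (what 'find . | cpio -o'
    produces) is stripped so both archive styles are addressed the same way."""
    members, pos = {}, 0
    while True:
        if blob[pos:pos + 6] != MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % pos)
        hdr = {f: int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
               for i, f in enumerate(FIELDS)}
        pos += HEADER_LEN
        name = blob[pos:pos + hdr["namesize"] - 1].decode()
        pos += hdr["namesize"] + _pad4(HEADER_LEN + hdr["namesize"])
        if name == TRAILER:
            return members
        data = blob[pos:pos + hdr["filesize"]]
        pos += hdr["filesize"] + _pad4(hdr["filesize"])
        members[name[2:] if name.startswith("./") else name] = data


def read_member(initrd_gz, path):
    """Return the bytes of one file inside a gzip'd initramfs."""
    return unpack_newc(gzip.decompress(initrd_gz))[path]


def replace_member(initrd_gz, path, new_data):
    """Return a new gzip'd initramfs with `path` replaced by `new_data`: the post's
    gunzip / cpio -i / cp / cpio -o / gzip -9 sequence in one call. Refuses to
    add a path that was not already there, so a typo cannot silently create a
    second ipconfig next to the stock one."""
    members = unpack_newc(gzip.decompress(initrd_gz))
    if path not in members:
        raise KeyError("%s is not in the initramfs; refusing to add a new file" % path)
    members[path] = new_data
    return gzip.compress(pack_newc(members), compresslevel=9)


def missing_members(initrd_gz, required):
    """List which expected paths are absent: a pre-reboot check that the dropbear
    hook, its config and the replaced ipconfig all made it into the image."""
    members = unpack_newc(gzip.decompress(initrd_gz))
    return [p for p in required if p not in members]


# Constructed sample standing in for /tmp/initrd.img-<version>; contents are placeholders.
SAMPLE_INITRD = gzip.compress(pack_newc({
    "bin/ipconfig": b"stock klibc ipconfig (placeholder bytes)",
    "scripts/local-bottom/dropbear": b"#!/bin/sh\n# brings the ip= interface down\n",
    "conf/conf.d/dropbear": b"# placeholder dropbear conf.d setting\n",
}))
PATCHED_IPCONFIG = b"patched static ipconfig (placeholder bytes)"
REQUIRED = ["bin/ipconfig", "scripts/local-bottom/dropbear", "conf/conf.d/dropbear"]

if __name__ == "__main__":
    new_initrd = replace_member(SAMPLE_INITRD, "bin/ipconfig", PATCHED_IPCONFIG)
    print("missing members:", missing_members(new_initrd, REQUIRED))
    print("bin/ipconfig now:", read_member(new_initrd, "bin/ipconfig"))
```

On a real image, read `/tmp/initrd.img-<version>` into `initrd_gz`, pass the bytes of the static ipconfig built from klibc as `new_data`, and write the result to `/boot/testinitrd`. Newer initramfs images can be a concatenation of an uncompressed microcode cpio followed by the compressed one; this reader does not handle that layout (nor does the plain `gunzip -c` in the post), so it would raise on the first header rather than produce a corrupt image.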