Using the Opal SED built-in encryption is really orthogonal to dm-crypt. You could use both at the same time if you were really paranoid though. You need a partitioned bootable disk image with MBR bootcode and a bootloader to load into the SED with "msed --loadPBAimage". That image must be smaller than about 7MB, or certain SEDs (mainly Crucial) won't load the image successfully. If dracut can make such an image, I suppose it could be used. However, I think the default Fedora kernel image alone (not including kernel modules) is already too big by itself for this to be possible.

On Sun, Jul 26, 2015 at 11:20:04AM -0400, Subhendu Ghosh wrote:
> Adding Harald to thread.
>
> Seems to be nominally related to boot path with deo and dm-crypt.
>
> Adding to Dracut might be preferable to creating a separate PBA
>
> Subhendu
>
> On Jul 23, 2015 10:20 AM, "Chuck Anderson" <cra@xxxxxxx> wrote:
> >
> > I originally sent this to the packaging list, but there was no response there so I'm posting to devel now.
> >
> > I've also opened a review request for the non-controversial packaging of the "msed" utilities. Would anyone care to do a review swap?
> >
> > Review Request: msed - Tools to manage the activation and use of self encrypting drives
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1245640
> >
> > Thanks.
> >
> > Date: Tue, 21 Jul 2015 18:48:27 -0400
> > From: Chuck Anderson <cra@xxxxxxx>
> > To: packaging@xxxxxxxxxxxxxxxxxxxxxxx
> > Subject: [Fedora-packaging] building an embedded Linux distro into a RPM package
> > Precedence: list
> > Reply-To: Discussion of RPM packaging standards and practices for Fedora <packaging@xxxxxxxxxxxxxxxxxxxxxxx>
> >
> > I would like to submit a new package that provides a Pre-Boot Authorization (PBA) image. The PBA is a "bootloader" of sorts that prompts the user for the passphrase to unlock a Self-Encrypting Drive (SED) using the TCG OPAL command set, and then either chainloads to the real OS or reboots to allow the BIOS to boot the real OS. The image gets installed to the OPAL SED as a sort of "shadow MBR/shadow disk image" using a special command "msed" (Manage Self-Encrypting Drive) that I also plan to submit a package for.
> >
> > In my case, I've developed a tiny embedded Linux-based PBA image [1] using Buildroot [2] and the MSED software [3]. The final image is a MBR-partitioned disk image with VFAT filesystem containing the specially built Linux kernel (vmlinuz), initramfs (rootfs.gz), and the installed syslinux bootloader.
> >
> > Before you ask, I can't use even a stripped-down Fedora image for this purpose, because it must be TINY and it only exists to run a single command (linuxpba), then reboot. My image is 4MB and could be made even smaller. See the reasoning in [1] for why it must be so small.
> >
> > [1] https://github.com/cranderson/buildroot-linuxpba
> > [2] http://buildroot.uclibc.org/
> > [3] http://www.r0m30.com/msed
> >
> > Now I know there are several challenges to using the Buildroot approach to building software for Fedora. Buildroot downloads software from the Internet, unpacks, patches, configures, and builds it. The build environment is built first, so gcc, uClibc, busybox, etc. and then the packages you want to include are built in that environment.
> >
> > What is the best approach I should use that is acceptable to Fedora?
> >
> > Would it be acceptable to bundle source packages, Buildroot itself, and my Buildroot configuration into one SRPM so everything is self-contained and can be built without requiring network connectivity? This means I would have to bundle the source code for gcc, the linux kernel, uClibc, busybox, etc.
> >
> > Or is there some way to pull in SRPM packages that already exist in Fedora, and use those as part of my build process so that I don't have to bundle all the source code? Additionally, I could make separate SRPM packages for Buildroot itself, any components needed (uClibc is already in the distro), the Buildroot build scripts for buildroot-linuxpba, and the actual package I need (msed).

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
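A pre-flight check for the image constraints the thread describes (an MBR boot signature, an active FAT partition for the bootloader to load from, and the roughly 7MB ceiling certain SEDs impose), as an added example that is not part of the thread or of msed; the toy sample image, the partition layout it uses and reading "about 7MB" as 7 MiB are assumptions:

```python
import struct

# Constraints taken from the thread: the PBA image is an MBR-partitioned disk
# with a VFAT partition holding kernel, initramfs and syslinux, and certain
# Opal SEDs refuse images larger than "about 7MB" (7 MiB is assumed here).
PBA_MAX_BYTES = 7 * 1024 * 1024
FAT_PARTITION_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}  # MBR FAT12/16/32 type ids
SECTOR = 512


def parse_mbr(image: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR image."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA at offset 510)")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def check_pba_image(image: bytes) -> list:
    """Return a list of problems; an empty list means the image passes the checks."""
    problems = []
    if len(image) > PBA_MAX_BYTES:
        problems.append(f"image is {len(image)} bytes, over the ~7MB limit")
    try:
        parts = parse_mbr(image)
    except ValueError as err:
        return problems + [str(err)]
    if not parts:
        problems.append("partition table is empty")
    elif not any(p["bootable"] and p["type"] in FAT_PARTITION_TYPES for p in parts):
        problems.append("no active FAT partition for the bootloader to load from")
    for p in parts:  # a partition that runs past the image end would be truncated on load
        end = (p["lba_start"] + p["sectors"]) * SECTOR
        if end > len(image):
            problems.append(f"partition {p['index']} ends at byte {end}, past the image end")
    return problems


def build_sample_image(size_bytes: int, bootable: bool = True) -> bytes:
    """Constructed toy image (not a real PBA): one FAT16 partition from LBA 1 to the end."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80 if bootable else 0x00, 0x06, 1, size_bytes // SECTOR - 1)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(size_bytes - SECTOR)
```

The check inspects only the partition table and size; it does not validate the VFAT contents or the bootcode, so it complements rather than replaces a test boot of the image.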