[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-hardened
Subject:    Re: [gentoo-hardened] Hardened Laptops / Talk is cheap
From:       "mike () flyn ! org" <mike () flyn ! org>
Date:       2003-08-25 6:11:22
[Download RAW message or body]

I agree with all of Ned's points, so here is a start...

Enclosed you should find an initrd build environment (I'm in Iraq and 
can't get to my webserver so I enclosed it in this email).  The initrd image
it creates will mount an encrypted root directory.  This is very rough
right now.  The process needs to be *automated* more.  The method of
providing a filesystem key needs to be more flexible.  It may not even
work for you without quite a bit of fiddling.

In order to try this stuff out:

0.  Download busybox and install in ./busybox.
1.  Update src/etc/modules.initrd to include any modules needed to boot.
2.  Make sure you use literal = "root=/dev/ram0 init=/linuxrc rw" or LILO 
    eqiv. on x86.
3.  Ensure romfs is compiled in your kernel (not a module).

Then "make" and copy initrd.img.gz to where your bootloader expects it.

The Makefile does a few things:

1.  Configures and builds busybox.
2.  Creates devices in src/dev.
3.  Generates a filesystem key at src/etc/efsk (encrypted with openssl and 
    a passphrase).
4.  Collects some programs, libraries and kernel modules.

Here is how you should create your encrypted root:

openssl enc -d -aes-256-ecb -in /etc/efsk | losetup -p0 -e aes /dev/loop0 
/dev/hdXY
mkfs.Z /dev/loop0

Code contributions are very welcome!

--
Mike

["initrd.tar.gz" (application/octet-stream)]

--
gentoo-hardened@gentoo.org mailing list

[prev in list] [next in list] [prev in thread] [next in thread]