From: Chris Gianelloni <wolf31o2@gentoo.org>
To: gentoo-catalyst@lists.gentoo.org
Subject: Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's
Date: Mon, 09 Apr 2007 10:38:29 -0400
Message-ID: <1176129509.8396.26.camel@inertia.twi-31o2.org>
In-Reply-To: <BAY114-F222D86938035E9617B23AF65A0@phx.gbl>
On Sun, 2007-04-08 at 14:28 +0000, Nelson Batalha wrote:
> I chose LUKS, since it seems genkernel is supporting it (no docs though),
> however this will force us to use two loops (performance issues?). An
> alternative is loop-aes -> one loop only.
Why do you need two loops? I'm just asking, since I don't know the
details of the differing methods and have only looked over the patches
as I've applied them for correctness, not for functionality. Also, make
sure there aren't any patches assigned to genkernel that won't help with
this. There's at least one or two more LUKS-related patches/bugs in
bugzilla.
> On gk arguments we would add to the initramfs a cryptsetup binary with
> --initramfs-overlay; we would also add a custom initrc that would put our
> encrypted squashfs file in a loop, and cryptsetup would unencrypt it in a
> different loop - and call it our root.
OK. You're already steering off course. If you add cryptsetup to
boot/kernel/$kname/packages, genkernel will include it with --luks, so
you don't need to do anything in an initramfs overlay. We also do
decryption in genkernel already.
> The patch to catalyst would allow us to write a script to convert the
> squashfs in an encrypted one. First we knew the final squashfs size, so it
> would just create a file with dd with that size from /dev/zero. Then it
> would mount this file in a loop, cryptsetup would use it and open it in a
> different loop, and then we would mksquashfs the contents in it.
I'm not sure I'm following, but everything that goes into the squashfs
is already available to catalyst. We don't need to copy it all *again*
since it is at (by default)
/var/tmp/catalyst/tmp/default/livecd-stage2-whatever already.
> Any problems, comments or alternatives? Would you accept this patch? My bash
> is ok now, gonna take some time to write the python stuff.
I would accept it if it were done right. You'll want to look more into
both what catalyst and what genkernel are already capable of doing. I
would much rather incorporate the support in catalyst directly, rather
than adding yet another spec file key that isn't necessarily a
single-purpose key.
--
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation