[gentoo-catalyst] Using catalyst to build encrypted livecd's

[gentoo-catalyst] Using catalyst to build encrypted livecd's

[Nelson Batalha]

Hi,

Chris Gianelloni, can't thank enough.

Everyone: in the last days, since I couldn't find anyone that has built 
encrypted cd's with catalyst, I researched and studied lots -> theoretically 
I think everything is worked out. (Unless you know of one, then please stop 
reading and post your experiences :).

I was hoping to discuss here the best way to do encrypted livecd's seamless 
with catalyst, with a minimal catalyst patch! (as it stands I don't think 
it's possible to make one)

I chose Luks, since seems genkernel is supporting it (no docs though), 
however this will force us to use two loops, (performance issues?). An 
alternative is loop-aes -> one loop only.

What I came up with would require just a trivial patch to Catalyst: to add 
the livecd-stage2 specs an argument, like livecd/fsscript: but would run a 
script in the real cd root, just before the iso creation. Why? These are the 
steps:

On gk arguments we would add initramfs a cryptsetup binary with 
--initramfs-overlay; we would also add a custom initrc that would put our 
encrypted squashfs file in a loop, and cryptsetup would unencrypt it in a 
different loop - and call it our root.

The patch to catalyst would allow us to write a script to convert the 
squashfs in a encrypted one. First we knew the final squashfs size, so it 
would just create a file with dd with that size from /dev/zero. Then it 
would mount this file in a loop, cryptsetup would use it and open it in a 
different loop, and then we would mksquashfs the contents in it.

Any problems, comments or alternatives? Would you accept this patch? My bash 
is ok now, gonna take some time to write the python stuff.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

-- 
gentoo-catalyst@gentoo.org mailing list

Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 2368 bytes --]

On Sun, 2007-04-08 at 14:28 +0000, Nelson Batalha wrote:
> I chose Luks, since seems genkernel is supporting it (no docs though), 
> however this will force us to use two loops, (performance issues?). An 
> alternative is loop-aes -> one loop only.

Why do you need two loops?  I'm just asking, since I don't know the
details of the differing methods and have only looked over the patches
as I've applied them for correctness, not for functionality.  Also, make
sure there aren't any patches assigned to genkernel that won't help with
this.  There's at least one or two more LUKS-related patches/bugs in
bugzilla.

> On gk arguments we would add initramfs a cryptsetup binary with 
> --initramfs-overlay; we would also add a custom initrc that would put our 
> encrypted squashfs file in a loop, and cryptsetup would unencrypt it in a 
> different loop - and call it our root.

OK.  You're already steering off course.  If you add cryptsetup to
boot/kernel/$kname/packages, genkernel will include it with --luks, so
you don't need to do anything in an initramfs overlay.  We also do
decryption in genkernel already.

> The patch to catalyst would allow us to write a script to convert the 
> squashfs in a encrypted one. First we knew the final squashfs size, so it 
> would just create a file with dd with that size from /dev/zero. Then it 
> would mount this file in a loop, cryptsetup would use it and open it in a 
> different loop, and then we would mksquashfs the contents in it.

I'm not sure I'm following, but everything that goes into the squashfs
is already available to catalyst.  We don't need to copy it all *again*
since it is at (by
default) /var/tmp/catalyst/tmp/default/livecd-stage2-whatever already.

> Any problems, comments or alternatives? Would you accept this patch? My bash 
> is ok now, gonna take some time to write the python stuff.

I would accept it if it were done right.  You'll want to look more into
both what catalyst and what genkernel are already capable of doing.  I
would much rather incorporate the support in catalyst directly, rather
than adding yet another spec file key that isn't necessarily a
single-purpose key.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's

[Nelson Batalha]

>On Sun, 2007-04-08 at 14:28 +0000, Nelson Batalha wrote:
> > I chose Luks, (...) this will force us to use two loops, (performance 
>issues?). An
> > alternative is loop-aes -> one loop only.
>
>Why do you need two loops?


It's the way they work. Luks is ment for devices only, so we need to make 
one for him to work with, and then he unencrypts it in a new one. loop-aes 
is embedded in losetup, so when mounting squashfs we just need to give it a 
key ;).


>OK.  You're already steering off course.  If you add cryptsetup to
>boot/kernel/$kname/packages, genkernel will include it with --luks, so
>you don't need to do anything in an initramfs overlay.

Thanks, I wasn't sure how it worked, so I just mentioned a hack for now (it 
wasn't stupid :P).

http://bugs.gentoo.org/show_bug.cgi?id=173766

>I'm not sure I'm following, but everything that goes into the squashfs
>is already available to catalyst.  We don't need to copy it all *again*
>since it is at (by
>default) /var/tmp/catalyst/tmp/default/livecd-stage2-whatever already.

I follow you, but the problem is that we need to know the size of the final 
squashfs.

Thing is, with luks, we need a "stupid" file initially that is going to be 
looped to be formatted in a squashfs. To create it, we need to know its 
size, preferebly not greater then necessary, since I *think* it's not 
possible to change the size of a file in a loop.

*Unless* we know an estimate of how big will the squashfs be, the option is 
to make one and then create that file with the exact size. The problem is 
not *getting* the files, is to make the *exact* room for them ;).

>I would much rather incorporate the support in catalyst directly, rather
>than adding yet another spec file key that isn't necessarily a 
>single-purpose key.

Cool, I'll look into it. If anyone offers to patch the *.py files I can do 
the rest and specify what it needs to be done.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

-- 
gentoo-catalyst@gentoo.org mailing list

Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's

[Philipp Riegger]

On 09.04.2007, at 18:25, Nelson Batalha wrote:

> It's the way they work. Luks is ment for devices only, so we need  
> to make one for him to work with, and then he unencrypts it in a  
> new one.

Can't you partition a CD-ROM?
-- 
gentoo-catalyst@gentoo.org mailing list

Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's

[Andrew Gaffney]

Philipp Riegger wrote:
> 
> On 09.04.2007, at 18:25, Nelson Batalha wrote:
> 
>> It's the way they work. Luks is ment for devices only, so we need to 
>> make one for him to work with, and then he unencrypts it in a new one.
> 
> Can't you partition a CD-ROM?

Eh, not exactly. You can have multiple ISO9660 filesystems one after the other 
on the CD, but there is no "partition table" (at least not one that will be 
understood on x86/amd64).

-- 
Andrew Gaffney                            http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer                                   Installer Project
-- 
gentoo-catalyst@gentoo.org mailing list

Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's

[Nelson Batalha]

Nelson wrote:
>Cool, I'll look into it. If anyone offers to patch the *.py files I can do 
>the rest and specify what it needs to be done.

Sorry, I thought you ment look into support encryption directly on catalyst 
:S.

Like I said, I think it's not possible without a patch. Yes, luks is 
provided by genkernel, I wasn't sure how so I mentioned a (temp) hack. But 
the compressed image cannot be touched by Catalyst now. The alternative is 
make a neatly integrated support on it, with fields like encryption/seed.

>There's at least one or two more LUKS-related patches/bugs in
>bugzilla.

Considering that and the 2 loops requir., maybe it's better to stick to 
loop-aes.

I made a simple picture, just for those not following, with a simple 
correction (no need to do mksquashfs twice, we just dd it to the open loop):


----------------------------------------------
----------------------------------------------


---(X)---> means "mapped" to by X.
%%%%%%%%%%%%%

Crypt (luks):

Step 1: random_file (made with dd, same size as squashfs) ---(losetup)---> 
/dev/loop1----(luks)----> /dev/mapper/root (this is the unencrypted dev 
where we put the root)

step 2: image.squashfs ----(dd)----> /dev/mapper/root

%%%%%

Crypt (loop-aes)

step1:
random_file_as_above ----(loop+aes)----> /dev/loop0 (the unencrypted dev 
where we put the root);
step2:
image.squashfs ----(dd)----> /dev/loop0


%%%%%%%%%%%%%

Uncrypt:

luks:
encrypted_squashfs ---(losetup)---> /dev/loop0 ---(luks)---> 
/dev/mapper/cd_root

loop+aes:
encrypted_squashfs ---(losetup+aes)---> /dev/cd_root.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

-- 
gentoo-catalyst@gentoo.org mailing list

Re: [gentoo-catalyst] Using catalyst to build encrypted livecd's

[Nelson Batalha]

Ok, I'm working on this.

http://mega.ist.utl.pt/~nhqb/gentoo/catalyst/

Hopefully the linuxrc and initrd.scripts are done. Would accept these as the 
default genkernel scripts?

I'm doing the rest. Can anyone help me implement the "python_instructions" 
for the *py files?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

-- 
gentoo-catalyst@gentoo.org mailing list