--- wikisrc/security/cgdroot.mdwn 2016/06/22 00:50:29 1.2 +++ wikisrc/security/cgdroot.mdwn 2016/06/22 07:40:39 1.3 @@ -1,7 +1,7 @@ Root filesystem encryption ========================== -It is possible to run NetBSD with ![complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. +It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It still requires one unencrypted partition to boot from (typically `wd0a`). 
@@ -13,13 +13,13 @@ kernel module is loaded at boot-time con minimal filesystem image, which is then considered the actual root filesystem: The boot partition on disk only needs to contain: -* `boot(8)`, the second-stage bootloader -* `boot.cfg(5)`, the configuration file for the bootloader (optional) +* [[!template id=man name="boot" section="8"]], the second-stage bootloader +* [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional) * a GENERIC kernel * the `cgdroot.kmod` kernel module * configuration and encryption key for the encrypted volume to start from (`cgd.conf`) -Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with `cgdconfig(8)`). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and `init(8)` is told via `sysctl(7)` to chroot into this volume before actually booting. The system then starts normally. +Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally. In practice the memory disk remains the real root, and the regular system is really ran from a chroot in `/altroot`. @@ -33,16 +33,17 @@ Configuring the kernel module ----------------------------- The kernel module needs to be available in the boot partition, alongside the desired kernel. The bootloader configuration in `/boot.cfg` should be modified to load the module, as in this example: -
+
+[[!template id=filecontent name="/boot.cfg" text="""
 menu=Boot normally:rndseed /etc/entropy-file;load /cgdroot.kmod;boot /netbsd.gz -z
-
+"""]] Building the kernel module -------------------------- The kernel module can be compiled in two steps from within the source tree for the NetBSD base system, once the distribution has been built. Change to the `distrib//ramdisks/ramdisk-cgdroot` and use `nbmake-` to build: -
+[[!template id=programlisting text="""
 src/distrib/amd64/ramdisks/ramdisk-cgdroot$ /path/to/tooldir/bin/nbmake-amd64
 [...]
      create  ramdisk-cgdroot/ramdisk-cgdroot.fs
@@ -54,13 +55,13 @@ super-block backups (for fsck -b #) at:
  32,
 Populating `ramdisk-cgdroot.fs.tmp'
 Image `ramdisk-cgdroot.fs.tmp' complete
-
+"""]] Then the kernel module can be built: -
+[[!template id=programlisting text="""
 src/distrib/amd64/kmod-cgdroot$ /path/to/tooldir/bin/nbmake-amd64
-
+"""]] Caveats ------- @@ -72,4 +73,4 @@ This setup is not entirely safe against References ---------- -[1]: http://permalink.gmane.org/gmane.os.netbsd.current/61341 "Full Disk Encryption with cgd (well, almost)" +[1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)"
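Review bot: the rewritten `+` line in `@@ -1,7 +1,7 @@` still carries the typo "also knows as RAM disk"; since that line is already being touched to drop the stray `!` and to add the boot-partition sentence, fix it to "also known as RAM disk" in the same change rather than leaving it for a follow-up.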
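Review bot: in `@@ -13,13 +13,13 @@` the list item "configuration and encryption key for the encrypted volume to start from (`cgd.conf`)" reads as if key material sits on the unencrypted `wd0a` partition, while the next paragraph says the passphrase is requested interactively with cgdconfig; please state explicitly what is kept under `/etc/cgd` on the boot partition and that the passphrase itself is not, or, if a stored key is meant, say so plainly so readers can judge the exposure of that unencrypted partition. The adjacent context line "the regular system is really ran from a chroot" should also read "really run from a chroot"; worth folding into this hunk since the surrounding text is already being edited.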
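Review bot: the context line "Change to the `distrib//ramdisks/ramdisk-cgdroot` and use `nbmake-` to build" in `@@ -33,16 +33,17 @@` has lost its architecture placeholder (an empty path component between the slashes and a bare `nbmake-`), most likely because an angle-bracketed placeholder was swallowed as HTML by the wiki; since this hunk is reworking the surrounding markup anyway, escape or rewrite that placeholder so it renders, consistent with the `amd64` paths shown in the listing. Separately, the `boot.cfg` menu entry in the new `filecontent` block loads `/etc/entropy-file` via `rndseed` before `load /cgdroot.kmod`, but the entropy file is not in the list of things the boot partition must contain; confirm where the bootloader reads it from and add it to that list if it also has to live on the unencrypted partition.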
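Review bot: in `@@ -72,4 +73,4 @@` the reference title is unchanged while the target moves from the gmane permalink to the https mail-index.netbsd.org URL; please confirm the new link resolves to the same "Full Disk Encryption with cgd (well, almost)" message before merging, since the page's central claim rests on that citation and a mismatched archive link is easy to miss. Moving to the project-owned archive over TLS is otherwise the right call.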