version 1.3, 2016/06/22 07:40:39 (revised from version 1.2, 2016/06/22 00:50:29)

Root filesystem encryption
==========================

It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It is really a memory disk (also known as a RAM disk) that is expected to be loaded into the kernel while booting.

It still requires one unencrypted partition to boot from (typically `wd0a`).

The kernel module loaded at boot time contains a minimal filesystem image, which is then considered the actual root filesystem.

The boot partition on disk only needs to contain:
* [[!template id=man name="boot" section="8"]], the second-stage bootloader
* [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional)
* a GENERIC kernel
* the `cgdroot.kmod` kernel module
* the configuration (`cgd.conf`) and the cgd parameters file for the encrypted volume to start from; with a passphrase-based key generation method the key itself is derived from the passphrase entered at boot and is not stored on the boot partition

Once loaded, the memory disk mounts the `wd0a` partition onto `/etc/cgd` and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the configured `cgd0a` volume is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] (the `init.root` variable) to chroot into this volume before actually booting. The system then starts normally.

In practice the memory disk remains the real root, and the regular system is really run from a chroot in `/altroot`.

Configuring the kernel module
-----------------------------

The kernel module needs to be available in the boot partition, alongside the desired kernel. The bootloader configuration in `/boot.cfg` should be modified to load the module, as in this example:

[[!template id=filecontent name="/boot.cfg" text="""
menu=Boot normally:rndseed /etc/entropy-file;load /cgdroot.kmod;boot /netbsd.gz -z
"""]]
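The following shell script is an added example and is not code from this page or from the NetBSD source tree. It checks a directory holding the contents of the unencrypted boot partition against the list above, parses `cgd.conf` the way `cgdconfig -C` reads it (`cgd target [paramsfile]`, with the default parameters file named after the target device, as documented in cgdconfig(8)), and flags a parameters file that uses the `storedkey` key generation method, since such a file would carry the key in the clear on the unencrypted partition. The `/etc/cgd` path prefix follows the description above of where the memory disk mounts the boot partition; the sample files, the salt value and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the NetBSD wiki page nor from NetBSD itself):
# sanity-check a directory holding the unencrypted boot partition before
# relying on it for a cgdroot boot.  Expected layout follows the page:
# boot, boot.cfg, a kernel, cgdroot.kmod and cgd.conf.  Paths inside
# cgd.conf are assumed to be as seen from the memory disk, where the boot
# partition is mounted on /etc/cgd.

# Return 0 when $1 looks like a usable cgdroot boot partition, 1 otherwise.
# Each problem found is reported on stdout, one per line.
cgdroot_check_bootdir() {
    bootdir=$1
    status=0
    for f in boot boot.cfg cgdroot.kmod cgd.conf; do
        if [ ! -f "$bootdir/$f" ]; then
            echo "missing: $f"
            status=1
        fi
    done
    # Either name counts as the kernel to load.
    if [ ! -f "$bootdir/netbsd" ] && [ ! -f "$bootdir/netbsd.gz" ]; then
        echo "missing: netbsd or netbsd.gz"
        status=1
    fi
    # boot.cfg must actually load the module before booting the kernel.
    if [ -f "$bootdir/boot.cfg" ] && ! grep -q 'load /cgdroot.kmod' "$bootdir/boot.cfg"; then
        echo "boot.cfg does not load /cgdroot.kmod"
        status=1
    fi
    [ -f "$bootdir/cgd.conf" ] || return $status
    # cgd.conf lines: "cgdN target [paramsfile]" (cgdconfig(8)).  Without a
    # paramsfile, cgdconfig uses /etc/cgd/<basename of target>.
    while read -r cgd dev params; do
        case $cgd in ''|'#'*) continue ;; esac
        [ -n "$params" ] || params=/etc/cgd/${dev##*/}
        case $params in
            /etc/cgd/*) rel=${params#/etc/cgd/} ;;
            *) echo "$cgd: parameters file $params is outside the boot partition"
               status=1; continue ;;
        esac
        if [ ! -f "$bootdir/$rel" ]; then
            echo "$cgd: parameters file $params not found on boot partition"
            status=1
            continue
        fi
        # A storedkey parameters file carries the key in the clear; on the
        # unencrypted boot partition that defeats the purpose of cgdroot.
        if grep -q 'keygen[[:space:]]*storedkey' "$bootdir/$rel"; then
            echo "$cgd: parameters file $params stores the key in the clear"
            status=1
        fi
    done < "$bootdir/cgd.conf"
    return $status
}

# Build a constructed sample boot partition under $1 (empty placeholder
# files instead of real NetBSD binaries) so the check can be tried offline.
cgdroot_make_sample() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/boot"
    : > "$dir/netbsd.gz"
    : > "$dir/cgdroot.kmod"
    echo 'menu=Boot normally:rndseed /etc/entropy-file;load /cgdroot.kmod;boot /netbsd.gz -z' > "$dir/boot.cfg"
    printf '%s\n' '# cgd target [paramsfile], paths as seen from the memory disk' \
        'cgd0 /dev/wd0e /etc/cgd/wd0e' > "$dir/cgd.conf"
    # Passphrase-derived key: only salt and iteration count live on disk.
    # The salt below is made up; a real file comes from
    #   cgdconfig -g -V ffs -o /etc/cgd/wd0e aes-cbc 256
    cat > "$dir/wd0e" <<'EOF'
algorithm aes-cbc;
iv-method encblkno1;
keylength 256;
verify_method ffs;
keygen pkcs5_pbkdf2/sha1 {
        iterations 65536;
        salt AAAAgOBn3ffl5WyPZWNT6aJHmK0=;
};
EOF
}
```

Try it with `cgdroot_make_sample /tmp/bootdir && cgdroot_check_bootdir /tmp/bootdir`; for a real system, point the check at the directory where the boot partition is mounted instead.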
Building the kernel module
--------------------------

The kernel module can be compiled in two steps from within the NetBSD source tree, once the distribution has been built (for example with `build.sh distribution`). Change to `distrib/<arch>/ramdisks/ramdisk-cgdroot` and use the `nbmake-<arch>` wrapper from the tool directory to build the filesystem image first:

[[!template id=programlisting text="""
src/distrib/amd64/ramdisks/ramdisk-cgdroot$ /path/to/tooldir/bin/nbmake-amd64
[...]
create ramdisk-cgdroot/ramdisk-cgdroot.fs
super-block backups (for fsck -b #) at:
32,
Populating `ramdisk-cgdroot.fs.tmp'
Image `ramdisk-cgdroot.fs.tmp' complete
"""]]

Then the kernel module itself, which wraps that image, can be built from `distrib/<arch>/kmod-cgdroot`:

[[!template id=programlisting text="""
src/distrib/amd64/kmod-cgdroot$ /path/to/tooldir/bin/nbmake-amd64
"""]]

Caveats
-------

This setup is not entirely safe against

References
----------

[1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)"