Return to cgdroot.mdwn CVS log

Up to [NetBSD Developer Wiki] / wikisrc / security

Annotation of wikisrc/security/cgdroot.mdwn, revision 1.2

1.1       khorben     1: Root filesystem encryption
                      2: ==========================
                      3: 
                      4: It is possible to run NetBSD with ![complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting.
                      5: 
                      6: It still requires one unencrypted partition to boot from (typically `wd0a`).
                      7: 
                      8: The boot process
                      9: ----------------
                     10: 
                     11: Instead of booting normally the GENERIC kernel and using the root filesystem, a
                     12: kernel module is loaded at boot-time containing a memory disk. It contains a
                     13: minimal filesystem image, which is then considered the actual root filesystem:
                     14: 
                     15: The boot partition on disk only needs to contain:
                     16: * `boot(8)`, the second-stage bootloader
                     17: * `boot.cfg(5)`, the configuration file for the bootloader (optional)
                     18: * a GENERIC kernel
                     19: * the `cgdroot.kmod` kernel module
                     20: * configuration and encryption key for the encrypted volume to start from (`cgd.conf`)
                     21: 
                     22: Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with `cgdconfig(8)`). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and `init(8)` is told via `sysctl(7)` to chroot into this volume before actually booting. The system then starts normally.
                     23: 
                     24: In practice the memory disk remains the real root, and the regular system is
                     25: really ran from a chroot in `/altroot`.
                     26: 
                     27: Obtaining the kernel module
                     28: ---------------------------
                     29: 
                     30: The `cgdroot.kmod` kernel module is part of the regular NetBSD releases since NetBSD 7.0. It can be found in the `<arch>/installation/miniroot` folder from the release. For instance, for the amd64 architecture on the German mirror for the 7.0.1 release, download it at (ftp://ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod).
                     31: 
                     32: Configuring the kernel module
                     33: -----------------------------
                     34: 
                     35: The kernel module needs to be available in the boot partition, alongside the desired kernel. The bootloader configuration in `/boot.cfg` should be modified to load the module, as in this example:
                     36: <pre>
                     37: menu=Boot normally:rndseed /etc/entropy-file;load /cgdroot.kmod;boot /netbsd.gz -z
                     38: </pre>
                     39: 
                     40: Building the kernel module
                     41: --------------------------
                     42: 
                     43: The kernel module can be compiled in two steps from within the source tree for the NetBSD base system, once the distribution has been built. Change to the `distrib/<arch>/ramdisks/ramdisk-cgdroot` and use `nbmake-<arch>` to build:
                     44: 
                     45: <pre>
1.2     ! khorben    46: src/distrib/amd64/ramdisks/ramdisk-cgdroot$ /path/to/tooldir/bin/nbmake-amd64
1.1       khorben    47: [...]
                     48:      create  ramdisk-cgdroot/ramdisk-cgdroot.fs
                     49: Calculated size of `ramdisk-cgdroot.fs.tmp': 5120000 bytes, 85 inodes
                     50: Extent size set to 4096
                     51: ramdisk-cgdroot.fs.tmp: 4.9MB (10000 sectors) block size 4096, fragment size 512
                     52:         using 1 cylinder groups of 4.88MB, 1250 blks, 96 inodes.
                     53: super-block backups (for fsck -b #) at:
                     54:  32,
                     55: Populating `ramdisk-cgdroot.fs.tmp'
                     56: Image `ramdisk-cgdroot.fs.tmp' complete
                     57: </pre>
                     58: 
                     59: Then the kernel module can be built:
                     60: 
                     61: <pre>
1.2     ! khorben    62: src/distrib/amd64/kmod-cgdroot$ /path/to/tooldir/bin/nbmake-amd64
1.1       khorben    63: </pre>
                     64: 
                     65: Caveats
                     66: -------
                     67: 
                     68: The biggest (known) issue with this setup occurs when firmware needs to be loaded early in the boot process (such as graphics drivers for the console). At the moment they need to be built as part of the memory disk. Some network interfaces, of which some wireless devices in particular, also require loading firmware to work properly.
                     69: 
                     70: This setup is not entirely safe against physical attacks. An attacker can modify the boot process to store the passphrase for later retrieval, or insert a backdoor while booting.
                     71: 
                     72: References
                     73: ----------
                     74: 
                     75: [1]: http://permalink.gmane.org/gmane.os.netbsd.current/61341 "Full Disk Encryption with cgd (well, almost)"