hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sun Jan 18, 2004 10:39 pm

hi there,
i'm terribly sorry, but my gentoo is broken atm, so i can't answer some questions. you know, almost always you have to sit in front of your computer to understand a problem and that is sadly impossible for me atm. hopefully there's somebody else out there who can help you.
@viperlin
for me this looks as if you forgot either to include the filesystem of your root partition or devfs support. i would check the kernel config and the build-initrd.sh again. which method did you choose?
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
viperlin (Veteran)
Joined: 15 Apr 2003 Posts: 1319 Location: UK
Posted: Sun Jan 18, 2004 10:55 pm

erm, none. if you read the post you would know i'm trying to read an encrypted DVD; i can read other DVDs so i have filesystem support.
i have no initrd as i don't use encrypted filesystems for hard drives on this PC, only my old backups.
trying not to sound insulting but, well.
hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Mon Jan 19, 2004 10:18 am

oh indeed, sorry about that!
ok then, did you have a look at this tutorial? i saw it once so maybe this could help you!
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
viperlin (Veteran)
Joined: 15 Apr 2003 Posts: 1319 Location: UK
Posted: Mon Jan 19, 2004 6:00 pm

hulk2nd wrote:
> oh indeed, sorry about that!
> ok then, did you have a look at this tutorial? i saw it once so maybe this could help you!
> greets,
> hulk

yep, it gave me the original idea, but thanks, i'll keep experimenting
revoohc (Tux's lil' helper)
Joined: 12 Oct 2002 Posts: 128
Posted: Wed Jan 21, 2004 1:25 am

I need some help. I followed the instructions for building a clean encrypted system. I have used a 2.6 kernel (gentoo-dev-sources) and everything seemed to go well. However, when I try to boot into gentoo, it does not accept my password. Any ideas what might be going on? I can boot back into Knoppix and am able to load the encrypted root file system w/o a problem.
Any advice would be appreciated.
Thanks,
revoohc
hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Wed Jan 21, 2004 1:34 pm

maybe you used another keyboard layout in knoppix than the default one that is chosen when booting into gentoo?
what is the exact error message you get?
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Wed Jan 21, 2004 6:05 pm

The latest util-linux in portage, util-linux-2.12-r4.ebuild, has the following references:
Code:
    IUSE="crypt nls static pam selinux"
Code:
    CRYPT_PATCH_P="${P}-cryptoapi-losetup"
    SELINUX_PATCH="util-linux-2.12-selinux.diff.bz2"
    DESCRIPTION="Various useful Linux utilities"
    SRC_URI="mirror://kernel/linux/utils/${PN}/${P}.tar.gz
    ftp://ftp.cwi.nl/pub/aeb/${PN}/${P}.tar.gz
    crypt? ( mirror://gentoo/${CRYPT_PATCH_P}.patch.bz2 )"
    HOMEPAGE="http://www.kernel.org/pub/linux/utils/util-linux/"
If i have crypt in my global use flags, then will the encryption patch be applied to the install, or is this something different?
I may be starting to encrypt my PC, so i may give the standard portage util-linux a go unless anyone corrects me and this is to do with something completely different?!
Cheers,
Kristian
_________________
Signature?? I don't want a signature!
hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Wed Jan 21, 2004 8:28 pm

i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console, then install util-linux following the tutorial (by hand) and type losetup. if the one installed by hand gives you different output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Wed Jan 21, 2004 9:03 pm

hulk2nd wrote:
> i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console, then install util-linux following the tutorial (by hand) and type losetup. if the one installed by hand gives you different output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.
> greets,
> hulk

Yep, i think you are correct, so i have gone ahead and manually patched and installed it. Got a quick question though: at present i have the following entry in grub.conf:
Code:
    title Gentoo Testing (2.6.1-mm5)
    root (hd0,0)
    kernel (hd0,0)/boot/2.6.1-mm5 root=/dev/hde3 vga=792
and the guide states to change it to:
Code:
    title=Gentoo/GNU Linux 1.4 Encrypted ROOT
    root (hd0,0)
    kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
    initrd=/initrd.gz
so do i omit the /boot/2.6.1-mm5 and just change it to /bzImage?
I presume the kernel is the one i have built, but it will not be mounted under /boot, so should i have /2.6.1-mm5?
i.e. to this:
Code:
    title Gentoo Testing Encrypted (2.6.1-mm5)
    root (hd0,0)
    kernel (hd0,0)/2.6.1-mm5 root=/dev/ram0 init=/linuxrc rootfstype=minix
    initrd=/initrd.gz
Cheers for your help, and please forgive my lack of knowledge, i just want to check that i'm gonna do this right!
Cheers,
Kristian
_________________
Signature?? I don't want a signature!
hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Wed Jan 21, 2004 9:28 pm

i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference whether you have the /boot in the line or not.
so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Wed Jan 21, 2004 9:34 pm

hulk2nd wrote:
> i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference whether you have the /boot in the line or not.
> so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.
> greets,
> hulk

Ok, cheers. I don't use genkernel but manually compile it, and then rename it to the kernel version and patch level, hence the name of it. I think i have it sorted, i shall probably know by tomorrow.
As another question, when you use knoppix, the only special program is losetup, so could you not just boot off any rescue cd, mount /boot, which is home to the losetup that was compiled and copied during the install, and just use that instead?
Kristian
_________________
Signature?? I don't want a signature!
hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Wed Jan 21, 2004 9:59 pm

yes, it should be possible to use the losetup binary in combination with any other rescue cd, but i have not tested it.
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Wed Jan 21, 2004 11:05 pm

Well, i found a Knoppix CD lying about, v3.3, so i used that in the end. After running the dd command, it stated:
Code:
    I/O error
    30623+1 records in
    30623+1 records out...
it listed the duration (about 30 mins) and it then said it was successful or something along those lines; great, i thought.
Upon rebooting, the kernel begins to load, loads my drivers, mounts /dev, then says freeing space from kernel (157K) or something like that, and hangs.
It does state it found a ram disk and a compressed image at 0 and seems to uncompress it. I get no prompt for a password as it hangs though.
Now i'm not sure if it's something i've done or to do with the error that was listed when i ran dd ......
I guess i will have to fiddle tomorrow to try and fix it. Any ideas would be more than welcome though.
Cheers,
Kristian
_________________
Signature?? I don't want a signature!
lghman (Guru)
Joined: 29 Nov 2002 Posts: 548 Location: Florida
Posted: Thu Jan 22, 2004 2:41 am

Just wanted to say thanks hulk2nd. Freakin' excellent job on the howto, worked like a damn charm for me!
--sonik
_________________
"What a distressing contrast there is between the radiant intelligence of a child and the feeble mentality of the average adult" --Freud
hulk2nd (Guru)
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Thu Jan 22, 2004 11:22 pm

kritip wrote:
> Code:
>     I/O error
>     30623+1 records in
>     30623+1 records out...

i don't remember that i/o error ...
in fact it doesn't look very good. i'm very sorry about that, i have no idea what to do ...
hope you backed up the important data ...
sorry
@sonikntails
glad to hear that. you're welcome
_________________
Linux: "Free as in free speech, not as in free beer"
franklin (n00b)
Joined: 29 Dec 2003 Posts: 7 Location: Montreal, Canada
Posted: Fri Jan 23, 2004 2:25 am

Have you looked at the file /etc/conf.d/crypto-loop?
Could I have more info about it, since the link to it is down?
And where can I find build-initrd.sh?
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Fri Jan 23, 2004 7:19 am

hulk2nd wrote:
> kritip wrote:
> > Code:
> >     I/O error
> >     30623+1 records in
> >     30623+1 records out...
>
> i don't remember that i/o error ...
> in fact it doesn't look very good. i'm very sorry about that, i have no idea what to do ...
> hope you backed up the important data ...
> sorry

Very odd, i posted a big reply yesterday and it is nowhere to be seen! Perhaps i hit preview and then closed the browser!?
Anyway, the I/O error seemed to be no problem, as i am now running unencrypted again after not being able to successfully boot. I tried rebuilding my kernel twice, checking all the options, rebuilding losetup with the aes patch twice, messing around with boot commands in grub, all to no avail! I even read in build-initrd.sh that i shouldn't use the root= line in grub as i use devfs and a 2.6 kernel, so i ran rdev /kernel-version /dev/ram0 and removed the root= line, but it did exactly the same!
It just hung on freeing kernel memory!
I have given up for now; the only thing i think it could be is the HPT374 controller my drives sit on, although it is compiled into my kernel, or that in build-initrd.sh i specified /dev/discs/disc0/part3 whereas my mount command gives me /dev/ide/host2/bus0/target0/lun0/part3. both exist though!?
Cheers anyway for the great guide, it was an experience, and i will try again in a few weeks,
Kristian
_________________
Signature?? I don't want a signature!
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Fri Jan 23, 2004 7:20 am

franklin wrote:
> Have you looked at the file /etc/conf.d/crypto-loop?
> Could I have more info about it, since the link to it is down?
> And where can I find build-initrd.sh?

build-initrd.sh will be in your /tmp/enc/loop-AES-v2.0d/ directory, or wherever you extracted it.
Kristian
_________________
Signature?? I don't want a signature!
TheCoop (Veteran)
Joined: 15 Jun 2002 Posts: 1814 Location: Where you least expect it
Posted: Fri Jan 23, 2004 10:44 pm

so does the current util-linux-2.12-r4 work properly so you can run an encrypted root, or do you still need to install your own version? why doesn't util-linux just include the patch you patch yourself?
_________________
95% of all computer errors occur between chair and keyboard (TM)
"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler
Change the world - move a rock
franklin (n00b)
Joined: 29 Dec 2003 Posts: 7 Location: Montreal, Canada
Posted: Sat Jan 24, 2004 6:05 pm

Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.
kritip (n00b)
Joined: 03 Jan 2004 Posts: 56 Location: Nuneaton, Warks, UK
Posted: Sat Jan 24, 2004 8:37 pm

franklin wrote:
> Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.

I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.
Kristian
_________________
Signature?? I don't want a signature!
franklin (n00b)
Joined: 29 Dec 2003 Posts: 7 Location: Montreal, Canada
Posted: Sat Jan 24, 2004 10:12 pm

kritip wrote:
> franklin wrote:
> > Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.
>
> I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.
> Kristian

Thx for the info, I will try it with Reiserfs
nx12 (Apprentice)
Joined: 14 Jan 2004 Posts: 193
Posted: Thu Jan 29, 2004 10:33 pm

One question: does somebody have working software suspend on encrypted swap?
I'm going to try it out, but can't find any materials about that. On swsusp.sourceforge.net they write that it's supported, but I could not find anything either in google or in their mailing archives.
So it would be great if someone posted his experiences with encrypted swsusp.
_________________
signature sucks
gmoney (n00b)
Joined: 04 Aug 2003 Posts: 20 Location: Santa Barbara
Posted: Sat Jan 31, 2004 5:57 pm Post subject: loop.ko

Just a word of advice: if you're doing this with the 2.6 kernel and your modules end with .ko instead of .o, you need to change the build-initrd.sh script so that it will look for loop.ko instead of loop.o (if you're using the loop module and not the in-kernel crypto). I've been stumped on this for an hour but it's working fine now. I was using loop-aes 2.0d, so maybe they've fixed this in the latest version, but if not, just change line 389. Other than that, fantastic guide and great work to the loop-aes guys. I owe you a beer if you're ever in Santa Barbara, CA, USA.
sciwhiz007 (n00b)
Joined: 01 Jan 2004 Posts: 31 Location: /dev/random
Posted: Sun Feb 01, 2004 3:38 pm

Two things, a question and a word of advice.
Where does it say that journalling file systems are not recommended for our purposes? If you read through the loop-AES readme, it specifically states this:
Quote:
> 2.2. Use of journaling file systems on loop device
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Don't use a journaling file system on top of file backed loop device, unless
> underlying file system is journaled and guarantees data=ordered or
> data=journal. Device backed loop device can be used with journaling file
> systems as device backed loops guarantee that writes reach disk platters in
> order required by journaling file system (write caching must be disabled on
> the disk drive, of course). With file backed loop devices, correct write
> ordering may extend only to page cache (which resides in RAM) of underlying
> file system. VM can write such pages to disk in any order it wishes, and
> thus break write order expectation of journaling file system.

What this means is that you can have a journalling file system on a loop device that's backed by a device, such as /dev/hda1 or /dev/sda1, but it is not recommended to have a journalling file system on a file-backed loop device, such as one you create by typing this in:
Code:
    dd if=/dev/zero of=loop.img bs=1k count=65536
    losetup -e AES128 -S XXXXXX -T /dev/loop1 loop.img
    mke2fs /dev/loop1
    mount -t ext2 /dev/loop1 /mnt/loop
Now for my tip, which may not be useful to most people. But just in case you've been trying to patch the hardened-sources kernel with the loop-AES patch and haven't had much success, you could try what I did. Essentially what I'm doing is removing the cryptoloop patch applied to the hardened-sources kernel and then patching it with loop-AES.
Code:
    cd /usr/src
    cp /usr/portage/distfiles/patches-2.4.22-hardened.tar.bz2 ./
    tar -xjvpf patches*.bz2
    wget http://aleron.dl.sourceforge.net/sourceforge/loop-aes/loop-AES-v2.0e.tar.bz2
    tar -xjvpf loop-A*.bz2
    cd linux
    patch -Rp1 -i ../2.4.22-hardened/70_crypto*.patch # Remove the patch
    patch -Np1 -i ../loop-A*/kernel-2.4.24.diff # Apply the new patch
    rm -rf ../*.bz2 ../2.4.22-hardened ../loop*
    make menuconfig
Of course, I make a number of assumptions in the above code. I assume that you're patching hardened-sources-2.4.22 (any release), that your /usr/src/linux symlink correctly points to /usr/src/linux-2.4.22-hardened and that your portage distfiles are located at /usr/portage/distfiles. If any of this doesn't apply to you, you'll obviously have to change the code to suit your needs. Also, if you want to see whether a patch applies successfully, you can use the --dry-run switch with patch.
Hope that helps!
_________________
You can take a horse to water but you can't make it drink.
You can give a person facts, but you can't make them think.
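A pre-flight check for the README rule quoted in the post above, as an added example that is not from the thread or from loop-AES: given whether a loop is device-backed or file-backed and, for the file-backed case, a /proc/mounts-style table, it reports whether a journaling filesystem on that loop is acceptable. The mount table is constructed sample data; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or loop-AES): apply the README rule on
# journaling filesystems over loop devices.
#   device-backed loop                                            -> ok
#   file-backed loop on ext3/reiserfs with data=ordered|journal    -> ok
#   file-backed loop on ext3/reiserfs with no data= option listed  -> unverified
#   file-backed loop on anything else, or data=writeback           -> unsafe

# Constructed /proc/mounts-style table: device mountpoint fstype options dump pass
MOUNTS='/dev/hda3 / reiserfs rw,data=ordered 0 0
/dev/hda1 /boot ext2 rw 0 0
/dev/hda4 /home ext3 rw,data=writeback 0 0
/dev/hda5 /srv ext3 rw 0 0'

# find_mount PATH MOUNTS: print the table line whose mountpoint is the
# longest prefix of PATH, i.e. the filesystem that actually holds the file.
find_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); hit = $0 }
            }
        }
        END { print hit }'
}

# journal_ok KIND PATH MOUNTS: KIND is "device" or "file"; PATH is the
# backing block device or backing file. Prints ok, unverified or unsafe
# and returns 0 only for ok.
journal_ok() {
    kind=$1; path=$2; mounts=$3
    if [ "$kind" = device ]; then
        echo ok; return 0
    fi
    line=$(find_mount "$path" "$mounts")
    fstype=$(printf '%s\n' "$line" | awk '{print $3}')
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    # Only ext3 and reiserfs express the ordering guarantee via data=;
    # XFS, ext2 and the rest give no such guarantee for a file-backed loop.
    case "$fstype" in
        ext3|reiserfs) ;;
        *) echo unsafe; return 1 ;;
    esac
    # ext3 defaults to ordered mode, but many kernels do not list it in
    # /proc/mounts, so an absent data= option is reported as unverified.
    case ",$opts," in
        *,data=ordered,*|*,data=journal,*) echo ok; return 0 ;;
        *,data=writeback,*) echo unsafe; return 1 ;;
        *) echo unverified; return 2 ;;
    esac
}
```

On a live system the backing path comes from `losetup` output and the table from `cat /proc/mounts`; the README also requires write caching to be off on the drive, which this check does not cover.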