Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
set up hardened gentoo with dm-crypt,LVM, /boot on USB-stick
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
LoTeK
Apprentice
Apprentice


Joined: 26 Jul 2012
Posts: 270

PostPosted: Sun Jan 27, 2013 4:30 pm    Post subject: set up hardened gentoo with dm-crypt,LVM, /boot on USB-stick Reply with quote

hi,
because I had several problems when I first tried to install hardened gentoo on a fully encrypted SSD with LVM2 on top of it and the unencrypted boot partition /boot on a separate USB-stick, I've documented my second installation rigorously.

objective of the installation:
    unencrypted /boot on a separate USB-stick containing at least one kernel-image, an initramfs and grub-legacy
    fully encrypted hard drive
    LVM2 on top of the encrypted harddrive
    /, /usr, /tmp, /var, /opt, /home and swap on separate logical volumes

ASSUMPTIONS:
    I've installed gentoo this way on a T420s, therefore the assumed architecture is amd64, but AFAIK it should work with any other supported architecture.

    I've created a bootable USB-stick with a "install-amd64-minimal.iso" to do the installation, but from this thread: http://forums.gentoo.org/viewtopic-t-943466-highlight-.htmlI know that this is not necessary the best way to do it.

    I will document how I did it and therefore exists maybe several other ways to achieve the same set up. If I did something very inelegant or even wrong I'm sorry and I would appreciate constructive critics.

START:
First create a bootable USB-stick with for example unetbootin (this program should be available for every distribution). You'll have to make a DOS-filesystem with:
Code:
mkdosfs /dev/sdX1

Then download the latest iso-image, verify it and launch unetbootin. after creating the stick umount it, start your target machine and boot from the stick.

Then follow the gentoo handbook until chapter 4.

Now create a partition with fdisk and add the "8e" flag (or create any other partition table you want)
Then according to: [url]en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID [/url] encrypt the partition with:
Code:
cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda1


of course there are other algorithms then aes and I've read that it doesn't make sense to write random number on the SSD before the encryption:
Quote:
Note: using an SSD to store confidential data needs more consideration because of the way that an SSD relocates data in order to provide "wear levelling". Should an attacker have unfettered physical access to the drive, they will be able to read data that the operating system appeared to have overwritten by bypassing the flash controller. Even if you filled the entire disk, there's a large amount of "hidden" space for wear levelling that will contain previously written and now discarded data. You should instead consider using an SSD that does its own encryption.


from this website: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS#Filling_the_disk_with_random_data

the following is nearly one to one from: http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID#DM-Crypt
afterwards open the encrypted device:
Code:
cryptsetup luksOpen /dev/sda1 cypher (instead of "cypher" you can use any name you like)


then create a physical volume that contains the encrypted device:

Code:
pvcreate /dev/mapper/cypher

then a volume group:

Code:
vgcreate vg /dev/mapper/cypher


and afterwards the logical volumes:

Code:
lvcreate -L1G -nroot vg
lvcreate -L25G -nusr vg
lvcreate -L10G -nvar vg
lvcreate -L5G -ntmp vg
lvcreate -L30G -nhome vg
lvcreate -L5G -nopt vg
lvcreate -L10G -nswap vg


Then create the filesystems: (I've used ext4, but last time I've used xfs, which was good too)
Code:
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-usr
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-tmp
mkfs.ext4 /dev/mapper/vg-opt
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap


after this, mount everything:
Code:
swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt/gentoo
mkdir /mnt/gentoo/usr
mount /dev/mapper/vg-usr /mnt/gentoo/usr
mkdir /mnt/gentoo/var
mount /dev/mapper/vg-var /mnt/gentoo/var
mkdir /mnt/gentoo/tmp
mount /dev/mapper/vg-tmp /mnt/gentoo/tmp
mkdir /mnt/gentoo/opt
mount /dev/mapper/vg-opt /mnt/gentoo/opt
mkdir /mnt/gentoo/home
mount /dev/mapper/vg-home /mnt/gentoo/home


Now continue with the handbook (if you want to install hardened gentoo, then instead of
Code:
emerge gentoo-sources
do:
Code:
emerge hardened-sources

and take the latest stage-3 hardened tarball: ../releases/amd64/current-iso/hardened/stage-3-amd64-hardened-*.tar.bz2

I configured the kernel according to:

don't install genkernel, because we will create our own initramfs (if you don't want to create your own you can go on genkernel, but when I did it this way it didn't worked)

after compiling the kernel wait with:
Code:
cp arch/x86_64/boot/bzImage /boot/<kernelname>

because we don't have a /boot partition yet.

/etc/fstab:
Code:
# <fs>         <mountpoint>   <type>      <opts>      <dump/pass>
LABEL=boot_stick   /boot      ext2      noauto,noatime  1 2

/dev/mapper/vg-root   /      ext4      noatime      0 1
/dev/mapper/vg-usr   /usr      ext4      noatime      0 2
/dev/mapper/vg-var   /var      ext4      noatime      0 2
/dev/mapper/vg-tmp   /tmp      ext4      noatime      0 2
/dev/mapper/vg-opt   /opt      ext4      noatime      0 2
/dev/mapper/vg-home   /home      ext4      noatime      0 2

/dev/mapper/vg-swap   none      swap      sw      0 0

/dev/cdrom      /mnt/cdrom   auto      noauto,ro   0 0



after reaching the end of chapter 9 of the handbook, don't follow chapter 10 but do:
(follow the steps exactly, because the first time I didn't create all directories in /usr/src/initramfs and it didn't worked until I've created them)

Code:
mkdir /usr/src/initramfs
cd /usr/src/initramfs
mkdir -p bin lib dev etc mnt/root proc root sbin sys

cp -a /dev/null /usr/src/initramfs/dev/
cp -a /dev/console  /usr/src/initramfs/dev/
cp -a /dev/tty /usr/src/initramfs/dev/
cp -a /dev/sda1 /usr/src/initramfs/dev/

USE="static -pam -savedconfg" emerge -av busybox
cp -a /bin/busybox /usr/src/initramfs/bin/busybox

USE="static-libs static" emerge sys-fs/lvm2
cp -a /sbin/lvm.static /usr/src/initramfs/sbin

USE="static-libs static" emerge sys-fs/cryptsetup
cp -a /sbin/cryptsetup /usr/src/initramfs/sbin

cp -a /dev/random /usr/src/initramfs/dev
cp -a /dev/urandom /usr/src/initramfs/dev


Now we create init:
Code:
nano init

Code:
#!/bin/busybox sh

rescue_shell () {
   echo "something went wrong. dropping you to a shell."
   busybox --install -s
   exec /bin/sh
}

mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev

# quiet kernel
echo 0 > /proc/sys/kernel/printk

# enter password
/sbin/cryptsetup -T 5 luksOpen /dev/sda1 cypher

# enable kernel messages
echo 1 > /proc/sys/kernel/printk

# activate lvm
/sbin/lvm.static vgscan --mknodes
/sbin/lvm.static vgchange -a y

mount -o ro /dev/mapper/vg-root /mnt/root || rescue_shell

# clean up
umount /proc
umount /sys
umount /dev
umount /usr

exec switch_root /mnt/root /sbin/init


Now we are creating the boot stick with our /boot partition and grub-legacy:

Quote:

You'll have to create the partition that will be later used for storing GRUB and kernel images. GRUB is around 1MB, kernel around 5MB, so even a very small partition will get you going. However, unless you're actually trying to boot from a stone age 16MB USB stick, you should make the partition a lot bigger for comfort, so you can have more than just one kernel and maybe even additional software like memtest86 on it. If you have a really big stick, you could even add the Gentoo LiveDVD as a rescue system to it later.

In this example, /dev/sdu is the USB stick.
Create a bootable primary partition using cfdisk, 128MB in size:

Code:
 cfdisk /dev/sdu
mkfs.ext2 /dev/sdu1


Label the boot partition:
Code:
 e2label /dev/sdu1 boot_stick

Quote:
The label may only be detected when you reconnect the USB stick. Since hot pluggable devices get a different device name every time, it can be hard to identify the boot partition properly. This problem is avoided by giving the ext2 file system an unique label. When plugging in the USB stick, you should be able to access the correct device as /dev/disk/by-label/boot_stick. You can also create a proper fstab entry for your boot partition, which allows it to be mounted properly later. Now you can mount boot and install grub onto it.

Mount the boot partition.
Code:
mount LABEL=boot_stick /mnt/gentoo/boot

Create a boot -> . symlink
Code:
ln -s . /mnt/gentoo/boot/boot

Run grub-install.
Code:
grub-install --root-directory=/mnt/gentoo/boot /dev/sdu

Create a menu.lst -> grub.conf symlink
Code:
ln -s grub.conf /mnt/gentoo/boot/grub/menu.lst


Now we have to edit grub.conf:
Code:
default 0
timeout 5
#splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title Gentoo Linux Kernel 3.7.0 (hardened)
root (hd0,0)
kernel /boot/linux-3.7.0-hardened
initrd /boot/initramfs.cpio.gz

title Gentoo Linux Kernel 3.6.11 (rescue)
root (hd0,0)
kernel /boot/kernel-3.6.11-gentoo-standard init=/bin/bb

after that:
Code:
cp /usr/src/linux/arch/x86_64/boot/bzImage /boot/<kernel>

Code:
chmod +x init

emerge cpio

find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/initramfs.cpio.gz


finally do:
Code:
exit
umount -l /mnt/gentoo/dev{/shm, /pts}
umount -l /mnt/gentoo{/boot, /proc}
umount /mnt/gentoo/boot
umount /mnt/gentoo/usr
umount /mnt/gentoo/var
umount /mnt/gentoo/tmp
umount /mnt/gentoo/opt
umount /mnt/gentoo/home
reboot

and log into your system!

While writing this document I began to recognize that nearly all I'm doing is "copy-paste and merging", but on the other hand I would have liked it to have such a compendium.
Moreover I've just read the guidelines:
Quote:
Provide detailed information about what your tip or trick does, and how it works.
Note: Please do not merely link to another website.
So I'll post it and if it's not appreciated I'll delete it again...
_________________
"I want to see gamma rays! I want to hear X-rays! Do you see the absurdity of what I am? I can't even express these things properly because I have to conceptualize complex ideas in this stupid limiting spoken language!"


Last edited by LoTeK on Mon Feb 11, 2013 10:00 pm; edited 4 times in total
Back to top
View user's profile Send private message
SlashBeast
Moderator
Moderator


Joined: 23 May 2006
Posts: 2799

PostPosted: Sun Jan 27, 2013 7:03 pm    Post subject: Reply with quote

shameless self adversation: you can use mine better-initramfs, you can get precompiled images from https://bitbucket.org/piotrkarbowski/better-initramfs/downloads just be sure to read readme.

I know about a few dozen people using it everyday, it does offer way more that you need in this very example but maybe its worth using instead of re-inventing the wheel.
_________________
BitBucket -- better-initramfs to address many usecases and linux's limitations.
Back to top
View user's profile Send private message
LoTeK
Apprentice
Apprentice


Joined: 26 Jul 2012
Posts: 270

PostPosted: Sun Jan 27, 2013 7:35 pm    Post subject: Reply with quote

Quote:
shameless self adversation

well if its better, than its better! :) Do you think I should add it to my modest documentation?
_________________
"I want to see gamma rays! I want to hear X-rays! Do you see the absurdity of what I am? I can't even express these things properly because I have to conceptualize complex ideas in this stupid limiting spoken language!"
Back to top
View user's profile Send private message
SlashBeast
Moderator
Moderator


Joined: 23 May 2006
Posts: 2799

PostPosted: Sun Jan 27, 2013 9:47 pm    Post subject: Reply with quote

Depends on one's taste, give a try and decide.
_________________
BitBucket -- better-initramfs to address many usecases and linux's limitations.
Back to top
View user's profile Send private message
Earthwings
Administrator
Administrator


Joined: 14 Apr 2003
Posts: 7750
Location: Karlsruhe, Germany

PostPosted: Sun Mar 03, 2013 1:03 pm    Post subject: Reply with quote

Split off Nothing but a single data point
_________________
KDE 4.12 - Get It While It's Hot!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum