Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[FDE] how to fix encrypted boot double password promt
View unanswered posts
View posts from last 24 hours

Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message

Joined: 23 Nov 2018
Posts: 1

PostPosted: Fri Nov 23, 2018 3:03 pm    Post subject: [FDE] how to fix encrypted boot double password promt Reply with quote

So what am I trying to do is to create a secured gentoo linux setup, but this must be a bit similar with other linux distro's.
The problem that I'm facing is closing Evil Maid Attack vector, which malicios bootloader or linux kernel/initramfs being replaced
So far I've found 2 solutions:
1) not to use any bootloader except use UEFI firwware to load signed kernel with use of a Secure Boot, my UEFI doesnt support passing arguments("grub kernel parameters") so I would need to include initramfs and kernel parametrs in kernel, also updating kernel becomes so painfull
2) boot with signed grub (secure boot again) and encrypt my /boot partition and enable grub's LVM and LUKS support in config file, I managed to successfully setup my system with OpenRC
!!! but when GRUB loads kernel it does not passes unencrypted storage to kernel so it asks for password one more time, thats what I am trying to fix
and to fix that I need include encryption key in my initramfs, which I know is possible with such tools as dracut or genkernel-next but its unknown to me how can I configure those tools to do that
please let me know if there are other ways to close that attack vector or if there a solution to double password promt
Back to top
View user's profile Send private message

Joined: 26 May 2018
Posts: 4

PostPosted: Mon Dec 31, 2018 11:49 am    Post subject: Reply with quote

Okay, so if I understand correctly you want the in-memory kernel to be able to unlock your encrypted partition. Here is how I did it : (A long time ago, so I don't know if genkernel natively support this or not now)

-I made a folder holding files I want to add to the genkernel initramfs: /usr/local/src/initramfs/fs_content_overlay
-This folder contains a LUKS keyfile and a custom linuxrc shell script (sh)
-There are two ways:
*you can copy the default genkernel linuxrc and modify it to make it use the bundled keyfile.
*you write your own custom linuxrc
I did the latter.

The linuxrc is the script ran by the kernel from the initramfs after it just finished booting (or more accuratly -with genkernel- it runs the init script which is a symlink to linuxrc)

I intented to write a detailed post on the forum as a HOW TO guide but because I'm lazy I did not even start it yet.

Here is an example linuxrc :
(Because I KNOW someone is going to ask me to do it, I put a license explicitly, but I'm not even sure if i can, because I think some parts come from the wiki)

#!/bin/busybox sh

#Copyright (C) 2018  Kimitsune

#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.

#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#GNU General Public License for more details.

#You should have received a copy of the GNU General Public License
#along with this program. If not, see <>.

rescue_shell() {
   echo "Something went wrong.  Here is a shell. Fix it."
   echo $@ >&2
   /bin/busybox --install -s
   exec /bin/sh

if [ "$$" != '1' ]
   echo '/linuxrc has to be run as the init process as the one'
   echo 'with a PID of 1. Try adding init="/linuxrc" to the'
   echo 'kernel command line or running "exec /linuxrc".'
   rescue_shell "Not PID 1: Investigate."

mount -t devtmpfs none /dev
mount -t proc none /proc
mount -t sysfs none /sys

# Prevent superfluous printks from being printed to the console
echo 1 > /proc/sys/kernel/printk

# Set up symlinks
/bin/busybox --install -s || rescue_shell "Busybox failed"


for x in $(cat /proc/cmdline); do
   case $x in
      rescue_shell "Dropping to shell according to kernel command line"

mkdir -p /mnt/root || rescue_shell "Cannot mkdir /mnt/root"

cryptsetup luksOpen /dev/XXXXX XXXXX --key-file /XXXXXX || rescue_shell "Unable to mount LUKS container with keyfile"


#support resume from disk
#EDIT HERE TOO, put your swap device
local device=$(ls -lL "/dev/XXXXX" | sed 's/\  */ /g' | cut -d \  -f 5-6 | sed 's/,\ */:/')
echo "${device}" > /sys/power/resume

sleep 2

#If you want swap mounted before full userspace is ready, uncomment this line
#swapon /dev/XXXX || rescue_shell "Unable to mount swap"

if [ -z ${skipfsck+x} ]; then #checking if skipfsck is unset
    echo "Checking filesystem"
    e2fsck -pv -C0 /dev/XXXXX || (echo "fsck failed on root." ; sleep 5)
    echo "Skipping filesystem checking according to command line"

mount -o "${mntopts}" /dev/XXXXX  /mnt/root || rescue_shell "Unable to mount root"

echo "Moving special system mounts before entering switch_root"

mount --move /proc /mnt/root/proc || rescue_shell "Unable to move mounts"
mount --move /sys /mnt/root/sys || rescue_shell "Unable to move mounts"
mount --move /dev /mnt/root/dev || rescue_shell "Unable to move mounts"

exec switch_root /mnt/root /sbin/init

echo "A fatal error has occured since /sbin/init did not"
echo "boot correctly. Trying to open a shell..."

exec /bin/bash
exec /bin/sh
exec /bin/ash
exec /bin/dash
exec sh

Read VERY carefully the script and edit each time the devices names with your own.
It requires the kernel to be compiled with the devtmpfs option.

-Then to build the initramfs you use :
genkernel --initramfs-overlay=/usr/local/src/initramfs/fs_content_overlay/ --linuxrc=/usr/local/src/initramfs/fs_content_overlay/linuxrc --luks --busybox --e2fsprogs initramfs
(If you need more options feel free to add them, in my case btrfs and luks)

And voila. It works well for me.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum