LoTeK Apprentice
Joined: 26 Jul 2012 Posts: 270
Posted: Sun Jan 27, 2013 4:30 pm Post subject: set up hardened gentoo with dm-crypt, LVM, /boot on USB-stick
hi,
Because I had several problems when I first tried to install hardened gentoo on a fully encrypted SSD with LVM2 on top of it and the unencrypted boot partition /boot on a separate USB-stick, I've documented my second installation rigorously.
objective of the installation:
unencrypted /boot on a separate USB-stick containing at least one kernel-image, an initramfs and grub-legacy
fully encrypted hard drive
LVM2 on top of the encrypted harddrive
/, /usr, /tmp, /var, /opt, /home and swap on separate logical volumes
ASSUMPTIONS:
I've installed gentoo this way on a T420s, therefore the assumed architecture is amd64, but AFAIK it should work with any other supported architecture.
I've created a bootable USB-stick with an "install-amd64-minimal.iso" to do the installation, but from this thread: https://forums.gentoo.org/viewtopic-t-943466-highlight-.html I know that this is not necessarily the best way to do it.
I will document how I did it, so there may be several other ways to achieve the same setup. If I did something very inelegant or even wrong, I'm sorry and I would appreciate constructive criticism.
START:
First create a bootable USB-stick with, for example, unetbootin (this program should be available for every distribution). You'll have to make a DOS-filesystem with:
Then download the latest iso-image, verify it and launch unetbootin. After creating the stick, umount it, start your target machine and boot from the stick.
Then follow the gentoo handbook until chapter 4.
Now create a partition with fdisk and add the "8e" flag (or create any other partition table you want)
Then, according to en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID, encrypt the partition with:
Code: | cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda1 |
Of course there are other algorithms than aes, and I've read that it doesn't make sense to write random numbers on the SSD before the encryption:
Quote: | Note: using an SSD to store confidential data needs more consideration because of the way that an SSD relocates data in order to provide "wear levelling". Should an attacker have unfettered physical access to the drive, they will be able to read data that the operating system appeared to have overwritten by bypassing the flash controller. Even if you filled the entire disk, there's a large amount of "hidden" space for wear levelling that will contain previously written and now discarded data. You should instead consider using an SSD that does its own encryption. |
from this website: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS#Filling_the_disk_with_random_data
the following is nearly one to one from: http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID#DM-Crypt
afterwards open the encrypted device (instead of "cypher" you can use any name you like): Code: | cryptsetup luksOpen /dev/sda1 cypher |
then create a physical volume that contains the encrypted device:
Code: | pvcreate /dev/mapper/cypher |
then a volume group:
Code: | vgcreate vg /dev/mapper/cypher |
and afterwards the logical volumes:
Code: | lvcreate -L1G -nroot vg
lvcreate -L25G -nusr vg
lvcreate -L10G -nvar vg
lvcreate -L5G -ntmp vg
lvcreate -L30G -nhome vg
lvcreate -L5G -nopt vg
lvcreate -L10G -nswap vg |
Then create the filesystems (I used ext4; last time I used xfs, which was good too):
Code: | mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-usr
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-tmp
mkfs.ext4 /dev/mapper/vg-opt
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap |
after this, mount everything:
Code: | swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt/gentoo
mkdir /mnt/gentoo/usr
mount /dev/mapper/vg-usr /mnt/gentoo/usr
mkdir /mnt/gentoo/var
mount /dev/mapper/vg-var /mnt/gentoo/var
mkdir /mnt/gentoo/tmp
mount /dev/mapper/vg-tmp /mnt/gentoo/tmp
mkdir /mnt/gentoo/opt
mount /dev/mapper/vg-opt /mnt/gentoo/opt
mkdir /mnt/gentoo/home
mount /dev/mapper/vg-home /mnt/gentoo/home |
Now continue with the handbook (if you want to install hardened gentoo, then instead of Code: | emerge gentoo-sources | do: Code: | emerge hardened-sources |)
and take the latest hardened stage-3 tarball: ../releases/amd64/current-iso/hardened/stage-3-amd64-hardened-*.tar.bz2
I configured the kernel according to:
Don't install genkernel, because we will create our own initramfs (if you don't want to create your own you can go on with genkernel, but when I did it this way it didn't work).
After compiling the kernel, don't yet run:
Code: | cp arch/x86_64/boot/bzImage /boot/<kernelname> |
because we don't have a /boot partition yet.
/etc/fstab: Code: | # <fs> <mountpoint> <type> <opts> <dump/pass>
LABEL=boot_stick /boot ext2 noauto,noatime 1 2
/dev/mapper/vg-root / ext4 noatime 0 1
/dev/mapper/vg-usr /usr ext4 noatime 0 2
/dev/mapper/vg-var /var ext4 noatime 0 2
/dev/mapper/vg-tmp /tmp ext4 noatime 0 2
/dev/mapper/vg-opt /opt ext4 noatime 0 2
/dev/mapper/vg-home /home ext4 noatime 0 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0 |
after reaching the end of chapter 9 of the handbook, don't follow chapter 10 but do:
(Follow the steps exactly, because the first time I didn't create all directories in /usr/src/initramfs and it didn't work until I created them.)
Code: | mkdir /usr/src/initramfs
cd /usr/src/initramfs
mkdir -p bin lib dev etc mnt/root proc root sbin sys
cp -a /dev/null /usr/src/initramfs/dev/
cp -a /dev/console /usr/src/initramfs/dev/
cp -a /dev/tty /usr/src/initramfs/dev/
cp -a /dev/sda1 /usr/src/initramfs/dev/
# static busybox: the initramfs has no libc, so everything in it must be statically linked
USE="static -pam -savedconfig" emerge -av busybox
cp -a /bin/busybox /usr/src/initramfs/bin/busybox
USE="static-libs static" emerge sys-fs/lvm2
cp -a /sbin/lvm.static /usr/src/initramfs/sbin
USE="static-libs static" emerge sys-fs/cryptsetup
cp -a /sbin/cryptsetup /usr/src/initramfs/sbin
cp -a /dev/random /usr/src/initramfs/dev
cp -a /dev/urandom /usr/src/initramfs/dev |
Now we create init:
Code: | #!/bin/busybox sh
rescue_shell () {
    echo "something went wrong. dropping you to a shell."
    busybox --install -s
    exec /bin/sh
}
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
# quiet kernel
echo 0 > /proc/sys/kernel/printk
# enter password (up to 5 tries); drop to a shell if the LUKS container cannot be opened
/sbin/cryptsetup -T 5 luksOpen /dev/sda1 cypher || rescue_shell
# enable kernel messages
echo 1 > /proc/sys/kernel/printk
# activate lvm
/sbin/lvm.static vgscan --mknodes
/sbin/lvm.static vgchange -a y
mount -o ro /dev/mapper/vg-root /mnt/root || rescue_shell
# clean up (nothing is mounted on /usr inside the initramfs, so only these three are unmounted)
umount /proc
umount /sys
umount /dev
exec switch_root /mnt/root /sbin/init |
Now we create the boot stick with our /boot partition and grub-legacy:
Quote: |
You'll have to create the partition that will be later used for storing GRUB and kernel images. GRUB is around 1MB, kernel around 5MB, so even a very small partition will get you going. However, unless you're actually trying to boot from a stone age 16MB USB stick, you should make the partition a lot bigger for comfort, so you can have more than just one kernel and maybe even additional software like memtest86 on it. If you have a really big stick, you could even add the Gentoo LiveDVD as a rescue system to it later.
In this example, /dev/sdu is the USB stick.
Create a bootable primary partition using cfdisk, 128MB in size: |
Code: | cfdisk /dev/sdu
mkfs.ext2 /dev/sdu1 |
Label the boot partition:
Code: | e2label /dev/sdu1 boot_stick |
Quote: | The label may only be detected when you reconnect the USB stick. Since hot pluggable devices get a different device name every time, it can be hard to identify the boot partition properly. This problem is avoided by giving the ext2 file system an unique label. When plugging in the USB stick, you should be able to access the correct device as /dev/disk/by-label/boot_stick. You can also create a proper fstab entry for your boot partition, which allows it to be mounted properly later. Now you can mount boot and install grub onto it. |
Mount the boot partition.
Code: | mount LABEL=boot_stick /mnt/gentoo/boot |
Create a boot -> . symlink
Code: | ln -s . /mnt/gentoo/boot/boot |
Run grub-install.
Code: | grub-install --root-directory=/mnt/gentoo/boot /dev/sdu |
Create a menu.lst -> grub.conf symlink
Code: | ln -s grub.conf /mnt/gentoo/boot/grub/menu.lst |
Now we have to edit grub.conf:
Code: | default 0
timeout 5
#splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Gentoo Linux Kernel 3.7.0 (hardened)
root (hd0,0)
kernel /boot/linux-3.7.0-hardened
initrd /boot/initramfs.cpio.gz
title Gentoo Linux Kernel 3.6.11 (rescue)
root (hd0,0)
kernel /boot/kernel-3.6.11-gentoo-standard init=/bin/bb |
after that:
Code: | cp /usr/src/linux/arch/x86_64/boot/bzImage /boot/<kernel> |
Code: | cd /usr/src/initramfs
chmod +x init
emerge cpio
find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/initramfs.cpio.gz |
finally do:
Code: | exit
umount -l /mnt/gentoo/dev{/shm,/pts,}
umount -l /mnt/gentoo/proc
umount /mnt/gentoo/boot
umount /mnt/gentoo/usr
umount /mnt/gentoo/var
umount /mnt/gentoo/tmp
umount /mnt/gentoo/opt
umount /mnt/gentoo/home
umount /mnt/gentoo
reboot |
and log into your system!
While writing this document I began to recognize that nearly all I'm doing is "copy-paste and merging", but on the other hand I would have liked to have had such a compendium.
Moreover, I've just read the guidelines:
Quote: | Provide detailed information about what your tip or trick does, and how it works.
Note: Please do not merely link to another website. |
So I'll post it and if it's not appreciated I'll delete it again...
_________________ "I want to see gamma rays! I want to hear X-rays! Do you see the absurdity of what I am? I can't even express these things properly because I have to conceptualize complex ideas in this stupid limiting spoken language!"
Last edited by LoTeK on Mon Feb 11, 2013 10:00 pm; edited 4 times in total
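As an added example (not part of LoTeK's post or of the Gentoo wiki pages it draws on), here is a small Python pre-flight check for the initramfs tree built above, to run right before the cpio step. It checks the layout the post found necessary (all the directories under /usr/src/initramfs), that init is executable and starts with the busybox shebang, and that bin/busybox, sbin/lvm.static and sbin/cryptsetup really are static ELF binaries, by parsing their program headers for PT_INTERP or PT_DYNAMIC. The paths and file names come from the post; the function names are mine, and the ELF images built by make_elf() and the trees built by demo() are constructed test fixtures, not real binaries.

```python
"""Pre-flight check for a hand-built initramfs tree (added example, not from the
original post). Verifies the directory layout the post needs, that init is an
executable busybox script, and that busybox/lvm.static/cryptsetup are static ELF
binaries: a dynamically linked one only fails at boot, when there is no libc or
ld.so in the image to load it. Paths follow the post; fixtures are synthetic."""
import os
import struct
import sys
import tempfile

REQUIRED_DIRS = ["bin", "lib", "dev", "etc", "mnt/root", "proc", "root", "sbin", "sys"]
REQUIRED_STATIC = ["bin/busybox", "sbin/lvm.static", "sbin/cryptsetup"]
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def elf_is_static_data(data):
    """True if no PT_INTERP/PT_DYNAMIC program header exists (ELF32/64, any endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:    # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif data[4] == 1:  # ELFCLASS32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True


def elf_is_static(path):
    with open(path, "rb") as f:
        return elf_is_static_data(f.read())


def check_initramfs_tree(root):
    """Return the list of problems found under root (empty list = ready to pack)."""
    problems = []
    for d in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, d)):
            problems.append("missing directory: " + d)
    init = os.path.join(root, "init")
    if not os.path.isfile(init):
        problems.append("missing init")
    else:
        if not os.stat(init).st_mode & 0o111:
            problems.append("init is not executable (chmod +x init)")
        with open(init, "rb") as f:
            if not f.readline().startswith(b"#!/bin/busybox sh"):
                problems.append("init does not start with '#!/bin/busybox sh'")
    for rel in REQUIRED_STATIC:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append("missing binary: " + rel)
            continue
        try:
            if not elf_is_static(path):
                problems.append("dynamically linked: " + rel)
        except ValueError as e:
            problems.append("%s: %s" % (rel, e))
    return problems


def make_elf(static):
    """Constructed fixture: minimal ELF64 with one PT_LOAD (static) or PT_INTERP (dynamic)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD if static else PT_INTERP, 5, 0, 0, 0, 0, 0, 0x1000)
    return ehdr + phdr


def demo():
    """Build a good tree and a broken one (init 0644, dynamic busybox, no cryptsetup)."""
    reports = []
    for good in (True, False):
        root = tempfile.mkdtemp(prefix="initramfs-")
        for d in REQUIRED_DIRS:
            os.makedirs(os.path.join(root, d))
        for rel in REQUIRED_STATIC:
            if good or rel != "sbin/cryptsetup":
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(make_elf(static=good or rel != "bin/busybox"))
        init = os.path.join(root, "init")
        with open(init, "w") as f:
            f.write("#!/bin/busybox sh\nexec /bin/sh\n")
        os.chmod(init, 0o755 if good else 0o644)
        reports.append(check_initramfs_tree(root))
    return reports


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/src/initramfs"
    for line in check_initramfs_tree(target) or ["OK: tree is ready for cpio"]:
        print(line)
```

Run it as `python initramfs_check.py /usr/src/initramfs` before the `find . | cpio` step; an empty report means the tree is ready to pack. The static-linking check is the one that matters most: if USE="static" did not take effect for busybox, lvm2 or cryptsetup, the build succeeds anyway and the failure only shows up when init tries to exec the binary at boot, with no libc in the image to explain why.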
SlashBeast Retired Dev
Joined: 23 May 2006 Posts: 2922
Posted: Sun Jan 27, 2013 7:03 pm
Shameless self-advertisement: you can use my better-initramfs; you can get precompiled images from https://bitbucket.org/piotrkarbowski/better-initramfs/downloads, just be sure to read the readme.
I know about a few dozen people using it every day. It does offer way more than you need in this very example, but maybe it's worth using instead of re-inventing the wheel.
LoTeK Apprentice
Joined: 26 Jul 2012 Posts: 270
Posted: Sun Jan 27, 2013 7:35 pm
Quote: | shameless self-advertisement |
Well, if it's better, then it's better! Do you think I should add it to my modest documentation?
SlashBeast Retired Dev
Joined: 23 May 2006 Posts: 2922
Posted: Sun Jan 27, 2013 9:47 pm
Depends on one's taste; give it a try and decide.
Earthwings Bodhisattva
Joined: 14 Apr 2003 Posts: 7753 Location: Germany