lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Thu, 17 Jan 2008 16:50:53 +0100
From:	Christoph Anton Mitterer 
	<christoph.anton.mitterer@...sik.uni-muenchen.de>
To:	linux-kernel@...r.kernel.org
Subject: kexec, initramdisk and dmcrypt questions

Hi.

I'd like to setup a system where all partitions (including the root file
system) are encrypted using dmcrypt.
Of course I need some place where I can boot from, and I intended to use
an USB-stick for that purpose.

Now I think there are (at least) the following two ways of doing this:

1) Traditional way
Boot from the USB-Stick with and initramsdisk,.. that sets up dmcrypt
and mounts the root-filesystem.

-Has the advantages that it's pretty well supported by some distros
(e.g. Debian) and it's very easy to setup.
-Has the disadvantages, that I'll always have to update the contents of
the stick when I install a new kernel (btw: does anybody know of an
write-once USB-Stick? ;) )

After booting it should be possible to just plug out the stick (as the
kernel and the modules are already loaded), or not?



2) using kexec.
I could imagine that my USB-stick serves just as loader,... having a
kernel and initrd that sets up dmcrypt/mounts root and calls kexec for
the "real" working kernel and the corresponding initramdisk, that are
both stored encrypted on e.g. the root filesystem in /boot/ or so...
The initrd of the working kernel contains the dmcrypt keys and
automatically sets up the mappings and mounts the filesystems.

-Has the advantage that this is nearly transparent for the system,
especially for tools that automatically create the initramdisk (stuff
like update-initramfs in Debian)
-And I would (nearly) never have to change the contents of the
loader-USB-stick.

Now I've read through the kexec documentation and I wonder wheter using
kexec might have some negative impact?
As the firmware is already initialised (by the loader kernel??) and the
working kernel must be put on different addresses.

I'm also not sure how to use the "architecture options" from the kexec
userspace tools?

Any ideas, help, suggestions, or threads ;) ?

Thanks and best wishes,
Chris.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ