* Re: luks testing and source deb pkg
2011-11-02 17:59 ` Lukas Anzinger
@ 2011-11-02 18:12 ` Vladimir 'φ-coder/phcoder' Serbinenko
2011-11-02 18:31 ` James M. Leddy
2011-11-03 9:38 ` Lukas Anzinger
2 siblings, 0 replies; 10+ messages in thread
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2011-11-02 18:12 UTC (permalink / raw)
To: grub-devel
On 02.11.2011 18:59, Lukas Anzinger wrote:
> Hi,
>
> I'm currently also trying to use the luks code from trunk by using
> a modified Debian package and the latest source from the Bazaar
> repository.
>
> However after entering the password, the grub menu doesn't show up and
> it states that the password is incorrect. I used 12345 which is
> obviously very hard to misspell repeatedly. I then tried to insert the
> master password from the LUKS partition directly into the source code
> and luckily succeeded with that! I'll post the snippet and my
> modifications to the package tomorrow if someone is interested. Since
> there is practically no information about this on the internet, I'll
> probably write a tutorial on how to do a full system encryption
> "TrueCrypt style" (i.e. with an encrypted /boot partition).
>
Could you make a small 1MiB example image, compress and send it to me?
> So my question is, James, how did you create your encrypted partition
> and what file system did you use?
>
> I always use "cryptsetup luksFormat /dev/sda1" (on Debian Sid) which
> uses aes-cbc-essiv as a default value AFAIK and ext3.
>
> Could you also append your tarred "debian" folder which generates the
> grub package(s)?
>
> Regards,
>
> Lukas
>
> On Tue, Nov 1, 2011 at 23:56, James M. Leddy <james.leddy@canonical.com> wrote:
>> Hi,
>>
>> I've successfully tested the luks code in ubuntu using a modified grub2
>> package. You can test yourself if you're already using crypted root and
>> separate /boot by rsyncing the /boot dev to the root filesystem, removing the
>> /etc/fstab entry, and running:
>>
>> # GRUB_CRYPTODISK_ENABLE=y grub-install --debug --modules=configfile
>> --modules=gcry_sha1 --modules=gcry_sha256 --modules=fshelp
>> --modules=biosdisk --modules=part_msdos --modules=linux --modules=ext2
>> --modules=help --modules=minicmd --modules=crypto --modules=cryptodisk
>> --modules=gcry_rijndael --modules=luks /dev/sda
>> # GRUB_CRYPTODISK_ENABLE=y update-grub
>>
>>
>> The merged source is available here:
>>
>> https://code.launchpad.net/~jm-leddy/+junk/grub-luks
>>
>> just do a :
>>
>> $ bzr branch lp:~jm-leddy/+junk/grub-luks
>> $ cd grub-luks
>> $ bzr builddeb
>>
>> _______________________________________________
>> Grub-devel mailing list
>> Grub-devel@gnu.org
>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>
--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: luks testing and source deb pkg
2011-11-02 17:59 ` Lukas Anzinger
2011-11-02 18:12 ` Vladimir 'φ-coder/phcoder' Serbinenko
@ 2011-11-02 18:31 ` James M. Leddy
2011-11-03 6:47 ` Lukas Anzinger
2011-11-03 9:38 ` Lukas Anzinger
2 siblings, 1 reply; 10+ messages in thread
From: James M. Leddy @ 2011-11-02 18:31 UTC (permalink / raw)
To: grub-devel
On 11/02/2011 01:59 PM, Lukas Anzinger wrote:
> Hi,
>
> I'm currently also trying to use the luks code from trunk by using
> a modified Debian package and the latest source from the Bazaar
> repository.
Please let me know where I can find this tree so that I can test myself.
Additionally, if you know if it should "just work" to just install the
Debian version to Ubuntu, please let me know. I'm a recent convert from
Fedora so a lot of this is new to me.
>
> However after entering the password, the grub menu doesn't show up and
> it states that the password is incorrect. I used 12345 which is
> obviously very hard to misspell repeatedly. I then tried to insert the
> master password from the LUKS partition directly into the source code
> and luckily succeeded with that! I'll post the snippet and my
> modifications to the package tomorrow if someone is interested. Since
> there is practically no information about this on the internet, I'll
> probably write a tutorial on how to do a full system encryption
> "TrueCrypt style" (i.e. with an encrypted /boot partition).
Expect one from me as well @ jmleddy.wordpress.com
>
> So my question is, James, how did you create your encrypted partition
> and what file system did you use?
>
> I always use "cryptsetup luksFormat /dev/sda1" (on Debian Sid) which
> uses aes-cbc-essiv as a default value AFAIK and ext3.
That's exactly what I did, except with ext4. The file system shouldn't
matter in evaluating the password. From dmsetup table:
aes-cbc-essiv:sha256
> Could you also append your tarred "debian" folder which generates the
> grub package(s)?
Sure thing when I have a little more time.
>
> Regards,
>
> Lukas
>
> On Tue, Nov 1, 2011 at 23:56, James M. Leddy <james.leddy@canonical.com> wrote:
>> Hi,
>>
>> I've successfully tested the luks code in ubuntu using a modified grub2
>> package. You can test yourself if you're already using crypted root and
>> separate /boot by rsyncing the /boot dev to the root filesystem, removing the
>> /etc/fstab entry, and running:
>>
>> # GRUB_CRYPTODISK_ENABLE=y grub-install --debug --modules=configfile
>> --modules=gcry_sha1 --modules=gcry_sha256 --modules=fshelp
>> --modules=biosdisk --modules=part_msdos --modules=linux --modules=ext2
>> --modules=help --modules=minicmd --modules=crypto --modules=cryptodisk
>> --modules=gcry_rijndael --modules=luks /dev/sda
>> # GRUB_CRYPTODISK_ENABLE=y update-grub
>>
>>
>> The merged source is available here:
>>
>> https://code.launchpad.net/~jm-leddy/+junk/grub-luks
>>
>> just do a :
>>
>> $ bzr branch lp:~jm-leddy/+junk/grub-luks
>> $ cd grub-luks
>> $ bzr builddeb
>>
^ permalink raw reply [flat|nested] 10+ messages in thread
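The cipher comparison in the messages above (aes-cbc-essiv:sha256, as shown by dmsetup table) can also be read directly from the header of a small test image. The following is an added example, not code from this thread or from GRUB: it parses the LUKS1 on-disk header fields and lists the active key slots. The function names are this example's own, and the sample header is constructed rather than taken from a real disk.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header: all integers big-endian, strings NUL-padded.
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
SLOT = struct.Struct(">II32sII")                   # 8 slots x 48 bytes
SLOT_ACTIVE = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Return cipher parameters and active key slots from a LUKS1 header."""
    if len(buf) < HDR.size + 8 * SLOT.size:
        raise ValueError("need at least 592 bytes for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _mk_digest, _mk_salt, _mk_iter, uuid) = HDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    active = []
    for i in range(8):
        state = SLOT.unpack_from(buf, HDR.size + i * SLOT.size)[0]
        if state == SLOT_ACTIVE:
            active.append(i)
    return {
        "cipher_spec": "%s-%s" % (_cstr(cipher), _cstr(mode)),
        "hash_spec": _cstr(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_off,
        "uuid": _cstr(uuid),
        "active_slots": active,
    }


def build_sample_header():
    """Constructed header (not from a real disk): aes-cbc-essiv:sha256, slot 0 active."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                   bytes(20), bytes(32), 1000,
                   b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ACTIVE, 1000, bytes(32), 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return hdr + slots


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

For a real image, pass the first 592 bytes of the file or partition to `parse_luks1_header()`.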
* Re: luks testing and source deb pkg
2011-11-02 18:31 ` James M. Leddy
@ 2011-11-03 6:47 ` Lukas Anzinger
2011-11-03 10:55 ` Vladimir 'φ-coder/phcoder' Serbinenko
0 siblings, 1 reply; 10+ messages in thread
From: Lukas Anzinger @ 2011-11-03 6:47 UTC (permalink / raw)
To: The development of GNU GRUB
I attached the contents of my debian folder which I used to build
proper packages out of revision 3520 from trunk. It's only tested on
x86 and the efi parts have been *removed* from the Debian package.
This is due to a bug in the grub build system (?) which I reported
here (http://lists.gnu.org/archive/html/grub-devel/2011-10/msg00048.html).
I didn't investigate any further since I don't need it. I removed some
patches that have already been applied to upstream (i.e. trunk) and
some patches that would need further work.
Before you can create the packages, you have to sync the translations
to the "po" directory of grub. Just read the README in the "po"
directory. After installation you have to add
"GRUB_CRYPTODISK_ENABLE=y" to /etc/default/grub.
# grub-install --debug
# update-grub
Make sure that the contents of your fstab file are correct and
everything is encrypted!
On Wed, Nov 2, 2011 at 19:31, James M. Leddy <james.leddy@ubuntu.com> wrote:
> Please let me know where I can find this tree so that I can test myself.
> Additionally, if you know if it should "just work" to just install the
> Debian version to Ubuntu, please let me know. I'm a recent convert from
> Fedora so a lot of this is new to me.
You could try, however, I would never do it on a production system but
rather in a VM.
2011/11/2 Vladimir 'φ-coder/phcoder' Serbinenko <phcoder@gmail.com>:
> Could you make a small 1MiB example image, compress and send it to me?
Do you mean the core.img created from the latest revision without any
modifications?
On Tue, Nov 1, 2011 at 23:56, James M. Leddy <james.leddy@canonical.com> wrote:
> $ bzr branch lp:~jm-leddy/+junk/grub-luks
Seems to me that you used the luks branch from grub. luks has already
been integrated into trunk; there is no need to do that.
Regards,
Lukas
[-- Attachment #2: grub2-3520-debian.tgz --]
[-- Type: application/x-gzip, Size: 298217 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: luks testing and source deb pkg
2011-11-02 17:59 ` Lukas Anzinger
2011-11-02 18:12 ` Vladimir 'φ-coder/phcoder' Serbinenko
2011-11-02 18:31 ` James M. Leddy
@ 2011-11-03 9:38 ` Lukas Anzinger
2011-11-03 9:42 ` Lukas Anzinger
2011-11-03 10:56 ` Vladimir 'φ-coder/phcoder' Serbinenko
2 siblings, 2 replies; 10+ messages in thread
From: Lukas Anzinger @ 2011-11-03 9:38 UTC (permalink / raw)
To: The development of GNU GRUB
On Wed, Nov 2, 2011 at 18:59, Lukas Anzinger <l.anzinger@gmail.com> wrote:
> However after entering the password, the grub menu doesn't show up and
> it states that the password is incorrect. I used 12345 which is
> obviously very hard to misspell repeatedly.
It seems that the function grub_getpassword() has problems with
numbers coming from the numpad. I added some debugging printfs to the
luks code and found out that the passphrase variable always contained
an empty string.
I then investigated the problem further and found out that it also
happens if I place the password 12345 in the grub.cfg:
##
set superuser="foo"
password foo 12345
##
I can only edit a boot entry if I enter 12345 *NOT* via the num pad.
This seems to be a bug in grub_password_get() or one of the functions
it calls, like grub_getkey().
Regards,
Lukas
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: luks testing and source deb pkg
2011-11-03 9:38 ` Lukas Anzinger
@ 2011-11-03 9:42 ` Lukas Anzinger
2011-11-03 10:56 ` Vladimir 'φ-coder/phcoder' Serbinenko
1 sibling, 0 replies; 10+ messages in thread
From: Lukas Anzinger @ 2011-11-03 9:42 UTC (permalink / raw)
To: The development of GNU GRUB
Works for me now, if I disable num lock and enable it afterwards.
Strange problem, VirtualBox could also be at fault, though.
On Thu, Nov 3, 2011 at 10:38, Lukas Anzinger <l.anzinger@gmail.com> wrote:
> On Wed, Nov 2, 2011 at 18:59, Lukas Anzinger <l.anzinger@gmail.com> wrote:
> I can only edit a boot entry if I enter 12345 *NOT* via the num pad.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: luks testing and source deb pkg
2011-11-03 9:38 ` Lukas Anzinger
2011-11-03 9:42 ` Lukas Anzinger
@ 2011-11-03 10:56 ` Vladimir 'φ-coder/phcoder' Serbinenko
2011-11-03 11:11 ` Lukas Anzinger
1 sibling, 1 reply; 10+ messages in thread
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2011-11-03 10:56 UTC (permalink / raw)
To: grub-devel
On 03.11.2011 10:38, Lukas Anzinger wrote:
> On Wed, Nov 2, 2011 at 18:59, Lukas Anzinger <l.anzinger@gmail.com> wrote:
>> However after entering the password, the grub menu doesn't show up and
>> it states that the password is incorrect. I used 12345 which is
>> obviously very hard to misspell repeatedly.
> It seems that the function grub_getpassword() has problems with
> numbers coming from the numpad. I added some debugging printfs to the
> luks code and found out that the passphrase variable always contained
> an empty string.
>
> I then investigated the problem further and found out that it also
> happens if I place the password 12345 in the grub.cfg:
>
> ##
> set superuser="foo"
> password foo 12345
> ##
>
> I can only edit a boot entry if I enter 12345 *NOT* via the num pad.
>
Stupid question: numlock?
> This seems to be a bug in grub_password_get() or one of the functions
> it calls, like grub_getkey().
>
> Regards,
>
> Lukas
>
--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
^ permalink raw reply [flat|nested] 10+ messages in thread