* RE : Full Disk Encryption (including
@ 2012-09-09 12:38 Arbiel
From: Arbiel @ 2012-09-09 12:38 UTC (permalink / raw)
  To: Survey Response, grub-devel


Hi

Didn't you forget a "/" between the disk's UUID and the variable holding the file name in the linux command?

Arbiel




Sent from Samsung Galaxy Note

Survey Response <survey.response@live.com> wrote:

Hi,

On my USB drive, I have encrypted the entire disk as a single LUKS encrypted partition. I have the grub files on this partition with an ISO image for a Debian-live based distribution. I compiled Grub 2.00 with the necessary crypto modules and left a larger embedding zone before the first LUKS partition to accommodate the larger second-stage bootloader (my core.img is about 44K). When I boot off this USB drive, GRUB asks me the password initially for the encrypted drive and then gets to the point where it brings up the menu, but I couldn't get it to load the kernel since I need to pass the kernel the system device for the ISO image (the live-media and fromiso boot parameters below) and I notice that the devices are not available at the time of loading the kernel (or later, for that matter). Can somebody help me figure out what I am doing wrong? Would be much obliged, since I have been spending some time trying to figure this out.

Here is my grub.cfg

menuentry 'FDE Live' {
        set isofile="/ISOs/linux.iso"

        # The UUID for the encrypted LUKS partition as obtained by running blkid
        set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"

        # The UUID for the decrypted ext4 fs in the LUKS partition
        set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"

        insmod part_msdos
        insmod loopback
        insmod iso9660
        insmod cryptodisk
        insmod luks

        echo 'Mounting encrypted disk ...'
        cryptomount -u ${encryptedfs_uuid}

        echo 'Searching for the root fs in the decrypted fs...'
        set root=(cryptouuid/${encryptedfs_uuid})
        search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}

        echo 'Setting up a loopback device to the CD image'
        loopback loop $root/$isofile
        set root=loop

        echo 'Loading Linux Kernel ...'
        linux  /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128

        echo 'Loading initial ramdisk ...'
        initrd /live/initrd.img
}

From the debugging output on the console, I see that /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the decryptedfs_uuid) does not exist at the time the linux kernel is being loaded. I can access this folder from the grub command line using the Grub drive (cryptouuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso, but I need to be able to reference this in a way the linux kernel would understand.

Once again, thanks for any help. Pardon any newbie mistakes I may be making. It's a learning experience for me and I am hoping this would be a good exercise in understanding how it all works.

Thanks,
Steve


* RE: RE : Full Disk Encryption (including
@ 2012-09-09 15:23 ` Survey Response
From: Survey Response @ 2012-09-09 15:23 UTC (permalink / raw)
  To: arbiel.perlacremaz, grub-devel



Hi Arbiel,
The isofile is set with the leading "/" . The problem appears to be caused by the fact that the system devices are not created at the time the kernel is loaded. The LUKS partition appears to be decrypted, since I can list the ISO folder under (crypt0), but there is no equivalent device under /dev that I can pass to the linux command.
Thanks,
Steve


* Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command
@ 2012-09-12  2:34   ` Steve R
From: Steve R @ 2012-09-12  2:34 UTC (permalink / raw)
  To: grub-devel, help-grub



Hi,
Haven't heard back any suggestions on how to work my way around this problem. Hoping the changed subject line is more specific as to the problem I am running into and would attract some more eyeballs to help me figure this one out.
To recap, I am trying to use Grub 2.00 (with Luks support enabled) to boot a Debian-live system from an encrypted LUKS partition. /boot is also located in the encrypted partition. I am using grub.cfg like below, and things work fine (with Grub requesting a password for the encrypted file system and parsing grub.cfg, displaying the menu, etc.). The problem arises with the linux command to load the kernel. Loading the Debian-live based OS requires passing a reference to the file system hosting the file system, via the live-media kernel command-line parameter. I am passing this reference as /dev/disk/by-uuid/<uuid-of-the-decrypted-fs>. The UUID I am using is the one read by blkid when I mounted and decrypted this encrypted partition from another Linux host. However, this does not work and from the debugging output on the console, it appears to be because the path to the decrypted fs device is invalid. If I mount and decrypt the LUKS partition from a running Linux OS, this device is always created with the same UUID, so I expected this to happen when GRUB decrypts the LUKS partition. Turns out not to be the case.
Could someone please point me in the right direction or to examples showing grub.cfg for fully encrypted Debian-live based systems (including /boot)?
Thanks in advance, and apologies for any newbie questions. I am learning as I go.
Regards,
Steve.


* Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command
@ 2012-09-12  5:39     ` Vladimir 'φ-coder/phcoder' Serbinenko
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2012-09-12  5:39 UTC (permalink / raw)
  To: The development of GNU GRUB


On 12.09.2012 04:34, Steve R wrote:

> Hi,
> 
> Haven't heard back any suggestions on how to work my way around this
> problem. Hoping the changed subject line is more specific as to the
> problem I am running into and would attract some more eyeballs to help
> me figure this one out.
> 
> To recap,
> I am trying to use Grub 2.00 (with Luks support enabled) to boot a
> Debian-live system from an encrypted LUKS partition. /boot is also
> located in the encrypted Partition. I am using grub.cfg like below, and
> things work fine (With Grub requesting a password for the encrypted file
> system and parsing grub.cfg, displaying the menu, etc.. The problem
> arises with the linux command to load the kernel. Loading the
> Debian-live based OS requires passing a reference to the file system
> hosting the file system, via the live-media kernel command-line
> parameter. I am passing this reference as
> /dev/disk/by-uuid/<uuid-of-the-decrypted-fs> . The UUID I am using is
> the one read by blkid when I mounted and decrypted this encrypted
> partition from another Linux host. However, this does not work and from
> the debugging output on the console, it appears to be because the path
> to the decrypted fs device is invalid. If I mount and decrypt the LUKS
> partition from a running Linux OS, this device is always created with
> the same UUID, so I expected this to happen when GRUB decrypts the LUKS
> partition. Turns out not to be the case.
> 
> Could someone please point me in the right direction or examples showing
> grub.cfg for fully encrypted Debian-live based systems (including /boot) ?
> 
> Thanks in advance, and apologies for any newbie questions. I am learning
> as I go.
> 
> Regards,
> Steve.
> 
> ------------------------------------------------------------------------
> From: survey.response@live.com
> To: arbiel.perlacremaz@laposte.net; grub-devel@gnu.org
> Subject: RE: RE : Full Disk Encryption (including
> Date: Sun, 9 Sep 2012 08:23:48 -0700
> 
> Hi Arbiel,
> 
> The isofile is set with the leading "/" . The problem appears to be
> caused by the fact that the system devices are not created at the time
> the kernel is loaded. The LUKS partition appears to be decrypted, since
> I can list the ISO folder under (crypt0), but there is no equivalent
> device under /dev that I can pass to the linux command.
> 
> Thanks,
> Steve
> 
> 
> ------------------------------------------------------------------------
> Date: Sun, 9 Sep 2012 14:38:12 +0200
> Subject: RE : Full Disk Encryption (including
> From: arbiel.perlacremaz@laposte.net
> To: survey.response@live.com; grub-devel@gnu.org
> 
> Hi
> 
> Didn't you forget a "/" between the disk's UUID and the variable holding
> the file name in the linux command?
> 
> Arbiel
> 
> 
> 
> 
> Sent from Samsung Galaxy Note
> 
> Survey Response <survey.response@live.com> wrote:
> Hi,
> 
> On my USB drive, I have encrypted the entire disk as a single LUKS
> encrypted partition. I have the grub files on this partition with an ISO
> image for a Debian-live based distribution. I compiled Grub 2.00 with
> the necessary crypto modules and left a larger embedding zone before the
> first LUKS partition to accommodate the larger second-stage bootloader
> (my core.img is about 44K). When I boot off this USB drive, GRUB asks me
> the password initially for the encrypted drive and then gets to the
> point where it brings up the menu, but I couldn't get it to load the
> kernel since I need to pass the kernel the system device for the ISO
> image (the live-media and fromiso boot parameters below) and I notice
> that the devices are not available at the time of loading the kernel (or
> later, for that matter). Can somebody help me figure out what I am doing
> wrong? Would be much obliged, since I have been spending some time
> trying to figure this out.
> 
> Here is my grub.cfg
> 
> menuentry 'FDE Live' {
>         
>         set isofile="/ISOs/linux.iso"
> 
>         # The UUID for the encrypted LUKS partition as obtained by
> running blkid
>         set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d" 
> 
>         # The UUID for the decrypted ext4 fs in the LUKS partition
>         set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"
> 
>         insmod part_msdos
>         insmod loopback
>         insmod iso9660
>         insmod cryptodisk
>         insmod luks
> 
>         echo 'Mounting encrypted disk ...' 
>         cryptomount -u ${encryptedfs_uuid}
> 
>         echo 'Searching for the root fs in the decrypted fs...'
>         set root=(cryptouuid/${encryptedfs_uuid})
>         search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}
> 
>         echo 'Setting up a loopback device to the CD image'
>         loopback loop $root/$isofile
>         set root=loop
> 
>         echo 'Loading Linux Kernel ...'
>         linux  /live/vmlinuz boot=live
> live-media=/dev/disk/by-uuid/${decryptedfs_uuid}
> fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile
> initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128
> 
>         echo 'Loading initial ramdisk ...'
>         initrd /live/initrd.img
> }
> 
> From the debugging output on the console, I see that
> /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the
> decryptedfs_uuid) does not exist at the time the linux kernel is being
> loaded. I can access this folder from the grub command line using the
> Grub drive (cryptouuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso,
> but I need to be able to reference this in a way the linux kernel would
> understand.
> 

Linux simply doesn't have such a way. You need to get Linux guys to add
it first. Or to do something with initramfs.

> Once again, thanks for any help. Pardon any newbie mistakes I may be
> making. It's a learning experience for me and I am hoping this would be
> a good exercise in understanding how it all works.
> 
> Thanks,
> Steve
> 
> 



-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko

* Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command
@ 2012-09-12 15:32       ` Chris Murphy
From: Chris Murphy @ 2012-09-12 15:32 UTC (permalink / raw)
  To: The development of GNU GRUB


On Sep 11, 2012, at 11:39 PM, Vladimir 'φ-coder/phcoder' Serbinenko wrote:

> Linux simply doesn't have such a way. You need to get Linux guys to add
> it first. Or to do something with initramfs.

There may be some confusion between encrypted /boot and "secure boot" and "trusted boot". There isn't anything particularly private or secret about the contents of /boot so encryption doesn't seem to be indicated. But there's some legitimacy to concerns about whether the code being booted is valid (from the user's perspective).

Chris Murphy


* RE: RE : Full Disk Encryption (including
@ 2012-10-28  6:33   ` James Courtier-Dutton
From: James Courtier-Dutton @ 2012-10-28  6:33 UTC (permalink / raw)
  To: The development of GNU GRUB


> Once again, thanks for any help. Pardon any newbie mistakes I may be
> making. It's a learning experience for me and I am hoping this would be a
> good exercise in understanding how it all works.

My guess is this is one of two things:
1) the initramfs does not have the correct usb drivers to see the device at
boot time.
2) the device id you are using is wrong.
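The initramfs step Vladimir points at, and the two failure modes James lists (the device not visible yet, or a wrong device id), as an added example that is not code from this thread, from GRUB or from live-boot: a POSIX sh initramfs-style hook that opens the LUKS container a second time inside the initramfs, since GRUB's cryptomount mapping never reaches the kernel, so that the decrypted filesystem's UUID exists under /dev/disk/by-uuid/ before live-media= is looked up. The kernel parameter name luksuuid=, the mapping name live_crypt, and the prefix-stripping rule used to split a fromiso= value into device and path are this example's own assumptions, not live-boot conventions. One fact it relies on: GRUB's `cryptomount -u` takes the LUKS header UUID without dashes (the form of encryptedfs_uuid above), while udev names the same container under /dev/disk/by-uuid/ with dashes, so pasting the GRUB value into a Linux path is an easy way to end up with James's second case.

```shell
#!/bin/sh
# Added example, not code from the thread, GRUB or live-boot. GRUB's
# cryptomount keeps the decrypted mapping inside GRUB, so the kernel never
# sees it; an initramfs hook has to open the LUKS container again before
# /dev/disk/by-uuid/<decrypted-fs-uuid> can exist. "luksuuid=" and the
# mapping name "live_crypt" are this example's own choices (assumptions).
set -u

# Print the value of key=value from a kernel command line; status 1 if absent.
cmdline_param() {
    cmdline=$1; key=$2
    for tok in $cmdline; do
        case "$tok" in
            "$key"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# GRUB's "cryptomount -u" takes the LUKS header UUID without dashes, while
# udev's /dev/disk/by-uuid uses the dashed 8-4-4-4-12 form. Accept either and
# print the dashed form; status 1 unless the input is 32 hex digits.
luks_uuid_dashed() {
    u=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    case "$u" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#u}" -eq 32 ] || return 1
    printf '%s-%s-%s-%s-%s\n' \
        "$(printf '%s' "$u" | cut -c1-8)"   "$(printf '%s' "$u" | cut -c9-12)" \
        "$(printf '%s' "$u" | cut -c13-16)" "$(printf '%s' "$u" | cut -c17-20)" \
        "$(printf '%s' "$u" | cut -c21-32)"
}

is_block_device() { [ -b "$1" ]; }

# Split a fromiso= value ("<device><path inside it>") into device and path by
# stripping trailing components until one names a block device (resolution
# rule assumed here; $2 is the probe function, replaceable for testing).
# Prints "device path"; status 1 when no prefix is a block device, which is
# what happens when the "/" between device and ISO path is missing.
fromiso_split() {
    spec=$1; probe=${2:-is_block_device}
    cand=$spec
    while [ -n "$cand" ]; do
        if "$probe" "$cand"; then
            printf '%s %s\n' "$cand" "${spec#"$cand"}"
            return 0
        fi
        case "$cand" in */*) cand=${cand%/*} ;; *) cand="" ;; esac
    done
    return 1
}

# Poll for a device node: udev may still be populating /dev/disk/by-uuid, or
# the USB stack may still be probing, when the hook runs (James's first case).
wait_for_device() {
    dev=$1; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        tries=$((tries - 1)); sleep 1
    done
    echo "timed out waiting for $dev" >&2
    return 1
}

# Open the container as /dev/mapper/$2. cryptsetup prompts on the console;
# once the dm device exists, udev adds the decrypted filesystem's own UUID
# under /dev/disk/by-uuid/, which is what live-media= refers to.
unlock_luks() {
    dashed=$(luks_uuid_dashed "$1") || { echo "bad LUKS UUID: $1" >&2; return 1; }
    wait_for_device "/dev/disk/by-uuid/$dashed" 30 || return 1
    cryptsetup open --type luks "/dev/disk/by-uuid/$dashed" "$2"
}

main() {
    cmdline=$(cat /proc/cmdline)
    luks_uuid=$(cmdline_param "$cmdline" luksuuid) || { echo "luksuuid= not set" >&2; return 1; }
    unlock_luks "$luks_uuid" live_crypt || return 1
    media=$(cmdline_param "$cmdline" live-media) || return 0
    wait_for_device "$media" 30
}

# Only act when invoked as "hook run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

With this hook in place the kernel line would carry luksuuid=377da6816e9a4c7092ae9016a719d04d next to the existing live-media= parameter; the decrypted filesystem's UUID (a8604976-...) stays the right value for live-media=, it simply does not exist until cryptsetup has run inside the initramfs. The fromiso_split helper also shows why Arbiel's question matters: without the "/" that isofile supplies, no prefix of the fromiso= string names a device and the lookup fails.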
