From: Arnout Vandecappelle <arnout@mind.be>
To: buildroot@busybox.net
Subject: [Buildroot] Persistent dropbear keys
Date: Sat, 9 Jan 2016 02:10:21 +0100
Message-ID: <56905DFD.30706@mind.be>
In-Reply-To: <87mvsgdkxy.fsf@dell.be.48ers.dk>
On 08-01-16 18:45, Peter Korsgaard wrote:
>>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
>
> > Hello,
> > Commit e7d04dd2df8bb935c61f7c814ee88eba7e75b5e4 (package/dropbear: fix
> > generating keys on RO file systems) (+ some subsequent commits)
> > changed the handling of the /etc/dropbear directory. Previously
> > /etc/dropbear was a real directory in the rootfs, now it initially is
> > a link to /var/run/dropbear. During S50dropbear, the link is replaced
> > with a real (empty) directory (if rootfs is writable) or a warning is
> > given.
>
> > I understand all this. However, what I do not understand is how you
> > are then creating persistent dropbear keys. From how I understand the
> > code, the keys are persistent across reboots, but not between upgrades
> > of the rootfs, because after an upgrade a new empty /etc/dropbear is
> > created.
>
> If your upgrade overwrites /etc/dropbear, then yes.
>
> E.G. I use a persistent writable unionfs on /etc, so changes to /etc are
> not lost after an upgrade.
>
>
> > In my case, the rootfs is an initramfs, but mounted rw at boot time.
>
> > The solution I have been using is with an S49dropbear_keys script that:
> > - at 'stop', verifies the correctness of the keys in /etc/dropbear
> > (with dropbearkey) and if ok copies them to a real persistent medium,
> > - at 'start', verifies if there are any keys on the persistent medium,
> > verify their correctness, and if ok copies them to /etc/dropbear.
>
> Why don't you just make /etc/dropbear a symlink to your persistent
> medium?
We should probably add some explanation in the help text about this possibility.
I'll try to cook something up.
Regards,
Arnout
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
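A sketch of the S49dropbear_keys approach Thomas describes above (validate with dropbearkey, save at stop, restore at start), as an added example that is not code from the thread or from Buildroot. It assumes /mnt/persist/dropbear as the persistent medium, the two key file names dropbear_rsa_host_key and dropbear_ecdsa_host_key, and that S50dropbear behaves as the thread describes (replacing the /etc/dropbear link with an empty directory on a writable rootfs); DROPBEARKEY, PERSIST_DIR and DROPBEAR_DIR are overridable for testing. Validating before copying keeps a truncated or corrupt file from ever being persisted, and keeping the same host key across upgrades is what stops clients from seeing host-key-changed warnings, which users otherwise learn to click through.

```shell
#!/bin/sh
# /etc/init.d/S49dropbear_keys: keep dropbear host keys on a persistent medium
# across rootfs upgrades. Constructed example; the paths and key names below
# are assumptions, not Buildroot's own.

PERSIST_DIR="${PERSIST_DIR:-/mnt/persist/dropbear}"  # assumed persistent medium
DROPBEAR_DIR="${DROPBEAR_DIR:-/etc/dropbear}"
DROPBEARKEY="${DROPBEARKEY:-dropbearkey}"
KEY_NAMES="dropbear_rsa_host_key dropbear_ecdsa_host_key"

# key_ok FILE: succeed only if dropbearkey can parse FILE as a private key
# (dropbearkey -y prints the public half; a truncated or corrupt file fails).
key_ok() {
    [ -s "$1" ] || return 1
    "$DROPBEARKEY" -y -f "$1" >/dev/null 2>&1
}

# copy_valid_keys SRC DST: copy each known key that passes key_ok from SRC to
# DST (DST 0700, keys 0600, written via a temp name so a crash mid-copy never
# leaves a half-written key behind). Prints the number of keys copied.
copy_valid_keys() {
    src=$1; dst=$2; n=0
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    for name in $KEY_NAMES; do
        f="$src/$name"
        [ -e "$f" ] || continue
        if key_ok "$f"; then
            cp "$f" "$dst/$name.tmp" && chmod 600 "$dst/$name.tmp" \
                && mv "$dst/$name.tmp" "$dst/$name" && n=$((n + 1))
        else
            echo "S49dropbear_keys: ignoring invalid key $f" >&2
        fi
    done
    echo "$n"
}

# start: runs before S50dropbear. As the thread describes, S50dropbear replaces
# the /etc/dropbear -> /var/run/dropbear link with an empty directory on a
# writable rootfs, so keys restored into the link would be lost; replace the
# link with a real directory here first, then restore into it.
start() {
    if [ -L "$DROPBEAR_DIR" ]; then
        rm -f "$DROPBEAR_DIR" 2>/dev/null \
            || echo "S49dropbear_keys: $DROPBEAR_DIR is a link on a read-only fs" >&2
    fi
    n=$(copy_valid_keys "$PERSIST_DIR" "$DROPBEAR_DIR") || n=0
    echo "Restored $n dropbear host key(s) from $PERSIST_DIR"
}

# stop: rcK runs the S??* scripts in reverse order, so dropbear has already
# been stopped; save whatever valid keys it generated or used.
stop() {
    n=$(copy_valid_keys "$DROPBEAR_DIR" "$PERSIST_DIR") || n=0
    echo "Saved $n dropbear host key(s) to $PERSIST_DIR"
}

case "$1" in
    start) start ;;
    stop) stop ;;
    restart|reload) stop; start ;;
    "") ;;  # no argument: only define the functions (e.g. when sourced)
    *) echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Peter's alternative from the same thread needs no script at all: make /etc/dropbear a symlink to the persistent medium in the rootfs overlay (ln -s /mnt/persist/dropbear /etc/dropbear, with the target already present at boot), and S50dropbear then generates and reads the keys in place. The copy-in/copy-out script only earns its keep when the persistent medium may be absent, late to mount, or untrusted enough that the keys should be validated before use.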
Thread overview:
2016-01-08 13:43 [Buildroot] Persistent dropbear keys Thomas De Schampheleire
2016-01-08 17:45 ` Peter Korsgaard
2016-01-09 1:10 ` Arnout Vandecappelle [this message]
2016-01-11 8:56 ` Thomas De Schampheleire
2016-01-11 9:49 ` Peter Korsgaard
2016-01-13 8:16 ` Thomas De Schampheleire
2016-01-14 12:11 ` Peter Korsgaard