From: Jookia <166291@gmail.com>
To: guix-devel@gnu.org
Subject: [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch.
Date: Thu, 10 Mar 2016 11:36:45 +1100
Message-ID: <56e0c4ef.8c1f190a.f76e5.0ba9@mx.google.com>
DISCLAIMER: This commit isn't meant for merging, so donut merge it.
It's meant for people to use until we get something better. There's
also code I haven't fully checked is needed (particularly mknodes)
so there's duplicates. Use this at the risk of having to ask me
to fix it and possibly have me say no.
So I've come up with the following hack commit that effectively
stops any sort of dependency management and adds some new targets
for LVM and LUKS with a keyfile.
Here's my current setup; take note that the order of mapped devices
matters since there's no dependency management:
(mapped-devices (list (mapped-device
                        (source "/dev/sda")
                        (target "hdd")
                        (type (luks-device-keyfile-mapping
                               (local-file "/root/keyfile"))))
                      (mapped-device
                        (source "/dev/mapper/hdd")
                        (target "matrix")
                        (type lvm-device-mapping))))
(file-systems (cons (file-system
                      (device "/dev/mapper/matrix-root")
                      (title 'device)
                      (mount-point "/")
                      (type "ext4"))
                    %base-file-systems))
(swap-devices '("/dev/mapper/matrix-swap"))
This shouldn't break existing installs, but don't rely on this
behaviour or API unless you're willing to maintain it.
You'll note that I'm using a keyfile. It gets copied to initramfs,
but you generate it like so:
dd bs=512 count=4 if=/dev/urandom of=/root/keyfile iflag=fullblock
Then you add it to your cryptsetup device like:
cryptsetup luksAddKey /dev/sda /root/keyfile
I'm assuming you're using /dev/sda. But you might not be? Anyways
that means you only have to enter the password to decrypt root
once (at GRUB) instead of twice.
BE WARNED THAT YOUR DRIVE CAN BE DECRYPTED BY USING THE COPY OF YOUR
KEYFILE IN /GNU/STORE OR YOUR INITRAMFS IN /GNU/STORE.
root@t400-apparent-situation ~# ls /gnu/store | grep keyfile
rfwrwxpcvqqw8az8c6k37bqzqvgzrh34-keyfile
IF YOU ARE LOOKING FOR SECURITY IT IS NOT HERE. ANY APPLICATION YOU
RUN CAN READ /GNU/STORE. YOU HAVE BEEN WARNED.
Also you can do something like this to autologin, making it only one
password to get in to your system (GRUB):
(services (modify-services %desktop-services
            (slim-service-type config =>
              (slim-configuration
                (inherit config)
                (auto-login? #t)
                (default-user "jookia")
                (auto-login-session
                 #~(string-append #$xfce "/bin/startxfce4"))))))
Cheers,
Jookia.
---
gnu/services/base.scm | 8 +----
gnu/system.scm | 73 ++++++++++++++++++++++++++++++++++++---------
gnu/system/linux-initrd.scm | 15 +++++++++-
3 files changed, 74 insertions(+), 22 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 9b3dc73..cb248fc 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1200,15 +1200,9 @@ gexp, to open it, and evaluate @var{close} to close it."
(shepherd-service-type
'swap
(lambda (device)
- (define requirement
- (if (string-prefix? "/dev/mapper/" device)
- (list (symbol-append 'device-mapping-
- (string->symbol (basename device))))
- '()))
-
(shepherd-service
(provision (list (symbol-append 'swap- (string->symbol device))))
- (requirement `(udev ,@requirement))
+ (requirement `(udev root-file-system))
(documentation "Enable the given swap device.")
(start #~(lambda ()
(restart-on-EINTR (swapon #$device))
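Review bot: replacing the computed `requirement` (the `device-mapping-…` service derived from the `/dev/mapper/` prefix) with a flat `(udev root-file-system)` only works because, elsewhere in this patch, every mapped device is opened from the initrd before the root file system is mounted; a swap device on a mapping that is not active by then would make `swapon` fail with no Shepherd dependency left to order it. Suggest keeping the `string-prefix? "/dev/mapper/"` logic, or at least stating in the `documentation` string that swap devices must live on initrd-activated mappings.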
diff --git a/gnu/system.scm b/gnu/system.scm
index 5be24ba..922e1f0 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -44,6 +44,7 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages firmware)
#:autoload (gnu packages cryptsetup) (cryptsetup)
+ #:autoload (gnu packages linux) (lvm2)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
@@ -103,7 +104,9 @@
%base-packages
%base-firmware
- luks-device-mapping))
+ luks-device-mapping
+ luks-device-keyfile-mapping
+ lvm-device-mapping))
;;; Commentary:
;;;
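Review bot: `luks-device-keyfile-mapping` is exported next to `luks-device-mapping` and `lvm-device-mapping`, but unlike those two it is a procedure taking a key file rather than a `mapped-device-kind` value, so the three exported names now have different shapes (the example config calls one and passes the other two bare). A name that signals the difference, or a comment at the export, would save users from writing `(type luks-device-keyfile-mapping)` without the argument.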
@@ -194,6 +197,46 @@
(open open-luks-device)
(close close-luks-device)))
+;;; HACK HACK HACCKK
+
+(define (open-luks-device-keyfile key-file)
+ "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
+'cryptsetup'."
+ (lambda (source target)
+ #~(zero? (system* (string-append #$cryptsetup "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ (string-append "--key-file=" #$key-file)
+ #$source #$target))))
+
+(define (luks-device-keyfile-mapping key-file)
+ ;; The type of LUKS mapped devices.
+ (mapped-device-kind
+ (open (open-luks-device-keyfile key-file))
+ (close close-luks-device)))
+
+(define (open-lvm-device source target)
+ "Return a gexp that opens the TARGET logical volume on the SOURCE device,
+using 'cryptsetup'." ;; TODO: fix
+ #~(and (zero? (system* (string-append #$lvm2 "/sbin/dmsetup")
+ "mknodes"))
+ (zero? (system* (string-append #$lvm2 "/sbin/vgchange")
+ "-ay" #$target "--verbose"))
+ (zero? (system* (string-append #$lvm2 "/sbin/vgscan")
+ "--mknodes" "--verbose"))))
+
+(define (close-lvm-device source target)
+ "Return a gexp that closes the TARGET logical volume."
+ #~(zero? (system* (string-append #$lvm2 "/sbin/lvchange")
+ "-an" #$target)))
+
+(define lvm-device-mapping
+ ;; The type of LUKS mapped devices.
+ (mapped-device-kind
+ (open open-lvm-device)
+ (close close-lvm-device)))
+
+;;; HACK HACK HACCKK
+
(define (other-file-system-services os)
"Return file system services for the file systems of OS that are not marked
as 'needed-for-boot'."
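Review bot: `close-lvm-device` runs `lvchange -an` on TARGET, but the open side hands TARGET to `vgchange -ay`, i.e. it is a volume group name ("matrix" in the example config), so the close should mirror it with `vgchange -an`. The docstrings are also copy-pasted: `open-luks-device-keyfile` claims to "map SOURCE to TARGET" but returns the lambda that does so, `open-lvm-device` says "using 'cryptsetup'" under a TODO, and `lvm-device-mapping` is annotated "The type of LUKS mapped devices". Finally, passing the key file as a `local-file` puts it in the world-readable store, which the cover letter already warns about; worth repeating in a comment at `luks-device-keyfile-mapping` so the exposure is visible at the API rather than only in the mail.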
@@ -233,23 +276,25 @@ as 'needed-for-boot'."
(define (operating-system-user-mapped-devices os)
"Return the subset of mapped devices that can be installed in
user-land--i.e., those not needed during boot."
- (let ((devices (operating-system-mapped-devices os))
- (file-systems (operating-system-file-systems os)))
- (filter (lambda (md)
- (let ((user (mapped-device-user md file-systems)))
- (or (not user)
- (not (file-system-needed-for-boot? user)))))
- devices)))
+ '())
+ ;(let ((devices (operating-system-mapped-devices os))
+ ; (file-systems (operating-system-file-systems os)))
+ ; (filter (lambda (md)
+ ; (let ((user (mapped-device-user md file-systems)))
+ ; (or (not user)
+ ; (not (file-system-needed-for-boot? user)))))
+ ; devices)))
(define (operating-system-boot-mapped-devices os)
"Return the subset of mapped devices that must be installed during boot,
from the initrd."
- (let ((devices (operating-system-mapped-devices os))
- (file-systems (operating-system-file-systems os)))
- (filter (lambda (md)
- (let ((user (mapped-device-user md file-systems)))
- (and user (file-system-needed-for-boot? user))))
- devices)))
+ (operating-system-mapped-devices os))
+ ;(let ((devices (operating-system-mapped-devices os))
+ ; (file-systems (operating-system-file-systems os)))
+ ; (filter (lambda (md)
+ ; (let ((user (mapped-device-user md file-systems)))
+ ; (and user (file-system-needed-for-boot? user))))
+ ; devices)))
(define (device-mapping-services os)
"Return the list of device-mapping services for OS as a list."
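Review bot: the old bodies are left behind as `;` comments while the docstrings still promise "the subset of mapped devices that can be installed in user-land" and "the subset … that must be installed during boot", yet one procedure now always returns `'()` and the other every mapped device; delete the commented-out code (history keeps it) and update the docstrings to say what actually happens, namely that all mappings go into the initrd and the user-land `device-mapping-*` Shepherd services disappear. If the motivating case is a mapping whose source is another mapping (LVM on top of LUKS here), a filter that follows `mapped-device-user` transitively would be the targeted fix instead of disabling the filter.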
diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm
index 8ca7410..70a2e4a 100644
--- a/gnu/system/linux-initrd.scm
+++ b/gnu/system/linux-initrd.scm
@@ -207,6 +207,9 @@ loaded at boot time in the order in which they appear."
file-systems)
(list e2fsck/static)
'())
+ ,@(if #t ;(lvm-mapping-used? mapped-devices)
+ (list lvm2)
+ '())
,@(if volatile-root?
(list unionfs-fuse/static)
'())))
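Review bot: `(if #t ;(lvm-mapping-used? mapped-devices)` unconditionally ships lvm2 in every initrd, and `lvm-mapping-used?` is not defined anywhere in the patch. Suggest implementing the predicate in the same style as the `e2fsck/static` check just above, by testing whether any entry in `mapped-devices` has `lvm-device-mapping` as its `type`, and wiring it in before this lands anywhere.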
@@ -237,7 +240,17 @@ loaded at boot time in the order in which they appear."
(boot-system #:mounts '#$(map file-system->spec file-systems)
#:pre-mount (lambda ()
- (and #$@device-mapping-commands))
+ (and #$@device-mapping-commands
+ ;; If we activated any volume group, we
+ ;; need to ensure that device nodes are
+ ;; created. Add code here to call it
+ ;; once for all activations.
+ #$(when #t ;(lvm-mapping-used? mapped-devices)
+ #~(zero?
+ (system* (string-append
+ #$lvm2
+ "/sbin/vgscan")
+ "--mknodes")))))
#:linux-modules '#$linux-modules
#:linux-module-directory '#$kodir
#:qemu-guest-networking? #$qemu-networking?
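Review bot: `#$(when #t …)` will break as soon as the commented-out condition is restored: `(when #f …)` evaluates to an unspecified value, which cannot be ungexp'd into the `(and …)` form. Use `(if cond #~(zero? …) #~#t)` or splice a possibly-empty list with `#$@`. Also, this `vgscan --mknodes` duplicates the one in `open-lvm-device`; the comment says the intent is to "call it once for all activations", so the per-device call in gnu/system.scm should go.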
--
2.7.0
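The mail warns that the keyfile handed to `local-file` ends up as a world-readable item in /gnu/store. The following script, an added example that is not part of Jookia's patch or of Guix, is the check a reader of that warning would want to run on an installed system: it looks for store items named like the one shown above (`…-keyfile`), keeps those whose mode grants read access to "other", and reports the ones whose contents match the real keyfile. The store path, the key file path and the `*-keyfile` name pattern are assumptions taken from the mail; copies baked into an initrd archive are not inspected.

```shell
#!/bin/sh
# Added example: audit a Guix-style store directory for world-readable copies
# of a LUKS keyfile. Paths and the "*-keyfile" naming are assumptions based on
# the mail above; this is not code from the patch or from Guix.

# find_exposed_keyfiles STORE KEYFILE
# Prints every regular file directly under STORE whose name ends in "-keyfile",
# whose mode grants read access to "other" (-perm -004), and whose SHA-256
# matches KEYFILE. Always returns 0; an empty output means nothing was found.
find_exposed_keyfiles() {
    store="$1"
    keyfile="$2"
    want=$(sha256sum "$keyfile" | cut -d' ' -f1)
    # Only candidate names are hashed, which keeps the scan cheap on a real
    # /gnu/store with tens of thousands of entries.
    find "$store" -maxdepth 1 -type f -name '*-keyfile' -perm -004 2>/dev/null |
    while read -r f; do
        if [ "$(sha256sum "$f" | cut -d' ' -f1)" = "$want" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Usage on a real system (assumed paths):
#   find_exposed_keyfiles /gnu/store /root/keyfile
```

A non-empty result means any local process can read the LUKS key without privileges, which is exactly the situation the mail describes; the remedy is to avoid storing the key in /gnu/store rather than to chmod the store item, since the store is immutable and rebuilt on every reconfigure.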