* [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch.
@ 2016-03-10  0:36 Jookia
  2016-03-10  7:48 ` Taylan Ulrich Bayırlı/Kammer
  2016-03-10 16:10 ` Ludovic Courtès
  0 siblings, 2 replies; 11+ messages in thread
From: Jookia @ 2016-03-10  0:36 UTC (permalink / raw)
  To: guix-devel

DISCLAIMER: This commit isn't meant for merging, so donut merge it.
It's meant for people to use until we get something better. There's
also code I haven't fully checked is needed (particularly mknodes),
so there are duplicates. Use this at the risk of having to ask me
to fix it and possibly have me say no.

So I've come up with the following hack commit that effectively
stops any sort of dependency management and adds some new targets
for LVM and LUKS with a keyfile.

Here's my current setup; take note that the order of mapped devices
matters since there's no dependency management:

  (mapped-devices (list (mapped-device
                          (source "/dev/sda")
                          (target "hdd")
                          (type (luks-device-keyfile-mapping
                                  (local-file "/root/keyfile"))))
                        (mapped-device
                          (source "/dev/mapper/hdd")
                          (target "matrix")
                          (type lvm-device-mapping))))

  (file-systems (cons (file-system
                        (device "/dev/mapper/matrix-root")
                        (title 'device)
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (swap-devices '("/dev/mapper/matrix-swap"))

This shouldn't break existing installs, but don't rely on this
behaviour or API unless you're willing to maintain it.

You'll note that I'm using a keyfile. It gets copied to initramfs,
but you generate it like so:

  dd bs=512 count=4 if=/dev/urandom of=/root/keyfile iflag=fullblock

Then you add it to your cryptsetup device like:

  cryptsetup luksAddKey /dev/sda /root/keyfile

I'm assuming you're using /dev/sda. But you might not be? Anyways
that means you only have to enter the password to decrypt root
once (at GRUB) instead of twice.

BE WARNED THAT YOUR DRIVE CAN BE DECRYPTED BY USING THE COPY OF YOUR
KEYFILE IN /GNU/STORE OR YOUR INITRAMFS IN /GNU/STORE.

  root@t400-apparent-situation ~# ls /gnu/store | grep keyfile
  rfwrwxpcvqqw8az8c6k37bqzqvgzrh34-keyfile

IF YOU ARE LOOKING FOR SECURITY IT IS NOT HERE. ANY APPLICATION YOU
RUN CAN READ /GNU/STORE. YOU HAVE BEEN WARNED.

Also you can do something like this to autologin, making it only one
password to get into your system (GRUB):

  (services (modify-services %desktop-services
              (slim-service-type config =>
                                 (slim-configuration
                                   (inherit config)
                                   (auto-login? #t)
                                   (default-user "jookia")
                                   (auto-login-session
                                     #~(string-append #$xfce "/bin/startxfce4"))))))

Cheers,
Jookia.
---
 gnu/services/base.scm       |  8 +----
 gnu/system.scm              | 73 ++++++++++++++++++++++++++++++++++++---------
 gnu/system/linux-initrd.scm | 15 +++++++++-
 3 files changed, 74 insertions(+), 22 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 9b3dc73..cb248fc 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1200,15 +1200,9 @@ gexp, to open it, and evaluate @var{close} to close it."
   (shepherd-service-type
    'swap
    (lambda (device)
-     (define requirement
-       (if (string-prefix? "/dev/mapper/" device)
-           (list (symbol-append 'device-mapping-
-                                (string->symbol (basename device))))
-           '()))
-
      (shepherd-service
       (provision (list (symbol-append 'swap- (string->symbol device))))
-      (requirement `(udev ,@requirement))
+      (requirement `(udev root-file-system))
       (documentation "Enable the given swap device.")
       (start #~(lambda ()
                  (restart-on-EINTR (swapon #$device))
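Review bot: dropping the computed `device-mapping-<name>` requirement in favour of a flat `(udev root-file-system)` means a swap device under /dev/mapper/ no longer waits for the shepherd service that creates it; it only works in this patch because the same series moves every mapping into the initrd, so any later reinstatement of user-land mappings would let `swapon` race the mapping. Keeping the `requirement` definition and extending it, e.g. `(requirement `(udev root-file-system ,@requirement))`, preserves both orderings at no cost.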
diff --git a/gnu/system.scm b/gnu/system.scm
index 5be24ba..922e1f0 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -44,6 +44,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages firmware)
   #:autoload   (gnu packages cryptsetup) (cryptsetup)
+  #:autoload   (gnu packages linux) (lvm2)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu services base)
@@ -103,7 +104,9 @@
             %base-packages
             %base-firmware
 
-            luks-device-mapping))
+            luks-device-mapping
+            luks-device-keyfile-mapping
+            lvm-device-mapping))
 
 ;;; Commentary:
 ;;;
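Review bot: `luks-device-keyfile-mapping` and `lvm-device-mapping` become public API here, yet the patch touches no documentation (the diffstat lists only the three .scm files) while the cover letter tells users not to rely on the API. Either leave them unexported until the design settles, or add a comment next to the export marking them experimental so that status is visible in the code rather than only in the mail.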
@@ -194,6 +197,46 @@
    (open open-luks-device)
    (close close-luks-device)))
 
+;;; HACK HACK HACCKK
+
+(define (open-luks-device-keyfile key-file)
+  "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
+'cryptsetup'."
+  (lambda (source target)
+    #~(zero? (system* (string-append #$cryptsetup "/sbin/cryptsetup")
+                        "open" "--type" "luks"
+                        (string-append "--key-file=" #$key-file)
+                        #$source #$target))))
+
+(define (luks-device-keyfile-mapping key-file)
+  ;; The type of LUKS mapped devices.
+  (mapped-device-kind
+   (open (open-luks-device-keyfile key-file))
+   (close close-luks-device)))
+
+(define (open-lvm-device source target)
+  "Return a gexp that opens the TARGET logical volume on the SOURCE device,
+using 'cryptsetup'." ;; TODO: fix
+  #~(and (zero? (system* (string-append #$lvm2 "/sbin/dmsetup")
+                    "mknodes"))
+         (zero? (system* (string-append #$lvm2 "/sbin/vgchange")
+                    "-ay" #$target "--verbose"))
+         (zero? (system* (string-append #$lvm2 "/sbin/vgscan")
+                    "--mknodes" "--verbose"))))
+
+(define (close-lvm-device source target)
+  "Return a gexp that closes the TARGET logical volume."
+  #~(zero? (system* (string-append #$lvm2 "/sbin/lvchange")
+                    "-an" #$target)))
+
+(define lvm-device-mapping
+  ;; The type of LUKS mapped devices.
+  (mapped-device-kind
+   (open open-lvm-device)
+   (close close-lvm-device)))
+
+;;; HACK HACK HACCKK
+
 (define (other-file-system-services os)
   "Return file system services for the file systems of OS that are not marked
 as 'needed-for-boot'."
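Review bot: `close-lvm-device` runs `lvchange -an` on TARGET, but `open-lvm-device` treats TARGET as a volume group (`vgchange -ay`), so the close path names a logical volume that does not exist; `vgchange -an` is the matching call. `open-lvm-device` also never uses SOURCE, which is exactly why the order of `mapped-devices` matters in this patch: nothing ties the VG activation to the LUKS mapping it sits on. The docstrings and comments were copied from the LUKS code and now mislead: `open-lvm-device` says "using 'cryptsetup'", both `luks-device-keyfile-mapping` and `lvm-device-mapping` say "The type of LUKS mapped devices", and `open-luks-device-keyfile` documents SOURCE and TARGET that it does not take (its inner lambda does). Finally, `#$key-file` applied to a `local-file` object makes the key material itself a store item, which is the world-readable copy the cover letter warns about; that is inherent to any initrd-embedded key, so the limitation belongs in a comment at the definition, not only in the mail.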
@@ -233,23 +276,25 @@ as 'needed-for-boot'."
 (define (operating-system-user-mapped-devices os)
   "Return the subset of mapped devices that can be installed in
 user-land--i.e., those not needed during boot."
-  (let ((devices      (operating-system-mapped-devices os))
-        (file-systems (operating-system-file-systems os)))
-   (filter (lambda (md)
-             (let ((user (mapped-device-user md file-systems)))
-               (or (not user)
-                   (not (file-system-needed-for-boot? user)))))
-           devices)))
+  '())
+  ;(let ((devices      (operating-system-mapped-devices os))
+  ;      (file-systems (operating-system-file-systems os)))
+  ; (filter (lambda (md)
+  ;           (let ((user (mapped-device-user md file-systems)))
+  ;             (or (not user)
+  ;                 (not (file-system-needed-for-boot? user)))))
+  ;         devices)))
 
 (define (operating-system-boot-mapped-devices os)
   "Return the subset of mapped devices that must be installed during boot,
 from the initrd."
-  (let ((devices      (operating-system-mapped-devices os))
-        (file-systems (operating-system-file-systems os)))
-   (filter (lambda (md)
-             (let ((user (mapped-device-user md file-systems)))
-               (and user (file-system-needed-for-boot? user))))
-           devices)))
+  (operating-system-mapped-devices os))
+  ;(let ((devices      (operating-system-mapped-devices os))
+  ;      (file-systems (operating-system-file-systems os)))
+  ; (filter (lambda (md)
+  ;           (let ((user (mapped-device-user md file-systems)))
+  ;             (and user (file-system-needed-for-boot? user))))
+  ;         devices)))
 
 (define (device-mapping-services os)
   "Return the list of device-mapping services for OS as a list."
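Review bot: replacing the `needed-for-boot?` filter with `'()` and `(operating-system-mapped-devices os)` moves every mapped device into the initrd and silently stops creating user-land `device-mapping-` shepherd services, even for mappings that back non-boot file systems; this is also what lets the swap requirement change in base.scm work. If that is the intended interim behaviour, delete the commented-out bodies rather than leaving them behind `;`, and state in both docstrings that the boot/user split is currently disabled, since each still describes the old filtering it no longer performs.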
diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm
index 8ca7410..70a2e4a 100644
--- a/gnu/system/linux-initrd.scm
+++ b/gnu/system/linux-initrd.scm
@@ -207,6 +207,9 @@ loaded at boot time in the order in which they appear."
                   file-systems)
             (list e2fsck/static)
             '())
+      ,@(if #t ;(lvm-mapping-used? mapped-devices)
+            (list lvm2)
+            '())
       ,@(if volatile-root?
             (list unionfs-fuse/static)
             '())))
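Review bot: `(if #t ...)` adds lvm2 to every initrd regardless of configuration, and the `lvm-mapping-used?` named in the comment is not defined anywhere in the patch; the `e2fsck/static` conditional just above shows the pattern to follow, a predicate over `mapped-devices` that checks whether any device's type is `lvm-device-mapping`. The hunk also references `lvm2` without adding an import to linux-initrd.scm (the diffstat for that file accounts for only these two hunks), so the variable is unbound unless the module already uses (gnu packages linux).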
@@ -237,7 +240,17 @@ loaded at boot time in the order in which they appear."
 
          (boot-system #:mounts '#$(map file-system->spec file-systems)
                       #:pre-mount (lambda ()
-                                    (and #$@device-mapping-commands))
+                                    (and #$@device-mapping-commands
+                                    ;; If we activated any volume group, we
+                                    ;; need to ensure that device nodes are
+                                    ;; created.  Add code here to call it
+                                    ;; once for all activations.
+                                    #$(when #t ;(lvm-mapping-used? mapped-devices)
+                                        #~(zero?
+                                           (system* (string-append
+                                                     #$lvm2
+                                                     "/sbin/vgscan")
+                                                     "--mknodes")))))
                       #:linux-modules '#$linux-modules
                       #:linux-module-directory '#$kodir
                       #:qemu-guest-networking? #$qemu-networking?
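Review bot: `#$(when #t ...)` splices a gexp as the last operand of `(and ...)`, but once the condition is made real and false, `when` yields an unspecified value rather than `#t`, which is not something the gexp should carry into the initrd script; use `(if cond #~(zero? ...) #t)` or `#$@(if cond (list #~(zero? ...)) '())`. The comment says "Add code here to call it once for all activations" although the code is already present, and this `vgscan --mknodes` duplicates the call at the end of `open-lvm-device` in system.scm (the mknodes duplication the cover letter mentions); pick one place for it.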
-- 
2.7.0
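The ordering problem the cover letter describes (mapped devices have to be listed so that each one's source already exists, because the patch removes dependency management) can be solved by sorting on source and target. The Guile Scheme below is an added example and is not part of Jookia's patch or of Guix: it redefines a minimal <mapped-device> record with the same field names as Guix's so it runs in plain Guile, uses symbols as stand-ins for the mapping kinds, and supplies the `lvm-mapping-used?` predicate that the patch leaves as a comment. The sample device list is constructed from the configuration in the mail, deliberately written in the order the patch would get wrong.

```scheme
;; Added example, not from the patch or from Guix.  Minimal stand-in for
;; Guix's <mapped-device> record so this file runs in plain Guile.
(use-modules (srfi srfi-1)
             (srfi srfi-9))

(define-record-type <mapped-device>
  (make-mapped-device source target type)
  mapped-device?
  (source mapped-device-source)    ; block device path, e.g. "/dev/sda"
  (target mapped-device-target)    ; name that appears under /dev/mapper/
  (type   mapped-device-type))     ; mapping kind (stand-in symbols below)

;; Stand-ins for the mapping kinds; in Guix these are <mapped-device-kind>
;; records from (gnu system).
(define luks-device-keyfile-mapping 'luks-keyfile)
(define lvm-device-mapping          'lvm)

(define (mapped-device-node md)
  "Return the /dev/mapper path that opening MD creates."
  (string-append "/dev/mapper/" (mapped-device-target md)))

(define (mapped-device-dependency md devices)
  "Return the device in DEVICES whose node is MD's source, or #f when MD
sits directly on a physical device."
  (find (lambda (other)
          (string=? (mapped-device-node other) (mapped-device-source md)))
        devices))

(define (dangling-mapped-devices devices)
  "Return the devices whose source is a /dev/mapper node that no device in
DEVICES produces; such a device can never be opened."
  (filter (lambda (md)
            (and (string-prefix? "/dev/mapper/" (mapped-device-source md))
                 (not (mapped-device-dependency md devices))))
          devices))

(define (sort-mapped-devices devices)
  "Return DEVICES ordered so that each device follows the one it depends
on, whatever order they were written in.  Raise an error on a cycle."
  (let loop ((pending devices) (done '()))
    (if (null? pending)
        (reverse done)
        (let ((ready (filter (lambda (md)
                               (let ((dep (mapped-device-dependency md devices)))
                                 (or (not dep) (memq dep done))))
                             pending)))
          (when (null? ready)
            (error "dependency cycle among mapped devices:"
                   (map mapped-device-target pending)))
          (loop (lset-difference eq? pending ready)
                (append (reverse ready) done))))))

(define (lvm-mapping-used? devices)
  "True when any of DEVICES is an LVM mapping, i.e. the initrd needs lvm2."
  (any (lambda (md) (eq? (mapped-device-type md) lvm-device-mapping))
       devices))

;; Constructed sample: the two devices from the cover letter, deliberately
;; listed in the order the patch would get wrong (LVM before LUKS).
(define %sample-devices
  (list (make-mapped-device "/dev/mapper/hdd" "matrix" lvm-device-mapping)
        (make-mapped-device "/dev/sda" "hdd" luks-device-keyfile-mapping)))

(format #t "open order: ~a~%"
        (map mapped-device-target (sort-mapped-devices %sample-devices)))
(format #t "dangling: ~a~%"
        (map mapped-device-target (dangling-mapped-devices %sample-devices)))
(format #t "initrd needs lvm2: ~a~%" (lvm-mapping-used? %sample-devices))
```

Run it with `guile example.scm`. The sort is a plain batch topological order: each pass collects every device whose dependency is already opened, so a configuration that lists "matrix" before "hdd" still opens the LUKS container first, and a self-referential pair is reported instead of looping forever. `dangling-mapped-devices` catches the remaining misconfiguration, a source under /dev/mapper/ that nothing in the list produces, which the patch would only discover when `vgchange` fails in the initrd.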


Thread overview: 11+ messages
2016-03-10  0:36 [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch Jookia
2016-03-10  7:48 ` Taylan Ulrich Bayırlı/Kammer
2016-03-10 12:36   ` Jookia
2016-03-10 16:10 ` Ludovic Courtès
2016-03-10 21:11   ` Jookia
2016-03-11 14:30     ` Ludovic Courtès
2016-03-11 16:42       ` Jookia
2016-03-15 14:40         ` Ludovic Courtès
2016-03-16  1:23           ` Jookia
2016-03-14 21:40       ` Jean Louis
