From: Jookia <166291@gmail.com> Subject: [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch. Date: Thu, 10 Mar 2016 11:36:45 +1100 Message-ID: <56e0c4cf.08d0190a.6a127.0d35@mx.google.com> Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:37160) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <166291@gmail.com>) id 1adooB-00082i-57 for guix-devel@gnu.org; Wed, 09 Mar 2016 19:50:32 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from <166291@gmail.com>) id 1adoo5-0002U8-Rx for guix-devel@gnu.org; Wed, 09 Mar 2016 19:50:30 -0500 Received: from mail-lb0-x22d.google.com ([2a00:1450:4010:c04::22d]:34335) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <166291@gmail.com>) id 1adoo5-0002U2-EK for guix-devel@gnu.org; Wed, 09 Mar 2016 19:50:25 -0500 Received: by mail-lb0-x22d.google.com with SMTP id xr8so86834406lbb.1 for ; Wed, 09 Mar 2016 16:50:25 -0800 (PST) Received: from localhost (cm-84.215.131.93.getinternet.no. [84.215.131.93]) by smtp.gmail.com with ESMTPSA id h8sm159532lfg.10.2016.03.09.16.50.20 for (version=TLSv1/SSLv3 cipher=OTHER); Wed, 09 Mar 2016 16:50:23 -0800 (PST) List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org DISCLMAIMER: This commit isn't meant for merging, so donut merge it. It's meant for people to use until we get something better. There's also code I haven't fully checked is needed (particularly mknodes) so there's duplicates. Use this at the risk of having to ask me to fix it and possibly have me say no. So I've come up with the following hack commit that effectively stops any sort of dependency management and adds some new targets for LVM and LUKS with a keyfile. 
Here's my current setup; take note that the order of mapped devices matters since there's no dependency management: (mapped-devices (list (mapped-device (source "/dev/sda") (target "hdd") (type (luks-device-keyfile-mapping (local-file "/root/keyfile")))) (mapped-device (source "/dev/mapper/hdd") (target "matrix") (type lvm-device-mapping)))) (file-systems (cons (file-system (device "/dev/mapper/matrix-root") (title 'device) (mount-point "/") (type "ext4")) %base-file-systems)) (swap-devices '("/dev/mapper/matrix-swap")) This shouldn't break existing installs, but don't rely on this behaviour or API unless you're willing to maintain it. You'll note that I'm using a keyfile. It gets copied to initramfs, but you generate it like so: dd bs=512 count=4 if=/dev/urandom of=/root/keyfile iflag=fullblock Then you add it to your cryptsetup device like: cryptsetup luksAddKey /dev/sda /root/keyfile I'm assuming you're using /dev/sda. But you might not be? Anyways that means you only have to enter the password to decrypt root once (at GRUB) instead of twice. BE WARNED THAT YOUR DRIVE CAN BE DECRYPTED BY USING THE COPY OF YOUR KEYFILE IN /GNU/STORE OR YOUR INITRAMFS IN /GNU/STORE. root@t400-apparent-situation ~# ls /gnu/store | grep keyfile rfwrwxpcvqqw8az8c6k37bqzqvgzrh34-keyfile IF YOU ARE LOOKING FOR SECURITY IT IS NOT HERE. ANY APPLICATION YOU RUN CAN READ /GNU/STORE. YOU HAVE BEEN WARNED. Also you can do something like this to autologin, making it only one password to get in to your system (GRUB): (services (modify-services %desktop-services (slim-service-type config => (slim-configuration (inherit config) (auto-login? #t) (default-user "jookia") (auto-login-session #~(string-append #$xfce "/bin/startxfce4")))))) Cheers, Jookia. --- gnu/services/base.scm | 8 +---- gnu/system.scm | 73 ++++++++++++++++++++++++++++++++++++--------- gnu/system/linux-initrd.scm | 15 +++++++++- 3 files changed, 74 insertions(+), 22 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 9b3dc73..cb248fc 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1200,15 +1200,9 @@ gexp, to open it, and evaluate @var{close} to close it."
 (shepherd-service-type
 'swap
 (lambda (device)
- (define requirement
- (if (string-prefix? "/dev/mapper/" device)
- (list (symbol-append 'device-mapping- (string->symbol (basename device))))
- '()))
-
 (shepherd-service
 (provision (list (symbol-append 'swap- (string->symbol device))))
- (requirement `(udev ,@requirement))
+ (requirement `(udev root-file-system))
 (documentation "Enable the given swap device.")
 (start #~(lambda ()
 (restart-on-EINTR (swapon #$device))
diff --git a/gnu/system.scm b/gnu/system.scm
index 5be24ba..922e1f0 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -44,6 +44,7 @@
 #:use-module (gnu packages compression)
 #:use-module (gnu packages firmware)
 #:autoload (gnu packages cryptsetup) (cryptsetup)
+ #:autoload (gnu packages linux) (lvm2)
 #:use-module (gnu services)
 #:use-module (gnu services shepherd)
 #:use-module (gnu services base)
@@ -103,7 +104,9 @@
 %base-packages
 %base-firmware
 
- luks-device-mapping))
+ luks-device-mapping
+ luks-device-keyfile-mapping
+ lvm-device-mapping))
 
 ;;; Commentary:
 ;;;
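Review bot: Replacing the per-device `device-mapping-<name>` requirement with a blanket `root-file-system` drops the only declared ordering between a swap device under /dev/mapper and the shepherd service that opens that mapping, so `swapon` runs before the mapping exists whenever the device is not opened by the initrd. In this patch it works only because gnu/system.scm is changed in the same series to open every mapped device at boot, so this hunk silently depends on that other hack. Keeping the `requirement` definition and writing `(requirement \`(udev root-file-system ,@requirement))` preserves the ordering in both cases. The enclosing `swap-service-type` definition starts before this hunk and its `start` lambda continues past it.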
@@ -194,6 +197,46 @@
 (open open-luks-device)
 (close close-luks-device)))
 
+;;; HACK HACK HACCKK
+
+(define (open-luks-device-keyfile key-file)
+ "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
+'cryptsetup'."
+ (lambda (source target)
+ #~(zero? (system* (string-append #$cryptsetup "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ (string-append "--key-file=" #$key-file)
+ #$source #$target))))
+
+(define (luks-device-keyfile-mapping key-file)
+ ;; The type of LUKS mapped devices.
+ (mapped-device-kind
+ (open (open-luks-device-keyfile key-file))
+ (close close-luks-device)))
+
+(define (open-lvm-device source target)
+ "Return a gexp that opens the TARGET logical volume on the SOURCE device,
+using 'cryptsetup'." ;; TODO: fix
+ #~(and (zero? (system* (string-append #$lvm2 "/sbin/dmsetup")
+ "mknodes"))
+ (zero? (system* (string-append #$lvm2 "/sbin/vgchange")
+ "-ay" #$target "--verbose"))
+ (zero? (system* (string-append #$lvm2 "/sbin/vgscan")
+ "--mknodes" "--verbose"))))
+
+(define (close-lvm-device source target)
+ "Return a gexp that closes the TARGET logical volume."
+ #~(zero? (system* (string-append #$lvm2 "/sbin/lvchange")
+ "-an" #$target)))
+
+(define lvm-device-mapping
+ ;; The type of LUKS mapped devices.
+ (mapped-device-kind
+ (open open-lvm-device)
+ (close close-lvm-device)))
+
+;;; HACK HACK HACCKK
+
 (define (other-file-system-services os)
 "Return file system services for the file systems of OS that are not marked
 as 'needed-for-boot'."
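Review bot: `open-luks-device-keyfile` splices `#$key-file` straight into the gexp, so whatever file-like object is passed (a `local-file` in the cover letter) is interned in the store and copied into the initrd, and neither docstring says so; `luks-device-keyfile-mapping` should document that `KEY-FILE ends up world-readable in /gnu/store and in the initrd, so it provides no confidentiality on the installed system`. Two comments are copy-paste leftovers: the `open-lvm-device` docstring says the volume is opened `using 'cryptsetup'` although it runs lvm2's dmsetup/vgchange/vgscan, and `lvm-device-mapping` is labelled `The type of LUKS mapped devices.`. `close-lvm-device` runs `lvchange -an` on `TARGET`, which `open-lvm-device` treats as a volume group name for `vgchange -ay`; `vgchange -an #$target` is the symmetric operation and does not depend on lvchange accepting a VG argument. Both LVM procedures ignore `source`, which deserves a one-line comment if that is intentional.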
@@ -233,23 +276,25 @@ as 'needed-for-boot'."
 (define (operating-system-user-mapped-devices os)
 "Return the subset of mapped devices that can be installed in
 user-land--i.e., those not needed during boot."
- (let ((devices (operating-system-mapped-devices os))
- (file-systems (operating-system-file-systems os)))
- (filter (lambda (md)
- (let ((user (mapped-device-user md file-systems)))
- (or (not user)
- (not (file-system-needed-for-boot? user)))))
- devices)))
+ '())
+ ;(let ((devices (operating-system-mapped-devices os))
+ ; (file-systems (operating-system-file-systems os)))
+ ; (filter (lambda (md)
+ ; (let ((user (mapped-device-user md file-systems)))
+ ; (or (not user)
+ ; (not (file-system-needed-for-boot? user)))))
+ ; devices)))
 
 (define (operating-system-boot-mapped-devices os)
 "Return the subset of mapped devices that must be installed during boot,
 from the initrd."
- (let ((devices (operating-system-mapped-devices os))
- (file-systems (operating-system-file-systems os)))
- (filter (lambda (md)
- (let ((user (mapped-device-user md file-systems)))
- (and user (file-system-needed-for-boot? user))))
- devices)))
+ (operating-system-mapped-devices os))
+ ;(let ((devices (operating-system-mapped-devices os))
+ ; (file-systems (operating-system-file-systems os)))
+ ; (filter (lambda (md)
+ ; (let ((user (mapped-device-user md file-systems)))
+ ; (and user (file-system-needed-for-boot? user))))
+ ; devices)))
 
 (define (device-mapping-services os)
 "Return the list of device-mapping services for OS as a list."
diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm
index 8ca7410..70a2e4a 100644
--- a/gnu/system/linux-initrd.scm
+++ b/gnu/system/linux-initrd.scm
@@ -207,6 +207,9 @@ loaded at boot time in the order in which they appear."
 file-systems)
 (list e2fsck/static)
 '())
+ ,@(if #t ;(lvm-mapping-used? mapped-devices)
+ (list lvm2)
+ '())
 ,@(if volatile-root?
 (list unionfs-fuse/static)
 '())))
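Review bot: Both docstrings now misdescribe the functions: `operating-system-user-mapped-devices` always returns `'()` and `operating-system-boot-mapped-devices` returns every mapped device, while the docstrings still promise a filtered subset, and the original bodies are left behind as `;`-comments instead of being deleted (git history keeps them). If the hack stays, the docstrings should say so, e.g. `"Return the empty list: all mapped devices are currently opened from the initrd, since there is no dependency tracking."` and `"Return all mapped devices of OS; they are all opened from the initrd."`. A consequence worth stating in the same comment is that any keyfile referenced by a mapped device is now copied into the initrd even when only user-land file systems need that device.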
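Review bot: `(if #t ;(lvm-mapping-used? mapped-devices)` puts lvm2 into the initrd of every system, including ones with no mapped devices at all, and the commented predicate is not defined anywhere in the patch. The condition can be computed from `mapped-devices`, which appears to be in scope here, by checking whether any device's type is the LVM kind; if referencing `lvm-device-mapping` from this module would create a circular dependency with (gnu system), a comment should say that is why the test is hard-coded. The same `#t` placeholder appears in the following `pre-mount` hunk. Note that `open-lvm-device` already invokes lvm2 by absolute store path, so this entry only matters if something in the initrd relies on `PATH`; the comment should say which.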
@@ -237,7 +240,17 @@ loaded at boot time in the order in which they appear."
 
 (boot-system #:mounts '#$(map file-system->spec file-systems)
 #:pre-mount (lambda ()
- (and #$@device-mapping-commands))
+ (and #$@device-mapping-commands
+ ;; If we activated any volume group, we
+ ;; need to ensure that device nodes are
+ ;; created. Add code here to call it
+ ;; once for all activations.
+ #$(when #t ;(lvm-mapping-used? mapped-devices)
+ #~(zero?
+ (system* (string-append
+ #$lvm2
+ "/sbin/vgscan")
+ "--mknodes")))))
 #:linux-modules '#$linux-modules
 #:linux-module-directory '#$kodir
 #:qemu-guest-networking? #$qemu-networking?
-- 2.7.0
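Review bot: `#$(when #t ...)` is only well-formed while the condition is literally true: once it becomes `#f`, `when` yields an unspecified value, and ungexping that into the `and` form produces an initrd that no longer builds or evaluates. The file already uses the splice idiom for optional elements, so `#$@(if <condition> (list #~(zero? (system* (string-append #$lvm2 "/sbin/vgscan") "--mknodes"))) '())` expresses the same intent and degrades to nothing when the condition is false. This call also duplicates the `vgscan --mknodes` already run inside `open-lvm-device` in gnu/system.scm, so one of the two should go, and the comment's `Add code here to call it once for all activations` reads as a leftover TODO rather than a description of what the code does. The enclosing `boot-system` call continues past the hunk.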