[dm-crypt] Patches supporting a different network config while ssh un-lockeding a crypted rootfs

Karl O. Pinc kop at meme.com
Wed Jul 10 04:06:21 CEST 2013


Hi,

I've put together some patches for Debian which allow
the network configuration in the initramfs to differ
from the normal network config.  I imagine it should
work on other distros as well, but just how well
depends on the construction of the initramfs and
how that differs from Debian's approach.  The underlying
klibc patches are distro agnostic.

I'm looking for feedback, good and bad.  Are there
other distro's which support this already?
Is it dumb to bring interfaces down while
still running the initramfs?  (Root NFS mounts
excepted! ;-)

Allowing the initramfs to have it's own network
configuration makes possible a variety of benefits to a
network-unlocked crypted rootfs.  The gateway address can be
omitted so that the box can only be unlocked from the local
LAN.  The IP number can differ from that of the running
system; since the initramfs is unencrypted it's ssh host
keys may differ from the running system's and having a
different IP in the initramfs aids with host key
management/checking.  And I believe there are security
benefits to putting the initramfs on an entirely separate
network if there's a layer 3 switch involved to provide
access control to the networked initramfs.

With the patches the initramfs can be configured to
bring down the network interface brought up
via bootloader/kernel ip= command line arg --
after the crypted rootfs is unlocked and mounted.
Because the interface is down
the usual (sysV/whatever) boot process can
bring the network back up with a different
configuration.


For further detail see the upstream klibc mailing
list post archived at:
http://www.zytor.com/pipermail/klibc/2013-July/003430.html

For klibc patches see:
http://www.zytor.com/pipermail/klibc/2013-July/003432.html
or the "ipconfig_down" branch at github:
https://github.com/kpinc/klibc.git

For dropbear/initramfs-tools patches see Bug#715048:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715048

For documentation patches (cryptsetup) see Bug#715487:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715487
and the related Bug#714952:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714952


----------------------------------------
Testing involves 2 things, adding script to an
initramfs which brings the interface down
at the right time, and getting an updated
klibc ipconfig command into the initramfs.
I opted to manually install
a staticlly linked ipconfig into the initramfs
instead of e.g., rebuilding the klibc packages
with the patch applied.  It probably makes more
sense to apply patches and rebuild all the .debs
now that the patches are developed.  The manual
approach lets me stop and test along the way.

The approach I used to test (from memory):

Make sure you've access to some sort of console
that gives you access to the boot sequence or
if you break things your system will be unavailable.

Remember: Kernel source/headers must match the
running kernel must match the kernel loaded
by the bootloader.  (Technically, the running
kernel does mot matter but I use "uname -r"
below.)

Start by following the 
/usr/share/doc/cryptsetup/README.initramfs.gz
and configuring your system to unlock the rootfs
remotely with ssh.  The patch to this readme
in Bug#714952 might help.  (Assuming you've not
done this already.)

Get the latest klibc with git, apply the klibc
patches and run make.  A static ipconfig will
be produced.  You'll need the kernel-source package
for your kernel and will need to follow the
usr/klibc/README.klibc directions.  (I used
the "make help" way of designating the location
of the kernel headers -- I couldn't get the
symlink method to work.)

Manually extract the 2 initramfs-tools files
from the Bug#715048 patch and install the
files.  Call them /etc/initramfs-tools/conf.d/dropbear
and /etc/initramfs-tools/scripts/local-bottom/dropbear.

Edit /etc/initramfs-tools/conf.d/dropbear and
configure to bring down the network interface
brought up by the kernel command line.
(Documentation for this is in the Bug#715487
patch, although it should be obvious.)

Make a new initramfs containing the dropbear
files, place it in /tmp/:
# update-initramfs -c -b /tmp -k $(uname -r)

Extract the initramfs:
# mkdir /tmp/foo
# cd /tmp/foo
# gunzip -c /tmp/initrd.img-* \
    | cpio -i --no-absolute-filenames -H newc

Replace the ipconfig command in the old initramfs
with the staticlly linked patched version of
ipconfig:
# cp -p /my/klibc/usr/kinit/ipconfig/static/ipconfig \
        /tmp/foo/bin/ipconfig
# cd /tmp/foo
# find . | cpio -o -H newc | gzip -c -9 > /boot/testinitrd

Make a bootloader entry.  With grub you can:
 Edit /etc/grub.d/40_custom, copying into it
an entry from /boot/grub/grub.cfg.  
  (Presumeably
   this entry has an ip= kernel command line,
   modify it as desired.)
  Modify the initrd line to read: initrd /testinitrd
  Modify the menuentry line as desired.
 Edit /etc/default/grub and change the GRUB_DEFAULT
to boot your custom configuration.
Remember this is 0 based.
 Run update-grub and check that /boot/grub/grub.cfg
looks right and that your GRUB_DEFAULT is right.

Reboot.
----------------------------------------

It wouldn't
hurt to send the feedback through the debian bug tracking
system either.  Although there's no single bug this
might help get the patches included in (or rejected by)
Debian.  (There's also the upstream klibc mailing list.)

Regards,

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein


More information about the dm-crypt mailing list