Hi: Please commit the attached patch.
--Tushar. ----- Forwarded message from [EMAIL PROTECTED] ----- From: [EMAIL PROTECTED] Subject: [update] eswap hint Date: Thu, 14 Apr 2005 04:08:50 +0000 To: [email protected] X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] X-Original-To: [email protected] Delivered-To: [email protected] X-Mailer: Medianet/v2.0 X-BeenThere: [email protected] X-Mailman-Version: 2.1.2 Precedence: list List-Id: Hints submission and maintenance list <hints.linuxfromscratch.org> List-Unsubscribe: <http://linuxfromscratch.org/mailman/listinfo/hints>, <mailto:[EMAIL PROTECTED]> List-Archive: <http://linuxfromscratch.org/pipermail/hints> List-Post: <mailto:[email protected]> List-Help: <mailto:[EMAIL PROTECTED]> List-Subscribe: <http://linuxfromscratch.org/mailman/listinfo/hints>, <mailto:[EMAIL PROTECTED]> Errors-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on belgarath.linuxfromscratch.org X-Spam-Level: X-Spam-Status: No, hits=0.2 required=5.0 tests=NO_REAL_NAME,UPPERCASE_25_50 autolearn=no version=2.63 Hi, Here is an update for the encrypted swap hint To update: eswap.txt http://ngc891.blogdns.net/projects/hlfs/eswap.txt To remove: linux-2.6.11.6-loop_AES-3.0c.patch To add: linux-2.6.11.7-loop_AES-3.0c.patch http://ngc891.blogdns.net/projects/hlfs/patches/linux-2.6.11.7-loop_AES-3.0c.patch Regards, -- Jerome Pinot http://ngc891.blogdns.net/projects/hlfs AUTHOR: Jerome Pinot <[EMAIL PROTECTED]> DATE: 2005-04-14 LICENSE: GNU Free Documentation License Version 1.2 SYNOPSIS: Encrypting swap partition DESCRIPTION: Here is a way to enable disk encryption on HLFS system. Aim is to provide native swap encryption and possibility to encrypt the root partition later, with third-part software. ATTACHMENTS: * http://ngc891.blogdns.net/projects/hlfs/hlfs-461-eswap-1.patch * http://www.linuxfromscratch.org/patches/downloads/util-linux/util-linux-2.12q-loop_AES-3.0c.patch * http://www.linuxfromscratch.org/patches/downloads/linux/linux-2.6.11.7-loop_AES-3.0c.patch * http://www.linuxfromscratch.org/patches/downloads/gnupg/gnupg-1.4.1-loop_AES-3.0c.patch PREREQUISITES: This hint is written for HLFS but can be easily applied to LFS. You should have some basic knowledge about devices and using swap. HINT: I. About encrypting disk ------------------------ A Linux system already provides some basic security environment including users and groups, passwords, permissions, and now access control via SELinux project. However, this could be not enough in some cases like attackers with physical access. If someone can physically access your hard drive and mount it in an other computer, he overpasses the system and can read whatever he wants. The problem is the same with the swap partition. It stores short lifetime data including most of the things you have just done with the computer and that didn't fit in the RAM. The system continously overwrite this partition and there is no easy structure inside but an attacker could seek in for passwords and other data you just typed. One protection against this kind of attack is swap encryption. It means cipher your data with an algorithm, so you need a passphrase and/or a key to access clearly to it. Even, some ciphers like AES provide you "plausible deniability". It means there is no way to know that the partition is actually encrypted because it looks just like trash, like an empty partition. So, there is no more problem for th e system being overpassed by physical access. Encrypting your partitions could increase drastically your data security. II. How to do? -------------- There is several ways to encrypt disk on Linux, including cryptoloop, dm-crypt, loop-AES and StegFS. StegFS is a special encrypted file system. It's sounds really great but is still under development and needs big modifications of the base system. Cryptoloop was a special loop device included in the kernel that provides access to encrypted device by loopback. Everybody was happy to have such an easy way to access encrypted device, but unfortunately, it was found that cryptoloop has a flaw and cannot be trust. If you can find cryptoloop in some linux distribution, it was actually removed from the official Linux kernel source code [1]. dm-crypt is an encrypted device mapper created to replace cryptoloop [2]. You can find it in the official source, under the device mapper sub-section. It is supposed to avoid the flaw of cryptoloop, but actually, it fails. You can find on the web more informations about that [3]. So even if it's available natively in the kernel it should be avoid for more security. So there is loop-AES. It is stable and modular and needs few modifications to the base system. It consists of patches to apply to the kernel (2.4 and 2.6) and some utilities. Using multi-key with loop-AES avoids the flaw of cryptoloop and dm-crypt. It uses the AES algorithm which is known to be one of the strongest available. Moreover, there is already an LFS hint for encrypting root partition using loop-AES [4]. You can find loop-AES here: http://sourceforge.net/projects/loop-aes/ [1] http://lwn.net/Articles/67216/ [2] http://kerneltrap.org/node/2433 [3] http://mareichelt.de/pub/texts.cryptoloop.php [4] http://linuxfromscratch.org/~devine/erfs-howto.html III. Encrypting swap -------------------- It's a matter of applying 2 patches and changing a little the /etc/fstab file. The easiest way is to patch the svn version of the book like this: -- Optiona l -- wget http://ngc891.blogdns.net/projects/hlfs/hlfs-461-eswap-1.patch cd HLFS patch -Np1 -i ../hlfs-461-eswap-1.patch -- Optional -- Unfortunatly, it can be out of date so you have choice to follow the other way: 1. First you need to apply the util-linux-2.12q-loop_AES-3.0c.patch to the util-linux before building it during chapter 6. This patch enables the use of mount, umount, and swapon for encrypted devices. $ patch -Np1 -i ../util-linux-2.12q-loop_AES-3.0c.patch 2. You need to change the line about swap file in the /etc/fstab (chapter 7) from: /dev/[yyy] swap swap pri=1 0 0 to: /dev/[yyy] swap swap sw,loop=/dev/loop7,encryption=AES128,pri=1 0 0 The swap will be mount using a loopback device with a multikeys AES encryption. It uses the last loop device so you will be able to use from /dev/loop0 to /dev/loop6 for other purpose. 3. Finally, you must patch your kernel source before "make menuconfig" in chapter 7: patch -Np1 -i ../linux-2.6.11.7-loop_AES-3.0c.patch Then, during "make me nuconfig", you MUST select loop-AES under loop item of the block sub-section or your swap partition may not be available. You should enable BLK_DEV_LOOP_AES and BLK_DEV_LOOP_KEYSCRUB. IV. Setting up third-part software ---------------------------------- You can find the following packages in http://ngc891.blogdns.net/projects/hlfs/packages 1. GnuPG 1.4.1 patch -Np1 -i ../gnupg-1.4.1-loop_AES-3.0c.patch sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i `find . -name Makefile.in` ./configure --prefix=/usr --enable-static-rnd=linux \ --libexecdir=/usr/lib --enable-noexecstack && make && make install 2. Sharutils 4.3.78 We need sharutils for uuencode to convert randon binary data from /dev/urandom to random ascii data for keys generation. sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i `find . -name Makefile.in` && ./configure --prefix=/usr && make && make install 3. Aespipe 2.3b Add some flags and build aespipe: sed -e 's/^LINK .*$/& -nointl/' -i Makefile.in sed -e '10,0s/^/CFLAGS+=-pie -fpie\n&/' -i Make file.in && ./configure --prefix=/usr && make && make install ACKNOWLEDGEMENTS: Thanks to the author of loop-AES, Jari Ruusu CHANGELOG: [2005-04-14] * updated for Linux 2.6.11.7 * update the HLFS patch to r461 [2005-03-27] * updated for loop-AES 3.0c [2005-03-18] * updated for Linux 2.6.11.4 and GnuPG 1.4.1 * added hlfs book patch * some fixes [2005-02-27] * Added Sharutils and aespipe * Some fixes [2005-02-19] * Added GnuPG compilation guide * Few fixes [2005-02-13] * Initial version -- http://linuxfromscratch.org/mailman/listinfo/hints FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page ----- End forwarded message ----- -- Tushar Teredesai http://www.linuxfromscratch.org/~tushar/ http://www.geocities.com/tushar/ -- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
