
Installing Hardened Gentoo with Full Disk Encryption

These notes document an ongoing project and are not yet complete.

Install Log

  • Booted into the Gentoo minimal install live-cd.
  • Check hard drive (/dev/sda) for bad sectors: /sbin/badblocks -c 10240 -n -t random -v /dev/sda. Bad sectors can contain old information that could compromise data. This took several hours. No bad blocks were found.
  • Overwrite hard drive with random data: dd if=/dev/urandom of=/dev/sda. This operation took 74220.1 seconds, or about 20.6 hours. Creating random numbers must be hard work.
  • While I did this I set up wpasupplicant to connect to my wireless network. Don't forget to start dhcpcd.
  • Partitioned disk. This is the first linux install where I haven't had to work around pre-existing partitions :)
    Partition  Device     Size      Reason for size
    /boot      /dev/sda1  512 MB    Hold several kernel images
    swap       /dev/sda2  8 GB      2 GB swap + (4 real + 2 swap) image
    /          /dev/sda3  311.5 GB  Remainder of drive
  • Load encryption modules: for i in dm-crypt dm-mod serpent sha256 blowfish;do modprobe $i;done
  • Running cryptsetup --help reveals that my live CD has the cryptsetup-luks executable
  • Set up swap encryption for use during installation (from wiki page):
cryptsetup -c blowfish -h sha256 -d /dev/random create swap /dev/sda2 
mkswap /dev/mapper/swap
swapon /dev/mapper/swap
  • I want 64-bit AES module: modprobe aes_x86_64
  • Encrypt root partition with keyphrase generated using Diceware:

cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3

  • Create root mapping: cryptsetup luksOpen /dev/sda3 root
  • Format root to ext3: /sbin/mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/root
  • Format boot to ext2: mkfs.ext2 /dev/sda1
  • Mount root: mount -t ext3 /dev/mapper/root /mnt/gentoo
  • Go to root: cd /mnt/gentoo
  • Downloaded stage3-amd64-hardened-20130110.tar.bz2 from a mirror (using links: http://www.gentoo.org/main/en/mirrors.xml).
  • Checked tar.bz2 integrity with sha512sum.
  • Extract files: tar xvpjf stage3-amd64-hardened-20130110.tar.bz2
  • Created /mnt/gentoo/etc/portage/make.conf:
CFLAGS="-O2 -pipe -mtune=athlon64"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
  • Set mirrors in make.conf: mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf && mirrorselect -i -r -o >> /mnt/gentoo/etc/portage/make.conf. This had no effect. I will skip this step and come back later if it turns out I really needed it. TODO

  • Copy DNS info: cp -L /etc/resolv.conf /mnt/gentoo/etc/
  • Mount proc, sys, and dev:
mount -t proc none /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
  • Chroot!
chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(chroot) $PS1"
  • Unpack portage snapshot: mkdir /usr/portage && emerge-webrsync
  • I set the profile to "hardened/linux/amd64/" using eselect.
  • Set USE flags in make.conf.
  • Emerge the kernel sources: emerge -av gentoo-sources.
  • Update portage for good measure: emerge -av portage.
  • Create an initramfs archive for early userspace:
cd /usr/portage/sys-apps/busybox
BUSYBOX_TARGET=`emerge -pvO busybox | grep -o "busybox-[-0-9.r]*"`
ebuild $BUSYBOX_TARGET.ebuild clean
ebuild $BUSYBOX_TARGET.ebuild unpack
cd /var/tmp/portage/sys-apps/$BUSYBOX_TARGET/work/busybox*
make defconfig
sed -i -e "s|# CONFIG_STATIC is not set|CONFIG_STATIC=y|" .config
sed -i -e "s|# CONFIG_INSTALL_NO_USR is not set|CONFIG_INSTALL_NO_USR=y|" .config

make # this failed at first, with output of
# > Failed: -Wl,--start-group -lcrypt -lm -Wl,--end-group
# > As a shot in the dark, I ran
emerge -av app-crypt/ccrypt # and
revdep-rebuild
# then running
make # resulted in
# > Trying libraries: crypt m
# >  Library crypt is not needed, excluding it
# >   Library m is need, can't exclude it (yet)
# But it built :)

make busybox.links
mkdir /build_initramfs
./applets/install.sh /build_initramfs --symlinks
# used links to download http://waku.info/uploads/misc/crypt_guide/init to /build_initramfs
cd /build_initramfs # the build directory was created with an absolute path above
chmod 755 init
mkdir {proc,sys,new-root,etc,dev}
mknod --mode=0660 ./dev/null c 1 3 # note the dot in ./dev/null
mknod --mode=0600 ./dev/console c 5 1 # note the dot in ./dev/console
USE="static" emerge -av cryptsetup # I need it to be statically linked for the initramfs
cp -p `which cryptsetup` /build_initramfs/sbin/
# Then you need to do the equivalent of
# > cp /path/to/applets /path/to/build_initramfs/etc/ 
# I did this from the original busybox directory, using screen
sed -i -e 's/\/bin\/sh/\/bin\/ash/g' init # replace /bin/sh with /bin/ash in init
# script due to Busybox not including a /bin/sh applet in busybox >= busybox-1.1.3
find . | cpio --quiet -o -H newc | gzip -9 >/boot/initramfs-gentoo-crypt
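Before packing the tree with cpio it is worth checking it for the problems that showed up later in this log: a missing or non-executable init, an init that still calls /bin/sh when only /bin/ash is installed, a dynamically linked cryptsetup, and forgotten /dev nodes. The script below is an added example of mine, not from the post or the linked guide; it assumes the layout built above (init, bin/ash, sbin/cryptsetup, dev/null, dev/console, proc, sys, new-root) and constructs a deliberately incomplete sample tree to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an initramfs
# build directory before running cpio, so the kernel does not panic with
# "No init found" after reboot. Layout assumed from the steps above.

# Print one line per problem found; print nothing and return 0 when the
# tree looks bootable.
initramfs_problems() {
    dir=$1
    found=0
    if [ ! -f "$dir/init" ]; then
        echo "init: missing (kernel will panic with 'No init found')"; found=1
    else
        [ -x "$dir/init" ] || { echo "init: not executable"; found=1; }
        # BusyBox >= 1.1.3 installs /bin/ash but no /bin/sh applet
        if head -n 1 "$dir/init" | grep -q '/bin/sh'; then
            echo "init: shebang uses /bin/sh, but only /bin/ash is installed"; found=1
        fi
    fi
    for f in bin/ash bin/busybox sbin/cryptsetup; do
        [ -x "$dir/$f" ] || { echo "$f: missing or not executable"; found=1; }
    done
    # ldd succeeds only on dynamically linked ELF binaries; the initramfs
    # has no shared libraries, so cryptsetup must be static
    if [ -x "$dir/sbin/cryptsetup" ] && command -v ldd >/dev/null 2>&1 \
       && ldd "$dir/sbin/cryptsetup" >/dev/null 2>&1; then
        echo "sbin/cryptsetup: dynamically linked; rebuild with USE=static"; found=1
    fi
    for n in dev/null dev/console; do
        [ -c "$dir/$n" ] || { echo "$n: not a character device (mknod ./$n?)"; found=1; }
    done
    for d in proc sys new-root; do
        [ -d "$dir/$d" ] || { echo "$d: mount point directory missing"; found=1; }
    done
    return $found
}

# Constructed sample tree: correct init and applets, but no /dev nodes,
# so the checker should report exactly the two missing device files.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/sbin" "$t/dev" "$t/proc" "$t/sys" "$t/new-root"
    printf '#!/bin/ash\nexec /bin/ash\n' > "$t/init"; chmod 755 "$t/init"
    printf '#!/bin/ash\n' > "$t/bin/ash"; chmod 755 "$t/bin/ash"
    cp "$t/bin/ash" "$t/bin/busybox"; cp "$t/bin/ash" "$t/sbin/cryptsetup"
    echo "$t"
}
```

Run it as `initramfs_problems /build_initramfs` from the live CD; an empty result means the cpio step can proceed.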
  • Configure kernel as per http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS#Kernel_Configuration
    • cd /usr/src/linux && make menuconfig
    • Couldn't find the "Initial RAM disk (initramfs/initrd) support" though.
    • Update: the option got moved to the "General Options menu".
    • Update: letting the kernel make initramfs. Gave it "/buildinitramfs".
  • Compiled kernel: make && make modules_install && make install in /usr/src/linux
  • Created /etc/fstab as per http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS#.2Fetc.2Ffstab
  • Followed steps from 8b to 10 in Gentoo install manual.
  • emerge -av grub
  • Created /boot/grub/grub.conf TODO post the file contents
  • Ran grub-install /dev/sda
  • Cleaned up and rebooted … and got a blank prompt. Thinking back on it, I'm pretty sure I didn't mount /dev/sda1 before creating /boot, which means grub's config file is actually on /dev/sda3, not /dev/sda1 where it needs to be. Oops.
  • Fixed that. Now I get a grub boot menu.
  • Kernel panic - not syncing: No init found. Try passing init= option to kernel. Great.
  • Did some troubleshooting and found that the init script link on the wiki page was broken. Copied the script in its entirety to deckeraa.github.com/init.

Target System

  • Gateway NV5211u
  • AMD Athlon 64 X2 QL-65