Full Disk Encryption of FuguIta LiveUSB

kaw (2023-01-24 (Tue) 13:31:31)

FuguIta can remaster LiveUSB using the newdrive function of the usbfadm utility.
However, in this case, the data storage partition can be encrypted, but the area where the operating system is stored can't.
This is so that FuguIta's fresh boot (boot modes 0, 1, and 2) can be used without a passphrase even though the data storage partition is encrypted.

In contrast, the entire media on which FuguIta LiveUSB is stored can also be encrypted.

The procedure is almost identical to OpenBSD's full-disk encryption, roughly as follows.

1. Initialize the desired disk and create an encrypted volume.
2. Apply the newdrive function of the usbfadm utility to the encrypted volume.

The specific steps are as follows.

Note: The following procedure is valid only for Legacy BIOS boot; further investigation is required for UEFI boot.

Create encrypted volume
The work is done with root privileges. In the following example, sd1 is the volume to be encrypted.

First, write random data to the entire disk.

test# dd if=/dev/urandom of=/dev/rsd1c bs=1m
dd: /dev/rsd1c: end of device
2049+0 records in
2048+0 records out
2147483648 bytes transferred in 42.961 secs (49986618 bytes/sec)

Next, initialize the fdisk partition.

test# fdisk -iy sd1
Writing MBR at offset 0.

Create a RAID partition using the disklabel command.

test# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
sd1> a a
offset: [64]
size: [4194240] *
FS type: [4.2BSD] raid
sd1*> w
sd1> q
No label changes.

Create an encrypted volume in the RAID partition you just created.

test# bioctl -c C -l /dev/sd1a softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd2
test# dd if=/dev/zero of=/dev/rsd2c bs=1m count=1
dd: /dev/rsd2c: short write on character device
dd: /dev/rsd2c: end of device
2048+0 records in
2047+1 records out
2147180544 bytes transferred in 70.967 secs (30255841 bytes/sec)
test#

The encrypted volume sd2 has now been created.

Installing FuguIta LiveUSB on an encrypted volume
Installation of FuguIta LiveUSB on the encrypted volume sd2 is the same as the normal remastering of FuguIta LiveUSB.

test# usbfadm

Welcome to usbfadm.
USB flash drive administration tool for FuguIta

 Version/Arch: 7.2/amd64  (FuguIta-7.2-amd64-202301181)
    Boot mode: manual
Target device: not set
Data saved as: not set

readline capability available
TAB to complete the reserved words

Type ? for help.

? : ? ->newdrive

Please make sure the device inserted.
Then press ENTER ->

==== disk(s) and vnode devices	============================
sd0 at scsibus1 targ 0 lun 0: <VirtIO, Block Device, >
sd0: 2048MB, 512 bytes/sector, 4194304 sectors
sd1 at scsibus1 targ 0 lun 0: <VirtIO, Block Device, >
sd1: 2048MB, 512 bytes/sector, 4194304 sectors
sd2 at scsibus4 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd2: 2047MB, 512 bytes/sector, 4193712 sectors
vnd0: not in use
vnd1: not in use
vnd2: not in use
vnd3: not in use
vnd4: not in use
vnd5: covering /sysmedia/fuguita-7.2-amd64.ffsimg on sd0a, inode 48172
============================================================
Enter the name of device which FuguIta will be installed->sd2

Since the entire disk is encrypted, there is no need to encrypt the partition for user data storage.

user data encryption? [y/N] ->n


Confirmation of operation
Confirm that when you boot the created FuguIta LiveUSB, it asks you for your passphrase before the boot prompt.

Using drive 0, partition 3
Loading......
probing: pc0 com0 mem[638K 2046M a20=on]
disk: hd0+ sr0*
>> OpenBSD/amd64 BOOT 3.55
Passphrase:
/
>> bsd-fi.mp is for
>> multiprocessor kernel (default).
>> Enter 'bsd-fi' for Uniprocessor.

boot>
cannot open sr0a:/etc/random.seed: No such file or directory
booting sr0a:/bsd-fi.mp: 15754520+3781648+2256928+0+1179648[1141593+128+1231680+932473]=0x19125a0
entry point at 0xffffffff81001000
[ using 3306912 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2022 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 7.2-stable (RDROOT.MP) #23: Wed Jan 18 09:09:22 JST 2023
    root@nimbus12.localnet:/opt/fi/7.2/sys/arch/amd64/compile/RDROOT.MP
real mem = 2130694144 (2031MB)
avail mem = 2046828544 (1952MB)
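
A post-install check for the procedure above, as an added example that is not part of the original post or of FuguIta: it parses bioctl and disklabel output to confirm that the install target is a softraid CRYPTO volume sitting on a RAID-type partition. The function names and the sample output are assumptions, constructed to match the post's sd1a/sd2 layout.

```sh
#!/bin/sh
# Added example. SAMPLE_* are constructed to match the layout printed by
# bioctl(8) and disklabel(8) for the sd1a -> sd2 setup in the post.
SAMPLE_BIOCTL='Volume      Status               Size Device
softraid0 0 Online         2147180544 sd2     CRYPTO
          0 Online         2147180544 0:0.0   noencl <sd1a>'
SAMPLE_DISKLABEL='#                size           offset  fstype [fsize bsize   cpg]
  a:          4194240               64    RAID
  c:          4194304                0  unused'

# Print the softraid discipline of volume $1 (bioctl text on stdin);
# exit non-zero if $1 is not listed as a softraid volume.
volume_discipline() {
    awk -v dev="$1" '$1 ~ /^softraid/ && $5 == dev { print $6; found = 1 }
                     END { exit !found }'
}

# Print the chunk partitions (e.g. sd1a) backing volume $1.
volume_chunks() {
    awk -v dev="$1" '$1 ~ /^softraid/ { in_vol = ($5 == dev); next }
                     in_vol && $NF ~ /^<.*>$/ { gsub(/[<>]/, "", $NF); print $NF }'
}

# Print the fstype of partition letter $1 (disklabel text on stdin).
partition_fstype() {
    awk -v p="$1:" '$1 == p { print $4 }'
}

# check_fde VOLUME BIOCTL_TEXT DISKLABEL_TEXT
# 0 = CRYPTO volume on a RAID partition, 1 = wrong type, 2 = not softraid.
check_fde() {
    disc=$(printf '%s\n' "$2" | volume_discipline "$1") ||
        { echo "$1: not a softraid volume"; return 2; }
    [ "$disc" = CRYPTO ] || { echo "$1: discipline $disc, not CRYPTO"; return 1; }
    chunks=$(printf '%s\n' "$2" | volume_chunks "$1")
    [ -n "$chunks" ] || { echo "$1: no chunk listed"; return 1; }
    for chunk in $chunks; do
        letter=${chunk#"${chunk%?}"}          # last character, e.g. "a"
        fstype=$(printf '%s\n' "$3" | partition_fstype "$letter")
        [ "$fstype" = RAID ] ||
            { echo "$chunk: fstype '$fstype', expected RAID"; return 1; }
    done
    echo "$1: CRYPTO volume on RAID chunk $chunks"
}

check_fde sd2 "$SAMPLE_BIOCTL" "$SAMPLE_DISKLABEL"
```

On a live system, run it before usbfadm's newdrive step as `check_fde sd2 "$(bioctl sd2)" "$(disklabel sd1)"`, so the OS image is never written to an unencrypted device by mistake.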

setting MFS/TMPFS to mount on /ram (202212272)

kaw (2022-12-28 (Wed) 01:30:25)

When remastering LiveUSB using usbfadm, you can now specify whether MFS or TMPFS is the file system to mount on /ram. The default is MFS.

fugu-demo# usbfadm
  :
sd1d : fugu-demo ->newdrive
  :
Type of /ram:
  1: [MFS]
  2:  TMPFS
->
  :

Also, when creating LiveDVD images with remaster_dvd.sh, the command line option -m can now be used to specify the same.

fugu-demo# remaster_dvd.sh -h
Usage: remaster_dvd.sh [-m mfs|tmpfs]

fugu-demo# remaster_dvd.sh -m tmpfs
Changing file system of /ram: from mfs to tmpfs
mkhybrid 1.12b5.1
Scanning .
Scanning ./etc
  :

#FuguIta


TMPFS optionally enabled at 202212191

kaw (2022-12-19 (Mon) 15:35:41)

A few weeks ago, a fix was committed for kernel panics caused by TMPFS operations.
https://marc.info/?l=openbsd-cvs&m=166853221306810&w=2

Therefore, in this release FuguIta-*-202212191, TMPFS is now enabled on the FuguIta kernel.

At boot time, /ram is mounted with MFS as before, but to enable TMPFS mounting instead, rewrite the value of memfstype in the system image file fuguita-7.2-ARCH.ffsimg.
The procedure is as follows.

To modify a LiveUSB, on a running FuguIta LiveUSB:

# mount -uw /sysmedia
# mount -uw /fuguita
# sed -i.bak -e '/memfstype=/s/=mfs/=tmpfs/' /fuguita/etc/fuguita/global.conf   <-- or use your preferred editor
# cat /fuguita/etc/fuguita/global.conf 
fuguita_sys_mb=1010  # size of media.img
memfstype=tmpfs        # 'mfs' or 'tmpfs'  <-- make sure memfstype is set to tmpfs
mfs_max_mb=30720     # mfs hard limit - 30GB
# mount -ur /fuguita
# mount -ur /sysmedia
# reboot

To generate a modified ISO image, on a running FuguIta LiveUSB or LiveDVD:

# cd /
# pax -rwpe sysmedia WORKDIR  <-- WORKDIR is a directory with a capacity of more than about 2GB
# cd WORKDIR/sysmedia
# vnconfig vnd0 fuguita-7.2-amd64.ffsimg
vnd0
# mount /dev/vnd0a /mnt
# sed -i.bak -e '/memfstype=/s/=mfs/=tmpfs/' /mnt/etc/fuguita/global.conf  <-- or use your preferred editor
# cat /mnt/etc/fuguita/global.conf
fuguita_sys_mb=1010  # size of media.img
memfstype=tmpfs	       # 'mfs' or 'tmpfs'  <-- make sure memfstype is set to tmpfs
mfs_max_mb=30720     # mfs hard limit - 30GB
# umount /mnt
# vnconfig -u vnd0
# remaster_dvd.sh  <-- generate ISO image
mkhybrid 1.12b5.1
Scanning .
Scanning ./etc

Size of boot image is 4 sectors -> No-emulation CD boot sector
Total translation table size: 0
Total rockridge attributes bytes: 1028
Total directory bytes: 2048
Path table size(bytes): 22
512769 extents written (1001 Mb)
# ls -l ..  <-- the ISO image is generated in the parent directory
total 2052114
-rw-r--r--  1 root  wheel  1050150912 Dec 18 06:13 FuguIta-7.2-amd64-202212181.iso
drwxr-xr-x  3 root  wheel	  512 Oct 22 17:09 sysmedia

When booting with the modified media, you are prompted for the size of tmpfs.

available memory: 239M

Enter tmpfs size (0M is auto).
  You can add suffix K, M, or G.
  % is a percentage of memory size.
  and %% is a percentage of the total memory and swap.
  otherwise considered "megabytes"

[default: 0M] ->
set tmpfs size to 0MB

With the procedures described above, you can use FuguIta with TMPFS. Note, however, that TMPFS is not completely stable. TMPFS may cause a kernel panic when it is heavily paged out and in. For example, this problem can be reproduced by executing the following test script.

#!/bin/sh

# test directory located in tmpfs
#
testdir=/ram  # in case of FuguIta
cd $testdir || exit 1

df -h
swapctl -lk

blk=64  # block size of dd write in MB
i=1
# loop until /ram is 95% full; -lt compares numerically ('<' inside [[ ]] compares strings)
while [[ $(df -h | awk '$6 ~ /\/ram$/ { print 0+$5 }') -lt 95 ]]; do
    echo "====trying ${i}*${blk}MB ===="
    dd if=/dev/zero of=zerofill_${i} bs=1m count=$blk || break
    df -h
    swapctl -lk
    i=$((i+1))
done


Former articles are at FuguIta/BBS/12.
