
Filesystem security - LUKS and InitRamFS

Context

In this laboratory, we will explore the security implications of disk encryption using LUKS (Linux Unified Key Setup), as well as the use of InitRamFS. You have a NanoPi device with a buildroot Linux system installed. Since the u-boot lab you have a working Linux system on your NanoPi with the following configuration:

Preparation tasks

The goal of this part of the lab is to set up your NanoPi with a LUKS-encrypted rootfs partition and to integrate the parts needed to use initramfs.

For this you will need to:

  1. Set up cryptsetup in your buildroot configuration so that it is available on your NanoPi
  2. Set up initramfs support in your buildroot configuration so that it is available

Set up cryptsetup in your buildroot configuration so that it is available on your NanoPi:

cd /buildroot2
make menuconfig

   Go to: Target packages --->
       Hardware handling ---> [*] cryptsetup
       Miscellaneous ---> [*] haveged //Pseudo random generator



cd /buildroot2
make linux-menuconfig

   Go to: Device Drivers ---> <*> Multiple devices driver support (RAID and LVM) --->
       <*> Device mapper support
       <*> Crypt target support

   # Double-check the course slides for all the dependencies needed to get cryptsetup working

Important

Build these options into the kernel <*>, not as modules <M>

Have a look at the course slides to check all the dependencies for proper LUKS support.

Set up initramfs support in your buildroot configuration so that it is available on your NanoPi:

cd /buildroot2
make linux-menuconfig

   Go to: General setup ---> [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support

   Go to: Device Drivers ---> Generic Driver Options --->
       [*] Maintain a devtmpfs filesystem to mount at /dev
       [*] Automount a devtmpfs at /dev, after the kernel mounted the rootfs

Important

Build these options into the kernel <*>, not as modules <M>

Build and flash

Build your buildroot with the new configuration and flash it to your NanoPi as in the previous labs.

Question 1: rootfs in a LUKS partition

The goal of this question is to have an encrypted rootfs on partition 3.

Steps to follow:

On the host PC (not on the NanoPi), follow these steps:

  1. Generate a random passphrase in a file: Use dd and /dev/urandom to generate the random file. The name of this file is passphrase. The file length must be 64 bytes.
  2. Initialize a LUKS partition (partition 3) with these options:
    • Size of the partition = 536'870'912 bytes (512MB)
    • Pbkdf=pbkdf2
    • Authentication with the passphrase file
    • Format the LUKS partition as ext4
  3. Mount /buildroot/output/image/rootfs.ext4 and copy all files of your rootfs to the rootfs.luks partition
  4. Flash the SD card and mount the rootfs.luks partition on the NanoPi
    • This can take quite some time (1-2 minutes) on the NanoPi because of its limited CPU power, so be patient. What could you do to speed up this process? Try it out and explain your solution.
  5. Write an init script (/etc/S40luks) that automatically mounts this additional partition 3
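
One way to carry out host-side steps 1 to 3, shown as an added example (not the lab's reference solution). It assumes the LUKS volume is built in an image file named rootfs.luks, and the mapper name luksroot and the mount points under /mnt are hypothetical:

```shell
#!/bin/sh
# Added example: host-side steps 1-3 of Question 1.
# Assumed names: image file rootfs.luks, mapper name "luksroot", /mnt mount points.
# Usage (as root): sh make_luks_rootfs.sh build
set -eu

PASSFILE=passphrase
IMAGE=rootfs.luks
IMAGE_SIZE=536870912                          # size required by the lab, in bytes
SRC_EXT4=/buildroot/output/image/rootfs.ext4  # path given in step 3

# Step 1: 64 random bytes from /dev/urandom, readable by the owner only.
make_passphrase() {
    ( umask 077; rm -f "$1"; dd if=/dev/urandom of="$1" bs=64 count=1 2>/dev/null )
}

# Step 2 (container): sparse file of exactly $2 bytes that will hold the LUKS volume.
make_image() {
    dd if=/dev/zero of="$1" bs=1 count=0 seek="$2" 2>/dev/null
}

# Steps 2-3: LUKS format with PBKDF2 and the key file, ext4 inside, copy the rootfs.
# Needs root because it uses device-mapper and loop mounts.
build_luks_rootfs() {
    cryptsetup luksFormat --batch-mode --pbkdf pbkdf2 --key-file "$PASSFILE" "$IMAGE"
    cryptsetup open --key-file "$PASSFILE" "$IMAGE" luksroot
    mkfs.ext4 -q /dev/mapper/luksroot
    mkdir -p /mnt/src /mnt/luksroot
    mount -o loop,ro "$SRC_EXT4" /mnt/src
    mount /dev/mapper/luksroot /mnt/luksroot
    cp -a /mnt/src/. /mnt/luksroot/           # -a keeps owners, modes and symlinks
    umount /mnt/src
    umount /mnt/luksroot
    cryptsetup close luksroot                 # flush and remove the mapping
}

# Only act when explicitly asked, so the functions can be sourced and inspected.
case "${1:-}" in
    build)
        make_passphrase "$PASSFILE"
        make_image "$IMAGE" "$IMAGE_SIZE"
        build_luks_rootfs
        ;;
esac
```

The passphrase file is the only secret protecting the volume, so keep it out of the unencrypted partitions of the SD card image unless the lab step explicitly requires it there.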

Question 2: initramfs

On your host PC, create an initramfs whose /init script does not run the exec switch_root command but runs exec sh instead:

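#!/bin/sh
# Mount the kernel pseudo-filesystems needed inside the initramfs
mount -t proc none /proc
mount -t sysfs none /sys
mount -n -t devtmpfs devtmpfs /dev
# Mount the real root filesystem (partition 2) and give it a populated /dev
mount -t ext4 /dev/mmcblk0p2 /newroot
mount -n -t devtmpfs devtmpfs /newroot/dev

# Drop to a shell in the initramfs instead of switching to the new root
exec sh
#exec switch_root /newroot /sbin/init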

Now start your NanoPi with this initramfs and check that you get a shell prompt from the initramfs. Play around in this reduced root environment. Finally, run the exec switch_root command manually to switch to the new root filesystem.

Important remark

Use this boot.scr (not the one from a FIT file):

setenv bootargs console=ttyS0,115200n8 earlyprintk root=/dev/mmcblk0p2 rootwait
ext4load mmc 0 $kernel_addr_r Image
ext4load mmc 0 $fdt_addr_r sun50i-h5-nanopi-neo-plus2.dtb
ext4load mmc 0 0x50000000 uInitrd
booti $kernel_addr_r 0x50000000 $fdt_addr_r

Of course, you can also try to create a FIT file with the initramfs integrated.

Question 3: initramfs-LUKS partition

  • From the shell on the initramfs (exec sh), mount partition 3 (the LUKS partition) as rootfs
  • Manually run the exec switch_root command to switch to this encrypted rootfs partition
  • (Optional) Write a script that automatically starts the encrypted rootfs partition