<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >Setting up the boot device</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Encrypted Root Filesystem HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Creating the encrypted root filesystem" HREF="encrypt-root-filesystem.html"><LINK REL="NEXT" TITLE="Final steps" HREF="final-steps.html"></HEAD ><BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Encrypted Root Filesystem HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="encrypt-root-filesystem.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="final-steps.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="setup-boot-device" ></A >3. Setting up the boot device</H1 ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="initial-ramdisk" ></A >3.1. 
Creating the ramdisk</H2 ><P > To begin with, chroot into the encrypted partition and create the boot device mount point: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >chroot /mnt/efs
mkdir /loader</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Then, create the initial ramdisk (initrd), which will be needed afterwards: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >cd
dd if=/dev/zero of=initrd bs=1k count=4096
mke2fs -F initrd
mkdir ramdisk
mount -o loop initrd ramdisk</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > If you're using grsecurity, you may get a "Permission denied" error message; in this case you'll have to run the mount command outside the chroot. </P ><P > Create the filesystem hierarchy and copy the required files into it: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >mkdir ramdisk/{bin,dev,lib,mnt,sbin}
cp /bin/{bash,mount} ramdisk/bin/
ln -s bash ramdisk/bin/sh
mknod -m 600 ramdisk/dev/console c 5 1
mknod -m 600 ramdisk/dev/hda2 b 3 2
mknod -m 600 ramdisk/dev/loop0 b 7 0
cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2} ramdisk/lib/
cp /lib/{libncurses.so.5,libtermcap.so.2} ramdisk/lib/
cp /sbin/{losetup,pivot_root} ramdisk/sbin/</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > It's OK if you see a message like "/lib/libncurses.so.5: No such file or directory" or "/lib/libtermcap.so.2: No such file or directory"; bash only requires one of these two libraries. You can check which one is actually required with: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >ldd /bin/bash</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Compile the sleep program, which will prevent the password prompt from being flooded by kernel messages (such as USB devices being registered). 
</P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >cat > sleep.c << "EOF"
#include <unistd.h>
#include <stdlib.h>

/* sleep for the number of seconds given as the only argument */
int main( int argc, char *argv[] )
{
    if( argc == 2 )
        sleep( atoi( argv[1] ) );
    return( 0 );
}
EOF
gcc -s sleep.c -o ramdisk/bin/sleep
rm sleep.c</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Create the init script: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >cat > ramdisk/sbin/init << "EOF"
#!/bin/sh

# give the kernel a moment so its boot messages do not bury the prompt
/bin/sleep 3
echo -n "Enter seed value: "
read SEED
# losetup prompts for the passphrase itself; retry until the filesystem mounts
/sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
while [ $? -ne 0 ]
do
    /sbin/losetup -d /dev/loop0
    /sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
    /bin/mount -r -n -t ext3 /dev/loop0 /mnt
done
# make the decrypted filesystem the new root and hand over to its init
cd /mnt
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init
EOF
chmod 755 ramdisk/sbin/init</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Unmount the loopback device and compress the initrd: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >umount -d ramdisk
rmdir ramdisk
gzip initrd
mv initrd.gz /boot/</PRE ></FONT ></TD ></TR ></TABLE > </P ></DIV ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="bootable-cd" ></A >3.2. Booting from a CD-ROM</H2 ><P > I strongly advise you to start your system from read-only media, such as a bootable CD-ROM. 
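</P ><P > Since whatever runs from the boot media handles the passphrase before the encrypted root is opened, a replaced kernel or initrd on writable media (the hda1 partition of section 3.3) is the thing to detect. As an added example, not part of the HOWTO, the script below records SHA-256 sums of the boot media files in a manifest kept inside the encrypted root and checks the mounted media against it at every boot. The manifest path /etc/bootmedia.sha256 and the /loader mount point are assumptions. </P >

```sh
#!/bin/sh
# Added example (not from the HOWTO): keep a manifest of the boot media files
# inside the encrypted root and compare the media against it after booting.
# Whoever can rewrite the boot media cannot rewrite the manifest without the
# passphrase, so a swapped vmlinuz or initrd.gz shows up here.
# Assumed paths: manifest at /etc/bootmedia.sha256, media mounted on /loader.

MANIFEST="${MANIFEST:-/etc/bootmedia.sha256}"

# record_boot_media DIR FILE...: write "<sha256>  <name>" for each FILE in DIR.
# Run this once, from the trusted system, right after preparing the media.
record_boot_media() {
    dir="$1"; shift
    ( cd "$dir" && sha256sum "$@" ) > "$MANIFEST" || return 1
}

# verify_boot_media DIR: return 0 if every file in the manifest is present in
# DIR with the recorded sum; otherwise print what changed and return 1.
verify_boot_media() {
    dir="$1"; rc=0
    [ -r "$MANIFEST" ] || { echo "no manifest at $MANIFEST"; return 1; }
    while read -r sum name; do
        [ -n "$name" ] || continue            # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING:  $name"; rc=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED: $name"; rc=1
        fi
    done < "$MANIFEST"
    return $rc
}

# Command-line use (both assume the media is mounted read-only on /loader):
#   bootmedia.sh record /loader vmlinuz initrd.gz   # after writing the media
#   bootmedia.sh verify /loader                     # from a startup script
case "$1" in
    record) shift; record_boot_media "$@" ;;
    verify) verify_boot_media "$2" ;;
esac
```

A failed verify tells you the media was changed after you recorded it, so treat the passphrase typed at that boot as exposed.
<P >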
</P ><P > Download and unpack syslinux: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-3.07.tar.bz2
tar -xvjf syslinux-3.07.tar.bz2</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Configure isolinux: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >mkdir bootcd
cp /boot/{vmlinuz,initrd.gz} syslinux-3.07/isolinux.bin bootcd
echo "DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0" \
    > bootcd/isolinux.cfg</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Create and burn the bootable CD-ROM ISO image: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >mkisofs -o bootcd.iso -b isolinux.bin -c boot.cat \
    -no-emul-boot -boot-load-size 4 -boot-info-table \
    -J -hide-rr-moved -R bootcd/
cdrecord -dev 0,0,0 -speed 4 -v bootcd.iso
rm -rf bootcd{,.iso}</PRE ></FONT ></TD ></TR ></TABLE > </P ></DIV ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="boot-partition" ></A >3.3. Booting from an HD partition</H2 ><P > The boot partition can come in handy if you happen to lose your bootable CD. 
<EM >Remember that hda1 is a writable medium and is thus insecure; use it only in case of emergency!</EM > </P ><P > Create and mount the ext2 filesystem: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >dd if=/dev/zero of=/dev/hda1 bs=8192
mke2fs /dev/hda1
mount /dev/hda1 /loader</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > Copy the kernel and the initial ramdisk: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >cp /boot/{vmlinuz,initrd.gz} /loader</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > If you use grub: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >mkdir /loader/boot
cp -av /boot/grub /loader/boot/
cat > /loader/boot/grub/menu.lst << EOF
default 0
timeout 10
color green/black light-green/black

title Linux
root (hd0,0)
kernel /vmlinuz ro root=/dev/ram0
initrd /initrd.gz
EOF
grub-install --root-directory=/loader /dev/hda
umount /loader</PRE ></FONT ></TD ></TR ></TABLE > </P ><P > If you use lilo: </P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" >mkdir /loader/{boot,dev,etc}
cp /boot/boot.b /loader/boot/
mknod -m 600 /loader/dev/hda b 3 0
mknod -m 600 /loader/dev/hda1 b 3 1
mknod -m 600 /loader/dev/hda2 b 3 2
mknod -m 600 /loader/dev/hda3 b 3 3
mknod -m 600 /loader/dev/hda4 b 3 4
mknod -m 600 /loader/dev/ram0 b 1 0
cat > /loader/etc/lilo.conf << EOF
lba32
boot=/dev/hda
prompt
timeout=60

image=/vmlinuz
    label=Linux
    initrd=/initrd.gz
    read-only
    root=/dev/ram0
EOF
lilo -r /loader
umount /loader</PRE ></FONT ></TD ></TR ></TABLE > </P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="encrypt-root-filesystem.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="final-steps.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Creating the encrypted root filesystem</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Final steps</TD ></TR ></TABLE ></DIV ></BODY ></HTML >