blob: e768aae471cd22ccfdee90753b38bf84d0b53806 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
[[!meta title="Bootless: anti-tampering bootloader"]]
**WARNING** - this pre-alpha software with [portuguese-only docs](index.pt)!
* Bootless is a scheme allowing a computer with encrypted disk to stay without attached bootloader in order to make more difficult to tamper the initialization process.
* Bootless is a bootloader installed in a removable media and used to initialize computers.
* It is based on [git-annex](http://git-annex.branchable.com/) and [GNU Grub](https://www.gnu.org/software/grub/).
* Initial support is targeted to Debian like operating systems.
* Bootless currently used in the [Hydra Suite](https://git.sarava.org/?p=hydra.git;a=summary).
Index
-----
[[!toc levels=4]]
TODO
----
- Test:
- [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/).
- [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/) ([2](http://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/)), which could simplify everything!
- Cleanup and translate docs.
- Document `cryptopts` ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details.
- Setup issue tracker.
- Add contact information.
- Split bootless script from hydra suite but preserve integration.
- Add pre-built and signed images.
- Integrate with [anti-evil-maid](http://theinvisiblethings.blogspot.com.br/2011/09/anti-evil-maid.html).
Design
------
We consider that a person has at least a single USB thumb drive which will be used to boot multiple operating systems in multiple machines for multiple different projects/farms (personal, work, hackerspace, etc). Then, the bootless ecosystem will be composed of several repositories glued together:
1. The bootless software repository (if you did not installed it using a package).
2. Main repository, used to glue together the repositories that follows.
3. Bootloader repository (eg. GRUB modules). Does this need to be manager by git or can be generated using grub?
4. Image repositories (can be multiple repositories).
Workflow
--------
Initialize:
bootless init <folder>
Include an image repository:
bootless add name <path|url>
Check repository signatures:
bootless check
Remove an image repository:
bootless rm name
Write image to thumb drive
boootless image <device>
References
----------
Git:
* http://kerneltrap.org/mailarchive/git/2007/10/7/331471
* http://stackoverflow.com/questions/37219/how-do-you-remove-a-specific-revision-in-the-git-history
* http://www.alexrothenberg.com/2009/06/changing-history-with-git-rebase-how-to.html
* http://stackoverflow.com/questions/250238/collapsing-a-git-repositorys-history
Grub:
* [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112).
* [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help).
* [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki).
* [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html).
* [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html).
Boot:
* [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem).
* [Smartmonster](https://github.com/ioerror/smartmonster) / [chkboot](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot).
* [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)).
Images:
* [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image).
* [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas.
* [Disk mounting](http://www.noah.org/wiki/Disk_mounting).
* [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/).
UEFI:
* [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/).
* [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel).
Security:
* [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks).
|
