Full-Disk-Encryption

Where in the file do I have to add the modules?

Will these be loaded in initramfs though or only when switching to the regular system? In the regular system, everything is already loaded, only in initramfs the module is missing. So I guess the config file is already correct and I only have to tell initramfs which modules to load or not?

Hmmh. Yeah I get what you are asking now. CoreELEC uses something called kernel module overlay which includes the modules early through systemd. It basically creates a symlink

I got a bit further with this, but stumbled upon something else entirely: does the N2 power off the microSD card on suspend (or maybe even in regular operation)? Is there a way to disable this behavior?

I unlocked my proprietary microSD in initramfs, but some time later it was locked again and kodi could not read anything anymore, which breaks all sorts of things of course.

I now have my first POC working. What did I do?

  1. Since I did not want to bother with loading kernel modules in initramfs, I simply included them in the kernel directly with y instead of m:
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_DM=y
  2. Copied /sbin/cryptsetup and its required libraries to /flash/crypt:
/lib/libcryptsetup.so.4
/lib/libdevmapper.so.1.02
/lib/libgcrypt.so.20
/lib/libpopt.so.0
/lib/libuuid.so.1
  3. Add the following script to /flash/mount-storage.sh, which then gets automatically run by init:
export LD_LIBRARY_PATH=/flash/crypt/lib
echo -n "password" | /flash/crypt/sbin/cryptsetup luksOpen --key-file=- /dev/sda storage
mount /dev/mapper/storage /storage -o noatime

That’s it, the system now boots into initramfs, unlocks the storage drive and then carries on with the regular boot and it works quite flawlessly. The way to obtain the actual password will probably differ for each user and it should obviously not be written in plaintext in the script.

I might add a more detailed write-up on how I obtain my passphrase and add a link to it here.

The remaining questions are:

  1. Would CoreELEC by willing to add the kernel modules into the kernel by default (or automatically load the modules in initramfs if they should not be always included in the kernel)? This is very important to prevent having to maintain a special CoreELEC build?
  2. Additionally, could we also add cryptsetup and its libs to initramfs? Otherwise one would have to add them to /flash as I did above. Nothing too cumbersome, but would be nice if those utilities were already part of initramfs then.

Then the stage would be set for all customizations one could think of and the resulting passphrase/keyfile can be used to unlock a drive without having to use a custom build of CoreELEC.

Although you did a nice job, I wonder what is the percentage of CE users who wants to use encryption. If it’s barely a handful this is not enough to include it in CE IMHO.

Probably not many and I see your point. Although:

  1. maybe there are no users, because it’s not so easy to actually get it working (see my steps above)
  2. it does not really hurt to include it: the initramfs (and system image to include cryptsetup also on the running system) increases by 1.4mb, the kernel by 0.1mb

Yeah that’s not a big footprint actually :wink:

One million four hundred thousand bytes… sounds bigger. :slight_smile:
I started programming computers in machine language, when only kilobytes of memory were available and every byte counted. Fortunately those times are gone.

I still have a ZX81 with 1KB free ram :slightly_smiling_face:

I’ll try to remove the need for the kernel config patch and load the required kernel modules from init instead, then we probably don’t even have to change anything in CE.

The only ‘problem’ then would be if the binaries and kernel modules in the /flash partition (which only get created once and not updated during a system update) would get incompatible with the kernel somehow. I suspect this to be very very rare, though.

Success! It is quite trivial actually, I just have to load dm-mod and dm-crypt via:

insmod /flash/crypt/dm-mod.ko
insmod /flash/crypt/dm-crypt.ko

at the top of my mount_storage.sh and keep the remaining steps 2) and 3) from above and everything works with stock CoreELEC.
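A fuller version of the init hook, combining the insmod-from-/flash approach in this post with steps 2 and 3 of the earlier one. This is an added example, not the poster's script: it assumes a hypothetical root-only keyfile at /flash/crypt/storage.key (the path is a placeholder) in place of the echoed plaintext password, checks /proc/modules before calling insmod, and refuses a keyfile that is empty or readable by group/other. The device, mapper name and mount point are the ones used in the thread.

```shell
#!/bin/sh
# /flash/mount-storage.sh -- added example, not the thread poster's script.
# Assumption (not from the thread): the LUKS key is in a root-only file named
# by $KEYFILE rather than being written as plaintext inside the script.

CRYPT_DIR=/flash/crypt
CRYPTSETUP=$CRYPT_DIR/sbin/cryptsetup
KEYFILE=${KEYFILE:-$CRYPT_DIR/storage.key}   # placeholder location
LUKS_DEV=${LUKS_DEV:-/dev/sda}
MAPPER_NAME=storage
MOUNT_POINT=/storage
# Overridable so the module check can run against a constructed listing.
PROC_MODULES=${PROC_MODULES:-/proc/modules}

# module_loaded NAME: returns 0 if NAME is in the first column of /proc/modules.
# .ko files use hyphens (dm-mod) but the kernel reports underscores (dm_mod).
module_loaded() {
    _name=$(printf '%s' "$1" | tr '-' '_')
    awk -v n="$_name" '$1 == n { found = 1 } END { exit !found }' "$PROC_MODULES"
}

# ensure_module NAME: insmod /flash/crypt/NAME.ko unless already loaded.
# Built-in modules never show up in /proc/modules and have no .ko, so a
# missing file is treated as "built in" rather than as an error.
ensure_module() {
    module_loaded "$1" && return 0
    if [ ! -e "$CRYPT_DIR/$1.ko" ]; then
        echo "$1: no .ko in $CRYPT_DIR, assuming built-in" >&2
        return 0
    fi
    insmod "$CRYPT_DIR/$1.ko"
}

# keyfile_ok PATH: regular, non-empty, and not readable by group or other.
keyfile_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # find prints the path when a group/other read bit is set -> reject it
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

main() {
    export LD_LIBRARY_PATH=$CRYPT_DIR/lib
    ensure_module dm-mod   || { echo "dm-mod not loaded" >&2; return 1; }
    ensure_module dm-crypt || { echo "dm-crypt not loaded" >&2; return 1; }
    keyfile_ok "$KEYFILE"  || { echo "refusing to use $KEYFILE" >&2; return 1; }
    # Skip luksOpen if the mapping already exists (script re-run).
    if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
        "$CRYPTSETUP" luksOpen --key-file="$KEYFILE" "$LUKS_DEV" "$MAPPER_NAME" || return 1
    fi
    mount -o noatime "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
}

# Only run main when invoked as the init hook, so the functions can also be
# sourced and exercised without touching real devices.
case "${0##*/}" in
    mount-storage.sh) main "$@" ;;
esac
```

Drop it in as /flash/mount-storage.sh so init runs it. Note that a keyfile on the same unencrypted /flash partition as the script only relocates the secret rather than protecting it, so the thread's point stands: where the passphrase or keyfile actually comes from (removable media, a prompt, something else) is the user's choice.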

So this means you got luks working? I am using CE on a Beelink GT king, and would be very much interested in using luks for external hdd-s as all my hdd-s are encrypted. (I use linux exclusively, but I have never compiled anything, and the steps you took are beyond my current knowledge level.)

Yes, I use LUKS now and everything works just fine. How do you want to unlock your encrypted drives? If you only want to unlock them after booting into CE, then you can simply install cryptsetup and its tools and don’t have to change anything else on your system.

Are you sure a custom kernel is not required?

I have vanilla 9.2.0 and installed cryptsetup via opkg but I get the following when mounting an encrypted USB drive:

cryptsetup open /dev/disk/by-id/ata-ST4000LM024 myseagate1
Enter passphrase for /dev/disk/by-id/ata-ST4000LM024:
Cannot initialize device-mapper. Is dm_mod kernel module loaded?

Have I missed installing a package via opkg?

Try loading this module manually

modprobe dm-mod

CoreELEC:~ # modprobe dm-mod
modprobe: FATAL: Module dm-mod not found.

:frowning:

CoreELEC:~ # lsmod
Module Size Used by
sha1_generic 2492 0
8021q 21855 0
ir_lirc_codec 5340 0
lirc_dev 11896 1 ir_lirc_codec
ir_sanyo_decoder 3115 0
ir_mce_kbd_decoder 5212 0
ir_sony_decoder 2649 0
ir_jvc_decoder 2799 0
ir_rc6_decoder 3823 0
ir_nec_decoder 3615 0
ir_rc5_decoder 2735 0
meson_ir 4389 0
mali 224255 5
rc_core 19532 11 lirc_dev,meson_ir,ir_lirc_codec,ir_rc5_decoder,ir_nec_decoder,ir_sony_decoder,ir_mce_kbd_decoder,ir_jvc_decoder,ir_rc6_decoder,ir_sanyo_decoder
wifi_dummy 894 0
amlvideodri 13210 0
videobuf_res 5690 1 amlvideodri
videobuf_core 18248 2 amlvideodri,videobuf_res
videodev 144588 1 amlvideodri
dwc_otg 261556 0
fbcon 40863 0
bitblit 4820 1 fbcon
softcursor 1344 1 bitblit
font 7399 1 fbcon

I am using an Odroid C2

Seems this stuff is enabled on the 4.9 kernel for newer devices :frowning:

Ah. So I tried to add the modules, similar to how I have done on LibreELEC 8.2.1 in:

./projects/Amlogic/linux/linux.aarch64.conf

Building for the Odroid C2 using 9.2.0 source:

PROJECT=Amlogic make image

But the compile errors at:

package_worker 2 63 284 'install device-trees-amlogic'

Multiple devices driver support (RAID and LVM) (MD) [Y/n/?] y
RAID support (BLK_DEV_MD) [N/m/y/?] (NEW) aborted!

Console input/output is redirected. Run 'make oldconfig' to update configuration.

Odd because I am pretty sure BLK_DEV_MD is not new in this kernel. And was in my options for Kernel 3.14.29 on LibreElec.

make oldconfig failed with no valid conf file

Grateful for any pointers on how to proceed

After you edit the file linux.aarch64.conf run

PROJECT=Amlogic ./scripts/clean linux
PROJECT=Amlogic ./scripts/build linux

It will ask you for some other options you missed. When it is done compare file linux.aarch64.conf and build.CoreELEC-Amlogic…/linux-…/.config and copy required stuff back from .config to linux.aarch64.conf. And then repeat clean/build step.

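A small helper for the compare step in the reply above, written here as an added example (it is not part of the CoreELEC scripts/ tooling): it lists every option set in linux.aarch64.conf whose value in the generated .config differs or is missing, treating `# CONFIG_X is not set` as `n`. The option names used in the constructed sample are ones that appear in this thread; the two file paths are arguments.

```shell
#!/bin/sh
# kconfig-check.sh -- added example, not a CoreELEC build-system script.
# Usage: sh kconfig-check.sh linux.aarch64.conf path/to/.config

# kconfig_value FILE OPTION: print the effective value of OPTION in a
# Kconfig-style file: the text after "=", "n" for "# OPTION is not set",
# or an empty string when the option does not appear at all.
kconfig_value() {
    awk -v opt="$2" '
        $0 == "# " opt " is not set" { val = "n"; next }
        index($0, opt "=") == 1      { val = substr($0, length(opt) + 2) }
        END { print val }' "$1"
}

# kconfig_mismatches WANTED GENERATED: for every option mentioned in WANTED,
# print "OPTION wanted=X got=Y" when GENERATED disagrees (missing -> <missing>).
# Returns 0 when everything matches, 1 when at least one line was printed.
kconfig_mismatches() {
    _out=$(
        # Pull option names from both "CONFIG_X=val" and "# CONFIG_X is not set"
        sed -n -e 's/^\(CONFIG_[A-Za-z0-9_]*\)=.*/\1/p' \
               -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1/p' "$1" |
        while read -r opt; do
            want=$(kconfig_value "$1" "$opt")
            got=$(kconfig_value "$2" "$opt")
            if [ "$want" != "$got" ]; then
                echo "$opt wanted=$want got=${got:-<missing>}"
            fi
        done
    )
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Only act as a command when invoked under this name, so the functions can
# also be sourced and exercised on constructed files.
case "${0##*/}" in
    kconfig-check.sh) kconfig_mismatches "$1" "$2" ;;
esac
```

Run it after `./scripts/build linux` against `build.CoreELEC-Amlogic*/linux-*/.config`; every line it prints is an option that the kernel's dependency resolution changed or dropped, i.e. exactly the stuff you need to copy back into linux.aarch64.conf (or whose dependency you need to enable) before the next clean/build round.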

Thanks that worked.

For the record on 9.2.0 for Odroid C2 to enable encryption edit the following file:

./projects/Amlogic/linux/linux.aarch64.conf

I added the following lines:

CONFIG_CRYPTO_LRW=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_XTS=y
CONFIG_MD=y
CONFIG_DM_BUFIO=m
CONFIG_DM_BIO_PRISON=m
CONFIG_DM_PERSISTENT_DATA=m
CONFIG_DM_CRYPT=m
CONFIG_DM_SNAPSHOT=m
CONFIG_DM_THIN_PROVISIONING=m
CONFIG_DM_MIRROR=m
CONFIG_DM_RAID=m
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
CONFIG_MD=y
CONFIG_DM_LOG_WRITES=m
CONFIG_DM_VERITY_AVB=m

Then:

PROJECT=Amlogic ./scripts/clean linux
PROJECT=Amlogic ./scripts/build linux

And finally

PROJECT=Amlogic make image

Then install cryptsetup via opkg.

Would be nice if encryption module was part of the official build for Odroid C2 like it is for devices on the newer kernels.