Full-Disk-Encryption

@nioncode, would be great if you could have a look at below.

I’ve cryptsetup with all libs, as reported by strace, put in what I export as LD_LIBRARY_PATH=/flash/crypt/lib

The /flash/crypt/sbin/cryptsetup exists too, though every time I try to run it the error says "not found". This is a rather weird message and smells like something is missing on the busybox side to start.
Insmod is done, there is no such string in cryptsetup.
The cryptsetup I’ve is one retrieved using opkg install cryptsetup. It is 2.1.0-2.

I’m getting a bit clueless for the moment.

Content of /flash/crypt/ is:
./dm-mod.ko
./sbin
./sbin/cryptsetup
./dm-crypt.ko
./lib
./lib/libpopt.so.0
./lib/libgcrypt.so.20
./lib/libuuid.so.1
./lib/libcryptsetup.so.12
./lib/libm.so.6
./lib/libdevmapper.so.1.02
./lib/libblkid.so.1
./lib/libcrypto.so.1.1
./lib/libgcc_s.so.1
./lib/libpthread.so.0
./lib/libc.so.6
./lib/libssl.so.1.1
./lib/libjson-c.so.4
./lib/libdl.so.2

Thanks in advance.

UPDATE:
Managed to get a statically linked strace from (as later trial & error shows, some basic libraries are still missing):

Using it I’m getting this:
execve("/flash/crypt/sbin/cryptsetup", ["/flash/crypt/sbin/cryptsetup", "--version"], [/* 19 vars */]) = -1 ENOENT (No such file or directory)
write(2, "/flash/bin/strace_static: exec: "…, 58/flash/bin/strace_static: exec: No such file or directory
) = 58
mprotect(0x7f7d109000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f7d109000, 4096, PROT_READ) = 0
mprotect(0x7f7d109000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f7d109000, 4096, PROT_READ) = 0
munmap(0x7f7d109000, 4096) = 0
exit_group(1) = ?
+++ exited with 1 +++

UPDATE2:

With a trial & error approach I’ve figured out that the list of libraries I’d need to put on the flash is much longer, though even with this list it doesn’t work:
ld-2.27.so
ld-linux-aarch64.so.1 -> ld-2.27.so
libblkid.so.1 -> libblkid.so.1.1.0
libblkid.so.1.1.0
libc-2.27.so
libc.so.6 -> libc-2.27.so
libcrypto.so.1.1
libcryptsetup.so.12 -> libcryptsetup.so.12.4.0
libcryptsetup.so.12.4.0
libdevmapper.so.1.02
libdl-2.27.so
libdl.so.2 -> libdl-2.27.so
libgcc_s.so.1
libjson-c.so.4 -> libjson-c.so.4.0.0
libjson-c.so.4.0.0
libm-2.27.so
libm.so.6 -> libm-2.27.so
libpopt.so.0 -> libpopt.so.0.0.0
libpopt.so.0.0.0
libpthread-2.27.so
libpthread.so.0 -> libpthread-2.27.so
librt-2.27.so
librt.so.1 -> librt-2.27.so
libssl.so.1.1
libuuid.so.1 -> libuuid.so.1.3.0
libuuid.so.1.3.0
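As an added example (not code from the thread or from CoreELEC): the strace line above shows execve() returning ENOENT for a file that exists. The usual cause is that the kernel could not find the dynamic loader named in the binary's PT_INTERP header at its absolute path (for an aarch64 glibc build that is /lib/ld-linux-aarch64.so.1, assumed here), and LD_LIBRARY_PATH has no effect on that lookup. The script parses PT_INTERP out of an ELF64 image and reports whether the loader is present; the sample ELF image is constructed inline.

```python
import os
import struct
import sys

PT_INTERP = 3  # program header type that names the dynamic loader

def build_minimal_elf(interp=None):
    """Constructed sample: a tiny ELF64 aarch64 image with at most one program
    header (PT_INTERP). It stands in for the cryptsetup binary from the post."""
    phnum = 0 if interp is None else 1
    interp_bytes = b"" if interp is None else interp.encode() + b"\0"
    ehdr_size, phdr_size = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 183, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, phnum, 64, 0, 0)
    phdr = b""
    if interp is not None:
        phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, ehdr_size + phdr_size, 0, 0,
                           len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes

def elf_interpreter(image):
    """Return the PT_INTERP path of an ELF64 image, or None if there is none
    (i.e. the binary is statically linked and needs no loader)."""
    if image[:4] != b"\x7fELF" or image[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", image, off)
        if p_type == PT_INTERP:
            return image[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def diagnose_exec(image, root="/"):
    """execve() resolves the interpreter from PT_INTERP at its absolute path;
    LD_LIBRARY_PATH plays no part in that lookup, so a missing loader yields
    ENOENT ('not found') even though the binary itself exists."""
    interp = elf_interpreter(image)
    if interp is None:
        return "static binary: no interpreter needed"
    if os.path.exists(os.path.join(root, interp.lstrip("/"))):
        return "interpreter present: " + interp
    return "interpreter missing: " + interp

if __name__ == "__main__":
    # Usage on a real box: python3 elfcheck.py /flash/crypt/sbin/cryptsetup
    with open(sys.argv[1], "rb") as f:
        print(diagnose_exec(f.read()))
```

The `root` argument lets you check a binary against an extracted initramfs tree instead of the running system.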

Sorry, haven’t been active in the forum for quite a while and only saw your response just now. Did you figure it out by now? Something is definitely a bit wrong in your setup, since you should not have to add all these libraries to your /flash/crypt/lib directory (especially things like libc), because they should be picked up from the regular initramfs.

Do you use the N2 or another device? Can you post your mount-storage.sh script and possibly the error output from a boot session?

N2, and for the interim switched over to HDD storage encryption.
Will pick up a fresh sdcard for tests to be able to post some more details (might take days, as N2 became a core device in the network and everybody is at home all day long, hence no time to take the system down).
I might pick a route of testing it via qemu.

Many thanks for your reply. I’ll return to it.

Thank you for being able to use cryptsetup and encrypt my usb disk :+1:

@nioncode how are you retrieving the passphrase? Is it possible to do a http call in initram, or maybe just a simple netcat to get it from a tcp stream?

I will try to do this on the weekend with a Homatik Box R 4K Plus which boots CoreELEC from usb.

So right now I’m stuck with getting binaries working within initram, e.g. curl, cryptsetup etc., and the link you posted is outdated; could you update it to a direct commit, so it stays up-to-date?

edit: so I think you meant mount_sysroot(), but technically sysroot should already be mounted when /flash/mount-storage.sh is run, but for some reason it isn’t, at least I get /usr/bin/curl not found, /usr/sbin/modprobe not found, etc.

edit2: now using /sysroot/usr/bin/curl I’m getting: error while loading shared libraries: libcurl.so.4 no such file or directory

edit3: I now have all binaries working in initram but have no network, although I added ip=dhcp to /flash/config.ini and am connected via ethernet

edit4: cat /proc/cmdline does not list ip=dhcp, so /flash/config.ini is wrong? I hope I don’t need to compile the kernel myself…

edit5: so I just ended up setting up the network statically within initram/busybox; retrieving the passphrase from a remote host works! Now only one thing is left: Cannot initialize device-mapper. Is dm_mod kernel module loaded…

edit 6: loading the crypt modules dynamically, everything works now :tada: and it’s completely independent of CoreELEC, so should work fine with updates