
The contents of this website are Copyright (c)2006 by Brian Manning <brian at antlinux dot com>. Please do not reuse any of the content on this website without permission from the author.

Misc. Operations

Generating GPG keys via a batch file

 sh gnupg-batch.sh --wordlist ~/diceware.en.txt --dicepath ~/src/perl_scripts \ 
 --output /dev/shm/output --count 5100 --tempdir /dev/shm/keys --tempnum 510 \ 
 --challenge

Sorting GPG Keys

  • Figure out how many keys each directory holds (the count includes keylist.txt where one is present):
 for DIR in *; do echo "ls of $DIR is:"; ls "$DIR" | wc -l; done
  • take 500 keys from the first directory; ls -t sorts the directory listing most recent first, and the head count must be the same as the tail count used for the keylist in the next step, otherwise the key files and passphrases go out of step
 ls -t source_dir/ | grep -v keylist.txt | head -n 500 \ 
 | xargs -I {} -t mv source_dir/{} target_dir/{}
  • then grab the passphrases for those keys; tail -n 500 grabs the last 500 entries from the keylist, which belong to the 500 most recently generated keys
 tail -n 500 source_dir/keylist.txt > target_dir/keylist.txt
  • go back to the keylist file in source_dir and prune out the entries for the keys that have been moved; HINT: look for the oldest filename in target_dir, search for that key ID in the keylist, then delete from there to the end of the source_dir keylist file
  • when copying keys from the second directory, make sure you APPEND (>>) to the new keylist file rather than overwriting the existing keylist
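
The whole procedure above as one script, added here as an example and not one of the antlinux scripts. It assumes the batch generator writes each key as SRC/<keyid>.gpg and appends one line "<keyid> <passphrase>" per key to SRC/keylist.txt in the same order; both the file naming and the keylist layout are assumptions made for this example. Instead of pairing `ls -t` with `tail`, it drives the move from the tail of the keylist, so the key files and passphrases cannot disagree, and it prunes and appends the keylists as the HINT above describes.

```shell
#!/bin/sh
# Added example (not the antlinux scripts). Assumed layout: SRC/<keyid>.gpg
# per key, and SRC/keylist.txt with one "<keyid> <passphrase>" line per key,
# written in generation order.
set -eu

# count_keys DIR: how many key files DIR holds (keylist.txt is not counted).
count_keys() {
    ls "$1" | grep -c '\.gpg$' || true
}

# move_keys SRC DST N: move the N most recently generated keys from SRC to
# DST together with their passphrases. The keys to move are taken from the
# tail of SRC/keylist.txt rather than from `ls -t`, so the key files and the
# passphrase lines cannot get out of step when mtimes collide. DST/keylist.txt
# is appended to, never overwritten, and the moved lines are pruned from the
# source keylist so the same key cannot be handed out twice. Prints the
# number of keys actually moved.
move_keys() {
    src=$1; dst=$2; n=$3
    mkdir -p "$dst"
    total=$(wc -l < "$src/keylist.txt")
    [ "$n" -le "$total" ] || n=$total
    tail -n "$n" "$src/keylist.txt" > "$dst/keylist.moving"
    while read -r keyid _rest; do
        mv "$src/$keyid.gpg" "$dst/$keyid.gpg"
    done < "$dst/keylist.moving"
    cat "$dst/keylist.moving" >> "$dst/keylist.txt"
    rm "$dst/keylist.moving"
    head -n "$((total - n))" "$src/keylist.txt" > "$src/keylist.pruned"
    mv "$src/keylist.pruned" "$src/keylist.txt"
    echo "$n"
}
```

Run it as `move_keys /dev/shm/keys/0 /dev/shm/output 500` once per source directory; repeated calls keep appending to the target keylist, and asking for more keys than a directory has left simply drains it.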

See also start to finish key generation

Problems Encountered

  • When using losetup to mount the partition meant for LVM2 via the loopback interface, losetup for some reason looks up root's home directory; on a normal system this is done through NSS (part of GNU libc). Since the NSS libraries are not on this system, the equivalent functions were enabled in busybox ( Login/Password Management Utilities -> Use internal password and group functions rather than system functions ), but they didn't work; the NSS libraries need to be part of the image.
  • ext2/ext3 filesystem utilities want a metric fuckton of extra libraries; busybox has some ext2 functionality built in. Turn it on and use it instead of bundling libraries?
  • getting busybox init to run from initramfs: the rcS script is now placed on the initramfs image as /init, and the :sysinit: stanza was removed from /etc/inittab, so the rcS script brings up the system itself and then executes busybox init if the user asks for it with a run=init flag among the kernel boot arguments
  • switch_root.c source file does too many dissimilar checks on things like /init and whether or not the root filesystem is a TMPFS or RAMFS filesystem. I ended up separating the checks and making multiple checks in order to better diagnose issues with how the system is set up prior to running switch_root. The patched source file lives in $CVS/antlinux/builds/antlinux/switch_root.c.
  • testing of farkhttpd.pl reveals that something is hanging Perl when it has the socket open in SSL mode
  • you can't symlink the files in the tftp directory to locations outside of that directory since you're chroot'ing tftpd; once the daemon has called chroot, symlink targets are resolved relative to the new root, so a link that points outside the chroot jail dangles
  • PHP5 configure string for simple CGI functionality; the resultant PHP binary was about 11 megabytes
 ./configure --disable-short-tags --disable-libxml --disable-dom \ 
 --disable-simplexml --disable-xml --disable-xmlreader --disable-xmlwriter \ 
 --without-pear --with-config-file-path=/etc/php
  • farkhttpd.pl is an interesting idea, but there are already webservers out there that work, why re-invent the wheel
  • boa, thttpd, and shttpd were all tried in the initramfs image, but only thttpd managed to work with no issues; boa had problems with name resolution, and I forget what the issue was with shttpd
  • thttpd does not log STDERR from the Perl scripts, which is sucky because at that point you have to run the script by hand with perl -c to make sure it will compile, then run it as a CGI under thttpd and hope you get a meaningful error message.
  • Using the following use directive to load CGI::Carp helps a lot with thttpd; keep in mind that fatalsToBrowser sends the die() text, which can include file paths and other script internals, to whoever made the request, so it is a debugging aid to switch off once the script works:
 use CGI::Carp qw(fatalsToBrowser);
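
The run=init hand-off described under "getting busybox init to run from initramfs", written out as an added example for a busybox-sh /init (this is not antlinux's rcS). The command lines it is tested against are constructed samples; a real /init would read /proc/cmdline.

```shell
#!/bin/sh
# Added example, not antlinux's rcS. An initramfs /init for busybox sh that
# reads a run=init flag off the kernel command line and hands the system to
# busybox init only when asked. Sample command lines are constructed; the
# real script reads /proc/cmdline.

# cmdline_get NAME LINE: print the value of the NAME=value word in LINE.
# Matching is on whole words, so "rootrun=init" does not satisfy NAME=run,
# and LINE is never word-split or globbed, so a value like "*" survives.
cmdline_get() {
    name=$1
    line=" $2 "
    case $line in
        *" $name="*)
            value=${line#*" $name="}
            printf '%s\n' "${value%% *}"
            return 0 ;;
    esac
    return 1
}

# next_stage LINE: the program /init should exec once the rcS work is done:
# busybox init (which then reads /etc/inittab) when run=init was given,
# otherwise an interactive shell on the console.
next_stage() {
    if [ "$(cmdline_get run "$1")" = init ]; then
        echo /sbin/init
    else
        echo /bin/sh
    fi
}

# In the real /init the last line would be
#   exec "$(next_stage "$(cat /proc/cmdline)")"
# with exec rather than a plain call, so the chosen program becomes PID 1.
```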

farkhttpd.pl

farkhttpd.pl is an SSL-enabled webserver with a CGI script that accepts the keys and authentication, and discards them once the filesystem is mounted. farkhttpd.pl is no longer being developed, as the webserver wheel should not be re-invented.

  • Use the key ID as part of the URL; you call https://www.someserver.com/?key=0x1234abcd, the system then brings up a key passphrase screen and prompts you to enter the passphrase. Note that a 32-bit short key ID like this does not uniquely identify a key; the full fingerprint does.
  • SSL certificate generation is contained in the build_apache2.txt file in CVS
  • Show the system uptime on the initial connect webpage output (/proc/uptime, how should it be parsed?)
  • Have farkhttpd.pl log the number of connection attempts, and print the log on the screen or with a special URL/password combination
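
On the /proc/uptime question above: the file holds two numbers, seconds since boot and seconds spent idle summed over all CPUs (so on a multi-processor box the second can exceed the first). Only the first field is wanted for an uptime line, and busybox sh has integer arithmetic only, so the fraction has to be dropped first. The following is an added example, not farkhttpd.pl code, and the sample line it uses is constructed rather than read from a real system.

```shell
#!/bin/sh
# Added example, not part of farkhttpd.pl. Renders the first field of a
# /proc/uptime line as "Nd HH:MM:SS" using integer shell arithmetic only.
# The sample line is constructed; the CGI would read /proc/uptime instead.
UPTIME_SAMPLE='93784.21 180112.07'

# format_uptime LINE: LINE is the content of /proc/uptime.
format_uptime() {
    secs=${1%% *}        # first field: seconds since boot
    secs=${secs%%.*}     # drop the fractional part (no floats in busybox sh)
    days=$((secs / 86400))
    rest=$((secs % 86400))
    printf '%dd %02d:%02d:%02d\n' "$days" \
        "$((rest / 3600))" "$((rest % 3600 / 60))" "$((rest % 60))"
}
```

In the CGI this would be `format_uptime "$(cat /proc/uptime)"`; the idle field is left alone because it is a per-CPU sum and reads as nonsense when shown as wall-clock time.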

farkhttpd.pl todos:

  • run multiple ports/SSL objects to get around the current limitation/problem with the server (reading data from the client blocks)
  • disable forking in farkhttpd (for now)
  • modularize the httpd code so it can be run as a separate process from the init script?
  • start thinking about how to apply the user's request to use a specific key to a page that will load up and prompt for the key passphrase, then use that passphrase to unlock the encrypted partition
  • try adding fork() to the ssl demo script to see if it's an SSL libs issue
  • try using Crypt::MatrixSSL instead of OpenSSL for SSL support
Page last modified on September 09, 2008, at 11:00 AM