* [Buildroot] building a kernel+ramdisk separate from rootfs for using dm_crypt filesystem
From: Tim Harvey @ 2021-03-31 21:02 UTC
To: buildroot
Greetings,
I'm using buildroot to build a kernel and rootfs but now need to
implement dm_crypt for a secure filesystem.
I'm not all that familiar with dm_crypt but it would appear that I
need to use an initramfs to open (unlock) the encrypted filesystem and
mount it.
Do I need to build a separate buildroot config for the initramfs image
from the buildroot config that builds my traditional kernel and
rootfs? I was hoping to be able to build this all as a single project.
Perhaps there is a way of using dm_crypt without an initramfs that I'm
not aware of.
Perhaps I don't even need dm_crypt and there are other simple ways to
secure my root filesystem? I am working with a system that is secure
up to and including the bootloader and am using U-Boot verified boot
to boot a signed kernel from a FIT image.
Any suggestions?
Best regards,
Tim
From: Tian Yuanhao @ 2021-04-01 1:21 UTC
To: buildroot
Hi Tim,
On 2021/4/1 5:02, Tim Harvey wrote:
> Greetings,
>
> I'm using buildroot to build a kernel and rootfs but now need to
> implement dm_crypt for a secure filesystem.
>
> I'm not all that familiar with dm_crypt but it would appear that I
> need to use an initramfs to open (unlock) the encrypted filesystem and
> mount it.
>
> Do I need to build a separate buildroot config for the initramfs image
> from the buildroot config that builds my traditional kernel and
> rootfs? I was hoping to be able to build this all as a single project.
I am also doing similar work. I found two ways:
1. Treat initramfs as a package. Write your own init shell script.
   a. Compile all dependent packages (mainly busybox) statically.
   b. Compile all dependent packages non-statically. Use lddtree.sh to
      identify dependent libraries from TARGET_DIR.
2. Write a Makefile like this:
```
# your-image.mk
$(eval $(info $(pkgname)))
.PHONY: your-image
YOUR_IMAGE_DEPENDENCIES = package-a package-b
your-image: $(YOUR_IMAGE_DEPENDENCIES) target-finalize
	@$(call MESSAGE,"Generating filesystem image $@")
	do something here
TARGETS_ROOTFS += your-image
PACKAGES += $(YOUR_IMAGE_DEPENDENCIES)
```
My final choice is method 1-a, because the initramfs I need is not that
complicated.
Regards,
Yuanhao
>
> Perhaps there is a way of using dm_crypt without an initramfs that I'm
> not aware of.
>
> Perhaps I don't even need dm_crypt and there are other simple ways to
> secure my root filesystem? I am working with a system that is secure
> up to and including the bootloader and am using U-Boot verified boot
> to boot a signed kernel from a FIT image.
>
> Any suggestions?
>
> Best regards,
>
> Tim
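A minimal `/init` for method 1 above (initramfs as a package with a hand-written init script), added here as an example and not code from either poster. It assumes a LUKS-formatted root, a hypothetical `cryptroot=` kernel parameter, a `/newroot` mount point in the initramfs, and a passphrase typed on the console.

```shell
#!/bin/sh
# /init for an initramfs holding static busybox + cryptsetup (added example).
# Assumption: the kernel command line carries cryptroot=<block device>.
set -f  # command-line words are data, never glob patterns

# Print the value of KEY=value found in a command-line string.
cmdline_get() {
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Accept only plain /dev/... paths.
valid_dev() {
    case "$1" in
        *[!A-Za-z0-9/_-]*) return 1 ;;
        /dev/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fail closed: reboot rather than drop to a shell on the console.
fail() {
    echo "init: $*" >&2
    sleep 5
    reboot -f
}

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    dev=$(cmdline_get cryptroot "$(cat /proc/cmdline)") || fail "no cryptroot="
    valid_dev "$dev" || fail "refusing device $dev"
    # Prompts for the passphrase on the console; add --key-file for
    # unattended unlock (where that key is kept is outside this example).
    cryptsetup open "$dev" cryptroot || fail "unlock failed"
    mount -o ro /dev/mapper/cryptroot /newroot || fail "mount failed"
    mount -o move /dev /newroot/dev
    umount /proc; umount /sys
    exec switch_root /newroot /sbin/init
}

# Run only when started by the kernel as /init.
if [ "$$" -eq 1 ] && [ "$0" = /init ]; then main; fi
```

The `fail` path reboots instead of spawning a rescue shell, so a failed unlock does not hand out a root prompt on a device whose boot chain is otherwise verified.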
From: Tim Harvey @ 2021-04-02 19:29 UTC
To: buildroot
On Wed, Mar 31, 2021 at 6:21 PM Tian Yuanhao <tianyuanhao@aliyun.com> wrote:
>
> Hi Tim,
>
> On 2021/4/1 5:02, Tim Harvey wrote:
> > Greetings,
> >
> > I'm using buildroot to build a kernel and rootfs but now need to
> > implement dm_crypt for a secure filesystem.
> >
> > I'm not all that familiar with dm_crypt but it would appear that I
> > need to use an initramfs to open (unlock) the encrypted filesystem and
> > mount it.
> >
> > Do I need to build a separate buildroot config for the initramfs image
> > from the buildroot config that builds my traditional kernel and
> > rootfs? I was hoping to be able to build this all as a single project.
>
> I am also doing similar work. I found two ways:
>
> 1. Treat initramfs as a package. Write your own init shell script.
> a. Compile all dependent packages (mainly busybox) statically.
> b. Compile all dependent packages non-statically. Use lddtree.sh to
> identify dependent libraries from TARGET_DIR.
>
> 2. Write a Makefile like this:
> ```
> # your-image.mk
> $(eval $(info $(pkgname)))
>
> .PHONY: your-image
>
> YOUR_IMAGE_DEPENDENCIES = package-a package-b
>
> your-image: $(YOUR_IMAGE_DEPENDENCIES) target-finalize
> 	@$(call MESSAGE,"Generating filesystem image $@")
> 	do something here
>
> TARGETS_ROOTFS += your-image
> PACKAGES += $(YOUR_IMAGE_DEPENDENCIES)
> ```
>
> My final choice is method 1-a, because the initramfs I need is not that
> complicated.
>
Yuanhao,
Thanks for the feedback! I did find that creating an initramfs was
pretty easy and so started doing it with a script. Thanks for the
pointer to lddtree - that helped me figure out how to deal with
copying the right files.
Tim