Pmbootstrap: Make full disk encryption optional

Created on 14 Jun 2017  路  8Comments  路  Source: postmarketOS/pmbootstrap

For performance reasons, the full disk encryption should become optional.

Required changes:

  • pmbootstrap install:

    • Add a --no-fde switch (or something like that)

    • Always assign a partition label to the postmarketOS root partition (this is something we should do anyway)

  • postmarketos-mkinitfs:

    • Instead of searching for a cryptsetup partition, find the postmarketOS root partition by device label

    • When it was found, check whether it is encrypted or not. If it isn't, directly boot from it

enhancement
Source
picture ollieparanoid

All 8 comments

I would advise this to be opt-out by default. Thoughts?

PMaynard picture PMaynard on 15 Jun 2017

As in: you need to explicitly disable encryption? That's how I would like to have it, too.

ollieparanoid picture ollieparanoid on 15 Jun 2017
👍1

I'm working on it here

https://github.com/PabloCastellano/pmbootstrap/tree/optional_full_disk_encryption

PabloCastellano picture PabloCastellano on 17 Jun 2017
👍1

Short update: the code from your PR made my i9100 go into a boot loop (which has to do with its sdcard, and the way mount_subpartitions() mounts all partitions from the sdcard twice, so the right one needs to be used to mount as real root file system, because the other one will appear as busy).
I'll try to put a better documentation in the source. Also the telnet hook did not work anymore with the unencrypted root file system, because /dev/pts only gets mounted in the usb-unlock hook.

I'm refactoring this, so it works for the i9100 and the telnet hook is also working. And it is understandable, that this broke, because it is really hard to test. I am grateful for your contribution! This is just to let you know why mainlining it will take some more time.

While I'm working on this, I have documented initramfs development (and as an excuse to store my script for testing there). I have also added this ticket to my Milestones list.

ollieparanoid picture ollieparanoid on 25 Jun 2017

Hi. I'm sorry to hear that. Tell me how can I help you.
I don't have any device with sdcard to test it. Can you paste the output of the kpartx -l command? Do you need some testing with something else?

PabloCastellano picture PabloCastellano on 26 Jun 2017

I don't have the output right here, but if you want to help testing, I could tell you when I refactored that sd-card related part, then you could test it. That feedback would be very valuable :)

ollieparanoid picture ollieparanoid on 26 Jun 2017

I have refactored it! But I need to rebase the branch on master, lots of conflicts now. Anyway, if you want to, you can already test it:

https://github.com/postmarketOS/pmbootstrap/tree/optional-full-disk-encryption

(I'd like to have the rebased version tested by 2 or 3 people, before we push it to master.)

ollieparanoid picture ollieparanoid on 27 Jun 2017

I just build and flashed my hammerhead from the optional-fde branch and it seems to work perfectly

MartijnBraam picture MartijnBraam on 28 Jun 2017
🎉1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ata2001 picture ata2001  路  4Comments
Decatf picture Decatf  路  4Comments
montvid picture montvid  路  3Comments
ollieparanoid picture ollieparanoid  路  5Comments
pavelmachek picture pavelmachek  路  7Comments