Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Setting up the boot device

3. Setting up the boot device

3.1. Creating the ramdisk

To begin with, chroot inside the encrypted partition and create the boot device mount point:

chroot /mnt/efs
mkdir /loader

Then, create the initial ramdisk (initrd), which will be needed afterwards:

dd if=/dev/zero of=initrd bs=1k count=4096
mke2fs -F initrd
mkdir ramdisk
mount -o loop initrd ramdisk

If you're using grsecurity, you may get a "Permission denied" error message; in this case you'll have to run the mount command outside chroot.

Create the filesystem hierarchy and copy the required files in it:

mkdir ramdisk/{bin,dev,lib,mnt,sbin}
cp /bin/{bash,mount} ramdisk/bin/
ln -s bash ramdisk/bin/sh
mknod -m 600 ramdisk/dev/console c 5 1
mknod -m 600 ramdisk/dev/hda2    b 3 2
mknod -m 600 ramdisk/dev/loop0   b 7 0
cp /lib/{,,} ramdisk/lib/
cp /lib/{,}    ramdisk/lib/
cp /sbin/{losetup,pivot_root} ramdisk/sbin/

It's ok if you see a message like "/lib/ No such file or directory", or "/lib/ No such file or directory"; bash only requires one of these two libraries. You can check which one is actually required with:

ldd /bin/bash

Compile the sleep program, which will prevent the password prompt being flooded by kernel messages (such as usb devices being registered).

cat > sleep.c << "EOF"
#include <unistd.h>
#include <stdlib.h>

int main( int argc, char *argv[] )
    if( argc == 2 )
        sleep( atoi( argv[1] ) );

    return( 0 );

gcc -s sleep.c -o ramdisk/bin/sleep
rm sleep.c

Create the init script:

cat > ramdisk/sbin/init << "EOF"

/bin/sleep 3

echo -n "Enter seed value: "
read SEED

/sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext3 /dev/loop0 /mnt

while [ $? -ne 0 ]
    /sbin/losetup -d /dev/loop0
    /sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
    /bin/mount -r -n -t ext3 /dev/loop0 /mnt

cd /mnt
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init

chmod 755 ramdisk/sbin/init

Umount the loopback device and compress the initrd:

umount -d ramdisk
rmdir ramdisk
gzip initrd
mv initrd.gz /boot/

3.2. Booting from a CD-ROM

I strongly advise you to start your system with a read-only media, such as a bootable CD-ROM.

Download and unpack syslinux:

tar -xvjf syslinux-3.07.tar.bz2

Configure isolinux:

mkdir bootcd
cp /boot/{vmlinuz,initrd.gz} syslinux-3.07/isolinux.bin bootcd
echo "DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0" \
    > bootcd/isolinux.cfg

Create and burn the bootable cd-rom iso image:

mkisofs -o bootcd.iso -b isolinux.bin -c \
        -no-emul-boot -boot-load-size 4 -boot-info-table \
        -J -hide-rr-moved -R bootcd/

cdrecord -dev 0,0,0 -speed 4 -v bootcd.iso

rm -rf bootcd{,.iso}

3.3. Booting from a HD partition

The boot partition can come in handy if you happen to lose your bootable CD. Remember that hda1 is a writable media and is thus insecure; use it only in case of emergency!

Create and mount the ext2 filesystem:

dd if=/dev/zero of=/dev/hda1 bs=8192
mke2fs /dev/hda1
mount /dev/hda1 /loader

Copy the kernel and the initial ramdisk:

cp /boot/{vmlinuz,initrd.gz} /loader

If you use grub:

mkdir /loader/boot
cp -av /boot/grub /loader/boot/
cat > /loader/boot/grub/menu.lst << EOF
default 0
timeout 10
color green/black light-green/black
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/ram0
    initrd /initrd.gz
grub-install --root-directory=/loader /dev/hda
umount /loader

If you use lilo:

mkdir /loader/{boot,dev,etc}
cp /boot/boot.b /loader/boot/
mknod -m 600 /loader/dev/hda  b 3 0
mknod -m 600 /loader/dev/hda1 b 3 1
mknod -m 600 /loader/dev/hda2 b 3 2
mknod -m 600 /loader/dev/hda3 b 3 3
mknod -m 600 /loader/dev/hda4 b 3 4
mknod -m 600 /loader/dev/ram0 b 1 0
cat > /loader/etc/lilo.conf << EOF
lilo -r /loader
umount /loader



Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.