[SOLVED] Full Disk Encryption Chromebook

This forum is for supported devices using an ARMv7 Samsung SoC.

Postby Polichronucci » Sat Apr 05, 2014 4:11 pm

Hello everyone,
I want to encrypt my system but there is no initramfs to handle the hooks... I found I need to modify the /boot/boot.scr.uimg file so U-Boot sees my initramfs file, but I have no idea what to change in the file. Do I have to compile a custom kernel as well? Sorry if I haven't provided enough info, and please tell me what info I need to specify.

Thanks in advance.
Last edited by Polichronucci on Sun May 25, 2014 10:38 am, edited 2 times in total.
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby WarheadsSE » Sat Apr 05, 2014 8:23 pm

Custom boot.scr is necessary. Simply look into "add initrd to uboot"
No, you don't need your own kernel, you just need to activate initrd creation, and when it does that, wrap up the new initrd for uboot.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Sat Apr 05, 2014 11:45 pm

Thank you for your reply,
but I can't seem to find any info on how to modify boot.scr.uimg. The only thing I found is to add the "initrd=0xc1180000,4M" option, but what address do I add? Could someone explain how to set the options in boot.scr.uimg or post a link where I could find info?
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Sun Apr 06, 2014 12:41 am

Ok so I got a bit further. I made an image with mkinitcpio and then wrapped it as a U-Boot image. I added to the boot.scr.uimg in the bootargs section the option initrd=0xc1180000,2M as 0xc1180000 is the load address and entry point and the file is 2MB. I also found out I can specify the file itself in the initrd option (initrd=/uImage). But in the boot process I get a kernel panic and it suggests setting the option init= in the kernel.
Any ideas...
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Mon Apr 07, 2014 12:54 pm

I got a bit further today and got my Chromebook to boot. The problem had nothing to do with initrd but with the definition of the root partition, which was wrong :-/ . I'll update once I get to the encryption part, and hopefully at the end I will write how I managed all this to hopefully help others.

Thanks...
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Mon Apr 07, 2014 1:44 pm

Is there a way to know for sure if initrd is actually loaded? I ran dmesg -HL and searched for RAMDISK but with no luck. My /proc/cmdline: root=/dev/mmcblk0p2 rootfstype=ext4 rootwait ro initrd=/uInitrd.
IMHO initrd isn't loaded on boot. If I'm correct, does anyone have an idea why?
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Mon Apr 07, 2014 2:24 pm

I tried booting with initrd=0x0,4M and I get an error in dmesg:
0x00000000+0x00400000 is not a memory region - disabling initrd
I don't get an error even if I point to a nonexistent file. So I suppose my scr.uimg is wrong. How do I specify the initrd option?
Last edited by Polichronucci on Mon Apr 07, 2014 4:34 pm, edited 1 time in total.
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Mon Apr 07, 2014 4:34 pm

Has anyone done this before? Is it doable?
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Sun Apr 13, 2014 7:15 pm

Ok so I successfully booted with an initramfs image. I did it by manually entering the following in the U-Boot cmdline:

setenv bootargs root=/dev/mmcblk0p2 rootfstype=ext4 rootwait ro
mmc dev 0
ext2load mmc 0:1 42000000 vmlinux.uimg
(here's the change I had to make)
ext2load mmc 0:1 44000000 uInitrd.uimg
bootm 42000000 44000000

Now in dmesg I have:

Unpacking initramfs...
Freeing initrd memory: 3624K
...
Running in initial RAM disk.

So I think everything works as it should. I found the details here:
http://git.denx.de/?p=u-boot.git;a=blob ... ME;hb=HEAD

Now I have to create an ArchLinux USB stick so that I can format the SSD drive to use encryption.
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am
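
The wrapped ramdisk that bootm is handed in the post above can be checked offline before rebooting. This is an added example, not code from the thread: it parses the 64-byte legacy U-Boot image header that mkimage writes and verifies the magic, both CRC32 values, the architecture and the image type. The function names and the sample payload are constructed for illustration.

```python
import struct
import zlib

# Legacy U-Boot image header: 64 bytes, big-endian (struct image_header).
HDR = struct.Struct(">7I4B32s")
MAGIC = 0x27051956
ARCH_ARM, TYPE_RAMDISK = 2, 3   # IH_ARCH_ARM, IH_TYPE_RAMDISK


def check_uimage(blob, want_arch=ARCH_ARM, want_type=TYPE_RAMDISK):
    """Return a list of problems found in a legacy uImage; empty means OK."""
    if len(blob) < HDR.size:
        return ["file shorter than the 64-byte header"]
    (magic, hcrc, _time, size, _load, _ep, dcrc,
     _os, arch, itype, _comp, _name) = HDR.unpack_from(blob)
    if magic != MAGIC:
        return ["bad magic 0x%08x (not wrapped with mkimage?)" % magic]
    problems = []
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HDR.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        problems.append("header CRC mismatch")
    payload = blob[HDR.size:HDR.size + size]
    if len(payload) != size:
        problems.append("payload truncated: header says %d bytes" % size)
    elif zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        problems.append("data CRC mismatch")
    if arch != want_arch:
        problems.append("architecture %d, expected %d" % (arch, want_arch))
    if itype != want_type:
        problems.append("image type %d, expected %d" % (itype, want_type))
    return problems


def make_uimage(payload, arch=ARCH_ARM, itype=TYPE_RAMDISK, name=b"initramfs"):
    """Build a constructed sample image using the layout mkimage writes."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [MAGIC, 0, 0, len(payload), 0, 0, dcrc, 5, arch, itype, 0, name]
    fields[1] = zlib.crc32(HDR.pack(*fields)) & 0xFFFFFFFF
    return HDR.pack(*fields) + payload


if __name__ == "__main__":
    sample = make_uimage(b"constructed cpio payload, not a real initramfs")
    print(check_uimage(sample) or "header and payload check out")
```

On a real system, read the file in binary mode and pass its bytes to check_uimage; an image wrapped with -T kernel instead of -T ramdisk is reported as a type mismatch.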

Re: Full Disk Encryption Chromebook

Postby Polichronucci » Sat May 17, 2014 11:23 pm

Ok so I successfully encrypted my eMMC, where my root sits. This will be a journal of my experience. (flashed nv-uboot REQUIRED)

Warning: This process is very dangerous and could lead to an unbootable device if you're not sure what you're doing. You are the only one responsible for any damage which may occur.

First I had to create an initrd.
To do this I had to install mkinitcpio and uboot-mkimage, and edit the /etc/mkinitcpio.conf line HOOKS:

HOOKS="base udev autodetect modconf block encrypt filesystems keyboard keymap consolefont shutdown fsck"

Then you have to make the initrd image and wrap it up as a U-Boot image:

# mkinitcpio -g ~/uInitrd.img
# mkimage -A arm -T ramdisk -C none -n initramfs -d ~/uInitrd.img /boot/uInitrd.uimg

Now is a tricky part which depends on your configuration. I used the Arch-wiki guide https://wiki.archlinux.org/index.php/Samsung_Chromebook_(ARM) and have ALARM on my eMMC and have flashed nv-uboot, so to boot with initrd I followed the steps I posted on the PREVIOUS POST. If you followed the ALARM guide http://archlinuxarm.org/platforms/armv7/samsung/samsung-chromebook I have no idea how you can continue with this step :/

You should now have a working initramfs with an encrypt hook.

The linux-chromebook kernel does not support all the available ciphers so you'll have to compile your own kernel with cipher support.
It's a fairly easy task to accomplish.
First configure makepkg to compile packages on your eMMC, SD card or USB stick because compilation of the kernel package won't fit in RAM.
Edit the /etc/makepkg.conf line BUILDDIR:

BUILDDIR=~/makepkg

Then download the PKGBUILDs of ALARM:

$ cd /tmp
$ git clone git://github.com/archlinuxarm/PKGBUILDs.git
$ cd PKGBUILDs/core/linux-chromebook/

Download and extract the source of the package:

$ makepkg --nobuild
$ cd ~/makepkg/linux-chromebook/src/chromeos-3.4/

Configure the new kernel to support all available ciphers:

$ make menuconfig

Now an ncurses window appears. Go down to the 'Cryptographic API' tab and hit Enter. Now include all options in the new kernel (press 'y' for each option), besides one that autoconfigures itself as a module (Testing module).
Press right arrow and select 'Exit'. Now go down and save the configuration with the default name provided, and exit.
Go back to the PKGBUILD directory and compile the kernel. (If you have another computer I would strongly recommend setting up distributed cross compiling, as the time to compile the kernel only on the Chromebook is about 45 mins, and the device will get HOT.)

$ cd /tmp/PKGBUILDs/core/linux-chromebook/
$ makepkg --skipchecksums --noextract

I would recommend making a backup of your current kernel image:

$ cd /boot
# cp vmlinux.uimg vmlinuxORIGINAL.uimg

Install the kernel and header packages:

# pacman -U linux-chromebook-[version]-armv7h.pkg.tar.xz linux-headers-chromebook-[version]-armv7h.pkg.tar.xz

Now reboot your system and test if everything went fine:

# cryptsetup benchmark

If all is ok you should see something like this:

PBKDF2-sha1        209715 iterations per second
PBKDF2-sha256      154202 iterations per second
PBKDF2-sha512       37236 iterations per second
PBKDF2-ripemd160   184608 iterations per second
PBKDF2-whirlpool    26319 iterations per second
# Algorithm | Key  | Encryption | Decryption
aes-cbc       128b   57.1 MiB/s   59.7 MiB/s
serpent-cbc   128b   35.2 MiB/s   34.6 MiB/s
twofish-cbc   128b   47.9 MiB/s   50.7 MiB/s
aes-cbc       256b   44.5 MiB/s   45.7 MiB/s
serpent-cbc   256b   35.4 MiB/s   34.6 MiB/s
twofish-cbc   256b   48.1 MiB/s   50.5 MiB/s
aes-xts       256b   60.6 MiB/s   60.2 MiB/s
serpent-xts   256b   35.9 MiB/s   34.5 MiB/s
twofish-xts   256b   50.1 MiB/s   46.3 MiB/s
aes-xts       512b   46.3 MiB/s   45.9 MiB/s
serpent-xts   512b   36.4 MiB/s   34.7 MiB/s
twofish-xts   512b   50.5 MiB/s   50.6 MiB/s

Now follow the ArchWiki guides on how to encrypt your drive.
https://wiki.archlinux.org/index.php/Encryption

I also have pacman ignore the chromebook-kernel package so I won't override my kernel with an official ALARM kernel but still get notified by pacman if a newer version is available so I can update.
Edit the /etc/pacman.conf line IgnorePkg:

IgnorePkg = linux-chromebook linux-headers-chromebook

For me all works fine so far with no problems but one. If I try to close a LUKS device I get an error message 'Device busy' even if it's unmounted and completely idle; the only way to come around this is a reboot. This has no side effects on something crucial but it's the only problem I came across.

I hope this has been a helpful guide. Don't hesitate to ask any question I might be able to help you with.
Polichronucci
 
Posts: 31
Joined: Wed Oct 09, 2013 10:47 am
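
The kernel rebuild in the post above can be checked from the saved kernel configuration before compiling or rebooting. This is an added example, not code from the thread: it parses .config text and reports which options needed for an encrypted root are switched off and which are built as modules. The REQUIRED list is an assumed minimal set for an aes-xts LUKS root with a sha256 hash, and SAMPLE is constructed input, not the real linux-chromebook configuration.

```python
import re

# Assumed minimal set for an aes-xts LUKS root unlocked from an initramfs;
# adjust it to the cipher and hash actually passed to cryptsetup.
REQUIRED = [
    "CONFIG_BLK_DEV_INITRD",   # kernel can unpack the initramfs
    "CONFIG_BLK_DEV_DM",       # device-mapper core
    "CONFIG_DM_CRYPT",         # dm-crypt target used by LUKS
    "CONFIG_CRYPTO_AES",
    "CONFIG_CRYPTO_XTS",
    "CONFIG_CRYPTO_SHA256",
]
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map each option in a kernel .config to 'y', 'm', 'n' or its value."""
    opts = {}
    for line in text.splitlines():
        m = _SET.match(line.strip())
        u = _UNSET.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
        elif u:
            opts[u.group(1)] = "n"
    return opts


def audit(text, required=REQUIRED):
    """Return (missing, modular) lists of required option names."""
    opts = parse_config(text)
    # Absent options count as off; "m" options must ship in the initramfs.
    missing = [o for o in required if opts.get(o, "n") not in ("y", "m")]
    modular = [o for o in required if opts.get(o) == "m"]
    return missing, modular


# Constructed sample, not the real linux-chromebook configuration.
SAMPLE = """\
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_SHA1=y
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Options reported as modular still work for an encrypted root only if the initramfs contains those modules, since they are needed before the root filesystem can be opened.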
