Encrypted (LUKS) and ramdisk overlay for Asus EeePC

news

update 2008-07-10: I believe the corruption I was seeing was due to pulling the card too early - according to the Debian wiki,

Do not ask for a reboot (instead of shutdown) and remove the media between shutdown and automatic reboot.

update 2008-01-21: when using an encrypted overlay, the EeePC's non-Sys-V "fastinit" doesn't sem to be flushing the LUKS device correctly before powering off - as a result filesystem corruption occurs that's beyond the power of ext3's journal to repair. until this is corrected, DO NOT USE ENCRYPTED OVERLAY.

update 2008-01-11: when booting with a ramdisk overlay ("eee_user=ram") we create the user's home directory with an empty ".firstrundone" file to suppress the configuration wizard.

downloads

• walkthrough of setting up an SD card for use as encrypted overlay (on a Ubuntu box)
• just the EeePC initramfs
• my syslinux.cfg
• my modified /init, if you want to see what I've done
• a tarfile of my boot device, including stock kernel, this initramfs, my syslinux.cfg and other supporting junk

instructions

boot the Asus kernel with this initramfs. It expects an additional entry on the kernel command line - "eee_user=foo" where foo is either "sdb2" for overlay on SD, "sdc2" for overlay on USB, or "ram" for overlay in a ramdisk. I have a 2MB boot filesystem as the first thing on my SD card with syslinux as the loader, and the rest is a single ext3 filesystem in a LUKS container.

I am assuming you know how to create a bootable device and install/configure your bootloader of choice, as well as setting up your chosen overlay filesystem. You will also need to be able to restore/repair/recover the overlay on your own - I have removed these features from the initramfs since they were called from the base OS image (so I can't change them) and they're hardwired to use sda2 (the internal SSD overlay).

overview

Here's an afternoon's worth of hack - an initramfs for the Asus EeePC that allows the user overlay filesystem (where all your personal data goes) to be on either the internal SSD as usual, on an SD or USB card, or in a ramdisk. If the specified overlay partition is formatted as an encrypted container with LUKS the user is prompted for their passphrase during boot and the encrypted partition used.

This is *NOT* an alternate linux distribution. It uses the factory-supplied OS as it's base, exactly as the stock firmware does. The only difference is that your data is written to some other device, possibly encrypted or possibly in RAM.

Design criteria were:

• be completely non-destructive to the supplied OS image
• work just like the supplied OS image (as far as possible)
• change as little as possible
• build as little as possible

Changes from the stock initramfs are:

• added busybox symlinks for several modules compiled in but not exposed via /bin ([[, ash, hexdump, more, rmdir)
• added symlink from /bin/cryptsetup to /mnt-system/sbin/cryptsetup so it works without specifying the full path (because I'm lazy)
• added device nodes to support SD/USB/crypted overlay device (sdb2, sdc2, dm-0, urandom)
• symlinked the dynamic loader and a bunch of libraries into /lib from /mnt-system/lib in order to make libc binaries work (cryptsetup in particular)
• included home-built modules for device mapper support to /modules (dm-mod.ko, dm-crypt.ko)
• updated /init to understand and use these things

• remove splash (interferes with LUKS password prompt)
• remove overlay scan/restore (these are in the base OS image, and are hardwired to sda2)
• load a bunch of modules for SD/USB/LUKS support
• allow overlay on ramdisk
• deal with slow probing for SD/USB overlay
• detect and handle encrypted overlay partition

contact

feedback? questions? russm at this domain is the easiest way to reach me.