HOWTO rebuild Puppy with loop-aes and ciphers support
wdef

Joined: 13 Apr 2007
Posts: 91

Posted: Sun 13 May 2007, 12:22    Subject: HOWTO rebuild Puppy with loop-aes and ciphers support
Subtitle: High grade disk and partition encryption
 

HOW TO - REBUILD PUPPY WITH LOOP-AES AND CIPHERS SUPPORT


Most recently updated 28/5/07


Here's approximately how I rebuilt Puppy-214 with loop-aes and cipher support.

NB: It would almost certainly be easier to build the kernel, modules and loop-aes on a hd install, then put these into a livecd. But that's not how I did it for some reason. Apologies if I've left anything out in this account.

Anyway ...

I did a two-phase build using livecds only.

PHASE A.

1. The kernel.

mv /lib/modules /lib/modules.old

Rebuild Puppy kernel and modules with CONFIG_BLK_DEV_LOOP=n using Barry's prepatched sources.

I first made sure these were clean sources (probably overkill):

make clean; make distclean; make clean; make mrproper

Copied the .config file over from /lib/modules/2.6.18.1, manually set CONFIG_BLK_DEV_LOOP=n, and did:

make oldconfig
make bzImage
make modules
make modules_install

2. The utilities.

Backup the mount script:

cp /bin/mount /bin/mount.bak

Download, patch, compile and install util-linux as per the loop-aes readme. http://loop-aes.sourceforge.net
This will install a new mount, losetup, swapon and swapoff. But of course Puppy has this weird thing with both full and Busybox versions of some utilities, so do this:

rm -f /bin/mount-FULL
mv /bin/mount /bin/mount-FULL
mv /bin/mount.bak /bin/mount

and similarly for the new umount:

mv /bin/umount /bin/umount-FULL
ln -s /bin/busybox /bin/umount

mkdir /mnt/sda1/SFS_REMASTER
cd !$
cp -a /mnt/dev_ro2 .

Now copy the new files into this system copy:

cp /bin/mount-FULL bin
cp /sbin/losetup sbin
etc

The new patched losetup has different commandline switches to the standard losetup-FULL; in particular, it lacks the -f (find unused) switch.

So I've just let it overwrite the busybox losetup symlink instead and left losetup-FULL alone, on the assumption that Puppy may use that for e.g. the -f option somewhere.

AFAICT this doesn't seem to have negative consequences.

[ UPDATE: Puppy-216 has now removed the losetup symlink to Busybox - losetup is now a symlink to losetup-FULL. This makes no difference for the above. ]

3. We also need gnupg to make encrypted keys (I actually did this sometime before this stage).

To compile gnupg-2.0.4, first compile and install (in this order):


libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
libgcrypt (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
libksba (ftp://ftp.gnupg.org/gcrypt/libksba/)
libpth (ftp://ftp.gnu.org/somewhere ?)
libpinentry (ftp://ftp.ngupg.org/gcrypt/pinentry/)
libassuan (ftp://ftp.gnupg.org/gcrypt/libassuan/)

Not hard. I did this with --build=i386 but I now recall Puppy is built for i486.

Then gnupg-2.0.4 builds ok.

The binary for gnupg-2 is no longer called 'gpg' (how silly is that?) - it's now called gpg2.

So do ln -s /usr/local/bin/gpg2 /usr/local/bin/gpg in the new system to avoid breaking anything that looks for gpg, like loop-aes.

You need to get gpg into the new cd - my process was a bit messier than as set out here, I think I did a remaster at some stage after building gpg to put it in the iso.

4. An interim loop driver.

Now, there is no loop support in this kernel, so we need a loop driver to use in Puppy. Unpack and compile the current loop-aes sources against this kernel to make an interim loop.ko driver:

make clean
make LINUX_SOURCE=/path/to/your/kernel/source

This will put the driver in /lib/modules/2.6.18.1/block

At this stage we're not interested in the encryption capabilities of this driver, we just need a loop driver that works so Puppy can boot.


5. Rebuild the livecd.

rm -rf lib/modules
and copy all of /lib/modules over to /mnt/sda1/SFS_REMASTER as well

cd ..
mksquashfs SFS_REMASTER puppy_214.sfs.aes.new

This kernel doesn't have loop compiled in, so we need to load loop.ko at the beginning of boot or Puppy won't work.

I made a directory called LOOPAES_CD somewhere, and copied all the files off the mounted livecd there. Now we will replace the old puppy_214.sfs with our new .sfs, replace the kernel vmlinuz, and edit initrd.gz so it contains our new loop driver, new modules compiled with our kernel, and edited init script.

Put a loop driver in initrd.gz using Edit-initrd, and to be on the safe side, replace all the modules here with the new ones from your /lib/modules dir.

run Edit-Initrd on the initrd.gz in LOOPAES_CD:
copy loop.ko from /lib/modules/2.6.18.1/block to lib/modules/2.6.18.1 in initrd, then
compress with gzip -9 loop.ko

etc

The only one I didn't replace was unionfs and it seems to be working ok.

Don't forget to compress all these initrd modules with gzip -9 somemodule.ko, except for usb-storage.ko.
You also need to edit sbin/init in initrd so the loop driver gets loaded early in the boot, as follows:

<snip>

####LOAD MODULES###########################################
# Load kernel modules:
echo -n "Loading kernel modules..." >/dev/console #AAA


# *****ADDED FOR LOOP-AES ****************
# Load loop driver - no loop support compiled into kernel
[ -f /lib/modules/${KERNVER}/loop.ko.gz ] && zcat /lib/modules/${KERNVER}/loop.ko.gz | insmod -

</snip>

Now build a new iso as usual containing the files in LOOPAES_CD.

Burn this interim cd and reboot using our new kernel and modules.

PHASE B.

We're not finished.

Our loop driver works as far as Puppy goes, but it wasn't actually compiled against sources that EXACTLY matched the running kernel. Whether this matters or not, the loop-aes developer is very adamant that it's *bad*.

SO: we need to recompile the loop driver again. But this time we'll enable building the extra ciphers as well, and enable keyscrubbing.

NB: keyscrubbing, which makes a point of erasing keys from ram, only currently works with the aes cipher.


The shenanigans concerning combining the sources (EDITED 28/5/07) in the former version of this howto are NO LONGER NEEDED as of the new loop-aes release, which combines loopaes and the ciphers sources into one package.

After unpacking the current loop-aes tarball from http://loop-aes.sourceforge.net

At the time of writing, you needed to replace the three instances of tr -d -c '0-9' in this new Makefile with:

sed -e 's/[^0-9]//g'

because Puppy's Busybox 'tr' mucks everything up. (This may no longer be needed).

Now compile the modules:

make EXTRA_CIPHERS=y LINUX_SOURCE=/path/to/kernelsources KEYSCRUB=y

This should install 4 new modules into /lib/modules/2.6.18.1/extra:

loop.ko
loop_serpent.ko
loop_blowfish.ko
loop_twofish.ko

Move these to /lib/modules/2.6.18.1/block, overwriting the old loop.ko, and run depmod -a

Repeat the steps in the previous section to place the new loop.ko in initrd.gz and the 3 other ciphers modules and modules.dep in pup_214.sfs in the right locations, and build a new iso. You don't have to replace any other modules this time.

Also, put the following in ~/.gnupg/gpg.conf:

s2k-count 8388608

This will harden gpg-encrypted keys by increasing the number of hash iterations.

Now we're finished.

TESTING

I'm not sure 'make tests' works on the combined sources above. Presumably it will in the next release of loop-aes, which will combine these.

All these do anyway is check that it's actually doing its stuff, which you can do by trying to use it anyway.


USING

You might like to try my script "tripl" http://www.murga-linux.com/puppy/viewtopic.php?t=18104 for an easy-to-use, commandline front-end for loop-aes and ciphers.

It makes multiple encryption (optional) as easy as single encryption, and by default embeds separate encrypted keys so you only need one external key.

Once ~/.triplrc is configured for your set up, all you do is:

tripl -mkkey # make a key
tripl -new # prepare a new encrypted partition
tripl -m # mount the encrypted partition

And, when you're finished:

tripl -u # unmount the partition.

(While testing for the first time, be sure to check dmesg for any ugly messages).

Try it out on a floppy or small unused partition first to get the hang of it.


MISC


Puppy has 7 loop devices instead of 8 (WHY?). If you are running out of loop devices do:

# mknod /dev/loop7 b 7 7

to make the 8th and last device /dev/loop7

If there's sufficient interest in this post, I can provide all the key binaries somewhere, or perhaps my iso itself.

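The initrd module staging from step 5 and Phase B, as an added example that is not code from wdef's post: a POSIX shell script that copies loop.ko and the loop_*.ko cipher modules into an unpacked initrd, gzip -9 compresses every module there except usb-storage.ko, and checks that sbin/init carries the zcat|insmod line the HOWTO adds. The $work tree, the fake module contents and the paths are constructed stand-ins for the real /lib/modules/2.6.18.1 and initrd.

```shell
#!/bin/sh
# Added example, not from the original post. Stages loop-aes modules into an
# unpacked Puppy initrd following the HOWTO's rules: loop.ko and the
# loop_*.ko ciphers go under lib/modules/$KERNVER, and every module there is
# gzip -9 compressed except usb-storage.ko. All paths below are constructed.
set -e

stage_initrd_modules() {
    modsrc=$1; initrd=$2; kernver=$3
    dest="$initrd/lib/modules/$kernver"
    mkdir -p "$dest"
    for f in "$modsrc"/block/loop.ko "$modsrc"/block/loop_*.ko; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/"
    done
    for m in "$dest"/*.ko; do
        [ -f "$m" ] || continue
        case "$(basename "$m")" in
            usb-storage.ko) ;;          # the one module left uncompressed
            *) gzip -9 -f "$m" ;;
        esac
    done
    return 0
}

# Returns 0 if sbin/init in the initrd has the early loop-driver load line
# from the HOWTO (zcat of loop.ko.gz piped into insmod).
init_loads_loop() {
    grep -q 'loop\.ko\.gz.*insmod' "$1/sbin/init"
}

# Constructed demo tree standing in for /lib/modules/2.6.18.1 and the initrd.
KERNVER=2.6.18.1
work=$(mktemp -d)
mkdir -p "$work/modules/block" "$work/initrd/sbin" "$work/initrd/lib/modules/$KERNVER"
for n in loop loop_serpent loop_blowfish loop_twofish; do
    printf 'fake %s module\n' "$n" > "$work/modules/block/$n.ko"
done
printf 'fake usb-storage module\n' > "$work/initrd/lib/modules/$KERNVER/usb-storage.ko"
printf '%s\n' '#!/bin/sh' \
    '[ -f /lib/modules/${KERNVER}/loop.ko.gz ] && zcat /lib/modules/${KERNVER}/loop.ko.gz | insmod -' \
    > "$work/initrd/sbin/init"

stage_initrd_modules "$work/modules" "$work/initrd" "$KERNVER"
init_loads_loop "$work/initrd" && echo "init loads loop.ko.gz early"
ls "$work/initrd/lib/modules/$KERNVER"
```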
wdef

Joined: 13 Apr 2007
Posts: 91

Posted: Sun 20 May 2007, 09:27

Just a note re gpg2 while I think of it:

Not all apps using gpg apparently have support for gpg2 yet.

I came across this post re Seahorse - it contains a link to a wrapper to emulate gpg v1xx behavior so that Seahorse works with gpg2:

http://article.gmane.org/gmane.comp.gnome.apps.seahorse.devel/10
PaulBx1

Joined: 16 Jun 2006
Posts: 1604
Location: Wyoming, USA

Posted: Fri 29 Jun 2007, 19:03

I'd love to see Puppy with even stronger encryption. Looks like loop-aes is one of the two candidates for this, the other being dmcrypt. John Doe played with the latter for a while until he ran into a snag; you may have seen the threads in the "cutting edge" board.

wdef, did you happen to figure out how much larger this made your iso?

Your recipe is a bit too much for me to follow. I will have to stick with the standard Puppy encryption for now. It's good to see you got this running though. I'm guessing it won't get into standard Puppy because cryptoloop has taken much of the pressure for encryption off, even if it is lacking in some respects. Is that why you bothered getting this going - because of the issues with cryptoloop?
John Doe

Joined: 01 Aug 2005
Posts: 1665
Location: Michigan, US

Posted: Fri 29 Jun 2007, 20:26

PaulBx1 wrote:
John Doe played with the latter [dmcrypt] for a while until he ran into a snag


I'll probably get back into that heavily when the snow falls up here. Too much fun on my bike right now to go that crazy again.

The busybox upgrade should make it possible now. Also to get that swap in there. Megabytes are going to be the main problem, probably. I don't think you'll see dmcrypt/luks in the main puppy. Perhaps someone will make an alternative package though.
PaulBx1

Joined: 16 Jun 2006
Posts: 1604
Location: Wyoming, USA

Posted: Mon 02 Jul 2007, 16:49

All we need is a pet package, for either of these upgraded encryption methods. That's assuming standard Puppy has all the hooks in place to make them work. Might take a little lobbying to make that happen, and we still need to worry how much the hooks add to the size of Puppy.

I hope we don't need to have yet another alternative Puppy to get these working. That makes it much less useful to people - for one thing the upgrades get behind the standard Puppy, sometimes way behind.

I know what you mean about waiting for winter. I ought to be out repairing fences right now...