Acknowledgements
This tutorial is mainly based on the great and exhaustive work of Nicole Reid (http://cooltrainer.org/projects/freebsd-kirkwood/) and on the patch and script for embedding a geli master key directly into the FreeBSD kernel provided by Olivier Houchard <cognet@FreeBSD.org> (cognet@ on IRC). Special thanks also go out to the folks in the #bsdmips chatroom @efnet.xs4all.nl and ##freebsd @freenode.net.
What we will have
A USB stick with two partitions:
- FAT partition with the kernel (and the embedded Master Key); this can be put onto an SD card as well, which can be removed after booting
- Encrypted UFS root partition with FreeBSD 8.2 Stable
Prerequisites
- Marvell Sheevaplug
- 2GB USB Drive
- Working FreeBSD 8.2 (e.g. in a VM) with sources at /usr/src for building
Prepare a Drive
Delete any existing partitions on the USB stick:
# gpart delete -i 1 da0
da0s1 deleted
# gpart destroy da0
da0 destroyed
Then create a 32MiB FAT partition (for booting the kernel) and fill the rest of the drive with a FreeBSD slice (this will be the root partition).
# gpart create -s MBR da0
da0 created
# gpart add -s 32M -t freebsd da0
da0s1 added
# newfs_msdos /dev/da0s1   ### create the FAT filesystem
# gpart add -t freebsd da0
da0s2 added
Init the encrypted root partition
# dd if=/dev/random of=/dev/da0s2 bs=1m   ### write random data over the partition (hides how much encrypted data is present)
# kldload geom_eli   ### load the geli kernel module
# dd if=/dev/random of=/root/da0s2.key bs=256 count=1   ### prepare the Master Key File (bs=256 count=1 gives a 256-byte file; other sizes are possible too)
# geli init -b -s 4096 -K /root/da0s2.key /dev/da0s2   ### init the encrypted partition with the Key File
Enter new passphrase:
Reenter new passphrase:
# geli attach -k /root/da0s2.key /dev/da0s2   ### attach the encrypted partition
Enter passphrase:
# ls /dev/da0s2*
/dev/da0s2 /dev/da0s2.eli   ### the new plaintext device is named /dev/da0s2.eli
# newfs /dev/da0s2.eli   ### create a filesystem inside the encrypted partition
* TODO: use bsdlabel to label the encrypted partition ...
Patching the source
Apply the patches from https://github.com/okeeblow/FreeBSD-kirkwood
Build world
Build it, but don't install anything:
# cd /usr/src
# make -j 8 buildworld TARGET_ARCH=arm
Patching the Kernel
Use this kernel config, SHEEVAPLUG_ELI:
# cp /root/SHEEVAPLUG_ELI /usr/src/sys/arm/conf/
Patch from cognet@ (cognet at #bsdmips / freenode). With it you can define the options GELI_PROVIDER and GELI_KEY_SIZE in the kernel conf. GELI_PROVIDER is the name of the partition we initialised with geli init (da0s2 in this case) and GELI_KEY_SIZE is to be set to the size of the Master Key File you created earlier.
Patch file: MichaelSchöne/hardcode_geli_key.patch (based on http://people.freebsd.org/~cognet/hardcode_geli_key.diff)
Build the Kernel
# cd /usr/src
# make buildkernel TARGET_ARCH=arm KERNCONF=SHEEVAPLUG_ELI
Embed the geli key into the kernel
Get the script from cognet to embed the geli key into the kernel: http://people.freebsd.org/~cognet/embed_gelikey.sh
# cd /root
# cp /usr/obj/arm/usr/src/sys/SHEEVAPLUG_ELI/kernel.bin ./
# sh embed_gelikey.sh kernel.bin /root/da0s2.key
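As an added check (example code, not from the tutorial or from cognet's script), the following confirms that the key file's bytes now sit verbatim inside kernel.bin; it assumes embed_gelikey.sh copies the key bytes into the image unchanged. A hit also shows that the master key file is readable from the unencrypted FAT partition, so the passphrase entered at geli init is what stands between someone holding the stick and the root filesystem.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of cognet's embed_gelikey.sh.
# Checks whether the raw bytes of a geli master key file occur verbatim in a
# kernel image. Assumption: the embed script copies the key bytes unchanged.

# Dump a file as space-separated lowercase hex bytes on one line, with a
# leading and trailing space, so a key can only match on byte boundaries.
to_hex() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' '
}

# Usage: key_in_image kernel.bin keyfile
# Exit status: 0 = key bytes found, 1 = not found, 2 = unreadable/empty input.
key_in_image() {
    image=$1
    key=$2
    [ -r "$image" ] && [ -r "$key" ] || return 2
    key_hex=$(to_hex "$key")
    case "$key_hex" in
        *[0-9a-f]*) ;;
        *) return 2 ;;                       # empty key file
    esac
    image_hex=$(to_hex "$image")
    case "$image_hex" in
        *"$key_hex"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Self-check on constructed data: a random 256-byte key (same size as the
# tutorial's da0s2.key), one image that embeds it and one that does not.
demo() {
    dir=$(mktemp -d) || return 2
    dd if=/dev/urandom of="$dir/key" bs=256 count=1 2>/dev/null
    { dd if=/dev/zero bs=1000 count=1; cat "$dir/key"; dd if=/dev/zero bs=1000 count=1; } \
        > "$dir/with_key.bin" 2>/dev/null
    dd if=/dev/zero of="$dir/without_key.bin" bs=2256 count=1 2>/dev/null
    found=0;   key_in_image "$dir/with_key.bin"    "$dir/key" || found=$?
    missing=0; key_in_image "$dir/without_key.bin" "$dir/key" || missing=$?
    rm -rf "$dir"
    [ "$found" -eq 0 ] && [ "$missing" -eq 1 ]
}
```

Run it against the real image with `key_in_image kernel.bin /root/da0s2.key; echo $?` after the embed step.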
Install the Kernel
# mount -t msdosfs /dev/da0s1 /mnt
# cp kernel.bin /mnt
# umount /mnt
Install World
# mount /dev/da0s2.eli /mnt   ### mount the encrypted partition
# setenv DESTDIR /mnt
# cd /usr/src
# make installworld distrib-dirs distribution TARGET_ARCH=arm
Configure some Niceties
Set the hostname, turn on DHCP, and enable SSHd.
# echo 'hostname="my_preferred_hostname"' >> $DESTDIR/etc/rc.conf
# echo 'ifconfig_mge0="DHCP"' >> $DESTDIR/etc/rc.conf
# echo 'sshd_enable="YES"' >> $DESTDIR/etc/rc.conf
Enable automatic fsck, so we can get back into the OS in the event of power loss or an unclean shutdown.
# echo 'fsck_y_enable="YES"' >> $DESTDIR/etc/rc.conf
# echo 'background_fsck="NO"' >> $DESTDIR/etc/rc.conf
# echo 'force_fsck="YES"' >> $DESTDIR/etc/rc.conf
# echo 'force_fsck_list="/"' >> $DESTDIR/etc/rc.conf
Enable ntpd and have it sync the clock on startup.
# echo 'ntpd_enable="YES"' >> $DESTDIR/etc/rc.conf
# echo 'ntpd_sync_on_start="YES"' >> $DESTDIR/etc/rc.conf
Tell Ports not to build X11.
# echo 'WITHOUT_X11=yes' >> $DESTDIR/etc/make.conf
Set some mount options for our root filesystem. Disabling clustered reads and writes is recommended on ARM.
# echo '# Device Mountpoint FStype Options Dump Pass#' > $DESTDIR/etc/fstab
# echo '/dev/da0s2.eli / ufs rw,noclusterr,noclusterw 1 1' >> $DESTDIR/etc/fstab
# umount /mnt
Setting up U-Boot to boot from the USB stick
Connect your Sheevaplug to your computer via mini-USB and start a console. Update the boot command (as I remember it):
set bootcmd 'usb start; fatload usb 0:1 0x900000 kernel.bin; go 0x900000;'