building an embedded Linux distro into a RPM package
cra at WPI.EDU
Sun Jul 26 17:26:36 UTC 2015
Using the Opal SED built-in encryption is really orthogonal to
dm-crypt. You could use both at the same time if you were really
You need a partitioned bootable disk image with MBR bootcode and a
bootloader to load into the SED with "msed --loadPBAimage". That
image must be smaller than about 7MB, or certain SED's (mainly
Crucial) won't load the image successfully. If dracut can make such
an image, I supposed it could be used. However, I think the default
Fedora kernel image alone (not including kernel modules) is already
too big by itself for this to be possible.
On Sun, Jul 26, 2015 at 11:20:04AM -0400, Subhendu Ghosh wrote:
> Adding Harald to thread.
> Seems to be nominally related boot path with deo and dm-crypt.
> Adding to Dracut might be preferable to creating a separate PBA
> On Jul 23, 2015 10:20 AM, "Chuck Anderson" <cra at wpi.edu> wrote:
> > I originally sent this to the packaging list, but there was no
> > response there so I'm posting to devel now.
> > I've also opened a review request for the non-controversial packaging
> > of the "msed" utilities. Would anyone care to do a review swap?
> > Review Request: msed - Tools to manage the activation and use of self
> encrypting drives
> > https://bugzilla.redhat.com/show_bug.cgi?id=1245640
> > Thanks.
> > Date: Tue, 21 Jul 2015 18:48:27 -0400
> > From: Chuck Anderson <cra at WPI.EDU>
> > To: packaging at lists.fedoraproject.org
> > Subject: [Fedora-packaging] building an embedded Linux distro into a RPM
> > Precedence: list
> > Reply-To: Discussion of RPM packaging standards and practices for Fedora <
> packaging at lists.fedoraproject.org>
> > I would like to submit a new package that provides a Pre-Boot
> > Authorization (PBA) image. The PBA is a "bootloader" of sorts that
> > prompts the user for the passphrase to unlock a Self-Encrypting Drive
> > (SED) using the TCG OPAL command set, and then either chainloads to
> > the real OS or reboots to allow the BIOS to boot the real OS. The
> > image gets installed to the OPAL SED as a sort of "shadow MBR/shadow
> > disk image" using a special command "msed" (Manage Self-Encrypting
> > Drive) that I also plan to submit a package for.
> > In my case, I've developed a tiny embedded Linux-based PBA image 
> > using Buildroot  and the MSED software . The final image is a
> > MBR-partitioned disk image with VFAT filesystem containing the
> > specially built Linux kernel (vmlinuz), initramfs (rootfs.gz), and the
> > installed syslinux bootloader.
> > Before you ask, I can't use even a stripped-down Fedora image for this
> > purpose, because it must be TINY and it only exists to run a single
> > command (linuxpba), then reboot. My image is 4MB and could be made
> > even smaller. See the reasoning in  for why it must be so small.
> >  https://github.com/cranderson/buildroot-linuxpba
> >  http://buildroot.uclibc.org/
> >  http://www.r0m30.com/msed
> > Now I know there are several challenges to using the Buildroot
> > approach to building software for Fedora. Buildroot downloads
> > software from the Internet, unpacks, patches, configures, and builds
> > it. The build environment is built first, so gcc, uClibc, busybox,
> > etc. and then the packages you want to include are built in that
> > environment.
> > What is the best approach I should use that is acceptable to Fedora?
> > Would it be acceptable to bundle source packages, Buildroot itself,
> > and my Buildroot configuration into one SRPM so everything is
> > self-contained and can be built without requiring network
> > connectivity? This means I would have to bundle the source code for
> > gcc, the linux kernel, uClibc, busybox, etc.
> > Or is there some way to pull in SRPM packages that already exist in
> > Fedora, and use those as part of my build process so that I don't have
> > to bundle all the source code? Additionally, I could made separate
> > SRPM packages for Buildroot itself, any components needed (uClibc is
> > already in the distro), the Buildroot build scripts for
> > buildroot-linuxpba, and the actual package I need (msed).
More information about the devel