building an embedded Linux distro into a RPM package

Sun Jul 26 17:26:36 UTC 2015

Using the Opal SED built-in encryption is really orthogonal to
dm-crypt.  You could use both at the same time if you were really
paranoid though.

You need a partitioned bootable disk image with MBR bootcode and a
bootloader to load into the SED with "msed --loadPBAimage".  That
image must be smaller than about 7MB, or certain SED's (mainly
Crucial) won't load the image successfully.  If dracut can make such
an image, I supposed it could be used.  However, I think the default
Fedora kernel image alone (not including kernel modules) is already
too big by itself for this to be possible.

On Sun, Jul 26, 2015 at 11:20:04AM -0400, Subhendu Ghosh wrote:
> Adding Harald to thread.
> 
> Seems to be nominally related boot path with deo and dm-crypt.
> 
> Adding to Dracut might be preferable to creating a separate PBA
> 
> Subhendu
> 
> On Jul 23, 2015 10:20 AM, "Chuck Anderson" <cra at wpi.edu> wrote:
> >
> > I originally sent this to the packaging list, but there was no
> > response there so I'm posting to devel now.
> >
> > I've also opened a review request for the non-controversial packaging
> > of the "msed" utilities.  Would anyone care to do a review swap?
> >
> > Review Request: msed - Tools to manage the activation and use of self
> encrypting drives
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1245640
> >
> > Thanks.
> >
> > Date: Tue, 21 Jul 2015 18:48:27 -0400
> > From: Chuck Anderson <cra at WPI.EDU>
> > To: packaging at lists.fedoraproject.org
> > Subject: [Fedora-packaging] building an embedded Linux distro into a RPM
> package
> > Precedence: list
> > Reply-To: Discussion of RPM packaging standards and practices for Fedora <
> packaging at lists.fedoraproject.org>
> >
> > I would like to submit a new package that provides a Pre-Boot
> > Authorization (PBA) image.  The PBA is a "bootloader" of sorts that
> > prompts the user for the passphrase to unlock a Self-Encrypting Drive
> > (SED) using the TCG OPAL command set, and then either chainloads to
> > the real OS or reboots to allow the BIOS to boot the real OS.  The
> > image gets installed to the OPAL SED as a sort of "shadow MBR/shadow
> > disk image" using a special command "msed" (Manage Self-Encrypting
> > Drive) that I also plan to submit a package for.
> >
> > In my case, I've developed a tiny embedded Linux-based PBA image [1]
> > using Buildroot [2] and the MSED software [3].  The final image is a
> > MBR-partitioned disk image with VFAT filesystem containing the
> > specially built Linux kernel (vmlinuz), initramfs (rootfs.gz), and the
> > installed syslinux bootloader.
> >
> > Before you ask, I can't use even a stripped-down Fedora image for this
> > purpose, because it must be TINY and it only exists to run a single
> > command (linuxpba), then reboot.  My image is 4MB and could be made
> > even smaller.  See the reasoning in [1] for why it must be so small.
> >
> > [1] https://github.com/cranderson/buildroot-linuxpba
> > [2] http://buildroot.uclibc.org/
> > [3] http://www.r0m30.com/msed
> >
> > Now I know there are several challenges to using the Buildroot
> > approach to building software for Fedora.  Buildroot downloads
> > software from the Internet, unpacks, patches, configures, and builds
> > it.  The build environment is built first, so gcc, uClibc, busybox,
> > etc. and then the packages you want to include are built in that
> > environment.
> >
> > What is the best approach I should use that is acceptable to Fedora?
> >
> > Would it be acceptable to bundle source packages, Buildroot itself,
> > and my Buildroot configuration into one SRPM so everything is
> > self-contained and can be built without requiring network
> > connectivity?  This means I would have to bundle the source code for
> > gcc, the linux kernel, uClibc, busybox, etc.
> >
> > Or is there some way to pull in SRPM packages that already exist in
> > Fedora, and use those as part of my build process so that I don't have
> > to bundle all the source code?  Additionally, I could made separate
> > SRPM packages for Buildroot itself, any components needed (uClibc is
> > already in the distro), the Buildroot build scripts for
> > buildroot-linuxpba, and the actual package I need (msed).