This week I found out that hexdump(1) on Linux doesn't seem to work with bytes but with half-words. I found out because I compared a byte-by-byte binary dump (output of a separate program) to the output of hexdump(1) (dumping the same data) and noticed that hexdump(1)'s output always swapped two adjacent bytes.
Maybe I haven't found the right parameters, though.
Friday, January 30, 2009
Tuesday, December 16, 2008
An Encrypted File-backed File System on FreeBSD
The following is a compilation of information, largely based on the FreeBSD Handbook, Section 18.13 and Section 18.16. This post describes how a file-backed, encrypted file system can be built and used on FreeBSD.
Prerequisites
In order to follow the steps below, the following prerequisites must be met:
- md(4) in the Kernel
- gbde(4) in the Kernel, i.e. kldload geom_bde
- The /etc/gbde directory must exist
First time installation
After those requirements are fulfilled, it's time to take the first step, which is creating a file that will serve as the basis for the file system. There is no support for growing images, so you need to allocate all space now. This command creates a 128 MByte file filled with zeros:
$ dd if=/dev/zero of=encrypted.img bs=4k count=32768
Next, create a memory disk which is based on the image file created above. As root, do:
# mdconfig -a -t vnode -f encrypted.img -u <unit>
In the example above, the parameter -u <unit> is optional and specifies the number of the md(4) device. For example, if you use 4, then md4 will be created.
Now create a partition table, e.g. one with an automatic layout:
# bsdlabel -w md<unit> auto
At this point, you have the equivalent of a hard disk with one or more FreeBSD partitions on it. Note that there is no filesystem, yet. In order to create an encrypted file system, an initialization step must be performed:
# gbde init /dev/md0c -i -L /etc/gbde/encrypted.lock
The initialization step opens an editor where the user is asked to enter a few parameters. Most notably it is probably sensible to change the sector_size to 4096, i.e. the page size on i386. When the editor is closed, the gbde(8) program asks for a password. This password will be used to encrypt the disk, so do not lose it. Note that the /dev/md0c parameter corresponds to the md(4) device which was previously created. The lock file can be named arbitrarily as long as its name ends in .lock. Also note that the lock file must be backed up, as the file system cannot be easily accessed without it.
Now the encrypted device can be attached by running
# gbde attach /dev/md0c -l /etc/gbde/encrypted.lock
You'll be prompted for the password set in the previous step. If the password is accepted, you'll end up with a new disk device at /dev/md0c.bde on which you can operate the same way as on a regular disk. That means you'll need to create a file system first.
# newfs -U -O2 /dev/md0c.bde
Make sure you use the .bde device node and not the raw memory disk, as you'd otherwise end up without encryption. When you're done, it's time to mount the file system:
# mkdir /encrypted
# mount /dev/md0c.bde /encrypted
Unmounting the encrypted file system
Unmounting the file system is easy, but the gbde(4) device needs to be detached before the md(4) device can be destroyed.
# umount /encrypted
# gbde detach /dev/md0c
# mdconfig -d -u 0
Re-mounting an encrypted file system
Re-mounting is simple, but note that the FreeBSD handbook suggests that the file system be checked for errors before mounting:
# mdconfig -a -t vnode -f encrypted.img
md0
# gbde attach /dev/md0c -l /etc/gbde/encrypted.lock
# fsck -p -t ffs /dev/md0c.bde
# mount /dev/md0c.bde /encrypted
Saturday, November 22, 2008
Generating random passwords
Here are a couple of ways of generating random passwords without using a "password generator". First, generate a random string like this:
$ dd if=/dev/urandom count=500 bs=1 | tr "\n" " " | sed 's/[^a-zA-Z0-9]//g'
or like this
$ dd if=/dev/urandom count=500 bs=1 | md5
Then adjust the length by piping the output through cut(1):
... | cut -c-8
While the first option is more to type, it generates lower and upper case letters. The second option is easier to type but only generates lower-case passwords.
Update (Dec 12th, 2008): Fixed error. cut(1) must be used, not cat(1).
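The two approaches above differ in more than letter case: md5 output is hexadecimal, so each character carries 4 bits, against roughly 5.95 bits for a character from [A-Za-z0-9]. The following is an added example, not part of the original post; the function names gen_alnum, gen_hex and entropy_bits are hypothetical, and od(1) stands in for md5 to produce the same 16-symbol alphabet.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# gen_alnum LEN: print LEN characters drawn uniformly from [A-Za-z0-9].
# Bytes outside the alphabet are dropped (rejection sampling), so each kept
# character is equally likely. The loop guarantees the requested length,
# which a single fixed-size read does not.
gen_alnum() {
    len=$1
    out=""
    while [ "${#out}" -lt "$len" ]; do
        chunk=$(dd if=/dev/urandom bs=256 count=1 2>/dev/null |
                LC_ALL=C tr -dc 'A-Za-z0-9')
        out="$out$chunk"
    done
    printf '%s\n' "$out" | cut -c-"$len"
}

# gen_hex LEN: print LEN lower-case hex digits, the alphabet md5 output uses.
# od(1) hex-encodes the random bytes directly instead of hashing them.
gen_hex() {
    len=$1
    nbytes=$(( (len + 1) / 2 ))
    dd if=/dev/urandom bs="$nbytes" count=1 2>/dev/null |
        od -An -tx1 | tr -d ' \n' | cut -c-"$len"
}

# entropy_bits ALPHABET_SIZE LEN: entropy in bits of a uniformly random
# string of LEN characters over an alphabet of ALPHABET_SIZE symbols.
entropy_bits() {
    LC_ALL=C awk -v n="$1" -v l="$2" \
        'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# An 8-character password from each alphabet, with its entropy in bits.
printf '%s  %s bits\n' "$(gen_alnum 8)" "$(entropy_bits 62 8)"
printf '%s  %s bits\n' "$(gen_hex 8)" "$(entropy_bits 16 8)"
```

To match the strength of an 8-character alphanumeric password, the hexadecimal variant needs 12 characters (48 bits).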
Thursday, November 13, 2008
Big R Radio 90's Alternative
Just to save the link somewhere... This command tunes in on the Big R Radio 90's Alternative station.
mplayer http://livestream2.bigrradio.com/90salt
Friday, November 7, 2008
The new GenFw Tool
I've re-written the GenFw tool, part of the TianoCore BaseTools project. The source code can be found here. In order to use the tool, the file Source/C/GenFw/GenFw.c must be replaced with the re-written one. Then, the base tools must be re-built. After that, the EDK2 build process can be started. It will automatically pick up the new tool, which will brand an ELF file with a UEFI file type.
Currently, the re-written tool will not compile on Linux. The reason is that Linux lacks implementations of err(3), errx(3), warn(3), etc. library functions which the BSDs have. It should be easy to add some compatibility macros using a combination of fprintf(3), strerror(3) and exit(3). I might add those should the need arise.
Update (Dec 3rd, 2008): I've added the compatibility macros for Linux. An updated version of the source code can be downloaded here.