aaf0454956
The rumpkernel based tools are intended to be used by executing 'tool/rump'. Since it covers the most common use cases for these tools, this script is comparatively extensive, hence giving a short tutorial seems reasonable: * Format a disk image with Ext2: To format a disk image with the Ext2 file system, first prepare the actual image by executing dd: ! dd if=/dev/zero of=/path/to/disk_image bs=1M count=128 Second, use 'tool/rump' to format the disk image: ! rump -f -F ext2fs /path/to/disk_image Afterwards the just created file system may be populated with the content of another directory by executing ! rump -F ext2fs -p /path/to/another_dir /path/to/disk_image The content of the file system image can be listed by executing ! rump -F ext2fs -l /path/to/disk_image * Create a encrypted disk image: Creating a cryptographic disk image based on cgd(4) is done by executing the following command: ! rump -c /path/to/disk_image This will generate a key that may be used to decrypt the image later on. Since this command will _only_ generate a key and NOT initialize the disk image, it is highly advised to prepare the disk image by using '/dev/urandom' instead of '/dev/zero' (only new blocks that will be written to the disk image are encrypted). In addition while generating the key a temporary configuration file will be created. Although this file has proper permissions, it may leak the generated key if it is created on persistent storage. To specify a more secure directory the '-t' option should be used: ! rump -c -t /path/to/secure/directory /path/to/disk_image Decrypting the disk image requires the key generated in the previous step: ! rump -c -k <key> /path/to/disk_image For now this key has to specified as command line argument. This is an issue if the shell, which is used, is maintaing a history of executed commands. For completness sake let us put all examples together by creating a encrypted Ext2 image that will contain all files of Genode's _demo_ scenario: ! dd if=/dev/urandom of=/tmp/demo.img bs=1M count=16 ! $(GENODE_DIR)/tool/rump -c -t /ramfs -F ext2fs /tmp/demo.img > \ ! /ramfs/key # key is printed out to stdout ! $(GENODE_DIR)/tool/rump -c -t /ramfs -F ext2fs -k <key> \ ! -p $(BUILD_DIR)/var/run/demo /tmp/demo.img To check if the image was populated succesfully, execute the following: ! $(GENODE_DIR)/tool/rump -c -t /ramfs -F ext2fs -k <key> -l \ ! /tmp/demo.img
114 lines
2.0 KiB
Bash
Executable File
114 lines
2.0 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# \brief Create cgdconfig(8) configuration file from key or extract the key
|
|
# from the specified configuration file
|
|
# \author Josef Soentgen
|
|
# \date 2014-04-29
|
|
#
|
|
#
|
|
# Note: This script is merely just a awk(1) wrapper and only generates a
|
|
# aes-cbc 256 storedkey configuration and expects the given key to
|
|
# be a proper base64 encoded key generated by cgdconfig(8).
|
|
#
|
|
|
|
|
|
#
|
|
# Print usage
|
|
#
|
|
print_usage() {
|
|
local help=$1
|
|
printf "usage: $PROG_NAME [-h] <-f file|-k key>\n"
|
|
if [ "$help" != "" ]; then
|
|
printf "\t-h show this help screen\n"
|
|
printf "\t-k key generate config file from key and print "
|
|
printf "to stdout\n"
|
|
printf "\t-f file extract key from config file and print "
|
|
printf "to stdout\n"
|
|
fi
|
|
}
|
|
|
|
|
|
#
|
|
# Parse arguments given on the commandline
|
|
#
|
|
parse_arguments() {
|
|
local args="$(getopt hf:k: ${*})"
|
|
|
|
[ $? != 0 ] && exit 1
|
|
if [ $# -lt 1 ]
|
|
then
|
|
print_usage
|
|
exit 1
|
|
fi
|
|
set -- $args
|
|
while [ $# -ge 0 ]; do
|
|
case "$1" in
|
|
-h)
|
|
print_usage "help"
|
|
exit 0;;
|
|
-k) ARG_KEY="$2"; shift; shift;;
|
|
-f) ARG_FILE="$2"; shift; shift;;
|
|
--) shift; break;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
|
|
#
|
|
# Extract the key string from the configuration file
|
|
#
|
|
extract_key() {
|
|
local cgd_file="$1"
|
|
|
|
awk 'BEGIN { found=0 }
|
|
{
|
|
if (found == 1) key=key $1
|
|
if ($1 == "keygen") { found=1; key=$4 }
|
|
}
|
|
END { sub(/;$/, "", key); print key }' $cgd_file
|
|
}
|
|
|
|
|
|
#
|
|
# Generate a proper cgd(8) configuration file from the given key
|
|
#
|
|
generate_conf() {
|
|
local key="$1"
|
|
|
|
printf "$key" | awk '{ key=$0 }
|
|
END {
|
|
printf("algorithm aes-cbc;\n")
|
|
printf("iv-method encblkno1;\n")
|
|
printf("keylength 256;\n")
|
|
printf("verify_method none;\n")
|
|
printf("keygen storedkey key ")
|
|
printf("%s \\\n", substr(key, 1, 30))
|
|
printf(" %s;\n", substr(key, 31))
|
|
}'
|
|
}
|
|
|
|
|
|
main() {
|
|
parse_arguments "$@"
|
|
|
|
if [ "$ARG_FILE" != "" ]; then
|
|
extract_key "$ARG_FILE"
|
|
fi
|
|
|
|
if [ "$ARG_KEY" != "" ]; then
|
|
generate_conf "$ARG_KEY"
|
|
fi
|
|
}
|
|
|
|
|
|
PROG_NAME=$(basename $0)
|
|
|
|
ARG_FILE=
|
|
ARG_KEY=
|
|
|
|
main "$@"
|
|
|
|
exit 0
|
|
|
|
# End of file
|