
Differences

This shows you the differences between two versions of the page.

home:backtrack_4_r-evolution [2012/11/04 09:49]
zes
home:backtrack_4_r-evolution [2012/12/21 17:02] (current)
zes [fix initrd]
Line 1: Line 1:
-====== back|track 4 [r]evolution ======+====== back|track 4 [r]evolution [uniq edition] ====== 
 +this small howto explains how to install a live system from an iso file [e.g. bt4.235R2.iso] to an usb stick with multiple boot options.
  
-===== howto install [linux] =====+it also shows, howto encrypt your squashfs and changes partition.
  
 ===== howto install [windoof] ===== ===== howto install [windoof] =====
 +  - Download Unetbootin from http://unetbootin.sourceforge.net
 +  - Start Unetbootin and select the diskimage (e.g. the backtrack ISO you just downloaded)
 +  - Select the first partition of your USB drive and click “OK” for creating a bootable BackTrack USB drive
 +  - you are finished, and may **Reboot** from your usb stick now.
 +
 +===== howto install [linux] =====
 +Download Unetbootin from http://unetbootin.sourceforge.net/ or do
 +<code>
 +  wget http://santa.fnord.cx/bt4_bh/unetbootin-linux-494
 +</code>
 +  - Start Unetbootin by typing **unetbootin** in a shell and select diskimage (e.g. the backtrack ISO you just downloaded)
 +  - Select the first partition of your USB drive and click “OK” for creating a bootable BackTrack USB drive
 +  - you are finished, and may **Reboot** from your usb stick now.
 +
 +====== back|track 4 [r]evolution - Xtras ======
 +
 +===== howto install grub =====
 +grub is already onh the system preinstalled, we just need to rewrite our **mbr** to install grub to our usb
 +
 +to find our usb stick we do
 +
 +  mount | grep cdrom0 | cut -d' ' -f1
 +
 +if we see that our usb is for e.g. sdb1 we have to remount it **rw** first, that we can write to it
 +
 +  mount -o remount,rw /dev/sdb1
 +
 +then we install grub to **sdb** (NOT sdb1) :
 +
 +  grub-install --recheck --force-lba --root-directory=/media/cdrom0/ /dev/sdb
 +
 +and always remember: **every stick is bootable!**
 +
 +====== NOT FINISHED FROM HERE -> this will kill your livestick !!! ====== 
 +===== howto encrypt squashfs =====
 +
 +==== load modules ====
 +Depending on what distro you are using, you may have to load a kernel module. It doesn't hurt anything if it is already loaded.
 +
 +  modprobe aes-i586
 +  modprobe sha512
 +
 +or if you want other cyphers ....
 +
 +  modprobe twofish
 +  modprobe serpent
 +  modprobe xts
 +
 +see if all is loaded, and list your encryption possibilities with
 +
 +  cat /proc/crypto | grep name
 +
 +==== encrypt squashfs ==== 
 +** !!! this will only work on ntfs or ext3 partitions !!! ** - [ because the cryptocontainer is larger than 4GB which FAT32 can't handle ]
 +
 +Now we encrypt the filesystem.squashfs file. To do this we will create a luks container that is **slightly bigger** than the filesystem.squashfs file. Here we will use 4 GB but you are free to choose any size, as long as it is larger than the filesystem.squashfs size of course, and create it in am temporary directory. we used /mnt/uniq_tmp. you can do this from inside the running system.\\
 +**!!! just make shure you have enough space in your tmp folder !!!**
 +
 +make a temp folder
 +  mkdir /media/yourhardrive/uniq_tmp -v
 +We will first make the container. The size is dictated by the count parameter in the dd command (in megabytes). Feel free to use /dev/random instead of urandom.\\
 +**Note that this will take a few minutes.**
 +  dcfldd if=/dev/urandom of=/media/yourhardrive/uniq_tmp/cryptosys bs=1M count=4200
 +then
 +  losetup /dev/loop2 /media/yourhardrive/uniq_tmp/cryptosys -v
 +Choose a strong passPHRASE here. It's pointless to go through all this trouble to encrypt everything and then choose a weak password.
 +  cryptsetup -y -i 2351 --cipher aes-cbc-plain:sha512 --key-size 256 -T 4 luksFormat /dev/loop2
 +Now that we have our container lets open it, put a filesystem in it, and put the filesystem.squashfs file in.
 +<code>
 +cryptsetup luksOpen /dev/loop2 uniq
 +mkfs.ext3 /dev/mapper/uniq -L "uniq"
 +mkdir /mnt/uniq -v
 +mount /dev/mapper/uniq /mnt/uniq -v
 +rsync -a --progress /media/cdrom0/casper/filesystem.squashfs /mnt/uniq
 +</code>
 +**!!! NOTE : if __rsync fails__, your cryptosys file was to small. -> do the __clean up__ below, start again from __dcfldd__ and use a __higher count__!!!**
 +
 +
 +==== clean up ====
 +  umount /mnt/uniq -v
 +  rm -rfv  /mnt/uniq
 +  cryptsetup luksClose /dev/mapper/uniq
 +  losetup -d -v /dev/loop2
 +  
 +
 +==== rename / move container ====
 +We have the filesystem.squashfs file encrypted inside the uniq crypto container. Now we only have to rename and move it to its final destionation on our stick. For that, we need to know where our stick is mounted. If you don't know that, try:
 +  mount | grep cdrom0 | cut -d' ' -f1
 +now we see, that our stick is at e.g. **/dev/sdb1**. we use that knowlege to **remount** our usb writeable, so we can put our uniq crypto container there.
 +  mount -o remount,rw /dev/sdb1
 +the next line is for paranoid people, who want to enhance their crypto : [may take a while]
 +  wipe /media/cdrom0/casper/filesystem.squashfs
 +then we move the container
 +  mv -fv /media/yourhardrive/uniq_tmp/cryptosys /media/cdrom0/casper/filesystem.squashfs
 +and unmount our 2nd usb partition ...
 +  umount -fv /media/yourhardrive/uniq_tmp/
 +Alright. Now we have the filesystem.squashfs file encrypted and on the right place back on our stick. Half way there.\\
 +Next thing we need to do is to fix our initrd, so it can open our container.
 +
 +==== fix initrd ====
 +We now have everything encrypted but this won't do us any good because our initrd doesn't know that what it is looking for is encrypted. Let's fix that. We will be using the initrd.gz that we downloaded and extracted from the BT iso earlier. First lets copy the initrd.gz file to its own directory and extract it.
 +  mkdir ~/initrd -v
 +  cp /media/cdrom0/boot/initrd.gz ~/initrd/ -v
 +  cd ./initrd
 +  gunzip -v ./initrd.gz
 +  cpio -idv < ./initrd
 +While we're at it, delete the archives we just extracted so they don't get in the way when we compress everything again.
 +  rm -v ./initrd
 +Now we can edit the startup script files.
 +  cd ./scripts
 +
 +if you want to start qour changes via but don't know how to find the right uuid, try:
 +  vol_id -u /dev/sdb2
 +
 +Open "casper-helpers" for editing.
 +
 +  kate ./casper-helpers
 +
 +Starting on line 122 and ending at line 166 is the "setup_loop" function.
 +We need to make that function look like below\\
 +**NOTE:** do not forget to change the UUID to the UUID of your hardrive!
 + 
 +<code>
 +setup_loop() {
 +    local fspath=$1
 +    local module=$2
 +    local pattern=$3
 +    local offset=$4
 +
 +    modprobe ${MP_QUIET} -b "$module"
 +    /sbin/udevadm settle
 +
 +    if [ "$module" = loop ]; then
 +        if [ ! -e /dev/loop0 ]; then
 +            # temporary workaround for kernel bug
 +            for i in 0 1 2 3 4 5 6 7; do
 +                mknod "/dev/loop$i" b 7 "$i" || true
 +            done
 +        fi
 +
 +        dev="$(losetup -f)"
 +        if [ "$dev" ]; then
 +            if [ -n "$offset" ]; then
 +                losetup -o "$offset" "$dev" "$fspath"
 +            else
 +
 +        # Encryption squashfs Begin
 +        mkdir /mnt
 +
 +        losetup "$dev" "$fspath"
 +        echo "Password: " >&6
 +        cryptsetup luksOpen "$dev" luksloop >&6
 +
 +        # workaround (part 2):
 +        mount -t ext3 /dev/mapper/luksloop /mnt
 +        dev="$(losetup -f)"
 +        losetup "$dev" /mnt/filesystem.squashfs
 +        # Encryption squashfs End
 +        
 +        #encryption changes
 +        echo "Password changes: " >&7
 +        
 +        #load encrypted changes
 +        #cryptsetup luksOpen /dev/sdb2 casper-rw >&7
 +        
 +        #load encrypted changes via uuid
 +        cryptsetup luksOpen /dev/disk/by-uuid/25017ed5-aab5-your-uuid-0a1b22c23510 casper-rw >&7
 +        
 +
 +            fi
 +            echo "$dev"
 +            return 0
 +        else
 +            panic "No loop devices available"
 +        fi
 +    else
 +        for loopdev in $pattern; do
 +            if [ "$(cat $loopdev/size)" -eq 0 ]; then
 +                dev=$(sys2dev "${loopdev}")
 +                if [ -n "$offset" ]; then
 +                    losetup -o "$offset" "$dev" "$fspath"
 +                else
 +                    losetup "$dev" "$fspath"
 +                fi
 +                echo "$dev"
 +                return 0
 +            fi
 +        done
 +        panic "No loop devices available"
 +    fi
 +}
 +</code>
 +  
 +My changes are marked between the comments "Encryption changes begin/end". 
 + Either replace the whole function with what I have posted above or just add in my changes between the two comments mentioned.
 +
 +===== copy files =====
 +
 +copy boot
 +  cp -frvp /media/cdrom0/boot /mnt/h00dy
 +rename the initrd
 +  mv -fv /mnt/h00dy/boot/initrd.gz /mnt/h00dy/boot/initrd.nocrypt.gz
 +zip your initrd back together, and copy it
 +  cd ..
 +  find . | cpio -o -H newc --verbose | gzip -9 > /root/initrd.gz
 +copy boot
 +  mv -fv /root/initrd.gz /mnt/h00dy/boot/
 +  cp -fvp /media/cdrom0/{l,m,s,u}* /mnt/h00dy/
 +
 +
 +so far so good, we are nearly there ...
 +==== checksum verifycation ====
 +sha512sum
 +
 +<code>
 +#!/bin/sh
 +
 +checksum () {
 + echo "Checking file: $1"
 + echo "Using $2 file: $1.$2"
 +
 + file1=`openssl $2 $1 | awk -F " " '{print $2}'`
 + file2=`cut -d* -f1 $1.$2`
 +
 + echo $file1
 + echo $file2
 +
 + if [ $file1 != $file2 ]
 + then
 +     echo "$2 sums mismatch"
 + else
 +     echo "$2 checksums OK"
 + fi
 +}
 +
 +if [ -n "$1" ]
 +then
 +  root_dir=$1
 +else
 +  root_dir=.
 +fi
 +
 +for file in $root_dir/*.jar $root_dir/*.tar.gz $root_dir/*.zip; do
 +    checksum $file 'md5'
 +    checksum $file 'sha1'
 +
 +    echo "GPG verification output"
 +    gpg --verify $file.asc $file
 +    echo "~~~~~~~~~~~~~~~~~~~~~~~"
 +done
 +</code>
 +===== howto encrypt the rest [changes] =====
 +
 +==== will follow, soon .... :-)====
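Review bot: The luksFormat line under "encrypt squashfs" selects "--cipher aes-cbc-plain:sha512". CBC with the plain sector-number IV is predictable and open to watermarking, so the container holding filesystem.squashfs gets weaker confidentiality than the 256-bit key suggests. The ":sha512" suffix also reads as if ESSIV was intended. Suggest "aes-cbc-essiv:sha256", or an XTS mode since "load modules" already loads xts, and state in the text which of the loaded modules the chosen cipher actually needs. Smaller points in the same hunk: the paragraph after setup_loop points readers at comments "Encryption changes begin/end", but the function marks the block with "# Encryption squashfs Begin" and "# Encryption squashfs End", and neither "cryptsetup luksOpen" call there is checked for failure before mount and losetup run against the mapped device. The "checksum verifycation" section is headed sha512sum while the script only compares md5 and sha1 for *.jar, *.tar.gz and *.zip files, with "$file1" and "$file2" unquoted in the test, so it does not cover initrd.gz or the container and breaks on an empty sum. The "wget http://santa.fnord.cx/bt4_bh/unetbootin-linux-494" step fetches an executable over plain HTTP with nothing to compare it against; publishing a digest next to the link would fit the page's own verification section.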
 
home/backtrack_4_r-evolution.1352022581.txt.gz · Last modified: 2012/11/04 09:49 by zes