Package Details: sedutil 1.49.7-1

Git Clone URL: https://aur.archlinux.org/sedutil.git (read-only)
Package Base: sedutil
Description: TCG OPAL 2.00 SED Management Program
Upstream URL: https://github.com/Drive-Trust-Alliance/sedutil
Keywords: tcg
Licenses: GPL3
Submitter: R00KIE
Maintainer: 2bluesc (ozz)
Last Packager: 2bluesc
Votes: 45
Popularity: 0.110856
First Submitted: 2015-10-18 14:02 (UTC)
Last Updated: 2025-03-02 19:58 (UTC)

Pinned Comments

R00KIE commented on 2016-08-27 21:39 (UTC)

To build this package you need to install one of the following:
linux-headers: if you are using Arch's kernel
linux-lts-headers: if you are using Arch's LTS kernel

Latest Comments

darkbasic commented on 2016-12-13 16:26 (UTC) (edited on 2016-12-13 16:26 (UTC) by darkbasic)

That makes sense, I thought about creating a hybrid image but from my point of view it wasn't worth the additional effort because we really want secure boot support anyway, possibly using something like cryptboot[1] to sign the image. I still didn't implement secure boot in my helper because I still have to figure out the best way to accomplish it, especially if I really want to use something like cryptboot. Any idea?

[1] https://github.com/xmikos/cryptboot

R00KIE commented on 2016-12-13 14:01 (UTC)

@darkbasic I'll include your first patch to unbreak building (again) until upstream fixes the problem[1]. In Arch we don't have linux versions below 4.4 so we don't really need the conditionals but I'll include it as is as most probably that is what upstream will use.

Regarding the uefi image creation script, I have been working on a new script which will create hybrid images (bios+uefi) and I'm planning to move away from separate scripts for bios and uefi which means I will not use your script, but I thank you for taking the time to implement and test it, it can serve as an alternative/reference for other people.

I'm also planning to move the sources to github, I have been contacted by email regarding that and I'll probably do it after upstream releases a new version, for now I'll just push my changes and fix building.

[1] https://github.com/Drive-Trust-Alliance/sedutil/pull/56#issuecomment-263739472

darkbasic commented on 2016-12-12 23:44 (UTC)

I created a helper to make the PBA image with EFI support, please add it to the pkgbuild as mklinuxpba-efi: https://paste.pound-python.org/show/1mka8Z0H4v7iDHdNkg0V/

darkbasic commented on 2016-12-12 13:16 (UTC) (edited on 2016-12-12 13:16 (UTC) by darkbasic)

To fix the issue I removed your patch and added this one: https://github.com/bcarmo-caio/sedutil/commit/5ca6100917a025f6e11ae20838e1e37e7db2d587.patch Now it compiles flawlessly.

darkbasic commented on 2016-12-12 13:09 (UTC)

    g++ -m64 -Wall -D_FORTIFY_SOURCE=2 -O2 -c -Werror -I.. -I../../Common -I../../Common/pbdkf2 -std=c++11 -MMD -MP -MF "build/Release_x86_64/GNU-Linux/_ext/5c0/DtaDevOS.o.d" -o build/Release_x86_64/GNU-Linux/_ext/5c0/DtaDevOS.o ../DtaDevOS.cpp
    In file included from ../DtaDevLinuxNvme.h:21:0,
                     from ../DtaDevLinuxNvme.cpp:33:
    /usr/lib/modules/4.8.13-1-ARCH/build/include/linux/nvme.h: In function ‘bool nvme_is_write(nvme_command*)’:
    /usr/lib/modules/4.8.13-1-ARCH/build/include/linux/nvme.h:858:57: error: ‘unlikely’ was not declared in this scope
      if (unlikely(cmd->common.opcode == nvme_fabrics_command))
                                                             ^
    make[2]: *** [nbproject/Makefile-Release_x86_64.mk:184: build/Release_x86_64/GNU-Linux/_ext/5c0/DtaDevLinuxNvme.o] Error 1
    make[2]: *** Waiting for unfinished jobs....
    In file included from ../DtaDevLinuxNvme.h:21:0,
                     from ../DtaDevOS.cpp:36:
    /usr/lib/modules/4.8.13-1-ARCH/build/include/linux/nvme.h: In function ‘bool nvme_is_write(nvme_command*)’:
    /usr/lib/modules/4.8.13-1-ARCH/build/include/linux/nvme.h:858:57: error: ‘unlikely’ was not declared in this scope
      if (unlikely(cmd->common.opcode == nvme_fabrics_command))
                                                             ^
    make[2]: *** [nbproject/Makefile-Release_x86_64.mk:194: build/Release_x86_64/GNU-Linux/_ext/5c0/DtaDevOS.o] Error 1
    make[2]: Leaving directory '/tmp/yaourt-tmp-niko/aur-sedutil/src/sedutil-1.12/linux/CLI'
    make[1]: *** [nbproject/Makefile-Release_x86_64.mk:80: .build-conf] Error 2
    make[1]: Leaving directory '/tmp/yaourt-tmp-niko/aur-sedutil/src/sedutil-1.12/linux/CLI'
    make: *** [nbproject/Makefile-impl.mk:40: .build-impl] Error 2

linux-headers is installed.

R00KIE commented on 2016-08-27 21:37 (UTC) (edited on 2016-12-13 14:02 (UTC) by R00KIE)

@jarondl I was looking into this and I haven't found yet a way to makedepend on either linux-headers or linux-lts-headers. Those are the headers packages for the two kernels in [core], so making it a hard dependency on either of them is not right. For now I'll make a comment sticky warning that one of them needs to be installed.

jarondl commented on 2016-08-21 01:03 (UTC)

Hi, Could you add a dependency on linux-headers? Thanks

XG_SiNGH commented on 2016-03-12 19:45 (UTC) (edited on 2016-03-12 19:46 (UTC) by XG_SiNGH)

NEWS: I've created a new article in the Arch Wiki: Self-Encrypting Drives (SED) https://wiki.archlinux.org/index.php/Self-Encrypting_Drives_(SED) (note; the link comes out broken here, don't click - copy & paste the whole line) It specifically covers usage of sedutil. I've tried making it as complete as I could, but it needs review. Discuss at this forum thread: https://bbs.archlinux.org/viewtopic.php?pid=1611886 (+ at the article's talk page) Thanks everyone!

R00KIE commented on 2016-01-31 23:28 (UTC) (edited on 2016-01-31 23:56 (UTC) by R00KIE)

I've been wanting to create a wiki page explaining how all this is set up but haven't gotten around to it yet.

The package installs sedutil, the pba program that is used in the upstream pba images and a few arch specific scripts and configuration files. You will need to configure your console keymap properly [1] (this was my main motivation, you can pick your own keymap), edit /etc/linuxpba/linuxpba.conf and configure it to your liking (the comments there should explain what each option does), create a keyring file at /etc/linuxpba/keyring.luks and then create the pba images with mklinuxpba-bios. mklinuxpba-bios calls mklinuxpba-initramfs to generate the initramfs and then mklinuxpba-bios uses the current linux and pba initramfs to create the pba image.

I had a draft text file with rough instructions on how to configure the keyring but I can't find it right now :( I'll point you to the pages I've looked into to make this work. It is the same procedure as described here [2], and for enrolling your yubikey I have done it in a very similar way to this project [3]. In my case I've done all the steps manually (look inside the yubikey-luks-enroll script near the end). The difference from [2] is that you have to zero your luks device and then echo your admin1 password to the luks device.

You might want to refer to the wiki on how to configure and boot a luks encrypted root with the key on a usb drive as the procedure is the same, specifically this [4]. The options KFNAME, KFSKIP and KFSIZE map to device, offset and size.

If I manage to find the text file with rough instructions I'll drop it here, but I'm afraid I might have to start writing it from scratch.

[1] https://wiki.archlinux.org/index.php/Keyboard_configuration_in_console
[2] https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
[3] https://github.com/cornelinux/yubikey-luks
[4] https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#cryptkey

Edit: I found the file :)

This assumes three keys will be used, one in a sd card, one in a usb flash drive and a yubikey.

    truncate -s 1053184 keyring.luks #for luks default config
    truncate -s 2068992 keyring.luks #for luks -c aes-xts-plain64 -h sha512 -s 512

Use one of the following two:

    cryptsetup --align-payload=1 --use-random --key-file sdcard_luks_key -i 2000 luksFormat keyring.luks
    cryptsetup --align-payload=1 --use-random -c aes-xts-plain64 -h sha512 -s 512 --key-file sdcard_luks_key -i 2000 luksFormat keyring.luks

    cryptsetup --key-file sdcard_luks_key luksAddKey keyring.luks flash_luks_key
    cryptsetup --key-file sdcard_luks_key luksAddKey keyring.luks yubikey_luks_key
    cryptsetup --key-file sdcard_luks_key open --type luks keyring.luks keyring
    dd if=/dev/zero of=/dev/mapper/keyring
    echo your_admin1_password > /dev/mapper/keyring
    cryptsetup close keyring

Put your keyring.luks in /etc/linuxpba and run mklinuxpba-bios. Don't forget to test your pba image before committing it to the SSD.
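
Added example, not part of the comment above or of the package: the two truncate sizes equal a LUKS1 header formatted with --align-payload=1 plus a single 512-byte payload sector, and this script derives them from the LUKS1 on-disk layout and checks a finished keyring file's header against it. It assumes the LUKS1 format (cryptsetup releases that default to LUKS2 need --type luks1 on luksFormat to match these sizes); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original comment): LUKS1 geometry behind the
# keyring.luks sizes quoted above, plus a header check for a finished keyring.
SECTOR=512

# Header sectors for LUKS1 formatted with --align-payload=1: a 4096-byte
# header area, then 8 keyslots of key_bytes * 4000 stripes, 4096-byte aligned.
luks1_header_sectors() {            # $1 = key size in bits (the -s value)
    slot=$(( ($1 / 8 * 4000 + SECTOR - 1) / SECTOR ))
    slot=$(( (slot + 7) / 8 * 8 ))
    echo $(( 8 + 8 * slot ))
}

# File size in bytes: header plus a payload of $2 sectors (default 1).
keyring_size() {
    echo $(( ( $(luks1_header_sectors "$1") + ${2:-1} ) * SECTOR ))
}

# Big-endian unsigned integer of $3 bytes at byte offset $2 of file $1.
be_field() {
    hex=$(od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n')
    echo $(( 0x$hex ))
}

# Check that file $1 is a LUKS1 container with key size $2 bits whose
# payload is exactly one sector, as the truncate sizes imply.
check_keyring() {
    case $(od -An -v -tx1 -N 8 "$1" | tr -d ' \n') in
        4c554b53babe0001) ;;                          # "LUKS" BA BE, version 1
        4c554b53babe0002) echo "LUKS2 header"; return 2 ;;
        *) echo "not a LUKS header"; return 1 ;;
    esac
    payload=$(be_field "$1" 104 4)                    # payload-offset (sectors)
    keybytes=$(be_field "$1" 108 4)                   # key-bytes
    size=$(( $(wc -c < "$1") ))
    [ "$keybytes" -eq $(( $2 / 8 )) ] || { echo "key size mismatch"; return 3; }
    [ "$payload" -eq "$(luks1_header_sectors "$2")" ] ||
        { echo "payload offset $payload"; return 4; }
    [ "$size" -eq $(( (payload + 1) * SECTOR )) ] ||
        { echo "file size $size"; return 5; }
    echo "ok"
}

echo "256-bit key: $(keyring_size 256) bytes"         # the default-config size
echo "512-bit key: $(keyring_size 512) bytes"         # the -s 512 size
if [ $# -ge 1 ]; then check_keyring "$1" "${2:-256}"; fi
```

Run it with the keyring path and key size as arguments (for example `keyring.luks 512`) before building the PBA image; a "LUKS2 header" result means the container was not formatted as LUKS1 and will not have the sizes given in the comment.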