Blueprints. Securing Sensitive Files With TPM Keys
|
|
- Annis Grant
- 6 years ago
- Views:
Transcription
1 Blueprints Securing Sensitive Files With TPM Keys
2
3 Blueprints Securing Sensitive Files With TPM Keys
4 Note Before using this information and the product it supports, read the information in Notices on page 39. First Edition (December 2009) Copyright IBM Corporation US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
5 Contents Chapter 1. Scope, requirements, and support Chapter 2. Overview Chapter 3. Determining if you have the right hardware Chapter 4. Installing and configuring Trusted Computing software Chapter 5. Generating a Trusted State sealed key Chapter 6. Setting up the dm-crypt loopback partition Overview Determining if you have the right hardware Installing and configuring Trusted Computing software Generating a Trusted State sealed key Setting up the dm-crypt loopback partition Securing sensitive files using a script Making the changes persistent across reboots Appendix A. Verify whether the secured partition is really secured Appendix B. Troubleshooting Notices Trademarks Chapter 7. Securing sensitive files using a script Chapter 8. Making the changes persistent across reboots Chapter 9. Securing sensitive files with TPM keys Scope, requirements, and support Copyright IBM Corp iii
6 iv Blueprints: Securing Sensitive Files With TPM Keys
7 Chapter 1. Scope, requirements, and support This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Systems to which this information applies System x running Linux Intended audience This blueprint targets Enterprise Linux administrators or users with an intermediate level of expertise. Scope and purpose This Blueprint provides the steps necessary to setup a loopback dm-crypt partition encrypted with a key sealed to a TPM 1.2 platform configuration register (PCR). Instructions for setting up TPM for other security functions are outside the scope of this blueprint. Test environment These instructions were tested on IBM System x 8212 running SLES11 and RHEL5.4 respectively. Hardware requirements To be able to use the functions of TPM, your hardware must be built with a Trusted Platform Module (TPM) chip of version 1.2 or above. The TPM chip can usually be found in the current System x machines and Lenovo ThinkPad systems. To determine if your hardware can support TPM, follow the instructions in section Chapter 3, Determining if you have the right hardware, on page 5. Software requirements v SuSE Linux Enterprise System version 11 or above C/C++ Compiler and Tools package groups gettext-tools (Requirement for building tpm_tools v from source) v Red Hat Enterprise Linux version 5.3 or above Development Tools and Development Libraries package groups gettext-devel (Requirement for building tpm_tools v from source) grub v0.97 (Requirement for building trustedgrub v1.1.3 from source. This software is included with RHEL5.3 and 5.4 If your distribution does not have the correct version, you can also use the one included in trustedgrub v source package.) Other considerations It is important to note that the creation of TPM key demonstrated here is sealed with the PCRs that measures the MBR information, bootloader, boot command line, and the kernel image. If any of these changed, all files secured by this method will be inaccessible. Copyright IBM Corp
8 Author names Rajiv Andrade George Wilson Other contributors Monza Lui Subrata Modak Kersten Richter IBM Services Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux ( IBM Support Questions and comments regarding this documentation can be posted on the developerworks Security Blueprint Community Forum: The IBM developerworks discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerworks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerworks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered. Typographic conventions The following typographic conventions are used in this Blueprint: Bold Italics Monospace Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects. Identifies parameters whose actual names or values are to be supplied by the user. Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type. 2 Blueprints: Securing Sensitive Files With TPM Keys
9 Chapter 2. Overview Automatic logins can be realized by saving your password as a file and then reading that file when authorization is needed. To make sure this file is not compromised, the best practice is to combine cryptography and directory access control (DAC) by encrypting the password file and setting the proper authorization to it. However most automatic login software expect a plain password file. You can potentially automate the decryption of the password file when that file is needed during automatic logins, but then you will need yet another encrypted password file to decrypt the previous password file. Trusted Platform Module (TPM) provides a clean solution for this recursive problem. This solution makes use of a set of Platform Configuration Registers (PCRs) that can only be written by the TPM_extend operation. The TPM_extend operation makes the new PCR a hash of the concatenation of the current value with the new hash that is provided. By design, assigning an arbitrary value to an PCR isn't allowed and makes this TPM_extend operation very unique. This design makes key sealing possible. In a key sealing scenario, the PCR can store a signature of the data that you are extending. The key is sealed by tying it to a particular PCR value in a way that the key can only be retrieved later from the TPM. A key can also be sealed to more than one PCR. In this blueprint, you will seal a key to five PCRs (MBR information, bootloader, boot command line, or the kernel image). If any of these PCRs/parameters changes, mounting of the encrypted partition will not be possible. This feature prevents anyone from mounting the partition to other installed operating systems other than the one the partition was originally mounted to, making rootkit impossible. Note that if you need to change any of these five PCR values, after following the instructions in this blueprint, you will need to plan for migration. In the following sections, you will install needed software, create a sealed key, and then use the sealed key to set up the dm-crypt loopback partition. Then you will learn how to use a script to encrypt any file and save it in the dm-crypt partition while the original location of the file is replaced by a symbolic link to the encrypted file. In the last section, you will set up to automatically mount the dm-crypt loopback partition in each reboot. The following table listed the files and directories that are used in the instructions. You may prefer to use a different set of files and directories. If you do, make sure these files and directories have the correct DAC authorization. You can use the following table to record where you want these files and directories for easy reference. Table 1. Reference table for files and directories Description File to temporarily hold the key File of the sealed key Directory used to mount loopback device Mapper device of your secured partition Note: This device is always created in the mapper device directory File/Directory used in This Blueprint /home/temp_plain_key /home/sealed_key /home/secret_dir /dev/mapper/secret File/Directory you used /dev/mapper/ Copyright IBM Corp
10 Table 1. Reference table for files and directories (continued) Description Directory mapped to the above device, where your secured files will be made available to you in plain form File/Directory used in This Blueprint /home/plain File/Directory you used Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. 4 Blueprints: Securing Sensitive Files With TPM Keys
11 Chapter 3. Determining if you have the right hardware Use this information to determine if you have the right hardware to use TPM and to determine which TPM chip version you have in your hardware. Determining TPM-readiness You can determine if your hardware is TPM-ready by looking at your BIOS. Note that the term TCG is sometimes used interchangeably with the term TPM in the BIOS. Make sure that the TCG/TPM feature is active and is cleared if available by following these steps: 1. Enter the BIOS and activate the TCG Feature. Steps to do so depends on the BIOS version. In this example, press F1 during power on. Then, from the main menu, choose Security TCG Feature Setup. The feature could be named differently, for example, Security Chip, in other BIOS versions. Note: If you cannot find similar feature in your BIOS, your hardware might not be equipped with any TPM chip. 2. Set TCG Security Feature option to Active and Clear TCG Security Feature option to Yes. Copyright IBM Corp
12 3. Save and Exit from the BIOS. Determining TPM version To determine which TPM chip version you have in your hardware, load the TPM modules. Follow these steps: 1. Insert tpm_tis module by running the following command: # modprobe tpm_tis # lsmod grep tpm tpm_tis tpm tpm_infineon,tpm_tis tpm_bios tpm 2. Determine the TCG version by issuing the following command: # cat /sys/devices/pnp0/00\:0*/caps Manufacturer: 0x4e534d20 TCG version: 1.2 Firmware version: 1.6 The above output shows that the TPM/TCG chip version is 1.2. Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. 6 Blueprints: Securing Sensitive Files With TPM Keys
13 Chapter 4. Installing and configuring Trusted Computing software The TCG has standardized a software stack that acts above the TPM chip and includes the TPM device driver and TSS. TSS is a Trusted Computing API that provides applications access to the TPM trusted computing functions. About this task The steps below explains how to install an open source implementation of such API, named TrouSerS, together with a group of userland tools that use this interface to implement various Trusted Computing solutions, including the one you are accomplishing. This table displays the four software programs that you will install in this section and where they should be installed from. Distro is defined as the software that comes with the distribution whereas source means you will have to download the software from sourceforge.net and build it from the source: Table 2. Installing software locations SLES11+ RHEL5.3+ Software Install Software From: TrouSerS distro distro tpm_tools v source source trustedgrub distro source cryptsetup distro distro Procedure 1. Check if your hardware and software requirements are fulfilled. See Hardware requirements on page 1 and Software requirements on page 1 in the Introduction. Also see Chapter 3, Determining if you have the right hardware, on page Install TrouSerS and its development packages. This tool is required for installing tpm-tools. To install TrouSerS, follow these steps: On SLES11, run: # yast -i trousers trousers-devel On RHEL5.4, run: # yum install trousers trousers-devel 3. Tpm-tools or above is required because of the data unsealing tool included in the package. The tpm-tools packages that come with SLES11 and RHEL5.4, however, do not fulfill this requirement. Therefore you need to download the latest tpm-tools package from trousers. For other distributions, use the version of tpm-tools that comes with your distribution, if it is or higher. The following instructions download and install tpm-tools # wget # tar xzf tpm-tools tar.gz # cd tpm-tools # sh bootstrap.sh #./configure --prefix=/usr # make # make install 4. Install the Trusted GRUB package. This package enables you to seal the encryption/decryption key to a PCR in later steps. Copyright IBM Corp
14 On SLES11: # yast -i trustedgrub Choose to uninstall the following two packages if asked: deinstallation of grub i586 deinstallation of bootcycle i586 On RHEL5.4: Build Trustedgrub from source. The latest version is downloadable from projects/trustedgrub/files/. At the time of the writing of this blueprint, version is the most current version. To install this version, follow these steps: # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/TrustedGRUB tgz/download # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/008_all_grub-0.97-AM_PROG_AS.patch/download # tar zvxf TrustedGRUB tgz # cd TrustedGRUB #./build_tgrub.sh # cp default /boot/grub # cd TrustedGRUB # cp../../008_all_grub-0.97-am_prog_as.patch. # patch -p0 < 008_all_grub-0.97-AM_PROG_AS.patch # make install # rm -rf /boot/grub/stage* # rm -rf /boot/grub/*1_5 # cp stage1/stage1 /boot/grub # cp stage2/stage2 /boot/grub # ls /boot/grub/ default grub.conf menu.lst stage1 stage2 The last step to install Trusted GRUB is to issue a grub command. This step needs a little explanation. You will use the grub command to tell Trusted GRUB which is the boot partition and disk. Before doing so, you need to determine what they are. Follow these steps: a. Determine which are the boot partition and disk by issuing the following: # fdisk -l Disk /dev/sda: GB, bytes 255 heads, 63 sectors/track, cylinders Units = cylinders of * 512 = bytes Device Boot Start End Blocks Id System /dev/sda1 * Linux /dev/sda e Linux LVM From the above output, /dev/sda1 is the boot partition (see the * under the Boot column). Whereas, /dev/sda is the disk. b. Translate the device name to understandable terms for grub. For example, replace /dev/sda by hd0 and /dev/sdb by hd1. Also, replace /dev/sda1 by hd0,0 and /dev/sdb3 by hd1,2. For example, the boot partition is /dev/sda1, which translates to hd0,0 and the disk is /dev/sda, which translates to hd0. c. Issue the grub command to get into the grub interface # grub d. Issue the following command to tell grub which is the boot partition: grub> root (hd0,0) e. Issue the following command to tell grub which is the disk: grub> setup (hd0) f. Issue the following command to exit grub: grub> quit 5. Install cryptsetup package so that the dm_crypt partition can be set up later. On SLES11: 8 Blueprints: Securing Sensitive Files With TPM Keys
15 #yast -i cryptsetup On RHEL5.4: # yum install cryptsetup-luks 6. Start the tcsd daemon. The tcsd daemon manages Trusted Computing related resources. #/etc/init.d/tcsd start Starting tcsd done # /etc/init.d/tcsd status Checking for service tcsd running 7. Take ownership of your TPM using the tpm_takeownership tool from the tpm_tools package. By including the -z flag, the storage root key (SRK) secret is set to 20 bytes of zeros (TSS_WELL_KNOWN_SECRET). You will be required to set owner password. Note that this password is in the top level of the keychain inside the TPM and will be used for permission to other TPM functions: #tpm_takeownership -z Enter owner password: Confirm owner password: 8. Perform a full power cycle (power off and then power on). What to do next You have now installed and configured the Trusted computing software needed. Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Chapter 4. Installing and configuring Trusted Computing software 9
16 10 Blueprints: Securing Sensitive Files With TPM Keys
17 Chapter 5. Generating a Trusted State sealed key In this section, you will create a key (/home/sealed_key) that will be used to open the loopback dm-crypt partition. You will then seal this key to five different PCRs that were extended to MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image. Once a key is sealed to a PCR, TPM will only allow the key to be retrieved if the content of the PCR remained the same as it was at the moment of the key sealing. Because the key will be sealed to five different PCRs, anyone who attempts to boot the partition/machine from a different installed operating system will not succeed as the content of these PCRs will be different. About this task Care should be taken because if one of the parameters the key was sealed to (MBR information, bootloader, boot command line, or the kernel image) changes, you will be unable to unseal the key and all encrypted file in the dm-crypted directory will be inaccessible. Note that you will create a random key and save it temporarily to /home/temp_plain_key. From it we will seal the key to the five PCRs discussed above and create the /home/sealed_key. You will use this key in the next section to set up the lookback dm-crypt partition. Procedure 1. Insert the TPM modules again and start tcsd daemon. # modprobe tpm_tis # /etc/init.d/tcsd start 2. Create your random 256 bits (32 bytes) AES key and save it temporarily to /home/temp_plain_key file: # dd if=/dev/urandom of=/home/temp_plain_key bs=1 count= records in 32+0 records out 32 bytes (32 B) copied, s, 66.3 kb/s 3. Seal the temporary key to PCRs 4, 8, 9, 12 and 14 and outputs a sealed key to /home/sealed_key. The PCRs store the measurements of MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image respectively. # cat /home/temp_plain_key tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p14 -o /home/sealed_key 4. Back up the plain key to a secure storage and remove the on-system plain key. # cp /home/temp_plain_key <Some secure storage such as a USB drive> # rm -rf /home/temp_plain_key Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Copyright IBM Corp
18 12 Blueprints: Securing Sensitive Files With TPM Keys
19 Chapter 6. Setting up the dm-crypt loopback partition In this section, you will initiate an available loopback device (/dev/loop0) by associating it to a directory (/home/secret_dir). Then you will set up the device to be a LUKS-encrypted partition using the sealed key (/home/sealed_key) created in the last section. This partition will then be mapped to a mapper device (/dev/mapper/secret) and mounted at a plain directory (/home/plain) for use. About this task This example uses a loopback device to demonstrate how to set up a dm-crypt partition. However you can easily adopt these steps to set up an available physical device for the dm-crypt partition. You can do this by skipping any losetup steps and change the device name used in the commands from /dev/loop0 to your physical device name. Procedure 1. Set up the loopback device. a. Determine the first unused loopback device: # losetup -f /dev/loop0 b. Create a directory (/home/secret_dir) for initiating the loopback device. # dd if=/dev/urandom of=/home/secret_dir bs=1m count= records in 50+0 records out bytes (52 MB) copied, s, 3.5 MB/s c. Initiate your choice of an unused loopback device by associating it with the directory you just created: # losetup /dev/loop0 /home/secret_dir 2. Ensure that the dm_crypt was loaded. # modprobe dm_crypt On SLES11, you should see the following output: # lsmod grep -i dm_crypt dm_crypt crypto_blkcipher dm_crypt dm_mod dm_crypt On RHEL5.4, you should see the following output: # lsmod grep -i dm_crypt dm_crypt dm_mod dm_crypt,dm_mirror,dm_multipath,dm_raid45,dm_log 3. Unseal and retrieve the key (/home/sealed_key) from the TPM and use it to initialize the loopback device (/dev/loop0) to be a Linux Unified Key Setup (LUKS) partition. # tpm_unsealdata -z -i /home/sealed_key cryptsetup luksformat --key-file=- /dev/loop0 Command successful. Similar to taking ownership of the TPM, specify the -z flag in the tpm_unsealdata command to use the TSS_WELL_KNOWN_SECRET SRK as the SRK password to decrypt (using the SRK) and unseal our key, thus avoided being prompted for password. The tpm_unsealdata command returns the value of the unsealed key if the PCRs contains the proper values. This unsealed (and plain) key is then used to format the loopback device as an encrypted device. 4. Unseal the key (/home/sealed_key) from the TPM and use it to mount the LUKS-encrypted device (/dev/loop0) to a device-mapper device (secret). The mapping will appear under the /dev/mapper/ directory. 6. Create a directory and mount it to the mapped LUKS-encrypted device. This directory will contain the decrypted version of your secret files when successfully mounted. Copyright IBM Corp
20 # tpm_unsealdata -z -i /home/sealed_key cryptsetup luksopen --key-file=- /dev/loop0 secret key slot 0 unlocked. Command successful. 5. Format the mapped device as normal block device so that it can be used to hold files you would like to encrypt. # mkfs.ext3 /dev/mapper/secret 6. Create a directory and mount it to the mapped LUKS-encrypted device. This directory will contain the decrypted version of your secret files when successfully mounted. # mkdir -p /home/plain # mount /dev/mapper/secret /home/plain Verify the mount is successful by running the following command: # mount /dev/sda4 on / type ext3 (rw,acl,user_xattr) /proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) debugfs on /sys/kernel/debug type debugfs (rw) udev on /dev type tmpfs (rw) devpts on /dev/pts type devpts (rw,mode=0620,gid=5) fusectl on /sys/fs/fuse/connections type fusectl (rw) securityfs on /sys/kernel/security type securityfs (rw) /dev/mapper/secret on /home/plain type ext3 (rw) 7. If you want to unmount the partition, run these commands: # umount /home/plain # cryptsetup remove secret # losetup -d /dev/loop0 Note: Never forget to remove the mapped device (secret). If you do not, anyone can mount it later without being prompted for any authorization data. 8. If you want to mount the partition again at a later time, run these commands: # losetup /dev/loop0 /home/secret_dir # tpm_unsealdata -z -i /home/sealed_key cryptsetup luksopen --key-file=- /dev/loop0 secret # mount /dev/mapper/secret /home/plain Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. 14 Blueprints: Securing Sensitive Files With TPM Keys
21 Chapter 7. Securing sensitive files using a script After you have set up the dm-crypt loopback partition, move your sensitive files to this partition and replace the original file by a symbolic link to the new location. This practice centralizes your secured files and removes the need to encrypt each file separately. Note that if the plain partition is unmounted and any parameter sealed in the key (MBR information, bootloader, boot command line, or the kernel image) changes, the symbolic link will not work and the files will not be accessible. About this task The following shell script automates moving a particular file to the decrypted loopback partition (/home/plain) and replaces the original file location with a symbolic link to the loopback path. You will need to edit this script if your secured partition does not reside at /home/plain. #!/bin/sh # # PATH=$PATH:/sbin/bin PLAIN_DIR=/home/plain #Vertify if the plain directory is mounted # Change to name of your dm-crypt loopback partition if[-f$1] then if (mount grep $PLAIN_DIR) then mv $1 $PLAIN_DIR; else echo "dm_crypt partition not mounted" exit $RETVAL fi #create our symbolic link ln -s $PLAIN_DIR/`basename $1` `echo $1 sed "s \./ $PWD/ " ` else echo "File not found" fi To use this script: Procedure 1. Copy this script to a file. For example, centralize_secure_file.sh. 2. Edit the script with the name of your dm-crypt loopback partition if you are not using /home/plain. 3. Give the script the permission to be executed, for example: # chmod 700 centralize_secure_file.sh 4. Run the script against files you want to encrypt. #./centralize_secure_file.sh <sensitive_file> For example: #./centralize_secure_file.sh mysecret 5. Check if the file is now moved to your dm-crypt loopback partition and if a symbolic link is created in place of the original file location, for example: # ls /home/plain mysecret # ls -l mysecret lrwxrwxrwx 1 root root :26 mysecret -> /home/plain/mysecret Copyright IBM Corp
22 Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. 16 Blueprints: Securing Sensitive Files With TPM Keys
23 Chapter 8. Making the changes persistent across reboots Follow these steps in order to make this change persistent. Procedure 1. Automate insertion of the TPM related modules. On SLES11: Edit the /etc/sysconfig/kernel file to include the TPM device driver module (tpm_tis) to the MODULES_LOADED_ON_BOOT list. Module names should be separated by a space in this list. Create the file if it does not exist. The following entry shows an example where e1000e and tpm_tis modules will be loaded automatically on boot: MODULES_LOADED_ON_BOOT="e1000e tpm_tis On RHEL5.4: Edit the /etc/rc.modules file to include a line with modprobe tpm_tis. Create the file if it does not exist and assign execution permission. The following entry shows an example /etc/rc.modules file: # cat /etc/rc.modules modprobe tpm_tis # chmod 755 /etc/rc.modules 2. Add the TSS daemon to boot at all runlevel operations. On SLES11, do the following: #insserv /etc/init.d/tcsd On RHEL5.4, run the following commands: # chkconfig --level tcsd on # chkconfig --list tcsd tcsd 0:on 1:on 2:on 3:on 4:on 5:on 6:on 3. Automate setting up of the dm-crypt loopback partition on every boot. a. Create the file /etc/init.d/dm_crypt_sealed_mount with the following code: #!/bin/sh # # dm-crypt encrypted partition handling # ### BEGIN INIT INFO # Provides: dm_crypt_sealed_mount # Required-Start: tcsd # Required-Stop: # Should-Start: tcsd # Default-Start: 3 5 # Default-Stop: 0126 # Short-Description: Handles a sealed dm_crypt loopback partition ### END INIT INFO PATH=/sbin:/bin:/usr/bin:$PATH SECRET_DIR=/home/secret_dir PLAIN_DIR=/home/plain SEALED_KEY=/home/sealed_key case "$1" in start "") if (mount grep $PLAIN_DIR) then echo "dm_crypt sealed partition is already mounted." else losetup /dev/loop0 $SECRET_DIR tpm_unsealdata -z -i /home/sealed_key cryptsetup luksopen --key-file=- /dev/loop0 secret Copyright IBM Corp
24 mount /dev/mapper/secret $PLAIN_DIR fi ;; stop "") if (mount grep $PLAIN_DIR) then umount $PLAIN_DIR cryptsetup remove secret losetup -d /dev/loop0 echo "dm_crypt partition umounted" else echo "dm_crypt sealed partition ins t mounted." fi ;; *) echo "Usage: $0 [start stop]" exit ;; esac exit b. Edit the script with the names of the files and directories you used to replace /home/secret_dir (the directory where the loopback device associate with), /home/plain (the directory where the secured files are saved to), and /home/sealed_key (the sealed key file). c. Set the script to the right permission: # chmod 755 /etc/init.d/dm_crypt_sealed_mount d. Unmount the dm-crypt loopback partition so that you can test the script # umount /home/plain # cryptsetup remove secret # losetup -d /dev/loop0 e. Test the script to see if it works: # /etc/init.d/dm_crypt_sealed_mount key slot 0 unlocked. Command successful. f. Verify if the script is working: # mount /dev/sda4 on / type ext3 (rw,acl,user_xattr) /proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) debugfs on /sys/kernel/debug type debugfs (rw) udev on /dev type tmpfs (rw) devpts on /dev/pts type devpts (rw,mode=0620,gid=5) fusectl on /sys/fs/fuse/connections type fusectl (rw) securityfs on /sys/kernel/security type securityfs (rw) /proc on /var/lib/ntp/proc type proc (ro) /dev/mapper/secret on /home/plain type ext3 (rw) g. Add the script to all runlevel operations so it can be run when the system boots. On SLES11 execute this: # insserv /etc/init.d/dm_crypt_sealed_mount On RHEL5.4, add entry /etc/init.d/dm_crypt_sealed_mount to /etc/rc.d/rc.local: # cat /etc/rc.d/rc.local #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don t # want to do the full Sys V style init stuff. touch /var/lock/subsys/local /etc/init.d/dm_crypt_sealed_mount 4. Reboot the machine: 18 Blueprints: Securing Sensitive Files With TPM Keys
25 # reboot 5. After your machine has finished rebooting, you will see the same output as when you verified the script in step 3.f: # cat /etc/mtab /dev/sda4 on / type ext3 (rw,acl,user_xattr) /proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) debugfs on /sys/kernel/debug type debugfs (rw) udev on /dev type tmpfs (rw) devpts on /dev/pts type devpts (rw,mode=0620,gid=5) fusectl on /sys/fs/fuse/connections type fusectl (rw) securityfs on /sys/kernel/security type securityfs (rw) /dev/mapper/secret on /home/plain type ext3 (rw) What to do next Your dm-crypt loopback partition is now set up to persist across a reboot. Next you can use the script created in the section Chapter 7, Securing sensitive files using a script, on page 15 to move your sensitive files to the secured partition. Remember that any changes to the five parameters (MBR information, bootloader, boot command line, and the kernel image) correspond to the PCRs will cause the sealed key to become invalid. Extreme care must be taken to avoid the situation where data is unrecoverable. Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Chapter 8. Making the changes persistent across reboots 19
26 20 Blueprints: Securing Sensitive Files With TPM Keys
27 Chapter 9. Securing sensitive files with TPM keys Support for the Trusted Platform Module (TPM) has been available in enterprise Linux distributions since SLES 11 and RHEL5.3. TPM is implemented based on Trusted Computing Group (TCG) specification and one of its many useful applications is to handle dm-crypt passphrases. When using encrypted partitions, one must typically enter one or more passphrases during the boot sequence to allow the kernel to decrypt them. While this is perhaps a desirable characteristic for laptops, it is an impediment to automation in the server environment. TPM can be used in this environment to wrap the passphrases and provide them automatically to the cryptsetup command. This blueprint describes how to realize TPM-protected dm-crypt passphrases on your system. Scope, requirements, and support This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Systems to which this information applies System x running Linux Intended audience This blueprint targets Enterprise Linux administrators or users with an intermediate level of expertise. Scope and purpose This Blueprint provides the steps necessary to setup a loopback dm-crypt partition encrypted with a key sealed to a TPM 1.2 platform configuration register (PCR). Instructions for setting up TPM for other security functions are outside the scope of this blueprint. Test environment These instructions were tested on IBM System x 8212 running SLES11 and RHEL5.4 respectively. Hardware requirements To be able to use the functions of TPM, your hardware must be built with a Trusted Platform Module (TPM) chip of version 1.2 or above. The TPM chip can usually be found in the current System x machines and Lenovo ThinkPad systems. To determine if your hardware can support TPM, follow the instructions in section Chapter 3, Determining if you have the right hardware, on page 5. Software requirements v SuSE Linux Enterprise System version 11 or above C/C++ Compiler and Tools package groups gettext-tools (Requirement for building tpm_tools v from source) v Red Hat Enterprise Linux version 5.3 or above Development Tools and Development Libraries package groups gettext-devel (Requirement for building tpm_tools v from source) Copyright IBM Corp
28 grub v0.97 (Requirement for building trustedgrub v1.1.3 from source. This software is included with RHEL5.3 and 5.4 If your distribution does not have the correct version, you can also use the one included in trustedgrub v source package.) Other considerations It is important to note that the creation of TPM key demonstrated here is sealed with the PCRs that measures the MBR information, bootloader, boot command line, and the kernel image. If any of these changed, all files secured by this method will be inaccessible. Author names Rajiv Andrade George Wilson Other contributors Monza Lui Subrata Modak Kersten Richter IBM Services Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux ( IBM Support Questions and comments regarding this documentation can be posted on the developerworks Security Blueprint Community Forum: The IBM developerworks discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerworks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerworks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered. Typographic conventions The following typographic conventions are used in this Blueprint: Bold Italics Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects. Identifies parameters whose actual names or values are to be supplied by the user. 22 Blueprints: Securing Sensitive Files With TPM Keys
29 Monospace Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type. Overview Automatic logins can be realized by saving your password as a file and then reading that file when authorization is needed. To make sure this file is not compromised, the best practice is to combine cryptography and directory access control (DAC) by encrypting the password file and setting the proper authorization to it. However most automatic login software expect a plain password file. You can potentially automate the decryption of the password file when that file is needed during automatic logins, but then you will need yet another encrypted password file to decrypt the previous password file. Trusted Platform Module (TPM) provides a clean solution for this recursive problem. This solution makes use of a set of Platform Configuration Registers (PCRs) that can only be written by the TPM_extend operation. The TPM_extend operation makes the new PCR a hash of the concatenation of the current value with the new hash that is provided. By design, assigning an arbitrary value to an PCR isn't allowed and makes this TPM_extend operation very unique. This design makes key sealing possible. In a key sealing scenario, the PCR can store a signature of the data that you are extending. The key is sealed by tying it to a particular PCR value in a way that the key can only be retrieved later from the TPM. A key can also be sealed to more than one PCR. In this blueprint, you will seal a key to five PCRs (MBR information, bootloader, boot command line, or the kernel image). If any of these PCRs/parameters changes, mounting of the encrypted partition will not be possible. This feature prevents anyone from mounting the partition to other installed operating systems other than the one the partition was originally mounted to, making rootkit impossible. Note that if you need to change any of these five PCR values, after following the instructions in this blueprint, you will need to plan for migration. In the following sections, you will install needed software, create a sealed key, and then use the sealed key to set up the dm-crypt loopback partition. Then you will learn how to use a script to encrypt any file and save it in the dm-crypt partition while the original location of the file is replaced by a symbolic link to the encrypted file. In the last section, you will set up to automatically mount the dm-crypt loopback partition in each reboot. The following table listed the files and directories that are used in the instructions. You may prefer to use a different set of files and directories. If you do, make sure these files and directories have the correct DAC authorization. You can use the following table to record where you want these files and directories for easy reference. Table 3. Reference table for files and directories Description File to temporarily hold the key File of the sealed key Directory used to mount loopback device Mapper device of your secured partition Note: This device is always created in the mapper device directory File/Directory used in This Blueprint /home/temp_plain_key /home/sealed_key /home/secret_dir /dev/mapper/secret File/Directory you used /dev/mapper/ Chapter 9. Securing sensitive files with TPM keys 23
30 Table 3. Reference table for files and directories (continued) Description Directory mapped to the above device, where your secured files will be made available to you in plain form File/Directory used in This Blueprint /home/plain File/Directory you used Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Determining if you have the right hardware Use this information to determine if you have the right hardware to use TPM and to determine which TPM chip version you have in your hardware. Determining TPM-readiness You can determine if your hardware is TPM-ready by looking at your BIOS. Note that the term TCG is sometimes used interchangeably with the term TPM in the BIOS. Make sure that the TCG/TPM feature is active and is cleared if available by following these steps: 1. Enter the BIOS and activate the TCG Feature. Steps to do so depends on the BIOS version. In this example, press F1 during power on. Then, from the main menu, choose Security TCG Feature Setup. The feature could be named differently, for example, Security Chip, in other BIOS versions. Note: If you cannot find similar feature in your BIOS, your hardware might not be equipped with any TPM chip. 2. Set TCG Security Feature option to Active and Clear TCG Security Feature option to Yes. 24 Blueprints: Securing Sensitive Files With TPM Keys
31 3. Save and Exit from the BIOS. Determining TPM version To determine which TPM chip version you have in your hardware, load the TPM modules. Follow these steps: 1. Insert tpm_tis module by running the following command: # modprobe tpm_tis # lsmod grep tpm tpm_tis tpm tpm_infineon,tpm_tis tpm_bios tpm 2. Determine the TCG version by issuing the following command: # cat /sys/devices/pnp0/00\:0*/caps Manufacturer: 0x4e534d20 TCG version: 1.2 Firmware version: 1.6 The above output shows that the TPM/TCG chip version is 1.2. Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Installing and configuring Trusted Computing software The TCG has standardized a software stack that acts above the TPM chip and includes the TPM device driver and TSS. TSS is a Trusted Computing API that provides applications access to the TPM trusted computing functions. Chapter 9. Securing sensitive files with TPM keys 25
32 About this task The steps below explains how to install an open source implementation of such API, named TrouSerS, together with a group of userland tools that use this interface to implement various Trusted Computing solutions, including the one you are accomplishing. This table displays the four software programs that you will install in this section and where they should be installed from. Distro is defined as the software that comes with the distribution whereas source means you will have to download the software from sourceforge.net and build it from the source: Table 4. Installing software locations SLES11+ RHEL5.3+ Software Install Software From: TrouSerS distro distro tpm_tools v source source trustedgrub distro source cryptsetup distro distro Procedure 1. Check if your hardware and software requirements are fulfilled. See Hardware requirements on page 1 and Software requirements on page 1 in the Introduction. Also see Chapter 3, Determining if you have the right hardware, on page Install TrouSerS and its development packages. This tool is required for installing tpm-tools. To install TrouSerS, follow these steps: On SLES11, run: # yast -i trousers trousers-devel On RHEL5.4, run: # yum install trousers trousers-devel 3. Tpm-tools or above is required because of the data unsealing tool included in the package. The tpm-tools packages that come with SLES11 and RHEL5.4, however, do not fulfill this requirement. Therefore you need to download the latest tpm-tools package from trousers. For other distributions, use the version of tpm-tools that comes with your distribution, if it is or higher. The following instructions download and install tpm-tools # wget # tar xzf tpm-tools tar.gz # cd tpm-tools # sh bootstrap.sh #./configure --prefix=/usr # make # make install 4. Install the Trusted GRUB package. This package enables you to seal the encryption/decryption key to a PCR in later steps. On SLES11: # yast -i trustedgrub Choose to uninstall the following two packages if asked: deinstallation of grub i586 deinstallation of bootcycle i586 On RHEL5.4: Build Trustedgrub from source. The latest version is downloadable from projects/trustedgrub/files/. At the time of the writing of this blueprint, version is the most current version. To install this version, follow these steps: 26 Blueprints: Securing Sensitive Files With TPM Keys
33 # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/TrustedGRUB tgz/download # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/008_all_grub-0.97-AM_PROG_AS.patch/download # tar zvxf TrustedGRUB tgz # cd TrustedGRUB #./build_tgrub.sh # cp default /boot/grub # cd TrustedGRUB # cp../../008_all_grub-0.97-am_prog_as.patch. # patch -p0 < 008_all_grub-0.97-AM_PROG_AS.patch # make install # rm -rf /boot/grub/stage* # rm -rf /boot/grub/*1_5 # cp stage1/stage1 /boot/grub # cp stage2/stage2 /boot/grub # ls /boot/grub/ default grub.conf menu.lst stage1 stage2 The last step to install Trusted GRUB is to issue a grub command. This step needs a little explanation. You will use the grub command to tell Trusted GRUB which is the boot partition and disk. Before doing so, you need to determine what they are. Follow these steps: a. Determine which are the boot partition and disk by issuing the following: # fdisk -l Disk /dev/sda: GB, bytes 255 heads, 63 sectors/track, cylinders Units = cylinders of * 512 = bytes Device Boot Start End Blocks Id System /dev/sda1 * Linux /dev/sda e Linux LVM From the above output, /dev/sda1 is the boot partition (see the * under the Boot column). Whereas, /dev/sda is the disk. b. Translate the device name to understandable terms for grub. For example, replace /dev/sda by hd0 and /dev/sdb by hd1. Also, replace /dev/sda1 by hd0,0 and /dev/sdb3 by hd1,2. For example, the boot partition is /dev/sda1, which translates to hd0,0 and the disk is /dev/sda, which translates to hd0. c. Issue the grub command to get into the grub interface # grub d. Issue the following command to tell grub which is the boot partition: grub> root (hd0,0) e. Issue the following command to tell grub which is the disk: grub> setup (hd0) f. Issue the following command to exit grub: grub> quit 5. Install cryptsetup package so that the dm_crypt partition can be set up later. On SLES11: #yast -i cryptsetup On RHEL5.4: # yum install cryptsetup-luks 6. Start the tcsd daemon. The tcsd daemon manages Trusted Computing related resources. #/etc/init.d/tcsd start Starting tcsd # /etc/init.d/tcsd status Checking for service tcsd done running Chapter 9. Securing sensitive files with TPM keys 27
34 7. Take ownership of your TPM using the tpm_takeownership tool from the tpm_tools package. By including the -z flag, the storage root key (SRK) secret is set to 20 bytes of zeros (TSS_WELL_KNOWN_SECRET). You will be required to set owner password. Note that this password is in the top level of the keychain inside the TPM and will be used for permission to other TPM functions: #tpm_takeownership -z Enter owner password: Confirm owner password: 8. Perform a full power cycle (power off and then power on). What to do next You have now installed and configured the Trusted computing software needed. Related reference: Chapter 1, Scope, requirements, and support, on page 1 This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you. Generating a Trusted State sealed key In this section, you will create a key (/home/sealed_key) that will be used to open the loopback dm-crypt partition. You will then seal this key to five different PCRs that were extended to MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image. Once a key is sealed to a PCR, TPM will only allow the key to be retrieved if the content of the PCR remained the same as it was at the moment of the key sealing. Because the key will be sealed to five different PCRs, anyone who attempts to boot the partition/machine from a different installed operating system will not succeed as the content of these PCRs will be different. About this task Care should be taken because if one of the parameters the key was sealed to (MBR information, bootloader, boot command line, or the kernel image) changes, you will be unable to unseal the key and all encrypted file in the dm-crypted directory will be inaccessible. Note that you will create a random key and save it temporarily to /home/temp_plain_key. From it we will seal the key to the five PCRs discussed above and create the /home/sealed_key. You will use this key in the next section to set up the lookback dm-crypt partition. Procedure 1. Insert the TPM modules again and start tcsd daemon. # modprobe tpm_tis # /etc/init.d/tcsd start 2. Create your random 256 bits (32 bytes) AES key and save it temporarily to /home/temp_plain_key file: # dd if=/dev/urandom of=/home/temp_plain_key bs=1 count= records in 32+0 records out 32 bytes (32 B) copied, s, 66.3 kb/s 3. Seal the temporary key to PCRs 4, 8, 9, 12 and 14 and outputs a sealed key to /home/sealed_key. The PCRs store the measurements of MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image respectively. # cat /home/temp_plain_key tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p14 -o /home/sealed_key 4. Back up the plain key to a secure storage and remove the on-system plain key. 28 Blueprints: Securing Sensitive Files With TPM Keys
Blueprints. Installing Linux on a Multipath iscsi LUN on an IP Network
Blueprints Installing Linux on a Multipath iscsi LUN on an IP Network Blueprints Installing Linux on a Multipath iscsi LUN on an IP Network Note Before using this information and the product it supports,
More informationBlueprints. Protecting your data at rest with Red Hat Enterprise Linux on System x
Blueprints Protecting your data at rest with Red Hat Enterprise Linux on System x Blueprints Protecting your data at rest with Red Hat Enterprise Linux on System x Note Before using this information and
More informationBlueprints. Quick Start Guide for installing and running KVM
Blueprints Quick Start Guide for installing and running KVM Blueprints Quick Start Guide for installing and running KVM Note Before using this information and the product it supports, read the information
More informationSirrix AG security technologies. TPM Laboratory I. Marcel Selhorst etiss 2007 Bochum Sirrix AG
TPM Laboratory I Marcel Selhorst m.selhorst@sirrix.com etiss 2007 Bochum What's this? 00 00 DC 76 4A 0B 1E 53 2F FF 81 13 92 5D A8 33 E4 2 C4 00 FC 8E 81 E1 24 6F 09 79 EA 84 32 9B 67 C8 76 00 0C C6 FD
More informationTestOut Linux Pro - English 4.0.x OBJECTIVE MAPPING: CompTIA Linux+ LX0-103
TestOut Linux Pro - English 4.0.x OBJECTIVE MAPPING: CompTIA Linux+ LX0-103 CompTIA Linux+ Powered by LPI LX0-103 Objectives The Linux+ Powered by LPI Exam: LX0-103 exam covers the following topics. #
More informationInstallation of the OS
Lab 1 Installation of the OS 1.1 Objectives The goal of this first session is to install a Debian/Linux operating system from scratch on a Intel x86- based computer. The installation will be made on a
More informationProtecting your system from the scum of the universe
Protecting your system from the scum of the universe Gilad Ben-Yossef gilad@benyossef.com Twitter: @giladby About me My name is Gilad Ben-Yossef. I work on applied cryptography and security of the upstream
More informationSecure, Trusted and Trustworthy Computing
http://www.trust.cased.de Assignments for the Course Secure, Trusted and Trustworthy Computing WS 2011/2012 Prof. Dr.-Ing. Ahmad-Reza Sadeghi Authors: Sven Bugiel Based on work by: B.Cubaleska, L. Davi,
More informationProtecting your system from the scum of the universe
Protecting your system from the scum of the universe Gilad Ben-Yossef gilad@benyossef.com Twitter: @giladby About me My name is Gilad Ben-Yossef. I work on applied cryptography and security of the upstream
More informationDisk-Level Encryption
2011-2017 Percona, Inc. 1 / 19 Disk-Level Encryption http://www.percona.com/training/ 2011-2017 Percona, Inc. 2 / 19 Introduction Clients in the PCI, HIPPA, or PHI space Encrypted "at rest" MySQL 5.7 InnoDB
More informationLinux Howtos. Fedora 9 Install (114) CIS Fall Fedora 9 Install (114) Fedora 9 installation with custom partitions.
Linux Howtos Fedora 9 Install (114) CIS 191 - Fall 2008 Fedora 9 Install (114) Fedora 9 installation with custom partitions. Requirements: Fedora 9 DVD ISO files http://iso.linuxquestions.org/ VMWare Server
More informationLPIC-1 System Administrator
LPIC-1 System Administrator The world s largest and most recognized Linux Certification LPIC-1 is the first certification in LPI s multi-level Linux professional certification program. The LPIC-1 will
More informationCross-compilation with Buildroot
Instituto Superior de Engenharia do Porto Mestrado em Engenharia Eletrotécnica e de Computadores Arquitetura de Computadores Cross-compilation with Buildroot Introduction Buildroot is a tool that can be
More informationPlease choose the best answer. More than one answer might be true, but choose the one that is best.
Introduction to Linux and Unix - endterm Please choose the best answer. More than one answer might be true, but choose the one that is best. SYSTEM STARTUP 1. A hard disk master boot record is located:
More informationWelcome to getting started with Ubuntu Server. This System Administrator Manual. guide to be simple to follow, with step by step instructions
Welcome to getting started with Ubuntu 12.04 Server. This System Administrator Manual guide to be simple to follow, with step by step instructions with screenshots INDEX 1.Installation of Ubuntu 12.04
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 4: System Level Disk Control Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Essential Linux for Forensics You will learn in this lecture: Command Summary:
More informationCST8177 Linux II. Linux Boot Process
CST8177 Linux II Linux Boot Process Reference information from the text, http://www.linuxdoc.org and several other web sites Linux Boot Process Topics covered in this slide-set Basic definition of the
More informationSecure Storage with Encrypted file systems
2018/02/18 01:06 1/10 Secure Storage with Encrypted file systems Secure Storage with Encrypted file systems Encryption is done through dm-crypt using LUKS as the key setup using kernel crypto API. Linux
More informationRocketRAID 2680/2684 SAS Controller Red Hat Enterprise/CentOS Linux Installation Guide
RocketRAID 2680/2684 SAS Controller Red Hat Enterprise/CentOS Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on November 13, 2008 Table
More informationFedora Linux Installation Guide
RocketRAID 2640/2642 SAS Controller Fedora Linux Installation Guide Version 1.2 Copyright 2012HighPoint Technologies, Inc. All rights reserved. Last updated on August 10, 2012 Table of Contents 1 Overview...
More informationUsing grub to Boot various Operating Systems
Operating Systems and Systems Integration Using grub to Boot various Operating Systems Contents 1 Aim 2 2 What You Will Do 2 3 Background 2 3.1 Installing grub in MBR from a floppy, and from the OS........
More informationNew RHEL 7.5 features: VDO, USBGuard, NBDE and AIDE. RHUG Q Marc Skinner Principal Solutions Architect 3/21/2018
New RHEL 7.5 features: VDO, USBGuard, NBDE and AIDE RHUG Q1.2018 Marc Skinner Principal Solutions Architect 3/21/2018 RHEL7.5beta :: New Features Storage - Virtual Data Optimizer (VDO) Security - NBDE
More informationEnabling DM_Crypt Functionality in SDK release 5.07
Enabling DM_Crypt Functionality in SDK release 5.07 This document lists steps to enable DM_Crypt functionality in SDK 05.07 Note: This document is intended for use with SDK release 5.07 and Ubuntu 10.04LTS.
More informationRocketRAID 2310/2300 Controller Fedora Linux Installation Guide
RocketRAID 2310/2300 Controller Fedora Linux Installation Guide Version 1.1 Copyright 2006 HighPoint Technologies, Inc. All rights reserved. Last updated on Jan 20, 2006 Table of Contents 1 Overview...1
More informationRocketRAID 231x/230x SATA Controller Red Hat Enterprise/CentOS Linux Installation Guide
RocketRAID 231x/230x SATA Controller Red Hat Enterprise/CentOS Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on November 5, 2008 Table
More informationRocketRAID 231x/230x SATA Controller Fedora Linux Installation Guide
RocketRAID 231x/230x SATA Controller Fedora Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on April 7, 2009 Table of Contents 1 Overview...1
More informationThis is Lab Worksheet 13 - not an Assignment. Boot Process and GRUB
This is Lab Worksheet 13 - not an Assignment This Lab Worksheet contains some practical examples that will prepare you to complete your Assignments. You do not have to hand in this Lab Worksheet. Make
More informationSection 1. A zseries Linux file system test script
Section 1. A zseries Linux file tem test script 1.1 Overview I was presented with a question regarding disk space efficiency, small files and block sizes with ext3 file tems on zseries Linux. I decided
More informationFull file at https://fratstock.eu
Guide to UNIX Using Linux Fourth Edition Chapter 2 Solutions Answers to the Chapter 2 Review Questions 1. Your company is discussing plans to migrate desktop and laptop users to Linux. One concern raised
More informationThe Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu
The Early System Start-Up Process Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu 1 Boot Process Booting is the initialization of a computerized system In Linux,
More informationRH133. Red Hat Linux System Administration
RH133 Red Hat Linux System Administration Version 3.5 QUESTION NO: 1 RH133 John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. He is working as a root
More informationVeritas System Recovery 18 Linux Edition README
Veritas System Recovery 18 Linux Edition README ===================================================================== ====== Veritas(TM) System Recovery 18 Linux Edition README =====================================================================
More informationDisk-Level Encryption
2011-2017 Percona, Inc. 1 / 25 Disk-Level Encryption http://www.percona.com/training/ 2011-2017 Percona, Inc. 2 / 25 Disk-Level Encryption OVERVIEW 2011-2017 Percona, Inc. 3 / 25 Introduction Security,
More informationCST8207: GNU/Linux Operating Systems I Lab Ten Boot Process and GRUB. Boot Process and GRUB
Student Name: Lab Section: Boot Process and GRUB 1 Due Date - Upload to Blackboard by 8:30am Monday April 16, 2012 Submit the completed lab to Blackboard following the Rules for submitting Online Labs
More informationChapter 6. Linux File System
Chapter 6 Linux File System 1 File System File System management how to store informations on storage devices The Hierarchical Structure Types of file Common File system Tasks 2 The Hierarchical Structure
More informationRHCSA BOOT CAMP. Filesystem Administration
RHCSA BOOT CAMP Filesystem Administration PARTITIONING What is partitioning? Splitting up a hard drive into organizable chunks Why? Isolates filesystem corruption Simplifies/speeds backups Allows optimizing
More informationManually Mount Usb Flash Drive Linux Command Line Redhat
Manually Mount Usb Flash Drive Linux Command Line Redhat How to Format USB in Linux using Command Line. This article will help you to format USB Flash drive in Ubuntu systems via Command line. So first
More informationCompTIA Linux+/LPIC-1 COPYRIGHTED MATERIAL
CompTIA Linux+/LPIC-1 COPYRIGHTED MATERIAL Chapter System Architecture (Domain 101) THE FOLLOWING COMPTIA LINUX+/LPIC-1 EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER: 101.1 Determine and Configure hardware
More informationPowerVM Lx86 for x86 Linux Applications Administration Guide
PowerVM Lx86 for x86 Linux Applications Administration Guide SA38-0650-03 PowerVM Lx86 for x86 Linux Applications Administration Guide SA38-0650-03 Note Before using this information and the product it
More informationUpgrade Cisco Interface Module for LoRaWAN IXM using the Console
Upgrade Cisco Interface Module for LoRaWAN IXM using the Console Contents Introduction Prerequisites Requirements Components Used Background Information Configure Step 1. Prepare the firmware images (and
More informationFedora Linux Installation Guide
RocketRAID 276x SAS Controller Fedora Linux Installation Guide Version 1.1 Copyright 2012 HighPoint Technologies, Inc. All rights reserved. Last updated on May 29, 2012 Table of Contents 1 Overview...
More informationIBM 4765 PCIe Cryptographic Coprocessor CCA Utilities User Guide
IBM 4765 PCIe Cryptographic Coprocessor CCA Utilities User Guide Note: Before using this information and the products it supports, be sure to read the general information under Notices on page 23. Fifth
More informationCourse 55187B Linux System Administration
Course Outline Module 1: System Startup and Shutdown This module explains how to manage startup and shutdown processes in Linux. Understanding the Boot Sequence The Grand Unified Boot Loader GRUB Configuration
More informationShifter Configuration Guide 1.0
Shifter Configuration Guide 1.0 Contents Contents About Shifter Configuration Guide...3 Configure the Docker Daemon...4 Configure Shifter...7 Rebuild the Compute Node initramfs and cpio Files...10 Configure
More information1. Set up the storage to allow access to the LD(s) by the server following the NEC storage user guides.
Overview Server running Red Hat Enterprise Linux (RHEL) must be configured to recognize and work with NEC storage systems. The following procedure demonstrates the steps necessary to configure multipath
More informationInstalling Red Hat Enterprise Linux AS 4 Update 3 on the IBM System p5 185 or IBM Intellistation POWER 185
Installing Red Hat Enterprise Linux AS 4 Update 3 on the IBM System p5 185 or IBM Intellistation POWER 185 A change in the IBM (R) System p5 (TM) 185 and IBM Intellistation (R) POWER (TM) 185 requires
More informationOracle 1Z Enterprise Linux System Administration. Download Full Version :
Oracle 1Z0-403 Enterprise Linux System Administration Download Full Version : http://killexams.com/pass4sure/exam-detail/1z0-403 B. It does not provide any protection to remote X connections. C. It allows
More informationMethod of Procedure to Upgrade RMS OS to Red Hat Enterprise Linux 6.7
First Published: November 20, 2015 Contents Scope of MOP... 4 Release Components... 4 Pre Requisites... 4 Assumptions... 4 Process Information... 5 Upgrade Timing... 5 Requirements... 5 Pre Maintenance...
More informationIBM Client Security Solutions. Client Security Software Version 1.0 Administrator's Guide
IBM Client Security Solutions Client Security Software Version 1.0 Administrator's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix A - U.S. export
More informationBasic Linux Command Line Interface Guide
This basic Linux Command-Line Interface (CLI) Guide provides a general explanation of commonly used Bash shell commands for the Barracuda NG Firewall. You can access the command-line interface by connecting
More informationAt course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::
Module Title Duration : 55187B: Linux System Administration : 4 days Overview This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional
More information. Fill in the Blank: A directory named mydir has just been... Points:10. Add Question Success: 64 questions added as a copy.
. Fill in the Blank: A directory named mydir has just been... Success: 64 questions added as a copy. A directory named mydir has just been created with the touch command. Nochmod commands have been issued
More informationDisks, Filesystems 1
Disks, Filesystems 1 sudo and PATH (environment) disks partitioning formatting file systems: mkfs command checking file system integrity: fsck command /etc/fstab mounting file systems: mount command unmounting
More informationThis is Worksheet and Assignment 12. Disks, Partitions, and File Systems
This is Worksheet and Assignment 12 This is a combined Worksheet and Assignment.. Quizzes and tests may refer to work done in this Worksheet and Assignment; save your answers. You will use a checking program
More informationUpgrading Prime Optical
CHAPTER 6 You cannot perform a full upgrade from an earlier Cisco Transport Manager (CTM) or Prime Optical release. This section describes how to use the Cisco Prime Optical 9.8 Data Migrator wizard to
More informationLinux Howtos. Red Hat 9 and Trouble (116) CIS Fall Red Hat 9 and Trouble (116)
Linux Howtos Red Hat 9 and Trouble (116) CIS 191 - Fall 2008 Red Hat 9 and Trouble (116) Troubleshoot booting and rooting problems with Jim Griffin s troublemaker. A VM has been created using Red Hat 9
More informationWorking with Basic Linux. Daniel Balagué
Working with Basic Linux Daniel Balagué How Linux Works? Everything in Linux is either a file or a process. A process is an executing program identified with a PID number. It runs in short or long duration
More informationBasic Linux Command Line Interface Guide
This basic Linux Command-Line Interface (CLI) Guide provides a general explanation of commonly used Bash shell commands for the Barracuda NG Firewall. You can access the command-line interface by connecting
More informationHow to Dual-Boot OS X and Ubuntu
How to Dual-Boot OS X and Ubuntu Nailen Matschke - nailen@caltech.edu 10/3/2015 What you need: 1. A USB drive with at least 2 GB of space, that you don t mind wiping 2. A copy of Ubuntu (available here),
More informationINSTALLATION. Security of Information and Communication Systems
Security of Information and Communication Systems INSTALLATION Table of contents 1.Introduction...2 2.Installation...3 2.1.Hardware requirement...3 2.2.Installation of the system...3 2.3.Installation of
More informationHow to Back-Up a fit-pc2 Using Only a USB Stick (and some creative partitioning)
This process allows you to back up your fit-pc2 workstation (or any USB-bootable computer) so you can quickly and easily restore your computer to its original state in the event of a hard drive failure,
More informationRocketRAID 231x/230x SATA Controller Debian Linux Installation Guide
RocketRAID 231x/230x SATA Controller Debian Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on September 17, 2008 Table of Contents 1
More informationLinux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades Q2
Linux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades 2017-2018 Q2 Facultat d Informàtica de Barcelona This first lab session is focused on getting experience in working
More informationEmbedded Linux Systems. Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island
Embedded Linux Systems Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island Generic Embedded Systems Structure User Sensors ADC microcontroller
More informationAndroid Bootloader and Verified Boot
Android Bootloader and Verified Boot Lecture 7 Security of Mobile Devices 2018 SMD Android Bootloader and Verified Boot, Lecture 7 1/38 Bootloader Recovery Verified Boot Bibliography SMD Android Bootloader
More informationFilesystem Hierarchy Operating systems I800 Edmund Laugasson
Filesystem Hierarchy Operating systems I800 Edmund Laugasson edmund.laugasson@itcollege.ee There has been used materials from Margus Ernits, Katrin Loodus when creating current slides. Current document
More informationChapter 6. Boot time configuration. Chapter 6 Boot time configuration
Chapter 6. Boot time configuration Chapter 6 Boot time configuration Last revised: 20/6/2004 Chapter 6 Outline In this chapter we will learn about: How the system boots How to configure the boot loaders
More information"Charting the Course... MOC B: Linux System Administration. Course Summary
Description Course Summary This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional Linux system administrator. The course covers
More informationAIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0
z/tpf V1.1 Title: z/tpf File System Review Subtitle: Our Greatest Hits Name: Stephen Record Venue: DBDF Subcommittee AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition
More informationRocketRAID 2522 SATA Controller Ubuntu Linux Installation Guide
RocketRAID 2522 SATA Controller Ubuntu Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on February 16, 2009 Table of Contents 1 Overview...1
More informationExam LFCS/Course 55187B Linux System Administration
Exam LFCS/Course 55187B Linux System Administration About this course This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional
More informationLinux and Network Administra3on. Lorenzo Bracciale Marco Bonola
Linux and Network Administra3on Lorenzo Bracciale Marco Bonola What is Linux? Outline Who is this guy? Who is this guy? Compiler Editor Human Interface Filesystem Networking OS Kernel Scheduler Device
More informationclient X11 Linux workstation
LPIC1 LPIC Linux: System Administrator LPIC 1 LPI command line LPIC-1 Linux LPIC-1 client X11 Linux workstation Unix GNU Linux Fundamentals Unix and its Design Principles FSF and GNU GPL - General Public
More informationLab E2: bypassing authentication and resetting passwords
Lab E2: bypassing authentication and resetting passwords TTM4175 September 7, 2015 The purpose of this lab is to learn about techniques for bypassing the authentication and access control of Windows and
More informationSUSE Linux Enterprise 11 Administration Workbook
SUSE Linux Enterprise 11 Administration Workbook 3102 Novell Training Services AUTHORIZED COURSEWARE www.novell.com Novell Training Services (en) 15 April 2009 Part # 100-005204-001-REV A Novell Training
More informationFile systems and Filesystem quota
File systems and Filesystem quota 8.1 Unit objectives After completing this unit, you should be able to: Describe what a file is Describe what a file system is List possible file systems Describe i-nodes
More informationIntroduction to Linux
Introduction to Linux Prof. Jin-Soo Kim( jinsookim@skku.edu) TA - Kisik Jeong (kisik@csl.skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu What is Linux? A Unix-like operating
More informationBackup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.
Glossary A Active Directory a directory service that inventories, secures and manages the users, computers, rules and other components of a Microsoft Windows network. This service is typically deployed
More informationTECHNICAL WHITE PAPER. Using Stateless Linux with Veritas Cluster Server. Linux
TECHNICAL WHITE PAPER Using Stateless Linux with Veritas Cluster Server Linux Pranav Sarwate, Assoc SQA Engineer Server Availability and Management Group Symantec Technical Network White Paper Content
More informationPOWER7+ Accelerated Encryption and Random Number Generation for Linux
POWER7+ Accelerated Encryption and Random Number Generation for Linux Kent Yoder IBM Linux Technology Center February 22, 2013 Contents 1 Introduction 2 2 Hardware Architecture
More informationInstallation of Fedora 12 with CD
Prepared by investech.wordpress.com Installation of Fedora 12 with Net Install CD Version 1.0 investech.wordpress.com 07-12-09 This document is produced under Creative Common License (Attribution No Derivatives).
More informationPL-I Assignment Broup B-Ass 5 BIOS & UEFI
PL-I Assignment Broup B-Ass 5 BIOS & UEFI Vocabulary BIOS = Basic Input Output System UEFI = Unified Extensible Firmware Interface POST= Power On Self Test BR = Boot Record (aka MBR) BC =Boot Code (aka
More informationLinux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage
Linux+ Guide to Linux Certification, Third Edition Chapter 2 Linux Installation and Usage Objectives Install Red Hat Fedora Linux using good practices Outline the structure of the Linux interface Enter
More informationEncryption Security Recommendations
Basic Concepts Sensitive data should be encrypted while in transit and stored. All communication between clients and servers, and between servers (Web server to app server, app server to database server,
More informationLinux Kung Fu. Stephen James UBNetDef, Spring 2017
Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and
More informationSA2 v6 Linux System Administration II Net Configuration, Software, Troubleshooting
SA2 v6 Linux System Administration II Net Configuration, Software, Troubleshooting Synopsis: This is the second System Administration class, a follow-on class for new administrators with limited networking
More informationChapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories
Chapter Two Exploring the UNIX File System and File Security Lesson A Understanding Files and Directories 2 Objectives Discuss and explain the UNIX file system Define a UNIX file system partition Use the
More informationINSTALLING INSTALLING INSTALLING
Architect Version 2.0 Release Notes July 2009 0898600-2.0 READ READ READ ME ME ME BEFORE BEFORE BEFORE INSTALLING INSTALLING INSTALLING THIS THIS THIS PRODUCT PRODUCT PRODUCT Disclaimer The information
More informationLinux/Citrix Virtual Environment Documentation
Linux/Citrix Virtual Environment Documentation Purpose This document provides information on creating a bootable Ubuntu flash drive, customizing the interface, and using basic commands. Contents Bootable
More informationOverview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions
Lanka Education and Research Network Linux Architecture, Linux File System, Linux Basic Commands 28 th November 2016 Dilum Samarasinhe () Overview History of Linux Linux Architecture Linux File System
More informationNASA Lab. Partition/Filesystem/Bootloader. TinRay, Yu-Chuan
NASA Lab Partition/Filesystem/Bootloader TinRay, Yu-Chuan Agenda Conceptual Storage Structure Bootloader Practical & \Exercise/ Linux Device File Storage Related Commands Boot Related Commands 2 Before
More informationHow To Resize ext3 Partitions Without Losing Data
By Falko Timme Published: 2007-01-07 17:12 How To Resize ext3 Partitions Without Losing Data Version 1.0 Author: Falko Timme Last edited 12/31/2006 This article is about
More informationAccurate study guides, High passing rate! IT TEST BOOK QUESTION & ANSWER. Ittestbook provides update free of charge in one year!
IT TEST BOOK QUESTION & ANSWER Ittestbook provides update free of charge in one year! Accurate study guides, High passing rate! Exam : RH133 Title : Red Hat Linux System Administration Version : Demo 1
More informationLinux Essentials Objectives Topics:
Linux Essentials Linux Essentials is a professional development certificate program that covers basic knowledge for those working and studying Open Source and various distributions of Linux. Exam Objectives
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17 Roadmap: TPM
More informationInsight Control Server Provisioning Capturing and Installing SUSE Enterprise Linux 12 System Images
Technical white paper Insight Control Server Provisioning Capturing and Installing SUSE Enterprise Linux 12 System Images Table of contents Summary 2 Preparing for image capture 2 Sanitizing server image
More informationLinux Systems Security. Backup and Change Management NETS Fall 2016
Linux Systems Security Backup and Change Management NETS1028 - Fall 2016 Backup Security breaches can cast doubt on entire installations or render them corrupt Files or entire systems may have to be recovered
More informationDisks, Filesystems, Booting Todd Kelley CST8177 Todd Kelley 1
Disks, Filesystems, Booting Todd Kelley kelleyt@algonquincollege.com CST8177 Todd Kelley 1 sudo and PATH (environment) disks partitioning formatting file systems: mkfs command checking file system integrity:
More informationCSE 265: System and Network Administration
CSE 265: System and Network Administration System startup and shutdown Bootstrapping Booting PCs Boot loaders Booting into single user mode Startup scripts Rebooting and shutting down Bootstrapping i.e.,
More informationCSE 265: System and Network Administration
CSE 265: System and Network Administration System startup and shutdown Bootstrapping Booting PCs Boot loaders Booting into single user mode Startup scripts Rebooting and shutting down Bootstrapping i.e.,
More information