LUKS + dm-crypt rootfs without password via smartcard
I don't believe in the fairly common practice of "trying out" something new on a VM - it just doesn't work for me, probably because I see it as a stupid and pointless thing on some subconscious level, so I've decided to put it onto one of my two laptops, which kinda needed a good cleanup anyway.
While at it, I thought it'd be a good idea to finally dump that stupid practice of entering the fs password on boot, yet I did like the idea of an encrypted fs, especially in the case of a laptop, so I needed to devise a reasonably secure yet passwordless boot method.
I use in-kernel LUKS-enabled dm-crypt (with the help of the cryptsetup tool), and I need some initrd (or init-fs) for the LVM root anyway.
The boot sequence comes down to this:
- Mount pseudo-filesystems like proc/sys, get the encrypted partition device and the real-rootfs signature (something findfs understands, like a label or UUID) from the kernel cmdline.
- Init openct, find the smartcard reader in /sys by a hardcoded product id and attach it to openct.
- Mount persistent key-material storage (the same /boot partition, in my case).
- Read the "old" key and replace it with its hash, aka the "new" key.
- Sign the old key using the smartcard and open the fs with the resulting signature as the key.
- Drop this key from the LUKS keyslots and add the signed "new" key instead.
- Kill the openct processes, effectively severing the link with the smartcard.
- Detect and activate LVM volume groups.
- Find (findfs) and mount the rootfs among the currently-available partitions.
- Umount proc/sys, pivot_root, chroot.
- Here comes the target OS's init.
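Here is how that sequence looks as a busybox-style /init script. This is an added example written for this page, not the code from the repo mentioned at the end; the cmdline keys cryptdev=, bootdev= and root=, the key file name luks.key, the CARD_PRODUCT and CARD_KEY_ID values and the use of OpenSC's pkcs15-crypt for the signing step are all my assumptions and need adjusting to your own card and middleware. Two things it does deliberately: the signature has to be deterministic (RSA PKCS#1 v1.5 is, randomized ECDSA is not), since the signature literally is the LUKS passphrase; and the new keyslot is added and the new key file persisted before the old slot is removed, so a power loss in the middle never leaves a disk with no usable slot.

```shell
#!/bin/sh
# Added example (not the original repo's code): a busybox-style initrd /init
# following the boot sequence above. Hypothetical names: kernel cmdline keys
# cryptdev=, bootdev=, root=; key file luks.key on /boot; CARD_PRODUCT and
# CARD_KEY_ID; card signing via OpenSC's pkcs15-crypt (adjust for your card).
CARD_PRODUCT=${CARD_PRODUCT:-0e64}   # USB idProduct of the reader (hypothetical)
CARD_KEY_ID=${CARD_KEY_ID:-01}       # id of the signing key on the card
KEYFILE=/mnt/boot/luks.key           # persistent "old key" storage on /boot
LUKS_NAME=cryptroot

die() { echo "initrd: $*" >&2; exec sh; }   # drop to a rescue shell

# cmdline_get KEY CMDLINE: print the value of KEY=value from CMDLINE, fail if absent.
cmdline_get() {
    key=$1
    for tok in $2; do                    # word-split the cmdline on purpose
        case $tok in
            "$key"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

_sha256() {   # sha256sum is in busybox; shasum fallback for testing on macOS
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# derive_next_key OLD NEW: the "new key" is the hex SHA-256 of the old key file.
derive_next_key() { _sha256 < "$1" | cut -d ' ' -f1 > "$2"; }

# find_card: locate the reader in /sys by USB product id, print its sysfs path.
find_card() {
    for f in /sys/bus/usb/devices/*/idProduct; do
        [ -r "$f" ] && [ "$(cat "$f")" = "$CARD_PRODUCT" ] && { printf '%s\n' "${f%/idProduct}"; return 0; }
    done
    return 1
}

# card_sign IN OUT: sign IN with the on-card key, raw signature to OUT.
# Must be deterministic (RSA PKCS#1 v1.5 is, randomized ECDSA is not),
# because the signature *is* the LUKS passphrase.
card_sign() { pkcs15-crypt --sign --key "$CARD_KEY_ID" --input "$1" --output "$2"; }

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev 2>/dev/null   # device nodes for LVM/cryptsetup
    cmdline=$(cat /proc/cmdline)
    cryptdev=$(cmdline_get cryptdev "$cmdline") || die "cryptdev= missing"
    bootdev=$(cmdline_get bootdev "$cmdline")   || die "bootdev= missing"
    rootsig=$(cmdline_get root "$cmdline")      || die "root= missing"

    find_card >/dev/null || die "smartcard reader $CARD_PRODUCT not present"
    openct-control init || die "openct init failed"

    mkdir -p /mnt/boot /newroot
    mount "$bootdev" /mnt/boot || die "cannot mount $bootdev"

    # Sign the old key; that signature is the current LUKS passphrase.
    card_sign "$KEYFILE" /tmp/old.sig || die "card refused to sign"
    cryptsetup luksOpen "$cryptdev" "$LUKS_NAME" --key-file /tmp/old.sig || die "luksOpen failed"

    # Rotate: add the new slot and persist the new key BEFORE dropping the old
    # slot, so a crash anywhere in between still leaves one working path.
    derive_next_key "$KEYFILE" /tmp/new.key
    card_sign /tmp/new.key /tmp/new.sig || die "card refused to sign new key"
    cryptsetup luksAddKey "$cryptdev" /tmp/new.sig --key-file /tmp/old.sig || die "luksAddKey failed"
    cp /tmp/new.key "$KEYFILE.tmp" && mv "$KEYFILE.tmp" "$KEYFILE" && sync
    cryptsetup luksRemoveKey "$cryptdev" /tmp/old.sig || die "luksRemoveKey failed"
    rm -f /tmp/old.sig /tmp/new.sig /tmp/new.key

    openct-control shutdown             # sever the link to the card
    umount /mnt/boot

    lvm vgscan && lvm vgchange -ay
    rootdev=$(findfs "$rootsig") || die "rootfs $rootsig not found"
    mount -o ro "$rootdev" /newroot || die "cannot mount $rootdev"

    umount /sys /proc
    cd /newroot || die "no /newroot"
    pivot_root . mnt                    # old initrd root ends up under /mnt
    exec chroot . /sbin/init <dev/console >dev/console 2>&1
}

# Run the sequence only when this script actually is the initrd's /init.
if [ "${RUN_AS_INIT:-0}" = 1 ]; then main; fi
```

In a real initrd you would install this as /init and call main unconditionally; the RUN_AS_INIT guard is there so the helpers can be sourced and exercised on a normal system without touching any devices. Note that after a successful boot the key file on /boot is useless on its own: without the card it cannot be turned into the passphrase, and the signature that was used is no longer in any keyslot.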
It took me some time to assemble and test this stuff, although it was fun playing with a linux+busybox mini-OS. Makes me somewhat wonder about what takes several GiBs of space in a full-fledged OS when BB contains pretty much everything in less than one MiB ;)
It's probably also a good idea to put some early check of the /boot partition (hashes, mounts, whatever) into the booted OS's init scripts to see whether it was altered in any significant way. That's not really a guarantee that nothing nasty was done to it (and then cleaned up, for example), and there's no proof that the actual OS was booted from it or that the kernel isn't tainted in some malicious way, but it should be enough against some lame tampering or pranks, should these ever happen.
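As an added illustration of that check (written for this page, not taken from the post or its repo): record a manifest of /boot and compare against it from the booted OS. The manifest has to live on the encrypted root, not on /boot, or whoever alters /boot can just fix the manifest up too; the rotating LUKS key file is skipped because it changes on every boot; and comparing whole manifests, rather than only verifying listed hashes, also catches files that were added or removed. The manifest path /var/lib/boot.sha256 and the key file name luks.key are assumptions.

```shell
#!/bin/sh
# Added example, not the post's code: verify /boot against a recorded manifest
# from the booted OS's init scripts. Assumptions (hypothetical): the manifest
# lives on the encrypted root at /var/lib/boot.sha256, and the rotating LUKS key
# file on /boot is named luks.key (it changes every boot, so it is skipped).
MANIFEST=${MANIFEST:-/var/lib/boot.sha256}
KEYFILE_NAME=${KEYFILE_NAME:-luks.key}

_sha256() {   # sha256sum is in busybox/coreutils; shasum fallback for macOS
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# boot_manifest_make DIR OUT: hash every regular file under DIR except the key
# file, in a stable order, into OUT.
boot_manifest_make() {
    ( cd "$1" && find . -type f ! -name "$KEYFILE_NAME" | sort |
        while IFS= read -r f; do _sha256 "$f"; done ) > "$2"
}

# boot_manifest_check DIR MANIFEST: 0 if DIR matches MANIFEST exactly, 1 (with a
# diff on stderr) if any file changed, appeared or disappeared.
boot_manifest_check() {
    cur=$(mktemp) || return 1
    boot_manifest_make "$1" "$cur"
    if cmp -s "$cur" "$2"; then
        rm -f "$cur"; return 0
    fi
    echo "WARNING: $1 differs from $2:" >&2
    diff "$2" "$cur" >&2 || true
    rm -f "$cur"; return 1
}

# Typical use: run `boot_manifest_make /boot "$MANIFEST"` once after a trusted
# kernel/initrd install, and `boot_manifest_check /boot "$MANIFEST"` early in
# the OS init scripts (the verdict is in the exit status).
```

This only covers file contents; ownership, modes and the boot sector are outside what it looks at, and as the post says, an initrd that was already replaced before this runs can lie about anything.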
Anyway, here's the repo with all the initrd stuff, should anyone need it.