Booster

From ArchWiki

Booster is a fast initramfs generator similar to mkinitcpio and dracut. Booster is inspired by the distri project and aims to create a small and fast init image.

Booster consists of two major components:

  • The initramfs generator, the user-space tool /usr/bin/booster, which is responsible for generating initramfs images.
  • The generated images, usually located under /boot/ and used by the system boot loader to boot the Linux OS.

Install

Install booster. The package installation hook will generate initramfs images, one per installed kernel (e.g. for linux, linux-lts). The images are located under the /boot directory:

$ ls -lh /boot/booster*
-rwxr-xr-x 1 root root 4.0M Dec 16 16:20 /boot/booster-linux.img

Or the image can be built manually:

$ booster -output mybooster.img

Configuration

Booster generator configuration is located at /etc/booster.yaml. If there is no configuration file then the default configuration (host-specific images, no network) is used.

The configuration file helps to override the default behaviour. See booster(1) § CONFIG FILE for detailed information.

Regenerate booster images

Once you are done with the booster configuration you need to update the booster images at /boot. An image can be generated manually with booster -output booster-foo.img, or with the convenience script /usr/lib/booster/regenerate_images, which iterates over all installed kernels and generates a booster image for each of them.

Boot loader configuration

Once the image is generated it is time to configure the boot loader.

rEFInd

If the configuration relies on automatic detection already, no additional configuration change is necessary. rEFInd supports initrd files named booster*.

If you specify the initramfs path manually, either in refind.conf or in manual boot stanzas, make sure to use the correct file names, i.e. booster-linux.img instead of initramfs-linux.img.

systemd-boot

To enable the new initramfs image with systemd-boot simply create a new boot loader entry like this one:

/boot/loader/entries/booster.conf
title Arch Linux with booster
linux /vmlinuz-linux
initrd /booster-linux.img
options root=UUID=08f83949-bcbb-47bb-bc17-089aaa59e17e rw

Where the root filesystem is referenced by UUID=08f83949-bcbb-47bb-bc17-089aaa59e17e. To find your root device UUID run blkid /dev/ROOTDEVICE.

Enable encryption

Booster supports LUKS based full disk encryption out of the box. The generator does not need any extra configuration. For the initramfs you need to append information about the LUKS partition where the root resides. This is done with either the rd.luks.uuid=LUKSUUID or the rd.luks.name=LUKSUUID=LUKSNAME kernel parameter, which you specify in your boot loader configuration file. LUKSUUID is the UUID of the encrypted LUKS partition that booster needs to unlock. Pay attention that the UUID does not contain any quotes. LUKSNAME is the name of the unlocked partition (as in /dev/mapper/NAME).

No image rebuild is required. Once the boot loader configuration is done, reboot the computer. After that you will see an Enter passphrase for YOURROOT: prompt at boot time asking for the password of the encrypted root partition.

Clevis encryption


Passwords manually entered by a user are the traditional and widely used way to unlock encrypted LUKS partitions. But this has a few disadvantages:

  • It requires manual intervention and thus does not work with setups that require automatic boot (e.g. a large server farm).
  • An average human brain is capable of remembering relatively simple passwords (~20-30 bits of entropy) that are much weaker than keys used for modern block ciphers (128/256 bits).

A solution is to encrypt the data with a strong key that is stored securely somewhere else, for example in your TPM chip, on a YubiKey or at a network service. Clevis is a framework that implements this idea. It allows encrypting ("binding", in clevis terms) data with a pluggable pin. Currently clevis implements 3 pins:

  • tpm2: the key is sealed by the computer's TPM2 chip.
  • tang: the key is bound to a network Tang server.
  • sss: Shamir Secret Sharing, which combines several other pins with a threshold.

Booster supports all 3 types of pin.

To use clevis, install the clevis package. Here is an example of data binding with TPM2 (works only if you have a TPM chip in your computer):

$ clevis encrypt tpm2 '{}' <<< 'hello, world'
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlJQkxxT3FVenVDU1FmWkprNmdDN2wzMW43V3M2Y2FZd0VZS1BSR3Q0OHJEQUJBV2Z4M3pTUUNUTmtHZE9BM2FZd2RTZk9GcXZWdnVlQ3lPamFsWldCT2R4RlJKSzl5ZVRCM0pkNFktcF9HalhhNmlnLWxxNmtmMHZTWWkzOWMxVEpES1RYRVZTdnlXSlpEbGdxQ0JPMVNxeGJBd2tfSnIyRlRNY3hvNGtpSmNtMEVjbWd5dFdyME00QmcySlg4aVo3MEt1MTVjNzFORU5Ra3RjdGMtREhBVGFQcHJ2VzI2Z3d1YmUxckRfX19aV2tHaG9mX053M0M1OHlOcXF2RUpPZUwzNTZHNXJHNVVtYmUtWWV4Ujl2SEppZWlua3ZaNTJoMFVRYWVNSm9LYjJuNjlVTGZHb2J1NElTN20iLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJQ2poWDBVeTJKZVpSNU9pRU0ySktSeEtnUElYQ3dGNnRNR09NTDZ0ZnE5aiIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..1P2Emag_4k-GlhyY.MuQQYPa8QHrysZ74uA.0ddDxfZA3R-cCmaKu5yUZA

This long base64-encoded message is our text encrypted with an internal TPM key. It can be decrypted on the current computer only. Trying to decrypt it on another computer (or rather with another TPM chip) will return an error.

$ clevis decrypt tpm2 '{}' <<< 'eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlJQkxxT3FVenVDU1FmWkprNmdDN2wzMW43V3M2Y2FZd0VZS1BSR3Q0OHJEQUJBV2Z4M3pTUUNUTmtHZE9BM2FZd2RTZk9GcXZWdnVlQ3lPamFsWldCT2R4RlJKSzl5ZVRCM0pkNFktcF9HalhhNmlnLWxxNmtmMHZTWWkzOWMxVEpES1RYRVZTdnlXSlpEbGdxQ0JPMVNxeGJBd2tfSnIyRlRNY3hvNGtpSmNtMEVjbWd5dFdyME00QmcySlg4aVo3MEt1MTVjNzFORU5Ra3RjdGMtREhBVGFQcHJ2VzI2Z3d1YmUxckRfX19aV2tHaG9mX053M0M1OHlOcXF2RUpPZUwzNTZHNXJHNVVtYmUtWWV4Ujl2SEppZWlua3ZaNTJoMFVRYWVNSm9LYjJuNjlVTGZHb2J1NElTN20iLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJQ2poWDBVeTJKZVpSNU9pRU0ySktSeEtnUElYQ3dGNnRNR09NTDZ0ZnE5aiIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..1P2Emag_4k-GlhyY.MuQQYPa8QHrysZ74uA.0ddDxfZA3R-cCmaKu5yUZA'
hello, world

Clevis can bind LUKS partitions as well, e.g.

# clevis luks bind -d /dev/nvme0n1p2 tpm2 '{}'

This creates a LUKS key slot with a password encrypted by your TPM chip. It can be verified by running

# cryptsetup luksDump /dev/nvme0n1p2
...
Tokens:
 0: clevis
   Keyslot:  1
...

It shows that one clevis token has appeared. LUKS uses these tokens to store metadata about passwords kept somewhere else (e.g. in the TPM chip). Please refer to the clevis documentation for more information.

Booster is able to read the LUKS tokens, decode clevis information, reconstruct the password and unlock the partition automatically.

Partitions bound to the tpm2 or sss pins do not require any booster-side configuration. The tang pin (network binding) requires networking to be enabled in the image. Please refer to the #Configuration section for more information on network configuration.
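The pin that a clevis binding relies on is recorded in the unencrypted protected header of the JWE, both in the compact form printed by clevis encrypt above and in the "jwe" object of the LUKS2 token shown by cryptsetup luksDump. The following added example (not code from booster or clevis) decodes that header to report which pin, or which sub-pins of an sss binding, can unlock a partition, which is the check to run before trusting automatic unlock; it assumes the header layouts of the tpm2, tang and sss pins (pin name as key, sss sub-JWEs stored as compact strings under "jwe") and builds constructed sample inputs instead of reading a real device.

```python
import base64
import json

def b64url_decode(s: str) -> bytes:
    # JWE parts are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def protected_header(jwe) -> dict:
    # Accepts the compact form printed by `clevis encrypt` (5 dot-separated
    # parts, empty 2nd part for alg=dir) or the "jwe" object of a LUKS2 token.
    if isinstance(jwe, str):
        parts = jwe.split(".")
        if len(parts) != 5:
            raise ValueError("not a compact JWE")
        return json.loads(b64url_decode(parts[0]))
    return json.loads(b64url_decode(jwe["protected"]))

def describe_pins(hdr: dict) -> list:
    # Flatten the "clevis" header section; sss pins expand recursively.
    clevis = hdr.get("clevis", {})
    pin = clevis.get("pin")
    cfg = clevis.get(pin, {})
    if pin == "tpm2":  # pcr_ids appears only when the key was sealed to PCRs
        return [f"tpm2 hash={cfg.get('hash')} key={cfg.get('key')} "
                f"pcr_ids={cfg.get('pcr_ids', 'none')}"]
    if pin == "tang":
        return [f"tang url={cfg.get('url')}"]
    if pin == "sss":
        subs = cfg.get("jwe", [])
        out = [f"sss threshold={cfg.get('t')} of {len(subs)}"]
        for sub in subs:
            out += ["  " + line for line in describe_pins(protected_header(sub))]
        return out
    return [f"unknown pin {pin!r}"]

def luks_token_pins(token: dict) -> list:
    # One "tokens" entry from `cryptsetup luksDump --dump-json-metadata`; other token types yield nothing.
    return describe_pins(protected_header(token["jwe"])) if token.get("type") == "clevis" else []

def make_sample_jwe(clevis_cfg: dict) -> str:
    # Constructed sample: real header layout, dummy iv/ciphertext/tag parts.
    hdr = json.dumps({"alg": "dir", "enc": "A256GCM", "clevis": clevis_cfg}).encode()
    return base64.urlsafe_b64encode(hdr).decode().rstrip("=") + "..iv.ct.tag"

SAMPLE_TPM2 = make_sample_jwe({"pin": "tpm2", "tpm2": {"hash": "sha256", "key": "ecc"}})
SAMPLE_TANG = make_sample_jwe({"pin": "tang", "tang": {"url": "http://tang.example:80", "adv": {}}})
SAMPLE_SSS = make_sample_jwe({"pin": "sss", "sss": {"t": 1, "jwe": [SAMPLE_TPM2, SAMPLE_TANG]}})
SAMPLE_TOKEN = {"type": "clevis", "keyslots": ["1"], "jwe": {"protected": SAMPLE_TPM2.split(".")[0],
                "encrypted_key": "", "iv": "iv", "ciphertext": "ct", "tag": "tag"}}
```

On a real system, feed each entry of the "tokens" object from cryptsetup luksDump --dump-json-metadata to luks_token_pins; a tpm2 line without pcr_ids means the key is not tied to any measured boot state.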

YubiKey binding

Clevis allows binding a LUKS partition using YubiKey's challenge-response mode. To bind a LUKS partition, run

# clevis luks bind -d /dev/sdb2 yubikey '{"slot":1}'

Install yubikey-personalization. Edit the configuration file and add the following option:

/etc/booster.yaml
extra_files: ykchalresp

Regenerate the booster images. Booster will detect this configuration during boot and use the present YubiKey to unlock the drive.

Debug

If booster has issues and does not work as expected, enable debug output, which provides extra information about what is going on:

  • for generator there is a -debug command line flag: booster -debug.
  • for init there is a booster.debug=1 kernel parameter.

If you believe it is an issue with booster itself, please file a ticket at https://github.com/anatol/booster/issues

Gotchas

Booster generator fails with "too many open files" error

If you enabled strip and universal and see an error like /usr/lib/modules/glue_helper.ko: pipe2: too many open files, then you need to increase the per-process limit for open files, see Limits.conf#nofile.

See also