[TUHS] Unix install & "standalone" package

Steffen Nurpmeso steffen at sdaoden.eu
Sat Sep 9 09:38:54 AEST 2023

Michael Kjörling wrote in
 <f948d06c-14f4-40bd-8e32-4db1c5b1dd21 at home.arpa>:
 |On 5 Sep 2023 17:53 +0200, from steffen at sdaoden.eu (Steffen Nurpmeso):
 |> Unfortunately cryptsetup is needed even though, i think, the
 |> kernel has anything needed; you just cannot access it.  cryptsetup
 |> is only needed for "$cs open $PART_ROOT p_root --key-file -".
 |> Of course i am no real Linux expert but only a do-it-yourself guy.
 |If your need is restricted to a highly specific use case and you are
 |trying to keep it as small as possible, then it should be possible to
 |write a custom wrapper around whatever libcryptsetup functionality you
 |need and avoid the extra code that you get with cryptsetup proper.

It is nicely documented, and my Linux distribution ships the
static library anyhow.  But i am a lazy sort regarding such,
i just take the thing of my distribution and copy it over (they do
build it statically also by default).
You know, things change, and if you do not follow closely, you
stand in the rain.  I am not a paid Linux engineer that follows
this rapidly moving target in the end.
For example the (no longer) new random developer chose to disable
feeding entropy via /dev/urandom, here (distribution) still is

  # Load random seed
  /bin/cat /var/lib/urandom/seed > /dev/urandom

for almost two decades (it is a rather young one), but the code
path was mutilated (i read the kernel source once he had rewritten
that to be blake2/some 32-byte block thing based), now one needs
to use some ioctl interface fwiw.
Or once here cryptsetup was updated to use OpenSSL 3.0 suddenly
ripemd160 was no longer available on EFI (aka purely static,
without the filesystem avaialable), even though its release notes
explicitly mentioned the problem as solved, and OpenSSL 3's
libcrypto.a _had_ ripemd160...  I had to switch to sha512 .. then
to sha256 once cryptsetup started warning args had to be explicit
in the future.  Mind you, i in fact use it twice, also for
encrypted swap, i only wrongly searched for $cs

    $2 open --type plain --cipher aes --key-size 256 \
      --hash sha256 $PART_SWAP p_swap --key-file - &&

i said on IRC

  cryptsetup does EVP_DigestInit_ex(h->md, h->hash_id, NULL),
  i presume that does load additional things.

That surely is it, i did not track it further.
So no, to answer you, i have no highly specific use case at all.
This is only an encrypted volume with my own boot-style that
requires no boot loader but Linux itself.
Maybe i should really look deeply in how cryptsetup then attaches
a LUKS2 volume to the kernel, maybe it actually _would_ be
possible to do this simply in some other way.
But truly writing a program?  I feel much saver in the horde, with
so many people, specialists even, working on Linux, LUKS2,
cryptsetup, OpenSSL, .. these are all moving targets.
(I mean, i am lucky if i _can_ do a bit of programming on at least
the MUA i maintain; so much to do!  And roff hopefully somewhere
on the horizon, somewhen; today it was zero minutes.)

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the TUHS mailing list