Custom initramfs


Raphael Susewind

Aug 25, 2016, 9:55:38 AM
to qubes...@googlegroups.com
Dear all,

How can I create a custom initramfs for dom0, using the current one as a
template? I was hoping for something like initramfs-tools in Debian...

The aim is to include yubikey-luks in the FDE unlocking:
https://github.com/cornelinux/yubikey-luks

There might be other use cases, too - perhaps make a FAQ entry on this?

Thanks,
Raphael

Andrew David Wong

Aug 25, 2016, 5:19:00 PM
to Raphael Susewind, qubes...@googlegroups.com
This is somewhat related to your aim, so you might find it helpful or at least
interesting:

https://www.qubes-os.org/doc/yubi-key/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Connor Page

Aug 26, 2016, 7:34:57 PM
to qubes-users
This is an interesting idea. The initramfs is generated by dracut. Read this: https://github.com/nj0y/ykfde/blob/master/README-dracut.md

Raphael Susewind

Aug 27, 2016, 6:53:37 AM
to qubes...@googlegroups.com
> This is an interesting idea. The initramfs is generated by dracut. Read this: https://github.com/nj0y/ykfde/blob/master/README-dracut.md

Yes, I gave ykfde a try. Problem is that Qubes still shows its custom
FDE password screen on startup, and never the ykfde second factor one...

(possibly - but just a hunch - because the only way to get rid of the
Qubes dialog is unlocking the drive, following which ykfde is unnecessary).

Let me know if you get it to work - I gave up for now (don't want to mess
up my dracut setup too much given my lack of experience).

Connor Page

Aug 27, 2016, 11:04:22 AM
to qubes-users
After giving it a thought I decided to keep USB devices out of dom0. The solution for Debian is real 2FA but ykfde is for lazy people. I gave it as an example of dracut hooks. Theoretically you can rearrange hooks so that yubikey authentication happens before rd.qubes.hide_all_usb is processed, but there is a risk that Qubes hooks might fail and leave USB controllers in dom0. If you already have a controller in dom0 then perhaps it wouldn't make security worse.
While initially I thought it would be interesting to try, the only situation when a yubikey could actually improve security is having to boot a Qubes PC under unavoidable surveillance.

Raphael Susewind

Aug 29, 2016, 1:34:11 AM
to qubes...@googlegroups.com
> While initially I thought it would be interesting to try, the only situation when a yubikey could actually improve security is having to boot a Qubes PC under unavoidable surveillance.

Came to the same conclusion - probably not worth the security
tradeoff... Perhaps one can implement a 2FA solution for FDE using
something like paperkey? It would still be the 'someone peeks over my
shoulder in a cafe' kind of scenario, but without the USB compromise.

joev...@gmail.com

Sep 10, 2017, 6:02:24 PM
to qubes-users

It is not just 'unavoidable surveillance'.
Qubes doesn't just run on laptops. Think about desktops. They require USB keyboards since most modern desktop systems don't have PS/2. And since they require USB keyboards to enter the LUKS passphrase, that means the "rd.qubes.hide_all_usb" option in the bootloader will render the whole system inaccessible. So USB security at boot time is not an option, therefore, not a tradeoff with 2FA.

It isn't for the "lazy" people either. 2FA means that I don't have to weaken my passphrase so it's memorable. And if snooped by some Evil Maid attack methods, they'll need to pull the token from my cold dead hands too.

I am hoping someone will finish this idea and make it available, especially for desktop users with yubikey.
Unfortunately, I don't have much knowledge on initramfs or dracut to produce something usable myself. I have searched all over, and only find the same abandoned ideas, or directions to using Yubikey for something other than LUKS, or on a Debian based system.

Please help.
Thank you.

cooloutac

Sep 18, 2017, 11:32:53 PM
to qubes-users

Almost all motherboards still come with PS/2. Only budget gaming ones don't. But even most gaming ones do.

joev...@gmail.com

Sep 19, 2017, 11:37:28 PM
to qubes-users

Fair point. I was thinking more in my price range. Dell XPS 8900.

My solution so far is to use YKLUKS from here: https://github.com/the2nd/ykluks

It does include a grub2 "rd.ykluks.hide_all_usb" feature to only temporarily turn on USBs during the
https://groups.google.com/forum/#!msg/qubes-users/hB0XaquzBAg/aPQmmLBwBgAJ
"Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb stuff via its own rd.ykluks.hide_all_usb command line parameter because the yubikey is connected via USB and needs to be accessible until we got the challenge from it. I am still unsure if this is the best method to implement this. So if anyone with a deeper knowledge of qubes/dracut does have a better/more secure solution I'm happy about any help."

It works. I think it's the best I can do since I am more concerned with 2FA than bad USB devices.
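
As an added example (not code from this thread, nor from ykfde, ykluks or Qubes), the dracut module layout that Connor's "rearrange hooks" remark and the2nd's rd.ykluks.hide_all_usb note both refer to: a module-setup.sh with the check/depends/install functions dracut sources at image-build time, a hook installed into a chosen stage at a chosen priority, the dracut.conf.d line that pulls the module in, and a helper that lists the hooks of a stage in the order dracut sources them. The module name 95ykunlock, the rd.ykunlock parameter, the /run/ykunlock.key path and the pre-trigger/10 placement are assumptions made for illustration; which stage and priority the existing Qubes USB-hiding hook uses has to be read off the current image with lsinitrd before deciding where a token hook can sit, and any hook placed earlier runs while the USB controllers are still bound in dom0, which is the exposure Connor describes. How the written response is fed into the LUKS unlock is left to the consuming module.

```shell
#!/bin/sh
# Added example: skeleton dracut module for a YubiKey challenge-response hook.
# All names below (95ykunlock, rd.ykunlock, /run/ykunlock.key) are assumed.

# Write the module into $1 (on dom0 that would be /usr/lib/dracut/modules.d).
write_module() {
    moddir="$1/95ykunlock"
    mkdir -p "$moddir"

    # module-setup.sh is sourced by dracut at build time; check(), depends()
    # and install() are the entry points it expects, and $moddir is set by
    # dracut to this module's directory (hence the quoted heredoc).
    cat > "$moddir/module-setup.sh" <<'EOF'
#!/bin/bash

check() {
    # Only build the module in when the challenge-response tool is present.
    require_binaries ykchalresp || return 1
    return 0
}

depends() {
    # udev must be up so the USB token is visible inside the initramfs.
    echo udev-rules
    return 0
}

install() {
    inst_multiple ykchalresp
    # Hooks of one stage run in lexical order of their NN-name.sh filename,
    # so priority 10 sorts before a 30-... hook of the same stage. The stage
    # and number are assumptions; check the Qubes hook's placement first.
    inst_hook pre-trigger 10 "$moddir/ykunlock-hook.sh"
}
EOF

    cat > "$moddir/ykunlock-hook.sh" <<'EOF'
#!/bin/sh
# Sourced (not executed) by dracut's pre-trigger stage: use return, never exit.
type getargbool > /dev/null 2>&1 || . /lib/dracut-lib.sh

# Stay inert unless rd.ykunlock=1 (assumed parameter) is on the kernel cmdline.
if getargbool 0 rd.ykunlock; then
    printf 'YubiKey challenge: ' > /dev/console
    read -r challenge < /dev/console
    umask 077
    # Slot-2 HMAC challenge-response; the response becomes a keyfile that a
    # later unlock step can consume. A missing token falls back to passphrase.
    if ! ykchalresp -2 "$challenge" > /run/ykunlock.key 2> /dev/null; then
        warn "ykunlock: no response from token, falling back to passphrase"
        rm -f /run/ykunlock.key
    fi
fi
EOF
    chmod 0755 "$moddir/module-setup.sh" "$moddir/ykunlock-hook.sh"
}

# Write the dracut.conf.d fragment that adds the module to every rebuild.
write_conf() {
    mkdir -p "$1"
    printf 'add_dracutmodules+=" ykunlock "\n' > "$1/ykunlock.conf"
}

# List the hook files of one stage directory in the order dracut sources them
# (plain glob order), e.g. hook_order /lib/dracut/hooks/pre-trigger
hook_order() {
    for f in "$1"/*.sh; do
        [ -e "$f" ] && basename "$f"
    done
}

# Rebuild and inspect (run on dom0 as root, not executed here):
#   dracut --force /boot/initramfs-$(uname -r).img $(uname -r)
#   lsinitrd /boot/initramfs-$(uname -r).img | grep hooks/pre-trigger
```

Before rebuilding, `lsinitrd` on the current image shows which stage directory and priority number the Qubes hook lives in; that, not the guessed pre-trigger/10 above, decides the relative order.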
