9.3 KiB
9.3 KiB
| keywords | |||
|---|---|---|---|
|
secureboot
Most of the distributions are delievered with a microsoft-signed SHIM bootloader, which should allow the boot with active secureboot without deleting OEM keys. the SHIM bootloader gets controlled with mokutil.
- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation
ubuntu
ubuntu provides a update-secureboot-policy script to generate and enroll a secureboot mok, but this needs an already active secureboot with MS keys and this needs to be active through booting the installer
cryptsetup luks
crypsetup luksDump /dev/sdaX cryptsetup luksChangeKey /dev/sdaX cryptsetup luksErase
ressource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/
lkrg - linux kernel runtime guard
archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm
data integrity aka bitrot
General kernel awareness: https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst the solution so far to omit endusers hardware limitations (like ECC RAM grml) https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst So it should be more or less equal to use integrity with or without encryption:
- RAID1 preferred
- heavily perfomance issues caused by the journal ( none or bitmap as dangerous alternative) https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst
the used strcuture to get this done: block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
- cryptsetup benchmark
- GPT formatted block devices to get recognized properly under windows
- complete header backup
- block device sector size
- blcok device support for SCT/ERC
smartctl -a /dev/sda | grep SCT
Model Family: Seagate Samsung SpinPoint M9T
Device Model: ST1500LM006 HN-M151RAD
Serial Number: S34QJ9CG700688
LU WWN Device Id: 5 0004cf 210088b47
Firmware Version: 2BC10008
User Capacity: 1.500.301.910.016 bytes [1,50 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS T13/1699-D revision 6
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Thu Jun 9 21:48:00 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
[..]
SCT capabilities: (0x003f) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.
=== START OF INFORMATION SECTION ===
Model Family: Seagate Laptop SSHD
Device Model: ST500LM000-SSHD-8GB
Serial Number: W762L1TL
LU WWN Device Id: 5 000c50 07cb8f1cc
Firmware Version: LIV5
User Capacity: 500.107.862.016 bytes [500 GB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database 7.3/5319
ATA Version is: ATA8-ACS, ACS-3 T13/2161-D revision 3b
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Thu Jun 9 22:02:40 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
sudo smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x1081) SCT Status supported.
Model Family: Toshiba 2.5" HDD MQ01ABD...
Device Model: TOSHIBA MQ01ABD100
Serial Number: 24RNSMGLS
LU WWN Device Id: 5 000039 55610b282
Firmware Version: AX001U
User Capacity: 1.000.204.886.016 bytes [1,00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database 7.3/5319
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 2.6, 3.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Fri Jun 10 19:12:49 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 128 (minimum power consumption without standby)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
=== START OF INFORMATION SECTION ===
Model Family: Crucial/Micron Client SSDs
Device Model: CT1000MX500SSD1
Serial Number: 2211E619654F
LU WWN Device Id: 5 00a075 1e619654f
Firmware Version: M3CR043
User Capacity: 1.000.204.886.016 bytes [1,00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: Solid State Device
Form Factor: 2.5 inches
TRIM Command: Available
Device is: In smartctl database 7.3/5319
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.3, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Fri Jun 10 19:20:34 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
RPI2
=== START OF INFORMATION SECTION ===
Model Family: Western Digital Blue Mobile (SMR)
Device Model: WDC WD10SPZX-24Z10T0
Serial Number: WD-WX41A485FYC1
LU WWN Device Id: 5 0014ee 6b3473413
Firmware Version: 01.01A01
User Capacity: 1,000,204,886,016 bytes [1.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
TRIM Command: Available, deterministic
Device is: In smartctl database [for details use: -P show]
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Tue Jun 14 21:25:10 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Enabled
smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x303d) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.
related issues
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate
--tag-size 8 - https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key mgmnt integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives