Showing posts with label FreeBSD.

Sunday, March 2, 2008

Sysadmin Sunday: Encrypted Swap Space in FreeBSD

New research shows that cold boot attacks can recover the contents of RAM, encryption keys included, from a machine that has just been powered off. That defeats even full-disk encryption that covers swap, because the disk key has to sit in RAM while the system is running. We'll probably talk more about that in our podcast.

Physical access almost always means that a total compromise of security is somehow possible. Sensitive data can also be at risk long after the data in RAM has decayed into oblivion. Encryption keys, large documents, and other files containing data you don't want falling into the wrong hands will almost certainly spend some time in virtual memory. That means pages of RAM get written, for better or worse, to the hard drive, where they stay readable until something overwrites them.

Encrypting just your swap space can be easier than switching to full-disk encryption and makes it more difficult for an attacker to obtain sensitive data as it gets shuffled in and out of RAM.

OpenBSD encrypts swap by default without any further action. To the best of my knowledge it's alone in that fact. I can't outline how to encrypt swap space in every operating system, but since FreeBSD's the flavor-du-jour, I'll show you how easy it can be.

First, disable swap:

[axon@floaty-fbsd ~]$ sudo swapoff -a
swapoff: /dev/ad0s1b: Cannot allocate memory
Whoops! If there's too much stuff running to fit in RAM without swap, you'll need to cut back. Close your applications, stop the X Window system or whatever you have to do. Let's try that again.
[axon@floaty-fbsd ~]$ sudo swapoff -a
Now, find the swap partition and overwrite it with dd(1), streaming /dev/urandom to it. It could take a while depending on the size of the partition. GELI only protects what gets written to swap from now on; anything the kernel paged out before today is still sitting on the partition in the clear, and this one-time wipe is the only thing that gets rid of it. dd will stop with an "end of device" error once it reaches the end of the partition, which is exactly what you want to see:
[axon@floaty-fbsd ~]$ grep swap /etc/fstab
/dev/ad0s1b none swap sw 0 0
[axon@floaty-fbsd ~]$ sudo dd if=/dev/urandom of=/dev/ad0s1b
dd: /dev/ad0s1b: end of device
464657+0 records in
464656+0 records out
237903872 bytes transferred in 88.835558 secs (2678025 bytes/sec)
To enable GEOM ELI on your swap partition, edit /etc/fstab and add ".eli" to the end of the swap device. At boot, the rc scripts attach that partition with geli(8) using a random one-time key: there is no passphrase to type, and because the key is never stored, whatever was swapped out before a reboot is unrecoverable afterwards. The cipher and key length come from geli_swap_flags; see rc.conf(5) if you want to override the defaults in /etc/rc.conf.

[axon@floaty-fbsd ~]$ sudo vi /etc/fstab
change this line:
/dev/ad0s1b none swap sw 0 0
to this:
/dev/ad0s1b.eli none swap sw 0 0
You have to reboot for this to take effect. Once it comes back online, use kldstat and swapinfo to verify that the geom_eli.ko module is loaded and that the new swap device is being used. If swapinfo still lists the bare device without the .eli suffix, the change did not take and your swap is still unencrypted.

[axon@floaty-fbsd ~]$ kldstat
Id Refs Address Size Name
1 10 0xc0400000 7b2d2c kernel
2 1 0xc0bb3000 6974 snd_ich.ko
3 2 0xc0bba000 239a8 sound.ko
4 1 0xc0bde000 5c304 acpi.ko
5 1 0xc1f19000 e000 geom_eli.ko
6 1 0xc1f27000 19000 crypto.ko
7 1 0xc1f40000 a000 zlib.ko
8 1 0xc21ec000 2000 warp_saver.ko
[axon@floaty-fbsd ~]$ swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 232328 0 232328 0%
Voila!
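The steps above are easy to fat-finger on a box with more than one swap partition, so here is a small sh(1) script that wraps them. It is an added example, not code from the original post: it assumes a FreeBSD system whose swap devices are listed in /etc/fstab with "swap" in the third column, as in the fstab shown above. The two text-processing helpers (rewriting fstab, checking swapinfo output) take their input on stdin, so they can be exercised on any UNIX with canned input; only the --apply driver touches the system.

```sh
#!/bin/sh
# Added example, not code from the original post.  Two text-only helpers
# that wrap the procedure described above, plus an optional driver that
# performs it.  Assumed: a FreeBSD box whose swap devices are listed in
# /etc/fstab with "swap" in the third column.

# eli_fstab: read an fstab(5) on stdin and write it to stdout with ".eli"
# appended to the device of every swap entry.  Comments, blank lines and
# entries that already end in .eli pass through untouched, so running it
# twice is harmless.
eli_fstab() {
    awk '
        /^[ \t]*#/ || NF < 3 { print; next }
        $3 == "swap" && $1 !~ /\.eli$/ { $1 = $1 ".eli" }
        { print }
    '
}

# unencrypted_swap: read swapinfo(8) output on stdin, print the name of
# every active swap device that is not a .eli provider, and exit 1 if any
# was found (0 when all swap is encrypted).  Run it after the reboot.
unencrypted_swap() {
    awk '
        NR == 1 || $1 == "Total" { next }   # skip header and summary line
        $1 !~ /\.eli$/ { print $1; found = 1 }
        END { if (found) exit 1 }
    '
}

# apply_to_system: the destructive part; run as root on FreeBSD only.
# 1. swapoff -a fails with "Cannot allocate memory" when the paged-out data
#    does not fit in RAM, so stop there rather than wipe a live swap device.
# 2. Overwrite each swap partition with random data so pages written before
#    today are gone (dd exits non-zero at "end of device"; that is expected).
# 3. Rewrite /etc/fstab through a temp file so a crash mid-write leaves the
#    original intact, then restore the usual 0644 mode.
apply_to_system() {
    swapoff -a || { echo "swapoff failed: close applications and retry" >&2; return 1; }
    awk '!/^[ \t]*#/ && $3 == "swap" { sub(/\.eli$/, "", $1); print $1 }' /etc/fstab |
    while read -r dev; do
        echo "wiping $dev" >&2
        dd if=/dev/urandom of="$dev" bs=1m 2>/dev/null || true
    done
    tmp=$(mktemp /etc/fstab.XXXXXX) || return 1
    eli_fstab < /etc/fstab > "$tmp" && chmod 644 "$tmp" && mv "$tmp" /etc/fstab
    echo "fstab updated; reboot, then run: swapinfo | unencrypted_swap" >&2
}

# Stand-alone use: "sh encswap.sh --apply" runs the procedure; with no
# arguments the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    apply_to_system
fi
```

After the reboot, `swapinfo | unencrypted_swap` prints nothing and exits 0 when every swap device is a .eli provider; otherwise it names the offending devices, which makes it easy to drop into a periodic(8) or monitoring check.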

Tuesday, February 26, 2008

Homebrew geeky UNIX screen saver

For the past 7 years or so, I've been doing fun things with XScreensaver to make custom screen savers that display useful information. My favorite XScreensaver mode is Phosphor, which renders olde-school green text on your screen. By default, it just displays information about your system such as system load and host name. While that's fun and all, it's pretty boring for a desktop system.

So, I'm a weather geek. Part of the reason is because I like being outdoors, but even when I'm cowering inside on a blustery February morning, I like to know what the weather is doing. On my FreeBSD lab machine, I configured Phosphor to display the hourly National Weather Service data for my area.

Obviously, you need to download and install XScreensaver first. You can do this using whatever means you want, but on FreeBSD, it's as simple as "sudo pkg_add -r xscreensaver".

Then, I put an entry in my crontab that looks like this (all on one line, though):

7 * * * * /usr/local/bin/lynx -dump -nolist "http://www.crh.noaa.gov/product.php?site=EAX&issuedby=EAX&product=RWR&format=txt" | tail -n +16 | head -n 15 > ~/.wx.txt

This fetches the weather data (stripped of HTML and without the list of links) for the eastern KS/northwest MO region, skips the first 15 lines of the dump and keeps the next 15, then writes them to the .wx.txt file in my home directory. This runs 7 minutes after the hour, every hour, every day.

Of course, you could use a similar script to do an hourly scrape of the front page of your favorite news site, or run any program that will generate a text file for Phosphor on a regular basis.

Now that we have the weather data (or whatever else you want) coming to us every hour, it's time to configure xscreensaver. First, make sure "xscreensaver &" is started before the window manager in your .xinitrc or .xsession file, depending on whether you're using an X display manager or just startx to launch X.

Run "xscreensaver-demo" to access the configuration screen, set it up to use only one screen saver, choose Phosphor, then tell it to read the text file ~/.wx.txt, as shown in the screen shots below:

Notice how the display has that cheesy-yet-familiar phosphor persistent delay? I love it!

Sorry this didn't capture very much of the screensaver, I'm trying to figure out why xvidcap keeps crashing on FreeBSD.

Friday, February 22, 2008

More FreeBSD love and some fun stuff

I'm working on a fun project for HiR that involves a little bit of CAD (computer aided design/drafting) work. QCAD Community Edition is the GPL version of RibbonSoft's inexpensive QCAD software. It comes without RibbonSoft's technical support and lacks certain features that they reserve for QCAD Professional.

RibbonSoft claims that QCAD is usable right out of the gate even by people who have never used CAD before. I haven't touched CAD since I tinkered with AutoCAD Lite back in 8th grade shop class. I'd like to think I'm technically minded as well. QCAD is NOT easy to get the hang of. Maybe compared to AutoCAD or CADKey, but you can ask my wife and she'll tell you I've spent the better part of three whole days just getting my bearings straight with QCAD. I think I've got it mostly figured out now, though.

By the way, QCAD is available as a binary package or in the Ports tree for both FreeBSD 6.2 and OpenBSD 4.2. I've been using it on both platforms. FreeBSD works really well with QCAD despite my somewhat anemic workstation. My Logitech Revolution VX is a life-saver for precision CAD work. With its smooth-scrolling wheel and high-resolution laser optical tracker, it fits the bill perfectly. I'm really glad that FreeBSD and XOrg play nice with this mouse.

As for the project I'm working on, I'll just say it's mischievous and delightfully fun. I'll release the .DXF file for this project when the time comes.

Wednesday, February 20, 2008

FreeBSD 6.3 on the desktop - Update

This is part of an ongoing series of reviews of FreeBSD 6.3 on the desktop.  


Well, FreeBSD isn't as peppy as I originally thought.  It's no worse than any other Desktop OS would be on this kind of hardware.  AJAX-based web pages and applications are sluggish.  Heavy media  applications like VideoLAN VLC and Amarok run fine as long as they're the only things running.  I'll admit, the slowness keeps sending me back to my happy MacBook on occasion.  This might be easily resolved by building a new(er) computer from parts that aren't about 5 years old.

Yesterday, I got to spend some quality time with FreeBSD, though.   Still enamored with the simplicity of Free's package management, I got gtkam to work quickly and easily to get some photos off of my Canon PowerShot A540 with ease.  That surprised me quite a bit, but gtkam is definitely no replacement for my beloved iPhoto.  FreeBSD had some trouble with one of my SD card readers, but I managed to get it worked out by making sure the card was inserted before attaching the reader.  

I had to build VLC from source via the ports tree, and that took several hours but worked without any problems.  Amarok is a slick audio player, almost as nifty as iTunes or Windows Media Player for my MP3 collection.  It's just terribly bloated.  

I'm also disappointed that secure shell isn't enabled by default.  I needed to get some data from this machine earlier today, and was unable to reach it.  It's alive, but SSHd isn't up and running.  I guess I'm all for leaving as many services disabled as possible, but even OpenBSD asks if you want to enable SSH during the installation.  That's not so much a gripe about FreeBSD on the desktop as it is about its network services out of the box, though.

I'm pleased, but I wish I had a little better machine to throw at the project.  My relatively powerful notebook has spoiled me.

Friday, February 15, 2008

FreeBSD 6.3 - Initial Impact

So, I've been playing with FreeBSD 6.3 for a few days and there are certainly some good things, and definitely some bad things. All in all, though, I like what I've seen. A few days isn't long enough to really get a feel for an operating system on the desktop, so this is the first in a series of reviews I'll be giving FreeBSD 6.3 as I shoe-horn it into my daily life as my main desktop operating system at home. Keep in mind that while I'm on the go, I'm dealing exclusively with Mac OS X on my MacBook, and OpenBSD 4.2 within Parallels when the task at hand calls for something more serious than what OS X can deliver.

The Good:

  • The package management woes I had with 5.0 are completely gone. pkg_add -r [package-name] (ex: bash, firefox, windowmaker, nmap, etc) just works right out of the box. The problem I was having before was that they had converted to bzipped packages (.tbz) however pkg_add was still, for some reason, expecting gzipped packages (.tgz). That's all over now, and probably has been for a long time.
  • The installation is a breeze. I mentioned this before as well, but the textmode-driven menu really does just work. No, it's not as intuitive as a GUI installer, but it's not as sluggish as GUI, either.
  • The OS and Xorg find my snazzy wireless Logitech VX Revolution mouse and all the major features (left, right, center click and vertical scrolling) work without any configuration changes at all. Mouse setup used to be a bit of a chore with FreeBSD.
  • It is oh-so-peppy. As lean and mean as I remember it, I'm not exactly running FreeBSD on a powerhouse workstation. It's a lowly Pentium 3 desktop with a mere half-gigabyte of RAM. Compared to Kubuntu, which was installed prior to this, FreeBSD simply hauls ass.
The Bad:
  • Where in the hell is xorgcfg, the graphical Xorg configuration tool? And why isn't there a somewhat working xorg.conf file installed by default? OpenBSD handles Xorg by default just fine. Playing with FreeBSD 6.2, I know I used xorgcfg to get Xorg up and running, but it's nowhere to be found in 6.3 (at least the way I installed it!) Fortunately, I'm good with xorgconfig, the text configuration tool for Xorg, and got X up and running on my lab machine on the second try.
  • Mozilla Firefox, when installed from binary packages, for some reason creates the .mozilla directory in your homedir owned by root the first time you run it, and then can't start. The easy fix, of course, is to change the owner back to yourself before starting Firefox again, but this boggles my mind. What's more peculiar is that after creating a second user to test this with, Firefox starts fine. Hmm...
  • I really, really miss OpenBSD's monolithic kernel and on-the-fly reconfiguration. FreeBSD forces you to enable kernel modules to get a lot of "optional" hardware to work.
Alas, I digress.

To get sound working, I had to go into /boot/defaults/loader.conf and set the proper sound module to "YES" (in my case, it was the snd_ich_load line). The "proper" way to do this would be to add snd_ich_load="YES" to /boot/loader.conf, but I am lazy and this works. I cheated again and just manually loaded the module from the command line (kldload snd_ich) and voila! My MP3 player software worked like a charm. To get a guess as to what sound driver you'll need, run pciconf -lv and look for your sound device. Then look through the nondescript driver files (/boot/GENERIC/snd_*.ko) to see if there's a logical choice. Experiment if needed.

Despite what a pain in the butt it is, it's little things like this that remind me why I chose FreeBSD in the first place. It really is back to basics. At the same time, projects like OpenBSD are certainly just as minimalist but without the same kind of impact on out-of-box usability. Unfortunately, I've been spoiled, and OpenBSD is now the gold standard by which I measure things of this nature. It's not looking too good for FreeBSD with that minor exception of truly elegant binary package management. And oh, their package management is slick. It's admittedly low-tech, even. But it simply works well, and that's all I ask of it.

With what seems to be all of the major out-of-box problems solved (graphical interface, sound, boot options), I'm hopefully free of any more show-stoppers. Stay tuned next week to see how things are progressing.

Wednesday, February 13, 2008

Giving FreeBSD another shot

I fell in love with FreeBSD for the first time around the early part of 1998. Although I'd heard of FreeBSD before, my roommate, Xeroline, introduced me to it formally. I'd been tinkering with Red Hat Linux and had grown tired of both the wild-goose-chase of RPM dependencies as well as the patchwork of software compiles that often had their own dependency problems. FreeBSD seemed, at the time, to be the answer to my prayers.

FreeBSD 2.2.8 was lean, mean, and very basic. It also brought with it the concept of the Ports system: a skeletal tree of software directories where one could simply utter the words "make install" and then sit back -- often for a very long time -- and watch software compile automatically and usually error-free. Initially, that's all I wanted. It was FreeBSD that pried me away from my Linux addiction, and I'd say that it's also FreeBSD that shaped much of what I've come to expect from a UNIX desktop OS. In short, I didn't want an easy, graphical install. I wanted an OS that would get up and running quickly, be quick on its toes, and give me as clean of a slate as possible from which to begin my adventures. I wanted a system that could be wrought from bare metal.

As time passed, FreeBSD got better, then worse. I had been using OpenBSD for servers since early 1999, and shortly after the 5.x series came out, I got sick of FreeBSD and switched to OpenBSD 3.2 on the desktop and some of my laptops. That was more than 5 years ago. I seriously haven't touched FreeBSD since February of 2003. Until now.

I almost messed with FreeBSD 6.2 a few months ago. I downloaded the ISO images but never got around to burning them. The target install environment was going to be my Pentium 3 lab box, but at the time I was using it to do research for my Linux LVM2 article. The very same machine, in fact, kept getting re-purposed for various HiR research projects. The time has come, though, for me to square off against my quondam favorite desktop OS.

I've only been tinkering with it for about a day now, so I still have a way to go before I'm ready to give this a full review. All I can say is to stay on the lookout for some more FreeBSD love. I can immediately tell that they've worked out some of the major kinks in their package installation tools. The installation doesn't seem like it's changed much since the 4.x releases. For that, I'm thankful. It's just friendly enough for almost anyone to figure out, but not made of bloated graphics like the Ubuntu installer that takes forever to load.

I have a feeling I might start really liking FreeBSD again. Did anyone else feel alienated by the 5.x series, only to come back and try 6.2 or 6.3 and really like it?