Building POTTS



POTTS Sources

Download: potts-src.tar.gz (182 kB)

How to manually build the USB live system?

WARNING: This will probably consume a lot of time, disk space and patience.

To build a POTTS variant like our provided USB image, you will need an x86_64 Arch Linux system.

Something will most likely fail and you will have to rebuild some things, so you might want to install and set up ccache to reduce compile times.

It should also be possible to build POTTS with other Linux distributions. To that end you will need to analyse how our archiso and mkinitcpio configurations and scripts work and build a similar solution.

Downloading the required components

Run the downloader script.

./getter.sh

This downloads all packages described in packages.sh into directory ./dl/ and verifies their checksums.

(To make sure that all downloads have been completed successfully, just run the script a second time - output will be much nicer.)

If the checksums of some packages do not match, this may be due to new versions (especially for the AUR packages). Confirm that a new version really is the cause, then update the checksums in packages.sh to allow those packages anyway.

Building all components

Run the builder script.

./builder.sh

It will build

If you do not have trousers or opencryptoki installed, the build will fail. Install the newly built packages and restart the script to fix this:

sudo pacman -U archiso-potts/repo/trousers-0.3.10-3-x86_64.pkg.tar.xz
./builder.sh
sudo pacman -U archiso-potts/repo/opencryptoki-2.4.2-11-x86_64.pkg.tar.xz
./builder.sh

If something else fails, examine the error messages and the builder.sh script for clues on how to fix it.

Attention: Re-running the builder script deletes and rebuilds everything.

Note: With a cold ccache this may take over an hour to complete (e.g. on an i5-2520M CPU).

Creating a custom Arch installer image

Make sure the complete path to the archiso-potts/build.sh script does not contain a '_' character, as this could disrupt a "sed" command within the script.

Run the archiso script. It requires root privileges.

cd archiso-potts
sudo ./build.sh -v
cd ..

If the script fails because of corrupted packages, this may be due to having built a new package with builder.sh while still having an old version in the package cache. Re-running sudo ./build.sh -v once should fix this.

Preparing the USB drive

We assume /dev/sdc is your USB drive. Most of the following operations require root privileges; use su or sudo.

Create an empty partition on the USB drive:

fdisk /dev/sdc  # create one partition, about 512 MB in size
                # for our image, we chose 511 MB (fdisk: n, p, 2048, +511M, w)
mkfs.ext2 -L POTTS_USB_LIVE /dev/sdc1

(Note: If the partition is not properly aligned, boot duration may suffer severely. If this is important to you, you might want to try out different alignments and compare boot times. See also http://lwn.net/Articles/428584/ and http://goo.gl/97slC.)

Mount the USB drive:

mount /dev/sdc1 /mnt/sdc1

Mount the generated installer ISO.

mount archiso-potts/out/potts-archlinux-2013.XX.XX.iso /mnt/tmp

Copy /arch from the ISO to your USB drive.

cp -r /mnt/tmp/arch /mnt/sdc1

Create the directory where POTTS will store its data (encrypted DEK, nonces, container path, etc.):

mkdir /mnt/sdc1/potts

Installing TrustedGRUB

(We assume /dev/sdc1 is still mounted.)

Create a directory for TrustedGRUB and copy all required components, as well as the provided menu.lst:

mkdir -p /mnt/sdc1/boot/grub/
cp build-tgrub/bin/stage? /mnt/sdc1/boot/grub/
cp menu.lst /mnt/sdc1/boot/grub/

Set up TrustedGRUB:

./build-tgrub/bin/grub
    device (hd0) /dev/sdc
    root (hd0,0)
    setup (hd0)
    quit

Unmount & unplug the USB drive:

umount /mnt/sdc1

Try to boot from the USB drive on a machine with a TPM chip.
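The USB preparation and TrustedGRUB steps above, collected into one script with pre-flight checks, as an added example that is not part of the POTTS sources. It assumes root, util-linux sfdisk, $ISO pointing at the generated installer image, and that TrustedGRUB's grub shell accepts --batch like GRUB legacy; the device, mount points and 511 MB layout are the ones used above.

```shell
#!/bin/sh
# Added example (not part of POTTS): the "Preparing the USB drive" and
# "Installing TrustedGRUB" steps above as one script with pre-flight checks.
# Assumptions: root, run from the POTTS source dir, $ISO set to the installer
# image, util-linux sfdisk, and a grub shell that accepts --batch (GRUB legacy).
set -eu

DEV="${DEV:-/dev/sdc}"            # whole USB device, as on the page
USB_MNT="${USB_MNT:-/mnt/sdc1}"
ISO_MNT="${ISO_MNT:-/mnt/tmp}"

# A partition start is aligned when it is a multiple of 2048 512-byte
# sectors (1 MiB); misaligned partitions make the live system boot slowly.
aligned_start() { [ $(( $1 % 2048 )) -eq 0 ]; }

# True when a mounted filesystem comes from this device (e.g. /dev/sdc1),
# so a mistyped device name does not wipe a disk that is in use.
device_in_use() { [ -r /proc/mounts ] && grep -q "^$1" /proc/mounts; }

prepare_usb() {
    dev="$1"
    : "${ISO:?set ISO to the path of the generated installer image}"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if device_in_use "$dev"; then
        echo "$dev has mounted partitions, refusing to repartition it" >&2; return 1
    fi
    # One 511 MB Linux partition from sector 2048 (fdisk: n, p, 2048, +511M, w).
    printf 'start=2048, size=511MiB, type=83\n' | sfdisk "$dev"
    start=$(cat "/sys/class/block/$(basename "$dev")1/start")
    aligned_start "$start" || echo "warning: start sector $start is not 1 MiB aligned" >&2
    mkfs.ext2 -L POTTS_USB_LIVE "${dev}1"
    mkdir -p "$USB_MNT" "$ISO_MNT"
    mount "${dev}1" "$USB_MNT"
    mount -o loop,ro "$ISO" "$ISO_MNT"
    trap 'umount "$ISO_MNT" "$USB_MNT"' EXIT   # always leave the drive unmounted
    cp -r "$ISO_MNT/arch" "$USB_MNT"
    mkdir -p "$USB_MNT/potts" "$USB_MNT/boot/grub"   # potts/: encrypted DEK, nonces, ...
    cp build-tgrub/bin/stage? menu.lst "$USB_MNT/boot/grub/"
    # The same four grub-shell commands as in the manual steps, fed non-interactively.
    ./build-tgrub/bin/grub --batch <<EOF
device (hd0) $dev
root (hd0,0)
setup (hd0)
quit
EOF
}

# Only act when explicitly asked, so the file can be sourced just for its checks.
if [ "${1-}" = "--run" ]; then prepare_usb "$DEV"; fi
```

Run it as root with `ISO=archiso-potts/out/<image>.iso sh prepare_usb.sh --run` once the installer image exists; the alignment warning is informational and does not stop the run.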

How was the TrustedGRUB test image created?

    dd if=/dev/zero bs=1k count=10k of=test.img
    cfdisk test.img
    sudo losetup /dev/loop7 test.img
    sudo partx -a /dev/loop7
    # we need to hold TrustedGRUB's hand here...
    sudo ln -s /dev/loop7p1 /dev/loop71
    mkfs.ext2 /dev/loop7p1
    mkdir mnttmp
    sudo mount /dev/loop7p1 mnttmp
    sudo touch mnttmp/TPM_TEST_IMG
    sudo mkdir mnttmp/grub
    sudo cp stage? mnttmp/grub/
    sudo umount mnttmp
    sudo ./grub
Probing devices to guess BIOS drives. This may take a long time.


    Trusted GRUB 1.1.5 (http://trustedgrub.sf.net)
    [ TPM detected! ] (640K lower / 3072K upper memory)

 [ Minimal BASH-like line editing is supported.  For the first word, TAB
   lists possible command completions.  Anywhere else TAB lists the possible
   completions of a device/filename. ]
grub> device (hd0) /dev/loop7
device (hd0) /dev/loop7
grub> find /TPM_TEST_IMG
find /TPM_TEST_IMG
 (hd0,0)
grub> root (hd0,0)
root (hd0,0)
grub> setup (hd0)
setup (hd0)
 Checking if "/boot/grub/stage1" exists... no
 Checking if "/grub/stage1" exists... yes
 Checking if "/grub/stage2" exists... yes
 Checking if "/grub/e2fs_stage1_5" exists... no
 Running "install /grub/stage1 (hd0) /grub/stage2 p /grub/menu.lst "... succeeded
Done.
grub> quit
quit
    sudo rm -v /dev/loop71
    sudo partx -d /dev/loop7
    sudo losetup -d /dev/loop7

    gzip --best test.img

Installation:

sudo dd if=/dev/sdc bs=1k count=20k of=backup.img
gzip -d < test.img.gz | sudo dd of=/dev/sdc

Restoring the USB device after a test:

sudo dd if=backup.img of=/dev/sdc