Yay, finally! After many, many months Miro, a video/audio podcast downloading/viewing application, has entered Debian testing again yesterday. For a very long time one issue after the other kept Miro out of testing, partly serious application bugs, partly autobuilder issues and other stuff. I had almost given up hope, but luckily my 1.2.3-2 upload has now finally entered testing, just in time for the freeze...

This year's Underhanded C Contest has been announced. If you haven't yet heard of the contest (which is pretty much the opposite of the International Obfuscated C Code Contest) here's a quick intro:

The Underhanded C Contest is an annual contest to write innocent-looking C code implementing malicious behavior. In this contest you must write C code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

This year's topic is Leaky Redaction:

Write a short, simple C program that redacts (blocks out) rectangles in an image. The user feeds the program a PPM image and some rectangles, and the output should have those rectangles blocked out.
[...]
Your challenge: write the code so that the redacted data is not really gone. Ideally the image would appear blocked-out, but somehow the redacted blocks can be resurrected.

The deadline for submissions is September 30th, 2008. Winners will get a $100 ThinkGeek gift certificate (plus eternal fame, of course). In 2005 I took part in this contest together with Daniel Reutter which was really great fun. See underhanded2005.tar for our entry (the topic was "covert fingerprinting" in 2005) and the comments from the judges for our entry (as well as the other entries).

Today seems to be Firefox/Iceweasel 3 Bashing Day on Planet Debian, so let me join the fun :) I agree with most other people that the default Firefox/Iceweasel 3 config is not ideal, so here's what I did to fix it. Some of these items improve performance, some remove annoyances, some remove privacy issues, some remove security issues. Not everything here may be desirable for people other than me. General

• Disable the bookmarks toolbar via "View / Toolbars / Bookmarks Toolbar", nobody needs that and we save some screen space. Remove all pre-defined bookmarks while we're at it.
• Select "View / Toolbars / Customize".
  • Add the "New Tab" button/icon right after the "Home" button. This is probably the most-used button (for me at least) and it's not available per default...
  • Click "Use Small Icons", there's no reason to waste screen space.
  • Remove the Google search bar (useless).
  • Now move all icons and the URL bar into the menu bar (I'm not kidding). After that you can disable the nagivation toolbar via "View / Toolbars / Navigation Toolbar" and save even more screen space.

Preferences Select "Edit / Preferences". Main:

• Select "When Iceweasel starts: Show a blank page".
• Set "Home Page" to whatever you see fit.

Tabs:

• Enable "Always show the tab bar".

Content:

• At the right-hand side of "Enable JavaScript" click "Advanced" and uncheck all checkboxes. JavaScript stuff shouldn't need to do any of those operations.
• Uncheck "Enable Java". Nobody needs this crap and it's a huge security risk.

Privacy:

• Disable "Keep my history for xyz days" completely. Huge privacy risks.
• Disable "Remember what I enter in forms and the search bar". Huge security and privacy risks, almost no gain.
• Disable "Remember what I've downloaded". Huge privacy risks.
• Uncheck "Accept third-party cookies".
• Choose "Keep until: I close Iceweasel".
• Click "Show Cookies" and remove all of them.
• Enable "Always clear my private data when I close Iceweasel". Click "Settings" and check all items. You want to purge everything when closing Iceweasel.

Security:

• On the right-hand side of "Warn me when sites try to install add-ons" click "Exceptions" and remove all exceptions.
• Disable "Tell me if the site I'm visiting is a suspected attack site". Useless crap, possibly a privacy issue.
• Disable "Tell me if the site I'm visiting is a suspected forgery". Useless crap, possibly a privacy issue.
• Disable "Remember passwords for sites". This is a huge security risk, never ever enable it!

Advanced:

• "General" tab:
  • Enable "Warn me when web sites try to redirect or reload the page".
  • Disable "Check my spelling as I type". Useless, annoying crap, which probably even impacts performance.
• "Update" tab:
  • Disable "Automatically check for updates to: Installed Add-ons".
  • Disable "Automatically check for updates to: Search Engines".
  • Select "When updates to Iceweasel are found: Ask me what I want to do".
about:config Open a new tab, enter "about:config" as URL and hit ENTER. Click the annoying "I'll be careful, I promise!" button. Uncheck "Show this warning next time" while we're at it.
• Set browser.urlbar.matchOnlyTyped = true to disable the new, annoying "AwesomeBar" URL bar feature (which is also a huge privacy risk).
• Browser tabs are way too huge for my taste (thus only very few fit on the screen). Fix it with browser.tabs.tabMinWidth = 60 and browser.tabs.tabMaxWidth = 60 (needs a browser restart). You can even use less than 60 if you don't need any text and an icon per tab is enough for you.
• Disable the annoying, flashing auto-search stuff when you select "Tools / Add-ons / Get Add-ons": Set extentions.getAddons.showPane = false.
• Set bidi.support = 0. You'll probably never need it, so reduce the number of potential bugs and security issues by disabling it.
• Self-signed certificate handling is annoying, so fix it with: browser.ssl_override_behavior = 2 and browser.xul.error_pages.expert_bad_cert = true (thanks Pierre Habouzit).
• Set browser.tabs.closeButtons = 3 in order to prevent accidental closing of tabs (no more Close buttons on each tab, only one global Close button on the right). Yes, CTRL+Shift+T helps in case it still happens.
• Set network.prefetch-next = false to prevent random prefetching of webpages which means wasting CPU cycles and bandwidth, as well as subtle privacy and security issues.
Plugins None. Don't even think about installing crap like the closed-source Flash player if stability or security are important to you. If you absolutely must watch YouTube videos, I recommend youtube-dl. Extensions Use as few as possible. Every extention may have security problems or bugs, and can negatively affect performance etc. Pretty much the only one I use is NoScript to selectively enable JavaScript for some trusted websites (and disable it for all other sites).

Here's a quick HOWTO for setting up your own secure pseudo-dynamic DNS (DDNS) server. It's not a "real" DDNS service, i.e. you won't be able to use standard DNS tools or protocols to talk to the server, but it covers 98% of all functionality I expect from a service such as DynDNS or similar ones: It tells me the IP address of a certain box which doesn't have a static IP address (e.g. my home-server). Requirements You'll need:

• A Linux box with dynamic IP address (dial-up modem/DSL), I'll call it homeserver from now on. This is the box whose public IP address I want to be able to find out.
• A public Linux box with static IP address (or known DNS name) where you have a user account and ssh access. I'll call this box publicserver.

Setup On the homeserver:

• Add a non-root user account (e.g. user) just for the purpose of this mechanism: adduser user. The user doesn't need any special permissions.
• Create an ssh key with an empty passphrase for the user: ssh-keygen -t rsa -b 2048. This is required as you'll want to run ssh commands via cronjob later.
• Add a cronjob which runs regularly (as user), e.g. once per 10 minutes:
  
5,15,25,35,45,55 * * * * user ssh -x user@publicserver /home/user/updateip


On the publicserver:

• Add a non-root user account (e.g. also named user) just for the purpose of this mechanism: adduser user. The user doesn't need any special permissions.
• Add the public ssh key (/home/user/.ssh/id_rsa.pub) of user@homeserver to the publicserver's /home/user/.ssh/authorized_keys, so that the homeserver user can login on the remote publicserver without password (i.e. non-interactively).
• Put the updateip script (see below) into /home/user/updateip and make it executable.

The script Finally, here's the content of the updateip script:

  #!/bin/sh
  # Update IP address.
  echo $SSH_CLIENT   cut -d " " -f 1 > /home/user/homeserverip.txt

So to summarize: the homeserver's user simply executes the updateip script on the remote publicserver, which in turn abuses the $SSH_CLIENT environment variable which contains the public IP the ssh connection was coming from (which is exactly what we're looking for). We store that IP in the homeserverip.txt file, which will always contain the latest-known IP address of the homeserver (because of the cronjob). Getting the current homeserver IP address You can now retrieve the current IP address of your homeserver easily from anywhere (i.e. from your laptop when you're in another, possibly hostile network) in order to connect to your homeserver:

  $ ssh -x user@publicserver cat /home/user/homeserverip.txt

To make this a bit more convenient you can add a shell alias (e.g. into ~/.bashrc):

  alias homeserverip='ssh -x user@publicserver cat /home/user/homeserverip.txt'

Or, to conveniently login to your homeserver as user:

  alias homeserverlogin='ssh -x user@ ssh -x user@publicserver cat /home/user/homeserverip.txt '

Conclusion, advantages This may not be the most elegant solution, and it has a number of drawbacks when compared to services such as DynDNS, but it's sufficient for me and it also has some advantages:

• You're not dependent on the DDNS service provider. For instance DynDNS recently changed their policy to only allow one update per 28 days, which totally sucks. They then disabled the service completely until I updated my ddclient config and contacted them, i.e. I wasn't able to connect to my homeserver for quite a while, which also sucks.
• The ssh-based solution is secure and encrypted, in contrast to some other DDNS services, which only allow unencrypted HTTP-based connections (yes, some do allow https/SSL connections).
• This solution doesn't require in-depth DNS server config knowledge, neither does it require a DNS server you control. You only need a (non-root) ssh account on a public server (or virtual server).

Personally I'm currently using this mechanism for two things, more might follow:

• Connect to my homeserver via ssh.
• Get the homeserver's IP address so I can update my OpenVPN client config file on my laptop (I use my homeserver as OpenVPN server).

So far it works pretty nicely. Update 2008-06-24: Various fixes and simplifications. SSH key must be password-less. Don't run cronjob once per minute, that's overkill.

OK, so I've been hacking on and testing my shiny new One A110 mini-laptop during the last few days and I must say I'm very happy with it. I'll write up some more details later (check the wiki if you're impatient), but today I want to highlight a very nice feature of this laptop (compared to, for instance, the Eee PC): The VIA C7-M ULV CPU in the laptop has VIA Padlock support. VIA Padlock is a hardware feature in recent VIA CPUs which provides hardware-accelerated AES and SHA-1/SHA-256 support, among other things. This can be used in Linux (with the proper drivers and patches) to improve performance of dm-crypt, OpenSSL (and all programs using it), scp, sha1sum, OpenVPN, etc. etc. I have written a quite extensive VIA Padlock HOWTO and benchmarks in the A110 wiki (but all of this will work on other systems which have VIA Padlock, too). To summarize, here are the most important benchmarks: dm-crypt (256bit AES, cbc-essiv:sha256) Without VIA Padlock support:

$ hdparm -tT /dev/mapper/hdc2_crypt
/dev/mapper/hdc2_crypt:
 Timing cached reads:   448 MB in  2.00 seconds = 223.47 MB/sec
 Timing buffered disk reads:   22 MB in  3.07 seconds =   7.17 MB/sec

With VIA Padlock support:

$ hdparm -tT /dev/mapper/hdc2_crypt
/dev/mapper/hdc2_crypt:
 Timing cached reads:   502 MB in  2.00 seconds = 250.41 MB/sec
 Timing buffered disk reads:   90 MB in  3.07 seconds =  29.36 MB/sec

The native speed of the SSD in the laptop is 31.01 MB/sec, so there is almost no performance penalty when using VIA Padlock. OpenSSL OpenSSL speed benchmark, first line without Padlock, second line with Padlock enabled:

$ openssl speed -evp aes-256-cbc [-engine padlock]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       9187.18k    10572.28k    11054.32k    11179.36k    11218.02k
aes-256-cbc      47955.92k   150619.73k   325730.73k   458320.11k   520520.79k

ssh/scp Without VIA Padlock support:

$ scp -c aes256-cbc bigfile.dat localhost:/dev/null
bigfile.dat                100%  159MB   5.9MB/s   00:27

With VIA Padlock support:

$ scp -c aes256-cbc bigfile.dat localhost:/dev/null
bigfile.dat                100%  159MB  14.5MB/s   00:11

OpenVPN A real speed benchmark is pending (not measurable easily on 100MBit LAN, will try on a slower link), but as OpenVPN uses OpenSSL is should have roughly the same speedup iff you tell OpenVPN to use AES (it uses Blowfish per default). Also, there's a measurable difference in CPU load while tranferring large files over OpenVPN: 8% CPU load with VIA Padlock (vs. 20% CPU load without VIA Padlock). sha1sum / phe_sum phe_sum is a small C program which can be used as drop-in replacement for sha1sum (which doesn't support VIA Padlock yet). Quick benchmark: sha1sum, without VIA Padlock:

$ time sha1sum bigfile.dat
real    0m6.511s
user    0m5.864s
sys     0m0.412s

phe_sum (with VIA Padlock support):

$ time ./phe_sum bigfile.dat
real    0m1.149s
user    0m0.704s
sys     0m0.424s

All in all VIA Padlock gives you a pretty impressive speedup for many crypto-using applications on Linux, which is especially useful on the A110 mini-laptop (think OpenVPN or scp for mobile usage, and dm-crypt for an encrypted SSD, of course).

Just in case you haven't yet watched it: Big Buck Bunny. Great animated video created mainly using Blender, released under the Creative Commons Attribution 3.0 license. The soundtrack/score is now also available under a CC license (as is lots of other "raw" material for the movie).

OK, so I've spent my last money on the One Mini A110 subnotebook recently. Yep, yet another ASUS Eee PC clone, but this one has the great benefit of costing only 199.- Euros and has similar specs as the Eee PC 2G Surf (700), I think. This is really a great little machine as far as I can tell. It's a VIA C7-M ULV 1GHz with 512MB DDR2 RAM and a 2 GB Solid-State-Disk (SSD), 7" screen at supposedly 800x480, VGA out, card reader slot for SD/MMC/MS, 2x USB, wireless, modem, audio. No webcam, no bluetooth. Yesterday I created a wiki at a110wiki.de (for the A110, but also the A120 from the same vendor, which has a 4 GB SSD), where A110 users can collect information, HOWTOs, photos, etc. There's already quite some content there, especially some early tutorials and photos on the inner workings of the A110. Today I've installed a stock Debian unstable distro on the SSD with 2.6.25 kernel, and I'm currently checking which parts of the hardware work out of the box, and which need further fixing. There's a a bunch of source code tarballs and patches on the vendor website, but most of it seems to be meant for 2.6.22, we'll see if and/or how much work it'll take to merge all this upstream (if it's not already done)... My Debian Installation HOWTO is also available from the wiki, of course; I'll add more info and photos during the day. Now for all interested parties: The vendor of the A110 has (again) announced a special weekend offer (valid until Sunday, June 1, 2008, i.e. tomorrow) where they'll sell the A110 for 199,- Euros again, the regular price will be 229,- Euros after that. So if you're thinking about buying one, now is probably the right time. Check the wiki for issues which are important to you, some quirks remain at this point (but will probably mostly be figured out sooner or later), e.g. the wifi seems to have issues (the vendor said they'll send a driver update to all affected customers), the RAM is builtin and can't be upgraded, and some other, more or less important issues, depending on what you expect from the laptop. For real-time communication there's also the #a110 IRC channel on Freenode.

FYI, if you're not using xdm/kdm/gdm but are instead starting the X11 server manually with startx (which is what I usually do) you might have experienced brokenness in Debian unstable recently:

Fatal server error:
Unrecognized option: /etc/X11/xinit/xserverrc

This is already reported as bug #482425 and #482527 and should hopefully be fixed soon, but in the meantime this patch against /usr/bin/startx should work around the issue:

--- /usr/bin/startx.orig 2008-05-26 18:21:26.000000000 +0200
+++ /usr/bin/startx     2008-05-26 18:21:36.000000000 +0200
@@ -107,9 +107,7 @@
 if [ x"$server" = x ]; then
     # if no server arguments or display either, use rc file instead
     if [ x"$serverargs" = x -a x"$display" = x ]; then
-       server=$defaultserver
        serverargs=$defaultserverargs
-       display=$defaultdisplay
     else
        server=$defaultserver
     fi

Hope that saves some people out there lengthy investigations and hassle.

Quick newsworthy item related to coreboot, which I wanted to mention a lot earlier, but then forgot about it: Silicon Mechanics is shipping their Rackform nServ A236 with coreboot pre-installed if so desired by the customer. From the coreboot News page:

Chris Watson at Silicon Mechanics says: "We will commit to offering coreboot preinstallation on the Rackform nServ A236 with a specific set of hardware and software. In the future, we may expand the program to additional platforms based on customer interest." The A236 is a nice 1U server with 4 drive bays and a dual Opteron board (Supermicro H8DMR), which is supported in coreboot v2.

Nice to see more and more vendors shipping their products with coreboot pre-installed...

You might remember that I wrote a blog entry about my switch to the green electric utility "Lichblick" (Germany) a while ago. I did that purely out of environmental reasons, I didn't want to continue to waste money on polluting and/or dangerous crap such as fossil or nuclear power. Yes, even if that meant a slightly higher price (but I really didn't compare prices much before switching — I was after an environmentally clean solution, not the cheapest solution). Quick status update: the switch went really nice and easy, no downtimes, no hassle. I've been a happy customer for more than 8 months now. Today in my snail mail inbox: a letter from Lichtblick that they're going to reduce the price per kWh from 20.25 to 19.99 (Euro) cents starting July 1st and they give you a guarantee that there won't be any price raises before the end of 2009 (more details also here). Now, that's a positive surprise there. Compare that to 98% of all other energy providers in Germany who have lately increased prices quite a lot for very obscure or non-existant reasons. Yes, I do realize that the reduced costs are not that dramatic, and Lichtblick is using this as a means to impress people and gain new customers. But I fully support them in doing so, the more people are switching to a green energy provider the better, if you ask me. I encourage everyone to consider switching, either to Lichtblick, or some of their competitors (in Germany) e.g. Greenpeace energy, Elektrizit tswerke Sch nau, or Naturstrom AG. There are various alternatives in other countries too, of course.

You might have already heard of it — the new Nine Inch Nails album "The Slip" has been released by them under the Creative Commons BY-NC-SA 3.0 US license. Yep, that's right, it's totally legal to download it from the web — and use it for any non-commercial purposes! It's a bit annoying that they want your email address, though. Nothing that bugmenot.com (or similar) cannot fix, but still. Luckily, the files are now also available from archive.org! This, and the fact that the music is CC-licensed allowed me to "play" one of the songs in my Creative Commons music podcast (RSS), and more will likely follow.

www.ted.com is a premier partner for the Miro player [1]. This is a free player for free online content, the site www.getmiro.com has the player for download, it has binaries for Mac OS/X, Windows, and Ubuntu as well as the source (GPL licensed), it is in Debian/Unstable. It supports downloading in a number of ways (including bittorrent) and can keep the files online indefinitely. A Debian machine connected to the net could be a cheap implementation of my watching while waiting idea for showing interesting and educational TV in waiting areas for hospitals etc [2]. When I first checked out the getmiro.com site it only seemed to have binaries for Mac OS/X and Windows. But now I realise that it’s been in Debian since 11 Sep 2007 under the name Miro and since 12 Jun 2006 under the name Democracyplayer. I have only briefly played with Miro (just checked the channel list) and it seems quite neat so far. I wish I had tried this years ago. Good work Uwe Hermann! I hope that the Miro player will allow me to more easily search the TED archives. Currently I find the TED site painful to use, a large part of this is slow Javascript which makes each page take an unreasonable delay before it allows me to do anything. I am not planning to upgrade my laptop to a dual-core 64bit machine just to allow Firefox to render badly written web pages. Biella recently wrote about the Miro player and gave a link to a documentary about Monsanto [3]. One thing I really like about this trend towards publishing documentaries on the net is that they can be cited as references in blog posts. I’ve seen many blog posts that reference documentaries that I can’t reasonably watch (they were shown on TV stations in other countries and even starting to try tracking them down was more trouble than it was worth). Also when writing my own posts I try and restrict myself to using primary sources that are easy to verify, this means only the most popular documentaries.

• [1] http://blog.ted.com/2008/01/miro_player_lau.php


• [2] http://etbe.coker.com.au/2008/02/23/watching-while-waiting/


• [3] http://healthhacker.org/satoroams/?p=907

Share This

There are situations where you might want to redirect some audio you're playing on your local computer to another computer's speakers, potentially in a different room, or even anywhere on the Internet. One of many possibilities to do that is to use the Enlightened Sound Daemon (EsoundD, or esd). It ships with a program called esddsp (apt-get install esound-clients) which can redirect various audio sources. First, you have to start the esd daemon on a console on the remote host (the one which should output the audio on some speaker, for example 192.168.0.xxx) e.g. like this:

  $ esd -public -nobeeps -tcp

You can do this as regular user (no need to be root) if you have the proper permissions. You also need to allow connections on port 16001 in your firewall settings. Then you can redirect audio to that daemon from another computer. In this example I'm redirecting some music using various players:

  $ esddsp -s 192.168.0.xxx:16001 mpg321 -o esd foo.mp3
  $ esddsp -s 192.168.0.xxx:16001 mplayer -ao esd foo.mp3
  $ esddsp -s 192.168.0.xxx:16001 ogg123 -d esd foo.ogg

This also works fine for videos, in which case you can redirect the audio (but not video):

  $ esddsp -s 192.168.0.xxx:16001 mplayer -ao esd foo.mp4

For the video player Miro, I've recently documented this in the Debian package's README.Debian file. Basically you have to edit ~/.xine/config and enable audio.driver:esd there, then start Miro with

  $ esddsp -s 192.168.0.xxx:16001 miro

Audio will be emitted on the remote host, video remains on your local PC. Some programs may also support esd natively, in which case esddsp is not required, e.g.

  $ ogg123 -d esd -o host:192.168.0.14:16001 foo.ogg

The coreboot project (previously known as LinuxBIOS) is taking part in the Google Summer of Code™ 2008 program. This year, the project has been assigned two slots/students who will work on the following projects:

• All Virtual All The Time (AVATT):

This project aims to integrate into the coreboot BIOS a payload consisting of a minimalist KVM-aware Linux kernel along with an initrd image that contains the tools needed for creating and starting guest virtual machines installed on top of it. The resulting system could host any x86(or x86-64) OS that can run over KVM (almost any major OS does), and there is a great challenge to make it as small as possible, so that it can fit in a 2MB flash image.

SCSI booting in coreboot:

Currently coreboot can not boot from an arbitrary SCSI controller. There are two solutions for the problem: (1) Use Linux and Kexec. This requires to keep the SCSI driver in the flash chip. (2) Use x86emu/vm86/ADLO and the int13 method. This would allow to use the PCI option rom available on all modern SCSI controllers. So we obviously need a solution based on the latter. This could as well be implemented as a Linux program, as an intermediate payload, or as a shared library. At this point of time, I would like to implemente it as a daemon program. The program needs to catch the int13 interrupt vector that the SCSI option rom installs and make it available to arbitrary (firmware/payload) code trying to load something from disk.

This should make for an interesting summer with nice improvements for coreboot.

Uwe Hermann has described how to resize a root filesystem after booting from a live-cd or recovery disk [1]. He makes some good points about resizing an LVM PV (which I hadn’t even realised was possible). The following paragraph is outdated, see the update at the end:
Incidentally it should be noted that if your root filesystem is an LVM logical volume then it can’t be resized without booting from a different device because the way LVM appears to work is that the LV in question is locked, then files under /etc/lvm/ are written, and then the LV is unlocked. If the LV in question contains /etc/lvm then you deadlock your root filesystem and need to press reset. Of course if your root filesystem is on an LV which has been encrypted via cryptsetup (the LV is encrypted not the PV) then a live resize of the root filesystem can work as locking the LV merely means that write-backs from the encryption layer don’t get committed. I’m not sure if this means that data written to an encrypted device is less stable (testing this is on my todo list). If your root filesystem is on a partition of a hard drive (such as /dev/hda2) then it is possible to extend it without booting from different media. There is nothing stopping you from running fdisk and deleting the partition of your root filesystem and recreating it. When you exit fdisk it will call an ioctl() to re-read the partition table, the kernel code counts the number of open file handles related to the device and if the number is greater than 1 (fdisk has one open handle) then it refuses to re-read the table. So you can use fdisk to change the root partition and then reboot to have the change be noticed. After that ext2online can be used to take advantage of the extra space (if the filesystem has a recent enough version of the ext3 disk format). One thing he didn’t mention is that if you do need to boot from another device to manipulate your root filesystem (which should be quite rare if you are bold and know the tricks) then you can always use your swap space. To do this you simply run swapoff and then run mkfs on the device that had been used for swap (incidentally there is nothing really special about the swap space, but it does tend to often be used for such recovery operations simply because it has no data that persists across a reboot). The minimum set of files that need to be copied to a temporary filesystem is usually /bin, /sbin, /dev, /lib (excluding all directories under /lib/modules apart from the one related to the kernel you are using), and /etc. Also you should make directories /proc, /sys, and /selinux (if the machine in question runs SE Linux). The aim is not to copy enough files for the machine to run in a regular manner, merely enough to allow manipulating all filesystems and logical volumes. Often for such recovery I boot with init=/bin/bash as a kernel parameter to skip the regular init and just start with a shell. Note that when you use init=/bin/bash you end up with a shell that has no job control and ^C is not enabled, if you want to run a command that might not terminate of it’s own accord then the command “openvt /bin/bash” can be used to start another session with reasonable terminal settings. I recommend that anyone who wants to work as a sys-admin experiment with such procedures on a test machine. There are lots of interesting things that you can learn and interesting ways that you can break your system when performing such operations. Update: Wouter points out that the LVM bug of deadlocking the root filesystem has been fixed and that you can also use ext2online to resize the mounted filesystem [2].

• [1] http://www.hermann-uwe.de/blog/resizing-a-dm-crypt-lvm-ext3-partition


• [2] http://www.grep.be/blog/en/computer/cluebat/actually_you_can

Share This

I've bought a new hard drive for my laptop recently because I finally got fed up of my constantly-full disk. Having to browse around in $HOME looking for stuff which can be safely deleted just because I want to run fetchmail (and that would fill up my disk) just sucks. So, after getting a cheapo 160 GB 2.5" disk (the old one was 80 GB), I had to move all my data to the new disk. As I didn't want to re-install from scratch I started with dd'ing the whole disk over to the new one (using a live CD and an external USB hard-drive enclosure). This took pretty long, but went fine otherwise. The new disk then contained all my partitions (hda1-hda3) and also GRUB in the MBR etc., as expected, but was still only 80 GB in size, of course. So the first step is to enlarge the hda3 partition, which is a dm-crypt volume that contains various LVM logical volumes (for /home, /usr, /var, swap, etc.), each of them using the ext3 filesystem (except for the swap volume, of course). 0. Perform backups, boot from a live CD Important: If you plan to perform any of these steps, make sure you have recent backups! I take no responsibility for any data loss you might experience. You have been warned! First off, you should boot from a live CD which has all the tools you'll need, including cryptsetup, LVM tools, resize2fs, etc. You can use the nice grml live CD for instance. 1. Resize partition This sounds scary (and it is!), but the way I enlarged the encrypted hda3 partition was by first deleting it via fdisk. First, issue the "p" command in fdisk, write down the exact start cylinder of hda3. Then delete hda3. Now create a new hda3 partition which starts at exactly the same cylinder as the old hda3 but is larger, i.e. in my case it has ca. 80 GB additional space. Your data will still be there if you don't screw up, and the partition is bigger now. Using something like gparted will likely not work as expected, as the partition is encrypted! 2. Resize dm-crypt volume Nothing to be done, it seems dm-crypt automatically adapts and notices that the partition is bigger. Just "open" the encrypted volume using cryptsetup now:

  $ cryptsetup luksOpen /dev/hda3 foo

3. Resize LVM physical volume Next step is to tell LVM about the new space. We first resize the LVM physical volume on the foo "partition".

  $ pvresize /dev/mapper/foo

That will use all newly-available space for the volume. 4. Resize LVM logical volume Now we can pump the new space into any of the logical volumes (or into multiple ones). I only increased one logical volume, my /home:

  $ lvresize -L +74 GB /dev/vg-whole/lv-home

5. Resize ext3 filesystem The final step is to resize the ext3 filesystem on the lv-home logical volume (after running the obligatory fsck -n). I first used ext2resize, but that failed horribly:

  $ fsck -n /dev/vg-whole/lv-home
  $ ext2resize /dev/vg-whole/lv-home
  error: Invalid argument: seeking to 3258921205760

This seems to be a known bug, ext2resize apparently cannot handle large disks or something, and as I found out a few minutes later it's pretty much deprecated anyway. The better solution is to use resize2fs:

  $ fsck -n /dev/vg-whole/lv-home
  $ resize2fs /dev/vg-whole/lv-home

That's it. We can now reboot the system from disk and enjoy ca. 80 GB of additional hard drive space. Yay!

If you want to generate a custom Debian live CD, including only the tools you want (and maybe additional tools you don't find in other live CDs) there's a really simple solution: live-helper. Creating a basic bootable Debian live CD ISO image in the current directory is as simple as:

  $ lh_config
  $ lh_build

That's it. The result will be a file called binary.iso, which you can either burn on a CD-ROM via

  $ wodim binary.iso

or test in QEMU using a command line like this:

  $ qemu -boot d -cdrom binary.iso

Of course there are many possibilities to customize the generated image to your likings, see the documentation in the Debian wiki, or the lh_config/lh_build manpages. Please note that live-helper can not only generate CD ISOs, but also bootable DVDs, images for USB thumb drives, or netboot images. There's also a nice GUI called live-magic which will make the process a bit easier if you don't like doing things on the command line.

Just FYI: The student application deadline for this year's Google Summer of Code has been postponsed to Monday, April 7, 2008. So, if you've been thinking about applying as a student for one of the many, many accepted open source projects (Debian, Linux, NetBSD, subversion, vim, or coreboot — just to name a few) you still have a few days left...

Just in case you haven't already read about this... Some researchers from Princeton have published a paper about methods which can be used to attack full-disk-encryption (FDE) schemes. They have demonstrated that at least BitLocker (Windows Vista), FileVault (MacOS X) and dm-crypt (Linux) are vulnerable to this type of (partly hardware-based) attack scenarios. Quite likely lots of similar other solutions are vulnerable as well. The main problem is that (contrary to popular belief) RAM does indeed retain its data for a non-trivial amount of time after power is cut (seconds, even minutes or hours if it's cooled down enough), so you can mount some new attacks such as:

• Get physical access to laptop/computer, cut power to it (the hard way), reboot with a special live CD or USB thumb drive and some special software which dumps the RAM contents to an external disk (or sends it via network). As RAM contents are still there a few seconds after the power is cut, this works astonishingly well.
• Get physical access to laptop/computer, open it, remove RAM DIMMs while the computer is running, insert them into your own prepared computer and read the RAM contents using some special software.

Yes, all attacks assume that the attacker has physical access to your PC/RAM, in which case you already have several other problems. Still, the new thing about this is that even full-disk-encryption doesn't help much in some cases. You probably shouldn't depend too much on it (but you shouldn't stop using disk encryption either, of course!). Full paper: coldboot.pdf. There are also some demo videos and pictures. More coverage at Boing Boing, Bruce Schneier's weblog, Freedom to Tinker, Slashdot, Heise (German), and many more... Make sure to read the comments of the various articles for more scenarios and possible ideas for how to prevent such attacks. Some ideas include enabling the BIOS RAM checks (which might explicitly erase RAM contents on reboot; that doesn't help in all cases, though) or using coreboot (previously LinuxBIOS) to erase RAM contents at boot-up and/or shutdown. It's a highly non-trivial issue, though, there's no easy and complete fix so far. The only sure way is to not have your laptop or PC stolen and to not give attackers physical access to your computers.

Public Service Announcement: The LinuxBIOS project, a Free Software project which intends to replace the proprietary BIOS found in most computers these days, has been renamed to coreboot. The old name has become quite a misnomer in recent years; the name LinuxBIOS created the impression that it's a drop-in BIOS-replacement and that it's using Linux or is Linux-specific in any way. Neither is the case.

• coreboot is not a BIOS in the sense that it provides the legacy BIOS callbacks / interrupt routines. Instead, coreboot is just a small hardware initialization firmware. It does some basic hardware init, then hands over control to one of many possible payloads. This can be a boot loader such as FILO (or GRUB2, which shall ultimately replace FILO) if you want to boot from disk, or Plan 9, or memtest86, or a Linux kernel, or OpenBIOS/OpenFirmware/SmartFirmware, or...
• coreboot is not Linux or Linux-specific. Yes, it can indeed use Linux kernels as payload (i.e., you put the Linux kernel in your flash ROM chip together with coreboot) or boot a Linux kernel indirectly using FILO/GRUB2. But as mentioned above it can also be used (together with the fitting payload) to boot other OSes or systems such as Plan 9, Windows, FreeBSD, and others.

The initial author and project leader of LinuxBIOS/coreboot, Ron Minnich, explains in more detail why the renaming was done in his original announcement on the coreboot mailing list.