WEBVTT

00:00.000 --> 00:14.080
Okay, good morning and welcome to my talk about silver blue with disc

00:14.080 --> 00:25.080
encryption and with spicy side story or yeah the main story how I almost lost

00:25.080 --> 00:31.720
everything but going much with them now and the side story about the map tool

00:31.720 --> 00:39.400
and the DDSQ and why you shouldn't be using the DDSQ that's about me I

00:39.400 --> 00:47.520
joined coaching class year and they're working on embedded Linux stuff lately and

00:48.440 --> 00:54.400
using fedora til liplug as a daily driver since I think about five years

00:57.760 --> 01:03.840
okay so what happened you know just casual morning

01:05.440 --> 01:08.080
kind of hacking around with some embedded stuff

01:09.360 --> 01:15.840
have this fancy routes carok 5b board which can boot from all kinds of stuff so you're

01:15.840 --> 01:28.320
imaging scenes back and forth to various devices USB and NVMe wow embedded has NVMe

01:28.320 --> 01:37.560
now as well not fancy stuff anyway somehow you know not fully awake yet I typed

01:37.560 --> 01:51.400
to do the DDSQ of the NVMe but in the wrong terminal which well yeah and at first I

01:51.400 --> 01:56.840
thought well not a big deal that image it's an embedded image just like eight

01:56.840 --> 02:02.960
gigabytes no big deal my SSD's like two terabytes I mean who cares about eight

02:03.120 --> 02:12.520
gigabytes I hope you guys learn something today because if you're not prepared that

02:12.520 --> 02:21.760
can be basically the end of your two terabytes that's what this is basically so

02:21.760 --> 02:31.560
I mean if you look at the default kind of setup if you install silver blue or

02:31.560 --> 02:39.240
I guess any other destroyer usually does it similar you have some kind of some boot

02:39.240 --> 02:47.520
partition stuff if I probably another partition boot where you have the kernel and

02:47.520 --> 02:53.280
things like that in silver blue this is special as you basically have your deployment

02:53.280 --> 03:05.240
there not so you can have multiple things you can have multiple kernels and you can go

03:05.240 --> 03:14.880
back and forth and stuff like that and all atomic but yeah so what happens basically

03:14.880 --> 03:22.560
if eight terabytes you override this whole boot chain and then you have like your

03:22.600 --> 03:27.640
system partition which nowadays you have it encrypted of course because who knows

03:27.640 --> 03:35.280
somebody stills your notebook you don't want all your confidential data to be gone so

03:35.280 --> 03:42.280
it has a looks partition there and of course the first part of that also got wiped

03:42.280 --> 03:51.120
but let's first look because I have the journal of this really nice event not so it's

03:51.120 --> 03:57.600
kind of funny to look at that I mean I did a lot of yoga and stuff so I'm over it

03:57.600 --> 04:03.440
now so I can I could talk about it now it's fine so basically you can see it was

04:03.440 --> 04:15.240
October 2 930 I just docked in because that I had some USB message so then yeah I

04:15.240 --> 04:22.800
was playing with this image stuff I like I said so I actually even was also looking at

04:22.800 --> 04:31.880
some of this disk image so I did some LL set up stuff just to look at this disk

04:31.880 --> 04:38.600
images of these embedded devices and kind of poke those I mounted some loop

04:38.600 --> 04:46.280
mounted some stuff things like that and then I plugged in a USB stick not

04:46.280 --> 04:55.280
because I wanted to basically that was what I wanted to write to not so very nice

04:55.280 --> 05:03.240
and then yeah I don't know whether you also do this 30 trick stuff I usually kind of

05:03.240 --> 05:09.040
hate when you have all these convoluted pseudo stuff and then it it asks you about

05:09.040 --> 05:15.440
the password in the middle there so I just kind of prime my terminal to be a pseudo

05:15.440 --> 05:21.080
terminal by just doing like pseudo LS or something I don't know maybe not a good idea

05:21.080 --> 05:29.560
about it and then just kind of copy paste it casually is on command but yeah I was in

05:29.560 --> 05:37.840
the wrong terminal of course yeah and then it's kind of cool you can see that yeah

05:37.840 --> 05:43.880
you this team and immediately kind of woo so if it is happening not know this

05:43.880 --> 05:51.400
is pretty quick but yeah and then I even flush the stuff but I actually flush the USB

05:51.400 --> 05:58.160
stick which doesn't really do much because I didn't write that one but yeah what else

05:58.200 --> 06:04.400
is going on yeah I mean I removed the USB stick and of course I tried it then and

06:04.400 --> 06:12.520
I better device but somehow what what Schlock I mean yeah didn't boot I so it was stupid

06:12.520 --> 06:27.400
thing bad morning no so I actually read tried it again very good didn't kind of I don't

06:27.480 --> 06:38.680
know blurry vision or something flush it again very good remove it again and then I kind

06:38.680 --> 06:45.000
of got mad about the USB stick you know USB sticks they just kind of sock not I don't

06:45.000 --> 06:50.800
know I have so many go bad meanwhile if you're like I don't know 30 years in the carrier

06:50.800 --> 07:02.560
I have an even collector I don't know what you do with broken USB sticks anyway so

07:02.560 --> 07:10.440
I blocked in another one could be Sam these Casabad day try Kingston okay but then

07:10.440 --> 07:19.200
okay wait a minute I started to look into the mask you never know something doesn't

07:19.240 --> 07:31.440
feel right not okay you undo it let's look further I looked at my partitions and kind

07:31.440 --> 07:39.680
of start to realize what happened and then actually it's kind of fun not it's a

07:39.840 --> 07:48.000
rife like half an hour with that but then it had boot partition when started to go bad not

07:50.000 --> 07:56.400
and then that's just a kind of life not in the background it's even doing some updates of course

07:56.400 --> 08:05.040
you want to be up to date doesn't really help in that case because that partition is not too

08:05.120 --> 08:12.720
healthy anymore so yeah a few minutes later the system partition also kind of goes bad

08:14.240 --> 08:24.080
and you know I wear it and the kernel is doing the right thing not remounting it read only

08:24.640 --> 08:28.880
and that's the end of the channel because you don't write any channels to read only drives

08:29.440 --> 08:40.800
yeah that's basically it so how about this description now but imagine at that point in time I

08:40.800 --> 08:48.080
thought well I still thought well not a big deal 8 gigabyte of two terabytes I will just reboot

08:48.080 --> 08:54.480
with some life thing not and just kind of get it going again I mean not a big deal just a

08:55.200 --> 09:01.600
casual morning of some Linux guy not that basically you have around a little bit no problem

09:03.440 --> 09:11.280
but then yeah during installation it sounds really easy not you check this on

09:11.280 --> 09:20.880
crypto system checkbox automatic partitioning anyway lazy not I mean hopefully all the other

09:20.880 --> 09:29.680
guys working on it have chosen good defaults for me not how ever so how does it work

09:31.360 --> 09:40.160
block device encryption not it transparently and creeps the creeps all your stuff and so the

09:41.280 --> 09:49.520
underlying block device only is encrypted data so if you have that data you cannot do anything with it

09:49.520 --> 09:59.040
not until you need the passphrase to mount it and of course it's nice if you get stolen nobody

09:59.040 --> 10:12.000
can decrypt it without the passphrase and now it's basically DM creep looks not a Linux unified keys

10:12.160 --> 10:22.720
it up it's basically specification for this whole encryption things and it specifies on this format

10:22.720 --> 10:31.520
of this and also has the passphrase key management policy all this kind of stuff and

10:31.520 --> 10:41.920
underneath it uses the kernel device map so the subsystem via DM creeped and basically handles

10:42.000 --> 10:50.640
the low level stuff not and for user level operations there are the creep setup utilities

10:52.640 --> 11:00.880
and the op I guess you guys who have no uses it as well that system startup you get kind of presented

11:00.880 --> 11:06.880
with passphrase prompt you entered it and then it's continuous regular good

11:07.040 --> 11:20.000
looks at encryption type block device and it protects content so even if you would remove the storage

11:20.000 --> 11:32.000
device or have a removable storage device you can use it on there and basically it doesn't care about

11:32.000 --> 11:40.400
what data you then put not it transparently just encrypted so you can also use it for swap

11:41.680 --> 11:47.760
that way not not even something can leak if you kind of suspend it and have a swap

11:47.760 --> 11:55.760
partitioners of like that even that is then also encrypted you can also use it for special data like

11:56.480 --> 12:03.440
if you have data bases that use their own you know special format block device whatever

12:04.480 --> 12:11.840
because it transparently encrypts it's underneath and device map are the good thing about that

12:11.840 --> 12:23.280
it's well proven tested subsystem not because also for example LBM uses it and it also has passphrase

12:23.280 --> 12:31.280
strengthening and some protection against dictionary attacks and stuff like that and you can

12:31.280 --> 12:42.080
have multiple key slots so you can have like backup keys or stuff like that however it's not

12:42.080 --> 12:48.240
sweet that you would kind of use that for multiple uses or something like that to have all

12:48.240 --> 12:56.880
their keys not it doesn't really usually only have eight slots of this key passphrase stuff

12:58.880 --> 13:04.400
also not sweet but for kind of file-level encryption things there are other tools for that

13:06.080 --> 13:16.000
the tooling creeps that up and usually the way to reboot and stuff it's handled it's with system

13:16.000 --> 13:24.640
the creep set up so you don't really have to do anything it's all transparently not integrated

13:24.640 --> 13:41.920
into these rows so fedora silver blue less in slurned basically yeah if you wipe your

13:42.560 --> 13:49.920
looks better you're basically gone so you can not really decorate I mean yeah I could wait I still

13:49.920 --> 13:55.680
have a backup of that two terabyte is not maybe with some quantum computer you could

13:55.680 --> 14:04.320
decrypt it in the future but if you don't have the header it's basically just really random

14:04.320 --> 14:14.080
and creep the data you can not do anything that's what I learned and then one thing that I

14:14.640 --> 14:22.720
now did and recommend to do anyway the default boot partition one gigabyte is anyway way too small

14:22.720 --> 14:29.360
if you want to keep multiple deployments in silver blue not I usually keep some deployments of every

14:29.440 --> 14:34.880
kernel version so if I want to try something or things like that I can easily go back not

14:35.680 --> 14:41.360
and then over the years you have fedora version updates and you can capture three

14:41.360 --> 14:53.040
ly go back and decily boot again into whatever old version not so this one gigabyte default just limits

14:53.200 --> 15:00.720
amount of deployments and also in such a disaster case it is rather small so you override the

15:00.720 --> 15:07.040
whole thing and into your system partition so I now did the bigger one I suggest using at least

15:07.040 --> 15:14.320
like 16 gigabytes and then of course the most important thing is backup your loop setter

15:15.280 --> 15:23.280
because I mean honestly that one goes corrupt or whatever you saw it we found that you can not

15:23.280 --> 15:31.360
decrypt your thing it's just come basically there is no way to you to decrypt you this without this header

15:33.600 --> 15:42.160
and it would be only 16 megabyte in size not too big but it's crucial

15:44.560 --> 15:50.640
and of course also backup your keys usually one also does that but and I did and even

15:50.640 --> 15:58.080
printed them but that they're useless without the header you can hang it up on the wall

16:00.480 --> 16:06.320
together with the two terabyte SSD now it's too expensive I'm still using that one

16:07.040 --> 16:17.360
it didn't hurt the SSD basically not it doesn't care using it as a daily driver for the

16:17.360 --> 16:26.000
one of the other blue of course you get used to you just do your things in a with flat pack or in

16:26.000 --> 16:36.560
a toolbox or I think you got denying to two px just relax usually it works not with flat

16:36.560 --> 16:44.960
pack if you have some weirdo issues usually flat seal might help so you can open some things like

16:45.840 --> 16:51.200
at times I have some printing doesn't work or things like that just hack around with

16:51.200 --> 16:57.280
flat seal usually that helps and then of course as a embedded guy you have some kind of

16:57.280 --> 17:08.880
system tools that yeah you basically one problem is if you're in a toolbox of course it's

17:08.880 --> 17:16.880
this root less stuff not so you cannot do real root things on your real system from a toolbox

17:17.600 --> 17:24.240
so there I'm just usually lazy and copy the tool out and just run it like that not I will also show

17:24.240 --> 17:31.280
that later in the in the B map usage that kind of hurts fine because you could also lay your

17:31.280 --> 17:38.880
stuff but I usually avoid doing that too much I mean you could RPM always really lay it not you could

17:39.040 --> 17:44.960
can also install some tools there but it's just I don't know it's not worth it for me

17:46.080 --> 17:57.600
can for tight and stuff with the anyway just use a VM not and then that's another thing I don't know

17:57.600 --> 18:05.600
my ice get worse so and I think it still doesn't default to these fractional scaling stuff but

18:05.680 --> 18:12.880
that's one of the commands I usually enable this and then you can scale it whatever you like not

18:16.080 --> 18:22.240
and with flat tap I usually use an upstream flat top I don't know why fedora

18:23.120 --> 18:29.920
does it their own thing with flat pack or why right as everybody have to do that just use I don't get it

18:30.000 --> 18:39.040
why would you use that anyway so I just flat pack remove everything when I do a new install

18:39.040 --> 18:47.360
and delete this fedora I think feed and just install it from flat up I don't know

18:50.880 --> 18:58.720
then of course silver blue lipohestry previously just called oestry 3ly nice not

18:59.920 --> 19:06.640
from pro check that topic for those guys that's still remember not I also run it on the server

19:06.640 --> 19:17.440
by the way there it's called nowadays core OS where it's fine so you can look at the status of

19:17.440 --> 19:28.960
the early deployments you can look at the oestry lock you can deploy one of the you know available

19:29.040 --> 19:37.360
things and you can look at remote refs and you can basically replace so that's how you

19:38.560 --> 19:46.160
basically change between fedora versions you just do a RPMOS 3 rebase not until reboot and you can

19:46.160 --> 19:54.400
just switch between fedora versions like this nap not and then you can even pin them that way they don't get

19:55.120 --> 20:04.080
basically removed with a further future update not so you can pin and unpin deployments

20:06.320 --> 20:14.400
and yeah it's basically deed for operating system behind it is not so you have versioned

20:14.480 --> 20:25.200
updates for limit space operating system one thing of course I'm also kind of a network I

20:25.200 --> 20:37.760
playing with open WRT a lot and one thing you install wire shark with flat pack and then

20:37.760 --> 20:48.560
you're wondering but how do you now do that because it doesn't show you any interfaces or anything

20:50.480 --> 20:58.880
turns out it's works fairly easily you just separately do your TCP don't match it and then type it into

20:58.880 --> 21:11.920
your flat pack via shark and that you just need to have a cheat sheet how you do that of course

21:11.920 --> 21:22.320
but that works beautifully and yeah you basically missed my USB talk if you're wondering how that works

21:22.320 --> 21:34.320
not I showed it there life with an embedded system and another tour for example melt I use a lot

21:34.320 --> 21:43.360
you know you review code you defeat and you can also do that you just do an ally yes that

21:43.680 --> 21:52.560
basically runs the flat pack stuff underneath yeah watch my other talks with some of this

21:53.360 --> 22:06.960
tips not and this is the bonus track how you do for example the HCPTFTP for embedded use on a silver

22:07.520 --> 22:15.840
where you don't really you know want to kind of lay here some other tools or whatever not it's

22:15.840 --> 22:24.560
actually all ready there you just you have network miniature usually I use some intelligent switch with

22:24.560 --> 22:33.440
wheel hands not and you just have your developer network not wheel and definite you create that

22:34.880 --> 22:42.400
you must create that you add your in the firewall you open the HCP DNS TFP whatever other stuff

22:42.960 --> 22:57.280
and then you just do the meta chair that means it will share that Milan to your regular

22:57.280 --> 23:02.320
so it shares your regular interconnect connections so the embedded device even also can get to the

23:02.320 --> 23:09.920
internet button and then for key of the people you create some folder where you put your stuff

23:09.920 --> 23:20.240
make sure you have to write access stuff as well and then basically with network miniature DNS

23:20.240 --> 23:28.720
mask is integrated not and you can just have this confile and you just in there you say enable TFTP

23:28.720 --> 23:35.920
then it also does TFTP you can give it that folder that you have prepared and you can say what

23:35.920 --> 23:43.840
file it by default should serve and you can even give you know if you know the MAC address of

23:43.840 --> 23:49.840
your embedded devices you can give them their IP addresses and basically do that statically not

23:52.240 --> 24:03.520
works very well okay let's have a look at the side story b map tool

24:04.080 --> 24:15.120
pretty cool it's a generic tool it basically creates block maps for a file and then it allows you

24:15.120 --> 24:22.880
copying files using that block map and of course that is then much faster and more reliable for

24:22.880 --> 24:29.600
large files or such raw system image files that you encounter in embedded use not

24:29.920 --> 24:39.520
original it was created for the ties navi project and it's written in Python of course faster

24:39.520 --> 24:49.360
depends on various factors not the right speed image size and of course how full an image is the so-called

24:49.440 --> 25:02.880
sparseness but in general it proves around 5 to 7 times faster how about integrity usability of it

25:02.880 --> 25:12.720
it verifies data while flashing and it also note this is a possible corruption immediately

25:12.720 --> 25:19.840
and the usability it reads directly also allows directly reading from remote service or you

25:19.840 --> 25:27.840
wouldn't have to copy them locally they images and use the data is protected because it kind of

25:29.120 --> 25:36.080
yeah protect you from such stupidity that I did because it wronged it block device names or

25:36.080 --> 25:44.080
things like that it checks whether a device is mounted and would then you know warn you to really

25:44.080 --> 25:56.960
want to do that not because usually you don't that's how you can use it like I said I just usually

25:56.960 --> 26:05.680
copied out from a regular thing I mean from a toolbox where I installed it and then you can easily

26:05.680 --> 26:15.600
also use that from your regular not toolbox thing where you can run as route which you'd have to

26:15.600 --> 26:23.040
if you want to access a block device not and you can just specify the Python path and run it like that

26:24.000 --> 26:31.200
and it has basically two commands to create to basically take us at a raw image and

26:33.200 --> 26:41.040
investigate it and find out what its sparseness is not and it generates the block map and the copy is then to

26:41.040 --> 26:48.080
actually write once you have the image and the block map right it to a block device

26:48.400 --> 26:57.920
from concept point of view it's the spars files so file system maps blocks of file data to these

26:57.920 --> 27:05.520
sectors not and usually there is a disk index that points to this map blocks and of course if you

27:05.520 --> 27:13.760
have free area that is not mapped yet you basically have holes not in your files and they don't occupy space

27:14.720 --> 27:21.200
and the block map is just an XML file that contains a list of these map area and the raw image is

27:21.920 --> 27:29.600
I mean if you have for embedded systems actually skimiches they hardly ever are fully mapped not

27:29.600 --> 27:36.160
that usually there you might have much bigger storage device than actual data not

27:36.320 --> 27:46.000
and spars files so they have help safety space and when you read from such a file it returns

27:46.000 --> 27:54.640
zeros and when you write to it basically you destroy the whole and sectors get all okay to then not

27:55.600 --> 28:07.200
and notice that some not all tooling handle spars files one of the tools is for example

28:07.200 --> 28:20.480
SCP so if you SCP file it allocates also the whole basically and sparseness is gone and some other tools

28:20.480 --> 28:30.400
require that you explicitly specify that you want to use or keep the sparseness for example

28:30.400 --> 28:39.360
if tar and the arsenic and underneath there are multiple implementations how that is handled in

28:39.360 --> 28:47.600
Linux there are two iocontrols for to find map and on map areas there is the old FIP map

28:48.400 --> 28:54.240
but that requires root privilege so it's not too well-seeded depending on what you want to do

28:54.240 --> 29:04.160
then as there is the newer FIE map and there is also lcc has the vents argument you can use c-call

29:04.160 --> 29:11.760
or c-data that's how you can basically position in the file to the next whole or the next

29:11.760 --> 29:21.920
map area of a file there is also FLK there you can do an FLK default punch-o and that basically

29:22.800 --> 29:32.080
allows on mapping area in the file but one thing you have to also know is not all files system

29:32.080 --> 29:39.280
support all of these variants or even one of the variants there are files systems that basically don't

29:39.360 --> 29:47.120
have a concept of spars files so if you copy a file onto such a file system the whole sparseness

29:47.120 --> 29:55.840
is also gone and even the holes are basically occupying space and it really writes every zero

29:55.840 --> 30:03.680
and everything then not that's basically the real world so depending on some tooling you have to be

30:03.760 --> 30:16.720
really careful DDSQ that is basically when you use it to read stuff I recommend using that because

30:16.720 --> 30:27.120
if you ever have some problems errors then that helps because it automatically does the

30:27.200 --> 30:35.040
writing and reads all the blocks that are still good and then it also has a you have a lock file and

30:35.040 --> 30:54.240
you can do further passes on it and don't use DD because I think you saw that very good time is up

30:54.240 --> 31:04.800
don't know any questions so far and live them or we skip that but basically that is the

31:04.800 --> 31:09.680
life them or not thank you very much