slowpoke well

route 33 to the future

Love Football, Hate the World Cup

It’s not really a secret that I don’t really get Football (or Soccer, for you crazy Americans), and don’t really understand what’s so interesting about watching twenty-two people in mostly single-sex teams chasing a round object. I do understand it’s a thing a lot of people apparently find interesting, though, and I respect that. Other people might not understand why people gather at various places in weird clothing to listen to loud, abrasive music, or hold entire congresses devoted to creative usage of computers and ethical considerations of technology. Or any of the other diverse things the uncountable subcultures on this planet do.

What I do not respect, however, are people who go on to claim that any of the aforementioned things are not political. Nothing is not political, especially if it involves a gigantic international sporting event with several billion dollars of corporate sponsorship and governmental aid behind it – aid that’s missing in so many other areas, like education – in a country where street kids are being murdered by the police to “clean up the city” for the influx of foreign visitors, slums are raided to crack down on drug trafficking without actually trying to fix the problems behind it, child prostitution is common, and social unrest is met with violence and repression by the government.

This is as political as it will ever get. Every conscious supporter of the World Cup, every sponsor, every athlete playing in it, every artist associated with it, and every football fan who doesn’t boycott it are as guilty of the crimes happening in Brazil as the perpetrators – they have the blood of countless innocent victims on their hands, murdered and abandoned for the entertainment of the rest of the world. It’s an insult to any conceivable definition of sportspersonship. And don’t get me started on the braindead surge of nationalism, xenophobia and racism it causes – especially here in Germany.

If you are truly a football fan, if you really love the sport, it is your duty to boycott the World Cup. Instead, go support a cool local football club (i.e. one without a fan scene full of homophobic, racist macho nutjobs). Or better yet: go campaign and protest against the capitalist abuse of your favorite sport.

Fun with UEFI

As a matter of fact, the title of this post is not meant in a sarcastic fashion. If you’ve come here thinking this is a rant about (U)EFI, I’ve got to disappoint you. :)

Anyways, since my SSD recently died and my backups were, ahem, lackluster, I had to set up my system from scratch. Since I didn’t really like the previous setup (LVM on LUKS) anyways, I figured I might as well try root on ZFS again. And if I’m at it, boot the whole thing with UEFI.

Now, I’ve heard some people curse UEFI like it’s the second coming of Bill Gates, and that it’s a royal pain in the ass to get working, etc. As I’m currently writing this from my shiny, new system booting from UEFI, you might guess that I can’t confirm this notion – though your mileage might vary.

Setup

Let’s get started, by stating the initial goal of the install:

  • a shiny new Gentoo GNU/Linux
  • booting entirely off ZFS
  • from within an encrypted LUKS partition
  • without a bootloader
  • and nothing besides the kernel outside of the crypted partition

For the most part, I’ve followed the UEFI Quick Install Guide and the excellent Gentoo Handbook, with a bit of duck-fu on the side. This worked pretty smoothly, and I had no noteworthy problems with getting the entire thing to work.

Now, the interesting part, and the question that most of you will probably have had while reading the list of goals:

“How in the name of Eris are you supposed to boot an encrypted system running off ZFS without a bootloader or an initram?”

How it works

Enter two (more ore less) little-known Linux kernel configuration options: CONFIG_INITRAMFS_SOURCE and CONFIG_CMDLINE. What do they do? Let’s start with the latter: CONFIG_CMDLINE specifies a built-in kernel command line for Linux. Normally, you’d pass options to the kernel from the bootloader, but you can also compile a fixed default one into the kernel. Here is mine (stripped of a few uninteresting things):

CONFIG_CMDLINE="crypt_root=UUID=blahblah real_root=ZFS=KOS-MOS/ROOT/gentoo dozfs=force ro"

The options you see here are used by an initram generated with Gentoo’s genkernel utility, which brings us directly to the other option, CONFIG_INITRAMFS_SOURCE. This option takes a path to a cpio-compressed initram, and builds it directly into the kernel – and that is pretty much the entire magic behind this setup.

Implications

This setup has a few cool side effects, but the most important one is that there is only a single attack vector outside of the encrypted partition (well, two if you count the UEFI implementation). I’ve not tried this yet, but it should be possible to sign the kernel and activate Secure Boot, which would enable a completely trusted boot chain. I’m gonna fuck around with kernel signing a bit this week and maybe post a follow-up.

Caveats

I’m not gonna lie, this setup has its downsides, too. First of all, it’s a pain in the ass to have to recompile (parts of) the kernel if you need to change the boot options. The same goes for changing something in the initram (though I only have to do this very rarely). It’s severely inflexible.

Let’s try that again.

The blogging thing.

This is a temporary solution – and hopefully not one of the permanent temporary ones. I plan to host my own blog soon enough, but for now, I need a place to write. Thus, a WordPress it is – the internationally famous remote shell with blogging plugin. Well, I’m not hosting it, so I don’t care.

It’s sorta fun how much herpaderp I had to disable, though. All the social media idiocy, tweet this, share that, like it, nobody cares. Does nobody fucking know how to just post a link anymore? Or use an RSS reader?

Also, no comments. I try not to read comments, and neither should you. They are a waste of perfectly good time which you could spend in an infinite amount of more productive ways. That’s why they are disabled.