
Bubba overlay for Gentoo

Discuss development on Bubba
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Bubba overlay for Gentoo

Post by Gordon »

For those interested in moving to Gentoo, using Sakaki's excellent Live USB, I'm setting up an overlay to add functions that you will not find in the regular repository.

The overlay can be found HERE

Content:
  • bubba (version 2.6_pre150625)
    A meta package for the Bubba OS on Gentoo. Installs bubba-buttond and bubba-frontend with all their dependencies
  • bubba-frontend (version 2.6_pre150707)
    First beta of the bubba webinterface
  • bubba-buttond (version 1.4-r3)
    A listener service for the power button on the B3 - enables graceful shutdown when the B3 can't be accessed over the net
    • in this revision the helper application write-magic is moved away from /sbin, but a symlink is provided if you do not have sysvinit-9999::bubba installed
  • bubba-easyfind (version 2.6-r4)
    The easyfind service ;) - rewritten for current perl and to use the mybubba.org servers for updating your IP.
    • in this revision USE flags have been added to control what methods you want to install:
      - dhcp : allows automatic renewal of your easyfind record when you receive a new IP
      - remote-router : installs the easyfind service that periodically checks the IP of your router
      Both options are enabled by default - edit package.use to disable
  • sysvinit (version 9999)
    The sysvinit package patched to work with your B3. Allows you to use the normal shutdown and halt commands. Improved sanity check now prevents installation on other systems.
    • Changes from the original version in the Gentoo tree are a revised /etc/inittab and /sbin/shutdown. If you use this on other systems you will have no console and it will only reboot instead of halt or power off
  • Logitech Media Server (version 7.8.0)
    For those that own Squeezebox devices
  • Domoticz (version 9999/rolling - check domoticz.com for actual current revision)
    A home automation system
  • Openssl with cryptodev support (version 1.02_pre150212)
    For those that feel adventurous or simply want to try. You'll need to accept keywords '**' for this version as it is experimental. More info on running this on a B3 can be found HERE
  • Cryptodev (version 1.6)
    The accompanying build for openssl-1.02_pre150212 . For obvious reasons I've also set this one up to require you to accept keywords '**'.
Last edited by Gordon on 31 Jul 2015, 05:31, edited 11 times in total.
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Re: Bubba overlay for Gentoo

Post by Binkem »

Hi Gordon,

These are very interesting developments. I would like to update my B3, but I do need a fully functional system or I'll have an angry family. I'm very interested in the proceedings.

Yours,

Martijn
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Bubba overlay for Gentoo

Post by Gordon »

Hi Martijn,

I had a similar issue, but I found that it is actually very easy to switch between Gentoo and the original installation. It does require some work to prepare the disk though.

So here's what I did:
  • I created a backup of my data
  • booting from the Live USB, I used fdisk to delete /dev/sda2 and /dev/sda3 and created three new partitions:
    /dev/sda2 : +1GiB size, type linux swap
    /dev/sda3 : +10GiB size
    /dev/sda4 : the remainder of the disk (make sure to select primary)
  • created swap on /dev/sda2 and ext4 filesystems on /dev/sda3 and /dev/sda4
  • mounted /dev/sda1 and changed etc/fstab on it like this:

    /dev/sda1	/	ext3	noatime,defaults	0	1
    /dev/sda2	none	swap	sw	0	0
    /dev/sda4	/home	ext4	acl,noatime	0	2
    /proc	/proc	proc	defaults	0	0
    usbfs	/proc/bus/usb	usbfs	defaults	0	0
    
    (drop acl on /home if you have no use for it)
  • mounted /dev/sda3 and copied the Gentoo files to it as described in the instructions from Sakaki, but did NOT copy the bootfiles to /dev/sda1
  • rebooted to the original system and restored the backup of /home.
  • made a copy of /boot in /home/gordon/kernels/debian
  • mounted /dev/sda3 and put a copy of root/sda3_nodelay in /home/gordon/kernels/gentoo
  • changed etc/fstab on /dev/sda3 to match my disk layout

    /dev/sda1               /boot           ext3            noauto,noatime  1 2
    /dev/sda3               /               ext4            noatime         0 1
    /dev/sda2               none            swap            sw              0 0
    /dev/sda4               /home           ext4            acl,noatime     0 2
    /proc                   /proc           proc            defaults        0 0
    usbfs                   /proc/bus/usb   usbfs           defaults        0 0
    
Now switching between Gentoo when you're alone and Debian Squeeze when your family is home is as simple as copying the right kernel to /dev/sda1.

Switching to Gentoo:

cp -a /home/gordon/kernels/gentoo/* /boot/
sync
reboot

Switching to Debian Squeeze:

mount /boot
cp -a /home/gordon/kernels/debian/* /boot/boot/
sync
reboot
(Yes, that is a double /boot)

I thought of rearranging the first three partitions when I'm done, but I decided I'm going to leave it as is. The 10GiB Debian partition is only 0.5% of my 2TB disk and Gentoo will also sit happily in the 10GiB space I gave it in /dev/sda3.
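The kernel switch described in the post above, written up as a script. This is an added example, not a script from the thread or from the Bubba overlay; it assumes the kernel store path from the post (/home/gordon/kernels with a "gentoo" and a "debian" subdirectory), that Debian has /dev/sda1 as / while Gentoo mounts it on /boot as noauto, and that the running system can be told apart by /etc/gentoo-release versus /etc/debian_version. It adds the checks a careless copy would lack: an unknown system name or an empty kernel directory is refused before anything on /dev/sda1 is touched, and DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not a script from the thread: switch the B3 between the
# Gentoo and Debian kernels using the layout Gordon describes (a copy of
# each system's boot files kept under a store directory, /dev/sda1 holding
# the files the boot loader reads).
# Assumptions: KERNEL_STORE has one subdirectory per system, "gentoo" and
# "debian" (default path taken from the post); on Gentoo /dev/sda1 is
# mounted on /boot (noauto in fstab), on Debian /dev/sda1 is / itself.
# Set DRY_RUN=1 to print the privileged commands instead of running them.

KERNEL_STORE="${KERNEL_STORE:-/home/gordon/kernels}"
BOOT_MOUNT="${BOOT_MOUNT:-/boot}"
DRY_RUN="${DRY_RUN:-0}"

# The boot loader reads /boot on /dev/sda1. Seen from Debian that is /boot;
# seen from Gentoo, with sda1 mounted on /boot, it is /boot/boot, which is
# the "double /boot" from the post.
boot_dir_seen_from() {
    case "$1" in
        debian) printf '%s\n' "$BOOT_MOUNT" ;;
        gentoo) printf '%s\n' "$BOOT_MOUNT/boot" ;;
        *)      return 1 ;;
    esac
}

# Identify the running system from its release file (assumed detection).
detect_running_system() {
    if [ -f /etc/gentoo-release ]; then
        echo gentoo
    elif [ -f /etc/debian_version ]; then
        echo debian
    else
        return 1
    fi
}

# Refuse a missing or empty kernel directory, so a typo in the system name
# cannot leave /dev/sda1 without a bootable kernel.
check_kernel_store() {
    dir="$KERNEL_STORE/$1"
    [ -d "$dir" ] || { echo "no kernel directory: $dir" >&2; return 1; }
    [ -n "$(ls -A "$dir")" ] || { echo "empty kernel directory: $dir" >&2; return 1; }
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# switch_kernel <gentoo|debian>: install that system's boot files on sda1.
switch_kernel() {
    target="$1"
    case "$target" in
        gentoo|debian) ;;
        *) echo "unknown system: $target" >&2; return 1 ;;
    esac
    check_kernel_store "$target" || return 1
    running="$(detect_running_system)" || { echo "cannot tell which system is running" >&2; return 1; }
    dest="$(boot_dir_seen_from "$running")"
    # From Gentoo, /boot is noauto: mount it unless it already is mounted.
    if [ "$running" = gentoo ] && ! grep -qs " $BOOT_MOUNT " /proc/mounts; then
        run mount "$BOOT_MOUNT" || return 1
    fi
    run cp -a "$KERNEL_STORE/$target/." "$dest/" || return 1
    run sync
    echo "$target kernel installed in $dest (seen from $running); reboot to use it"
}

# usage: DRY_RUN=1 sh switch-kernel.sh debian
if [ $# -gt 0 ]; then
    switch_kernel "$1"
fi
```

Run it first with DRY_RUN=1 to confirm the destination directory it picks matches the single or double /boot you expect from the system you are on; the copy uses "dir/." rather than "dir/*" so dotfiles and an empty glob cannot surprise you.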
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Bubba overlay for Gentoo

Post by Gordon »

Added easyfind to the repository

New release as of 19 February 2015, fixing an issue with the key having trailing empty characters that cause the easyfind server to discard your updates.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Bubba overlay for Gentoo

Post by Gordon »

For those that feel adventurous the overlay contains a build for openssl with cryptodev support.

Do note that the hardware cryptographic engine on the B3 apparently only supports the aes-128-cbc cipher. To use this with openssh version 6.7 you'll need to enable this cipher in sshd_config, because it is disabled by default. According to my own tests, the hardware cryptographic engine is not so much quicker, but it allows you to use the CPU to run other stuff in parallel. You may find this useful in your usage case(s), but for me there was no real gain.
sakaki
Posts: 172
Joined: 15 Aug 2014, 11:20

Re: Bubba overlay for Gentoo

Post by sakaki »

As I understand it, the issue is that all CBC (cipher block chaining) crypto has been disabled in openssh 6.7 (see this post). Essentially, openssh has chosen to allow (by default) only counter modes for block ciphers. Must admit I'm not quite sure what the recent underlying concern here is, unless it is a final closure on the ssh plaintext recovery issue...

Sadly, the B3's crypto accelerator (CESA) doesn't support (directly in hardware) any of these counter modes (such as aes256-ctr).

Those interested in the B3's crypto engine can find more info in the functional spec document from Marvell (for the Feroceon 88FR131 = Kirkwood 88F6281 SoC, I think ^-^); it is downloadable from this page, or direct link here. See section 10 (pp. 174 ff).

Incidentally, hardware AES with 256 bit keys and CBC (cipher block chaining) should be possible on the B3 (AES always uses a 128 bit block size, but can use 128, 192 or 256-bit key length (= aes128-xyz, aes192-xyz, aes256-xyz)). See also this post. Whether or not the cryptodev package supports this is a different point, of course.

Outside of the ssh realm, protocols that use TLS (although not SSLv3!!) and/or a sensible encrypt-then-mac approach should be perfectly fine to keep using CBC mode ciphers (e.g., openvpn).

Best, sakaki
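Both Gordon's note that aes-128-cbc has to be enabled explicitly in sshd_config and sakaki's point that OpenSSH 6.7 dropped CBC modes from its defaults come down to one line in that file. The script below, added here and not part of the thread, reports what an sshd_config actually enables and flags any CBC-mode cipher, so you can tell at a glance whether a box has been opted back into CBC for the sake of the B3's accelerator. It assumes the plain "Ciphers <comma-separated list>" keyword form and does not follow Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread: list the ciphers an sshd_config
# enables and flag CBC-mode ones, which OpenSSH 6.7 only offers when they
# are listed explicitly. Assumes the plain "Ciphers <list>" keyword form;
# Match blocks are not handled.

# Print the value of the last uncommented "Ciphers" line (keyword match is
# case-insensitive, as in sshd). Empty output means there is no Ciphers
# line, so the OpenSSH built-in default list applies.
configured_ciphers() {
    awk 'tolower($1) == "ciphers" { list = $2 } END { print list }' "$1"
}

# Print each enabled CBC-mode cipher, one per line. Exit status 0 when at
# least one CBC cipher is enabled, 1 when none is, so it can gate a script.
cbc_ciphers() {
    configured_ciphers "$1" | tr ',' '\n' | grep -i -- '-cbc$'
}

# Human-readable summary for one config file.
report_ciphers() {
    file="$1"
    list="$(configured_ciphers "$file")"
    if [ -z "$list" ]; then
        echo "$file: no Ciphers line, OpenSSH default cipher list applies"
        return 0
    fi
    echo "$file: Ciphers $list"
    if cbc="$(cbc_ciphers "$file")"; then
        echo "$file: CBC-mode cipher(s) enabled: $(echo "$cbc" | tr '\n' ' ')"
    else
        echo "$file: no CBC-mode ciphers enabled"
    fi
}

# usage: sh check-ciphers.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    report_ciphers "$1"
fi
```

Because cbc_ciphers returns non-zero when nothing CBC is enabled, it can be dropped into a config audit as "cbc_ciphers /etc/ssh/sshd_config && echo 'CBC enabled on this host'" and the output lists exactly which ciphers (aes128-cbc for the B3 engine, or the aes256-cbc sakaki mentions) were opted back in.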
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Bubba overlay for Gentoo

Post by Gordon »

Hi,

Yes, that is the correct SoC.

As for what cryptodev supports or does not support: from my test I would conclude that cryptodev is simply a software hub that distributes cryptographic protocols to the engine that has the highest priority for handling that specific protocol. This becomes apparent because when you load the cryptodev module you instantly get a different response on aes cbc packets (seriously slower on blocks with length 16) which you can improve by explicitly specifying that you are using that cipher (thus eliminating the cipher identification logic), but still not get anywhere near regular CPU performance.

As stated, I found the results to be disappointing. But if anyone else can find better use for this, please do share your experiences.