[BitVisor-users-en:12] Re: Howto for Windows

Katsuya MATSUBARA matsu at igel.co.jp
Mon Nov 26 12:20:49 JST 2012


 Hi Sandy,

From: Katsuya MATSUBARA <matsu at igel.co.jp>
Date: Sun, 25 Nov 2012 07:53:21 +0900 (JST)

> From: Sandy Herman <sandyherman at gmx.net>
> Date: Sat, 24 Nov 2012 20:27:41 +0100
> 
>> Now I could install Bitvisor on "/dev/sda2" via GRUB2. It worked,
>> Bitvisor asks the password, but the disk "/dev/sda1" remains
>> unencrypted.
>> sda1: LBA(63,467419135)
>> Attached my "bitvisor.conf"
> 
>  You must enable the ATA driver if your disk is connected
>  through SATA/PATA.
> 
>  vmm.driver.ata=1

 Let me give some additional information.

 The disk encryption in BitVisor requires capturing disk access
 that is issued by guest OS and BIOS.
 Unfortunately, I know there exist some BIOSes whose access cannot
 be captured by BitVisor; the Lenovo ThinkPad X220, for example.

 You can check your BIOS with the following quick test.

 1. Enable the disk encryption for the *whole* disk,
    that includes the sector 0 (MBR), in your bitvisor.conf.

 storage.encryptionKey0.place=./StorageKey0
 storage.conf0.lba_low=0
 storage.conf0.lba_high=99999999
 vmm.driver.ata=1

 2. Boot BitVisor through grub.

 RESULT1:
 If BitVisor reports an error as below,
 it means BitVisor *could* capture BIOS access and then
 decrypted data though it has not been encrypted.

 panic(CPU0): Fatal error: Unimplemented vector 0x6
 ...
 
 RESULT2:
 If grub returns normally even after BitVisor booted,
 this means BitVisor could *not* capture BIOS's access
 to the sector 0.

 In the latter case, you can apply the disk encryption *only*
 for DATA partitions, that do not consist of bootable guest OS
 and boot loader.

 Thanks.
---
 Katsuya Matsubara / IGEL Co., Ltd
 matsu at igel.co.jp

>> Am 13.11.2012 08:52, schrieb Katsuya MATSUBARA:
>>>   Hi Sandy,
>>>
>>> From: Sandy Herman <sandyherman at gmx.net>
>>> Date: Fri, 09 Nov 2012 22:53:38 +0100
>>>
>>>> Is there a chance to encrypt the harddisk running an
>>>> Ubuntu live System?
>>>> I can install Bitvisor (with background-encryption-patch),
>>>> but the harddisk is not encrypted - and remains unencrypted.
>>>   Please see the attached file.
>>>   This is an example configuration for the background encryption.
>>>
>>>   This configuration is 'defconfig'-styled.
>>>   You should modify the 'storage' section in your defconfig,
>>>   that exists at root of the source code tree, using the example.
>>>   Especially you must adjust the 'data_lba', 'keys', 'lba-low' and
>>>   'lba-high' parameters for your environment.
>>>   Then you can rebuild bitvisor.elf with the modified defconfig.
>>>
>>>   You cannot use the boot/login-simple and the boot/login
>>>   if you want to validate 'defconfig' since bitvisor.conf overwrites
>>>   the whole parameters defined by defconfig.
>>>   If you would like to use the login authentication, you can try to
>>>   rewrite the example for bitvisor.conf.
>>>   Unfortunately I have never tried to enable/configure the
>>>   background encryption with bitvisor.conf, but it must work.
>>>
>>>   Thanks,
>>> ---
>>>   Katsuya Matsubara / IGEL Co. Ltd.
>>>   matsu at igel.co.jp
>>>
>> 
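
The settings discussed in this thread can be checked before rebooting. The following is an added example, not part of the original message and not BitVisor code: it audits a bitvisor.conf-style text for the keys shown above. The function names, the plain key=value parsing and the treatment of lba_low/lba_high as inclusive bounds are assumptions.

```python
# Added example: audit bitvisor.conf-style text for the storage-encryption
# settings named in this thread. Inclusive LBA bounds are an assumption.
SAMPLE_CONF = """\
storage.encryptionKey0.place=./StorageKey0
storage.conf0.lba_low=63
storage.conf0.lba_high=467419135
"""  # constructed sample: the vmm.driver.ata line is deliberately missing


def parse_conf(text):
    """Collect key=value lines into a dict; lines without '=' are skipped."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf_text, part_first, part_last, index=0):
    """Return a list of findings for one storage.conf<index> entry."""
    conf = parse_conf(conf_text)
    findings = []
    if conf.get("vmm.driver.ata") != "1":
        findings.append("vmm.driver.ata is not 1 (needed when the disk is on SATA/PATA)")
    if not conf.get(f"storage.encryptionKey{index}.place"):
        findings.append(f"storage.encryptionKey{index}.place is not set")
    try:
        low = int(conf[f"storage.conf{index}.lba_low"])
        high = int(conf[f"storage.conf{index}.lba_high"])
    except (KeyError, ValueError):
        findings.append(f"storage.conf{index}.lba_low/lba_high missing or not an integer")
        return findings
    if low > high:
        findings.append("lba_low is greater than lba_high: range is empty")
        return findings
    if low > part_first or high < part_last:
        findings.append(f"range {low}-{high} does not cover partition {part_first}-{part_last}")
    if low == 0:
        findings.append("range includes sector 0 (MBR): usable only if BitVisor "
                        "can capture the BIOS's disk access")
    return findings


if __name__ == "__main__":
    # sda1 bounds as reported in the thread: LBA(63,467419135)
    for finding in audit(SAMPLE_CONF, 63, 467419135):
        print("WARN:", finding)
```
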

