--- lofi-crypto-lofiadm.1m.orig	Tue Jan  2 17:53:09 2007
+++ lofi-crypto-lofiadm.1m	Tue Jan  2 17:52:52 2007
@@ -1,528 +1,569 @@
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
 NAME
      lofiadm  -	 administer  files  available  as  block  devices
      through lofi
 
 SYNOPSIS
      /usr/sbin/lofiadm -a file [device]
+     /usr/sbin/lofiadm -a -c <crypto_algorithm> file [device]
+     /usr/sbin/lofiadm -a -c <crypto_algorithm> -k <raw_key_file> file [device]
+     /usr/sbin/lofiadm -a -c <crypto_algorithm> -T <token_key> file [device]
+     /usr/sbin/lofiadm -a -c <crypto_algorithm> -T <token_key> \
+	-k <wrapped_key_file> file [device]
+     /usr/sbin/lofiadm -a -c <crypto_algorithm> -e file [device]
 
      /usr/sbin/lofiadm -d  file	| device
 
      /usr/sbin/lofiadm [ file |	device]
 
 
 DESCRIPTION
      lofiadm administers  lofi(7D),  the  loopback  file  driver.
      lofi(7D) allows a file to be associated with a block device.
      That file can then	be accessed  through  the  block  device.
      This  is  useful  when  the  file	contains an image of some
      filesystem	(such as a floppy or CD-ROM image),  because  the
      block  device can then be used with the normal system utili-
      ties for mounting,	checking or  repairing	filesystems.  See
      fsck(1M) and mount(1M).
 
 
 
      Use lofiadm to add	a file as a loopback device, remove  such
      an	association, or	print information about	the current asso-
      ciations.
 
 
 
 OPTIONS
      The following options are supported:
 
 
 
      -a	 file [device]	Add file as a block device.
 
 
 
 			If device is not specified, an	available
 			device is picked.
 
 
 
 			If device is specified,	lofiadm	 attempts
 			to  assign  it	to  file.  device must be
 			available or lofiadm will fail.	The abil-
 			ity  to	 specify a device is provided for
 			use in scripts that wish to  re-establish
 			a particular set of associations.
 
 
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			1
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
      -d	file | device	Remove an association by file  or  device
 			name,  if  the associated block	device is
 			not busy, and deallocates the block  dev-
 			ice.
 
 
 
+     -c <crypto_algorithm>
+        Specify the algorithm name, this is mandatory when encryption
+	is enabled since the algorithm is not stored in the disk image.
 
+     -k <raw_key_file> | <wrapped_key_file>
+        Path to raw or wrapped key, if a PKCS#11 object is also
+        given then the key is wrapped by that object.
+        If -t is not specified the key is used raw.
+
+     -T <token_key>
+	The key in a PKCS#11 token to use for the encryption or
+	unwrapping the key file.
+
+	If -k is also specified this is a wrapping key.
+
+-e      Generate an empheral key
+
+
 OPERANDS
      The following operands are	supported:
 
 
 
      file    Print the block device associated with file.
 
 
 
 
      device  Print the file name associated with the block device
 	     device.
 
 
 
 	     Without arguments,	print a	list of	the current asso-
 	     ciations.	Filenames  must	 be  valid absolute path-
 	     names.
 
 
 
 	     When a file is added, it is opened	 for  reading  or
 	     writing  by  root.	 Any  restrictions apply (such as
 	     restricted	root access over NFS). The file	 is  held
 	     open  until  the  association  is removed.	It is not
 	     actually accessed until the block device is used, so
 	     it	 will  never be	written	to if the block	device is
 	     only opened read-only.
 
 
+     crypto_algorithm
+	One of: aes128-cbc, aes192-cbc, aes256-cbc
 
+     raw_key_file
+	Path to a file of the appropriate length of bits to use
+	as a raw AES key
 
+     wrapped_key_file
+	Path to file containing an AES key wrapped by the key
+	specified by -T.
+
+     token_key
+        PKCS#11 token object in the format:
+                token:manuf:serial:label
+
+        All but the label are optional and maybe empty.
+        For example specifiying only the label:
+                -t :::MylofiKey
+	
+
 EXAMPLES
      Example 1 Mounting	an Existing CD-ROM Image
 
 
      You should	ensure that Solaris understands	the image  before
      creating  the CD. lofi allows you to mount	the image and see
      if	it works.
 
 
 
      This example mounts an existing CD-ROM image (sparc.iso), of
      the  Red  Hat 6.0 CD which	was downloaded from the	Internet.
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			2
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
      It	was created with the mkisofs utility from the Internet.
 
 
 
      Use lofiadm to attach a block device to it:
 
 
 
        # lofiadm -a /home/mike_s/RH6.0/sparc.iso
        /dev/lofi/1
 
 
 
      lofiadm picks the device and prints the device name  to  the
      standard  output.	You  can run lofiadm again by issuing the
      following command:
 
 
 
        # lofiadm
        Block Device	File
        /dev/lofi/1	/home/mike_s/RH6.0/sparc.iso
 
 
 
      Or, you can give it one name and ask for the other, by issu-
      ing the following command:
 
 
 
        # lofiadm /dev/lofi/1
        /home/mike_s/RH6.0/sparc.iso
 
 
 
      Use the mount command to mount the	image:
 
 
 
        # mount -F hsfs -o ro /dev/lofi/1 /mnt
 
 
 
      Check to ensure that Solaris understands the image:
 
 
 
        # df -k /mnt
        Filesystem	     kbytes    used   avail capacity  Mounted on
        /dev/lofi/1	     512418  512418	  0   100%    /mnt
        # ls /mnt
        ./	     RedHat/	   doc/		 ls-lR	       rr_moved/
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			3
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
        ../	     TRANS.TBL	   dosutils/	 ls-lR.gz      sbin@
        .buildlog     bin@	   etc@		 misc/	       tmp/
        COPYING	     boot/	   images/	 mnt/	       usr@
        README	     boot.cat*	   kernels/	 modules/
        RPM-PGP-KEY   dev@	   lib@		 proc/
 
 
 
      Solaris can mount	the  CD-ROM  image,  and  understand  the
      filenames.	 The  image was	created	properly, and you can now
      create the	CD-ROM with confidence.
 
 
 
      As	a final	step, unmount and detach the images:
 
 
 
        # umount	/mnt
        # lofiadm -d /dev/lofi/1
        # lofiadm
        Block Device		File
 
 
      Example 2 Mounting	a Floppy Image
 
 
      This is similar to	Example	1.
 
 
 
      Using lofi	to help	 you  mount  files  that  contain  floppy
      images  is	helpful	if a floppy disk contains a file that you
      need, but the machine which you  are  on  does  not  have	a
      floppy  drive. It is also helpful if you do not want to take
      the time to use the dd  command  to  copy	the  image  to	a
      floppy.
 
 
 
      This is an	example	of getting to MDB floppy for  Solaris  on
      an	x86 platform:
 
 
 
        # lofiadm -a /export/s28/MDB_s28x_wos/latest/boot.3
        /dev/lofi/1
        # mount -F pcfs /dev/lofi/1 /mnt
        # ls /mnt
        ./	     COMMENT.BAT*  RC.D/	 SOLARIS.MAP*
        ../	     IDENT*	   REPLACE.BAT*	 X/
        APPEND.BAT*   MAKEDIR.BAT*  SOLARIS/
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			4
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
        # umount	/mnt
        # lofiadm -d /export/s28/MDB_s28x_wos/latest/boot.3
 
 
      Example 3 Making a	UFS Filesystem on a File
 
 
      Making a UFS filesystm on a file can be useful, particularly
      if	 a  test  suite	 requires a scratch filesystem.	It can be
      painful (or annoying) to have to re-partition  a  disk  just
      for  the test suite, but you do not have to. You can newfs	a
      file with lofi
 
 
 
      Create the	file:
 
 
 
        # mkfile	35m /export/home/test
 
 
 
      Attach it to a block device. You also get the character dev-
      ice that newfs requires, so newfs that:
 
 
 
        # lofiadm -a /export/home/test
        /dev/lofi/1
        # newfs /dev/rlofi/1
        newfs: construct	a new file system /dev/rlofi/1:	(y/n)? y
        /dev/rlofi/1:   71638 sectors in	119 cylinders of 1 tracks, 602 sectors
 	      35.0MB in	8 cyl groups (16 c/g, 4.70MB/g,	2240 i/g)
        super-block backups (for	fsck -F	ufs -o b=#) at:
        32, 9664, 19296,	28928, 38560, 48192, 57824, 67456,
 
 
 
      Note that ufs might not be	able  to  use  the  entire  file.
      Mount and use the filesystem:
 
 
 
        # mount /dev/lofi/1 /mnt
        # df -k /mnt
        Filesystem	     kbytes    used   avail capacity  Mounted on
        /dev/lofi/1	      33455	  9   30101	1%    /mnt
        # ls /mnt
        ./	    ../		 lost+found/
        # umount	/mnt
        # lofiadm -d /dev/lofi/1
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			5
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
      Example 4 Creating	a PC (FAT) File	System on a Unix File
 
 
      The following series of commands creates a	FAT  file  system
      on	 a  Unix file. The file	is associated with a block device
      created by	lofiadm.
 
 
 
        # mkfile	10M /export/test/testfs
        # lofiadm -a /export/test testfs
        /dev/lofi/1
        Note use	of rlofi, not lofi, in following command.
        # mkfs -F pcfs -o nofdisk,size=20480 /dev/rlofi/1
        Construct a new FAT file	system on /dev/rlofi/1:	(y/n)? y
        # mount -F pcfs /dev/lofi/1 /mnt
        # cd /mnt
        # df -k .
        Filesystem	     kbytes    used   avail capacity  Mounted on
        /dev/lofi/1	      10142	  0   10142	0%    /mnt
 
 
 
 ENVIRONMENT VARIABLES
      See environ(5) for	descriptions of	the following environment
      variables	that  affect  the execution of lofiadm:	LC_CTYPE,
      LC_MESSAGES and NLSPATH.
 
 
 
 EXIT STATUS
      The following exit	values are returned:
 
 
 
      0	 Successful completion.
 
 
 
 
      >0	 An error occurred.
 
 
 
 
 ATTRIBUTES
      See attributes(5) for descriptions	of the	following  attri-
      butes:
 
 
 
 
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			6
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
      ____________________________________________________________
     | ATTRIBUTE	TYPE		  | ATTRIBUTE VALUE		|
     |_____________________________|_____________________________|
     | Availability		  | SUNWcsu			|
     |_____________________________|_____________________________|
 
 
 SEE ALSO
      fsck(1M),	mount(1M),   mount_ufs(1M),   newfs(1M),   attri-
      butes(5), lofi(7D), lofs(7FS)
 
 
 
 NOTES
      Just as you would not directly access a disk device that has
      mounted  file  systems, you should	not access a file associ-
      ated with a  block	 device	 except	 through  the  lofi  file
      driver. It	might also be appropriate to ensure that the file
      has appropriate permissions to prevent such access.
 
 
 
      Associations are not persistant across reboots. A script can
      be	used to	re-establish them if required.
 
 
 
      The abilities of lofiadm, and who can  use	 them,	are  con-
      trolled  by  the  permissions  of	/dev/lofictl. Read-access
      allows query operations, such as listing  all  the	 associa-
      tions.  Write-access  is  required	 to do any state-changing
      operations,  like	adding	an  association.    As	 shipped,
      /dev/lofictl  is owned by root, in	group sys, and mode 0644,
      so	all users can do  query	 operations  but  only	root  can
      change  anything.	The  administrator  can	give users write-
      access, allowing them to add  or  delete  associations,  but
      that is very likely a security hole and should probably only
      be	given to a trusted group.
 
 
 
      When mounting a filesystem	image, take care to use	appropri-
      ate  mount	 options.  In particular, the nosuid mount option
      might be appropriate for UFS images whose origin is unknown.
      Also,  some options might not be useful or	appropriate, like
      logging or	forcedirectio for  UFS.	 For  compatibility  pur-
      poses,  a	raw  device is also exported along with	the block
      device. For example, newfs(1M) requires one.
 
 
 
 
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			7
 
 
 
 
 
 
 System Administration Commands			      lofiadm(1M)
 
 
 
      The output	of lofiadm (without arguments)	might  change  in
      future releases.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 SunOS 5.11	    Last change: 17 Nov	1999			8
 
 
 

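Review bot: The added text refers to a "-t" option in two places ("If -t is not specified the key is used raw." under -k, and the token_key example "-t :::MylofiKey"), but the option this patch adds to SYNOPSIS and OPTIONS is "-T"; both should read -T. In the same OPTIONS block, the -e entry starts at column 0 unlike the entries around it, misspells "ephemeral" as "empheral", and does not say that data written under an ephemeral key cannot be read back once the association is removed, which an administrator needs to know before choosing it. The SYNOPSIS form "lofiadm -a -c <crypto_algorithm> file [device]" names no key source (-k, -T or -e), and nothing in OPTIONS says where the key comes from in that case; document it or drop the form. The raw_key_file operand says only "the appropriate length of bits"; state the required file size for each of aes128-cbc, aes192-cbc and aes256-cbc, and consider a sentence in NOTES about restricting permissions on the key file, next to the existing advice on the image file. Smaller points: "specifiying" and "maybe empty" in the token_key operand, the -k text says "PKCS#11 object" where the rest of the page says token_key, the footer still reads "Last change: 17 Nov 1999", and EXAMPLES has no example that uses the new encryption options.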