Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
luks encrypted root partition - lots of trouble (initramfs)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Sat Sep 26, 2009 2:29 pm    Post subject: luks encrypted root partition - lots of trouble (initramfs) Reply with quote

(This is my first foray into Gentoo - I really like it, with the exception of...)

I'm using genkernel because of its initramfs generation. The exact command:
Code:
$ genkernel --menuconfig --luks --no-splash --no-clean --kernname=mykern## all


I'm trying to have as many features be modules as possible (why wouldn't I?) Although I have tried including everything directly into the kernel. I've also tried to be very aggressive in only including the few drivers I need, however I've also tried to be a little more lenient.

My grub entry looks like:
Code:

title   Gentoo
root   (hd0,0)
kernel   /kernel--mykern01-x86-2.6.30-gentoo-r6 root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda4 real_root=/dev/mapper/root
initrd   /initramfs-mykern01-x86-2.6.30-gentoo-r6

(I'm really not sure why the init=/linuxrc line is there. I don't have a /boot/linuxrc...)

What's happening is that when I'm prompted for my LUKS password, it's rejected. (Lets assume I'm DEFINITELY typing the correct password here). Does this have something to do with my keyboard driver? I've also tried making sure I included all of the cryptographic options.

One thing to note: I've ALWAYS included dm-crypt (under device drivers -> multiple device driver support -> device mapper -> crypt target) and I have been exluding raid in the same screen because I don't need it. But I have not been enabling cryptoloop support (as I understand it, that is something different).


While I am at it:

1) in menuconfig is there a way to search by either module name or device models that are listed in the description? It should be very easy to me to get exactly the drivers I need by looking at lshw and/or lspci -v, but I'm having trouble with menuconfig's search feature.

2) when I want to clean up my mess after failing to create a good kernel/initramfs I'm a) removing stuff from /boot, and b) removing stuff from /lib/modules, is there anything else?
Back to top
View user's profile Send private message
ndse2112
Tux's lil' helper
Tux's lil' helper


Joined: 21 May 2007
Posts: 100

PostPosted: Sat Sep 26, 2009 3:21 pm    Post subject: Reply with quote

There are a number of things going on here that could be causing your problem.

First thing i would try to make sure the key is good, as well as verify cipher support in your kernel:
run the following:

Code:
cryptsetup luksDump <physical_device>


on the device that you have encrypted, if you can read the luks header then the passhrase is working.
That dump output will show you the cipher that will be needed in your kernel.

As far as kernels go, I have a similar setup to yours, and i use the 'traditional gentoo' kernel method (built with initrd support) and then
I use genkernel to build the initrd for my kernel:

Code:
genkernel --kernel-config=/usr/src/linux/.config --luks --lvm2 initramfs


You can disable the cryptoloop support from your kernel as it is not needed for cryptsetup/luks devices and is deprecated as far as I am aware.

As far as your needed kernel drivers, boot from your live environment and run:

Code:
lspci -n


and paste the output of that command here:
http://kmuto.jp/debian/hcl/wiki/index.cgi
The results will be the kernel drivers needed for your hardware, and the minimum kernel version needed to get that driver.


As far as your boot lines in your loader, the linuxrc is in the initrd. My bootloader looks like:

Code:

title Gentoo Linux 2.6.30-gentoo-r6
root (hd0,0)
kernel (hd0,0)/kernel-2.6.30-gentoo-r6 root=/dev/ram0 init=linuxrc ramdisk=8192 crypt_root=/dev/md2 real_root=/dev/mapper/galatea_vg-root dolvm
initrd (hd0,0)/initramfs-genkernel-x86_64-2.6.30-gentoo-r6


Some of that is more than you most likely need since I am booting my machine off an md raid1 array as well as an lvm2 logical volume, but it should get you pointed in the right direction.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Sat Sep 26, 2009 3:44 pm    Post subject: Reply with quote

ndse2112 wrote:
First thing i would try to make sure the key is good, as well as verify cipher support in your kernel:
run the following:


The key is definitely good as I can access it just fine from my boot environment (an existing Arch installation on a separate partition) as well as dump the header from within the chrooted gentoo directory using the cryptsetup located there.

ndse2112 wrote:
As far as your needed kernel drivers, boot from your live environment and run:
Code:
lspci -n


and paste the output of that command here:
http://kmuto.jp/debian/hcl/wiki/index.cgi
The results will be the kernel drivers needed for your hardware, and the minimum kernel version needed to get that driver.


Great resource. Thanks!

ndse2112 wrote:

As far as your boot lines in your loader, the linuxrc is in the initrd.

Yeah I figured out that init= was relative to the initramfs, not the boot partition when I extracted one of the initramfs's to look through it.


How can I check that I have the right ciphers in the initramfs environment? Something in /proc?
Back to top
View user's profile Send private message
ndse2112
Tux's lil' helper
Tux's lil' helper


Joined: 21 May 2007
Posts: 100

PostPosted: Sat Sep 26, 2009 3:52 pm    Post subject: Reply with quote

Code:
zcat /proc/config.gz | grep -i crypto | grep "=y"


should give you a list of ciphers that the kernel has support built for.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Sun Sep 27, 2009 1:10 am    Post subject: Reply with quote

I tried having all of the cryptographic stuff as modules and built in. Both times in busybox during the boot process, I tried to look at /proc/crypto and there wasn't anything that refered to AES or CBC or even SHA* for that matter.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Sun Sep 27, 2009 3:25 pm    Post subject: Reply with quote

So if I've narrowed the issue down to the Cryptographic API features not showing up in initramfs, would be it appropriate to start a new post in the Kernel subforum with a more specific title? I'm not sure if this is an issue specific to genkernel and it's creation of initramfs... I guess my appropriately: an issue with MY use of genkernel....
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 9167

PostPosted: Sun Sep 27, 2009 3:43 pm    Post subject: Reply with quote

Your most recent two posts seem contradictory. The first of them implies that you included everything, and it did not work. Your second of them seems to say that you found a way to make it work, otherwise you would not be certain that it was a problem with the kernel's cryptographic API options. It would be helpful to us to see the cryptographic configuration used in the installation kernel, which I assume works to let you create and install in the encrypted root, and of the boot kernel that you created, which is unable to open the encrypted root. It would also be good to see the output of cryptsetup luksDump physical-volume | head -n6, so that we can see what cipher and hash algorithm you selected. Since that is encoded in the LUKS header and accessible without a password, disclosing it publicly does not affect your security.

If adding or removing kernel cryptographic features is the difference between success and failure, then the problem is specific to your choice of kernel configuration, not to your choice of initramfs options. The initramfs contains tools to use the kernel features, but the included cryptsetup will be the same binary regardless of what cryptographic options your kernel supports.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Sun Sep 27, 2009 4:45 pm    Post subject: Reply with quote

Sorry for any confusion, the posts should amount to: no matter what I try the boot fails. I created the luks volume from my existing Arch Linux environment, so when I'm in the chrooted gentoo tree, I CAN manipulate the luks volume because I'm using the crypto features of my arch kernel, not the gentoo kernel. I don't think cryptsetup matters here. The reason I felt that I had narrowed down the issue was because the correct stuff wasn't showing up in /proc/crypto, even though I had included them in menuconfig.

In any event, here is my LUKS header:
Code:
Version:          1
Cipher name:      aes
Cipher mode:      cbc-essiv:sha256
Hash spec:        sha1


And just an update of my own efforts, I tried using just the genkernel defaults with a clean source tree. Didn't work:
Code:
$ genkernel --luks --no-splash all
Back to top
View user's profile Send private message
ndse2112
Tux's lil' helper
Tux's lil' helper


Joined: 21 May 2007
Posts: 100

PostPosted: Mon Sep 28, 2009 12:36 am    Post subject: Reply with quote

Is that cipher active in your genkernel compiled gentoo kernel?


You might give the handbook method of building a kernel a try (adding initrd support of course),
and enabling the ciphers that you needs in the kernel (not as modules). Then use genkernel to build the initrd.


Code:

genkernel --luks --config=/usr/src/linux/.config initramfs
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Mon Sep 28, 2009 1:14 am    Post subject: Reply with quote

I've been following the handbook very carefully. I think what you're saying is equivalent to the --menuconfig option, which I've been using. You can also load in config files from menuconfig, and I've tried a number of config options.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Tue Sep 29, 2009 1:02 am    Post subject: Reply with quote

Is there no more help or direction I can get with this issue? I REALLY want to switch to Gentoo but this is a deal breaker for my laptop.
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 9167

PostPosted: Tue Sep 29, 2009 3:19 am    Post subject: Reply with quote

platypus27 wrote:
Is there no more help or direction I can get with this issue? I REALLY want to switch to Gentoo but this is a deal breaker for my laptop.

With the information available, I do not see what else we can tell you. It seems highly likely that your problem is with the wrong selection of options in the kernel cryptographic menu, but since you have not provided the kernel configuration for the working or failing cases, we cannot suggest corrective action. Based on the cryptsetup luksDump output you provided, I would guess that at a minimum, you need CRYPTO_SHA1=y, CRYPTO_SHA256=y, CRYPTO_AES=y, and CRYPTO_CBC=y. You may need others.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Tue Sep 29, 2009 4:13 am    Post subject: Reply with quote

Thanks for checking in on me, Hu:

Well, like I said, I've not only included those crypto options but pretty much EVERY option available - including dm-crypt in the device drivers section. I've tried including all of these as modules and built into the kernel (and various combinations thereof). When I include them as modules, I can see a long list of things being loaded as the initramfs starts. When I build them in, only a few modules load. In both cases my /proc/crypto shows only a couple of listings like DES and MD5. No AES.

Again, it has NEVER worked. My only access to the encrypted partition has been through my existing Arch installation and also the Gentoo minimal install cd.

I will try again and post my config file to be 100% clear in my explanation. However, IYO, am I better off including the crypto support as a module or building it into the kernel? For dm-crypt? Is there anything else other than /proc/crypto that would be useful to see from busybox in the initramfs?
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 9167

PostPosted: Wed Sep 30, 2009 2:39 am    Post subject: Reply with quote

Anything that you will need available continuously should be built into the kernel for simplicity. Since this is the root volume, you will never unmount it, so build in the cryptographic modules you need. Same for dm-crypt. It will be in use as long as you have the root filesystem open, so build it in.

I have never experienced the particular problem you have, so I am unsure what would be most helpful in debugging it. My encrypted rootfs worked the first time. The kernel configuration and /proc/crypto are both reasonable choices. You should check dmesg after a failed luksOpen, though I am unsure if there will be anything of value there.
Back to top
View user's profile Send private message
platypus27
n00b
n00b


Joined: 26 Sep 2009
Posts: 11
Location: NJ, USA

PostPosted: Wed Sep 30, 2009 10:55 pm    Post subject: Reply with quote

Ok, so I ran
Code:
$ genkernel --luks --no-splash --menuconfig all

From there I loaded this config file: http://pastebin.com/f12060097 which is a direct copy of /proc/config.gz when running from the install cd. The one exception is that I changed the processor type to pentium-m.

From the install CD, /proc/crypto lists AES and I can manipulate the luks volume just fine.

While booting the kernel that was made using the config from the install cd, I cannot access my luks volume and /proc/crypto only shows DES and MD5 (maybe one other thing, but certainly no CBC, AES, or SHA*)
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 9167

PostPosted: Thu Oct 01, 2009 3:23 am    Post subject: Reply with quote

Check for AES in the .config that was saved when you exited menuconfig. You probably jumped kernel versions, in which case a symbol could have moved, which would deselect the option.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum