jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sat Mar 10, 2012 2:28 am Post subject: Initramfs doesn't support LUKS despite flag with genkernel?
Hi all,
I'm attempting to install a LUKS-encrypted LVM system on my computer, and I'm having a bit of difficulty with booting. I compile the kernel, specifically selecting the appropriate options in menuconfig, and then run genkernel with the --luks flag. Despite this, whenever I boot into the kernel the ramdisk complains that it doesn't support LUKS, and then gives up the ghost. Shouldn't the initramfs support this if genkernel generates it (which it did)? I looked into creating an initramfs myself and it blew my socks off. I suppose I could learn it if I really put myself to it, but it'd be nice if I could fix this by adding / removing a single option with genkernel / menuconfig.
cach0rr0 Moderator


Joined: 13 Nov 2008 Posts: 4117 Location: Houston, Republic of Texas
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sat Mar 10, 2012 2:38 am
So genkernel just won't do it, period?
cach0rr0 Moderator


Joined: 13 Nov 2008 Posts: 4117 Location: Houston, Republic of Texas
Posted: Sat Mar 10, 2012 4:27 am
For *me* it was epic fail trying to get genkernel to do it, when I first tried way back in the day, and on my most recent attempt ~2 years ago, so I finally bashed out a way to make a very simple, small one of my own.
The doc says it's supported; maybe other people have had better experiences than me, so I can't write it off completely:
Code:
--luks: Includes support for Linux Unified Key Setup or LUKS. This will allow you to use a device encrypted by LUKS which contains the root filesystem. On the bootloader, you then set that encrypted device as the value of crypt_root (and real_root shall be the unencrypted device LUKS creates).
e.g.
Code:
root=/dev/ram0 crypt_root=/dev/sda3 real_root=/dev/mapper/crypt-root
Either way, I'd always preferred tuning the kernel myself over genkernel, and since genkernel's test failed for me, once I finally figured out an easy way to make my own initramfs, genkernel was deemed massive overkill.
_________________
Lost configuring your system? dump lspci -n here | see Pappy's guide | Link Stash
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sat Mar 10, 2012 6:03 am
Seems doable. I take it that if I want LVM support I have to copy all of the lvm-related binaries as well?
cach0rr0 Moderator


Joined: 13 Nov 2008 Posts: 4117 Location: Houston, Republic of Texas
Posted: Sat Mar 10, 2012 6:25 am
jbiggs12 wrote:
    Seems doable. I take it that if I want LVM support I have to copy all of the lvm-related binaries as well?

If you build lvm with USE="static" it should greatly simplify the task, as you're not having to ldd ./blah and figure out what depends on what.
But yeah, basically. Use lvm? Copy the binaries needed to activate your lvm volumes, then add the lines needed to do so in the 'init' script. The latter will basically be the same as, "after the latest failure, whatever you're typing whenever you boot from a livecd in order to get your root partition mounted and try again - whether they're commands for lvm, mdadm, cryptsetup, or whatever else - put it in init, in the same order you typed them. Once root is mounted ro, switch_root."
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sat Mar 10, 2012 8:52 pm
Tried your guide, the kernel keeps insisting that init isn't there despite me using chmod +x, then trying chmod 777, then trying passing a path to the kernel with init=. I'm going to try compiling it into the kernel to see if I can get any different results.
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sat Mar 10, 2012 9:52 pm
Update: Tried compiling it in with the kernel, but it still doesn't work. I'm also noticing that before it says it couldn't find init, it complains that it was "unable to open an initial console." I double checked and I enabled in-kernel initramfs. Is there some option that I'm missing? (Once I boot onto my livecd I'll post my kernel config)
edit: Kernel config: http://paste.pocoo.org/show/563954/
menu.lst: http://paste.pocoo.org/show/563955/
cach0rr0 Moderator


Joined: 13 Nov 2008 Posts: 4117 Location: Houston, Republic of Texas
Posted: Sun Mar 11, 2012 4:36 am
In your menu.lst there is no 'initrd' line.
What did you name the initramfs?
Your menu.lst/grub.conf should look very similar to this:
Code:
title Gentoo Linux 2.6.32.58-grsec
root (hd0,0)
kernel /vmlinuz-2.6.32.58-grsec
initrd /initramfs.cpio.gz
With the 'initrd' pointing to wherever you've put the custom initramfs you've made. The ideal place for it to go is in the same directory as the kernel.
NB: is your /boot partition /dev/sda3? Because that's what hd0,2 is,
whereas hd0,0 is /dev/sda1 (that's not *entirely* true - there are cases where, when one has two disks, what grub sees as the first disk is different from what linux sees as the first disk. What hd0,2 *really* means is 'the third partition on the first disk your BIOS identifies is where I should look for the kernel and initramfs you're telling me to use').
One other thing to point out. Your uncommented, second entry in menu.lst has all of this stuff on the kernel command line
Code:
kernel /vmlinuz-2.6.32.58-grsec keymap=dvorak crypt_root=/dev/sda4 real_root=/dev/vg/root
The way this works: these entries, such as keymap, crypt_root, etc., all get stored as-is in /proc/cmdline. Some 'init' scripts will parse /proc/cmdline and store its contents within the script's own internal variables. So, for example, 'init' might be coded to do a convoluted "cut" command on /proc/cmdline, and store the output in a variable called ${REAL_ROOT}. Then later in init you'll see a 'switch_root /mnt/root ${REAL_ROOT}'. It might do a cut on /proc/cmdline to grab crypt_root and store it in ${CRYPT_ROOT}, so that it can do a 'cryptsetup luksOpen ${CRYPT_ROOT} root', which will take the drive passed on the kernel command line in the crypt_root variable and try to luksOpen it.
(if that makes sense?)
To see what I mean, have a look at the example 'init' here - http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID#Hierarchy
Notice how it has the "CMDLINE=`cat /proc/cmdline`" which gives it a variable that can be accessed later via ${CMDLINE}
One could, for example, run a 'cut' command against ${CMDLINE} in order to get different variables, e.g.
Code:
CRYPTROOT=`cut -d blahblahblah ${CMDLINE}`
So that they could later do a luksOpen of ${CRYPTROOT} instead of having to hard-code a volume like e.g. /dev/sda3.
In other words, you have one immediate problem:
- you didn't put an 'initrd' line in your menu.lst
And one problem that may surface after you correct the above:
- unless you code your 'init' to pluck through /proc/cmdline, your "keymap", "crypt_root" and "real_root" are all going to be meaningless.
So once you fix your menu.lst you will probably want to re-bundle your initramfs, and make the 'init' look something like:
Code:
#!/bin/sh
# the kernel does not mount any of these for us inside an initramfs
mount -t proc none /proc
mount -t sysfs none /sys
# devtmpfs gives us /dev/console, /dev/sda4 and /dev/mapper/* without mknod
mount -t devtmpfs none /dev
# assuming you've copied the keymap into the initramfs /etc directory and named it 'dvorak'
loadkmap < /etc/dvorak
# assuming your luks volume that houses your LVM is /dev/sda4, and that you've named it such that it will be at /dev/mapper/rootlv
# cryptsetup prompts for the passphrase on /dev/console; if it fails, fall into a shell rather than panicking the kernel
/bin/cryptsetup luksOpen /dev/sda4 rootlv || exec /bin/sh
# doing your luksOpen should give you /dev/mapper/rootlv.
# LVM should be configured to look within /dev/mapper/rootlv for LVM data, in this case a volume group named 'vg'
/bin/vgscan
/bin/vgchange -ay vg
# the results of your vgchange above should give you a '/dev/vg/root', which is *finally* your actual root partition
# assuming your actual root is /dev/vg/root. Actual as in, has all of your data on it, as in /dev/vg/root is an ext3/ext4/whateverfs volume
mount -r /dev/vg/root /mnt/root || exec /bin/sh
# the real init will mount these again itself; unmount them so switch_root can clean out the initramfs
umount /sys
umount /proc
umount /dev
# now that you've done a luksOpen to get to your LV, and mounted your LV at /mnt/root, you do the switch_root
# and execute /sbin/init
exec switch_root /mnt/root /sbin/init
Notice that this 'init' has all sorts of stuff hard-coded, such as the partition with your luks volume (/dev/sda4) and the name of your root vg (/dev/vg/root).
The whole point of putting extra stuff in menu.lst after the 'kernel /somevmlinux' is so that init can access it and look for things you might have wanted to pass to init. The kernel itself has its own 'init' routine that supports different things passed on the command line, and it will parse these out in a similar fashion; however, the kernel's own init doesn't look for crypto-related things, ergo the need to make your own initramfs with your own init. A custom 'init' bundled into an initramfs can make use of this extra appended data just as easily; however, it doesn't *have* to, if you're happy to hard-code certain bits and bobs into the init, as I've done, and as the examples I've done will show.
...so yeah, hopefully that makes it clearer and not more muddy.
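As an added example that is not cach0rr0's code and not from this thread: the same boot sequence as the 'init' above, and the "copy the binaries, then put the commands you typed into init" recipe from the earlier reply, but taking crypt_root=, real_root= and keymap= from /proc/cmdline the way the post describes instead of hard-coding /dev/sda4 and /dev/vg/root. The assumed layout is a static busybox (sh, mount, loadkmap, switch_root) plus a static cryptsetup and a single static lvm binary in /bin of the initramfs; the mapper name rootlv, the /mnt/root mount point, the rescue shell and the value checks are choices made here, not the post's. The script only acts as init when the kernel started it as /init with PID 1, so the helpers can be exercised on a running system.

```sh
#!/bin/sh
# Added example, not cach0rr0's code: the boot sequence from the 'init'
# above, but taking crypt_root=, real_root= and keymap= from /proc/cmdline
# instead of hard-coding /dev/sda4 and /dev/vg/root. Assumed layout: a
# static busybox providing sh, mount, loadkmap and switch_root, plus static
# cryptsetup and a single static lvm binary, all in /bin of the initramfs.

# cmdline_get KEY [CMDLINE]: print the value of KEY=value from the kernel
# command line (default: /proc/cmdline); fail if KEY is not present.
cmdline_get() {
    key=$1
    cmdline=${2:-$(cat /proc/cmdline)}
    for arg in $cmdline; do
        case $arg in
            "$key"=*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# is_devpath VALUE: accept only a plain path under /dev (letters, digits,
# '_', '-', '.', '/', and no '..'), so a typo or stray bootloader argument
# cannot point cryptsetup or mount outside /dev.
is_devpath() {
    case $1 in
        /dev/?*) case $1 in *..*|*[!A-Za-z0-9_./-]*) return 1 ;; *) return 0 ;; esac ;;
        *)       return 1 ;;
    esac
}

# is_name VALUE: a bare file name (e.g. keymap "dvorak"), so that
# "loadkmap < /etc/$keymap" cannot be steered out of /etc with "../".
is_name() {
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# rescue MESSAGE: explain, then drop to a shell instead of letting the
# kernel panic with "no init found" and no way to look around.
rescue() {
    echo "init: $*" >&2
    exec /bin/sh
}

run_init() {
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devtmpfs none /dev    # gives /dev/console, /dev/sda4, /dev/mapper/*

    if keymap=$(cmdline_get keymap) && is_name "$keymap"; then
        loadkmap < "/etc/$keymap"    # keymap file copied into the initramfs /etc
    fi

    crypt_root=$(cmdline_get crypt_root) || rescue "no crypt_root= on the kernel command line"
    real_root=$(cmdline_get real_root)   || rescue "no real_root= on the kernel command line"
    is_devpath "$crypt_root" || rescue "refusing crypt_root=$crypt_root"
    is_devpath "$real_root"  || rescue "refusing real_root=$real_root"

    # cryptsetup prompts for the passphrase on /dev/console; allow a few tries.
    tries=0
    until /bin/cryptsetup luksOpen "$crypt_root" rootlv; do
        tries=$((tries + 1))
        [ "$tries" -lt 3 ] || rescue "could not open $crypt_root"
    done

    # the LUKS mapping /dev/mapper/rootlv holds the LVM physical volume
    /bin/lvm vgscan
    /bin/lvm vgchange -ay

    mount -r "$real_root" /mnt/root || rescue "could not mount $real_root"

    # the real init remounts these itself; unmount so switch_root can clear rootfs
    umount /sys
    umount /proc
    umount /dev
    exec switch_root /mnt/root /sbin/init
}

# Behave as init only when the kernel started us as /init with PID 1; when
# the script is sourced or run on a live system, only the helpers are defined.
if [ "$0" = /init ] && [ "$$" -eq 1 ]; then
    run_init
fi
```

The command line is still trusted input from whoever controls the bootloader; is_devpath and is_name only keep a typo or a stray argument from sending cryptsetup, mount or loadkmap outside /dev and /etc, they are no substitute for a locked-down boot menu.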
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sun Mar 11, 2012 4:42 am
I left the initrd blank because I embedded the initramfs into the kernel. Do I still need to put an initrd line? Here's the init script that I used: http://paste.pocoo.org/show/564053/
cach0rr0 Moderator


Joined: 13 Nov 2008 Posts: 4117 Location: Houston, Republic of Texas
Posted: Sun Mar 11, 2012 5:07 am
Your init has no line to mount anything at /dev,
ergo things like urandom, console, null, sda aren't going to be accessible.
I see you unmounting it, but not mounting it. You *do* have devtmpfs support in the kernel, so all you're missing is a line like this below your proc/sys mounts:
Code:
mount -t devtmpfs none /dev
Put that into init at line 15, before your cryptsetup call, rebundle the initramfs, and have another go.
That's actually another good reason *not* to try to use an initramfs embedded into the kernel; it's a pain in the ass having to rebuild the kernel every time you want to change something in your initramfs, especially when you know your kernel is fine.
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sun Mar 11, 2012 3:43 pm
I went with your advice and am now passing an image to the kernel instead, and when I recompiled the kernel I got rid of devtmpfs support and just populated it manually, hence the absence of the line. It's still saying "Failed to execute init -- no init found", despite my best efforts. I'm going to get on the livecd and repost the init script, menu.lst, and the output of ls -liaR.
edit:
ls -liaR /usr/src/initramfs/: http://paste.pocoo.org/show/564235/
/init: http://paste.pocoo.org/show/564233/
menu.lst: http://paste.pocoo.org/show/564234/
Edit of the edit: I noticed that lvm isn't in sbin, I'm moving it there now. I doubt that this was the cause of the problem, though, because it's not finding the init.
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sun Mar 11, 2012 9:24 pm
*d'oh* turns out I didn't emerge busybox with USE=static. It boots now, but gives me the error "cannot open device /dev/sda4 for read-only access", which, from some simple googling, appears to be the result of unsupported hardware. I'll dig through my kernel config to see if I've left anything out; here's lspci -n:
Code:
00:00.0 0600: 8086:2a00 (rev 03)
00:01.0 0604: 8086:2a01 (rev 03)
00:1a.0 0c03: 8086:2834 (rev 04)
00:1a.1 0c03: 8086:2835 (rev 04)
00:1a.7 0c03: 8086:283a (rev 04)
00:1b.0 0403: 8086:284b (rev 04)
00:1c.0 0604: 8086:283f (rev 04)
00:1c.2 0604: 8086:2843 (rev 04)
00:1c.4 0604: 8086:2847 (rev 04)
00:1c.5 0604: 8086:2849 (rev 04)
00:1d.0 0c03: 8086:2830 (rev 04)
00:1d.1 0c03: 8086:2831 (rev 04)
00:1d.2 0c03: 8086:2832 (rev 04)
00:1d.7 0c03: 8086:2836 (rev 04)
00:1e.0 0604: 8086:2448 (rev f4)
00:1f.0 0601: 8086:2815 (rev 04)
00:1f.1 0101: 8086:2850 (rev 04)
00:1f.2 0101: 8086:2828 (rev 04)
00:1f.3 0c05: 8086:283e (rev 04)
01:00.0 0300: 10de:0407 (rev a1)
0b:00.0 0280: 14e4:4328 (rev 05)
0c:00.0 0200: 11ab:436a (rev 13)
0d:03.0 0c00: 104c:8025 (rev 02)
Edit: Got it to work, but USB HID isn't supported (my laptop uses a USB keyboard), so I'm not able to type anything. I tried compiling full USB HID support into the kernel, but it wouldn't let me. Is there a way to do this so that I can actually type my password in? Thanks.
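The "no init found" messages earlier in the thread came from an init whose #!/bin/sh interpreter was a dynamically linked busybox; the kernel cannot start a script whose interpreter cannot be loaded, and it reports every variant of that as a missing init. As an added example, not from the thread and not part of anyone's posted init, here is a check to run against the staged tree (e.g. /usr/src/initramfs) before bundling it with cpio. The tree layout it expects (init at the top, bin/sh, empty dev, proc, sys and mnt/root mount points) follows the script in the thread; the static/dynamic test uses file(1) when present and ldd otherwise, and readlink handles the usual bin/sh -> busybox symlink.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a staged initramfs tree
# (e.g. /usr/src/initramfs) before bundling it with cpio. It catches what
# the kernel reports, unhelpfully, as "no init found": /init missing or not
# executable, the interpreter named in init's "#!" line missing from the
# tree, or that interpreter (usually bin/sh -> busybox) being dynamically
# linked against libraries that will not exist at boot.

# shebang_interp FILE: print the interpreter from FILE's "#!" line, if any.
shebang_interp() {
    IFS= read -r line < "$1" || true
    case $line in
        '#!'*) set -- ${line#??}; printf '%s\n' "$1" ;;
    esac
}

# linkage FILE: print "script" for a non-ELF file, otherwise "static",
# "dynamic" or "unknown". Prefers file(1), falls back to ldd (glibc and
# musl wording differ, hence the loose pattern).
linkage() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo script; return 0; }
    if command -v file >/dev/null 2>&1; then
        case $(file -b "$1") in
            *"statically linked"*)  echo static ;;
            *"dynamically linked"*) echo dynamic ;;
            *)                      echo unknown ;;
        esac
    elif command -v ldd >/dev/null 2>&1; then
        if ldd "$1" 2>&1 | grep -qiE 'not a (valid )?dynamic|statically linked'; then
            echo static
        else
            echo dynamic
        fi
    else
        echo unknown
    fi
}

# resolve_in_tree DIR PATH: follow a symlink inside the tree (bin/sh ->
# busybox is the usual layout) without escaping to the host filesystem.
resolve_in_tree() {
    p=$1$2
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        case $target in
            /*) p=$1$target ;;
            *)  p=$(dirname "$p")/$target ;;
        esac
    fi
    printf '%s\n' "$p"
}

# check_initramfs_tree DIR: print every problem found; return 1 if any.
check_initramfs_tree() {
    dir=$1; rc=0
    if [ ! -f "$dir/init" ]; then
        echo "FAIL: $dir/init does not exist (the kernel looks for /init)"
        return 1
    fi
    if [ ! -x "$dir/init" ]; then
        echo "FAIL: $dir/init is not executable (chmod +x init)"; rc=1
    fi
    interp=$(shebang_interp "$dir/init")
    if [ -n "$interp" ]; then
        path=$(resolve_in_tree "$dir" "$interp")
        if [ ! -e "$path" ]; then
            echo "FAIL: init wants $interp but $path is missing"; rc=1
        else
            case $(linkage "$path") in
                dynamic) echo "FAIL: $interp is dynamically linked; rebuild it static (USE=static)"; rc=1 ;;
                unknown) echo "WARN: cannot tell whether $interp is statically linked" ;;
            esac
        fi
    fi
    for d in dev proc sys mnt/root; do
        [ -d "$dir/$d" ] || { echo "FAIL: missing mount point $dir/$d"; rc=1; }
    done
    return $rc
}

# Usage: sh check-initramfs.sh /usr/src/initramfs
[ "$#" -eq 0 ] || check_initramfs_tree "$1"
```

Run it after every change to the tree and before `find . | cpio -o -H newc | gzip`; a clean pass does not prove the image boots, but a FAIL line here is a far better error than the kernel's.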
jbiggs12 n00b

Joined: 09 Mar 2012 Posts: 27
Posted: Sun Mar 11, 2012 11:15 pm
I got it to work! I followed the instructions of the in-kernel component of this guide: http://forums.gentoo.org/viewtopic.php?t=79. Working now, although the kernel spits out a bunch of nonsense regarding the usb devices that I can probably just suppress with quiet. Thanks for your help with the initramfs guide, I really wouldn't have made it otherwise.
cach0rr0 Moderator


Joined: 13 Nov 2008 Posts: 4117 Location: Houston, Republic of Texas
Posted: Mon Mar 12, 2012 1:20 am
Wicked. Good feeling, isn't it?
Even better if over the course of fighting with it you figured out more or less how things piece together, which should make the next time you have to do this a bit easier (knock on wood).
Thing is, all of these automated tools... if they work the first time out of the box, great, that's a major time saver. But when they don't, it can be a PITA trying to dig through them and troubleshoot. For example, if there's something wrong with the 'init' that you need to change, is it easier to spot in a 2,000-line automagic init that tries to account for every single possible different setup any human on the planet might use? Or is it easier to spot in a 20-line init that you made for your own hardware?
When you do things yourself, in somewhat of a minimalist fashion, there are only so many "moving parts", so you're only looking at 5 or 6 different spots for where something might be broken.