Gentoo Forums
grub2 encrypted btrfs root
redwood
Guru


Joined: 27 Jan 2006
Posts: 306

PostPosted: Mon Sep 10, 2018 2:53 pm    Post subject: grub2 encrypted btrfs root

Hi,

I have a gentoo system which has been running 24x7 on a pair of WD caviar drives for the last 5+ years. As they're getting long in the tooth, I decided to add a new pair of WD RE4 2T drives and move my old system over while reorganizing. My old raid1 system was a mix of mdadm + LVM. The new system would be btrfs raid1.

I roughly followed the guide https://wiki.gentoo.org/wiki/Full_Encrypted_Btrfs/Native_System_Root_Guide

I partitioned both new drives as follows:
Code:

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048            8191   3.0 MiB     EF02  grub2biosboot
   2            8192         6299647   3.0 GiB     8200  swap
   3         6299648      3907029134   1.8 TiB     8300  Linux


I encrypted the 3rd partition and formatted as btrfs.
I chroot'd into the new system, rebuilt the kernel with btrfs and the LUKS ciphers built in, following the guide, and installed grub2 to the MBR of both new drives.

Rebooting into my new system, grub2 asks me to unlock my encrypted partitions by providing the passphrase, which I do, and it's successful.
When grub2 presents me with the boot options (current, advanced), I enter 'c' to drop to a command line and can see that "ls /" shows my 3 btrfs subvolumes and I can browse the files on them:

Code:

boot  activeroot home


When loading the new kernel/initramfs, though, I run into an infinite loop with dracut saying it's doing a btrfs device scan, getting an error trying to read from the floppy drive fd0, then trying another btrfs device scan, and so on. This is an old system and it actually does have a floppy drive, which I haven't used in ages. Still, I hunted around for an old 3.5" disk and shoved it in just to see if that would satisfy dracut, but it didn't work.

One caveat: the Guide was using systemd/udev. My system is eudev. I am also using genkernel like the guide does, but haven't tried genkernel-next. I did use dracut as in the guide to add /root/secretkey to the initramfs.

I backed up my new shiny initramfs-genkernel-x86-4.9.76-gentoo-r to initramfs-current then added the encryption key with dracut:

Code:

dracut -f -I /dev/secretkey /boot/initramfs-genkernel-x86-4.9.76-gentoo-r



The Guide shows their /etc/default/grub lines but doesn't actually show the /boot/grub/grub.cfg that was generated.
My /etc/default/grub:

Code:

GRUB_DISTRIBUTOR="Gentoo"
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="real_init=/sbin/init rd.luks=1 rd.luks.key=/root/secretkey rd.luks.uuid=luks-90745598-1d10-42cd-9944-be3d6a763b21 rd.luks.uuid=luks-2111d050-9209-4956-a835-a803bcef6aa6"


Not sure what real_init should be.

The 1st boot entry in the generated /etc/grub/grub.cfg is

Code:

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Gentoo GNU/Linux' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-5487d18b-bd2f-45c9-b2c7-893d269977c9' {
        load_video
        insmod gzio
        insmod part_gpt
        insmod part_gpt
        insmod cryptodisk
        insmod luks
        insmod gcry_rijndael
        insmod gcry_rijndael
        insmod gcry_sha256
        insmod cryptodisk
        insmod luks
        insmod gcry_rijndael
        insmod gcry_rijndael
        insmod gcry_sha256
        insmod btrfs
        cryptomount -u 907455981d1042cd9944be3d6a763b21
        cryptomount -u 2111d05092094956a835a803bcef6aa6
        set root='cryptouuid/907455981d1042cd9944be3d6a763b21'
        set root='cryptouuid/2111d05092094956a835a803bcef6aa6'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='cryptouuid/907455981d1042cd9944be3d6a763b21'  --hint='cryptouuid/2111d05092094956a835a803bcef6aa6'  5487d18b-bd2f-45c9-b2c7-893d269977c9
        else
          search --no-floppy --fs-uuid --set=root 5487d18b-bd2f-45c9-b2c7-893d269977c9
        fi
        echo    'Loading Linux x86-4.9.76-gentoo-r1 ...'
        linux   /boot/kernel-genkernel-x86-4.9.76-gentoo-r1 root=/dev/mapper/luks-1
/dev/mapper/luks-2 ro rootflags=subvol=activeroot  real_init=/sbin/init rd.luks=1 rd.luks.key=/root/secretkey rd.luks.uuid=luks-90745598-1d10-42cd-9944-be3d6a763b21 rd.luks.uuid=luks-2111d050-9209-4956-a835-a803bcef6aa6
        echo    'Loading initial ramdisk ...'
        initrd  /boot/initramfs-genkernel-x86-4.9.76-gentoo-r1
}


When booting, grub says it doesn't understand the commands "/dev/mapper/luks-2" and "ro", so I entered edit mode and deleted both. Presumably, mounting one btrfs filesystem should be enough to mount all the raid devices.
I also tried changing "root=/dev/mapper/luks-1" to "root=UUID=907455981d1042cd9944be3d6a763b21".

I also tried commenting out the loading of the initramfs. If grub2 successfully decrypts (cryptodisk) my drives and can see my btrfs subvolumes, I'm not sure why, when loading the kernel, it can't find those same already-unencrypted drives. My old system had lots of separate lvm volumes for {home, var, usr, portage, distfiles, ...}, but my non-systemd system could boot without an initramfs (but missing fancy bootup graphics). My new btrfs has just 3 subvolumes (boot, activeroot and home), so the entire filesystem is right there in activeroot. Well, commenting out the loading of the initramfs resulted in a kernel panic, so no dice.

So I've now booted back into my old system on the old pair of drives and have mounted my chroot system again:

Code:

cryptsetup open -d /root/secretkey /dev/sda3 luks-1
cryptsetup open -d /root/secretkey /dev/sdb3 luks-2
btrfs device scan /dev/sda3; btrfs device scan /dev/sdb3
mount -t btrfs -o defaults,noatime,compress=lzo,autodefrag,subvol=activeroot /dev/mapper/luks-1 /mnt/newroot
mount -t btrfs -o defaults,noatime,compress=lzo,autodefrag,subvol=home       /dev/mapper/luks-1 /mnt/newroot/home
mount -t btrfs -o defaults,noatime,subvol=boot                                              /dev/mapper/luks-1 /mnt/newroot/boot

btrfs filesystem show

cp -L /etc/resolv.conf /mnt/newroot/etc/
mount -t proc proc /mnt/newroot/proc
mount --rbind /sys /mnt/newroot/sys
mount --rbind /dev /mnt/newroot/dev
mount --make-rslave /mnt/newroot/sys
mount --make-rslave /mnt/newroot/dev
chroot /mnt/newroot /bin/bash
env-update && source /etc/profile
export PS1="(chroot) $PS1"



Thanks in advance for any ideas on solving this.
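To catch this shape of breakage before rebooting, here is a small lint I would run over the generated grub.cfg (an added example, not from the post or from the Gentoo guide; the sample entry is constructed to mirror the one above): it flags a line inside a menuentry that does not begin with a GRUB command, which is exactly what a kernel command line wrapped onto a second line looks like, and a root= that names a /dev node rather than a filesystem UUID.

```python
import re

# GRUB commands grub-mkconfig emits inside a menuentry block; a line starting
# with anything else is suspect (typically the tail of a wrapped "linux" line).
GRUB_COMMANDS = {
    "menuentry", "submenu", "}", "load_video", "insmod", "set", "export",
    "if", "else", "fi", "search", "echo", "linux", "initrd", "cryptomount",
}

# Constructed sample modelled on the entry in the post: GRUB_DEVICE expanded to
# two mapper devices separated by a newline, so the rest lands on its own line.
BROKEN_CFG = """\
menuentry 'Gentoo GNU/Linux' --class gentoo $menuentry_id_option 'gnulinux-simple-EXAMPLE' {
        insmod cryptodisk
        insmod btrfs
        cryptomount -u 907455981d1042cd9944be3d6a763b21
        set root='cryptouuid/907455981d1042cd9944be3d6a763b21'
        linux   /boot/kernel-EXAMPLE root=/dev/mapper/luks-1
/dev/mapper/luks-2 ro rootflags=subvol=activeroot rd.luks=1
        initrd  /boot/initramfs-EXAMPLE
}
"""

# Same entry with the kernel line intact and root= given as the btrfs UUID.
FIXED_CFG = BROKEN_CFG.replace(
    "root=/dev/mapper/luks-1\n/dev/mapper/luks-2 ro",
    "root=UUID=5487d18b-bd2f-45c9-b2c7-893d269977c9 ro")

def lint_grub_cfg(cfg):
    """Return (line_number, message) findings for the text of a grub.cfg."""
    findings, in_entry = [], False
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if word == "menuentry":
            in_entry = True
        elif in_entry and word not in GRUB_COMMANDS:
            findings.append((lineno, f"'{word}' is not a GRUB command; "
                             "looks like the tail of a wrapped 'linux' line"))
        if word == "linux":
            for dev in re.findall(r"\broot=(\S+)", line):
                if dev.startswith("/dev/"):
                    findings.append((lineno, f"root={dev} names a device node; "
                                     "root=UUID=<fs uuid> is what the initramfs resolves"))
        if line == "}":
            in_entry = False
    return findings
```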
redwood
Guru

PostPosted: Tue Sep 11, 2018 6:08 pm

I think I'm mixing apples and oranges: genkernel and dracut images.

Since I usually use genkernel, I decided to unpack to /usr/src/initramfs:

Code:

cd /usr/src/initramfs
xzcat /boot/initramfs.img | cpio -idmv


Then copy /root/secretkey into the initramfs and repack:

Code:

find . 2>/dev/null | cpio --quiet -c -o | xz -9 --format=lzma > /boot/initramfs-genkernel-x86-4.9.76-gentoo-r1-new


Will modify /etc/default/grub once I get a working grub2.

Going to try something like this:

Code:

echo    'Loading Linux x86-4.9.76-gentoo-r1 ...'
linux /boot/kernel-genkernel-x86-4.9.76-gentoo-r1 root=/dev/ram0 root_key=/root/secretkey crypto_root=5487d18b-bd2f-45c9-b2c7-893d269977c9 rootfstype=btrfs key_timeout=0 init=/linuxrc ramdisk=8192 real_root=/dev/mapper/luks-1 rootflags=subvol=activeroot vga=0x318 video=v86d:ywrap,mtrr,1024x768-32@72 splash=silent,fadein,theme:livecd-2006.0,tty:12 quiet CONSOLE=/dev/tty1 dolvm dobtrfs

echo    'Loading initial ramdisk ...'
initrd  /boot/initramfs-genkernel-x86-4.9.76-gentoo-r1-new



Not sure if I need to specify root_keydev= if I'm just storing secretkey in the initramfs.
Will specify root_key=/root/secretkey.

I ran blkid on /dev/mapper/luks-1 inside the chroot:
Code:

/dev/mapper/luks-1: LABEL="BTROOT" UUID="5487d18b-bd2f-45c9-b2c7-893d269977c9" UUID_SUB="48cd26c0-741f-4370-845b-5d000cda96a4" TYPE="btrfs"


Guess the first UUID is correct?
Don't need "dolvm" unless booting old system but left it here anyhow.

Not sure about the real_root=/dev/mapper/luks-1
Does genkernel have a default naming convention for when it unencrypts a drive?