Gentoo Forums
Custom initramfs with luks encrypted drive
keen4e
n00b


Joined: 20 Nov 2021
Posts: 19

PostPosted: Fri Nov 26, 2021 10:04 pm    Post subject: Custom initramfs with luks encrypted drive

I am trying to set up an encrypted Gentoo with a custom initramfs. I already managed to boot the system using genkernel, but I am having trouble when trying to make the init script myself.

I have been following https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified and https://wiki.gentoo.org/wiki/Custom_Initramfs.

Just in case it matters, I am using the binary distribution kernel 5.10.78.

I have emerged busybox and cryptsetup with the static flag and I copied them to /usr/src/initramfs/bin and /usr/src/initramfs/sbin.

I have copied /dev/sdb3 where the encrypted root partition is to /usr/src/initramfs/dev

My script /usr/src/initramfs/init looks like this:

Code:

#!/bin/busybox sh
rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/sh
}
# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys

# Do your stuff here.
echo "Enter your password to decrypt the system."
# Mount the crypted file.
cryptsetup --tries 5 luksOpen /dev/sdb3 root

# Mount the root filesystem.
mount -o ro /dev/mapper/root /mnt/root || rescue_shell

# Clean up.
umount /proc
umount /sys

# Boot the real thing.
exec switch_root /mnt/root /sbin/init


My /etc/default/grub looks like this

Code:

GRUB_DISTRIBUTOR="Gentoo"
GRUB_CMDLINE_LINUX="crypt_root=/dev/sdb3"
GRUB_CMDLINE_LINUX_DEFAULT=''
GRUB_GFXMODE=1920x1080x32
GRUB_GFXPAYLOAD_LINUX=keep
# Default menu entry
GRUB_DEFAULT=3
GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=true
# Boot the default entry this many seconds after the menu is displayed
GRUB_TIMEOUT=5


Finally, the entry in the grub config corresponding to the Gentoo kernel, in the decrypted /boot partition:
Quote:

## BEGIN /etc/grub.d/10_linux ###
menuentry 'Gentoo GNU/Linux' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-223198e6-ba25-47da-9d8b-828dffb0c252' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
set root='hd1,gpt1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt1 --hint-efi=hd1,gpt1 --hint-baremetal=ahci1,gpt1 324F-00E9
else
search --no-floppy --fs-uuid --set=root 324F-00E9
fi
echo 'Loading Linux 5.10.78-gentoo-dist ...'
linux /vmlinuz-5.10.78-gentoo-dist root=/dev/mapper/root crypt_root=/dev/sdb3
echo 'Loading initial ramdisk ...'
initrd /custom-initramfs.cpio.gz
}


I don't think it is possible to get a log when the disk doesn't even get decrypted (I don't know where such a log would be written), but basically the prompt doesn't show the echo in the init script and doesn't ask me for the decryption password either.

I basically just get something along the lines of "the device /dev/root doesn't exist" and then it freezes on a kernel panic.

As I mentioned, the system boots up normally if I generate the initramfs with genkernel, but not with my own.

Thank you for any suggestions as I don't know at all how to move on from here.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Sat Nov 27, 2021 8:05 pm

keen4e,

The initrd is a very lonely place. Just you, the kernel and whatever you put in the initrd.
How does /dev get mounted in the initrd? It's not listed in your init script.

Boot it and check what you have in /dev.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
spica
Apprentice


Joined: 04 Jun 2021
Posts: 287

PostPosted: Sat Nov 27, 2021 9:41 pm

Call rescue_shell first in your init script. Boot and then try the commands manually. This way you will find what is missing.
keen4e
n00b


Joined: 20 Nov 2021
Posts: 19

PostPosted: Sun Nov 28, 2021 12:27 am

spica wrote:
Call rescue_shell first in your init script. Boot and then try the commands manually. This way you will find what is missing.


I tried to do that. The shell didn't start, I got the kernel panic first about /dev/mapper/crypto not being a correct root. It seems like the init script isn't getting executed at all.
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3136

PostPosted: Sun Nov 28, 2021 1:15 am

Is your init executable?
You might try doing something more manual too. Initramfs is a compressed cpio archive, so:

Enter an empty directory and extract it with <decompress> | cpio -i
Modify whatever you want there
Create a new archive with find . | cpio -o -H newc | <compress> > ../initramfs
I suggest using bzip2 or gzip for compression. The kernel's implementation of xz is (or at least was) incomplete and, although genkernel's compressed images worked fine, those compressed by me wouldn't.

So, have a look at the contents of the initramfs, and then get back to patching it genkernel's way. Perhaps you could even inspect your modified initramfs and look for obvious mistakes without rebooting.
As a bonus, `cat | cpio -t` will list the contents of the archive without extracting it; you can compare those lists to quickly get an idea what impact your actions have on the resulting image.


Quote:
The initrd is a very lonely place
I call it "serene" :lol:
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Sun Nov 28, 2021 7:25 pm

szatox,

Ye olde "make an empty file, format the file as ext2, loop mount it, put whatever you want in the file, gzip it" still works.
ext2 might not be such a good idea these days but the concept is good.

You can even chroot into it, if you are careful what you do.

keen4e,

You can chroot into your unpacked initrd, however it was made.
Is busybox statically linked or did you include all the libraries you need too?

Code:
$ lddtree /bin/busybox
/bin/busybox (interpreter => None)
is statically linked.

Code:
$ ldd /sbin/lvm
   linux-vdso.so.1 (0x00007fffd29f9000)
   libdevmapper-event.so.1.02 => /lib64/libdevmapper-event.so.1.02 (0x00007f7c079de000)
   libreadline.so.8 => /lib64/libreadline.so.8 (0x00007f7c07987000)
   libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f7c07950000)
   libaio.so.1 => /lib64/libaio.so.1 (0x00007f7c0794b000)
   libc.so.6 => /lib64/libc.so.6 (0x00007f7c07753000)
   libdevmapper.so.1.02 => /lib64/libdevmapper.so.1.02 (0x00007f7c076f7000)
   libtinfow.so.6 => /lib64/libtinfow.so.6 (0x00007f7c076b5000)
   /lib64/ld-linux-x86-64.so.2 (0x00007f7c07f4d000)
   libm.so.6 => /lib64/libm.so.6 (0x00007f7c075de000)
is all the libs that lvm needs.


Last edited by NeddySeagoon on Sun Nov 28, 2021 7:31 pm; edited 1 time in total
keen4e
n00b


Joined: 20 Nov 2021
Posts: 19

PostPosted: Sun Nov 28, 2021 7:28 pm

After realizing I compressed my initramfs wrong, I was able to at least get the init script to start. I can get into the rescue shell, but I still cannot decrypt the disk. Whenever I run cryptsetup luksOpen on /dev/sdb3, I get the error message:

Code:

device-mapper: table: 253.0: crypt: unknown target type
device-mapper: ioctl: error adding target to table


Last edited by keen4e on Sun Nov 28, 2021 7:36 pm; edited 1 time in total
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2007

PostPosted: Sun Nov 28, 2021 7:29 pm

keen4e wrote:
spica wrote:
Call rescue_shell first in your init script. Boot and then try the commands manually. This way you will find what is missing.

I tried to do that. The shell didn't start, I got the kernel panic first about /dev/mapper/crypto not being a correct root. It seems like the init script isn't getting executed at all.

With a hand-written initramfs, that can be a symptom of missing terminal devices in your initramfs /dev tree - usual solution is to use the kernel devtmpfs, or to put /dev, /dev/console and /dev/tty0 (AFAIR) in the cpio list.
_________________
Greybeard
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Sun Nov 28, 2021 7:34 pm

keen4e,

Is DMCRYPT built into your kernel or is it a module?
If it's a module, you need to put it into the initrd and load it.

Hand rolled initrds should not need to load kernel modules or they are tied to kernel versions.
keen4e
n00b


Joined: 20 Nov 2021
Posts: 19

PostPosted: Sun Nov 28, 2021 7:41 pm

NeddySeagoon wrote:
keen4e,

Is DMCRYPT built into your kernel or is it a module?
If it's a module, you need to put it into the initrd and load it.

Hand rolled initrds should not need to load kernel modules or they are tied to kernel versions.


How do I check that? I downloaded the binary distribution kernel 5.10.78 with: emerge sys-kernel/gentoo-kernel-bin
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Sun Nov 28, 2021 7:47 pm

keen4e,

Binary kernels are normally fully modular, so they work anywhere but don't have a huge memory footprint.

In my kernel
Code:
$ grep DM_CRYPT /usr/src/linux/.config
# CONFIG_DM_CRYPT is not set


Boot the kernel and try
Code:
zgrep DM_CRYPT  /proc/config.gz


-- edit -- fixed typo. , to .
keen4e
n00b


Joined: 20 Nov 2021
Posts: 19

PostPosted: Sun Nov 28, 2021 8:06 pm

NeddySeagoon

I checked through the file /usr/linux/.config and CONFIG_DM_CRYPT is set to m, which I presume means it is a module?

If so, do you have any reference I could read on how to load and run modules in initramfs?

Thanks a lot for the help.
spica
Apprentice


Joined: 04 Jun 2021
Posts: 287

PostPosted: Sun Nov 28, 2021 8:30 pm

I can share the scripts I used to create an initramfs for an lvm-on-luks setup; I hope this will help to find the missing things.
I do not use the 'static' flag, and in mk_initramfs.sh you can see that I collect *.so files with ldd.
Also I do not put modules inside the initramfs, that is not practical in day-to-day use, and this means all the modules which are required for luks/lvm must be compiled into the kernel. I'm not sure which exact options; you can start looking here https://wiki.gentoo.org/wiki/Dm-crypt
/boot is fat32 unencrypted, everything else is inside luks.
If you do not use lvm then the lvm-related commands need to be omitted.
I haven't run the scripts for half a year. It is enough to create the initramfs file one time.

init:
Code:
#!/bin/busybox sh

# Drop to an interactive shell with a controlling tty; print the reason if one was given.
rescue_shell() {
    echo "${1:-Something went wrong.} Dropping to a shell."
    setsid cttyhack sh
}

# Kernel filesystems; devtmpfs provides the LUKS partition node and /dev/mapper.
mount -n -t proc none /proc
mount -n -t sysfs none /sys
mount -n -t devtmpfs none /dev
mount -n -t tmpfs    tmpfs    /run

# setfont -C /dev/console /usr/share/consolefonts/ter-u24b.psf.gz

# Unlock the LUKS container, then activate the LVM volume group inside it.
cryptsetup luksOpen /dev/nvme0n1p3 vg0 || rescue_shell "luksOpen failed."
lvm vgscan --mknodes || rescue_shell "vgscan failed."
lvm vgchange --sysinit -a ly || rescue_shell "vgchange failed."
lvm vgscan --mknodes || rescue_shell "vgscan failed."

mount -o ro /dev/mapper/vg0-root /mnt/root || rescue_shell "root mount failed."

# Unmount the kernel filesystems again; the real init mounts its own.
umount /proc
umount /sys
umount /dev
umount /run

exec switch_root /mnt/root /sbin/init

rescue_shell "switch_root failed"


mk_initramfs.sh:
Code:
#!/bin/bash
# Build a gzip-compressed newc cpio initramfs from a staging tree under PREFIX.

PREFIX="/usr/src/initramfs"

# Newline-separated list of host files to copy into the staging tree.
FILES_TO_COPY=""

# Queue a binary plus every shared library that ldd resolves for it.
deep_copy() {
    file="$1"
    FILES_TO_COPY="${FILES_TO_COPY}\n${file}"
    for i in $(ldd "${file}" | grep ' => ' | cut -f3 -d' ')
    do
        FILES_TO_COPY="${FILES_TO_COPY}\n$i"
    done
}

# Copy one file into the tree, dereferencing symlinks and creating parent directories.
copy_file_real() {
    file="$1"
    base_dir=$(dirname "${file}")
    mkdir -p "${PREFIX}/${base_dir}"
    cp -aL "${file}" "${PREFIX}/${file}"
}

copy_file() {
    FILES_TO_COPY="${FILES_TO_COPY}\n$1"
}

mkdir --parents ${PREFIX}/{bin,dev,etc,lib,lib64,mnt/root,proc,root,sbin,sys,run}
# Static device nodes for the moment before init mounts devtmpfs.
cp --archive /dev/{null,console,tty,urandom,random} ${PREFIX}/dev/

copy_file /bin/busybox

cp /etc/ld.so.cache ${PREFIX}/etc/
cp init ${PREFIX}/init
chmod +x ${PREFIX}/init

deep_copy /sbin/cryptsetup
deep_copy /sbin/lvm

# The dynamic loader itself; ldd prints it without ' => ', so queue it explicitly.
copy_file /lib64/ld-linux-x86-64.so.2
copy_file /lib64/ld-2.32.so

# copy_file /usr/share/consolefonts/ter-u24b.psf.gz
# copy_file /usr/lib64/locale/locale-archive

mkdir -p "${PREFIX}/etc/lvm"
cp -a /etc/lvm ${PREFIX}/etc/
cp ./lvm.conf "${PREFIX}/etc/lvm/lvm.conf"

# Copy each queued file once (sort -u also drops non-adjacent duplicates).
for file in $(echo -e "${FILES_TO_COPY}" | sort -u)
do
    copy_file_real "${file}"
done

# Keep the previous image as a fallback, then pack the staging tree.
cp /boot/initramfs.img{,.old}

cd "${PREFIX}"
find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/initramfs.img


Edit: this is how I update the UEFI bootloader (I do not use GRUB, to save a few seconds on boot):
Code:
#!/usr/bin/env bash

KERNEL_VERSION="5.10.76"
KERNEL_FILE="vmlinuz-5.10.76-gentoo-r1"

efibootmgr --create \
           --disk /dev/nvme0n1 \
           --part 2 \
           --label "Gentoo ${KERNEL_VERSION}" \
           --loader "\\${KERNEL_FILE}" \
           --unicode 'dolvm initrd=\initramfs.img cryptdevice=UUID=fb6d783b-61ae-416d-bf45-2d55f97cbff5 root=/dev/mapper/vg0-root'

Some options (dolvm, cryptdevice) are not necessary; they remain from the time I used genkernel-next, which is obsolete.


Last edited by spica on Sun Nov 28, 2021 8:57 pm; edited 6 times in total
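Following szatox's suggestion to inspect the archive without rebooting, spica's `--format=newc` build, and Goverp's point about the missing /dev/console node: an added Python checker (not code from any poster in this thread) that parses a newc cpio initramfs, gzipped or not, and reports the failure modes discussed above. The two sample archives it builds are constructed here; their file layout and modes are assumptions.

```python
import gzip
import stat

def build_newc(entries):
    """Pack (path, mode, data) tuples into a SVR4 'newc' cpio archive."""
    out = bytearray()
    for ino, (path, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        name = path.encode() + b"\0"
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name), 0)
        out += b"070701" + b"".join(b"%08x" % v for v in fields) + name
        out += b"\0" * (-len(out) % 4)          # name padded to a 4-byte boundary
        out += data + b"\0" * (-len(data) % 4)   # file data padded likewise
    return bytes(out)

def parse_newc(blob):
    """Return {path: (mode, data)}; accepts a raw or gzip-compressed archive."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    tree, off = {}, 0
    while True:
        if blob[off:off + 6] != b"070701":
            raise ValueError("not a newc cpio archive at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize
        off += -off % 4
        data = blob[off:off + size]
        off += size + (-size % 4)
        if name == "TRAILER!!!":
            return tree
        tree[name[2:] if name.startswith("./") else name] = (mode, data)  # 'find .' names

def check_initramfs(blob):
    """Findings matching the failure modes raised in the thread; [] means OK."""
    tree, problems = parse_newc(blob), []
    init = tree.get("init")
    if init is None:
        problems.append("no /init in archive")
    elif not init[0] & 0o111:
        problems.append("/init is not executable")
    if "bin/busybox" not in tree and "bin/sh" not in tree:
        problems.append("no shell binary for the rescue shell")
    mounts_devtmpfs = init is not None and b"devtmpfs" in init[1]
    if not mounts_devtmpfs and not stat.S_ISCHR(tree.get("dev/console", (0, b""))[0]):
        problems.append("no /dev/console node and init does not mount devtmpfs")
    return problems

# Constructed samples (not a poster's image): OP_LIKE has no /dev/console and no devtmpfs mount; FIXED adds both, gzipped.
OP_LIKE = build_newc([("./init", 0o100755, b"#!/bin/busybox sh\nmount -t proc none /proc\n"),
                      ("./bin/busybox", 0o100755, b"<static ELF placeholder>")])
FIXED = gzip.compress(build_newc([
    ("./init", 0o100755, b"#!/bin/busybox sh\nmount -n -t devtmpfs none /dev\n"),
    ("./bin/busybox", 0o100755, b"<static ELF placeholder>"),
    ("./dev/console", 0o020600, b"")]))
```

Run it against a real image with `check_initramfs(open("/boot/initramfs.img", "rb").read())`; an archive packed with the wrong compressor or wrong format raises ValueError instead of a finding.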
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Sun Nov 28, 2021 8:38 pm

spica,

I guess that you don't have kernel modules in the initrd?
spica
Apprentice


Joined: 04 Jun 2021
Posts: 287

PostPosted: Sun Nov 28, 2021 8:44 pm

Yes, Neddy, no modules in the initrd;
the required things are compiled into the kernel.

Benefit of this: I do not need to regenerate the initrd file after a new kernel is built and installed.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Sun Nov 28, 2021 8:57 pm

spica,

Yep. That's why my 2009 initrd was still working until I retired the system in September.

I'm fairly sure that sys-kernel/gentoo-kernel-bin will be fully modular, so that will be a problem.
From the ebuild, there is a .config file in the package.
keen4e
n00b


Joined: 20 Nov 2021
Posts: 19

PostPosted: Mon Nov 29, 2021 1:53 am

I managed to finally boot into my encrypted Gentoo. Thank you all for your kind help.

It looks like the problem was with the dmcrypt module not being loaded all along. I copied all the files from the initramfs generated by genkernel and added a modprobe dmcrypt command.

I am still not completely satisfied yet, as my initramfs now feels unnecessarily bloated and I would really like to have only the tools needed to decrypt the disk and boot. If anyone has any tips on how to load kernel modules in the initramfs, please let me know.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Mon Nov 29, 2021 9:58 am

keen4e,

Make your own kernel so that modules in the initrd are not required.
Your initrd changes with every kernel, as the kernel can identify its own modules and will not load modules from another kernel.