markkazakov n00b

Joined: 09 May 2025 Posts: 6
|
Posted: Fri May 09, 2025 10:38 am Post subject: LUKS root + UEFI - Dracut fails to include cryptsetup |
|
|
Hi,
I'm trying to set up Gentoo with:
- LUKS encrypted root partition
- UEFI boot
- OpenRC (not systemd)
- Distribution kernel (sys-kernel/gentoo-kernel)
Current setup:
- /dev/nvme0n1p1 : EFI partition (mounted at /boot/efi)
- /dev/nvme0n1p2 : swap
- /dev/nvme0n1p3 : LUKS encrypted root
My dracut configuration (/etc/dracut.conf.d/):
Code: |
# crypto.conf
install_items="/sbin/cryptsetup"
# drivers.conf
add_drivers="i915 nvme"
# modules.conf
add_dracutmodules="crypt rootfs-block"
force_drivers="dm-crypt"
# uefi.conf
uefi=yes
early_microcode=yes
|
Issue:
When booting, dracut drops to debug shell after ~10 minutes with:
Code: |
dracut Warning: Could not boot.
dracut Warning: /dev/mapper/cryptroot does not exist
|
In the dracut shell, `cryptsetup` command is not available despite being specified in install_items. The NVMe device is visible (/dev/nvme0n1p3 exists), but I can't unlock the LUKS container without cryptsetup.
I've tried:
- Regenerating initramfs with --uefi flag
- Different dracut configurations
- Verifying UUIDs are correct
Current EFI boot entry (via efibootmgr):
Code: |
efibootmgr --create --disk /dev/nvme0n1 --part 1 \
--label "Gentoo Linux" \
--loader "\EFI\Gentoo\kernel-6.12.21-gentoo-dist.efi" \
--unicode "root=UUID=e5c27ed6-607e-4caf-b27b-4467d855ef1c rd.luks.uuid=b802cba-013e-4ef4-a43b-27dd55f2e1a9"
|
These are the logs I get before falling into the dracut shell:
Code: |
[8.746774] usb 3-3.5: new high-speed USB device number 8 using xhci_hcd
[8.828880] usb 3-3.5: New USB device found, idVendor=2109, idProduct=8884, bcdDevice= 1.00
[8.829631] usb 3-3.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[8.830327] usb 3-3.5: Product: Dell DA305
[8.830927] usb 3-3.5: Manufacturer: VIA Labs, Inc.
[8.831455] usb 3-3.5: SerialNumber: 0000000000000001
[9.708116] ucs1_acpi USBC000:00: unknown error 0
[9.709375] ucs1_acpi USBC000:00: UCSI_GET_PDOS failed (-5)
[10.081422] ucs1_acpi USBC000:00: unknown error 0
[10.082192] ucs1_acpi USBC000:00: UCSI_GET_PDOS failed (-5)
[10.877775] ucs1_acpi USBC000:00: unknown error 0
[10.878539] ucs1_acpi USBC000:00: UCSI_GET_PDOS failed (-5)
[13.399573] ucs1_acpi USBC000:00: unknown error 0
[13.400366] ucs1_acpi USBC000:00: UCSI_GET_PDOS failed (-5)
[ 197.924334] dracut Warning: Could not boot.
dracut Warning: Could not boot.
[ 197.935377] dracut Warning: /dev/mapper/cryptroot does not exist
dracut Warning: /dev/mapper/cryptroot does not exist
Generating "/run/initramfs/rdsosreport.txt"
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot
after mounting them and attach it to a bug report.
To get more debug information in the report,
reboot with "rd.debug" added to the kernel command line.
Dropping to debug shell.
dracut:/#
dracut:/#
dracut:/#
dracut:/#
|
Any help would be appreciated. Let me know if you need any additional information.
Also, I asked a few questions on irc. People there have advised me to use a bootloader.
I tried to setup grub without success.
So ideally I would like to install the system with grub bootloader. |
|
|
 |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1671 Location: Richmond Hill, Canada
|
Posted: Fri May 09, 2025 12:45 pm Post subject: Re: LUKS root + UEFI - Dracut fails to include cryptsetup |
|
|
Welcome to Gentoo,
markkazakov wrote: | Current EFI boot entry (via efibootmgr):
Code: |
efibootmgr --create --disk /dev/nvme0n1 --part 1 \
--label "Gentoo Linux" \
--loader "\EFI\Gentoo\kernel-6.12.21-gentoo-dist.efi" \
--unicode "root=UUID=e5c27ed6-607e-4caf-b27b-4467d855ef1c rd.luks.uuid=b802cba-013e-4ef4-a43b-27dd55f2e1a9"
|
|
Have you noticed that your create statement did not include "initrd=XXXX"? Could it be that you are not booting with the correct entry? Or does the kernel image "\EFI\Gentoo\kernel-6.12.21-gentoo-dist.efi" have its own initrd embedded in the image file, so that it is not using the one you generated? |
|
|
 |
markkazakov n00b

Joined: 09 May 2025 Posts: 6
|
Posted: Fri May 09, 2025 1:14 pm Post subject: |
|
|
Hi pingtoo,
Thanks for answering, Gentoo seems amazing, so far really impressed by the quality of the documentation!
I got lost while trying many things, so I will start from a bootable drive with gui to have a real browser.
Then attempt to reinstall with grub and all the good stuff.
I know that the current install is crooked. |
|
|
 |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1671 Location: Richmond Hill, Canada
|
Posted: Fri May 09, 2025 1:23 pm Post subject: |
|
|
I asked the question just to know whether that is your intention or simply an oversight. Nowadays with UEFI and efi-stub there is more than one way to load an initrd, so I just want to make sure I understand the condition correctly.
Indeed, using a boot loader (GRUB) could make the boot configuration much easier.
Either way, should you encounter any difficulty, please don't hesitate to post more information about your booting questions. I am interested in solving boot sequence problems. |
|
|
 |
Hu Administrator

Joined: 06 Mar 2007 Posts: 23405
|
Posted: Fri May 09, 2025 1:53 pm Post subject: |
|
|
Reinstalling the entire system is very rarely necessary, though in some cases that can be faster than fixing what is broken.
Since you managed to boot the kernel and it has the dracut-generated initramfs (albeit not a usable initramfs), I think that:
- There is no need to reinstall the system.
- There is no need to change bootloaders.
- Using live media to re-enter the existing system, and from there fixing how the initramfs is generated, is likely sufficient.
As to how to fix the initramfs, I cannot help with that, at least yet. Hopefully, someone more familiar with dracut will join in.
If your bootloader were misconfigured, we would either not see Linux boot at all (and thus no initramfs could have run) or we would see the kernel come up without an initramfs, and would never reach the stage where dracut prints an error, since dracut is in the initramfs. Therefore, I think the bootloader is fine as-is. |
|
|
 |
markkazakov n00b

Joined: 09 May 2025 Posts: 6
|
Posted: Fri May 09, 2025 2:21 pm Post subject: |
|
|
Hu,
Thanks for the advice. Yes indeed it is a long process reinstalling, I will listen to your advice. And attempt to fix it from chroot.
Once I have a new bootable stick I'll upgrade with more details on what works and what doesn't. |
|
|
 |
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5659 Location: Bavaria
|
|
|
 |
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 252
|
|
|
 |
markkazakov n00b

Joined: 09 May 2025 Posts: 6
|
Posted: Mon May 12, 2025 9:47 am Post subject: |
|
|
So,
After a while of tinkering I still didn't manage to boot.
I have decided to go for a grub install.
I use luks2:
Code: |
cryptsetup luksDump /dev/nvme0n1p3 | grep -E "Version|PBKDF"
Version: 2
PBKDF: argon2id
|
From what I understand grub is not able to decrypt luks 2. And I guess that that part needs to be handled by initramfs.
Here are various commands and configs I have run to attempt to setup my boot sequence:
Code: |
#/etc/default/grub
GRUB_DISTRIBUTOR="Gentoo encrypted"
GRUB_ENABLE_CRYPTODISK=n
GRUB_DISABLE_OS_PROBER=true
GRUB_CMDLINE_LINUX="root=/dev/mapper/luks-e5c27ed6-607e-4caf-b27b-4467d855ef1c rootfstype=ext4 rd.luks=1 rd.luks.uuid=b8020cba-013e-4ef4-a43b-27dd55f2e1a9"
GRUB_PRELOAD_MODULES="part_gpt part_msdos fat ext2"
GRUB_INITRD="/boot/efi/EFI/Gentoo/initramfs-6.12.21-gentoo-dist.img"
# Default menu entry
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_TERMINAL_OUTPUT="gfxterm"
|
Code: |
cat /boot/efi/EFI/Gentoo/grub-debug.cfg
insmod part_gpt
insmod fat
insmod ext2
insmod all_video
insmod gfxterm
set timeout=5
set default=0
terminal_output gfxterm
menuentry "Gentoo Linux Debug" {
search --no-floppy --fs-uuid --set=root 7F5D-C323
echo 'Loading Linux kernel...'
linux /EFI/Gentoo/kernel-6.12.21-gentoo-dist.efi root=/dev/mapper/luks-e5c27ed6-607e-4caf-b27b-4467d855ef1c rootfstype=ext4 rd.luks=1 rd.luks.uuid=b8020cba-013e-4ef4-a43b-27dd55f2e1a9 rd.debug rd.shell rd.break=pre-mount
echo 'Loading initial ramdisk...'
initrd /EFI/Gentoo/initramfs-debug.img
}
|
Code: |
cat /etc/dracut.conf.d/01-base.conf
# Basic configuration
compress="gzip"
hostonly="yes"
hostonly_cmdline="yes"
|
Code: |
cat /etc/dracut.conf.d/10-drivers.conf
# Hardware drivers
add_drivers+=" i915 nvme nvme-core "
|
Code: |
cat /etc/dracut.conf.d/20-modules.conf
# Dracut modules to include
add_dracutmodules+=" crypt dm rootfs-block "
|
Code: |
cat /etc/dracut.conf.d/30-luks.conf
add_dracutmodules+=" crypt dm "
force_drivers+=" dm-crypt "
install_items+=" /sbin/cryptsetup "
kernel_cmdline+=" root=/dev/mapper/luks-e5c27ed6-607e-4caf-b27b-4467d855ef1c rootfstype=ext4 rd.luks=1 rd.luks.uuid=b8020cba-013e-4ef4-a43b-27dd55f2e1a9 "
|
Code: |
cat /etc/dracut.conf.d/40-uefi.conf
uefi=yes
early_microcode=yes
|
Code: |
cat /etc/dracut.conf.d/99-crypt.conf
# Force inclusion of crypto modules
force_drivers+=" dm-crypt aes_x86_64 aes_generic xts sha256 "
# Ensure cryptsetup is included
install_items+=" /sbin/cryptsetup /sbin/dmsetup "
# Add required dracut modules
add_dracutmodules+=" crypt dm "
# Enable debugging
#rdinfo=yes
#rdinitdebug=yes
# Disable host-only for testing
#hostonly="no"
|
Code: |
grub-mkimage -c /boot/efi/EFI/Gentoo/grub-debug.cfg -o /boot/efi/EFI/Gentoo/grubx64-debug.efi -O x86_64-efi -p /EFI/Gentoo part_gpt fat ext2 normal search search_fs_uuid echo linux all_video gfxterm font terminal
|
Code: |
dracut -f -v /boot/efi/EFI/Gentoo/initramfs-systemd.img 6.12.21-gentoo-dist
|
Code: |
#/etc/fstab
# <fs> <mountpoint> <type> <opts> <dump> <pass>
#LABEL=boot /boot ext4 defaults 1 2
#UUID=58e72203-57d1-4497-81ad-97655bd56494 / xfs defaults 0 1
#LABEL=swap none swap sw 0 0
#/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
# <fs> <mountpoint> <type> <opts> <dump> <pass>
PARTUUID="a6251365-7e22-49dd-8533-088b63e0b38b" /boot/efi vfat umask=0077 0 2
PARTUUID="5f495276-bf2c-4acd-9ce8-e8b948846887" none swap sw 0 0
UUID="e5c27ed6-607e-4caf-b27b-4467d855ef1c" / ext4 defaults,noatime 0 1
|
Code: |
cat /etc/crypttab
cryptroot UUID=b8020cba-013e-4ef4-a43b-27dd55f2e1a9 none luks
|
Code: |
lsblk -o name,uuid
NAME UUID
loop0 f5fc77de-b682-45bc-a0c4-317b7a4d0414
sda
└─sda1 c5608358-6a45-4f4c-8fcd-92131cf69c9f
└─luks-c5608358-6a45-4f4c-8fcd-92131cf69c9f 369b990b-9e6f-496b-b898-8a103f0c45b5
sdb 2025-04-09-12-28-03-00
├─sdb1 2025-04-09-12-28-03-00
└─sdb2 5C3F-262C
zram0 b32bd95e-2925-4d04-8bf5-10a670a8aa9c
nvme0n1
├─nvme0n1p1 7F5D-C323
├─nvme0n1p2 ca0c20eb-1803-4837-8fa6-e128f6376e84
└─nvme0n1p3 b8020cba-013e-4ef4-a43b-27dd55f2e1a9
└─cryptroot e5c27ed6-607e-4caf-b27b-4467d855ef1c
|
Code: |
[ 1.500741] integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc37b031f6b10bd'
[ 1.500760] integrity: Loading X.509 certificate: UEFI:db
[ 1.500781] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd99e499ae17c55af53'
[ 1.500793] integrity: Loading X.509 certificate: UEFI:db
[ 1.500821] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309b4d2790c8ed54f316d522988a1b4d'
[ 1.501487] Loading compiled-in module X.509 certificates
[ 1.501601] Loaded X.509 cert 'Mark Kazakov: 200791a7e04af6c43a8b2c28dfe61ac5c481d8c'
[ 1.501611] ima: Allocated hash algorithm: sha256
[ 1.716423] ima: No architecture policies found
[ 1.716558] efi: Initialising EFI variables attributes:
[ 1.716581] efi: security.selinux
[ 1.716601] efi: security.SMACK64 (disabled)
[ 1.716621] efi: security.SMACK64EXEC (disabled)
[ 1.716641] efi: security.SMACK64TRANSMUTE (disabled)
[ 1.716661] efi: security.SMACK64MMAP (disabled)
[ 1.716681] efi: security.apparmor
[ 1.716701] efi: security.ima
[ 1.716721] efi: security.capability
[ 1.716741] efi: MMAC attrs: 0x1
[ 1.719721] PM: Magic number: 9:120:323
[ 1.720779] tty tty48: hash matches
[ 1.723333] usb 3-3: new high-speed USB device number 2 using xhci_hcd
[ 1.727681] RAS: Correctable Errors collector initialized.
[ 1.731341] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[ 1.734591] clk: Disabling unused clocks
[ 1.735221] PM: genpd: Disabling unused power domains
[ 1.806174] usb 3-3: New USB device found, idVendor=2109, idProduct=2822, bcdDevice= 7.54
[ 1.809351] usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1.811241] usb 3-3: Product: USB2.0 Hub
[ 1.813071] usb 3-3: Manufacturer: VIA Labs, Inc.
[ 1.814971] usb 3-3: SerialNumber: 000000000000
[ 1.816871] hub 3-3:1.0: USB hub found
[ 1.818771] hub 3-3:1.0: 5 ports detected
[ 1.923891] usb 2-1: new SuperSpeed USB device number 2 using xhci_hcd
[ 1.941341] usb 2-1: New USB device found, idVendor=2109, idProduct=0211, bcdDevice= 4.44
[ 1.943271] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1.945261] usb 2-1: Product: USB3.0 Hub
[ 1.947251] usb 2-1: Manufacturer: VIA Labs, Inc.
[ 1.949241] hub 2-1:1.0: USB hub found
[ 1.951231] hub 2-1:1.0: 1 port detected
[ 2.034741] input: PS/2 Generic Mouse as /devices/platform/i8042/serio1/input5
[ 2.036961] md: Waiting for all devices to be available before autodetect
[ 2.038191] md: If you don't use raid, use raid=noautodetect
[ 2.039421] md: Autodetecting RAID arrays.
[ 2.040651] md: autorun ...
[ 2.041881] md: ... autorun DONE
[ 2.043111] /dev/root: Can't open blockdev
[ 2.044341] VFS: Cannot open root device "UUID=e5c27ed6-607e-4caf-b27b-4467d855ef1c" or unknown-block(0,0): error -6
[ 2.045571] Please append a correct "root=" boot option; here are the available partitions:
[ 2.046801] ext3
[ 2.047421] ext2
[ 2.048041] ext4
[ 2.048661] xfs
[ 2.049281] btrfs
[ 2.049901] vfat
[ 2.050521] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[ 2.051141] CPU: 4 UID: 0 FID: 1 Comm: swapper/0 Not tainted 6.12.21-gentoo-dist #1
[ 2.051761] Hardware name: Dell Inc. XPS 17 9720/0RG82H, BIOS 1.7.1 05/16/2022
[ 2.052381] Call Trace:
[ 2.052971] <TASK>
[ 2.053561] dump_stack_lvl+0x5d/0x80
[ 2.054151] panic+0x155/0x327
[ 2.054741] mount_root_generic+0x1ce/0x270
[ 2.055331] prepare_namespace+0x1ec/0x240
[ 2.055921] kernel_init_freeable+0x247/0x310
[ 2.056511] ? pfx_kernel_init+0x10/0x10
[ 2.057101] kernel_init+0x1a/0x140
[ 2.057691] ret_from_fork+0x31/0x50
[ 2.058281] ? pfx_kernel_init+0x10/0x10
[ 2.058871] ret_from_fork_asm+0x1b/0x30
[ 2.059461] </TASK>
[ 2.060051] Kernel Offset: 0x31000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 2.060641] ---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) ]---
|
I don't understand what is causing the issue. I've been stuck on that one for many days, could you please direct me or point out any issues in my configs, or command lines I have used? |
|
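An added example, not part of any post in this thread: a POSIX shell check that compares `rd.luks.uuid=` and `root=UUID=` on a kernel command line with `blkid`-style output, which is the "verify the UUIDs" step done mechanically. The function names and the `TYPE` values in the sample are assumptions; the UUIDs and the command line are the ones shown in the posts above.

```sh
#!/bin/sh
# Added example: cross-check rd.luks.uuid= and root=UUID= on a kernel command
# line against blkid-style output. All function names are hypothetical.

# Constructed sample in blkid output format. UUIDs are those in the thread's
# lsblk listing; the TYPE values are assumed (LUKS container holding ext4).
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="7F5D-C323" TYPE="vfat"
/dev/nvme0n1p3: UUID="b8020cba-013e-4ef4-a43b-27dd55f2e1a9" TYPE="crypto_LUKS"
/dev/mapper/cryptroot: UUID="e5c27ed6-607e-4caf-b27b-4467d855ef1c" TYPE="ext4"'

# Print the value of the first KEY=value word on a command line.
cmdline_arg() {  # $1 = key, $2 = command line
    printf '%s\n' "$2" | tr -s ' ' '\n' |
        awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

is_uuid() {
    printf '%s\n' "$1" |
        grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Print the TYPE for a UUID; the leading space keeps PARTUUID= from matching.
type_of_uuid() {  # $1 = uuid, $2 = blkid text
    printf '%s\n' "$2" | grep -F " UUID=\"$1\"" |
        sed -n 's/.* TYPE="\([^"]*\)".*/\1/p' | head -n 1
}

# Report mismatches; the return status is the number of problems found.
check_luks_cmdline() {  # $1 = command line, $2 = blkid text
    problems=0
    luks=$(cmdline_arg rd.luks.uuid "$1")
    luks=${luks#luks-}   # dracut ignores an optional "luks-" prefix
    root=$(cmdline_arg root "$1")
    if ! is_uuid "$luks"; then
        echo "rd.luks.uuid='$luks' is not a well-formed UUID"
        problems=$((problems + 1))
    elif [ "$(type_of_uuid "$luks" "$2")" != crypto_LUKS ]; then
        echo "rd.luks.uuid=$luks does not name a crypto_LUKS device"
        problems=$((problems + 1))
    fi
    case "$root" in
    UUID=*)
        fstype=$(type_of_uuid "${root#UUID=}" "$2")
        if [ -z "$fstype" ] || [ "$fstype" = crypto_LUKS ]; then
            echo "root=$root is not a filesystem UUID known to blkid"
            problems=$((problems + 1))
        fi ;;
    *)  echo "root=$root is not UUID-based; check the mapping name by hand" ;;
    esac
    return "$problems"
}
# Command line as written in the first post's efibootmgr entry.
check_luks_cmdline 'root=UUID=e5c27ed6-607e-4caf-b27b-4467d855ef1c rd.luks.uuid=b802cba-013e-4ef4-a43b-27dd55f2e1a9' "$SAMPLE_BLKID" || true
```

On a live system, pass `"$(cat /proc/cmdline)"` and `"$(blkid)"` instead of the embedded sample.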
|
 |
NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 55227 Location: 56N 3W
|
Posted: Mon May 12, 2025 10:10 am Post subject: |
|
|
markkazakov,
means that the kernel cannot see any block devices at all.
Code: | [ 2.045571] Please append a correct "root=" boot option; here are the available partitions: | is an empty list.
The kernel should list all the block devices it can see there. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
 |
keet Guru

Joined: 09 Sep 2008 Posts: 575
|
Posted: Mon May 12, 2025 12:43 pm Post subject: |
|
|
I boot using a similar setup. This is my (entire dracut, sans comments) configuration:
/etc/dracut.conf
Code: | dracutmodules+="crypt kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown " |
/etc/dracut.conf.d/cmdline.conf
Code: | kernel_cmdline="rd.luks.uuid=xxxx root=UUID=xxxx net.ifnames=0 root_trim=yes rw" |
|
|
|
 |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1671 Location: Richmond Hill, Canada
|
Posted: Mon May 12, 2025 1:11 pm Post subject: |
|
|
markkazakov,
Can you confirm initrd actually started? From your dmesg I am not able to tell whether that portion executed or not. In theory, if it executed, you should get the dracut rescue shell prompt, not a kernel panic, unless you simply exit the dracut rescue shell without doing anything. |
|
|
 |
markkazakov n00b

Joined: 09 May 2025 Posts: 6
|
Posted: Mon May 12, 2025 1:29 pm Post subject: |
|
|
keet,
Thank you so much for providing your dracut configs. It actually did the trick to allow mounting the rootfs.
pingtoo,
Yes initrd has started, after a long boot time, I was able to get a shell access to my system so everything works properly! |
|
|
 |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1671 Location: Richmond Hill, Canada
|
Posted: Mon May 12, 2025 1:33 pm Post subject: |
|
|
markkazakov wrote: | keet,
Thank you so much for providing your dracut configs. It actually did the trick to allow mounting the rootfs.
pingtoo,
Yes initrd has started, after a long boot time, I was able to get a shell access to my system so everything works properly! | Thank you for the confirmation. Please consider marking this topic solved if you don't need further help. |
|
|
 |
markkazakov n00b

Joined: 09 May 2025 Posts: 6
|
Posted: Mon May 12, 2025 2:02 pm Post subject: |
|
|
Yes we can close the thread.
Thank you so much to everyone who has helped me. |
|
|
 |
|