Gentoo Forums
[Solved] Strange initramfs behaviour
Princess Nell
l33t


Joined: 15 Apr 2005
Posts: 789

Posted: Mon Nov 11, 2019 11:04 pm    Post subject: [Solved] Strange initramfs behaviour

I'm in the process of migrating a system from partial to full encryption.

Old:
- /dev/sdb1 root
- /dev/sda5 lvm over luks (everything else)

Machine boots, then prompts for sda5 passphrase, all good.

In order to test the new setup while keeping the old intact:
- /dev/sdb2 luks, root
- /dev/sda5 as above; now unlocked via keyfile on luks root

The test setup works fine. Generate initramfs with dracut -a crypt -H, regenerate grub.cfg. Machine boots to initramfs, prompts to unlock /dev/sdb2, and /dev/sda5 is unlocked automatically via key file.

Now for the new config: rebuild sdb1 as luks volume. Copy the sdb2 system to sdb1. chroot to sdb1, regenerate initramfs and grub.cfg. This setup also works, but not in the way expected. The machine now prompts for the passphrase for sda5 before prompting for the sdb1 passphrase. This also works in the end, but the behavior is unexpected, and there are two passphrase prompts where there should be one. The grub/dracut config files are identical.

I also notice that the grub config generated for the "new" scenario is different from the "test" scenario, although these changes do not account for the difference in behavior. E.g. in the first block about "feature_platform_search_hint", where grub.cfg from the "test" scenario has all these hints,
Code:

if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd1 --hint-efi=hd1 --hint-baremetal=ahci1 --hint='cryptouuid/...

the bios/efi/baremetal hints are omitted in the "new" setup.

There are more changes, the "test" setup has an additional "--hint-ieee1275='ieee1275//disk@0,msdos1'" option in other sections of the file which the "new" grub.cfg does not.

Can anyone think of an explanation?


Last edited by Princess Nell on Thu Nov 14, 2019 10:48 pm; edited 1 time in total
GDH-gentoo
Guru


Joined: 20 Jul 2019
Posts: 351
Location: South America

Posted: Tue Nov 12, 2019 12:54 pm    Post subject: Re: Strange initramfs behaviour

I'm not sure about the passphrase thing, but:
Princess Nell wrote:
E.g. in the first block about "feature_platform_search_hint", where grub.cfg from the "test" scenario has all these hints,
Code:

if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd1 --hint-efi=hd1 --hint-baremetal=ahci1 --hint='cryptouuid/...

The search --fs-uuid --set=root command searches for a filesystem with a specified UUID and sets the root variable to its corresponding GRUB device name. Those are just hints that speed up the search if they are correct, but what matters is that the UUID at the end of the command is the one of the filesystem that contains the kernel and initramfs named in later commands.

That said, I'm surprised by what grub-mkconfig thinks the hints should be. You speak of a partitioned disk, /dev/sdb, but the UEFI, BIOS and bare metal ones name whole disks (hd1 / ahci1), and furthermore, there is a cryptouuid hint, suggesting that GRUB thinks that it should open an encrypted volume. Where are your kernel and initramfs?

Princess Nell wrote:
There are more changes, the "test" setup has an additional "--hint-ieee1275='ieee1275//disk@0,msdos1'" option in other sections of the file which the "new" grub.cfg does not.

That is an Open Firmware hint. Did you install GRUB with GRUB_PLATFORMS=ieee1275?
Princess Nell
l33t


Joined: 15 Apr 2005
Posts: 789

Posted: Tue Nov 12, 2019 10:11 pm

I don't have GRUB_PLATFORMS set in make.conf, so it defaults to "efi-64 pc".

Kernel and initramfs live on sda1 (= /boot), where sda is an MBR disk. sdb is a GPT disk. This is a laptop that allows both UEFI and legacy BIOS, and is using the latter, where sda is the original hdd and sdb an ssd that was added later.

I wrote a little script that extracts uuids from blkid output and searches grub.cfg for them (including the format with hyphens removed), and it confirms that only sdb1 (root), sda1 (boot) and the "mapped" form of the luksOpened sdb1 are referenced. The uuid in the cryptomount and set root lines is sdb1, and the last uuid in the search lines is indeed sda1. And this aspect works, kernel and initramfs boot. Only then it goes on a tangent by mounting sda5 next. This didn't happen in the test setup when sdb2 was the luks root and sdb1 a plain linux partition. sda partitions are the same for both setups, they did not change. I don't think it's a bus latency thing or something like that.
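An added example, not Princess Nell's script: one way to run the UUID cross-check described in the post above, counting how many grub.cfg lines mention each blkid UUID in either its hyphenated or hyphen-free form. The blkid output, grub.cfg lines and UUIDs are constructed samples, and grub_uuid_refs is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: cross-check blkid UUIDs against grub.cfg.
# All devices, UUIDs and config lines below are constructed samples.

blkid_out='/dev/sda1: UUID="0a1b2c3d-1111-4aaa-8bbb-000000000001" TYPE="ext4"
/dev/sda5: UUID="0a1b2c3d-2222-4aaa-8bbb-000000000005" TYPE="crypto_LUKS"
/dev/sdb1: UUID="0a1b2c3d-3333-4aaa-8bbb-0000000000b1" TYPE="crypto_LUKS" PARTUUID="0a1b2c3d-9999-4aaa-8bbb-0000000000ff"'

grub_cfg="cryptomount -u 0a1b2c3d33334aaa8bbb0000000000b1
set root='cryptouuid/0a1b2c3d33334aaa8bbb0000000000b1'
search --no-floppy --fs-uuid --set=root 0a1b2c3d-1111-4aaa-8bbb-000000000001"

# grub_uuid_refs BLKID_TEXT GRUB_CFG_TEXT   (hypothetical helper name)
# Prints "device uuid count" per blkid entry, where count is the number of
# grub.cfg lines that mention the UUID with or without hyphens.
# The sed pattern requires a space before UUID= so that PARTUUID= and
# UUID_SUB= fields are not picked up by mistake.
grub_uuid_refs() {
    printf '%s\n' "$1" |
    sed -n 's/^\([^:]*\):.* UUID="\([^"]*\)".*/\1 \2/p' |
    while read -r dev uuid; do
        plain=$(printf '%s' "$uuid" | tr -d '-')
        # grep -c exits 1 on a zero count; keep that from aborting callers
        # that run under "set -e".
        n=$(printf '%s\n' "$2" | grep -c -i -F -e "$uuid" -e "$plain" || true)
        printf '%s %s %s\n' "$dev" "$uuid" "$n"
    done
}

# On a real system (as root, with the path to your own grub.cfg):
#   grub_uuid_refs "$(blkid)" "$(cat path/to/grub.cfg)"
grub_uuid_refs "$blkid_out" "$grub_cfg"
```

A count of 0 for a LUKS volume, as for /dev/sda5 in the sample, means GRUB's configuration does not reference it, so any prompt for that volume comes from a later boot stage.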
GDH-gentoo
Guru


Joined: 20 Jul 2019
Posts: 351
Location: South America

Posted: Wed Nov 13, 2019 9:48 pm

I'm not very familiar with cryptsetup, would it ask for a passphrase if it had any problem accessing and using the key file for /dev/sda5?
Princess Nell
l33t


Joined: 15 Apr 2005
Posts: 789

Posted: Thu Nov 14, 2019 10:48 pm    Post subject: [Solved] Strange initramfs behaviour

I have solved it.

It helps to pay attention to the output of dracut during initramfs generation ;) In this case, it explicitly included two rd.luks.uuid=... parameters, one for sdb1 and one for sda5. Once I figured that out, it was just a matter of finding the correct options to disable the unwanted disk. This combination worked: a custom config file under /etc/dracut.conf.d
Code:

add_dracutmodules+="crypt lvm"
kernel_cmdline="root=/dev/mapper/luks-<uuid> rootfstype=ext4 rootflags=rw,noatime"

and then run dracut as
Code:

# dracut -H --no-hostonly-default-device --add-device /dev/sdb1
...
dracut: Stored kernel commandline:
dracut: root=/dev/mapper/luks-<uuid> rootfstype=ext4 rootflags=rw,noatime
dracut:  rd.luks.uuid=luks-<uuid>
...
#

I have substituted <uuid> everywhere for the real uuid to make this more readable.

Voila, only a single passphrase prompt for the root partition, and sda5 lvm over luks is handled by the boot level dmcrypt service as intended.
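An added example, not part of the original post: a check over dracut's build output that lists every rd.luks.uuid= it stored and reports any LUKS volume other than the ones you expect the initramfs to unlock, which is the condition that produced the extra prompt in this thread. The log text and UUIDs are constructed samples, and luks_uuids and unexpected_luks are hypothetical helper names.

```sh
#!/bin/sh
# Added example: audit which LUKS volumes dracut baked into the initramfs.
# The log text and UUIDs below are constructed samples.

dracut_log='dracut: Stored kernel commandline:
dracut: root=/dev/mapper/luks-0a1b2c3d-3333-4aaa-8bbb-0000000000b1 rootfstype=ext4 rootflags=rw,noatime
dracut:  rd.luks.uuid=luks-0a1b2c3d-3333-4aaa-8bbb-0000000000b1
dracut:  rd.luks.uuid=luks-0a1b2c3d-2222-4aaa-8bbb-000000000005'

# luks_uuids: read dracut output on stdin and print each rd.luks.uuid value
# once, with the optional "luks-" prefix removed.
luks_uuids() {
    tr ' \t' '\n\n' |
    sed -n 's/^rd\.luks\.uuid=\(luks-\)\{0,1\}//p' |
    sort -u
}

# unexpected_luks UUID...: read dracut output on stdin and print every
# stored LUKS UUID that is not in the argument list. Returns 1 if any is
# found, so it can gate an initramfs build script.
unexpected_luks() {
    extra=$(luks_uuids | while IFS= read -r u; do
        ok=0
        for want in "$@"; do
            if [ "$u" = "$want" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$u"; fi
    done)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Real use, assuming the "Stored kernel commandline" lines are captured:
#   dracut -H ... 2>&1 | unexpected_luks <root-uuid>
printf '%s\n' "$dracut_log" |
    unexpected_luks 0a1b2c3d-3333-4aaa-8bbb-0000000000b1 ||
    echo "initramfs will also try to unlock the volume(s) listed above"
```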