Gentoo Forums
[Solved] Initramfs troubles with encrypted root
Black Knight (n00b)
Joined: 13 Dec 2015
Posts: 18

PostPosted: Wed Dec 16, 2015 8:24 am    Post subject: [Solved] Initramfs troubles with encrypted root

First time installing Gentoo. Nearly there, but I'm having boot issues. System is as follows:

/dev/sda1 is my BIOS boot partition (my disk is GPT, I'm booting BIOS)
/dev/sda2 is /boot, formatted ext4
/dev/sda3 is LUKS encrypted root; /dev/mapper/cryptroot is ext4; password to unlock.
fstab uses UUIDs.
Kernel was compiled with no issues; I used genkernel with --menuconfig --luks --install --symlink --disklabel --clean all. I was sure to manually compile in ext4 support, mapper/crypt target support, and support for all the crypto needed by my LUKS setup. Genkernel was emerged with cryptsetup support. Grub installed with no issues, found my kernel and initramfs no problem.

When I try to boot, grub works, and passes flow along to the initramfs. Eventually it fails (I never get prompted for my password) with errors about not being able to find the UUID'd disks. When this failed, I thought I'd give dracut a shot, which generated the initramfs with no issues (adding in the dm and crypt modules), but this failed as well at boot. Going through the /run/initramfs/rdsosreport.txt in the busybox, the first problematic looking thing is
Code:
dmsetup ls --tree
/dev/mapper/control: open failed: No such device
Failure to communicate with kernel device-mapper driver.
Check that device-mapper is available in the kernel.

Which is odd since I included (to my knowledge) dm and crypt target support in the kernel.

After a lot of innocuous messages I'll see
Code:
input: SynPS/2 Synaptics TouchPad as /devices/platform/i8042/serio1/input/input5

which takes a good 30 sec-1min (far longer than anything prior). Immediately after I see
Code:
random: nonblocking pool is initialized

which takes several minutes. Finally, I'll get
Code:
dracut Warning: Could not boot.
dracut Warning: /dev/disk/by-uuid/</dev/sda2's UUID> does not exist.
dracut Warning: /dev/disk/by-uuid/</dev/sda3's UUID> does not exist.
dracut Warning: /dev/disk/by-uuid/</dev/mapper/cryptroot's UUID> does not exist.

Last edited by Black Knight on Fri Dec 25, 2015 9:39 pm; edited 1 time in total
khayyam (Watchman)
Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Wed Dec 16, 2015 12:53 pm

Black Knight ... rather than try to debug genkernel/dracut might I suggest the following:

Build better-initramfs ... or get a pre-built binary suitable for your machine arch ... v0.9.1. Place the initramfs.cpio.gz in boot, modify grub.cfg to use this initramfs, and provide the following kernel parameters:

Code:
rootfstype=ext4 luks enc_root=/dev/sda3 lvm root=/dev/mapper/cryptroot

Boot and forget ...

best ... khay
frostschutz (Advocate)
Joined: 22 Feb 2005
Posts: 2970
Location: Germany

PostPosted: Wed Dec 16, 2015 1:03 pm    Post subject: Re: Initramfs troubles with encrypted root

Black Knight wrote:
and support for all the crypto needed by my LUKS setup


Include sha1/sha256, even if you are using sha512 it's used for some initialization things sometimes. If in doubt, including all of crypto doesn't hurt either.

You could post your kernel config, maybe something else is missing as well.
Black Knight (n00b)
Joined: 13 Dec 2015
Posts: 18

PostPosted: Thu Dec 17, 2015 1:39 am

frostschutz,
Quote:
Include sha1/sha256, even if you are using sha512 it's used for some initialization things sometimes.

I actually did include all the common ciphers and hash algos in the kernel I built for precisely this reason, so unfortunately that's not the issue.

khayyam,
I'll give this a shot, however is the lvm kernel param necessary? I'm not using lvm.

EDIT: On second thought, before messing with another package, is there really no good way to get this working with genkernel? It seems the most widely supported option for Gentoo, and I have hard time believing an initramfs for a disk setup this straightforward can't be generated with it. Even if I end up using another solution, I'd like to understand what I'm doing wrong here.
khayyam (Watchman)
Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Dec 17, 2015 4:51 am

Black Knight wrote:
khayyam, I'll give this a shot, however is the lvm kernel param necessary? I'm not using lvm.

Black Knight ... no, it isn't, I'd assumed that, as it's often the case that encrypted root will contain logical volumes.

Black Knight wrote:
EDIT: On second thought, before messing with another package, is there really no good way to get this working with genkernel? It seems the most widely supported option for Gentoo, and I have hard time believing an initramfs for a disk setup this straightforward can't be generated with it. Even if I end up using another solution, I'd like to understand what I'm doing wrong here.

Fair enough, but for me genkernel is essentially a means to provide the quickest method to get the install process completed, with as little fuss as possible. The downside is that this invariably introduces problems of its own (i.e., like tying the building of the kernel along with the building of the initramfs ... and the things needed to do that).

I personally don't see a reason for rebuilding the initramfs on kernel updates, and with genkernel that is the case, better-initramfs, not. I also don't see the reason why the initramfs should use the system installed binaries (and so require USE="static" on same), better-initramfs builds these using Aboriginal Linux, which makes the initramfs small, lightweight, and fast (due to aboriginal's use of uClibc) ... my uncompressed initramfs is 2.8 MB, and includes busybox, cryptsetup, lvm2, and various other tools ... and I've not had to pay any attention to it since it was initially built.

genkernel may be "widely supported", but you could also look at that inversely and see it as a case of it requiring support. So for example, I could probably find some number of support requests related to genkernel where some new user is running genkernel and is suddenly required to rebuild packages with the 'static' useflag, but doesn't understand yet what these things are, or how the package manager functions. So, this 'simple' tool turns out to be a lot more complicated than it in fact is. It would probably be far simpler to have a sys-kernel/gentoo-initramfs package built along better-initramfs lines, and separate the provision of an initramfs from the building of the kernel.

best ... khay
Black Knight (n00b)
Joined: 13 Dec 2015
Posts: 18

PostPosted: Fri Dec 18, 2015 6:29 am

Quote:
It would probably be far simpler to have a sys-kernel/gentoo-initramfs package built along better-initramfs lines, and separate the provision of an initramfs from the building of the kernel.


Such an ebuild would certainly be welcome, and I agree with the superiority of a lightweight, self-contained initramfs over the build-static-and-dump approach genkernel uses. But it's going to drive me nuts if I can't figure out why this isn't working!

Given the current setup I've laid out, can someone give me a step-by-step "foolproof" configuration for cryptsetup/genkernel/grub? I'm *really* tired of fighting with this; I just want to understand the correct setup and get it booting.
I'm certain the issue isn't dm/crypt features in the kernel; as I mentioned I compiled in ext4 support, dm/crypt target support, and basically every hash and cipher algo available. Perhaps a kernel disk controller driver issue? I've found all sorts of conflicting information online and none of the configurations (including specifying the root and crypt_root kernel params by UUID, PARTUUID, and simple /dev/sdX) I've tried work.

Some more details on the genkernel initramfs error: after loading the initramfs, I get
Code:
"The LUKS device UUID=<the UUID> does not contain a LUKS header"
!! Could not find the root in UUID=<the UUID>
Please specify another value or:
(press enter for the same, shell for shell, etc.)


If I then specify /dev/sda3 (the LUKS partition) I'm prompted for the password. After supplying *any* password, I get
Code:
device-mapper: reload ioctl on  failed: No such file or directory
Failed to setup dm-crypt key mapping for device /dev/sda3.
Check that the kernel supports serpent-xts-plain64 cipher (check syslog for more information).

Two things to note here:
1. The blank in "ioctl on failed"; that's not a typo. There's actually another space in between "on" and "failed", but it's not being rendered here.
2. The initramfs is correctly identifying my LUKS partition's crypto config as serpent-xts-plain64.

A possibly related question: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS states
Quote:
The static USE flag may also be enabled on the sys-fs/cryptsetup so that genkernel will use the system binaries (otherwise it will build its own private copy).

Doesn't this mean that cryptsetup does not need to be built with the static USE flag? My system's cryptsetup is built dynamically.

I've set up similar "installerless" distros with this same disk configuration and I've never had this much grief. Please help.
Roman_Gruber (Advocate)
Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

PostPosted: Fri Dec 18, 2015 6:49 am

I can tell that gentoo shipped genkernel initramfs is kinda broken, status october 2015.

When you know a bit linux and how it boots, you are better off debugging the initramfs and fixing grub2 and the initramfs, like I did.

This implies you know how a box boots, how to hack files, and how you manually mount it in a chroot.

And a bit of C coding helped here too.

It also implies you are able to think like a computer and go from the basics to the end, and not from the end to the start, which most "desktop users" do.

And have lots of patience, I wasted too much time for that. But I wanted to know if it's uefi / grub 2 / or config file faults.

Quote:
Doesn't this mean that cryptsetup does not need to be built with the static USE flag? My system's cryptsetup is built dynamically.


You miss the fact, your root is not accessible at that stage.
please set up your bootloader / kernel / initramfs correctly on an accessible partition for your uefi / bios.
your root and its installed packages have nothing to do with the previously mentioned 3 core components to boot a box.

i fixed the initramfs, kernel config and grub2
others write their own initramfs
others use a prebuilt initramfs

but all 3 need some work and configuration and reading
Black Knight (n00b)
Joined: 13 Dec 2015
Posts: 18

PostPosted: Fri Dec 18, 2015 7:48 am

tw04l124,
I appreciate you taking time to help me, but I think you are misunderstanding my issue.

tw04l124 wrote:
I can tell that gentoo shipped genkernel initramfs is kinda broken, status october 2015.

I'm certainly willing to believe that :). Is there a specific bug that affects the setup I've described? And an older ebuild that doesn't suffer from the relevant issue?

tw04l124 wrote:
You miss the fact, your root is not accessible at that stage.

You misunderstand. I'm chrooted into my root from the install media, so everything is accessible when the initramfs is being built. I'm asking if the system cryptsetup *needs* to be built statically so genkernel can copy it into the initramfs (in which case the docs I quoted are wrong), or if the docs I quoted are correct and genkernel is smart enough to either build its own static copy, or copy all the necessary dynamically linked libraries in.

tw04l124 wrote:
please set up your bootloader / kernel / initramfs correctly on an accessible partition for your uefi / bios.

As I mentioned in my first post, /boot is a separate, unencrypted partition, and grub, the kernel, and my initramfs load and boot without issue. The problem is that the initramfs doesn't mount my encrypted root.

tw04l124 wrote:
your root and its installed packages have nothing to do with the previously mentioned 3 core components to boot a box.

Yes they do, if genkernel is copying those libs into the initramfs it creates during installation. Heck, genkernel itself is a package installed on root, and the state of the root system affects how genkernel configures and builds all of its targets. A prime example from the handbook, describing how genkernel needs to read the installed system's fstab: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
Quote:
Further in the Gentoo installation, /etc/fstab will be configured again. The /boot setting is needed right now as the genkernel application reads in this configuration.

Of course, one could technically build the kernel and initramfs on a completely separate system and copy them over, but this obviously isn't the scenario here.
nictki (n00b)
Joined: 10 Jan 2007
Posts: 63
Location: somewhere else...

PostPosted: Fri Dec 18, 2015 9:14 am

Hi,

I'm using this init config and initramfs script for some years.
I've everything encrypted with LUKS except /boot, and I use lvm to manage partitions.

init: https://bpaste.net/show/b0c919c88465
mkinitramfs.sh: https://bpaste.net/show/48fb8ce3bf3d

Neither cryptsetup nor lvm2 is built statically.

I can't remember exactly, but I think these two files are based on:
https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
https://wiki.gentoo.org/wiki/Dm-crypt

I'm using extlinux as bootloader (no UEFI).

Best
Roman_Gruber (Advocate)
Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

PostPosted: Fri Dec 18, 2015 11:05 pm

nah, I just keep it short, regardless how your box is set up.

=> all needed components need to be present, machine readable and accessible to boot your box.

and all arguing against myself, this and that, and useflags.

=> all needed components need to be present, machine readable and accessible to boot your box. <=

your box is encrypted, not accessible. most guys are not aware of the fact that most bootloaders access rootfs quite early and get the stuff from there. with encryption or bad setup (which is the same, rootfs is not accessible), anything needs to be in those 3 core components.

..

keep arguing, I gave you the hint already, to check every step from uefi booting to the end and you will find the error like I did.

did you read the initramfs contents? did you read the grub configs? grub's way of interaction with the kernel and initramfs? kernel config? kernel comments?

and do not expect that any wiki is up to date or covers everything. the genkernel initramfs is a nice skeleton, but was adapted here to get it working.

and never ever expect that some windi 10 programmer (general term for windows 10 guys who just write code and do not care much, not proper design flow) wrote a proper script => look at grub's proper scripts which are broken / genkernel scripts for initramfs / genkernel itself. It may work for some cases but hardly did in my cases.

It has its reason why linux mint suggests a reinstall for each new release, and they destroyed my grub.cfg without checking and user intervention.
but do not worry, happens with windi installer discs too and windi installers...

I hope you solve your issue soon.

nictki wrote:
Best


Nice scripts.
Black Knight (n00b)
Joined: 13 Dec 2015
Posts: 18

PostPosted: Tue Dec 22, 2015 12:08 am

Looking at /proc/crypto from inside the busybox (this is inside the genkernel initramfs on a failed boot) shows that the ciphers and hashes I need for the luks partition are missing despite the fact that these were compiled into the kernel. In fact, most of the hashes and ciphers seem to be missing. This would definitely explain the issue. What can cause this?
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13842

PostPosted: Tue Dec 22, 2015 12:42 am

Compare the /proc/config.gz in the problem kernel to the .config you think you used to build it. The most common cause for this type of problem is that you did not correctly install the configured kernel, so the kernel you are running is not the kernel you intend to run.
Black Knight (n00b)
Joined: 13 Dec 2015
Posts: 18

PostPosted: Thu Dec 24, 2015 4:54 am    Post subject: Solved!

I've got everything working now; the system boots! I'm using an initramfs generated by genkernel. There were three issues:

1. Genkernel needs both the --luks AND the --lvm flags; even if lvm partitions are not being used, lvm is needed in the initramfs for the device-mapper functionality. I was using only --luks.
2. Somehow, my kernel configuration which included all the necessary crypto APIs was not being applied when genkernel built the kernel. Hu, your suggestion about the incorrectly installed kernel led me to this. I only had *one* kernel I had compiled available, so there was no way I could have installed the wrong one. Therefore, the issue was the configuration of that kernel. I'm not sure exactly what happened to the configuration specifically (I *know* I added the necessary crypto), but deleting the kernel and kernel sources, re-emerging them and reconfiguring/compiling fresh fixed this.
3. The third issue was the grub boot parameters being completely wrong. Even though I had added the correct parameters (root=UUID=..., crypt_root=UUID=..., and rootfstype=... in my case) to /etc/default/grub, grub tries to be clever and adds more incorrect ones. For example, it added "root=/dev/mapper/cryptroot", which is what I had my root mounted as while chrooted in from the install cd. I determined the correct configuration by using the grub shell and setting them all manually, then editing the grub.cfg file once I had verified the working configuration.

Thanks to all,
Black Knight
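As an added example (not code from the thread, from genkernel or from any poster), a POSIX shell check that follows Hu's advice and issue 2 of the solved post: it reads a kernel config (a plain .config or /proc/config.gz), verifies that the options this thread's LUKS setup depends on are built in, and diffs the running kernel's config against the source tree's on exactly those options, so a silently dropped crypto option shows up before the next reboot. The option list is an assumption derived from the serpent-xts-plain64 / sha / dm-crypt / ext4 setup described above; adjust it to what `cryptsetup luksDump` reports for your volume.

```shell
#!/bin/sh
# Added example: sanity-check a kernel config for an encrypted ext4 root on
# dm-crypt using serpent-xts-plain64 (assumed from the thread's setup).
# Usage: sh check_kconfig.sh /proc/config.gz
#        sh check_kconfig.sh /usr/src/linux/.config

# Assumed option list: device-mapper, dm-crypt, ext4, the serpent cipher,
# the XTS mode, and the SHA hashes LUKS may use for its key derivation.
REQUIRED_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_EXT4_FS \
CONFIG_CRYPTO_SERPENT CONFIG_CRYPTO_XTS \
CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_SHA512"

# Print the config text; /proc/config.gz is gzip-compressed, .config is not.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Value of one option in a config text ("y", "m", or empty if unset/commented).
opt_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Return 0 when every required option is built in (=y). Options built as
# modules (=m) are reported too: before the initramfs can load a module,
# the cipher is simply absent from /proc/crypto, which is what the thread saw.
check_kconfig() {
    cfg=$(read_config "$1") || return 2
    missing=""
    for opt in $REQUIRED_OPTS; do
        case "$(opt_value "$cfg" "$opt")" in
            y) ;;
            m) missing="$missing $opt=m" ;;
            *) missing="$missing $opt(unset)" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "not built in:$missing"
        return 1
    fi
    return 0
}

# Compare the running kernel's config (arg 1) with the source tree's (arg 2)
# on the required options only; returns 1 and lists any that differ.
diff_required() {
    a=$(read_config "$1") || return 2
    b=$(read_config "$2") || return 2
    rc=0
    for opt in $REQUIRED_OPTS; do
        va=$(opt_value "$a" "$opt"); vb=$(opt_value "$b" "$opt")
        if [ "${va:-unset}" != "${vb:-unset}" ]; then
            echo "$opt: running=${va:-unset} source=${vb:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Run the check when a config path is given on the command line.
if [ "$#" -gt 0 ]; then check_kconfig "$1"; fi
```

A clean result from both functions only proves the config matches the kernel you are running; it does not prove the initramfs was built against it, so rerun the check after each kernel reinstall.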