[SOLVED] Initramfs with decrypting a luks root partition questions

dman777 · 05-16-2011, 09:26 PM

I created a fresh gentoo install. I am creating the initramfs because i made my root partition a encrypted luks partition. I did the usual and placed busybox on the initramfs so far. I have two questions:

1) doesn't there need to be a /dev/mapper in the initramfs so when the root partition is unlocked it has a /dev/mapper/file name?
2) when the exec_switch is preformed how is the /dev/mapper/file name going to transfer over?

and

3) how do i get the initramfs to take the key from a usb key device given from the grub command line?

Still having trouble though getting the initramfs.

1) I built the initramfs into the kernel...using /usr/src/initramfs. I did not choose any compression for it.
2) I created:

Code:

mkdir /usr/src/initramfs
cd /usr/src/initramfs
mkdir /usr/src/initramfs/bin
mkdir /usr/src/initramfs/lib
mkdir /usr/src/initramfs/dev
mkdir /usr/src/initramfs/etc
mkdir -p /usr/src/initramfs/mnt/root
mkdir /usr/src/initramfs/proc
mkdir /usr/src/initramfs/root
mkdir /usr/src/initramfs/sbin
mkdir /usr/src/initramfs/sys

2)I used the cryptsetup binary from the live dvd for the initramfs. For the busybox, I compiled it statically on my chroot system and copied over that binary to the initramfs.

3) I copied my luks key into /usr/src/initramfs/key

4) my init script is:

Code:

#!/bin/busybox sh

mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev

cryptsetup -d /key luksOpen /dev/sda5 root

mount -o ro /dev/mapper/root /mnt/root || rescue_shell

umount /proc
umount /sys
umount /dev


exec switch_root /mnt/root /sbin/init

rescue_shell() {
        echo "Something went wrong. Dropping you to a shell."
                busybox --install -s
        exec /bin/sh
}

but upon boot up I get:
http://img.photobucket.com/albums/v6...517_100756.jpg

I spent so many hours...if you could help please i'd really appreciate it.

Note: I tried this kernel on a non encrypted partition on the same laptop(just copied the partition) and it booted successfully(with no initramfs).
Pax and Grsecurity are turned off.

dman777 · 05-17-2011, 07:51 PM

UPDATE:

This time I built the initramfs outside the kernel and loaded it externally with grub. I got a more verbose error output. I also updated the script to place marks where the init script may be at:

Code:

Gentoo-11 initramfs # cat init
#!/bin/busybox sh
echo "go this far"
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev

echo "crypt"
crypsetup -d /tyler2.jpg luksOpen /dev/sda5 root
echo "root unlocked"

mount -o ro /dev/mapper/root /mnt/root || rescue_shell
echo "mounted"

umount /dev
umount /sys
umount /proc

echo "about to do switch"
exec switch_root /mnt/root /sbin/init
echo "done"

rescue_shell() {
echo "bad"
busybox --install -s
exec /bin/sh
}

Here is a picture of the errors I get upon boot up:
http://img.photobucket.com/albums/v6...7_191224-1.jpg

Please note that on that screen shot it saids "about to do switch" on the very top, so I got that far in the script.

It looks like the syntax could be correct with "exec switch_root /mnt/root /sbin/init", but in the screen shot it seems to be complaining about the new root. Can this be a problem with devtmpfs? Or is switch_root util messed up because of the call traces?

dman777 · 05-18-2011, 09:24 AM

found the problem...i missed spelled the word cryptsetup.

win32sux · 05-18-2011, 09:58 AM

Moved to Software, as it isn't a security issue (at least not directly).