LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   slack12 install on encrypted LVM failed (http://www.linuxquestions.org/questions/slackware-14/slack12-install-on-encrypted-lvm-failed-585596/)

deNiro 09-18-2007 12:33 PM

slack12 install on encrypted LVM failed
 
hello,

I'm having a problem with a slackware installation on encrypted LVM. i can't get it booting up normally.

Let me explain the problem.

The situation:

My harddisk 8.5 GB
sda1 - primary 500MB Linux partition
sda2 - primary 500MB linux swap partition
sda3 - primary 7.5GB Linux LVM partition (type 8e)

I will use sda1 for boot, sda2 for swap, and sda3 as encrypted partition for my lv's. So i don't have to enter a password seperately for every partition i want to open at boot.

step 1:

I create the encrypted device with:

# cryptsetup -s 256 -y luksFormat /dev/sda3

next i open it for use

# cryptsetup luksOpen /dev/sda3 cryptdsk

Step 2
Next i'm going to create the LVM on the encrypted device

# pvcreate /dev/mapper/cryptdsk
// (here i create the physical volume on the encrypted mapped
// device /dev/mapper/cryptdsk , i can do this since it is still opened, see above)

# vgcreate myvg /dev/mapper/cryptdsk
// (here i create the volume groupe called "myvg")

# lvcreate -L 6G -n root myvg
# lvcreate -L 1G -n home myvg
// (here i create the LV's which will be used as "/" and "/home" when performing the slackware install)

// next create device nodes needed before activating the volumes:
# vgscan --mknodes

// activate the volumes:
# vgchange -ay

now, i don't reboot, i just type "setup" and go install slackware
step3: (the slackware installation)

I'm installing like this:
- "/boot" on "/dev/sda1" (this is my unencrypted first partition)
- "swap" on "/dev/sda2" (this has already been done in the previous step)
- "/" on "/dev/myvg/root"
- "/home" on "/dev/myvg/home"

i proceed normally till the lilo dialogue. I do the expert, and install to mbr. When the dialogue asks "which one would you like to boot", i entered "dev/myvg/root". i know. Now, lilo will fail to install, but it will have written the lilo.conf, so i can solve this later.

I proceed with the install. and after it ended i don't reboot yet. and i go to step 4


step 4: (the afterwork, creating initrd and fixing lilo)


So, this is were it goes wrong i think. i do the following.

i chroot into the fresh install and make the initrd

# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# chroot /mnt

next i try to make the initrd with:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r /dev/myvg/root -C /dev/sda3 -L (is this not correct?? i don't get any errormessages here)

in lilo.conf i say

image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/myvg/root
label = linux
read-only

the bootline on top of the lilo.conf i changed to
boot = /dev/sda1
then i save, and do a lilo in the console. i get errormessages(even a fatal one, so it probably did not install with my new config).

still i get a kernel panic when booting. it says VFS: Unable to mount root fs on unknown-block(8,3)

This is quite a long story, but i hope someone has an idea how to solve this.

My question is: Is the mkinitrd command okay? did i made a mistake with lilo.conf

Since the rest seems pretty okay to me. the install performed okay on the encrypted LVM partitions.

Finally i would like to say that i tried to find all info, but you know, everytime i screw up, i have to start from scratch again to try the next option. So, it's quite time consuming ;)

That's why i decided to ask here. Thanks in advance for any responses.

Alien Bob 09-18-2007 12:54 PM

Hi!

Thanks for trying the LVM/crypto stuff!

Quote:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r /dev/myvg/root -C /dev/sda3 -L
The correct syntax is (see also 'mkinitrd --help')
Code:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptdsk -C /dev/sda3 -L
But I think (now that I look into it) that the current init script in your initrd will fail to work, because it first tries to initialize the LVM and only then unlocks the LUKS volumes. Your LVM (which is created on top of the LUKS volume) requires that this is done the other way round.

So, I think I will play with this somewhere this week and see if your setup works with the Slackware 12.0 scripts. Please report your further observations here (or send me an email) and if needed, I will write updated scripts for the initrd and /etc/rc.d

Cheers, Eric

deNiro 09-18-2007 01:35 PM

Thanks for the quick reply Alien Bob.

Now at least I have some idea what's the problem.

It would be nice to have LVM on encrypted partition support, because it makes life easier and safer, and it also gives more flexibility to your installation. (because i now thought of just performing an encrypted root installation and then luksOpen and mount some extra data partition with a script. but ofcourse that's not that safe and not such a clean solution)

I'll try some more and if I fail, i'll just do the encrypted root install. I can do some more experimenting in vmware then. (but i can't try tomorrow since PSV is playing ;)



Quote:

Originally Posted by Alien Bob (Post 2895973)
Hi!

Thanks for trying the LVM/crypto stuff!


The correct syntax is (see also 'mkinitrd --help')
Code:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptdsk -C /dev/sda3 -L
But I think (now that I look into it) that the current init script in your initrd will fail to work, because it first tries to initialize the LVM and only then unlocks the LUKS volumes. Your LVM (which is created on top of the LUKS volume) requires that this is done the other way round.

So, I think I will play with this somewhere this week and see if your setup works with the Slackware 12.0 scripts. Please report your further observations here (or send me an email) and if needed, I will write updated scripts for the initrd and /etc/rc.d

Cheers, Eric


Alien Bob 09-18-2007 03:23 PM

Quote:

but i can't try tomorrow since PSV is playing
Even though I live in Eindhoven that does not make me a PSV fan by default ;-)
Hell I don't even like football...

Eric

deNiro 09-19-2007 10:58 AM

Well, i tried the encrypted root installation, and it also failed. (So without LVM, just the encrypted root)

I wonder whether this is due to the wrong description of the procedure, faulty script, or my stupidity. (I know how to encrypt home.. but i think that is not enough.)

But i am pretty sure i followed the procedure exactly as described in the "README_CRYPT.TXT" file.

I just did some test cases in vmware, and tried at least 3 times with a very simple setup. They all failed. Even though i documented every step, and compared them very thoroughly with the info in "README_CRYPT.TXT".

I cannot imagine that i'm the only one who wants to have his/her disks encrypted. I mean, when a computer is stolen, and nowadays we do almost everything on our computer, it sucks big time knowing that some individual is going through all your financial data, emails, im data, etc.

Just like a good backup procedure, hard disk encryption is needed on every pc.

i'll just continue trying to find a simple procedure to encrypted certain areas of the system then.., like /home, /var, /tmp and stuff like that with LVM and encryption, because no one wants to enter 3 or 4 passwords when booting the pc.

But if someone has done a slackware install with encrypted root, it would be nice if he/she could share it.

gluesniffmonkey 11-07-2007 08:24 PM

Similar Problem
 
I don't seem to be able to get initrd to boot my Slackware 12.

I did get my home partition working properly. But I would like to have root encrypted also.

I am also following:

http://slackware.osuosl.org/slackwar...ADME_CRYPT.TXT

My drives are:

/boot /dev/sda2
/ /dev/sda3 but mapped to /dev/mapper/cryptroot
/home /dev/sda5 but mapped to /dev/mapper/crypthome

cryptsetup works and I mapped the devices as noted above.

I select the appropriate target /dev during setup

/dev/mapper/cryptroot
/dev/mapper/crypthome
/dev/sda1 for /boot

Post setup I nano /mnt/etc/crypttab and add:

cryptroot /dev/sda3
crypthome /dev/sda5
cryptswap /dev/sda2 none swap

and I edit the fstab accordingly.

next I chroot /mnt and:

mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda3 -L

then nano /etc/lilo.conf

image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/mapper/cryptroot
label = linux
read-only

and at the top:

boot = /dev/sda1

save and run lilo


I reboot and it tells me I have NO OS.

What am I doing wrong?

Alien Bob 11-08-2007 05:12 AM

Quote:

My drives are:

/boot /dev/sda2
But further down:
Quote:

and at the top (of lilo.conf):

boot = /dev/sda1
Is this the problem?

Eric

gluesniffmonkey 11-08-2007 07:04 PM

Typos!
 
sorry that was a typo. In both cases it is /dev/sda1

Alien Bob 11-09-2007 01:35 AM

Do you have another OS installed on that machine? One OS must have a bootloader installed in the Master Boot Record in order for the PC to boot. That can be Windows, or another Linux distro.

If your installation of Slackware is the only OS on your computer then you should change the line in /etc/lilo.conf
Code:

boot = /dev/sda1
to
Code:

boot = /dev/sda
and run LILO again.

If this is the case your next question will probably how to be able to run LILO at all now that the computer won't boot.

Eric

gluesniffmonkey 11-09-2007 08:41 PM

I am taking a guess (using the installer cd)

cryptsetup luksOpen /dev/sda3 cryptroot
cryptsetup luksOpen /dev/sda5 crypthome with the passphrases

setup

Target the drives but do not format including /boot

exit setup

/mount -o /proc /mnt/proc
chroot /mnt (I don't seem to have a sys (should I add?)

Do I need to "mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda3 -L" again?


edit lilo.conf as you say. Then:

lilo -M /dev/sda

Can we see my 'deliberate mistake"

Also I notice my date is wrong. I ask during setup for local time but it seems to be saying my laptop is on UTC.

gluesniffmonkey 11-12-2007 07:55 PM

No luck but I want to persevere...
 
So here is everything I plan to do:

Code:

cfdisk
sda1 Boot Primary Linux Ext3 353.69 mb (will be mounted /boot)
sda2 Primary Linux Swap 1200.90
sda5 Logical Linux Ext3 10001.95 (will be /)
sda6 Logical Linux Ext3 78000.34 (will be /home)
Pri/Log Free Space 30474.67 (Will be used for forensic images)


Code:

dd if =/dev/urandom of  = /dev/sda5
dd if =/dev/urandom of  = /dev/sda6

Code:

cryptsetup -s 256 -y luksFormat /dev/sda5
cryptsetup -s 256 -y luksFormat /dev/sda6

Code:

cryptsetup luksOpen /dev/sda5 cryptroot
cryptsetup luksOpen /dev/sda6 crypthome

Code:

setup
(I do not mount sda5 or sda6 as Target but instead /dev/mapper/cryptroot and crypthome)

exit setup

Code:

nano /mnt/etc/crypttab
cryptroot /dev/sda5
crypthome /dev/sda6
cryptswap /dev/sda2 none swap

Code:

# mount -o bind /proc /mnt/proc
Code:

# mount -o bind /sys /mnt/sys
(I don’t have sys…should I add one?)
Code:

  # chroot /mnt
Code:

mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda5 -L
Then
Code:

nano /etc/lilo.conf
boot = /dev/sda

Then run:
Code:

lilo
Code:

exit
Code:

reboot
Any deliberate mistakes?

bl0tt0 11-13-2007 02:59 AM

I got interested in your issues getting LUKS and LVM to play together nicely, so I did a quick read through the README_CRYPT.TXT. Almost at the very end of the txt I caught this:
Quote:

Alternatively, you can setup LVM, encrypt the underlying physical device, and create logical volumes on the mapped device. Once that encrypted physical device is unlocked all the logical volumes you've created and which contain your filesystems are accessible without having to enter additional passphrases.
Is there any particular reason you prefer doing the encryption first deNiro? Would it be possible to run pvcreate first, then run cryptsetup on the partition, then create your VG on the /dev/mapper/foo device, and then stack your LVs on top of that? Perhaps that's trying to do too much at once, but is there any particular reason why it wouldn't work? I don't know enough about LVM or LUKS myself, but was that what you meant Alien?

gluesniffmonkey 11-13-2007 03:16 AM

Do you mean something like this:

http://en.opensuse.org/Encrypted_Roo...ith_SUSE_HOWTO

Would it work with Slackware 12?

Alien Bob 11-13-2007 03:28 AM

No mistakes that I can see (quickly scanning - no time to check in full) but why is it that you do not have a /sys mounted in your installer? It should be there.

Eric

gluesniffmonkey 11-13-2007 07:52 PM

You are right about /sys. I must have forgot the "bind".

I am still getting the wrong date. In the chroot environment it is showing 15:08:xx ICT. In the installer it shows 08:08:xx UTC. My local time (when I write this) is actually 08:08:xx. I am choosing "Clock set to local time when I use the installer.

I ran through the commands as above and I got:

99 99 99 99 99 99 99 99 99 99 99 <more 99's>


I then chroot from installer disk and run lilo -M /dev/sda

I then get "No boot signature in partition" message

I check with fdisk and see that /dev/sda1 has * for boot.

see below my lilo.conf

# LILO configuration file
# generated by 'liloconfig'
#
# Start LILO global section
lba32 # Allow booting past 1024th cylinder with a recent BIOS
boot = /dev/sda
message = /boot/boot_message.txt
prompt
timeout = 1200
# Override dangerous defaults that rewrite the partition table:
change-rules
reset
# VESA framebuffer console @ 1024x768x256
vga = 773
# Normal VGA console
# vga = normal
# VESA framebuffer console @ 1024x768x64k
# vga=791
# VESA framebuffer console @ 1024x768x32k
# vga=790
# VESA framebuffer console @ 1024x768x256
# vga=773
# VESA framebuffer console @ 800x600x64k
# vga=788
# VESA framebuffer console @ 800x600x32k
# vga=787
# VESA framebuffer console @ 800x600x256
# vga=771
# VESA framebuffer console @ 640x480x64k
# vga=785
# VESA framebuffer console @ 640x480x32k
# vga=784
# VESA framebuffer console @ 640x480x256
# vga=769
# End LILO global section
# Linux bootable partition config begins
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/mapper/cryptroot
label = Slackware
read-only
# Linux bootable partition config ends


Any ideas?

Thanks for your assistance. I am pretty keen to crack this. I have a feeling that Slackware is going to be the ideal linux for me professionally...just for the learning experience!


All times are GMT -5. The time now is 06:16 PM.