slack12 install on encrypted LVM failed
 

hello,

I'm having a problem with a slackware installation on encrypted LVM. i can't get it booting up normally.

Let me explain the problem.

The situation:

My harddisk 8.5 GB
sda1 - primary 500MB Linux partition
sda2 - primary 500MB linux swap partition
sda3 - primary 7.5GB Linux LVM partition (type 8e)

I will use sda1 for boot, sda2 for swap, and sda3 as encrypted partition for my lv's. So i don't have to enter a password seperately for every partition i want to open at boot.

step 1:

I create the encrypted device with:

# cryptsetup -s 256 -y luksFormat /dev/sda3

next i open it for use

# cryptsetup luksOpen /dev/sda3 cryptdsk

Step 2
Next i'm going to create the LVM on the encrypted device

# pvcreate /dev/mapper/cryptdsk
// (here i create the physical volume on the encrypted mapped
// device /dev/mapper/cryptdsk , i can do this since it is still opened, see above)

# vgcreate myvg /dev/mapper/cryptdsk
// (here i create the volume groupe called "myvg")

# lvcreate -L 6G -n root myvg
# lvcreate -L 1G -n home myvg
// (here i create the LV's which will be used as "/" and "/home" when performing the slackware install)

// next create device nodes needed before activating the volumes:
# vgscan --mknodes

// activate the volumes:
# vgchange -ay

now, i don't reboot, i just type "setup" and go install slackware
step3: (the slackware installation)

I'm installing like this:
- "/boot" on "/dev/sda1" (this is my unencrypted first partition)
- "swap" on "/dev/sda2" (this has already been done in the previous step)
- "/" on "/dev/myvg/root"
- "/home" on "/dev/myvg/home"

i proceed normally till the lilo dialogue. I do the expert, and install to mbr. When the dialogue asks "which one would you like to boot", i entered "dev/myvg/root". i know. Now, lilo will fail to install, but it will have written the lilo.conf, so i can solve this later.

I proceed with the install. and after it ended i don't reboot yet. and i go to step 4


step 4: (the afterwork, creating initrd and fixing lilo)

So, this is were it goes wrong i think. i do the following.

i chroot into the fresh install and make the initrd

# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# chroot /mnt

next i try to make the initrd with:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r /dev/myvg/root -C /dev/sda3 -L (is this not correct?? i don't get any errormessages here)

in lilo.conf i say

image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/myvg/root
label = linux
read-only

the bootline on top of the lilo.conf i changed to
boot = /dev/sda1
then i save, and do a lilo in the console. i get errormessages(even a fatal one, so it probably did not install with my new config).

still i get a kernel panic when booting. it says VFS: Unable to mount root fs on unknown-block(8,3)

This is quite a long story, but i hope someone has an idea how to solve this.

My question is: Is the mkinitrd command okay? did i made a mistake with lilo.conf

Since the rest seems pretty okay to me. the install performed okay on the encrypted LVM partitions.

Finally i would like to say that i tried to find all info, but you know, everytime i screw up, i have to start from scratch again to try the next option. So, it's quite time consuming ;)

That's why i decided to ask here. Thanks in advance for any responses.

Hi!

Thanks for trying the LVM/crypto stuff!

The correct syntax is (see also 'mkinitrd --help')
But I think (now that I look into it) that the current init script in your initrd will fail to work, because it first tries to initialize the LVM and only then unlocks the LUKS volumes. Your LVM (which is created on top of the LUKS volume) requires that this is done the other way round.

So, I think I will play with this somewhere this week and see if your setup works with the Slackware 12.0 scripts. Please report your further observations here (or send me an email) and if needed, I will write updated scripts for the initrd and /etc/rc.d

Cheers, Eric

Thanks for the quick reply Alien Bob.

Now at least I have some idea what's the problem.

It would be nice to have LVM on encrypted partition support, because it makes life easier and safer, and it also gives more flexibility to your installation. (because i now thought of just performing an encrypted root installation and then luksOpen and mount some extra data partition with a script. but ofcourse that's not that safe and not such a clean solution)

I'll try some more and if I fail, i'll just do the encrypted root install. I can do some more experimenting in vmware then. (but i can't try tomorrow since PSV is playing ;)

Even though I live in Eindhoven that does not make me a PSV fan by default ;-)
Hell I don't even like football...

Eric

Well, i tried the encrypted root installation, and it also failed. (So without LVM, just the encrypted root)

I wonder whether this is due to the wrong description of the procedure, faulty script, or my stupidity. (I know how to encrypt home.. but i think that is not enough.)

But i am pretty sure i followed the procedure exactly as described in the "README_CRYPT.TXT" file.

I just did some test cases in vmware, and tried at least 3 times with a very simple setup. They all failed. Even though i documented every step, and compared them very thoroughly with the info in "README_CRYPT.TXT".

I cannot imagine that i'm the only one who wants to have his/her disks encrypted. I mean, when a computer is stolen, and nowadays we do almost everything on our computer, it sucks big time knowing that some individual is going through all your financial data, emails, im data, etc.

Just like a good backup procedure, hard disk encryption is needed on every pc.

i'll just continue trying to find a simple procedure to encrypted certain areas of the system then.., like /home, /var, /tmp and stuff like that with LVM and encryption, because no one wants to enter 3 or 4 passwords when booting the pc.

But if someone has done a slackware install with encrypted root, it would be nice if he/she could share it.

Similar Problem
 

I don't seem to be able to get initrd to boot my Slackware 12.

I did get my home partition working properly. But I would like to have root encrypted also.

I am also following:

http://slackware.osuosl.org/slackwar...ADME_CRYPT.TXT

My drives are:

/boot /dev/sda2
/ /dev/sda3 but mapped to /dev/mapper/cryptroot
/home /dev/sda5 but mapped to /dev/mapper/crypthome

cryptsetup works and I mapped the devices as noted above.

I select the appropriate target /dev during setup

/dev/mapper/cryptroot
/dev/mapper/crypthome
/dev/sda1 for /boot

Post setup I nano /mnt/etc/crypttab and add:

cryptroot /dev/sda3
crypthome /dev/sda5
cryptswap /dev/sda2 none swap

and I edit the fstab accordingly.

next I chroot /mnt and:

mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda3 -L

then nano /etc/lilo.conf

image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/mapper/cryptroot
label = linux
read-only

and at the top:

boot = /dev/sda1

save and run lilo


I reboot and it tells me I have NO OS.

What am I doing wrong?

But further down:
Is this the problem?

Eric

Typos!
 

sorry that was a typo. In both cases it is /dev/sda1

Do you have another OS installed on that machine? One OS must have a bootloader installed in the Master Boot Record in order for the PC to boot. That can be Windows, or another Linux distro.

If your installation of Slackware is the only OS on your computer then you should change the line in /etc/lilo.conf to and run LILO again.

If this is the case your next question will probably how to be able to run LILO at all now that the computer won't boot.

Eric

I am taking a guess (using the installer cd)

cryptsetup luksOpen /dev/sda3 cryptroot
cryptsetup luksOpen /dev/sda5 crypthome with the passphrases

setup

Target the drives but do not format including /boot

exit setup

/mount -o /proc /mnt/proc
chroot /mnt (I don't seem to have a sys (should I add?)

Do I need to "mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda3 -L" again?


edit lilo.conf as you say. Then:

lilo -M /dev/sda

Can we see my 'deliberate mistake"

Also I notice my date is wrong. I ask during setup for local time but it seems to be saying my laptop is on UTC.

No luck but I want to persevere...
 

So here is everything I plan to do:

sda1 Boot Primary Linux Ext3 353.69 mb (will be mounted /boot)
sda2 Primary Linux Swap 1200.90
sda5 Logical Linux Ext3 10001.95 (will be /)
sda6 Logical Linux Ext3 78000.34 (will be /home)
Pri/Log Free Space 30474.67 (Will be used for forensic images)


(I do not mount sda5 or sda6 as Target but instead /dev/mapper/cryptroot and crypthome)

exit setup

cryptroot /dev/sda5
crypthome /dev/sda6
cryptswap /dev/sda2 none swap

(I don’t have sys…should I add one?)
Then boot = /dev/sda

Then run: Any deliberate mistakes?

I got interested in your issues getting LUKS and LVM to play together nicely, so I did a quick read through the README_CRYPT.TXT. Almost at the very end of the txt I caught this: Is there any particular reason you prefer doing the encryption first deNiro? Would it be possible to run pvcreate first, then run cryptsetup on the partition, then create your VG on the /dev/mapper/foo device, and then stack your LVs on top of that? Perhaps that's trying to do too much at once, but is there any particular reason why it wouldn't work? I don't know enough about LVM or LUKS myself, but was that what you meant Alien?

Do you mean something like this:

http://en.opensuse.org/Encrypted_Roo...ith_SUSE_HOWTO

Would it work with Slackware 12?

No mistakes that I can see (quickly scanning - no time to check in full) but why is it that you do not have a /sys mounted in your installer? It should be there.

Eric

You are right about /sys. I must have forgot the "bind".

I am still getting the wrong date. In the chroot environment it is showing 15:08:xx ICT. In the installer it shows 08:08:xx UTC. My local time (when I write this) is actually 08:08:xx. I am choosing "Clock set to local time when I use the installer.

I ran through the commands as above and I got:

99 99 99 99 99 99 99 99 99 99 99 <more 99's>


I then chroot from installer disk and run lilo -M /dev/sda

I then get "No boot signature in partition" message

I check with fdisk and see that /dev/sda1 has * for boot.

see below my lilo.conf

# LILO configuration file
# generated by 'liloconfig'
#
# Start LILO global section
lba32 # Allow booting past 1024th cylinder with a recent BIOS
boot = /dev/sda
message = /boot/boot_message.txt
prompt
timeout = 1200
# Override dangerous defaults that rewrite the partition table:
change-rules
reset
# VESA framebuffer console @ 1024x768x256
vga = 773
# Normal VGA console
# vga = normal
# VESA framebuffer console @ 1024x768x64k
# vga=791
# VESA framebuffer console @ 1024x768x32k
# vga=790
# VESA framebuffer console @ 1024x768x256
# vga=773
# VESA framebuffer console @ 800x600x64k
# vga=788
# VESA framebuffer console @ 800x600x32k
# vga=787
# VESA framebuffer console @ 800x600x256
# vga=771
# VESA framebuffer console @ 640x480x64k
# vga=785
# VESA framebuffer console @ 640x480x32k
# vga=784
# VESA framebuffer console @ 640x480x256
# vga=769
# End LILO global section
# Linux bootable partition config begins
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/mapper/cryptroot
label = Slackware
read-only
# Linux bootable partition config ends


Any ideas?

Thanks for your assistance. I am pretty keen to crack this. I have a feeling that Slackware is going to be the ideal linux for me professionally...just for the learning experience!

This is normal. The installer does not use any of the timezone settings you configure. This configuration is strictly for the system you are installing.

Why do you use the "change-rules"? After the chroot you should be able to just run "lilo" with that lilo.conf to let lilo install itself into the MBR of the hard disk.

Eric

Actually lilo did that not me.

Sounds like I should #change-rules

Just thought I'd post a link to a decent gentoo wiki explaining the use of LVM and LUKS in tandem. It looks like it'll take a little more legwork than just running the stock mkinitrd script with the right flags, but hey, that's why we're using Slackware, right?

http://gentoo-wiki.com/SECURITY_LVM_...ryptsetup-LUKS

Ok, so I've now gotten a slackware install with lvm on top of luks to work. It takes a little editing, but it can be done. Here's how:

First, you should follow Alien Bob's README for setting up luks, then go through setting up lvm on the mapped device from luks. For me, it was a little bit easier to use the luks device name as the vg name in setting everything up. Go through the rest of the setup and installation up until it's time to install lilo, and do the simple installation to the root device so that you get a basic lilo to edit later.

Now, create the chroot environment from the Alien Bob readmes, chroot into it, and run the mkinitrd command for setting up a luks encrypted device (with the -r pointing to the mapped device name). You'll also have to make sure to include -m dm_crypt, because for some reason that gets left out of the initrd-tree otherwise.

Now, you're going to have to do a little editing inside the initrd source tree. cd into /boot/initrd-tree, and edit the init script by cutting and pasting the portion that makes the encrypted partitions available above the part that initializes the LVM. You then need to edit the part of the luks script that says to point to wherever you configured the root device under lvm. For me, this was easy because I had configured my volume group to be named the same as my luks device, so all I had to do is edit the script like this: After you've made and saved the edit, run mkinitrd again without any flags. This will take the contents of /boot/initrd-tree and roll it up into a new initrd.gz. Now all you have to do is edit your /etc/lilo.conf and /etc/fstab to point to the right devices, run lilo, and you're good to go.

It should also be noted that rc.S also activates logical volumes before opening luks encrypted devices, so you might have to edit that as well. I'm not certain about that.

Any moves on that? There are really no fixed points for it either in initrd script, or in init scripts, where LVM is the first and cryptsetup is the second.

Actually, the way it's set up in 12.0 is under that assumption that you're either setting up one encrypted partition, or you're encrypting a logical volume. The way I set mine up, and the way I assumed the starter of this thread wanted theirs set up, was to encrypt a single partition, and then map the LVM on top of that encrypted partition. That takes a little more work, but it's really no more difficult than changing the order in the init script and then making sure your root device is put in correctly.

Okay, here's my Slack-LVM-LUKS tutorial if you're interested. I've done this with LUKS encrypted partitions only, and with LVM and LUKS. Without "changing the init script" (am I capable of that?), this works.

First, you must follow the README_LVM.TXT and setup your logical volume(s) first; then you can encrypt using README_CRYPT.TXT. (Until someone tells us how to do it the other way around).

Second, you must use the same kernel for your system as your install media. If not, when you reboot your initrd will not allow you to unlock your root filesystem. For example, yesterday I did a NFS install which I started with my -current CD-RW that had 2.6.23.15. But installing from my -current mirror on my server gave me 2.6.23.16 as the installed kernel. In my limited experience you must use the same kernel on the boot media as the one you install with the system.

Third, you must use a generic kernel rather than the huge kernels, because the initial RAM disk is too big to fit between the kernel and the 15M-16M memory hole with the huge ones.

Fourth, if you have an USB kbd and encrypt root, you won't be able to give the LUKS passphrase for root, because USB_HID will not have loaded at that time. The easiest option is to use a PS/2 kbd to enter the passphrase for root, after which the module will load and from then on you can use a USB kbd. Then before rebooting rebuild a kernel with USB_HID=m and put it in the new initrd.

bl0tt0's way of changing initrd's init script is not that hard, works for LVM created on previously encrypted partition and does not have so many limitations, which you have to remember.
And why do you think that huge kernel is not suitable? That warning, which LILO issues is for older computers, as far as I understand, so it is possible to forget about it.
What about USB-HID, you may also compile it into your kernel and not to insert it, regarding to as a module.

Try running lilo when you use a Slackware 'huge' kernel together with an initrd.
Lilo will refuse to install the loader. The kernel is just too big.

Eric