slack12 install on encrypted LVM failed
hello,
I'm having a problem with a slackware installation on encrypted LVM. i can't get it booting up normally. Let me explain the problem. The situation: My harddisk 8.5 GB sda1 - primary 500MB Linux partition sda2 - primary 500MB linux swap partition sda3 - primary 7.5GB Linux LVM partition (type 8e) I will use sda1 for boot, sda2 for swap, and sda3 as encrypted partition for my lv's. So i don't have to enter a password seperately for every partition i want to open at boot. step 1: I create the encrypted device with: # cryptsetup -s 256 -y luksFormat /dev/sda3 next i open it for use # cryptsetup luksOpen /dev/sda3 cryptdsk Step 2 Next i'm going to create the LVM on the encrypted device # pvcreate /dev/mapper/cryptdsk // (here i create the physical volume on the encrypted mapped // device /dev/mapper/cryptdsk , i can do this since it is still opened, see above) # vgcreate myvg /dev/mapper/cryptdsk // (here i create the volume groupe called "myvg") # lvcreate -L 6G -n root myvg # lvcreate -L 1G -n home myvg // (here i create the LV's which will be used as "/" and "/home" when performing the slackware install) // next create device nodes needed before activating the volumes: # vgscan --mknodes // activate the volumes: # vgchange -ay now, i don't reboot, i just type "setup" and go install slackware step3: (the slackware installation) I'm installing like this: - "/boot" on "/dev/sda1" (this is my unencrypted first partition) - "swap" on "/dev/sda2" (this has already been done in the previous step) - "/" on "/dev/myvg/root" - "/home" on "/dev/myvg/home" i proceed normally till the lilo dialogue. I do the expert, and install to mbr. When the dialogue asks "which one would you like to boot", i entered "dev/myvg/root". i know. Now, lilo will fail to install, but it will have written the lilo.conf, so i can solve this later. I proceed with the install. and after it ended i don't reboot yet. and i go to step 4 step 4: (the afterwork, creating initrd and fixing lilo) So, this is were it goes wrong i think. i do the following. i chroot into the fresh install and make the initrd # mount -o bind /proc /mnt/proc # mount -o bind /sys /mnt/sys # chroot /mnt next i try to make the initrd with: # mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r /dev/myvg/root -C /dev/sda3 -L (is this not correct?? i don't get any errormessages here) in lilo.conf i say image = /boot/vmlinuz initrd = /boot/initrd.gz root = /dev/myvg/root label = linux read-only the bootline on top of the lilo.conf i changed to boot = /dev/sda1 then i save, and do a lilo in the console. i get errormessages(even a fatal one, so it probably did not install with my new config). still i get a kernel panic when booting. it says VFS: Unable to mount root fs on unknown-block(8,3) This is quite a long story, but i hope someone has an idea how to solve this. My question is: Is the mkinitrd command okay? did i made a mistake with lilo.conf Since the rest seems pretty okay to me. the install performed okay on the encrypted LVM partitions. Finally i would like to say that i tried to find all info, but you know, everytime i screw up, i have to start from scratch again to try the next option. So, it's quite time consuming ;) That's why i decided to ask here. Thanks in advance for any responses. |
Hi!
Thanks for trying the LVM/crypto stuff! Quote:
Code:
# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptdsk -C /dev/sda3 -L So, I think I will play with this somewhere this week and see if your setup works with the Slackware 12.0 scripts. Please report your further observations here (or send me an email) and if needed, I will write updated scripts for the initrd and /etc/rc.d Cheers, Eric |
Thanks for the quick reply Alien Bob.
Now at least I have some idea what's the problem. It would be nice to have LVM on encrypted partition support, because it makes life easier and safer, and it also gives more flexibility to your installation. (because i now thought of just performing an encrypted root installation and then luksOpen and mount some extra data partition with a script. but ofcourse that's not that safe and not such a clean solution) I'll try some more and if I fail, i'll just do the encrypted root install. I can do some more experimenting in vmware then. (but i can't try tomorrow since PSV is playing ;) Quote:
|
Quote:
Hell I don't even like football... Eric |
Well, i tried the encrypted root installation, and it also failed. (So without LVM, just the encrypted root)
I wonder whether this is due to the wrong description of the procedure, faulty script, or my stupidity. (I know how to encrypt home.. but i think that is not enough.) But i am pretty sure i followed the procedure exactly as described in the "README_CRYPT.TXT" file. I just did some test cases in vmware, and tried at least 3 times with a very simple setup. They all failed. Even though i documented every step, and compared them very thoroughly with the info in "README_CRYPT.TXT". I cannot imagine that i'm the only one who wants to have his/her disks encrypted. I mean, when a computer is stolen, and nowadays we do almost everything on our computer, it sucks big time knowing that some individual is going through all your financial data, emails, im data, etc. Just like a good backup procedure, hard disk encryption is needed on every pc. i'll just continue trying to find a simple procedure to encrypted certain areas of the system then.., like /home, /var, /tmp and stuff like that with LVM and encryption, because no one wants to enter 3 or 4 passwords when booting the pc. But if someone has done a slackware install with encrypted root, it would be nice if he/she could share it. |
Similar Problem
I don't seem to be able to get initrd to boot my Slackware 12.
I did get my home partition working properly. But I would like to have root encrypted also. I am also following: http://slackware.osuosl.org/slackwar...ADME_CRYPT.TXT My drives are: /boot /dev/sda2 / /dev/sda3 but mapped to /dev/mapper/cryptroot /home /dev/sda5 but mapped to /dev/mapper/crypthome cryptsetup works and I mapped the devices as noted above. I select the appropriate target /dev during setup /dev/mapper/cryptroot /dev/mapper/crypthome /dev/sda1 for /boot Post setup I nano /mnt/etc/crypttab and add: cryptroot /dev/sda3 crypthome /dev/sda5 cryptswap /dev/sda2 none swap and I edit the fstab accordingly. next I chroot /mnt and: mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda3 -L then nano /etc/lilo.conf image = /boot/vmlinuz initrd = /boot/initrd.gz root = /dev/mapper/cryptroot label = linux read-only and at the top: boot = /dev/sda1 save and run lilo I reboot and it tells me I have NO OS. What am I doing wrong? |
Quote:
Quote:
Eric |
Typos!
sorry that was a typo. In both cases it is /dev/sda1
|
Do you have another OS installed on that machine? One OS must have a bootloader installed in the Master Boot Record in order for the PC to boot. That can be Windows, or another Linux distro.
If your installation of Slackware is the only OS on your computer then you should change the line in /etc/lilo.conf Code:
boot = /dev/sda1 Code:
boot = /dev/sda If this is the case your next question will probably how to be able to run LILO at all now that the computer won't boot. Eric |
I am taking a guess (using the installer cd)
cryptsetup luksOpen /dev/sda3 cryptroot cryptsetup luksOpen /dev/sda5 crypthome with the passphrases setup Target the drives but do not format including /boot exit setup /mount -o /proc /mnt/proc chroot /mnt (I don't seem to have a sys (should I add?) Do I need to "mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda3 -L" again? edit lilo.conf as you say. Then: lilo -M /dev/sda Can we see my 'deliberate mistake" Also I notice my date is wrong. I ask during setup for local time but it seems to be saying my laptop is on UTC. |
No luck but I want to persevere...
So here is everything I plan to do:
Code:
cfdisk sda2 Primary Linux Swap 1200.90 sda5 Logical Linux Ext3 10001.95 (will be /) sda6 Logical Linux Ext3 78000.34 (will be /home) Pri/Log Free Space 30474.67 (Will be used for forensic images) Code:
dd if =/dev/urandom of = /dev/sda5 Code:
cryptsetup -s 256 -y luksFormat /dev/sda5 Code:
cryptsetup luksOpen /dev/sda5 cryptroot Code:
setup exit setup Code:
nano /mnt/etc/crypttab crypthome /dev/sda6 cryptswap /dev/sda2 none swap Code:
# mount -o bind /proc /mnt/proc Code:
# mount -o bind /sys /mnt/sys Code:
# chroot /mnt Code:
mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda5 -L Code:
nano /etc/lilo.conf Then run: Code:
lilo Code:
exit Code:
reboot |
I got interested in your issues getting LUKS and LVM to play together nicely, so I did a quick read through the README_CRYPT.TXT. Almost at the very end of the txt I caught this:
Quote:
|
Do you mean something like this:
http://en.opensuse.org/Encrypted_Roo...ith_SUSE_HOWTO Would it work with Slackware 12? |
No mistakes that I can see (quickly scanning - no time to check in full) but why is it that you do not have a /sys mounted in your installer? It should be there.
Eric |
You are right about /sys. I must have forgot the "bind".
I am still getting the wrong date. In the chroot environment it is showing 15:08:xx ICT. In the installer it shows 08:08:xx UTC. My local time (when I write this) is actually 08:08:xx. I am choosing "Clock set to local time when I use the installer. I ran through the commands as above and I got: 99 99 99 99 99 99 99 99 99 99 99 <more 99's> I then chroot from installer disk and run lilo -M /dev/sda I then get "No boot signature in partition" message I check with fdisk and see that /dev/sda1 has * for boot. see below my lilo.conf # LILO configuration file # generated by 'liloconfig' # # Start LILO global section lba32 # Allow booting past 1024th cylinder with a recent BIOS boot = /dev/sda message = /boot/boot_message.txt prompt timeout = 1200 # Override dangerous defaults that rewrite the partition table: change-rules reset # VESA framebuffer console @ 1024x768x256 vga = 773 # Normal VGA console # vga = normal # VESA framebuffer console @ 1024x768x64k # vga=791 # VESA framebuffer console @ 1024x768x32k # vga=790 # VESA framebuffer console @ 1024x768x256 # vga=773 # VESA framebuffer console @ 800x600x64k # vga=788 # VESA framebuffer console @ 800x600x32k # vga=787 # VESA framebuffer console @ 800x600x256 # vga=771 # VESA framebuffer console @ 640x480x64k # vga=785 # VESA framebuffer console @ 640x480x32k # vga=784 # VESA framebuffer console @ 640x480x256 # vga=769 # End LILO global section # Linux bootable partition config begins image = /boot/vmlinuz initrd = /boot/initrd.gz root = /dev/mapper/cryptroot label = Slackware read-only # Linux bootable partition config ends Any ideas? Thanks for your assistance. I am pretty keen to crack this. I have a feeling that Slackware is going to be the ideal linux for me professionally...just for the learning experience! |
Quote:
Quote:
Eric |
Actually lilo did that not me.
Sounds like I should #change-rules |
Just thought I'd post a link to a decent gentoo wiki explaining the use of LVM and LUKS in tandem. It looks like it'll take a little more legwork than just running the stock mkinitrd script with the right flags, but hey, that's why we're using Slackware, right?
http://gentoo-wiki.com/SECURITY_LVM_...ryptsetup-LUKS |
Ok, so I've now gotten a slackware install with lvm on top of luks to work. It takes a little editing, but it can be done. Here's how:
First, you should follow Alien Bob's README for setting up luks, then go through setting up lvm on the mapped device from luks. For me, it was a little bit easier to use the luks device name as the vg name in setting everything up. Go through the rest of the setup and installation up until it's time to install lilo, and do the simple installation to the root device so that you get a basic lilo to edit later. Now, create the chroot environment from the Alien Bob readmes, chroot into it, and run the mkinitrd command for setting up a luks encrypted device (with the -r pointing to the mapped device name). You'll also have to make sure to include -m dm_crypt, because for some reason that gets left out of the initrd-tree otherwise. Now, you're going to have to do a little editing inside the initrd source tree. cd into /boot/initrd-tree, and edit the init script by cutting and pasting the portion that makes the encrypted partitions available above the part that initializes the LVM. You then need to edit the part of the luks script that says Code:
ROOTDEV="/dev/mapper/${ROOTDEV}" Code:
ROOTDEV="/dev/${ROOTDEV}/root" It should also be noted that rc.S also activates logical volumes before opening luks encrypted devices, so you might have to edit that as well. I'm not certain about that. |
Any moves on that? There are really no fixed points for it either in initrd script, or in init scripts, where LVM is the first and cryptsetup is the second.
|
Actually, the way it's set up in 12.0 is under that assumption that you're either setting up one encrypted partition, or you're encrypting a logical volume. The way I set mine up, and the way I assumed the starter of this thread wanted theirs set up, was to encrypt a single partition, and then map the LVM on top of that encrypted partition. That takes a little more work, but it's really no more difficult than changing the order in the init script and then making sure your root device is put in correctly.
|
Okay, here's my Slack-LVM-LUKS tutorial if you're interested. I've done this with LUKS encrypted partitions only, and with LVM and LUKS. Without "changing the init script" (am I capable of that?), this works.
First, you must follow the README_LVM.TXT and setup your logical volume(s) first; then you can encrypt using README_CRYPT.TXT. (Until someone tells us how to do it the other way around). Second, you must use the same kernel for your system as your install media. If not, when you reboot your initrd will not allow you to unlock your root filesystem. For example, yesterday I did a NFS install which I started with my -current CD-RW that had 2.6.23.15. But installing from my -current mirror on my server gave me 2.6.23.16 as the installed kernel. In my limited experience you must use the same kernel on the boot media as the one you install with the system. Third, you must use a generic kernel rather than the huge kernels, because the initial RAM disk is too big to fit between the kernel and the 15M-16M memory hole with the huge ones. Fourth, if you have an USB kbd and encrypt root, you won't be able to give the LUKS passphrase for root, because USB_HID will not have loaded at that time. The easiest option is to use a PS/2 kbd to enter the passphrase for root, after which the module will load and from then on you can use a USB kbd. Then before rebooting rebuild a kernel with USB_HID=m and put it in the new initrd. |
bl0tt0's way of changing initrd's init script is not that hard, works for LVM created on previously encrypted partition and does not have so many limitations, which you have to remember.
And why do you think that huge kernel is not suitable? That warning, which LILO issues is for older computers, as far as I understand, so it is possible to forget about it. What about USB-HID, you may also compile it into your kernel and not to insert it, regarding to as a module. |
Quote:
Lilo will refuse to install the loader. The kernel is just too big. Eric |
All times are GMT -5. The time now is 09:35 AM. |