Encrypted Root with F11

Robert L Cochran cochranb at speakeasy.net
Fri Jun 26 00:47:33 UTC 2009


Umm, you know the /boot partition has to be ext3? Grub cannot handle an 
ext4 /boot. I know this has not a thing to do with encryption, but I 
thought I'd ask just to be sure.

Bob



On 06/25/2009 08:23 PM, Brian Mearns wrote:
> On Thu, Jun 25, 2009 at 5:20 PM, davide<lists4davide at gmail.com>  wrote:
>    
>> On Thu, 25 Jun 2009 11:28:14 -0400, Brian Mearns wrote:
>>
>>      
>>> On Thu, Jun 25, 2009 at 11:03 AM, davide<lists4davide at gmail.com>  wrote:
>>>        
>>>> Brian Mearns<bmearns<at>  ieee.org>  writes:
>>>>
>>>>
>>>>          
>>>>> Thanks for the response, Davide. /boot is a separate, non-LVM
>>>>> partition with its own ext3 fs. I know F11 has options for encrypting
>>>>> during setup, but I've already got it set up, and would now like to go
>>>>> back and switch over to an encrypted root filesystem without having to
>>>>> reinstall. I think your suggestion of using a Live CD implies that I
>>>>> would reinstall Fedora, which I don't want to do.
>>>>>            
>>>> Do you have all the needed modules compiled into the kernel or into the
>>>> initrd? Otherwise I would take a look at /etc/crypttab and /etc/fstab.
>>>>
>>>>
>>>>
>>>>          
>>>>> Also, it's not grub asking for the root, I'm referring to the "root"
>>>>> parameter for the kernel.
>>>>>            
>>>> Yes, I think you mean the root parameter in the grub config; it is a
>>>> parameter for the kernel. I suppose it is used by the kernel to find
>>>> out where the modules and filesystem are.
>>>>          
>>> [clipped]
>>>
>>> Thanks, again, Davide.
>>>
>>> crypttab and fstab should be fine, as init is able to mount the device
>>> correctly. I'm not sure if I have all the correct modules: I ran
>>> mkinitrd with "--with=aes --with=sha256" and tried to boot using the
>>> generated initrd.img, but perhaps there are additional modules I need?
>>>
>>> Thanks,
>>>        
>> Thanks to Robert, I opened the init; I copy the relevant part here.
>> Tell me if it helps, or I can try to investigate more deeply.
>>
>>
>> echo Creating block device nodes.
>> mkblkdevs
>> echo Creating character device nodes.
>> mkchardevs
>> echo "Loading dm-crypt module"
>> modprobe -q dm-crypt
>> echo "Loading aes module"
>> modprobe -q aes
>> echo "Loading cbc module"
>> modprobe -q cbc
>> echo "Loading sha256 module"
>> modprobe -q sha256
>> echo "Loading pata_acpi module"
>> modprobe -q pata_acpi
>> echo "Loading ata_generic module"
>> modprobe -q ata_generic
>> echo Making device-mapper control node
>> mkdmnod
>> modprobe scsi_wait_scan
>> rmmod scsi_wait_scan
>> mkblkdevs
>>      
> [clipped]
>
> I'm back home and can get some additional information about this.
> Attempting to boot using the "crypto-initrd.img", which I generated
> with "mkinitrd --with=aes --with=sha256" and specifying the
> LUKS/cryptsetup encrypted drive for the kernel's "root" parameter, the
> boot process gets to the point of asking me for a password, then
> mentions a few things about an EXT4-fs (not sure which one, but no
> errors reported here), then gives the following messages before
> hanging:
>
> SELinux:  policydb magic number 0xffffe4f0 does not match expected
> magic number 0xf97cff8c
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
>
> I am able to restart the system uneventfully at this point by pressing
> ctrl-alt-del.
>
> Attempting to boot with the same initrd img, but specifying an
> unencrypted partition for the kernel's "root" parameter, it all comes
> up fine, but does still ask me for a password during boot.
>
> I'm going to attempt to debug my initrd img, as suggested, but I'm not
> sure how well I'll be able to understand the script. So if anyone has
> any additional advice, I'd really appreciate it.
>
> Thanks, again.
> -Brian
>
>
>    
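
An added example, not part of the original thread or of any poster's code: a small check that compares the modules an initrd init script loads against the set in the init excerpt quoted above (dm-crypt, aes, cbc, sha256). The function names and the sample init are constructed for illustration; on a real system the init script would first have to be extracted from the initrd image.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed.

# Module set loaded by the init excerpt quoted in the thread.
REQUIRED_MODULES="dm-crypt aes cbc sha256"

# Print each module an init script loads with modprobe, one per line.
# Skips option flags such as -q and normalises "_" to "-", which
# modprobe treats as equivalent in module names.
loaded_modules() {
    awk '$1 == "modprobe" {
        for (i = 2; i <= NF; i++)
            if ($i !~ /^-/) { gsub(/_/, "-", $i); print $i; break }
    }' "$1" | sort -u
}

# Print the required modules that the init script never loads.
missing_modules() {
    loaded=$(loaded_modules "$1")
    missing=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qxF -- "$m" || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: an init that loads only the modules named by
# "--with=aes --with=sha256". Whether mkinitrd adds the others on its
# own is not stated in the thread; this is only input for the check.
write_sample_init() {
    cat > "$1" <<'EOF'
echo "Loading aes module"
modprobe -q aes
echo "Loading sha256 module"
modprobe -q sha256
modprobe scsi_wait_scan
rmmod scsi_wait_scan
EOF
}

sample=$(mktemp)
write_sample_init "$sample"
echo "missing: $(missing_modules "$sample")"
rm -f "$sample"
```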



