Encrypted Root with F11

Brian Mearns bmearns at ieee.org
Fri Jun 26 12:26:05 UTC 2009


On Thu, Jun 25, 2009 at 8:23 PM, Brian Mearns<bmearns at ieee.org> wrote:
> On Thu, Jun 25, 2009 at 5:20 PM, davide<lists4davide at gmail.com> wrote:
>> On Thu, 25 Jun 2009 11:28:14 -0400, Brian Mearns wrote:
>>
>>> On Thu, Jun 25, 2009 at 11:03 AM, davide<lists4davide at gmail.com> wrote:
>>>> Brian Mearns <bmearns <at> ieee.org> writes:
>>>>
>>>>
>>>>> Thanks for the response, Davide. /boot is a separate, non-LVM
>>>>> partition with its own ext3 fs. I know F11 has options for encrypting
>>>>> during setup, but I've already got it set up, and would now like to go
>>>>> back and switch over to an encrypted root filesystem without having to
>>>>> reinstall. I think your suggestion of using a Live CD implies that I
>>>>> would reinstall Fedora, which I don't want to do.
>>>>
>>>> Do you have all the needed modules compiled into the kernel or into the
>>>> initrd? Otherwise I would take a look at /etc/crypttab and /etc/fstab
>>>>
>>>>
>>>>
>>>>> Also, it's not grub asking for the root, I'm referring to the "root"
>>>>> parameter for the kernel.
>>>>
>>>> Yes, I think you mean the root parameter in the grub config; it is a
>>>> parameter for the kernel. I would suppose it is used by the kernel to
>>>> find out where the modules and filesystem are.
>>> [clipped]
>>>
>>> Thanks, again, Davide.
>>>
>>> crypttab and fstab should be fine, as init is able to mount the device
>>> correctly. I'm not sure if I have all the correct modules: I ran
>>> mkinitrd with "--with=aes --with=sha256" and tried to boot using the
>>> generated initrd.img, but perhaps there are additional modules I need?
>>>
>>> Thanks,
>>
>> Thanks to Robert, I opened the init; I copy the relevant part here.
>> Tell me if it helps, or I can try to investigate more deeply.
>>
>>
>> echo Creating block device nodes.
>> mkblkdevs
>> echo Creating character device nodes.
>> mkchardevs
>> echo "Loading dm-crypt module"
>> modprobe -q dm-crypt
>> echo "Loading aes module"
>> modprobe -q aes
>> echo "Loading cbc module"
>> modprobe -q cbc
>> echo "Loading sha256 module"
>> modprobe -q sha256
>> echo "Loading pata_acpi module"
>> modprobe -q pata_acpi
>> echo "Loading ata_generic module"
>> modprobe -q ata_generic
>> echo Making device-mapper control node
>> mkdmnod
>> modprobe scsi_wait_scan
>> rmmod scsi_wait_scan
>> mkblkdevs
> [clipped]
>
> I'm back home and can get some additional information about this.
> Attempting to boot using the "crypto-initrd.img", which I generated
> with "mkinitrd --with=aes --with=sha256" and specifying the
> LUKS/cryptsetup encrypted drive for the kernel's "root" parameter, the
> boot process gets to the point of asking me for a password, then
> mentions a few things about an EXT4-fs (not sure which one, but no
> errors reported here), then gives the following messages before
> hanging:
>
> SELinux:  policydb magic number 0xffffe4f0 does not match expected
> magic number 0xf97cff8c
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
> request_module: runaway loop modprobe binfmt-ffff
>
> I am able to restart the system uneventfully at this point by pressing
> ctrl-alt-del.
>
> Attempting to boot with the same initrd img, but specifying an
> unencrypted partition for the kernel's "root" parameter, it all comes
> up fine, but does still ask me for a password during boot.
>
> I'm going to attempt to debug my initrd img, as suggested, but I'm not
> sure how well I'll be able to understand the script. So if anyone has
> any additional advice, I'd really appreciate it.
>
> Thanks, again.
> -Brian
[clipped]

Well, I opened my initrd init-script, but very little of it means
anything to me. Davide indicated a certain section in his script as
relevant, so I've included that section of mine. It's a bit different,
but I'm not sure if that's relevant:

###############################################
   echo Creating block device nodes.
   mkblkdevs
   echo Creating character device nodes.
   mkchardevs
   echo "Loading aes module"
   modprobe -q aes
   echo "Loading cbc module"
   modprobe -q cbc
   echo "Loading sha256 module"
   modprobe -q sha256
   echo "Loading sata_nv module"
   modprobe -q sata_nv
   echo "Loading pata_acpi module"
   modprobe -q pata_acpi
   echo "Loading ata_generic module"
   modprobe -q ata_generic
   echo "Loading dm-crypt module"
   modprobe -q dm-crypt
   echo Making device-mapper control node
   mkdmnod
   modprobe scsi_wait_scan
   rmmod scsi_wait_scan
   mkblkdevs
   echo Scanning logical volumes
###############################################

So if this means anything to anybody and they can give me any help on
how to proceed, I'd super appreciate it.

Thanks,
-Brian



-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
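
Added example, not part of the original message or of Fedora's mkinitrd: a small shell script that compares the modprobe sequences of the two init excerpts quoted in this thread. The two variables hold only the modprobe lines copied from those excerpts, and the function names are made up for this example. It reports what differs between the two scripts; it does not establish which difference, if any, relates to the hang.

```shell
#!/bin/sh
# modprobe lines copied from the two init excerpts quoted in the thread.
DAVIDE_INIT='modprobe -q dm-crypt
modprobe -q aes
modprobe -q cbc
modprobe -q sha256
modprobe -q pata_acpi
modprobe -q ata_generic
modprobe scsi_wait_scan'

BRIAN_INIT='modprobe -q aes
modprobe -q cbc
modprobe -q sha256
modprobe -q sata_nv
modprobe -q pata_acpi
modprobe -q ata_generic
modprobe -q dm-crypt
modprobe scsi_wait_scan'

# Print the module names in load order, one per line.
modules_loaded() {
    printf '%s\n' "$1" | awk '$1 == "modprobe" { print $NF }'
}

# Modules loaded by the first script but not by the second.
only_in_first() {
    a=$(modules_loaded "$1"); b=$(modules_loaded "$2")
    for m in $a; do
        printf '%s\n' "$b" | grep -qx -- "$m" || printf '%s\n' "$m"
    done
}

# 1-based position of a module in the load order (empty if absent).
load_position() {
    modules_loaded "$1" | grep -nx -- "$2" | cut -d: -f1
}

echo "only in davide's init: $(only_in_first "$DAVIDE_INIT" "$BRIAN_INIT" | tr '\n' ' ')"
echo "only in brian's init:  $(only_in_first "$BRIAN_INIT" "$DAVIDE_INIT" | tr '\n' ' ')"
echo "dm-crypt position: davide=$(load_position "$DAVIDE_INIT" dm-crypt)" \
     "brian=$(load_position "$BRIAN_INIT" dm-crypt)"
```

To run it against a real image, replace the two variables with the contents of the `init` file unpacked from each initrd.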



