Bug#629985: initramfs-tools: encrypted rootfs doesn't work

06-10-2011, 01:44 AM

Package: initramfs-tools
Version: 0.98.8
Severity: important

This is what I want:

/boot unencrypted
/usr unencrypted
/ encrypted
swap encrypted

Here's how I've tried to achieve this on a netbook, in I think the
simplest way possible (i.e. not using LVM):

- get debian-6.0.1a-i386-CD-1.iso, write it to a USB flash stick using
unetbootin, boot the graphical installer from it

- choose "manual" in the partitioner,
* delete all existing partitions
* create small partition and set it up to be ext3 for /boot
* create big partition and set it up to be ext4 for /usr
* create big partition and set it up for crypt usage
* create small partition and set it up for crypt usage
* choose "set up crypt volumes" (or so),
- say no to "overwrite with random data" (too slow for me;
actually I went to a console and used "fastrandom"[1] to
overwrite them)
- give password (2*2 times, twice for each of the two encrypted
partitions)
* set up the big encrypted partition to be ext4 for /
* set up the small encrypted partition to be swap

- let it install the base system; when it says "No installable kernel
was found in the defined APT sources", go to the console, run

# chroot /target
# vi /etc/apt/sources.list
(file is empty, insert sources)
# apt-get update
# apt-get install linux-image-686

- let the installer continue; when it says
apt configuration problem
An attempt to configure apt to install additional packages from
the CD failed.
just confirm that it should fetch things from the net
(at that point it will replace sources.list with its own)

- let it install into the MBR; let it reboot, remove the USB flash
stick; after letting grub boot the default entry, and after waiting
~30-45 seconds for the initrd to time out waiting for the root volume
to appear, when thrown to the emergency shell, type this (I've had
this problem on another laptop of mine where I installed Squeeze when
it was testing, already):

# cryptsetup luksOpen /dev/sda4 sda4_crypt
command cryptsetup not found

Oh, it doesn't even have cryptsetup in the initrd now. Write GRML to
the USB flash stick and boot from that.

Run cryptsetup luksOpen ..., mount and then mount --bind proc / dev /
sys, mount /usr and /boot, then:

# apt-get install busybox
# update-initramfs -u

Installing busybox makes a warning "W: Busybox is required for
successful boot!" from update-initramfs go away, and makes the initrd
a little bigger; but it still doesn't include cryptsetup.

I've compared /etc/initramfs-tools/* with my other system (laptop) and
they are the same, so why does update-initramfs include the crypto
stuff on my laptop (even if the password asking part doesn't work
there) but not at all on the netbook?

(I'm also wondering whether nobody ever tested installing Squeeze with
an encrypted roofs, that can't be true, right, but then why aren't the
problems I ran into known?)

Note that the info below is from my laptop, not the netbook, since I
can't boot the latter. As mentioned it is running squeeze, too, and
uses the same setup regarding / and /usr. As mentioned, on this
laptop update-initramfs at least does include cryptsetup (and I don't
know why), though.

-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 11M May 25 00:10 /boot/initrd.img-2.6.32-5-486
-rw-r--r-- 1 root root 9.6M Sep 24 2010 /boot/initrd.img-2.6.32-5-486.1_cj
-rw-r--r-- 1 root root 9.6M Oct 3 2010 /boot/initrd.img-2.6.32-5-486.2
-rw-r--r-- 1 root root 9.6M Oct 3 2010 /boot/initrd.img-2.6.32-5-686.1
-rw-r--r-- 1 root root 7.6M Jun 21 2010 /boot/initrd.img-2.6.33.5-vs2.3.0.36.30.4
-rw-r--r-- 1 root root 5.3M Feb 8 23:47 /boot/initrd.img-2.6.37
-rw-r--r-- 1 root root 12M Mar 20 10:40 /boot/initrd.img-2.6.37.3
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-2.6.37.3 root=/dev/mapper/sda11plain ro

-- /proc/filesystems
ext4
ext3
squashfs
fuseblk
vfat

-- lsmod
Module Size Used by
iwlagn 113255 0
nls_utf8 920 0
nls_cp437 4501 0
vfat 6455 0
fat 34446 1 vfat
ppp_deflate 2914 0
zlib_deflate 15662 1 ppp_deflate
bsd_comp 3988 0
ppp_async 5261 0
crc_ccitt 1047 1 ppp_async
ppp_generic 15955 3 ppp_deflate,bsd_comp,ppp_async
slhc 3494 1 ppp_generic
option 12918 0
usb_wwan 6147 1 option
usbserial 21120 2 option,usb_wwan
btusb 8055 0
bluetooth 37533 1 btusb
i915 252650 2
drm_kms_helper 19637 1 i915
drm 118430 3 i915,drm_kms_helper
i2c_algo_bit 3373 1 i915
i2c_core 12989 4 i915,drm_kms_helper,drm,i2c_algo_bit
vboxnetadp 5138 0
vboxnetflt 11916 0
vboxdrv 125469 2 vboxnetadp,vboxnetflt
acpi_cpufreq 4447 1
mperf 867 1 acpi_cpufreq
cpufreq_userspace 1392 0
cpufreq_stats 1934 0
cpufreq_conservative 6190 0
binfmt_misc 4877 1
uinput 5126 1
fuse 47030 1
ipt_MASQUERADE 1090 2
iptable_nat 2728 1
nf_nat 10203 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 7561 3 iptable_nat,nf_nat
nf_conntrack 38905 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv 4
nf_defrag_ipv4 875 1 nf_conntrack_ipv4
ip_tables 7838 1 iptable_nat
x_tables 9293 3 ipt_MASQUERADE,iptable_nat,ip_tables
squashfs 19808 5
ext3 91508 1
jbd 31112 1 ext3
usb_storage 30511 0
cpufreq_powersave 614 0
speedstep_lib 2471 0
loop 10843 10
snd_hda_codec_analog 53500 1
snd_hda_intel 16277 1
snd_hda_codec 52101 2 snd_hda_codec_analog,snd_hda_intel
snd_hwdep 4046 1 snd_hda_codec
snd_pcm_oss 27678 0
snd_mixer_oss 10395 1 snd_pcm_oss
snd_pcm 47068 3 snd_hda_intel,snd_hda_codec,snd_pcm_oss
snd_seq_midi 3642 0
snd_rawmidi 12645 1 snd_seq_midi
arc4 1002 2
snd_seq_midi_event 3762 1 snd_seq_midi
ecb 1413 2
snd_seq 34316 2 snd_seq_midi,snd_seq_midi_event
snd_timer 12501 2 snd_pcm,snd_seq
iwl3945 41916 0
snd_seq_device 3659 3 snd_seq_midi,snd_rawmidi,snd_seq
iwlcore 39530 2 iwlagn,iwl3945
mac80211 145801 3 iwlagn,iwl3945,iwlcore
snd 34153 13 snd_hda_codec_analog,snd_hda_intel,snd_hda_codec,s nd_hwdep,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_raw midi,snd_seq,snd_timer,snd_seq_device
soundcore 3434 1 snd
snd_page_alloc 4861 2 snd_hda_intel,snd_pcm
cfg80211 94573 4 iwlagn,iwl3945,iwlcore,mac80211
pcmcia 24968 0
tpm_infineon 5643 0
hp_wmi 4066 0
joydev 7016 0
yenta_socket 15680 0
sparse_keymap 1932 1 hp_wmi
rfkill 10602 3 bluetooth,cfg80211,hp_wmi
pcmcia_rsrc 7292 1 yenta_socket
psmouse 38486 0
hp_accel 12416 0
shpchp 18083 0
pcmcia_core 8261 3 pcmcia,yenta_socket,pcmcia_rsrc
serio_raw 2898 0
lis3lv02d 7287 1 hp_accel
rng_core 2298 0
video 9711 1 i915
pcspkr 1219 0
evdev 6160 22
input_polldev 2114 1 lis3lv02d
pci_hotplug 16971 1 shpchp
wmi 6004 1 hp_wmi
output 1220 1 video
tpm_tis 5429 0
tpm 8191 2 tpm_infineon,tpm_tis
tpm_bios 3649 1 tpm
ac 1692 0
battery 4286 0
button 3610 1 i915
processor 21912 3 acpi_cpufreq
ext4 244239 3
mbcache 3784 2 ext3,ext4
jbd2 47383 1 ext4
crc16 1035 1 ext4
sha256_generic 9077 4
aes_i586 6828 4
aes_generic 25766 1 aes_i586
cbc 1975 2
dm_crypt 8691 2
dm_mod 47254 5 dm_crypt
sg 15743 0
sd_mod 24886 6
sr_mod 10929 0
cdrom 25985 1 sr_mod
crc_t10dif 1020 1 sd_mod
ata_generic 2183 0
uhci_hcd 15650 0
ata_piix 17443 5
libata 122762 2 ata_generic,ata_piix
ehci_hcd 28489 0
firewire_ohci 19119 0
tg3 95623 0
scsi_mod 127531 5 usb_storage,sg,sr_mod,sd_mod,libata
usbcore 94997 8 option,usb_wwan,usbserial,btusb,usb_storage,uhci_h cd,ehci_hcd
firewire_core 35048 1 firewire_ohci
libphy 11531 1 tg3
fan 1786 0
thermal 6106 0
crc_itu_t 1039 1 firewire_core
thermal_sys 9328 4 video,processor,fan,thermal
nls_base 4521 5 nls_utf8,nls_cp437,vfat,fat,usbcore

-- /etc/initramfs-tools/modules

-- /etc/kernel-img.conf
# Kernel image management overrides
# See kernel-img.conf(5) for details
do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no

-- /etc/initramfs-tools/initramfs.conf
MODULES=most
BUSYBOX=y
KEYMAP=n
COMPRESS=gzip
BOOT=local
DEVICE=
NFSROOT=auto

-- /etc/initramfs-tools/update-initramfs.conf
update_initramfs=yes
backup_initramfs=no

-- /etc/crypttab
# <target name> <source device> <key file> <options>

-- mkinitramfs hooks
/etc/initramfs-tools/hooks/:

/usr/share/initramfs-tools/hooks:
busybox
cryptgnupg
cryptkeyctl
cryptopenct
cryptopensc
cryptpassdev
cryptroot
dmsetup
keymap
klibc
lvm2
thermal
udev
uswsusp
v86d

-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (900, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.37.3 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages initramfs-tools depends on:
ii cpio 2.11-4 GNU cpio -- a program to manage ar
ii findutils 4.4.2-1+b1 utilities for finding files--find,
ii klibc-utils 1.5.20-1 small utilities built with klibc f
ii module-init-tools 3.12-1 tools for managing Linux kernel mo
ii udev 164-3 /dev/ and hotplug management daemo

Versions of packages initramfs-tools recommends:
ii busybox 1:1.17.1-8 Tiny utilities for small and embed

Versions of packages initramfs-tools suggests:
ii bash-completion 1:1.2-3 programmable completion for the ba

-- no debconf information

--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110610014436.12344.71782.reportbug@tie.local">ht tp://lists.debian.org/20110610014436.12344.71782.reportbug@tie.local

06-10-2011, 02:10 AM

> * * actually I went to a console and used "fastrandom"[1] to

[1] https://github.com/pflanze/fastrandom

(PS. I previously also sent a mail to the debian-boot mailing list on
that issue / those issues, "How to install with encrypted root?")

--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: BANLkTi=CyBfCB3YayNzW6PTQLMbWdoeF-w@mail.gmail.com">http://lists.debian.org/BANLkTi=CyBfCB3YayNzW6PTQLMbWdoeF-w@mail.gmail.com