Net Nut wrote:
> I have a machine with an encrypted root filesystem on kernel 2.4.22 with
> loop-AES-v1.7e and I want to upgrade to a 2.6 kernel (thinking 2.6.7 or
> 2.6.6). Since loop-AES-v2.1b has a kernel patch for 2.6.6 I was
> thinking I should use that kernel, so where I am unsure is will I have
> to make changes to the initrd.gz and all the modified binaries, or will
> just the patched kernel work (it doesn't seem to).

May I suggest that you:

1) Rename old initrd.gz to initrd-old.gz
2) Modify your bootloader configuration to load initrd-old.gz version with
   2.4.22 kernel.
3) Create new initrd.gz using build-initrd.sh from loop-AES-v2.1b
4) Modify your bootloader configuration to load initrd.gz version with 2.6
   kernels.

New initrd.gz should work ok with 2.4 and 2.6 kernels, but having old
version there should enable you to boot old 2.4 kernel if something goes
wrong with new initrd.

Old losetup+mount will work with loop code from loop-AES-v1.X and
loop-AES-v2.X in single-key mode. Your root partition is using single-key
mode because it was created using loop-AES-v1.X .

New losetup+mount from loop-AES-v2.X versions will work with loop code from
loop-AES-v1.X and loop-AES-v2.X in single-key mode, and with loop code from
loop-AES-v2.X in both single-key and multi-key mode. IOW, it is safe to
upgrade to newer versions of losetup+mount.

There is one pitfall though: When module-init-tools are installed as needed
by 2.6 kernels, module-init-tools package renames /sbin/insmod to
/sbin/insmod.old and installs new /sbin/insmod that calls /sbin/insmod.old
when used with 2.4 kernels. If you are using module version of loop-AES,
then /boot directory should contain both insmod and insmod.old after
build-initrd.sh is run. On some distros, insmod.old may be called
insmod.modutils .

Quote from loop-AES-v2.1b/README lines 871 to 875:

"   If you are upgrading kernel of a system where root partition is already
    encrypted, only steps 5 to 7 and 13 are needed. /boot/initrd.gz is
    kernel independent and there is no need to re-create it for each kernel.
    However, if you are upgrading from 2.4 kernel to 2.6 kernel, new insmod
    may need to be copied to /boot directory by running step 12 before
    running step 13.                                                        "

> I wondered what the difference is between the crypto loop that is
> already in the 2.6 kernel, and the loop-AES patch.

Mainline cryptoloop only does single-key mode, which has been broken. Since
your root partition is using single-key mode, your setup is also broken.
Re-encrypting using loop-AES multi-key mode is the way to go.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
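
A pre-reboot check for the four steps and the insmod pitfall described in the message above, as an added example that is not part of the original post or of loop-AES. The function name `check_upgrade`, its arguments, and the acceptance of `insmod.modutils` as a file name inside the boot directory are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: verify the boot directory and bootloader config before
# rebooting into a 2.6 kernel with an encrypted root filesystem.
# Assumed interface: check_upgrade BOOTDIR BOOTLOADER_CONF [module|builtin]

check_upgrade() {
    bootdir=$1
    conf=$2
    mode=${3:-builtin}
    problems=""

    # Steps 1 and 3: both initrd images must exist and be non-empty.
    for f in initrd-old.gz initrd.gz; do
        [ -s "$bootdir/$f" ] || problems="$problems missing:$f"
    done

    # Steps 2 and 4: the bootloader config must reference both images,
    # so the 2.4.22 entry can still boot if the new initrd fails.
    for f in initrd-old.gz initrd.gz; do
        grep -qF "$f" "$conf" 2>/dev/null || problems="$problems unreferenced:$f"
    done

    # Pitfall: with loop-AES built as a module, the boot directory needs
    # the new insmod plus the renamed 2.4 one. Accepting insmod.modutils
    # here is an assumption based on the distro naming note in the post.
    if [ "$mode" = module ]; then
        [ -s "$bootdir/insmod" ] || problems="$problems missing:insmod"
        if [ ! -s "$bootdir/insmod.old" ] && [ ! -s "$bootdir/insmod.modutils" ]; then
            problems="$problems missing:insmod.old"
        fi
    fi

    if [ -n "$problems" ]; then
        echo "NOT READY:$problems" >&2
        return 1
    fi
    echo "ready: $bootdir ($mode)"
}
```

Pass the path of whichever bootloader configuration file the machine uses as the second argument; the check only looks for the two initrd file names in it and does not parse the entries.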