On Wed, 15 Aug 2007 20:06:32 +0300 Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:

> Fog_Watch wrote:
> > I am aiming to boot from logical volumes that are attached to
> > an encrypted /dev/loop which is in turn attached to a /dev/hda.
> > I hope to have all but /boot encrypted, yet retain the flexibility
> > of lvm2. To date I have failed.
> > snip
> One of the config options in build-initrd.sh is USEROOTSETUP. If you
> set that to USEROOTSETUP=1,

Done.

> then the created initrd will mount BOOTDEV /dev/hda1
> as /lib, and run the /lib/rootsetup program or script instead
> of the /lib/losetup program. If /lib/rootsetup is a shell script, then a
> shell (and its libraries) must be manually copied to the boot partition.

I am using a script along the lines you suggested. The shell I chose was dash (static), which was copied to /boot.

> The script then sets up the needed logical volume and calls losetup to do
> the loop setup work. The rootsetup program/script needs to be able to both
> set up a device and also tear it down (in case mount fails, and mount
> is tried again). The rootsetup program/script gets the same command line
> parameters as losetup. In the following example all command line
> parameters are ignored, with the exception of the first one, which is used to
> determine whether the script should set up a loop device or tear it
> down.

I'm not understanding this bit. The script (rootsetup) tests for "-d", but I don't know where this parameter is set. And the parameters "-e AES128 -K /lib/rootkey.gpg -G /lib /dev/loop5" in the following rootsetup are ignored. I don't know why they are there.

> The initrd image has only a few static device nodes. Additional
> needed device nodes need to be created by the script.

My encrypted partition is /dev/hda6. Does that mean that my rootsetup script should include "mknod /dev/hda6 b 3 6" (wild guess)?

> Any external
> program that the script uses (and their libraries) you need to
> manually copy to the boot partition.

Copied lvm, mknod and dash to /boot. Apparently no additional libraries are required.

> Something like this: (completely untested!)
>
> #!/lib/sh
> if [ "$1" != "-d" ] ; then
>     # INSERT LOGICAL VOLUME SETUP HERE
>     /lib/losetup -e AES128 -K /lib/rootkey.gpg \
>         -G /lib /dev/loop5 /dev/vg/root
> else
>     /lib/losetup -d /dev/loop5
>     # INSERT LOGICAL VOLUME TEARDOWN HERE
> fi

RB is correct in suggesting that I am aiming for LVM on loop-aes. So, the script I have conjured up is as follows:

#!/lib/sh
if [ "$1" != "-d" ] ; then
    /lib/mknod /dev/hda6 b 3 6   # necessary?
    /lib/losetup -e AES128 -K /lib/rootkey.gpg \
        -G /lib /dev/loop5 /dev/hda6
    # INSERT LOGICAL VOLUME SETUP HERE
    /lib/lvm vgscan --mknodes
else
    # INSERT LOGICAL VOLUME TEARDOWN HERE
    /lib/losetup -d /dev/loop5
fi

During boot, the kernel loads and the machine then shuts down with the following error repeated six times:

Command "/lib/rootsetup -e AES128 -I 0 -K /lib/rootkey.gpg -G /lib /dev/loop5 /dev/hda6" returned error

Hmmmmmm, any clues?

Jari, thanks for the suggestions.

Regards
Fog_Watch.

--
Lose wait. Get Gentoo.

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
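A rootsetup script following the contract Jari describes (same arguments as losetup, "-d" selects teardown, device nodes created by the script), added here as an example and not taken from the thread or from loop-AES's build-initrd.sh. It assumes /dev/hda6 is block major 3 minor 6 (the guess above), a volume group named vg (placeholder), a DRY_RUN variable of my own for exercising it outside the initrd, and that the options the initrd passes (including the "-I 0" seen in the error line) are forwarded to losetup rather than hard-coded; each step tears down what it set up on failure so the initrd's retry starts from a clean state.

```shell
# Install as /lib/rootsetup on the boot partition with a "#!/lib/sh" first
# line (the initrd mounts /dev/hda1 as /lib).  Added example, not from the
# thread.  Assumptions: /dev/hda6 is b 3 6, the volume group is "vg", and
# DRY_RUN=1 prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-}"

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# In setup mode the initrd calls us as
#   rootsetup -e AES128 -I 0 -K /lib/rootkey.gpg -G /lib /dev/loop5 /dev/hda6
# so the loop device and its backing device are the last two arguments.
rootsetup_setup() {
    loopdev=""; backdev=""
    for a in "$@"; do loopdev="$backdev"; backdev="$a"; done
    # The initrd has only a few static nodes; create the backing device's.
    [ -b "$backdev" ] || run /lib/mknod "$backdev" b 3 6   # placeholder major/minor
    # Forward every losetup option unchanged instead of hard-coding them.
    run /lib/losetup "$@" || return 1
    # LVM lives inside the decrypted loop device: scan it, then activate.
    run /lib/lvm vgscan --mknodes || { rootsetup_teardown -d "$loopdev"; return 1; }
    run /lib/lvm vgchange -ay vg  || { rootsetup_teardown -d "$loopdev"; return 1; }
}

# Teardown is called as "rootsetup -d /dev/loop5"; deactivate the volume
# group before detaching the loop device it lives on.
rootsetup_teardown() {
    run /lib/lvm vgchange -an vg
    run /lib/losetup -d "$2"
}

rootsetup_main() {
    if [ "$1" = "-d" ]; then rootsetup_teardown "$@"; else rootsetup_setup "$@"; fi
}

# Only dispatch when actually installed as /lib/rootsetup.
case "${0##*/}" in rootsetup) rootsetup_main "$@" ;; esac
```

Running it with DRY_RUN=1 and the argument list from the error line shows the exact command sequence the initrd would trigger, which is the quickest way to see which step returns the error.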