First of all, your problems are very distribution specific.

The kernel complains that it cannot find the block device that was passed via root= parameter (without root= it will probably use the first hd block device it sees as fallback).

On Mon, September 22, 2014 00:50, vaskez@xxxxxxxxxx wrote:
> Several times I have set up virtual machines to test the cryptsetup
> software. I can create and remove the encrypted volumes just fine and
> mount them, however whenever I am finished setting up my system and
> reboot, my kernel panics, ends, then says that it cannot mount root fs
> on unknown block (hd0,0). I am sure that it is not a misconfiguration
> with the kernel, as I have built kernels for unencrypted systems and
> they have booted fine. Some information:
>
> The encrypted volumes are created with:
> cryptsetup -y -v -c serpent-xts-plain -s 512 -h sha512 create dmname
> device
>
> Previous partition layouts was like such:
> /dev/sda1 +b Linux 100M (/boot) (not encrypted)
> /dev/sda2 Linux Swap / Solaris 2G (swap)
> /dev/sda3 Linux 10G (root)
> /dev/sda4 Extended
> /dev/sda5 Linux 2G (/var)
> /dev/sda6 Linux 6G (/home)
>
> This last time the layout was like such:
> /dev/sda1 +b Linux 100M (/boot) (not encrypted)
> /dev/sda2 Linux LVM 2G (swap)
> /dev/sda3 Linux LVM 10G (root)
> /dev/sda4 Extended
> /dev/sda5 Linux LVM 2G (/var)
> /dev/sda6 Linux LVM 6G (/home)
>
> The distribution I am using is Gentoo with a custom (to test at one
> time) and modified i386_defconfig (every other time) kernel patched with
> GRSecurity.
>
> This last time installing cryptsetup I made sure to install packages in
> a specific order, like installing cryptsetup before grub legacy and
> still got the same error. I had set root (hd0,0) in grub command line
> and setup (hd0) on the command line. At one time I had tested setup on
> (hd0,0), still the same error.
> When issuing grub-install /dev/sda in
> bash, it will say that df cannot read filesystems and that it cannot
> read a device map file, so I had to install grub in grub command shell.

Grub is its own thing, does the bootloader load the kernel from an encrypted fs? grub legacy? grub 2?

>
> I install cryptsetup from portage with USE="-thin" emerge -avtq
> cryptsetup. -thin does not install thin provisioning tools and the boost
> sys utils which I assume are very big because they take very long to
> install.

cryptsetup does not have any thin use flag afaik, lvm2 is the one using thin provisioning ...

>
> After installing cryptsetup, I configure /etc/crypttab (which does not
> exist) as follows:
> swap /dev/mapper/swap /dev/urandom
> swap,cipher=serpent-xts-plain,size=512,hash=sha512
> root /dev/mapper/swap none
> root,cipher=serpent-xts-plain,size=512,hash=sha512
> var /dev/mapper/swap none
> var,cipher=serpent-xts-plain,size=512,hash=sha512
> home /dev/mapper/swap none
> home,cipher=serpent-xts-plain,size=512,hash=sha512

Gentoo does not really use crypttab, does it? Instead it will use dmcrypt in conf.d (for SYSVinit), might use crypttab for systemd though.

>
> /etc/fstab looks like:
> /dev/sda1 /boot ext2 noauto,noatime 0 2
> /dev/mapper/swap none swap sw 0 0
> /dev/mapper/root / ext4 defaults,relatime 0 1
> /dev/mapper/var /var ext4 defaults,relatime 0 1
> /dev/mapper/home /home ext4 defaults,relatime 0 0
> /dev/cdrom /mnt/cdrom auto noauto,user 0 0
>

fstab does not really matter when the kernel tries to mount the root filesystem, fstab won't be needed until fscking or so...
> I append the output of dmsetup tables to /etc/dmtab as the file says to
> do, and then configure /etc/conf.d/dmcrypt to the following lines:
> target=swap
> source='/dev/sda2'
> key='/dev/urandom'
> options='-c serpent-xts-plain -s 512 -h sha512'
>
> target=root
> source='/dev/sda3'
> options='-c serpent-xts-plain -s 512 -h sha512'
>
> target=var
> source='/dev/sda5'
> options='-c serpent-xts-plain -s 512 -h sha512'
>
> target=home
> source='/dev/sda6'
> options='-c serpent-xts-plain -s 512 -h sha512'
>

Okay, so I presume you do use SYSVinit. Again, dmcrypt won't be needed until the boot runlevel is reached, your problem starts WAY before this.

> I also add lvm and dmcrypt to the boot runlevel. Kernel parameters are
> set as follows:
> kernel /boot/kernel cryptdevice=/dev/sda3:root
> crypto=sha512:serpent-xts-plain:512:0 root=/dev/mapper/root quiet

Unfortunately you don't say anything about your initrd/initramfs, because at some point during early boot you'll have to provide the passphrase. You are telling the kernel to use /dev/mapper/root which in turn seems to be missing when the kernel tries to mount it. That being said, the other options are obviously for your initramfs which in turn should run cryptsetup. These should be documented by the initramfs/initrd generator used. The initramfs/initrd should usually drop you to a rescue shell. This way you could check what actually happened etc. As your GRUB line does not include an initramfs, how do you actually provide the masterkey to cryptsetup and run cryptsetup? Or did you piggy-back the initramfs?

>
> I have shifted and removed parts of these options in various ways
> possibly 15 or more different ways and nothing has worked.
>
> After all of this none of it works. I reboot and get a kernel panic, and
> then it says: VFS: root fs cannot be mounted on unknown block (hd0,0).
> And yes I have set LVM and DM_CRYPT options etc in the kernel.

I hope I could help to look in the right place for the necessary information etc.

Regards

-Sven

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
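
Added example, not part of the original thread and not any initramfs generator's own code: it shows the reply's point that an initramfs has to run cryptsetup with the creation-time parameters before the kernel can mount root=/dev/mapper/root, and flags a boot stanza that has no initrd line. The function names, the title line and the parameter formats (cryptdevice=<device>:<name>, crypto=<hash>:<cipher>:<keysize>:<offset>) are assumptions; the real format is whatever your initramfs generator documents.

```shell
#!/bin/sh
# Added example. Assumed parameter formats (not confirmed by the thread):
#   cryptdevice=<device>:<mapping name>   crypto=<hash>:<cipher>:<keysize>:<offset>

# Print the value of <key>=... from a kernel command line string.
cmdline_get() {  # $1 = key, $2 = command line
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Print the cryptsetup call an initramfs /init has to run before root= exists.
build_open_cmd() {  # $1 = command line
    cd_val=$(cmdline_get cryptdevice "$1") || { echo "no cryptdevice=" >&2; return 1; }
    cr_val=$(cmdline_get crypto "$1") || { echo "no crypto=" >&2; return 1; }
    root=$(cmdline_get root "$1") || { echo "no root=" >&2; return 1; }
    dev=${cd_val%%:*}; name=${cd_val#*:}
    IFS=: read -r hash cipher keysize offset _rest <<EOF
$cr_val
EOF
    [ "$root" = "/dev/mapper/$name" ] ||
        { echo "root=$root is not the mapping '$name'" >&2; return 1; }
    # Plain dm-crypt has no header: cipher, key size and hash must match creation.
    cmd="cryptsetup -c $cipher -s $keysize -h $hash"
    [ "${offset:-0}" = 0 ] || cmd="$cmd -o $offset"
    printf '%s create %s %s\n' "$cmd" "$name" "$dev"
}

# Return 1 if a GRUB legacy stanza names a /dev/mapper root but has no initrd line.
check_stanza() {  # $1 = stanza text
    kline=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*kernel[[:space:]]') || return 0
    root=$(cmdline_get root "$kline") || return 0
    case "$root" in
        /dev/mapper/*) printf '%s\n' "$1" | grep -Eq '^[[:space:]]*initrd[[:space:]]' ;;
    esac
}

# Kernel line from the thread (title line is constructed).
STANZA='title Gentoo
kernel /boot/kernel cryptdevice=/dev/sda3:root crypto=sha512:serpent-xts-plain:512:0 root=/dev/mapper/root quiet'
check_stanza "$STANZA" || echo "stanza has no initrd: nothing will create /dev/mapper/root"
build_open_cmd "$STANZA"
```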