On Tue, May 31, 2011 at 5:59 AM, Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Frederick Gazerblezeebe wrote:
>> I am trying to set up a Fedora 15 system (kernel 2.6.39) on which the
>> root filesystem is encrypted with loop-aes (v3.6c).
>>
>> Can someone suggest the best location to place the initial losetup
>> commands? This new version uses the systemd boot stuff and
>> /etc/rc.d/rc.sysinit (where I placed the losetup commands before) no
>> longer exists. I was partially successful placing them in
>> /lib/systemd/fedora-readonly, meaning losetup successfully sets up the
>> loop device, but attempts to actually mount a file system on this loop
>> fail and the boot process terminates. I think I may be placing the
>> losetup too late in the sequence and the system is attempting to mount
>> on the loop before it is actually set up, but that's just a guess at
>> this point.
>
> I am assuming you used loop-AES' build-initrd.sh script. I changed the
> script so that it can be configured to set up more loop devices than the one
> used by encrypted root partition. For example, if you want to set up
> "no password entering required" /dev/loop6 and /dev/loop4, you can add these
> lines to build-initrd.sh config:
>
> EXTRACOMMANDRUN1=1
> EXTRACOMMANDSTR1="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop6.txt /dev/loop6 /dev/sda3"
> EXTRACOMMANDRUN2=1
> EXTRACOMMANDSTR2="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop4.txt /dev/loop4 /dev/sdd12"
>
> Limitations/rules:
> 1) Commands are run after switching to encrypted root but before starting
> /sbin/init
> 2) Encrypted root partition is mounted read-only. Other file systems are not
> mounted.
> 3) udev is not running yet, so dynamic device nodes on tmpfs (created and
> mounted by udev on top of /dev directory) are not available.
> 4) If commands need /dev/* device nodes, you must make sure that static
> device nodes exist on encrypted root partition on /dev directory. Use
> mknod program to create those device nodes. The above example would need 4
> nodes: /dev/loop6, /dev/sda3, /dev/loop4 and /dev/sdd12. The tricky part
> is putting them on the directory that is under udev mounted tmpfs file
> system.
> 5) /etc/cleartextkey-loop*.txt files (or whatever) on encrypted root
> partition are protected by root partition encryption. Each of these files
> contains 65 lines of key material that would normally be wrapped by and
> protected by gpg encryption.
> 6) Up to 8 extra commands can be configured. If you need more, make it run a
> shell script somewhere on encrypted root partition.
>
> New version of the build-initrd.sh script is here:
> http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2
> http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2.sign
>
> --
> Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD

I am currently up on the encrypted root with a couple of issues, which may
not be problems with loop-aes. Using the EXTRACOMMANDRUN# options in your
new script I am able to get the loop device for /home initialized, as shown
by the output of losetup -a (loop2=/, loop3=home),

  /dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
  /dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3

but systemd is unable to mount it to /home as defined in fstab,

  /dev/loop3 /home ext4 defaults 0 2 #/dev/sda3

resulting in a failure to boot. At first I thought this was a selinux
problem, but further testing shows that this is not likely the case. Next I
need to go through the systemd scripts and find exactly where it is failing
and see what I can do about it.

One additional peculiarity is that although the swap is activated at boot
time, it is not encrypted until I remove/add it again. The fstab entry is

  /dev/sda5 swap swap sw,loop=/dev/loop5,encryption=AES128 0 0

Immediately after boot:

  ###[102]% losetup -a
  /dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
  /dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3
  ###[103]% swapon -s
  Filename                Type        Size    Used    Priority
  /dev/sda5               partition   6136824 0       0
  ###[104]% swapoff -a
  ###[105]% swapon -a
  Setting up swapspace version 1, size = 6136820 KiB
  no label, UUID=4f1b6b95-bd99-4ac5-aee6-b87d599b1f5c
  ###[107]% losetup -a
  /dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
  /dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3
  /dev/loop5: [0005]:5244 (/dev/sda5) offset=4096 encryption=AES128 multi-key-v3
  ###[109]% swapon -s
  Filename                Type        Size    Used    Priority
  /dev/loop5              partition   6136820 0       -1

Once again I think this is a systemd issue as opposed to a loop-aes problem
and I am currently looking into it as well. So thanks again for the quick
script update, it really helped, and I'll post back again when I've made
some more progress.

FG
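As an added example (not part of the thread, and not loop-AES or systemd code), a small POSIX shell audit that automates the check FG did by hand above: it parses constructed copies of the losetup -a, swapon -s and fstab text quoted in the thread and reports any fstab loop device that is not attached with encryption, and any active swap that is running on the raw partition instead of its loop device. The function names and sample texts are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit loop-AES devices after boot.
# Every fstab entry that relies on a loop device (a /dev/loopN device, or a
# loop=/dev/loopN option) must appear in `losetup -a` with encryption=...,
# and active swap must sit on such a loop device, not on the raw partition.
# constructed: `losetup -a` immediately after boot (loop5 never attached)
LOSETUP_BEFORE='/dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
/dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3'
# constructed: `losetup -a` after swapoff -a / swapon -a
LOSETUP_AFTER="$LOSETUP_BEFORE
/dev/loop5: [0005]:5244 (/dev/sda5) offset=4096 encryption=AES128 multi-key-v3"
# constructed: `swapon -s` before and after the swapoff/swapon cycle
SWAPON_BEFORE='Filename Type Size Used Priority
/dev/sda5 partition 6136824 0 0'
SWAPON_AFTER='Filename Type Size Used Priority
/dev/loop5 partition 6136820 0 -1'
# constructed: the two fstab lines quoted in the thread
FSTAB_SAMPLE='/dev/sda5 swap swap sw,loop=/dev/loop5,encryption=AES128 0 0
/dev/loop3 /home ext4 defaults 0 2 #/dev/sda3'
# check_fstab_loops LOSETUP_TEXT FSTAB_TEXT
# prints one line per loop device that is missing or unencrypted; rc 1 if any
check_fstab_loops() {
    losetup_out=$1 rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        loopdev=
        case "$dev" in /dev/loop*) loopdev=$dev ;; esac
        case "$opts" in *loop=/dev/loop*)          # loop=/dev/loopN mount option
            loopdev=$(printf '%s\n' "$opts" | sed 's/.*loop=\(\/dev\/loop[0-9]*\).*/\1/') ;;
        esac
        [ -n "$loopdev" ] || continue              # plain entry, nothing to check
        line=$(printf '%s\n' "$losetup_out" | grep "^$loopdev:" || true)
        if [ -z "$line" ]; then
            echo "$mnt: $loopdev not attached"; rc=1
        else
            case "$line" in *encryption=*) ;; *) echo "$mnt: $loopdev attached without encryption"; rc=1 ;; esac
        fi
    done <<EOF
$2
EOF
    return $rc
}
# check_swap_encrypted SWAPON_TEXT: rc 1 if any active swap is not a loop device
check_swap_encrypted() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ /^\/dev\/loop/ { bad = 1 } END { exit bad + 0 }'
}
# stand-alone run over the "immediately after boot" state from the thread
check_fstab_loops "$LOSETUP_BEFORE" "$FSTAB_SAMPLE" || echo "fstab loop check failed"
check_swap_encrypted "$SWAPON_BEFORE" || echo "active swap is not on an encrypted loop device"
```

On a live system, replace the constructed samples with the real command output and /etc/fstab contents; the same two checks are also a reasonable thing to run from a boot-time unit, since swap silently running on the raw partition means anything paged out lands on disk in the clear.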