On Fri, 2018-03-16 at 14:14 +0100, Mikhail Morfikov wrote:
> I'm working on some LUKS setup and I can't make it work. I thought this could be
> the right place to ask, but if it's not, you can point me in the right direction.
>
> I've created a bootable image out of my system's /boot/ partition (with MBR,
> partition table and extlinux installed), and the /boot/ image will be served by
> another device via USB -- by my Android phone. When I connect my smartphone to a
> USB port in my laptop, the machine should boot directly from the image using a
> USB MSD component of Android kernel (additional disk /dev/sdb1 shows up). To
> this point everything works well (my laptop is able to boot directly from the
> phone).
>
> I also want to move the LUKS header of the encrypted system container to the
> /boot/ partition (under /boot/luks/header.img) and use this header instead.
> Since the system is encrypted, it requires an initrd/initramfs image, at least my
> setup needs it. But the detached LUKS header solution doesn't work OOTB.
> Basically the system can't see the detached LUKS header, and it's because the
> /boot/ partition isn't mounted during the initrd/initramfs phase.
>
> Based on the initramfs-tools manual, I tried to write some script that would mount
> the /boot/ partition before the system tries to decrypt the LUKS container. I
> don't really know how to do it properly, so I probably did it wrong.
[...]
> And I tried to put this script into any dir that was in
> /etc/initramfs-tools/scripts/ , which was:
> init-bottom/ init-premount/ init-top/ local-bottom/ local-premount/ local-top/ .
> The initramfs/initrd image was generated each time and it was copied to the
> right /boot/ partition (in case someone would wonder). But nothing worked.
>
> The manual also mentioned the local-block/ dir, but it was missing, so I created
> it and placed my script there. This time, the system finally was able to see the
> detached LUKS header file, but there are a couple of things to reconsider.
>
> 1. The USB device isn't detected right away, and I see some messages concerning
> the missing LUKS header file.

Right, USB devices (among others) are detected asynchronously after driver
initialisation. So initramfs-tools calls the local-block scripts repeatedly to
check whether a needed block device has now appeared.

> After less than 5s the USB disk is detected, and
> everything is fine after that -- I'm able to type the password and unlock the
> encrypted system container using the detached LUKS header. So is there a way to
> delay the decryption of the root file system, or make it wait till the /dev/sdb1
> shows up?

Not that I can think of immediately.

> 2. Mounting /boot/ partition in the initramfs/initrd phase makes some problems
> when the main system boots. It says something about "resources busy" when it
> comes to mounting of the /boot/ partition. So how to unmount the /boot/
> partition in the initramfs/initrd phase before the root filesystem is mounted
> but after it was decrypted?

All the mounts created in the initramfs need to be either moved under the new
root (e.g. "mount -o move /boot ${rootmnt}/boot") or unmounted, before we
switch the root. You should do that in a local-bottom script.

Ben.

-- 
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
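A local-bottom script along the lines Ben describes, added here as an example (it is not from the thread and not part of initramfs-tools); it assumes the earlier local-block script mounted the /boot image at /boot inside the initramfs, that the initramfs init has set ${rootmnt} to the new root, and a script name of move-boot:

```shell
#!/bin/sh
# /etc/initramfs-tools/scripts/local-bottom/move-boot  (file name is an assumption)
# Runs after the root filesystem is mounted at ${rootmnt} but before the switch
# to it.  The /boot mount created earlier (assumed: by a local-block script, at
# /boot) is moved under the new root, so the real system does not hit
# "resource busy" when it mounts /boot itself.  If the new root has no /boot
# directory, the mount is simply dropped instead.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

BOOT_MNT=/boot      # where the initramfs mounted the /boot image (assumption)

# boot_mount_action MOUNTPOINT NEWROOT [MOUNTS_FILE]
# Prints "none"   if MOUNTPOINT is not mounted (nothing to clean up),
#        "move"   if NEWROOT/MOUNTPOINT exists (use mount -o move),
#        "umount" otherwise.
# MOUNTS_FILE defaults to /proc/mounts; it is a parameter only so the decision
# can be checked offline against a constructed mount list.
boot_mount_action() {
    mp=$1; newroot=$2; mounts=${3:-/proc/mounts}
    mounted=0
    while read -r _dev _mp _rest; do
        if [ "$_mp" = "$mp" ]; then mounted=1; fi
    done < "$mounts"
    if [ "$mounted" -eq 0 ]; then
        echo none
    elif [ -d "${newroot}${mp}" ]; then
        echo move
    else
        echo umount
    fi
}

# ${rootmnt} is set by the initramfs init; outside the initramfs it is unset
# and this block does nothing.
if [ -n "$rootmnt" ]; then
    case "$(boot_mount_action "$BOOT_MNT" "$rootmnt")" in
        move)   mount -o move "$BOOT_MNT" "${rootmnt}${BOOT_MNT}" ;;
        umount) umount "$BOOT_MNT" ;;
    esac
fi
```

After placing the script, regenerate the initramfs (update-initramfs -u) and copy the new image to the /boot image as before.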