On 2018-03-16 21:47, Ben Hutchings wrote:
> On Fri, 2018-03-16 at 14:14 +0100, Mikhail Morfikov wrote:
>> I'm working on some LUKS setup and I can't make it work. I thought this
>> could be the right place to ask, but if it's not, you can point me in the
>> right direction.
>>
>> I've created a bootable image out of my system's /boot/ partition (with MBR,
>> partition table and extlinux installed), and the /boot/ image will be served
>> by another device via USB -- by my Android phone. When I connect my
>> smartphone to a USB port in my laptop, the machine should boot directly from
>> the image using a USB MSD component of Android kernel (additional disk
>> /dev/sdb1 shows up). To this point everything works well (my laptop is able
>> to boot directly from the phone).
>>
>> I also want to move the LUKS header of the encrypted system container to the
>> /boot/ partition (under /boot/luks/header.img) and use this header instead.
>> Since the system is encrypted, it requires initrd/initramfs image, at least
>> my setup needs it. But the detached LUKS header solution doesn't work OOTB.
>> Basically the system can't see the detached LUKS header, and it's because
>> the /boot/ partition isn't mounted during the initrd/initramfs phase.
>>
>> Based on initramfs-tools manual, I tried to write some script that would
>> mount the /boot/ partition before the system tries to decrypt the LUKS
>> container. I don't really know how to do it properly, so I probably did it
>> wrong.
> [...]
>> And I tried to put this script into any dir that was in
>> /etc/initramfs-tools/scripts/ , which was:
>> init-bottom/ init-premount/ init-top/ local-bottom/ local-premount/
>> local-top/ .
>> The initramfs/initrd image was generated each time and it was copied to the
>> right /boot/ partition (in case someone would wonder). But nothing worked.
>>
>> The manual also mentioned the local-block/ dir, but it was missing, so I
>> created it and placed my script there. This time, the system finally was
>> able to see the detached LUKS header file, but there are a couple of things
>> to reconsider.
>>
>> 1. The USB device isn't detected right away, and I see some messages
>> concerning the missing LUKS header file.
>
> Right, USB devices (among others) are detected asynchronously after
> driver initialisation. So initramfs-tools calls the local-block scripts
> repeatedly to check whether a needed block device has now appeared.
>
>> After less than 5s the USB disk is detected, and everything is fine after
>> that -- I'm able to type the password and unlock the encrypted system
>> container using the detached LUKS header. So is there a way to delay the
>> decryption of the root file system, or make it wait till the /dev/sdb1
>> shows up?
>
> Not that I can think of immediately.
>
>> 2. Mounting /boot/ partition in the initramfs/initrd phase makes some
>> problems when the main system boots. It says something about "resources
>> busy" when it comes to mounting of the /boot/ partition. So how to unmount
>> the /boot/ partition in the initramfs/initrd phase before the root
>> filesystem is mounted but after it was decrypted?
>
> All the mounts created in the initramfs need to be either moved under
> the new root (e.g. "mount -o move /boot ${rootmnt}/boot") or unmounted,
> before we switch the root. You should do that in a local-bottom
> script.
>
> Ben.
>

Thanks for the answer.
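The following hook script is an added illustration of the two pieces discussed in this thread (the local-block stage that Mikhail found makes the header visible, and the local-bottom move that Ben recommends); it is not code from either poster or from initramfs-tools itself. It assumes the same copy is installed under both /etc/initramfs-tools/scripts/local-block/ and /etc/initramfs-tools/scripts/local-bottom/ (the file name boot-header is an assumed choice), that the USB /boot partition shows up as /dev/sdb1 as in the thread, and that the detached header lives at /boot/luks/header.img. The helper functions (is_mounted, header_ready, stage_from_path) are pure and can be exercised outside an initramfs; the mount actions only run when /scripts/functions exists, i.e. inside the initramfs.

```shell
#!/bin/sh
# Added example hook for initramfs-tools (not from the thread or the project).
# Install the same file as (assumed names):
#   /etc/initramfs-tools/scripts/local-block/boot-header
#   /etc/initramfs-tools/scripts/local-bottom/boot-header
# The stage is derived from the directory the running copy lives in.
#
# local-block : initramfs-tools calls these scripts repeatedly while it waits
#               for the root device, so we retry mounting the USB /boot
#               partition until it appears and the detached header is readable.
# local-bottom: hand the /boot mount over to the real root with "mount -o move"
#               so the main system does not find /boot already busy.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in
    prereqs) prereqs; exit 0 ;;
esac

# Assumed values for this setup; override via environment or edit in place.
BOOT_DEV="${BOOT_DEV:-/dev/sdb1}"
BOOT_MNT="${BOOT_MNT:-/boot}"
HEADER_REL="${HEADER_REL:-luks/header.img}"

# is_mounted MOUNTS_FILE MOUNTPOINT
# Returns 0 if MOUNTPOINT is a mount target (field 2) in a /proc/mounts-style
# file, 1 otherwise. Taking the file as a parameter keeps it testable.
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# header_ready DIR REL: 0 if DIR/REL exists and is non-empty.
header_ready() {
    [ -s "$1/$2" ]
}

# stage_from_path SCRIPT_PATH: name of the directory holding the script,
# e.g. "local-block" or "local-bottom".
stage_from_path() {
    basename "$(dirname "$1")"
}

# do_local_block: mount BOOT_DEV read-only on BOOT_MNT once the device node
# exists (cryptsetup only needs to read the detached header). Returns 0 when
# the header is usable, 1 while still waiting for the USB device.
do_local_block() {
    if ! [ -b "$BOOT_DEV" ]; then
        return 1
    fi
    if ! is_mounted /proc/mounts "$BOOT_MNT"; then
        mkdir -p "$BOOT_MNT"
        mount -o ro "$BOOT_DEV" "$BOOT_MNT" || return 1
    fi
    header_ready "$BOOT_MNT" "$HEADER_REL"
}

# do_local_bottom: move the mount under ${rootmnt} (set by the initramfs init)
# instead of leaving it behind when the root is switched.
do_local_bottom() {
    if is_mounted /proc/mounts "$BOOT_MNT"; then
        mount -o move "$BOOT_MNT" "${rootmnt}${BOOT_MNT}"
    fi
}

# Only perform mount actions when really running inside an initramfs, which
# is where /scripts/functions exists; elsewhere this file just defines helpers.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    case "$(stage_from_path "$0")" in
        local-block)  do_local_block ;;
        local-bottom) do_local_bottom ;;
    esac
fi
```

Because local-block scripts are invoked again on each wait-loop iteration, do_local_block simply returns 1 until /dev/sdb1 exists, which covers the "device not detected for a few seconds" case without any sleep; the later local-bottom copy then performs the move that the "resource busy" symptom was asking for. After installing both copies, regenerate the initramfs (update-initramfs -u) and copy it to the /boot image as before.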