
Re: How to access LUKS header files during initramfs/initrd phase?



On Fri, 2018-03-16 at 14:14 +0100, Mikhail Morfikov wrote:
> I'm working on some LUKS setup and I can't make it work. I thought this could be
> the right place to ask, but if it's not, you can point me in the right direction.
> 
> I've created a bootable image out of my system's /boot/ partition (with MBR,
> partition table and extlinux installed), and the /boot/ image will be served by
> another device via USB -- by my Android phone. When I connect my smartphone to a
> USB port in my laptop, the machine should boot directly from the image using a
> USB MSD component of Android kernel (additional disk /dev/sdb1 shows up). To
> this point everything works well (my laptop is able to boot directly from the
> phone).
> 
> I also want to move the LUKS header of the encrypted system container to the
> /boot/ partition (under /boot/luks/header.img) and use this header instead.
> Since the system is encrypted, it requires initrd/initramfs image, at least my
> setup needs it. But the detached LUKS header solution doesn't work OOTB.
> Basically the system can't see the detached LUKS header, and it's because the
> /boot/ partition isn't mounted during the initrd/initramfs phase.
> 
> Based on initramfs-tools manual, I tried to write some script that would mount
> the /boot/ partition before the system tries to decrypt the LUKS container. I
> don't really know how to do it properly, so I probably did it wrong.
[...]
> And I tried to put this script into any dir that was in
> /etc/initramfs-tools/scripts/ , which was:
> init-bottom/  init-premount/  init-top/  local-bottom/  local-premount/
> local-top/ .
> The initramfs/initrd image was generated each time and it was copied to the
> right /boot/ partition (in case someone would wonder). But nothing worked.
> 
> The manual also mentioned the local-block/ dir, but it was missing, so I created
> it and placed my script there. This time, the system finally was able to see the
> detached LUKS header file, but there are a couple of things to reconsider.
> 
> 1. The USB device isn't detected right away, and I see some messages concerning
> the missing LUKS header file.

Right, USB devices (among others) are detected asynchronously after
driver initialisation.  So initramfs-tools calls the local-block scripts
repeatedly to check whether a needed block device has now appeared.

> After less than 5s the USB disk is detected, and
> everything is fine after that -- I'm able to type the password and unlock the
> encrypted system container using the detached LUKS header. So is there a way to
> delay the decryption of the root file system, or make it wait till the /dev/sdb1
> shows up?

Not that I can think of immediately.

> 2. Mounting /boot/ partition in the initramfs/initrd phase causes some problems
> when the main system boots. It says something about "resources busy" when it
> comes to mounting of the /boot/ partition. So how to unmount the /boot/
> partition in the initramfs/initrd phase before the root filesystem is mounted
> but after it was decrypted?

All the mounts created in the initramfs need to be either moved under
the new root (e.g. "mount -o move /boot ${rootmnt}/boot") or unmounted,
before we switch the root.  You should do that in a local-bottom
script.

Ben.

-- 
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
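The two pieces Ben describes (poll from local-block until the USB disk has been enumerated, then move the mount under ${rootmnt} from local-bottom) written out as a single initramfs-tools script. This is an added example, not code from the thread, from initramfs-tools or from cryptsetup. It assumes the /boot filesystem carries the hypothetical label BOOTUSB, is ext4, and that /etc/crypttab refers to the detached header as /boot/luks/header.img via the header= option; install the same file under both scripts/local-block/ and scripts/local-bottom/ and run update-initramfs -u.

```shell
#!/bin/sh
# Added example: one script installed twice,
#   /etc/initramfs-tools/scripts/local-block/bootusb
#   /etc/initramfs-tools/scripts/local-bottom/bootusb
# It picks its job from the directory it was installed in.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

BOOT_SPEC="${BOOT_SPEC:-LABEL=BOOTUSB}"   # hypothetical label of the USB /boot
BOOT_MNT="/boot"
BOOT_FSTYPE="ext4"                        # assumption; match the real filesystem
BOOT_OPTS="ro"                            # match /etc/fstab, the moved mount is
                                          # what the booted system ends up with

# Turn LABEL=x, UUID=x or /dev/x into a device path.  The initramfs creates
# /dev/disk/by-label and /dev/disk/by-uuid symlinks once udev sees the disk,
# so a missing symlink simply means "not enumerated yet".
boot_dev_for() {
    case "$1" in
        LABEL=*) echo "/dev/disk/by-label/${1#LABEL=}" ;;
        UUID=*)  echo "/dev/disk/by-uuid/${1#UUID=}" ;;
        /dev/*)  echo "$1" ;;
        *)       return 1 ;;
    esac
}

# True if $1 is currently a mount point, read straight from /proc/mounts
# (no awk/grep, which may be absent from a klibc-only initramfs).
is_mounted() {
    while read -r _dev mnt _rest; do
        [ "$mnt" = "$1" ] && return 0
    done < /proc/mounts 2>/dev/null
    return 1
}

# local-block: called again and again (roughly once a second, for up to
# rootdelay seconds) while the root device is still missing.  Stay quiet
# until the USB mass-storage device exists, then mount it so the detached
# header is visible to whatever retries the LUKS unlock next round.
mount_boot_if_present() {
    dev=$(boot_dev_for "$BOOT_SPEC") || return 1
    is_mounted "$BOOT_MNT" && return 0
    [ -b "$dev" ] || return 1           # phone not enumerated yet, try later
    mkdir -p "$BOOT_MNT"
    mount -t "$BOOT_FSTYPE" -o "$BOOT_OPTS" "$dev" "$BOOT_MNT"
}

# local-bottom: root is unlocked and mounted on ${rootmnt}.  Anything still
# mounted on /boot inside the initramfs would make the real system's own
# mount of /boot fail with EBUSY, so move it under the new root (or, if
# that fails for any reason, drop it and let the system mount it itself).
move_boot_under_root() {
    is_mounted "$BOOT_MNT" || return 0
    mkdir -p "${rootmnt}${BOOT_MNT}"
    mount -o move "$BOOT_MNT" "${rootmnt}${BOOT_MNT}" || umount "$BOOT_MNT"
}

# Dispatch on the install location; when run from anywhere else (for
# instance sourced on a running system to test the helpers) do nothing.
case "$0" in
    */local-block/*)  mount_boot_if_present ;;
    */local-bottom/*) move_boot_under_root ;;
esac
```

Two practical notes. The polling window for local-block is bounded by rootdelay (the rootdelay= kernel parameter raises it), so a phone that takes longer than that to enumerate still drops you to the initramfs shell. And because the moved mount is the one the booted system sees, its options must agree with the /boot line in /etc/fstab; if the fstab wants rw, mount rw here or remount later, since nothing will remount it for you.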