Using an encrypted root with a regular keyfile asks for passphrase #49

Open
siebz0r opened this issue Nov 21, 2017 · 6 comments

Comments

@siebz0r

siebz0r commented Nov 21, 2017

I have an encrypted root set up on /dev/sda2. To access the encrypted partition I use a key, which is a regular file called key on the root of a usb drive with the label KEY.
I've read the manual and this is what I came up with for the kernel arguments:

luks=reg:LABEL=KEY:/key root=root-sda2

When I boot (and the usb drive isn't connected) I am prompted to plug in the drive with LABEL=KEY, so far so good. However, when I plug it in, I am prompted for a passphrase for /dev/sda2. I am forced to press enter until I am dropped in a rescue shell where I can manually mount the thumb drive, use cryptsetup to open the root device with the key and mount it under /newroot. Then I press ctrl-D and booting continues as expected.

Not sure if I'm doing something wrong here, but it looks like a bug to me.

@szorfein
Contributor

szorfein commented Nov 21, 2017

Kernel arg seems correct. You say:

I boot (and the usb drive isn't connected)

Did you try to boot with the usb drive connected? Maybe it changes something.

What's the file system you are using?
And how did you build the image? (command)

A log file can be useful too :)

@siebz0r
Author

siebz0r commented Nov 22, 2017

When booting with the usb drive connected it doesn't prompt to connect the usb drive but it does prompt me for a passphrase. I'm using ext4 for the usb drive and the root partition.

I have built the image using mkinitramfs, it uses the following config:

opts[-module-boot]+=:kms:ext2:ext3:ext4
opts[-module-device-mapper]+=:dm-thin-pool:dm-mirror:dm-cache:dm-multipath:dm-snapshot
opts[-module-dm-crypt]+=aes:dm-crypt:sha256:sha512:wp512:ecb:lrw:xts:twofish:serpent
opts[-module-dm-raid]+=:dm-raid:dm-mirror:dm-multipath:dm-snapshot
opts[-module-gpg]+=:cast5
opts[-module-kms]+=:i915:nouveau:radeon
opts[-module-raid]+=:raid0:raid10:raid1:raid456
opts[-module-remdev]+=:nls_cp437:vfat
opts[-module-squashd]+=:aufs:overlay:squashfs
opts[-module-swsusp]+=
opts[-module-tuxonice]+=:tuxonice_swap:tuxonice_userui:tuxonice_file
opts[-module-zfs]+=:zfs
opts[-module-zram]+=:zram
opts[-module-bcache]+=:bcache
opts[-module-btrfs]+=:btrfs
opts[-firmware]=:iwlwifi-7260
opts[-module]+=:boot:kms:remdev:uvesafb
opts[-module-group]+=:boot:kms:remdev:swsusp
opts[-bin]+=:blkid:v86d
opts[-bin-zfs]=zfs:zpool:mount.zfs
opts[-bin-btrfs]=btrfs:btrfsck:fsck.btrfs
opts[-font]+=:ter-g12n:ter-g14n:ter-112n:ter-v12n
opts[-keymap]+=:us
opts[-luks]=:
opts[-compressor]=none
opts[-initramfs]="efi/initramfs-$(uname -r)"

env=(
	${MIR_EXTRA_ENV}
	'CHECK_ENV=false'
)

And here's the log:

[0]: umask 0077
[0]: mkdir -p dev/pts proc run sys /newroot /mnt/tok
[0]: mount -t proc proc /proc
[0]: mount -t sysfs sysfs /sys
[0]: mount -t devtmpfs devtmpfs /dev
[0]: /sbin/mdev -s
[0]: mount -t tmpfs -o mode=755,size=1% tmpfs /run
[0]: MODPROBE kms
[0]: ln -fns /proc/self/fd /dev/fd
[0]: ln -fns fd/2 /dev/stderr
[0]: ln -fns fd/0 /dev/stdin
[0]: ln -fns fd/1 /dev/stdout
[0]: loadfont
[0]: loadkmap
[1]: test -f /etc/issue
[0]: test -n root-sda2
[0]: CUT _luks reg:LABEL=KEY:/key , 1 
[0]: mount -n -r /dev/sdc1 /mnt/tok
[0]: test -f /mnt/tok//key
[0]: get_key reg:LABEL=KEY:/key
[0]: MODPROBE dm-crypt
[0]: cryptsetup isLuks /dev/sda2
[0]: dmcrypt /dev/sda2 _dev
[2]: cryptsetup open /dev/sda2 root
[1]: test -b /dev/mapper/root
[1]: dmopen root-sda2 DEV
[0]: get_dev root-sda2 ROOT 1
[1]: mount /newroot
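The log above finds the keyfile on the token drive (test -f /mnt/tok//key succeeds) but then shows "cryptsetup open /dev/sda2 root" with no key argument, which is exactly the invocation that makes cryptsetup fall back to an interactive passphrase prompt. The following is an added example, not mkinitramfs-ll code: it parses a luks=<mode>:<device>:<path> argument of the form used here and assembles the mount and open commands that a regular keyfile requires. The function names, TOK_MNT, and the use of findfs to resolve LABEL= are assumptions; only the "reg" mode is handled.

```shell
#!/bin/sh
# Added example (not from the mkinitramfs-ll project). Builds the command
# lines as strings instead of running them, so it can be checked offline.

TOK_MNT=/mnt/tok   # token mount point, as seen in the issue's log

# parse_luks_arg "reg:LABEL=KEY:/key" -> prints "mode device path"
parse_luks_arg() {
    arg=$1
    case "$arg" in
        *:*:*) ;;
        *) echo "expected mode:device:path, got: $arg" >&2; return 1 ;;
    esac
    mode=${arg%%:*}
    rest=${arg#*:}
    dev=${rest%%:*}
    path=${rest#*:}
    [ "$mode" = reg ] || { echo "unsupported key mode: $mode" >&2; return 1; }
    case "$dev" in
        LABEL=*|UUID=*|/dev/*) ;;
        *) echo "bad device spec: $dev" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$mode" "$dev" "$path"
}

# token_mount_cmd <device-spec>: read-only mount of the token drive.
# LABEL=/UUID= specs are resolved with findfs (util-linux and busybox both
# provide it; assumed to be in the image).
token_mount_cmd() {
    case "$1" in
        LABEL=*|UUID=*) echo "mount -n -r \$(findfs $1) $TOK_MNT" ;;
        *) echo "mount -n -r $1 $TOK_MNT" ;;
    esac
}

# build_open_cmd <luks-arg> <root-device> <mapper-name>
# For a regular keyfile the path on the mounted token must reach cryptsetup
# via --key-file; without it cryptsetup prompts for a passphrase.
build_open_cmd() {
    parsed=$(parse_luks_arg "$1") || return 1
    set -- "$2" "$3" $parsed   # $1=rootdev $2=name $3=mode $4=dev $5=path
    echo "cryptsetup open --key-file $TOK_MNT/${5#/} $1 $2"
}
```

For the issue's arguments the sequence is "mount -n -r $(findfs LABEL=KEY) /mnt/tok" followed by "cryptsetup open --key-file /mnt/tok/key /dev/sda2 root".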

@szorfein
Contributor

szorfein commented Nov 22, 2017

I'll just show an example of what I did last time, directly after installing mkinitramfs-ll.

You need to generate a static busybox.

# cd /usr/share/mkinitramfs-ll/scripts
# ./busybox.sh

After that, you edit /etc/mkinitramfs.conf to add the kernel arg on the last line.

# vim /etc/mkinitramfs.conf
env="${env} luks=reg:LABEL=KEY:/key root=root-sda2"

And last step, build image, check kernel version (4.9.24-hardened here):

# ls /lib/modules
  4.9.24-hardened

# mkinitramfs-ll.sh --luks --keymap=us -k 4.9.24-hardened --extension=img 

@szorfein
Contributor

szorfein commented Nov 22, 2017

If you have already done that or it doesn't help, I don't know how to resolve your issue. I never tested with a regular file.

@szorfein
Contributor

what command line do you use to open your device with regular key?

@tokiclover
Owner

I am afraid there is a bug that should be fixed. I will commit a patch later.
