[Bookworm] cannot unlock LUKS2 volume from initramfs #362
Comments
@tdewey-rpi, since you're looking at something similar, is this something you've stumbled upon?
ACK. I'm going to try and reproduce something along these lines now.
Thanks for the report, @blkop. I've been able to reproduce part of your failure and methodology. I can confirm I'm seeing files explicitly named in the hooks file be transferred to the resultant initramfs, but it appears that the documentation for mkinitramfs isn't aligning with observed behaviour on bookworm. Specifically, it says:
And sure enough, the adiantum module isn't being copied into the initramfs, while it's present on the installed system:
initramfs:
Installed system:
Just saw your modules file - the only way I can investigate further is to spin up another device, so I'll schedule this digging.
Can you confirm you have
Yes
@tdewey-rpi did you get a chance to look into this?
I followed the same (I guess; this one? https://rr-developer.github.io/LUKS-on-Raspberry-Pi/) tutorial and got similar errors.
@bklop
in
Despite all the fixes I've made, when I unlocked LUKS in initramfs and typed exit, initramfs opens with
I am having exactly the same issue. I don't understand how it can write that /dev/mapper/XXX is not present if I see it is there. What kind of nonsensical error message is that?
Seems the culprit is this function:

```sh
# Resolve device node from a name. This expands any LABEL or UUID.
# $1=name
# Resolved name is echoed.
resolve_device() {
	DEV="$1"
	case "$DEV" in
	LABEL=* | UUID=* | PARTLABEL=* | PARTUUID=*)
		DEV="$(blkid -l -t "$DEV" -o device)" || return 1
		;;
	esac
	[ -e "$DEV" ] && echo "$DEV"
}
```

It doesn't handle the case where the device is already resolved, like:
Fix:

```sh
resolve_device() {
	DEV="$1"
	case "$DEV" in
	/dev/*)
		# If the input starts with /dev/, we don't need to do anything else
		;;
	LABEL=* | UUID=* | PARTLABEL=* | PARTUUID=*)
		DEV="$(blkid -l -t "$DEV" -o device)" || return 1
		;;
	esac
	[ -e "$DEV" ] && echo "$DEV"
}
```
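An added example for checking the patched function above before editing `/usr/share/initramfs-tools/scripts/functions`; it is written for this page and is not initramfs-tools' code or the commenter's. It runs `resolve_device` on absolute paths on a normal system. Because the `/dev/*` branch has an empty body, an absolute path reaches the final `[ -e "$DEV" ]` test unchanged, so the outcome depends only on whether the node exists at the moment the function runs: a node that does not exist yet prints nothing and returns 1, which is the condition a caller reports as the device not being present. The `probe_device` wrapper and the mapper name are constructed for the demonstration; only the `LABEL=`/`UUID=` branch calls `blkid`, and it is not exercised here.

```sh
#!/bin/sh
# Added example (not initramfs-tools' code and not from the thread): exercise
# the patched resolve_device() on absolute paths outside the initramfs.

# The function as posted above, with the extra "/dev/*" branch.  That branch
# does nothing, so an absolute path reaches the existence test exactly as it
# would without the branch; only LABEL=/UUID= style names go through blkid.
resolve_device() {
    DEV="$1"
    case "$DEV" in
    /dev/*)
        # already a device node path, nothing to expand
        ;;
    LABEL=* | UUID=* | PARTLABEL=* | PARTUUID=*)
        DEV="$(blkid -l -t "$DEV" -o device)" || return 1
        ;;
    esac
    [ -e "$DEV" ] && echo "$DEV"
}

# Constructed caller: an empty result means the node did not exist when
# resolve_device ran, i.e. the "not present" situation from the thread.
# Prints the node and returns 0 on success, returns 1 otherwise.
probe_device() {
    node="$(resolve_device "$1")" || node=""
    if [ -z "$node" ]; then
        printf '%s: not present at probe time\n' "$1" >&2
        return 1
    fi
    printf '%s\n' "$node"
}

# Constructed inputs: /dev/null exists on any Linux system; the mapper name is
# made up and is not expected to exist here.
probe_device /dev/null
probe_device /dev/mapper/example-not-yet-opened || true
```

Run it as a normal user; the second probe is expected to fail. To reproduce the initramfs situation, point `probe_device` at the `/dev/mapper/...` name before and after `cryptsetup luksOpen` and watch the result flip from failure to success.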
Thanks for sharing a fix. It's located in
Yes. For practical reasons I do this:
Replacing the entire function,
@marsante Btw, what are you doing? I am currently making a script that creates an mdadm RAID1, with LUKS on top of that, and makes it the Raspberry Pi root. I have 2x M.2 on a Raspberry Pi. It seems to work fine after I fixed this.
@exander77 much simpler than you, just encrypting the SD card.
I can test, it works, but every time I reboot I have to reopen LUKS via initramfs, maybe I missed something?
I am not sure what you mean by this.
Sorry if it's not clear.
After that I can finish all the procedures in initramfs, exit it and get into the OS.
to boot into the OS.
That would be expected if nothing else is calling
If you list the contents, you can see what it does:
Basically, it installs a hook and unlock script that calls
Oh thanks, I thought it was a recommended package with cryptsetup, but I have to install it manually. I'll be able to search in the installed files, because unfortunately it doesn't change the behavior at boot.
Ok, I think I got it. First time I made.
This time I make:
I don't know if
Thanks again for your help @exander77
Btw, I don't think you have to set up
With RBPI OS Lite 64 based on Debian 11 (2023-05-03-raspios-bullseye-arm64-lite.img.xz) running on an RBPI CM4, I can decrypt a LUKS2 volume encrypted with Adiantum from initramfs. The procedure I follow for building the initramfs:

```sh
sudo apt install busybox cryptsetup initramfs-tools
```

Check that the algorithms are available:

```sh
cryptsetup benchmark -c xchacha20,aes-adiantum-plain64
```

/etc/initramfs-tools/hooks/luks_hooks

```sh
sudo chmod +x /etc/initramfs-tools/hooks/luks_hooks
```

/etc/initramfs-tools/modules

Finally, build a new initramfs:

```sh
sudo -E CRYPTSETUP=y mkinitramfs -o /boot/initramfs.gz
```

I then update /boot/cmdline.txt etc. During reboot I get bumped into a shell where I can unlock a volume:

```sh
cryptsetup luksOpen /dev/XYZ crypted
```

This works fine with Debian 11. When I followed the same procedure with Bookworm (2023-12-11-raspios-bookworm-arm64-lite.img.xz), everything works fine until I boot into initramfs and try to unlock the volume, where I get this error:

```
libgcc_s.so.1 must be installed for pthread_exit to work
```

I realized it was most likely this issue: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1960080

So I added libpthread and libgcc to my luks_hooks script:

After building a new initramfs I then checked the archive for the presence of the modules:

However, after booting into initramfs I still cannot use cryptsetup to unlock the volume:

```
Cannot use xchacha20,aes-adiantum-plain64 cipher
```
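An added example covering the two file-level steps of the procedure above, the hook and the check of the built image. It is written for this page; it is not the reporter's luks_hooks file and not initramfs-tools' code. Assumptions: an arm64 Raspberry Pi OS bookworm layout (cryptsetup at /usr/sbin/cryptsetup, libgcc_s.so.1 under /usr/lib/*/), the initramfs-tools hook functions `copy_exec` and `manual_add_modules`, and the kernel module names `dm-crypt`, `adiantum`, `nhpoly1305`, `chacha-neon` and `chacha_generic` behind `xchacha20,aes-adiantum-plain64`. libgcc_s.so.1 is copied explicitly because glibc loads it at run time for `pthread_exit` rather than linking it, so dependency-following alone misses it (the cause of the pthread_exit message in the launchpad bug linked above). The listing check exists because the thread reports modules named in the modules file not ending up in the image: list the archive and fail before rebooting into a shell that cannot unlock anything. The sample listings and the `6.1.0-example` kernel directory are constructed.

```sh
#!/bin/sh
# Added example, not the reporter's luks_hooks and not initramfs-tools' code.
# 1. write_luks_hook PATH   : generate an initramfs-tools hook
# 2. check_listing           : verify an image listing (stdin) has what LUKS
#                              unlocking with Adiantum needs; exit 1 if not

# Write the hook to $1 (normally /etc/initramfs-tools/hooks/luks_hooks).
write_luks_hook() {
    cat > "$1" <<'EOF'
#!/bin/sh
# initramfs-tools hook: cryptsetup + Adiantum support (generated example)
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions

# copy_exec follows the binary's linked libraries.
copy_exec /usr/sbin/cryptsetup
# glibc loads libgcc_s.so.1 at run time for pthread_exit; it is not a linked
# dependency, so copy_exec does not bring it in by itself.  Path assumed.
for lib in /usr/lib/*/libgcc_s.so.1; do
    copy_exec "$lib"
done
# Modules behind xchacha20,aes-adiantum-plain64 (names assumed for arm64).
manual_add_modules dm-crypt adiantum nhpoly1305 chacha-neon chacha_generic
EOF
    chmod 0755 "$1"
}

# Read an image listing (one path per line, as printed by lsinitramfs) on
# stdin, print each required entry that is absent, return 1 if any is.
# Module files may be .ko, .ko.xz or .ko.zst depending on the kernel build.
check_listing() {
    listing="$(cat)"
    missing=0
    while IFS= read -r pat; do
        if ! printf '%s\n' "$listing" | grep -Eq -- "$pat"; then
            printf 'missing: %s\n' "$pat"
            missing=1
        fi
    done <<'EOF'
(^|/)cryptsetup$
(^|/)libgcc_s\.so\.1$
(^|/)dm-crypt\.ko(\.[a-z]+)?$
(^|/)adiantum\.ko(\.[a-z]+)?$
(^|/)nhpoly1305\.ko(\.[a-z]+)?$
EOF
    return "$missing"
}

# Real use: check_image /boot/initramfs.gz   (needs lsinitramfs installed)
check_image() {
    lsinitramfs "$1" | check_listing
}

# Constructed listing of a broken image: binaries and dm-crypt present, the
# Adiantum cipher modules absent.
sample_bad_listing() {
    cat <<'EOF'
.
usr
usr/sbin
usr/sbin/cryptsetup
usr/lib/aarch64-linux-gnu/libgcc_s.so.1
usr/lib/modules/6.1.0-example/kernel/drivers/md/dm-crypt.ko.xz
EOF
}

# Constructed listing of an image that also carries the cipher modules.
sample_fixed_listing() {
    sample_bad_listing
    printf '%s\n' \
        usr/lib/modules/6.1.0-example/kernel/crypto/adiantum.ko.xz \
        usr/lib/modules/6.1.0-example/kernel/crypto/nhpoly1305.ko.xz
}
```

Typical use after sourcing the script: `write_luks_hook /etc/initramfs-tools/hooks/luks_hooks`, rebuild with the `mkinitramfs` command above, then `check_image /boot/initramfs.gz`; any `missing:` line means the image will not unlock the volume, so fix the hook before rebooting. Adiantum in the kernel needs the adiantum and nhpoly1305 modules plus an xchacha20 implementation, which is why those are on the required list.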