Il Sun, 28 Jun 2009 11:07:36 -0400, Brian Mearns ha scritto: > Thanks for the continued assistance, Davide. My cipher is the same as > yours. I'm going to try making my initrd module order match yours, and > see if that helps. Hi, Brian. I'm interested in crypto and software issues, and I'm new in fedora world, so I really enjoy your problem ;-) A question: do you have a custom kernel? if so, try with a fedora one, I'm using it and it has all the stuff needed by this crypto setup. Let me know. -- fedora-list mailing list fedora-list(a)redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

On Fri, Jun 26, 2009 at 11:04 AM, davide&lt;lists4davide(a)gmail.com&gt; wrote: > davide <lists4davide <at> gmail.com> writes: > >> choosed > > oh my gosh! sorry! > > > > > -- > fedora-list mailing list > fedora-list(a)redhat.com > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list > Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines > Thanks for the continued assistance, Davide. My cipher is the same as yours. I'm going to try making my initrd module order match yours, and see if that helps. -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net

choosed

Umm, you know the /boot partition has to be ext3? Grub cannot handle an ext4 /boot. I know this has not a thing to do with encryption, but I thought I'd ask just to be sure. Bob

Il Thu, 25 Jun 2009 11:28:14 -0400, Brian Mearns ha scritto: > On Thu, Jun 25, 2009 at 11:03 AM, davide&lt;lists4davide(a)gmail.com&gt; wrote: >> Brian Mearns <bmearns <at> ieee.org> writes: >> >> >>> Thanks for the response, Davide. /boot is a seperate, non-LVM >>> partition with its own ext3 fs. I know F11 has options for encrypting >>> during setup, but I've already got it set up, and would now like to go >>> back and switch over to an excrypted root filesystem without having to >>> reinstall. I think your suggestion of using a Live CD implies that I >>> would reinstall Fedora, which I don't want to do. >> >> have you all the needed modules compiled into the kernel or into the >> initrd? otherwise I would give a look at /etc/crypttab and /etc/fstab >> >> >> >>> Also, it's not grub asking for the root, I'm referring to the "root" >>> parameter for the kernel. >> >> Yes, I think you mean the root parameter into the grub config, it is a >> parameter for the kernel. I would suppose is used by the kernel to find >> out where are modules and filesystem. > [clipped] > > Thanks, again, Davide. > > crypttab and fstab should be fine, as init is able to mount the device > correctly. I'm not sure if I have all the correct modules: I ran > mkinitrd with "--with=aes --with=sha256" and tried to boot using the > generated initrd.img, but perhaps there are additional modules I need? > > Thanks, thanks to Robert, I opened the init, I copy here the relevant part. tell me if it helps, or I can try to investigate more deeply. echo Creating block device nodes. mkblkdevs echo Creating character device nodes. mkchardevs echo "Loading dm-crypt module" modprobe -q dm-crypt echo "Loading aes module" modprobe -q aes echo "Loading cbc module" modprobe -q cbc echo "Loading sha256 module" modprobe -q sha256 echo "Loading pata_acpi module" modprobe -q pata_acpi echo "Loading ata_generic module" modprobe -q ata_generic echo Making device-mapper control node mkdmnod modprobe scsi_wait_scan rmmod scsi_wait_scan mkblkdevs

Brian Mearns<bmearns<at> ieee.org> writes: > Thanks, again, Davide. > you're welcome. > crypttab and fstab should be fine, as init is able to mount the device > correctly. I'm not sure if I have all the correct modules: I ran > mkinitrd with "--with=aes --with=sha256" and tried to boot using the > generated initrd.img, but perhaps there are additional modules I need? > > I'm not at home with my pc now, but I can send you my list of modules, if you need it. (just need to find out how to generate it)

Brian Mearns <bmearns <at> ieee.org> writes: > Thanks for the response, Davide. /boot is a seperate, non-LVM > partition with its own ext3 fs. I know F11 has options for > encrypting during setup, but I've already got it set up, and would > now like to go back and switch over to an excrypted root filesystem > without having to reinstall. I think your suggestion of using a Live > CD implies that I would reinstall Fedora, which I don't want to do. have you all the needed modules compiled into the kernel or into the initrd? otherwise I would give a look at /etc/crypttab and /etc/fstab > > Also, it's not grub asking for the root, I'm referring to the "root" > parameter for the kernel. Yes, I think you mean the root parameter into the grub config, it is a parameter for the kernel. I would suppose is used by the kernel to find out where are modules and filesystem.

I apologize if this has been asked before, I checked the most recent archives and didn't find anything. I've successfully set up two separate LUKS encrypted logical-volumes, one for home and one for root. Everything appeared to be working fine, until I tried to delete my old root logical-volume and found out it was still in use: the kernel was using it as the root, even though mount had then replaced it at / with the encrypted one. So I tried simply changing the root parameter to the kernel (from grub.conf) so it points to the encrypted one, but when I boot, the startup routine stops after a little while and just hangs there until I ctrl-alt-del, and then it restarts. I don't think it's reaching init, because I haven't seen any of the usual "Starting some server... [OK]" messages. I guess that makes sense if it's failing to load the root device, it wouldn't get to init. So can anyone help me get this set up properly? I have a basic understanding of the boot process and I guess that something needs to be changed in initrd to tell it to unlock the encrypted root disk before mounting it. But I have no idea how to do that. On a related note, can anyone explain what's actually required of the root FS loaded by the kernel? I tried setting up just a 1GB empty ext3 filesystem to use as the root, and then let mount replace it with the encrypted one once init starts, but this also caused the startup process to hang: apparently having a filesystem alone is insufficient, there actually needs to be some stuff on it? I'm using Fedora 11 on a Compaq Presario laptop (x86). Many thanks for any help, - -Brian - -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQEcBAEBAgAGBQJKQ3FxAAoJEHOUulIkSI7cA9AH/1MVKuxOg9udqRBDwxLOQwSM 6A+iEDWZVj5e+oCJg62RNeuh++oZLVpHx8EWvH7G5S5T1NvSvnQomim7kvJgoqei 1+TEhc9iy99isZJ6Qqc+e2CTljXIsb48/nddTc+oWa2LSN1wnRR0x/cBW9tUopro K4wRwzwa/UcPh/wRPEWFDHXM6Pgbdq/3PVJZR2s0VG9HZAz4hGfxRNSdJeFFcsOz xvAoOtCifp5ssr2p/+JYKtjTw7e63LVUHh5/ALjCHo89ILcnjos3549b3AOI7MeJ 8kp73u3c6z99TB7+LjydenIRc2l25WYEEkhVFWLRFKJwDYvK/G61l4epde05FF8= =4Qhh -----END PGP SIGNATURE-----

> So can anyone help me get this set up properly? I have a basic > understanding of the boot process and I guess that something needs > to be changed in initrd to tell it to unlock the encrypted root > disk before mounting it. But I have no idea how to do that.

On Thu, Jun 25, 2009 at 5:20 PM, davide&lt;lists4davide(a)gmail.com&gt; wrote: > Il Thu, 25 Jun 2009 11:28:14 -0400, Brian Mearns ha scritto: > > >> On Thu, Jun 25, 2009 at 11:03 AM, davide&lt;lists4davide(a)gmail.com&gt; wrote: >> >>> Brian Mearns<bmearns<at> ieee.org> writes: >>> >>> >>> >>>> Thanks for the response, Davide. /boot is a seperate, non-LVM >>>> partition with its own ext3 fs. I know F11 has options for encrypting >>>> during setup, but I've already got it set up, and would now like to go >>>> back and switch over to an excrypted root filesystem without having to >>>> reinstall. I think your suggestion of using a Live CD implies that I >>>> would reinstall Fedora, which I don't want to do. >>>> >>> have you all the needed modules compiled into the kernel or into the >>> initrd? otherwise I would give a look at /etc/crypttab and /etc/fstab >>> >>> >>> >>> >>>> Also, it's not grub asking for the root, I'm referring to the "root" >>>> parameter for the kernel. >>>> >>> Yes, I think you mean the root parameter into the grub config, it is a >>> parameter for the kernel. I would suppose is used by the kernel to find >>> out where are modules and filesystem. >>> >> [clipped] >> >> Thanks, again, Davide. >> >> crypttab and fstab should be fine, as init is able to mount the device >> correctly. I'm not sure if I have all the correct modules: I ran >> mkinitrd with "--with=aes --with=sha256" and tried to boot using the >> generated initrd.img, but perhaps there are additional modules I need? >> >> Thanks, >> > thanks to Robert, I opened the init, I copy here the relevant part. > tell me if it helps, or I can try to investigate more deeply. > > > echo Creating block device nodes. > mkblkdevs > echo Creating character device nodes. > mkchardevs > echo "Loading dm-crypt module" > modprobe -q dm-crypt > echo "Loading aes module" > modprobe -q aes > echo "Loading cbc module" > modprobe -q cbc > echo "Loading sha256 module" > modprobe -q sha256 > echo "Loading pata_acpi module" > modprobe -q pata_acpi > echo "Loading ata_generic module" > modprobe -q ata_generic > echo Making device-mapper control node > mkdmnod > modprobe scsi_wait_scan > rmmod scsi_wait_scan > mkblkdevs > [clipped] I'm back home and can get some additional information about this. Attempting to boot using the "crypto-initrd.img", which I generated with "mkinitrd --with=aes --with=sha256" and specifying the LUKS/cryptsetup encrypted drive for the kernel's "root" parameter, the boot process gets to the point of asking me for a password, then mentions a few things about an EXT4-fs (not sure which one, but no error's reported here), then gives the following messages before hanging: SELinux: policydb magic number 0xffffe4f0 does not match expected magic number 0xf97cff8c request_module: runaway loop modprobe binfmt-ffff request_module: runaway loop modprobe binfmt-ffff request_module: runaway loop modprobe binfmt-ffff request_module: runaway loop modprobe binfmt-ffff request_module: runaway loop modprobe binfmt-ffff I am able to restart the system uneventfully at this point by pressing ctrl-alt-del. Attempting to boot with the same initrd img, but specifying an unecrypted partition for the kernel's "root" parameter, it all comes up fine, but does still ask me for a password during boot. I'm going to attempt to debug my initrd img, as suggested, but I'm not sure how well I'll be able to understand the script. So if anyone has any additional advice, I'd really appreciate it. Thanks, again. -Brian