Extra partitions in /etc/crypttab in initramfs


Trammell Hudson

Oct 28, 2016, 7:28:57 AM
to qubes...@googlegroups.com
I'm not sure if this issue affects anyone else, but the /etc/crypttab in
initramfs does not have entries for extra partitions that were created
during installation. It only has / and swap.

Since I'm configuring / to be read only, I have a separate /home for
the modifiable state. The disks are unlocked via a TPM sealed keyfile,
so the initramfs needs to be modified to add the additional entry for
the extra partitions.

--
Trammell

Marek Marczykowski-Górecki

Oct 28, 2016, 7:34:17 AM
to Trammell Hudson, qubes...@googlegroups.com
/etc/crypttab in initramfs is generated (not copied) by dracut. See
here:
/usr/lib/dracut/modules.d/90crypt/module-setup.sh

Anyway I think it all should be possible also using kernel command line,
see man dracut.cmdline.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Trammell Hudson

Oct 28, 2016, 8:39:55 AM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
On Fri, Oct 28, 2016 at 01:34:09PM +0200, Marek Marczykowski-Górecki wrote:
> On Fri, Oct 28, 2016 at 05:28:52AM -0600, Trammell Hudson wrote:
> > I'm not sure if this issue affects anyone else, but the /etc/crypttab in
> > initramfs does not have entries for extra partitions that were created
> > during installation. It only has / and swap. [...]
>
> /etc/crypttab in initramfs is generated (not copied) by dracut. See
> here:
> /usr/lib/dracut/modules.d/90crypt/module-setup.sh

It looks like that parses the existing /etc/crypttab on the running
system, so I wonder if the extra partitions are not listed there
during the install. That's difficult for me to verify right now.

> Anyway I think it all should be possible also using kernel command line,
> see man dracut.cmdline.

A related issue is that the kernel command line parameter
rd.luks.key=/secret.key to set the keyfile for all devices does not
seem to be honored by the initramfs. The keyfile is only used if it is
specified in the /etc/crypttab in initramfs.

There is also discussion online that if the initramfs has a
/crypto_keyfile.bin that it will be used by default, but this does not
seem to be the case. I don't see any references to that file in
the generated initramfs.

--
Trammell

Manuel Amador (Rudd-O)

Oct 28, 2016, 5:29:49 PM
to qubes...@googlegroups.com
After editing /etc/crypttab you must rebuild the initramfs:

dracut -fv --regenerate-all

HOWEVER, /home absolutely does not need to be present in /etc/crypttab
or in the kernel cmdline. It can be unlocked after boot.

I would recommend using a keyfile to prevent having to type the password
for /home.

--
Rudd-O
http://rudd-o.com/

Manuel Amador (Rudd-O)

Oct 28, 2016, 5:32:34 PM
to qubes...@googlegroups.com
On 10/28/2016 12:39 PM, Trammell Hudson wrote:
> On Fri, Oct 28, 2016 at 01:34:09PM +0200, Marek Marczykowski-Górecki wrote:
>> On Fri, Oct 28, 2016 at 05:28:52AM -0600, Trammell Hudson wrote:
>>> I'm not sure if this issue affects anyone else, but the /etc/crypttab in
>>> initramfs does not have entries for extra partitions that were created
>>> during installation. It only has / and swap. [...]
>> /etc/crypttab in initramfs is generated (not copied) by dracut. See
>> here:
>> /usr/lib/dracut/modules.d/90crypt/module-setup.sh
> It looks like that parses the existing /etc/crypttab on the running
> system, so I wonder if the extra partitions are not listed there
> during the install. That's difficult for me to verify right now.
>
>> Anyway I think it all should be possible also using kernel command line,
>> see man dracut.cmdline.
> A related issue is that the kernel command line parameter
> rd.luks.key=/secret.key to set the keyfile for all devices does not
> seem to be honored by the initramfs. The keyfile is only used if it is
> specified in the /etc/crypttab in initramfs.

This is a dracut + systemd bug. It's somewhere in the Red Hat
Bugzilla. Briefly said, you must add the keyfile to /etc/crypttab.
Effectively, key files are no longer supported like they used to be
supported prior to systemd.

Key file support works fine after the initramfs is done, the system has
pivoted to the actual root, and the regular boot-from-root process has
started.


>
> There is also discussion online that if the initramfs has a
> /crypto_keyfile.bin that it will be used by default, but this does not
> seem to be the case. I don't see any references to that file in
> the generated initramfs.
>

That's a false rumor.

--
Rudd-O
http://rudd-o.com/
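An added check, not code from anyone in this thread, that makes the two points above concrete: compare the crypttab that dracut generated into the initramfs with the host's /etc/crypttab to see which LUKS volumes early boot will try to unlock at all, and which of those will prompt for a passphrase because their entry carries no keyfile. It assumes the standard four-field crypttab layout; the file paths, UUIDs and mapping names in the demo are constructed samples, and the lsinitrd call in the comment is dracut's own tool for extracting a file from an initramfs image.

```shell
#!/bin/sh
# Compare a host /etc/crypttab with the one dracut generated into the
# initramfs. Field layout assumed: name  device  keyfile  options.

# Names listed in the host crypttab (arg 1) but absent from the initramfs
# crypttab (arg 2). Those volumes are not unlocked in early boot, which is
# fine for /home (it can be unlocked after pivot) but not for / or swap.
missing_in_initrd() {
    awk '/^[[:space:]]*(#|$)/ { next }            # skip comments and blanks
         FILENAME == ARGV[1] { seen[$1] = 1; next } # first file: initramfs names
         !($1 in seen) { print $1 }' "$2" "$1"      # second file: host names
}

# Entries whose third field is empty, "none" or "-": no keyfile configured, so
# the initramfs will prompt for a passphrase for each of them (kernel-cmdline
# rd.luks.key is not enough, as the thread notes; the keyfile must be here).
entries_without_keyfile() {
    awk '!/^[[:space:]]*(#|$)/ && ($3 == "" || $3 == "none" || $3 == "-") \
         { print $1 }' "$1"
}

# Constructed demo mirroring the thread: host crypttab has root, swap and home,
# the generated one only has root and swap, and neither root entry has a key.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/host" <<'EOF'
# constructed sample of the host /etc/crypttab
luks-root  UUID=aaaa-root  /secret.key  luks
luks-swap  UUID=bbbb-swap  /secret.key  luks
luks-home  UUID=cccc-home  none         luks
EOF
    cat > "$tmp/initrd" <<'EOF'
luks-root  UUID=aaaa-root  none  luks
luks-swap  UUID=bbbb-swap  none  luks
EOF
    echo "not in initramfs:        $(missing_in_initrd "$tmp/host" "$tmp/initrd" | tr '\n' ' ')"
    echo "will prompt in initramfs: $(entries_without_keyfile "$tmp/initrd" | tr '\n' ' ')"
    rm -r "$tmp"
}

# On a real system, extract the generated file first, then run the checks:
#   lsinitrd -f /etc/crypttab /boot/initramfs-$(uname -r).img > /tmp/initrd-crypttab
#   missing_in_initrd /etc/crypttab /tmp/initrd-crypttab
#   entries_without_keyfile /tmp/initrd-crypttab
demo
```

Run the demo to see luks-home reported as absent from the initramfs and luks-root and luks-swap reported as passphrase prompts; after adding the keyfile to /etc/crypttab and regenerating with dracut, the second list should be empty.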
