From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Kernel panic, cannot mount root fs on unknown block (hd0, 0)
Date: Mon, 22 Sep 2014 12:02:19 +0200	[thread overview]
Message-ID: <20140922100219.GC15345@tansi.org> (raw)
In-Reply-To: <541FB693.5090006@web.de>

On Mon, Sep 22, 2014 at 07:41:39 CEST, Heiko Rosemann wrote:
> On 09/22/2014 12:50 AM, vaskez@airmail.cc wrote:
> > Several times I have set up virtual machines to test the cryptsetup
> >  software. I can create and remove the encrypted volumes just fine
> > and mount them, however whenever I am finished setting up my system
> > and reboot, my kernel panics, ends, then says that it cannot mount
> > root fs on unknown block (hd0,0). I am sure that it is not a
> > misconfiguration with the kernel, as I have built kernels for
> > unencrypted systems and they have booted fine. Some information:
> 
> You will need to setup an initramfs or modify the one provided with
> the gentoo install to open your encrypted volumes (at least the root
> volume). I do not remember how it is "supposed to be done" in gentoo,
> but I do remember it's not as simple as installing software in the
> right order.

The thing is that the kernel cannot open LUKS encrypted partitions
by itself. It needs user-space tools (cryptsetup) for that. That
means the system must be running and have a working root filesystem.
The initrd mechanism provides a temporary root filesystem for that 
use.

As I do not like initrds on my systems (too much hassle changing 
anything), I use a different approach: Non-encrypted root and 
anything I consider security-critical on encrypted partition(s). 

A common criticism of that set-up is that it allows an attacker 
to change things on the root partition, but the same applies to 
the initrd (and the kernel!) as well and hence the initrd approach
does not really offer better security. If you want to prevent that,
you have to use some variant of secure boot, for example placing
bootloader, kernel and initrd on an encrypted memory-stick with
keypad or the like. And you better verify the BIOS checksum as 
well, although that may not be enough if somebody put a blue-pill
in there. Fortunately such attacks are expensive and come with a
high risk of detection, so unless you are a known terrorist or 
criminal master-mind, don't worry about these. 

Second thing is that a running system is far easier to attack and 
as soon as it is opened, disk-encryption does not offer any 
protection anymore....


Arno

 
> A good starting point would be
> http://wiki.gentoo.org/wiki/DM-Crypt_LUKS#Generating_an_initramfs -
> and as this is really distro specific (or maybe systemd takes care of
> it - I don't know, I won't be trying) it is really beyond the topic of
> this list.
> 
> Good luck with your setup,
> Heiko
> -- 
> Mein PGP-Key zur Verifizierung: http://pgp.mit.edu
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
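The initramfs step discussed in this thread, as an added example that is not part of the original messages and not code from the cryptsetup project: a hypothetical minimal /init for a hand-built initramfs that does the one thing the kernel cannot do on its own (run cryptsetup in user space to set up the dm-crypt mapping), then mounts the real root and hands over to it. It also shows the check Arno's criticism invites: after the encrypted root is open, it compares the unencrypted kernel and initrd against a sha256 manifest kept behind the passphrase, so that an edit to the boot partition is at least detected (it cannot be prevented this way). Assumptions, all my own: a busybox userland with `mount --move` plus a static `cryptsetup` copied into the initramfs; a kernel command line of the form `cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot`; a `bootdev=` parameter and a `/etc/boot.sha256` manifest on the encrypted root, both invented for this example (the manifest is what `cd /boot && sha256sum vmlinuz initrd.img` writes).

```shell
#!/bin/sh
# Hypothetical minimal /init for a hand-built initramfs (added example, not from
# the thread or from cryptsetup). Assumes busybox tools plus a static cryptsetup
# inside the initramfs and a command line such as
#   cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot bootdev=/dev/sda1
# bootdev= and the manifest /etc/boot.sha256 on the encrypted root are our own
# conventions; the manifest is the output of: cd /boot && sha256sum vmlinuz initrd.img

BOOTDEV_DEFAULT=/dev/sda1   # assumption: unencrypted partition holding kernel + initrd

# parse_cmdline KEY "CMDLINE": print the value of KEY=value, return 1 if KEY is absent.
parse_cmdline() {
    _key=$1
    set -f                  # no globbing while word-splitting the command line
    set -- $2
    set +f
    for _w in "$@"; do
        case $_w in
            "$_key"=*) printf '%s\n' "${_w#*=}"; return 0 ;;
        esac
    done
    return 1
}

# split_cryptdevice "DEV:NAME": print "DEV NAME" (the cryptdevice= convention).
split_cryptdevice() {
    printf '%s %s\n' "${1%%:*}" "${1#*:}"
}

# verify_boot_manifest /abs/path/manifest BOOTDIR: return 0 only if every file
# listed in the manifest exists under BOOTDIR and its sha256 matches.
verify_boot_manifest() {
    [ -r "$1" ] || return 1
    ( cd "$2" && sha256sum -c "$1" ) >/dev/null 2>&1
}

rescue() {
    echo "init: $1" >&2
    exec sh                 # drop to a shell in the initramfs instead of panicking
}

init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev

    cmdline=$(cat /proc/cmdline)
    cryptdev=$(parse_cmdline cryptdevice "$cmdline") || rescue "cryptdevice= missing"
    rootdev=$(parse_cmdline root "$cmdline") || rescue "root= missing"
    bootdev=$(parse_cmdline bootdev "$cmdline") || bootdev=$BOOTDEV_DEFAULT
    set -- $(split_cryptdevice "$cryptdev")
    luksdev=$1
    mapname=$2

    # devtmpfs populates asynchronously; give the disk a few seconds to show up.
    _tries=0
    while [ ! -b "$luksdev" ] && [ "$_tries" -lt 10 ]; do
        sleep 1
        _tries=$((_tries + 1))
    done
    [ -b "$luksdev" ] || rescue "$luksdev did not appear"

    # The step the kernel cannot do by itself: user space reads the LUKS header,
    # asks for the passphrase and sets up the dm-crypt mapping.
    cryptsetup open --type luks "$luksdev" "$mapname" || rescue "cryptsetup failed"

    mkdir -p /newroot /boot
    mount -o ro "$rootdev" /newroot || rescue "cannot mount $rootdev"
    mount -o ro "$bootdev" /boot   || rescue "cannot mount $bootdev"

    # Whoever swapped the kernel or initrd on the unencrypted partition could not
    # update a manifest that lives behind the passphrase: detection, not prevention.
    if ! verify_boot_manifest /newroot/etc/boot.sha256 /boot; then
        echo "init: WARNING: /boot does not match the manifest on the encrypted root" >&2
        # a stricter policy would call rescue here instead of continuing
    fi
    umount /boot

    for _d in dev proc sys; do
        mount --move "/$_d" "/newroot/$_d"
    done
    exec switch_root /newroot /sbin/init
}

# Only act as init when we really are PID 1; sourcing the file elsewhere is harmless.
if [ "$$" -eq 1 ]; then
    init_main
fi
```

The manifest check only makes sense if the manifest itself is unreachable without the passphrase, which is why it lives on the encrypted root rather than in /boot; it still does nothing against a replaced initramfs that simply skips the check, which is the point Arno makes about initrd and kernel being equally exposed.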

Thread overview: 10+ messages
2014-09-21 22:50 [dm-crypt] Kernel panic, cannot mount root fs on unknown block (hd0, 0) vaskez
2014-09-22  5:41 ` Heiko Rosemann
2014-09-22 10:02   ` Arno Wagner [this message]
2014-09-22 19:07     ` Sven Eschenberg
2014-09-22 20:59       ` Arno Wagner
2014-09-22 23:39         ` Sven Eschenberg
2014-09-23  8:46           ` Arno Wagner
2014-09-22 16:10 ` Sven Eschenberg
2014-09-25 19:25   ` vaskez
2014-09-25 22:57     ` Sven Eschenberg
