From: Milan Broz <gmazyland@gmail.com>
To: Bryan Kadzban <bryan@kadzban.is-a-geek.net>
Cc: dm-crypt@saout.de, ebelcrom ebelcrom <ebelcrom@googlemail.com>
Subject: Re: [dm-crypt] ing rootfs without initramfs
Date: Sun, 21 Jul 2013 10:47:17 +0200
Message-ID: <51EBA015.10409@gmail.com>
In-Reply-To: <51EB746A.3020600@kadzban.is-a-geek.net>
On 21.7.2013 7:40, Bryan Kadzban wrote:
> Milan Broz wrote:
>> On 07/20/2013 09:36 PM, ebelcrom ebelcrom wrote:
>>
>>> I played around with dm-crypt without using initramfs for
>>> en-/decryption of my root file system. The rootfs is encrypted
>>> plain with cryptsetup and the key is stored at the disk containing
>>> the rootfs between MBR and the partition. The kernel parameter
>>> given to it from the bootloader is configured as it should be
>>> (cryptdevice, cryptkey, root mapper). The disk driver (loaded
>>> before) is built-in as well as dm-crypt (loaded after). The message
>>> I got at boot time is this (cr_rootfs is the encrypted rootfs):
>>>
>>> VFS: Cannot open root device "mapper/cr_rootfs" or
>>> unknown-block(0,0)
>>>
>>> According to some hints in the web there is no need to have an
>>> initramfs. Is that true? If yes what are the steps to get there and
>>> what should I keep into account?
>>
>> I think the only possibility is to use GRUB2 which should understand
>> LUKS directly and boot from it. (Not sure about plain dmcrypt
>> device).
>
> So I've never tried it myself (I'm using a pretty simple initramfs I
> wrote in shell for my luks-rootfs setup), but I'm not sure how this can
> work.
>
> Because no bootloader mounts the rootfs. They only find the kernel code
> (and, if configured, the initramfs image), load it (or them) into
> memory, and jump to the kernel's init code, transferring control of the
> machine to the kernel. (There's a protocol to tell the kernel about the
> initramfs if one is present.)
>
> The kernel either runs the initramfs's /init program, or mounts the
> rootfs itself and runs /sbin/init. (Or whatever you set init= to on the
> kernel command line.)
>
> (Plus there's the fact that the kernel can't automount luks.)
Yes, GRUB2 solves just the initial kernel boot load; you cannot map any device-mapper
device (that includes crypt, but also LVM etc.) without userspace tools...
Seems I answered a different question, sorry :)
Anyway, there were tries to add kernel boot parameters for DM,
e.g. http://article.gmane.org/gmane.linux.kernel/988034
But this will not work for LUKS either without an in-kernel LUKS implementation.
And for plain crypt you have to provide the key on the kernel command line (quite insecure).
I think using some initramfs is the only solution for mapping an
encrypted root fs (for now).
Milan
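The conclusion of the thread is that the kernel alone cannot map a dm-crypt root, so the unlock has to happen in userspace from an initramfs before the real root is mounted. The script below is an added example of the kind of "simple initramfs written in shell" Bryan mentions; it is not his script and not code from cryptsetup or any distribution. It assumes busybox (sh, mount, dd, switch_root) and cryptsetup are in the image, and it assumes the Arch-style spellings of the parameters the original poster names: cryptdevice=<blockdev>:<dm-name>[:options], an optional cryptkey=<blockdev>:<offset>:<size> for a raw key stored on disk, and root=/dev/mapper/<dm-name>. Other distributions use different parameter names; only the parsing helpers would change.

```sh
#!/bin/sh
# Minimal initramfs /init: map the encrypted root with userspace cryptsetup,
# mount it, then hand PID 1 to the real init with switch_root.
# Added example, not code from the thread. Assumed command-line syntax:
#   cryptdevice=<blockdev>:<dm-name>[:options]
#   cryptkey=<blockdev>:<offset>:<size>     (optional raw key; else a passphrase prompt)
#   root=/dev/mapper/<dm-name>

# cmdline_get KEY CMDLINE: print the value of KEY=... from CMDLINE; status 1 if absent.
cmdline_get() {
    _key=$1
    set -- $2          # split on whitespace; positional parameters are local to the function
    for _tok; do
        case $_tok in
            "$_key"=*) printf '%s' "${_tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# colon_field N STR: print the N-th (1-based) colon-separated field of STR, empty if absent.
colon_field() {
    _n=$1; _s=$2
    while [ "$_n" -gt 1 ]; do
        case $_s in
            *:*) _s=${_s#*:} ;;
            *)   _s= ;;
        esac
        _n=$((_n - 1))
    done
    printf '%s' "${_s%%:*}"
}

fail() {
    echo "init: $*" >&2
    exec sh            # emergency shell; never fall through and boot an unmapped device
}

# Map the root device; sets $rootdev for main.
unlock_root() {
    cmdline=$(cat /proc/cmdline)
    cdev=$(cmdline_get cryptdevice "$cmdline") || fail "no cryptdevice= on the kernel command line"
    src=$(colon_field 1 "$cdev")
    name=$(colon_field 2 "$cdev")
    [ -n "$src" ] && [ -n "$name" ] || fail "cryptdevice= must be <dev>:<name>"
    rootdev=$(cmdline_get root "$cmdline") || fail "no root= on the kernel command line"
    [ "$rootdev" = "/dev/mapper/$name" ] || fail "root= should be /dev/mapper/$name"

    # The disk driver may be built in, but its device node can still appear after init starts.
    i=0
    while [ ! -b "$src" ] && [ "$i" -lt 30 ]; do sleep 1; i=$((i + 1)); done
    [ -b "$src" ] || fail "$src did not appear"
    cryptsetup isLuks "$src" || fail "$src is not a LUKS device"

    if key=$(cmdline_get cryptkey "$cmdline"); then
        # Raw key bytes read from a disk region. The key sits in the clear on that disk,
        # so this only helps against an attacker who never gets the disk itself.
        kdev=$(colon_field 1 "$key"); koff=$(colon_field 2 "$key"); ksize=$(colon_field 3 "$key")
        dd if="$kdev" bs=1 skip="$koff" count="$ksize" 2>/dev/null \
            | cryptsetup open --key-file=- "$src" "$name" || fail "unlock of $src failed"
    else
        cryptsetup open "$src" "$name" || fail "unlock of $src failed"   # passphrase prompt
    fi
}

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    unlock_root
    mkdir -p /newroot
    mount -o ro "$rootdev" /newroot || fail "cannot mount $rootdev"
    umount /dev /sys /proc
    exec switch_root /newroot /sbin/init
}

# Act as init only when running as PID 1; sourcing the file elsewhere just defines the functions.
if [ "$$" -eq 1 ]; then main; fi
```

Pack this as /init in a cpio archive together with busybox, cryptsetup and the libraries ldd lists for them, and point the bootloader at it as the initramfs; the kernel then runs it as PID 1 with the same cryptdevice/cryptkey/root parameters the poster already passes. Every failure path ends in fail, which drops to a shell rather than letting the kernel continue with an unmapped root, and the root= value is checked against the mapper name so a mismatched command line is caught before any mount is attempted.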
Thread overview: 7+ messages
2013-07-20 19:36 [dm-crypt] ing rootfs without initramfs ebelcrom ebelcrom
2013-07-20 20:06 ` Milan Broz
2013-07-21 5:40 ` Bryan Kadzban
2013-07-21 8:47 ` Milan Broz [this message]
2013-07-21 9:01 ` Thomas Bächler
2013-07-21 12:27 ` Milan Broz
2013-07-22 3:51 ` Will Drewry