From: Milan Broz
Date: Sun, 21 Jul 2013 10:47:17 +0200
Message-ID: <51EBA015.10409@gmail.com>
In-Reply-To: <51EB746A.3020600@kadzban.is-a-geek.net>
Subject: Re: [dm-crypt] ing rootfs without initramfs
To: Bryan Kadzban
Cc: dm-crypt@saout.de, ebelcrom ebelcrom

On 21.7.2013 7:40, Bryan Kadzban wrote:
> Milan Broz wrote:
>> On 07/20/2013 09:36 PM, ebelcrom ebelcrom wrote:
>>
>>> I played around with dm-crypt without using initramfs for
>>> en-/decryption of my root file system. The rootfs is encrypted
>>> plain with cryptsetup and the key is stored on the disk containing
>>> the rootfs, between the MBR and the partition. The kernel parameters
>>> given to it by the bootloader are configured as they should be
>>> (cryptdevice, cryptkey, root mapper). The disk driver (loaded
>>> before) is built-in, as is dm-crypt (loaded after). The message
>>> I get at boot time is this (cr_rootfs is the encrypted rootfs):
>>>
>>> VFS: Cannot open root device "mapper/cr_rootfs" or
>>> unknown-block(0,0)
>>>
>>> According to some hints on the web there is no need to have an
>>> initramfs. Is that true? If yes, what are the steps to get there and
>>> what should I take into account?
>>
>> I think the only possibility is to use GRUB2, which should understand
>> LUKS directly and boot from it. (Not sure about plain dm-crypt
>> devices.)
>
> So I've never tried it myself (I'm using a pretty simple initramfs I
> wrote in shell for my luks-rootfs setup), but I'm not sure how this can
> work.
>
> Because no bootloader mounts the rootfs. They only find the kernel code
> (and, if configured, the initramfs image), load it (or them) into
> memory, and jump to the kernel's init code, transferring control of the
> machine to the kernel. (There's a protocol to tell the kernel about the
> initramfs if one is present.)
>
> The kernel either runs the initramfs's /init program, or mounts the
> rootfs itself and runs /sbin/init. (Or whatever you set init= to on the
> kernel command line.)
>
> (Plus there's the fact that the kernel can't automount LUKS.)

Yes, GRUB2 solves just the initial kernel boot load; you cannot map any
device-mapper device (that includes crypt, but also LVM etc.) without
userspace tools... Seems I answered a different question, sorry :)

Anyway, there were attempts to add kernel boot parameters for DM, e.g.
http://article.gmane.org/gmane.linux.kernel/988034

But this will not work for LUKS either without an in-kernel LUKS
implementation. And for plain crypt you have to provide the key on the
kernel command line (quite insecure).

I think using some initramfs is the only solution for mapping an
encrypted root fs (for now).

Milan
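What the thread concludes, written out as an added example (not code from the thread, nor from any participant's setup): the minimal /init an initramfs needs in order to create the dm-crypt mapping before the kernel is asked to mount the root. The parameter names cryptdevice=, cryptkey= and root=, the cryptkey layout "blockdev:byte-offset:byte-length" for a key kept in the raw sectors between the MBR and the first partition, the cipher, and the rescue behaviour are all this example's own assumptions. The kernel attaches no meaning to any of them; it only exposes the string in /proc/cmdline for userspace to act on, which is exactly why, without an initramfs, /dev/mapper/cr_rootfs does not exist at the moment the kernel tries to resolve root= and the boot ends in the VFS error quoted above.

```shell
#!/bin/sh
# Minimal initramfs /init for a plain dm-crypt root. Added example, not
# code from the thread. The kernel only hands the command line to
# userspace via /proc/cmdline; every parameter name and layout below is
# this example's own convention:
#   cryptdevice=<blockdev>             encrypted partition
#   cryptkey=<blockdev>:<off>:<len>    raw key bytes on disk (e.g. between
#                                      the MBR and the first partition)
#   cryptkey=<path>                    or a key file inside the initramfs
#   root=/dev/mapper/<name>            mapped root; <name> is the dm name
# Key material itself never goes on the command line: /proc/cmdline is
# world-readable, so an inline key would leak to every local user.

# Plain mode has no on-disk header, so cipher and key size must match
# exactly what was used when the filesystem was created (assumed here).
CRYPT_CIPHER=aes-xts-plain64

# Print the value of parameter $1 from the space-separated command line $2.
# Fails (exit 1) when the parameter is absent.
cmdline_get() {
    for tok in $2; do
        case "$tok" in
            "$1"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Print the shell command that opens encrypted device $1 under dm name $3
# using key spec $2. Returned as a string so it can be inspected (and
# tested) without root or the real block devices; init_main evals it.
build_map_cmd() {
    dev=$1 keyspec=$2 name=$3
    case "$keyspec" in
        *:*:*)
            kdev=${keyspec%%:*}
            rest=${keyspec#*:}
            off=${rest%%:*}
            len=${rest#*:}
            # Reject anything that is not a plain decimal number.
            case "$off" in *[!0-9]*|'') return 1 ;; esac
            case "$len" in *[!0-9]*|'') return 1 ;; esac
            [ "$len" -gt 0 ] || return 1
            # dd copies exactly the key bytes; cryptsetup reads them from
            # stdin unhashed, key size in bits = bytes * 8.
            printf 'dd if=%s bs=1 skip=%s count=%s 2>/dev/null | cryptsetup open --type plain --cipher %s --key-size %s --key-file - %s %s\n' \
                "$kdev" "$off" "$len" "$CRYPT_CIPHER" "$((len * 8))" "$dev" "$name"
            ;;
        /*)
            printf 'cryptsetup open --type plain --cipher %s --key-file %s %s %s\n' \
                "$CRYPT_CIPHER" "$keyspec" "$dev" "$name"
            ;;
        *)
            return 1 ;;
    esac
}

# Drop to a shell instead of letting the kernel panic on an unknown block
# device; the message says which step failed.
rescue() {
    echo "init: $1, dropping to a shell" >&2
    exec sh
}

# Runs only as PID 1: mount the pseudo filesystems, read the command line,
# map the root, mount it and hand over to the real init.
init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev   # assumes CONFIG_DEVTMPFS=y

    cmdline=$(cat /proc/cmdline)
    dev=$(cmdline_get cryptdevice "$cmdline") || rescue "cryptdevice= missing"
    key=$(cmdline_get cryptkey "$cmdline")    || rescue "cryptkey= missing"
    root=$(cmdline_get root "$cmdline")       || rescue "root= missing"
    name=${root#/dev/mapper/}
    [ "$name" != "$root" ] || rescue "root= is not a /dev/mapper device"

    cmd=$(build_map_cmd "$dev" "$key" "$name") || rescue "bad cryptkey= spec"
    eval "$cmd" || rescue "cryptsetup failed"

    mkdir -p /newroot
    mount -o ro "$root" /newroot || rescue "cannot mount $root"
    umount /sys
    umount /proc
    mount --move /dev /newroot/dev
    exec switch_root /newroot /sbin/init
}

# Only act as init when this really is PID 1; sourcing the file elsewhere
# (for testing) just defines the functions above.
if [ "$$" -eq 1 ]; then
    init_main
fi
```

Packed as `find . -print0 | cpio --null -o -H newc | gzip > /boot/initramfs.img` together with a static sh, cryptsetup, dd, mount and switch_root, this is the userspace that the thread says nothing else can replace: GRUB2 loads the kernel and this image, the kernel runs /init, and only then does the mapping exist for root= to resolve. Because plain mode has no header, a wrong cipher or key length does not fail at `cryptsetup open`; it produces a mapping full of garbage that fails at `mount`, which is why the rescue shell reports the step rather than just exiting.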