unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#19190: Cannot boot with encrypted root
@ 2014-11-26  3:26 Nikita Karetnikov
  2014-11-26  9:55 ` Ludovic Courtès
  2014-11-26 12:05 ` Duncan Keall
  0 siblings, 2 replies; 10+ messages in thread
From: Nikita Karetnikov @ 2014-11-26  3:26 UTC (permalink / raw)
  To: 19190

[-- Attachment #1: Type: text/plain, Size: 2458 bytes --]

(Ludo suggested to report this as a bug, so this issue won’t get lost.)

While booting, GRUB prints this error:

error: file
‘/gnu/store/rz…-linux-libre-3.17.3/bzImage’ not found.

which is not surprising since the store is encrypted.

I’ve tried putting these lines after the “setparams” line in the GRUB
config (by hitting the ‘e’ key):

insmod luks
cryptomount hd0,gpt3
set root=crypto0

After pressing the ‘F10’ key, I get a password prompt.  And after that, a
bunch of warnings about ‘/dev/mapper/main’:

ext2fs_check_if_mount: Can’t check if filesystem is mounted due to
missing mtab file while determining whether /dev/mapper/main is mounted.
fsck.ext3: No such file or directory while trying to open
/dev/mapper/main
Possibly non-existent device?
‘fsck.ext3’ exited with code 8 on /dev/mapper/main; spawning REPL

In the REPL:

scheme@(guile-user)> ,use (gnu build linux-boot)
scheme@(guile-user)> (boot-system)
[…]
ERROR: In procedure mount:
ERROR: In procedure mount: Device or resource busy

My config is shown below:

(use-modules (gnu))

(define %linux-modules
  '(
    ;; cryptsetup/LUKS
    "dm-crypt.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko"))

(operating-system
  (host-name "test")
  (timezone "Europe/Paris")
  (locale "en_US.UTF-8")

  (bootloader (grub-configuration
               (device "/dev/sda")))

  (initrd (lambda (fs . args)
            (apply base-initrd fs
                   #:extra-modules %linux-modules
                   args)))

  (mapped-devices (list (mapped-device
                         (source "/dev/sda3")
                         (target "main")
                         (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         (device "/dev/mapper/main")
                         (mount-point "/")
                         (type "ext3"))
                       (file-system
                         (device "boot")
                         (type 'label)
                         (mount-point "/boot")
                         (type "ext3"))
                       %base-file-systems))

  (users (list (user-account
                (name "test")
                (group "users")

                (supplementary-groups '("wheel"
                                        "audio" "video"))
                (home-directory "/home/test")))))

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-26  3:26 bug#19190: Cannot boot with encrypted root Nikita Karetnikov
@ 2014-11-26  9:55 ` Ludovic Courtès
  2014-11-26 12:41   ` Ludovic Courtès
  2014-11-26 12:05 ` Duncan Keall
  1 sibling, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2014-11-26  9:55 UTC (permalink / raw)
  To: Nikita Karetnikov; +Cc: 19190

Thanks for the report.  Let’s address the initrd/boot issue first.

Nikita Karetnikov <nikita@karetnikov.org> skribis:

> After pressing the ‘F10’ key, I get a password prompt.

Any message after entering the password prompt?

> And after that, a bunch of warnings about ‘/dev/mapper/main’:
>
> ext2fs_check_if_mount: Can’t check if filesystem is mounted due to
> missing mtab file while determining whether /dev/mapper/main is mounted.
> fsck.ext3: No such file or directory while trying to open
> /dev/mapper/main
> Possibly non-existent device?
> ‘fsck.ext3’ exited with code 8 on /dev/mapper/main; spawning REPL

It looks like ‘cryptsetup open’ simply failed, and ‘boot-system’
currently ignores that error, so it goes up to the file system check as
shown above, which in turn fails and gets us to the debugger.

Perhaps you could try running ‘cryptsetup’ by hand from the REPL.
That’s going to be a bit tedious; something like:

  (use-modules (srfi srfi-1) (ice-9 ftw))
  (define cs (find (lambda (file)
                     (string-contains file "cryptsetup"))
                   (scandir "/gnu/store")))
  (system* (string-append "/gnu/store/" cs "/bin/cryptsetup")
           "open" "--type" "luks" "/dev/whatever" "main")

Then, please report the return value of ‘system*’, and check

  (file-exists? "/dev/mapper/main")

Please also report any messages.

Thanks in advance!

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-26  3:26 bug#19190: Cannot boot with encrypted root Nikita Karetnikov
  2014-11-26  9:55 ` Ludovic Courtès
@ 2014-11-26 12:05 ` Duncan Keall
  2014-11-26 16:04   ` Ludovic Courtès
  1 sibling, 1 reply; 10+ messages in thread
From: Duncan Keall @ 2014-11-26 12:05 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 19190

Here's what I've found using a very similar setup to Nikita and after
receiving the same error messages.

> Any message after entering the password prompt?

GRUB prints a single message "Slot 0 opened" and then it's into the
kernel boot logs. The first related message appears to be the
"ext2fs_check_if_mount..." one.

> Perhaps you could try running ‘cryptsetup’ by hand from the REPL.

I needed to replace "/bin/cryptsetup" with "/sbin/cryptsetup". After
that, cryptsetup accepted a password and printed these errors:

  device-mapper: table 253:0: crypt: Error allocating crypto tfm
  device-mapper: ioctl: error adding target to table
  device-mapper: reload ioctl on  failed: No such file or directory
  Failed to open temporary keystore device.
  device-mapper: remove ioctl on temporary-cryptsetup-149 failed: No
  such device or address

The return value was 256, and afterwards /dev/mapper/main still did not
exist.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-26  9:55 ` Ludovic Courtès
@ 2014-11-26 12:41   ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2014-11-26 12:41 UTC (permalink / raw)
  To: Nikita Karetnikov; +Cc: 19190

I noticed an obvious issue in (gnu build linux-boot), which is that
device-mapping (the #:pre-mount argument) would be performed after
‘mount-root-file-system’ has been called.

Commit 67979e4 fixes that.

To fix it, we’ll have to update ‘guix-devel’ in (gnu packages
package-management), and to regenerate a VM image that uses it.  I can
help with that.

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-26 12:05 ` Duncan Keall
@ 2014-11-26 16:04   ` Ludovic Courtès
  2014-11-27  2:06     ` Duncan Keall
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2014-11-26 16:04 UTC (permalink / raw)
  To: Duncan Keall; +Cc: 19190

Hi,  :-)

Duncan Keall <duncan@duncankeall.com> skribis:

>> Perhaps you could try running ‘cryptsetup’ by hand from the REPL.
>
> I needed to replace "/bin/cryptsetup" with "/sbin/cryptsetup". After
> that, cryptsetup accepted a password and printed these errors:
>
>   device-mapper: table 253:0: crypt: Error allocating crypto tfm
>   device-mapper: ioctl: error adding target to table
>   device-mapper: reload ioctl on  failed: No such file or directory
>   Failed to open temporary keystore device.
>   device-mapper: remove ioctl on temporary-cryptsetup-149 failed: No
>   such device or address

I suspect this is due to missing modules.

Does your initrd configuration have the modules Nikita’s configuration
shows?

Thanks for testing so quickly!

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-26 16:04   ` Ludovic Courtès
@ 2014-11-27  2:06     ` Duncan Keall
  2014-11-27 10:12       ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Duncan Keall @ 2014-11-27  2:06 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 19190

> Does your initrd configuration have the modules Nikita’s configuration
> shows?

Here are the configurations I have tested which all result in the errors
posted above:

  ("dm-crypt.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
  ("dm-crypt.ko" "cryptd.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
  ("dm-crypt.ko" "cryptd.ko" "crc32-pclmul.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")

I could also add "aesni-intel.ko" but it resulted in a different set of
kernel errors on boot:

  aesni_intel: Unknown symbol ablk_decrypt (err 0)
  aesni_intel: Unknown symbol lrw_free_table (err 0)
  aesni_intel: Unknown symbol ablk_set_key (err 0)
  ...
  ERROR: In procedure load-linux-module: Unknown error -1

For reference, here are all the modules loaded on my current system
which might be related:

  aes_x86_64 aesni_intel af_alg algif_skcipher arc4 ccm crc32_pclmul
  crc32c_intel crc_t10dif crct10dif_common crct10dif_pclmul cryptd ctr
  dm_crypt dm_mod gf128mul ghash_clmulni_intel lrw xor

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-27  2:06     ` Duncan Keall
@ 2014-11-27 10:12       ` Ludovic Courtès
  2014-12-13 22:01         ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2014-11-27 10:12 UTC (permalink / raw)
  To: Duncan Keall; +Cc: 19190

Duncan Keall <duncan@duncankeall.com> skribis:

> Here are the configurations I have tested which all result in the errors
> posted above:
>
>   ("dm-crypt.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
>   ("dm-crypt.ko" "cryptd.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
>   ("dm-crypt.ko" "cryptd.ko" "crc32-pclmul.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
>
> I could also add "aesni-intel.ko" but it resulted in a different set of
> kernel errors on boot:
>
>   aesni_intel: Unknown symbol ablk_decrypt (err 0)
>   aesni_intel: Unknown symbol lrw_free_table (err 0)
>   aesni_intel: Unknown symbol ablk_set_key (err 0)
>   ...
>   ERROR: In procedure load-linux-module: Unknown error -1

Presumably that’s because one of its prerequisites hasn’t been loaded
yet.

The difficulty is that modules need to be listed in topological order:
things that aesni_intel.ko depends on must appear before aesni_intel.ko.

On my machine, I see:

--8<---------------cut here---------------start------------->8---
$ lsmod|grep aes
aesni_intel           165373  3 
ablk_helper            13597  1 aesni_intel
cryptd                 20359  4 ghash_clmulni_intel,aesni_intel,ablk_helper
lrw                    13286  1 aesni_intel
glue_helper            13990  1 aesni_intel
aes_x86_64             17131  1 aesni_intel
--8<---------------cut here---------------end--------------->8---

So the right order for these would be:

  cryptd
  aes_x86_64
  ablk_helper
  lrw
  aesni_intel

We’ll have to change the initrd build to figure that out automatically,
but in the meantime, we have to sort them by hand.

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-11-27 10:12       ` Ludovic Courtès
@ 2014-12-13 22:01         ` Ludovic Courtès
  2014-12-15 10:49           ` Duncan Keall
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2014-12-13 22:01 UTC (permalink / raw)
  To: Duncan Keall; +Cc: 19190

ludo@gnu.org (Ludovic Courtès) skribis:

> Duncan Keall <duncan@duncankeall.com> skribis:
>
>> Here are the configurations I have tested which all result in the errors
>> posted above:
>>
>>   ("dm-crypt.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
>>   ("dm-crypt.ko" "cryptd.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
>>   ("dm-crypt.ko" "cryptd.ko" "crc32-pclmul.ko" "aes-x86_64.ko" "crc32.ko" "pcbc.ko" "xcbc.ko" "sha256-ssse3.ko")
>>
>> I could also add "aesni-intel.ko" but it resulted in a different set of
>> kernel errors on boot:
>>
>>   aesni_intel: Unknown symbol ablk_decrypt (err 0)
>>   aesni_intel: Unknown symbol lrw_free_table (err 0)
>>   aesni_intel: Unknown symbol ablk_set_key (err 0)
>>   ...
>>   ERROR: In procedure load-linux-module: Unknown error -1
>
> Presumably that’s because one of its prerequisites hasn’t been loaded
> yet.
>
> The difficulty is that modules need to be listed in topological order:

This particular problem was fixed in 0e704a2 a couple of weeks ago.

For testing, you would need to start from an image generated from
current master with:

  ./pre-inst-env \
    guix system disk-image --image-size=800MiB gnu/system/install.scm

Let me know if anything else is needed.

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-12-13 22:01         ` Ludovic Courtès
@ 2014-12-15 10:49           ` Duncan Keall
  2015-09-20 20:14             ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Duncan Keall @ 2014-12-15 10:49 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 19190

Thanks for the update, Ludovic!

I've just tested another install with a fresh image from master, using
as similar setup as possible to before.

The boot process still fails at mounting the root filesystem (as
expected):

  fsck.ext4: No such file or directory while trying to open /dev/mapper/main
  Possibly non-existent device?

However I found that cryptsetup was missing from the store during the
early-boot REPL, so I wasn't able to test manually mounting the
encrypted filesystem. 

Nothing in the commit history since v0.8 jumped out as being
responsible, so I'm assuming I've missed something obvious during
install. I'll have to keep looking!

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#19190: Cannot boot with encrypted root
  2014-12-15 10:49           ` Duncan Keall
@ 2015-09-20 20:14             ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2015-09-20 20:14 UTC (permalink / raw)
  To: Duncan Keall; +Cc: Nikita Karetnikov, 19190-done, Petter

Duncan Keall <duncan@duncankeall.com> skribis:

> The boot process still fails at mounting the root filesystem (as
> expected):
>
>   fsck.ext4: No such file or directory while trying to open /dev/mapper/main
>   Possibly non-existent device?

It took us a while but this part is now fixed with cc0e575, and commit
07779d0 adds dm-crypt.ko and xts.ko and their dependencies to the
default initrd.

I’m closing this bug, but if you have time and interest, you’re welcome
to confirm whether this works for you.

Thanks!

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2015-09-20 20:15 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-26  3:26 bug#19190: Cannot boot with encrypted root Nikita Karetnikov
2014-11-26  9:55 ` Ludovic Courtès
2014-11-26 12:41   ` Ludovic Courtès
2014-11-26 12:05 ` Duncan Keall
2014-11-26 16:04   ` Ludovic Courtès
2014-11-27  2:06     ` Duncan Keall
2014-11-27 10:12       ` Ludovic Courtès
2014-12-13 22:01         ` Ludovic Courtès
2014-12-15 10:49           ` Duncan Keall
2015-09-20 20:14             ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).