Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
luksOpen fails in initramfs
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Fri Mar 15, 2024 11:47 pm    Post subject: luksOpen fails in initramfs Reply with quote

I have recently upgraded to the 6.6.13 kernel using gentoo-sources. The kernel worked with my old disk and booted with my old initramfs, so I built a new disk from scratch (after carelessly clobbering my old disk) using a live usb. I prepared the disk with the cryptsetup on the live usb using luksFormat The old disk and its kernel's initramfs were built with tools from 2010. The live usb that was used to setup the new disk uses the 6.1.67-gentoo-x86_64 kernel.

I use a separate usb stick to boot my system, with the kernel on the usb stick and the disk fully encrypted with LUKS, then LVM on that. The disk is not partitioned at all, just LUKS encrypt the whole device. This is the way the old disk was also.

But the live usb apparently uses a newer cryptsetup than was used to make the old disk and its initramfs, and so I built a new cryptsetup by static linking cryptsetup and placing the binary in the bin directory of my initramfs, then I built the kernel to incorporate the new static linked cryptsetup.

It will not boot. I fails the cryptsetup luksOpen command with the following error message:
Code:
Fatal error during RNG initialization.
Cannot initialize crypto RNG backend.


Did I miss specifying some USE flag when I built the static linked cryptsetup? Or is something wrong with my 6.6.13 kernel? I can use the cryptsetup luksOpen command on the live usb to decrypt the disk with no problem.

Here is my init script from the initramfs: (Pardon all the echo and sleep lines; they are just for debugging...)
Code:
#!/bin/busybox sh

echo Starting init script

sleep 10

rescue_shell() {
    echo "$@"
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/sh
}

echo Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
echo After mounting /proc and /sys

sleep 10

echo doing luksOpen
cryptsetup luksOpen /dev/sda cryptoroot || rescue_shell "cryptsetup failed"
echo after luksOpen

sleep 10

echo doing vgscan
lvm vgscan  || rescue_shell "vgscan failed"
echo after vgscan

sleep 10

echo doing vgchange
lvm vgchange -a y  || rescue_shell "vgchange failed"
echo after vgchange

sleep 10

echo mounting root
mount /dev/gentoo/rootfs /mnt/root  || rescue_shell "mount root failed"
echo after mounting root

sleep 10

echo unmounting /proc and /sys
umount /proc
umount /sys
echo after unmounting /proc and /sys

sleep 10

echo doing the pivot root
exec switch_root /mnt/root /sbin/init

# if we get here, it means trouble!  :-(
echo "starting emergency rescue shell..."
rescue_shell()


The screenshot of the boot failure is at http://www.elilabs.com/~rj/onesimus_boot_fail.jpg

The config for my kernel is at http://www.elilabs.com/~rj/config-6.6.13-gentoo

What did I mess up?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
frostschutz
Advocate
Advocate


Joined: 22 Feb 2005
Posts: 2977
Location: Germany

PostPosted: Sun Mar 17, 2024 9:12 am    Post subject: Reply with quote

make sure that /dev/random /dev/urandom exists (that /dev devtmpfs is mounted)
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sun Mar 17, 2024 1:14 pm    Post subject: Reply with quote

Aha! /dev/random is not in /dev on my initramfs directory:
Code:
  /ssh:root@onesimus:/usr/src/initramfs/dev:
  drwxr-xr-x  2 root root   59 Feb 10  2019 .
  drwxr-xr-x 12 root root  146 Mar 15 19:07 ..
  crw-------  1 root root 5, 1 Feb  1  2010 console
  crw-rw-rw-  1 root root 1, 3 Feb 10  2019 null
  brw-rw----  1 root disk 8, 0 Jan 31  2010 sda
  crw-rw-rw-  1 root root 1, 9 Feb  1  2010 urandom

I will put it there and try again.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sun Mar 17, 2024 3:47 pm    Post subject: Reply with quote

I added /dev/random to the initramfs/dev directory, and I still get:
Code:
Fatal error during RNG initialization.
Cannot initialize crypto RNG backend.
Device /dev/sda is not a valid LUKS device.
cryptsetup failed
Something went wrong. Dropping you to a shell.
/bin/sh: can't access tty; job control turned off
/ #

So I did ls -l /dev and it showed both random and urandom were there, so I fixed the missing /dev/random at least.

But when I did df it showed nothing at all. So how do I determine whether /dev/tempfs is there? Its not in /dev and I can't see it anywhere else...

I realize the shell I get when the initramfs fails is pretty slim.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23028

PostPosted: Sun Mar 17, 2024 5:09 pm    Post subject: Reply with quote

Why are you using df here? You have no mounted filesystems at this stage, so there is nothing for which you can meaningfully measure the amount of disk free.

What is /dev/tempfs? Did you mean the filesystem devtmpfs, which would be present if you mounted it (traditionally on /dev) and absent otherwise?

When you drop to a rescue shell, what is /dev/sda? Does it return what looks like a plausible LUKS header?
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sun Mar 17, 2024 5:43 pm    Post subject: Reply with quote

/dev/sda will decrypt using the cryptsetup on my live isb, and that is the same cryptsetup that I used to encrypt /dev/sda before I used LVM2 to do the pvcreate, vgcreate, and lvcreate to set it up for this system. Using the live usb everything works great, but when I try to boot the kernel (with its initramfs), it does as described above.

What exactly do you mean by
Quote:
When you drop to a rescue shell, what is /dev/sda? Does it return what looks like a plausible LUKS header?


When I do fdisk -l it shows that /dev/sda is a 2 TB drive, which is what I would expect. How do I see if it returns a plausable LUKS header? Seems to me that since it works great with the cryptsetup on the live usb, that either I built the static linked cryptsetup on the initramfs wrong, or I am missing something in the kernel that cryptsetup needs, or something else in the initramfs environment is wrong.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23028

PostPosted: Sun Mar 17, 2024 7:25 pm    Post subject: Reply with quote

On the Live USB, /dev/sda refers to a block device which contains a valid and usable LUKS container. There is no reason to assume that the /dev/sda on the failing system also refers to that same block device. It likely does, unless the kernel is enumerating disks differently, or your use of a manually curated /dev has provided an incorrect device node sda. Since you have a non-working system, I suggest you assume nothing, and verify each prerequisite.

The report that fdisk returns a 2TB drive is encouraging, and from context, I infer the system has no other 2TB drives that sda could wrongly refer to. If so, we can probably assume that sda refers to the block device you intend it to refer to. For checking for a LUKS header, you could use cryptsetup isLuks, or try to do it by hand by manually inspecting the first few dozen bytes of the device. If you suspect a kernel problem, you could check dmesg. You could try using the live kernel's configuration with your custom initramfs. You could try using a non-static cryptsetup with its libraries explicitly included. You could inspect the cryptsetup code to see under what circumstances it produces the errors about RNG initialization, and then try to disprove that those could be occurring in the live environment.
Back to top
View user's profile Send private message
frostschutz
Advocate
Advocate


Joined: 22 Feb 2005
Posts: 2977
Location: Germany

PostPosted: Sun Mar 17, 2024 8:16 pm    Post subject: Reply with quote

cryptsetup code

setup.c :: init_crypto()

Code:

        r = crypt_random_init(ctx);
        if (r < 0) {
                log_err(ctx, _("Cannot initialize crypto RNG backend."));
                return r;
        }


random.c ::

Code:

#define URANDOM_DEVICE  "/dev/urandom"
static int urandom_fd = -1;

#define RANDOM_DEVICE   "/dev/random"
static int random_fd = -1;

/* Initialisation of both RNG file descriptors is mandatory */
int crypt_random_init(struct crypt_device *ctx)
{
        if (random_initialised)
                return 0;

        /* Used for CRYPT_RND_NORMAL */
        if(urandom_fd == -1)
                urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
        if(urandom_fd == -1)
                goto err;

        /* Used for CRYPT_RND_KEY */
        if(random_fd == -1)
                random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
        if(random_fd == -1)
                goto err;

        if (crypt_fips_mode())
                log_verbose(ctx, _("Running in FIPS mode."));

        random_initialised = 1;
        return 0;
err:
        crypt_random_exit();
        log_err(ctx, _("Fatal error during RNG initialisation."));
        return -ENOSYS;
}


it opens both /dev/random /dev/urandom (...there's an ioctl for that nowadays but who cares)

on failure you get Fatal error during RNG initialisation, Cannot initialize crypto RNG backend.

this is the only occurence of this specific error message as far as I can see, hence - make sure these devices exist and also work

You can also run cryptsetup with --debug option to get a bit more output. or strace it, if you include strace in your initramfs. maybe something else will pop up...

PS: did you really encrypt /dev/sda and not sda1 (or other partition)? It's unusual and a bit dangerous since creating any partition table would corrupt your LUKS header then.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sun Mar 17, 2024 9:10 pm    Post subject: Reply with quote

Regarding my non-partitioned /dev/sda, since I use LVM for all my filesystems, I do not partition the disk, as it is unnecessary. I have used this approach since at least 2008, when I built my original backup server. I need to have all filesystems under LVM so that I can take an LVM snapshot of the filesystem before I back it up, thus freezing the filesystem for the backup. Meanwhile, after the snapshot has been created, the machine can be used normally while the backup operation is occurring, and it will not cause any corruption of the backup, as it is a backup of a snapshot of the filesystem frozen in time. Since my root filesystem needs to be snapshotable, it also needs to be based on LVM. I originally started using initrd/initramfs tto get / under LVM back in the days of nash when all initrds were hand crafted. I added the full disk encryption later, around 2012 so that my laptop would be protected against data theft, as I carry it with me on consulting gigs, and it has client proprietary data on it.

Thanks for the sleuthing around for where the error messages I am seeing are generated. Since I now have both /dev/random and /dev/urandom in the initramfs, I am assuming that I must be missing something in the kernel. I did post earlier in this thread a link to a screenshot of the boot failure, and also a link to my .config file. I also checked to make sure that my static linked cryptsetup indeed has no library references:
Code:
(chroot) livecd /usr/src/initramfs/bin # ls -la
total 10720
drwxr-xr-x  2 root root      63 Jan 30  2010 .
drwxr-xr-x 12 root root     146 Mar 15 19:07 ..
-rwxr-xr-x  1 root root 2046328 Jan 30  2010 busybox
-rwxr-xr-x  1 root root 5305120 Mar 14 12:27 cryptsetup
-r-xr-xr-x  1 root root 3550224 Mar 14 17:45 lvm
-rwx--x--x  1 root root   69624 Jan 30  2010 mount
(chroot) livecd /usr/src/initramfs/bin # lddtree busybox
busybox => ./busybox (interpreter => none)
(chroot) livecd /usr/src/initramfs/bin # lddtree cryptsetup
cryptsetup => ./cryptsetup (interpreter => none)
(chroot) livecd /usr/src/initramfs/bin # lddtree lvm
lvm => ./lvm (interpreter => none)


If someone could take a look at my kernel config and check for errors of omission I would appreciate it. I ran make menuconfig on it to make it easier to read, but I was not sure what to look for.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sun Mar 17, 2024 9:22 pm    Post subject: Reply with quote

I just had a simple idea for a test. I can boot into the live usb, then mount my boot usb that has the cryptsetup problem. I ought to be able to run the static linked cryptsetup manually in the live usb environment and see if it also fails there. If it does, then we know the problem is in the static linked cryptsetup. I will try that tomorrow when I am back in the lab where the laptop is located.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Tue Mar 19, 2024 6:11 pm    Post subject: Reply with quote

That was a worthwhile test! My static linked cryptsetup works fine when run in the live usb environment, so it must be something about my kernel.

Can somebody knowledgable about the linux-6.6.13-gentoo kernel please take a look at my .config file? It is located at:

http://www.elilabs.com/~rj/config-6.6.13-gentoo

Thanks!
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5329
Location: Bavaria

PostPosted: Tue Mar 19, 2024 6:34 pm    Post subject: Reply with quote

I think this is the reason for your problem (but I am not sure): # CONFIG_CRYPTO_USER is not set

Maybe you need also (but I dont think so): # CONFIG_CRYPTO_USER_API_RNG is not set

What I recommend: Enable every accelerated Module, IF you use the plain module AND IF your CPU has this ability - at least:
Code:
#
# Accelerated Cryptographic Algorithms for CPU (x86)
#
...
# CONFIG_CRYPTO_SHA1_SSSE3 is not set
# CONFIG_CRYPTO_SHA256_SSSE3 is not set
# CONFIG_CRYPTO_SHA512_SSSE3 is not set
...
# CONFIG_CRYPTO_CRC32C_INTEL is not set
# CONFIG_CRYPTO_CRC32_PCLMUL is not set

_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
sublogic
Guru
Guru


Joined: 21 Mar 2022
Posts: 300
Location: Pennsylvania, USA

PostPosted: Tue Mar 19, 2024 10:17 pm    Post subject: Reply with quote

pietinger wrote:
I think this is the reason for your problem (but I am not sure): # CONFIG_CRYPTO_USER is not set

I doubt it. I have CONFIG_CRYPTO_USER=m and no modules in my initramfs, yet my early-userspace cryptsetup works just fine.

pietinger wrote:
Maybe you need also (but I dont think so): # CONFIG_CRYPTO_USER_API_RNG is not set

I don't have it either, so probably not needed.

@Moriah: did you try comparing the .config of the live usb with yours ? (Hopefully the live usb has /proc/config.gz ?)
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5329
Location: Bavaria

PostPosted: Tue Mar 19, 2024 11:41 pm    Post subject: Reply with quote

sublogic wrote:
I doubt it. I have CONFIG_CRYPTO_USER=m and no modules in my initramfs, yet my early-userspace cryptsetup works just fine.

Yes, I was afraid of it. dm-crypt really doesn't need many options ... depending on which encryption method you use, of course. But almost every crypto module is statically activated. The only thing that WOULD be missing IF he used tcrypt (TrueCrypt/tcplay/VeraCrypt compatibility mode) is that FUSE is included as <M>module - instead of static. But he would have told us so.

sublogic wrote:
@Moriah: did you try comparing the .config of the live usb with yours ? (Hopefully the live usb has /proc/config.gz ?)

That's difficult if you don't know which modules are important ... and when I look at the .config, I can see that PO actually knows its way around.

If nothing helps you would probably have to run a strace on cryptsetup to see what is missing.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Thu Mar 21, 2024 2:46 am    Post subject: Reply with quote

I had a chance to rebuild my kernel this evening. I only enabled CONFIG_CRYPTO_USER. The idea I had in mind was not to just get this to work, but to find out *EXACTLY* what makes the difference. If this doesn't work, I will enable the other options that pietinger suggested, one by one, until it does work, or until I prove that none of them work.

If nothing works, then I will run strace on cryptsetup in the live usb environment and see what all it calls. Hopefully that will help us zero in on the problem.

I noticed that this new kernel build had to rebuild a lot of files. I guess CONFIG_CRYPTO_USER is a conditional compilation flag that appears in many places.

I am unable to test the new kernel until tomorrow, as I built it by logging in remotely to my lab, which is in another building about 5 miles away from my home where I am working now. I will post again after I see whether it works.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23028

PostPosted: Thu Mar 21, 2024 2:36 pm    Post subject: Reply with quote

Considering how expensive it is for you to test this (visiting the lab in person), perhaps this would warrant a side project of creating a virtual machine, booting it with the Live USB, creating a LUKS volume in that machine, and then rebooting that machine into your test kernels+initramfs combinations. That way, you can run this test on any hardware you like, and not take down a machine anyone else uses when you run your tests.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Thu Mar 21, 2024 3:34 pm    Post subject: Reply with quote

Nice idea, but we are in the middle of a move. My lab is still at the old location, all I have at the new location is my wife's W12 laptop running cygwin for ssh tunnellinig into the LAN in my lab at the old location, and VNC to access everything in the lab remotely. My laptop is over there so I have other machines to use to ssh into the laptop and still have access to the rest of my network , including my backup server. Besides the wired business grade connection there is much faster that the wifi connection at the new house. I should be moving the lab to the new house in a few weeks. The construction work on the new lab is just about finished. The move will be pretty disruptive, and I want my laptop working before we start the move. Besides, I am over at the old location every day anyway.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Thu Mar 21, 2024 7:10 pm    Post subject: Reply with quote

Adding CONFIG_CRYPTO_USER did not solve the problem.

I will be adding other suggested tags in the near future
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5329
Location: Bavaria

PostPosted: Thu Mar 21, 2024 9:46 pm    Post subject: Reply with quote

Moriah wrote:
Adding CONFIG_CRYPTO_USER did not solve the problem.

I will be adding other suggested tags in the near future

Yes, I was afraid of it.

Please try enabling FUSE static as next (the other options I mentioned are only for performance but not the reason of the problem).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Thu Mar 21, 2024 9:53 pm    Post subject: Reply with quote

Did you mean FUSE_FS, which is currently a module? Is that the tag I should make static?
Code:
  │ Symbol: FUSE_FS [=m]
  │ Type  : tristate
  │ Defined at fs/fuse/Kconfig:2
  │   Prompt: FUSE (Filesystem in Userspace) support
  │   Location:
  │     -> File systems
  │ (2)   -> FUSE (Filesystem in Userspace) support (FUSE_FS [=m])
  │ Selects: FS_POSIX_ACL [=y]

_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5329
Location: Bavaria

PostPosted: Thu Mar 21, 2024 9:56 pm    Post subject: Reply with quote

Moriah wrote:
Did you mean FUSE_FS, which is currently a module? Is that the tag I should make static?

Yes.

I explained it in my last post before my last post (It should be only necessary if you use tcrypt)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sat Mar 23, 2024 12:31 pm    Post subject: Reply with quote

Well, the FUSE_FS did not help, so I added --debug to the cryptsetup call in the init script in the initramfs, but not enough information there to shed any light on the problem either, so I did an strace using the static linked cryptsetup running in the live usb environment, as I could not figure a reasonable way to run strace from the initramfs.

The output of the strace is at http://www.elilabs.com/~rj/cryptsetup_static.strace

Grepping the interesting lines, we get:
Code:
(chroot) livecd ~ # grep openat cryptsetup_static.strace
openat(AT_FDCWD, "/dev/sda", O_RDONLY|O_DIRECT) = 3
openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/random", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib64/ossl-modules/legacy.so", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/usr/lib64/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib64/ld-linux-x86-64.so.2", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/dev/sda", O_RDONLY|O_DIRECT) = 5
openat(AT_FDCWD, "/dev/sda", O_RDONLY|O_DIRECT) = 5
openat(AT_FDCWD, "/dev/sda", O_RDONLY)  = 6
openat(AT_FDCWD, "/dev/tty", O_RDWR)    = 6
(chroot) livecd ~ #

As you can see, cryptsetup is trying to open files that are not in the initramfs.

Please note at the top of the strace output file, I show that the copy of cryptsetup is indeed staticly linked with no library references,
Code:
root@livecd /usr/src/initramfs/bin # lddtree cryptsetup
cryptsetup => ./cryptsetup (interpreter => none)
root@livecd /usr/src/initramfs/bin #

yet it is opening several *.so files.
Code:
(chroot) livecd ~ # grep openat cryptsetup_static.strace | grep .so
openat(AT_FDCWD, "/usr/lib64/ossl-modules/legacy.so", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/usr/lib64/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib64/ld-linux-x86-64.so.2", O_RDONLY|O_CLOEXEC) = 5
(chroot) livecd ~ #


What's the deal here?

Do I have to put all those files in my iniitramfs to do the luksOpen? What a pain! That's almost 6.5 MB of librarry files.
Code:
-rw-r--r-- 1 root root   39912 Mar 22 22:38 /etc/ld.so.cache
-rwxr-xr-x 1 root root  235296 Feb 18 22:38 /lib64/ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 1892440 Feb 18 22:38 /lib64/libc.so.6
-rwxr-xr-x 1 root root 4391168 Mar 14 12:55 /usr/lib64/libcrypto.so.3
-rwxr-xr-x 1 root root  142040 Mar 14 12:55 /usr/lib64/ossl-modules/legacy.so


BTW I only ran the strace up to the point where it asks for the pass phrase, because the initramfs version never gets that far anyway.
Code:
openat(AT_FDCWD, "/dev/tty", O_RDWR)    = 6
ioctl(6, TCGETS, {c_iflag=ICRNL|IXON, c_oflag=NL0|CR0|TAB0|BS0|VT0|FF0|OPOST, c_cflag=B38400|CS8|CREAD, c_lflag=ISIG|ICANON|ECHOE|ECHOK|IEXTEN|ECHOCTL|ECHOKE, ...}) = 0
write(6, "Enter passphrase for /dev/sda: ", 31Enter passphrase for /dev/sda: ) = 31
ioctl(6, TCSETSF, {c_iflag=ICRNL|IXON, c_oflag=NL0|CR0|TAB0|BS0|VT0|FF0|OPOST, c_cflag=B38400|CS8|CREAD, c_lflag=ISIG|ICANON|ECHOE|ECHOK|IEXTEN|ECHOCTL|ECHOKE, ...}) = 0

_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1420
Location: Richmond Hill, Canada

PostPosted: Sat Mar 23, 2024 4:30 pm    Post subject: Reply with quote

Moriah wrote:
I added /dev/random to the initramfs/dev directory, and I still get:
Code:
Fatal error during RNG initialization.
Cannot initialize crypto RNG backend.
Device /dev/sda is not a valid LUKS device.
cryptsetup failed
Something went wrong. Dropping you to a shell.
/bin/sh: can't access tty; job control turned off
/ #

So I did ls -l /dev and it showed both random and urandom were there, so I fixed the missing /dev/random at least.

But when I did df it showed nothing at all. So how do I determine whether /dev/tempfs is there? Its not in /dev and I can't see it anywhere else...

I realize the shell I get when the initramfs fails is pretty slim.


Did you rebuild your initramfs file after ypu put /dev/random in? Did you deploy the new initramfs file with /dev/random in it?

can you share content of /dev/ from the shell in initramfs?

Through out the thread I did not found evident that /dev/random exist so I ask this question.

I think @frostschutz have correctly point out the condition that you got those errror messages
Code:
Fatal error during RNG initialization.
Cannot initialize crypto RNG backend
is due to missing /dev/random.

So it is unlikely you have kernel problem (or at least it have yet to hit kernel part)

Please note, the /dev/random must have major=1 and minor=8, please verify that is how you setup in initramfs' /dev/

Or am I misunderstand current condition? After you put the /dev/random in initramfs you no longer get the messages
Code:
Fatal error during RNG initialization.
Cannot initialize crypto RNG backend
and still not able to open rootfs?
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2382
Location: Kentucky

PostPosted: Sat Mar 23, 2024 6:09 pm    Post subject: Reply with quote

See my posts on March 17 where I said /dev/random was missing so I put it in.

Since I am not in my lab now, here is:
Code:
(chroot) livecd /usr/src/initramfs/dev # ls -la
total 0
drwxr-xr-x  2 root root   73 Mar 17 09:21 .
drwxr-xr-x 12 root root  146 Mar 22 23:11 ..
crw-------  1 root root 5, 1 Feb  1  2010 console
crw-rw-rw-  1 root root 1, 3 Feb 10  2019 null
brw-rw-rw-  1 root root 1, 8 Mar 17 09:21 random
brw-rw----  1 root disk 8, 0 Jan 31  2010 sda
crw-rw-rw-  1 root root 1, 9 Feb  1  2010 urandom
(chroot) livecd /usr/src/initramfs/dev #

So you can see that it is in /dev now, and has been since March 17.

After I put /dev/random in, with correct major and minor numbers, as shown above, I still get "Fatal error during RNG initialisation."

But anyway, why is cryptsetup opening all those library files? I am thinking *THAT* is my problem.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1420
Location: Richmond Hill, Canada

PostPosted: Sat Mar 23, 2024 7:12 pm    Post subject: Reply with quote

Moriah wrote:
See my posts on March 17 where I said /dev/random was missing so I put it in.

Since I am not in my lab now, here is:
Code:
(chroot) livecd /usr/src/initramfs/dev # ls -la
total 0
drwxr-xr-x  2 root root   73 Mar 17 09:21 .
drwxr-xr-x 12 root root  146 Mar 22 23:11 ..
crw-------  1 root root 5, 1 Feb  1  2010 console
crw-rw-rw-  1 root root 1, 3 Feb 10  2019 null
brw-rw-rw-  1 root root 1, 8 Mar 17 09:21 random
brw-rw----  1 root disk 8, 0 Jan 31  2010 sda
crw-rw-rw-  1 root root 1, 9 Feb  1  2010 urandom
(chroot) livecd /usr/src/initramfs/dev #

So you can see that it is in /dev now, and has been since March 17.

After I put /dev/random in, with correct major and minor numbers, as shown above, I still get "Fatal error during RNG initialisation."

But anyway, why is cryptsetup opening all those library files? I am thinking *THAT* is my problem.


First of all you are showing what is on a may be chroot file system, not what is in initramfs. I can understand that you have created but I am not able to know if it got deployed, herece I ask to see it in initramfs' dev.

Secondly the "random" is a character device, it is not a block device. In your shared output it show it is a block device. (i.e. it should be made with "mknod dev/random 1 8 c")

In the
cryptsetup::lib/random.c -- int crypt_random_init(struct crypt_device *ctx):

{
   if (random_initialised)
      return 0;

   /* Used for CRYPT_RND_NORMAL */
   if(urandom_fd == -1)
      urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
   if(urandom_fd == -1)
      goto err;

   /* Used for CRYPT_RND_KEY */
   if(random_fd == -1)
      random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
   if(random_fd == -1)
      goto err;

   if (crypt_fips_mode())
      log_verbose(ctx, _("Running in FIPS mode."));

   random_initialised = 1;
   return 0;
err:
   crypt_random_exit();
   log_err(ctx, _("Fatal error during RNG initialisation."));
   return -ENOSYS;
}
I am not sure how the open() call with O_NONBLOCK on a block device will or will not cause the open() call falire.

And as for the reason it is trying to load dynamic library is because the crypto backend choice, I am not sure how the build option choose but from the source code and your strace result mean that it is because the build have choose to use openssl as backend therefor the
cryptsetup::lib/setup.c -- init_cryptpo():
int init_crypto(struct crypt_device *ctx)
{
   struct utsname uts;
   int r;

   r = crypt_random_init(ctx);
   if (r < 0) {
      log_err(ctx, _("Cannot initialize crypto RNG backend."));
      return r;
   }

   r = crypt_backend_init(crypt_fips_mode());
   if (r < 0)
      log_err(ctx, _("Cannot initialize crypto backend."));

   if (!r && !_crypto_logged) {
      log_dbg(ctx, "Crypto backend (%s%s) initialized in cryptsetup library version %s.",
         crypt_backend_version(), crypt_argon2_version(), PACKAGE_VERSION);

      if (!uname(&uts))
         log_dbg(ctx, "Detected kernel %s %s %s.",
            uts.sysname, uts.release, uts.machine);
      _crypto_logged = 1;
   }

   return r;
}
chose to use openssl library to setup.
cryptsetup::lib/crypto_backend/crypto_openssl.c:
static int openssl_backend_init(bool fips)
{
/*
 * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
 */
#if OPENSSL_VERSION_MAJOR >= 3
   int r;
   bool ossl_threads = false;

   /*
    * In FIPS mode we keep default OpenSSL context & global config
    */
   if (!fips) {
      ossl_ctx = OSSL_LIB_CTX_new();
      if (!ossl_ctx)
         return -EINVAL;

      ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
      if (!ossl_default) {
         OSSL_LIB_CTX_free(ossl_ctx);
         return -EINVAL;
      }

      /* Optional */
      ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
   }

   if (OSSL_set_max_threads(ossl_ctx, MAX_THREADS) == 1 &&
       OSSL_get_max_threads(ossl_ctx) == MAX_THREADS)
      ossl_threads = true;

   r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s%s%s",
      OpenSSL_version(OPENSSL_VERSION),
      ossl_default ? "[default]" : "",
      ossl_legacy  ? "[legacy]" : "",
      fips  ? "[fips]" : "",
      ossl_threads ? "[threads]" : "",
      crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? "[argon2]" : "");

   if (r < 0 || (size_t)r >= sizeof(backend_version)) {
      openssl_backend_exit();
      return -EINVAL;
   }
#else
   UNUSED(fips);
#endif
   return 0;
}
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum