rburcham Apprentice
Joined: 20 Mar 2003 Posts: 247
|
Posted: Tue Jul 16, 2024 5:50 pm Post subject: [CLOSED/WEIRD] Boot 6.10.0, get warnings on dmcrypt mappings |
|
|
I have encrypted root that decrypts and mounts at boot with passphrase (LUKS/lvm2).
Code: | GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=<UUID-for-nvme1n1p3> root=/dev/mapper/vg0-root net.ifnames=0 biosdevname=0 nomodeset i915.modeset=0 video=efifb:1920x1200x32" |
*EDIT - sorry, I originally mistakenly referenced the UUID for the wrong device in the line above, it is corrected now. The encrypted root is on nvme1n1p3 for sure, and its UUID is referenced on the GRUB_CMDLINE_LINUX in /etc/default/grub. I have corrected the above line.*
I built gentoo-sources-6.10.0 with genkernel and initramfs. I start to boot this kernel/initramfs, get challenged for the passphrase for the encrypted root volume, and after providing passphrase I get
Quote: | WARNING: Using default options for cipher (aes-xts-plain64, key size 256 bits) that could be incompatible with older versions.
WARNING: Using default options for hash (sha256) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if not keyfile is used, then also, --hash.
WARNING: Device /dev/nvme0n1p1 already contains a 'vfat' superblock signature.
WARNING!
=======
Detected device signature(s) on /dev/nvme0n1p1. Proceeding further may damage existing data.
Are you sure? (Type 'yes' in capital letters):
|
I most definitely am not sure. So I shut down and booted back into 6.9. No problems. I then inspect the encrypted root volume:
Code: | # cryptsetup status root
/dev/mapper/root is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/nvme1n1p3
sector size: 512
offset: 32768 sectors
size: 3999707824 sectors
mode: read/write
|
Right away I see the key size is 512 whereas the warning says the default is 256. So that will have to be provided to the 6.10.0 boot. Also the cipher is aes-xts-plain64 so that will have to be provided too. I don't know what to provide for hash though.
So my questions:
1. I think I'm going to somehow provide the kernel command line options --cipher aes-xts-plain64 --key-size 512 --hash ????, yes?
2. What value do I provide to --hash? It isn't obvious from the cryptsetup status output...
3. How do I specify these switches? I'm guessing as kernel command line options, but to what module/namespace, and what is the syntax?
4. Where best to set these switches? I'm thinking /etc/default/grub and GRUB_CMDLINE_LINUX...
Thanks in advance!
Last edited by rburcham on Wed Jul 17, 2024 5:18 pm; edited 4 times in total |
sublogic Apprentice
Joined: 21 Mar 2022 Posts: 269 Location: Pennsylvania, USA
|
Posted: Wed Jul 17, 2024 1:34 am Post subject: |
|
|
Weird. They are options for cryptsetup open --type plain and are not needed for --type luks2 (or luksOpen).
Hmmm. The warning specifically says:
Code: | For plain mode, always use options --cipher, --key-size and if not keyfile is used, then also, --hash.
WARNING: Device /dev/nvme0n1p1 already contains a 'vfat' superblock signature. |
So I have questions:
1. Why is it trying to open with --type plain?
2. Why does it see a vfat signature instead of a LUKS2 header?
3. Is (2) the cause of (1)?
Theory: /dev/nvme0n1p1 is the wrong disk or partition. Is it your EFI system partition? Do you have multiple SSDs? Maybe 6.10.0 enumerates devices differently?
I suggest using a boot option like crypt_root=UUID=xxxxxxxx-0000-0000-xxxx-xxxxxxxxxxxx instead of a device name. Substitute the correct UUID.
It's probably safe to explore what 6.10.0 sees from the rescue shell. Boot with debug to pause in a rescue shell. Don't let it boot, but run lsblk or blkid, try to run cryptsetup manually etc.
(Your initramfs may not have all the good tools though.) |
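A pre-flight check along the lines sublogic suggests, as an added example that is not part of the thread: it reads `blkid -o export` records and allows unlocking only when the UUID resolves to a `crypto_LUKS` device, so a partition carrying a vfat signature never reaches a plain-mode open. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `blkid -o export` records (blank-line separated) on
# stdin and prints "<verdict> <device> <type>" for the record matching UUID $1.
luks_source_verdict() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }
        {
            dev = ""; uuid = ""; type = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if (key == "DEVNAME") dev = val
                else if (key == "UUID") uuid = val
                else if (key == "TYPE") type = val
            }
            if (uuid != want) next
            found = 1
            if (type == "crypto_LUKS") print "luks", dev, type
            else print "refuse", dev, (type == "" ? "none" : type)
            exit
        }
        END { if (!found) print "missing - -" }'
}

# Exit status: 0 = LUKS header present, 1 = other or no signature, 2 = UUID absent.
safe_to_open() {
    verdict=$(luks_source_verdict "$1")
    case $verdict in
        luks\ *)   return 0 ;;
        refuse\ *) echo "refusing to unlock: $verdict" >&2; return 1 ;;
        *)         echo "no block device with UUID $1" >&2; return 2 ;;
    esac
}

# Constructed sample records (not the poster's real UUIDs or disk layout).
sample_blkid() {
    cat <<'EOF'
DEVNAME=/dev/nvme0n1p1
UUID=11111111-aaaa-4aaa-8aaa-111111111111
TYPE=crypto_LUKS

DEVNAME=/dev/nvme1n1p1
UUID=2222-BBBB
TYPE=vfat

DEVNAME=/dev/nvme1n1p3
UUID=33333333-cccc-4ccc-8ccc-333333333333
TYPE=crypto_LUKS
EOF
}
```

From a rescue shell, `blkid -o export | safe_to_open "$uuid"` can gate a manual `cryptsetup open --type luks` so that a non-zero status stops the unlock before any prompt appears.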
rburcham Apprentice
Joined: 20 Mar 2003 Posts: 247
|
Posted: Wed Jul 17, 2024 3:32 am Post subject: |
|
|
Hmm, I really like the different device enumeration line of thinking, I definitely have multiple SSDs. But I do specify crypt_root with the UUID parlance (I updated the original post with the GRUB_CMDLINE_LINUX I'm using).
I'll see about poking around in the rescue shell.
Not ruling it out at all, but the initramfs is the product of genkernel, as with each of my kernels prior to 6.10.0, and they don't choke in this way. |
sMueggli Guru
Joined: 03 Sep 2022 Posts: 495
|
Posted: Wed Jul 17, 2024 8:33 am Post subject: Re: Boot 6.10.0, get warnings on dm-crypt mappings |
|
|
rburcham wrote: | I have encrypted root that decrypts and mounts at boot with passphrase (LUKS/lvm2).
Code: | GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=<UUID-for-nvme0n1p1> root=/dev/mapper/vg0-root net.ifnames=0 biosdevname=0 nomodeset i915.modeset=0 video=efifb:1920x1200x32" |
|
Here you are using the UUID of /dev/nvme0n1p1.
rburcham wrote: |
Code: | # cryptsetup status root
/dev/mapper/root is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/nvme1n1p3
sector size: 512
offset: 32768 sectors
size: 3999707824 sectors
mode: read/write
|
|
And here the device seems to be /dev/nvme1n1p3. |
rburcham Apprentice
Joined: 20 Mar 2003 Posts: 247
|
Posted: Wed Jul 17, 2024 3:46 pm Post subject: |
|
|
Ugh, sorry, sorry, I mistakenly referenced the UUID for the wrong device when I edited the GRUB_CMDLINE_LINUX into the original post, it is corrected now. The encrypted root is on nvme1n1p3 for sure, and its UUID is properly referenced on the GRUB_CMDLINE_LINUX in /etc/default/grub.
EDIT AGAIN - Alright. Let's start over. God dammit.
The WARNING IS referencing nvme0n1p1. Because as it happens this problem is not the failure of the encrypted root to decrypt and mount at boot. The problem is that the encrypted HOME is failing to decrypt and mount at init. So I am booting and mounting the encrypted root, and then going to mount /home, and getting the WARNING as captured in the original post.
Sorry for the poor interpretation of the console.
/etc/fstab:
Quote: | /dev/mapper/vg1-home /home ext4 nodev,nosuid,noatime 0 0 |
Quote: | $ ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Jul 16 11:27 control
lrwxrwxrwx 1 root root 7 Jul 16 16:27 lvm-home -> ../dm-2
lrwxrwxrwx 1 root root 7 Jul 16 16:27 root -> ../dm-0
lrwxrwxrwx 1 root root 7 Jul 16 11:27 vg0-root -> ../dm-1
lrwxrwxrwx 1 root root 7 Jul 16 16:27 vg1-home -> ../dm-3 |
Quote: | # ls -l /dev/dm*
brw-rw---- 1 root disk 253, 0 Jul 16 16:27 /dev/dm-0
brw-rw---- 1 root disk 253, 1 Jul 16 11:27 /dev/dm-1
brw-rw---- 1 root disk 253, 2 Jul 16 16:27 /dev/dm-2
brw-rw---- 1 root disk 253, 3 Jul 16 16:27 /dev/dm-3 |
Quote: | # cryptsetup status lvm-home
/dev/mapper/lvm-home is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/nvme0n1p1
sector size: 512
offset: 32768 sectors
size: 4000760496 sectors
mode: read/write |
Again, sorry for the wrong interpretation, root clearly is mounting, init starts and then /home is where the WARNINGs occur.
Last edited by rburcham on Wed Jul 17, 2024 5:18 pm; edited 1 time in total |
rburcham Apprentice
Joined: 20 Mar 2003 Posts: 247
|
Posted: Wed Jul 17, 2024 5:15 pm Post subject: [CLOSED/WEIRD] Boot 6.10.0, get warnings on dmcrypt mappings |
|
|
So I went to enable rc_logger in /etc/rc.conf and rebooted into 6.10.0 to see if it would capture the details cleanly.
And the home volume decrypted and mounted without issue. So I'm booted into 6.10.0 and I don't understand what the hell happened. I sure hope there isn't some kind of startup race condition with 6.10.0, lvm and dmcrypt.
I'll mark the thread closed and reopen if it happens again. |