Gentoo Forums
[CLOSED/WEIRD] Boot 6.10.0, get warnings on dmcrypt mappings
rburcham
Apprentice


Joined: 20 Mar 2003
Posts: 247

Posted: Tue Jul 16, 2024 5:50 pm    Post subject: [CLOSED/WEIRD] Boot 6.10.0, get warnings on dmcrypt mappings

I have encrypted root that decrypts and mounts at boot with passphrase (LUKS/lvm2).

Code:
GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=<UUID-for-nvme1n1p3> root=/dev/mapper/vg0-root net.ifnames=0 biosdevname=0 nomodeset i915.modeset=0 video=efifb:1920x1200x32"


*EDIT - sorry, I originally mistakenly referenced the UUID for the wrong device in the line above, it is corrected now. The encrypted root is on nvme1n1p3 for sure, and its UUID is referenced on the GRUB_CMDLINE_LINUX in /etc/default/grub. I have corrected the above line.*

I built gentoo-sources-6.10.0 with genkernel and initramfs. I start to boot this kernel/initramfs, get challenged for the passphrase for the encrypted root volume, and after providing passphrase I get

Quote:
WARNING: Using default options for cipher (aes-xts-plain64, key size 256 bits) that could be incompatible with older versions.
WARNING: Using default options for hash (sha256) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if not keyfile is used, then also, --hash.
WARNING: Device /dev/nvme0n1p1 already contains a 'vfat' superblock signature.

WARNING!
=======
Detected device signature(s) on /dev/nvme0n1p1. Proceeding further may damage existing data.

Are you sure? (Type 'yes' in capital letters):


I most definitely am not sure. So I shut down and booted back into 6.9. No problems. I then inspect the encrypted root volume:

Code:
# cryptsetup status root
/dev/mapper/root is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme1n1p3
  sector size:  512
  offset:  32768 sectors
  size:    3999707824 sectors
  mode:    read/write


Right away I see the key size is 512 whereas the warning says the default is 256. So that will have to be provided to the 6.10.0 boot. Also the cipher is aes-xts-plain64 so that will have to be provided too. I don't know what to provide for hash though.

So my questions:

    1. I think I'm going to somehow provide the kernel command line options --cipher aes-xts-plain64 --key-size 512 --hash ????, yes?
    2. What value do I provide to --hash? It isn't obvious from the cryptsetup status output...
    3. How do I specify these switches? I'm guessing as kernel command line options, but to what module/namespace, and what is the syntax?
    4. Where best to set these switches? I'm thinking /etc/default/grub and GRUB_CMDLINE_LINUX...


Thanks in advance!


Last edited by rburcham on Wed Jul 17, 2024 5:18 pm; edited 4 times in total
sublogic
Apprentice


Joined: 21 Mar 2022
Posts: 264
Location: Pennsylvania, USA

Posted: Wed Jul 17, 2024 1:34 am

Weird. They are options for cryptsetup open --type plain and are not needed for --type luks2 (or luksOpen).

Hmmm. The warning specifically says:
Code:
For plain mode, always use options --cipher, --key-size and if not keyfile is used, then also, --hash.
WARNING: Device /dev/nvme0n1p1 already contains a 'vfat' superblock signature.
So I have questions:
  1. Why is it trying to open with --type plain?
  2. Why does it see a vfat signature instead of a LUKS2 header?
  3. Is (2) the cause of (1)?
Theory: /dev/nvme0n1p1 is the wrong disk or partition. Is it your EFI system partition? Do you have multiple SSDs? Maybe 6.10.0 enumerates devices differently?

I suggest using a boot option like crypt_root=UUID=xxxxxxxx-0000-0000-xxxx-xxxxxxxxxxxx instead of a device name. Substitute the correct UUID.

It's probably safe to explore what 6.10.0 sees from the rescue shell. Boot with debug to pause in a rescue shell. Don't let it boot, but run lsblk or blkid, try to run cryptsetup manually etc.
(Your initramfs may not have all the good tools though.)
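The signature check suggested above, as an added example that is not part of any post in this thread: a read-only probe that reports whether a partition starts with a LUKS header or a FAT boot sector, so a mapping can be refused rather than opened in plain mode. The function names and the sample images are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it only reads from the target.

# hex_at FILE OFFSET COUNT: COUNT bytes at OFFSET as a lowercase hex string
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# probe_sig FILE: prints luks1, luks2, vfat or unknown
probe_sig() {
    if [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; then   # "LUKS" 0xba 0xbe
        case "$(hex_at "$1" 6 2)" in                      # big-endian version
            0001) echo luks1 ;;
            0002) echo luks2 ;;
            *)    echo unknown ;;
        esac
        return 0
    fi
    # FAT boot sector: 0x55 0xaa at offset 510, "FAT" at 54 (FAT12/16) or 82 (FAT32)
    if [ "$(hex_at "$1" 510 2)" = "55aa" ] &&
       { [ "$(hex_at "$1" 54 3)" = "464154" ] || [ "$(hex_at "$1" 82 3)" = "464154" ]; }; then
        echo vfat
        return 0
    fi
    echo unknown
}

# luks_header_present FILE: succeeds only when a LUKS1/LUKS2 header is at offset 0
luks_header_present() {
    case "$(probe_sig "$1")" in
        luks1|luks2) return 0 ;;
        *)           return 1 ;;
    esac
}

# make_samples DIR: constructed test images (not real volumes)
make_samples() {
    printf 'LUKS\272\276\000\002' > "$1/luks2.img"
    dd if=/dev/zero of="$1/vfat.img" bs=512 count=1 2>/dev/null
    printf 'FAT32   ' | dd of="$1/vfat.img" bs=1 seek=82 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1/vfat.img" bs=1 seek=510 conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$1/blank.img" bs=512 count=1 2>/dev/null
}

# Usage: sh probe.sh /dev/nvme0n1p1 /dev/nvme1n1p3
for dev in "$@"; do
    printf '%s: %s\n' "$dev" "$(probe_sig "$dev")"
done
```

On a full system, cryptsetup isLuks and blkid answer the same question; this version needs only dd, od and tr, on the assumption that a minimal rescue shell provides them.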
rburcham
Apprentice


Joined: 20 Mar 2003
Posts: 247

Posted: Wed Jul 17, 2024 3:32 am

Hmm, I really like the different device enumeration line of thinking, I definitely have multiple SSDs. But I do specify crypt_root with the UUID parlance (I updated the original post with the GRUB_CMDLINE_LINUX I'm using).

I'll see about poking around in the rescue shell.

Not ruling it out at all, but the initramfs is the product of genkernel, as with each of my kernels prior to 6.10.0, and they don't choke in this way.
sMueggli
Guru


Joined: 03 Sep 2022
Posts: 430

Posted: Wed Jul 17, 2024 8:33 am    Post subject: Re: Boot 6.10.0, get warnings on dm-crypt mappings

rburcham wrote:
I have encrypted root that decrypts and mounts at boot with passphrase (LUKS/lvm2).

Code:
GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=<UUID-for-nvme0n1p1> root=/dev/mapper/vg0-root net.ifnames=0 biosdevname=0 nomodeset i915.modeset=0 video=efifb:1920x1200x32"


Here you are using the UUID of /dev/nvme0n1p1.
rburcham wrote:

Code:
# cryptsetup status root
/dev/mapper/root is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme1n1p3
  sector size:  512
  offset:  32768 sectors
  size:    3999707824 sectors
  mode:    read/write


And here the device seems to be /dev/nvme1n1p3.
rburcham
Apprentice


Joined: 20 Mar 2003
Posts: 247

Posted: Wed Jul 17, 2024 3:46 pm

Ugh, sorry, sorry, I mistakenly referenced the UUID for the wrong device when I edited the GRUB_CMDLINE_LINUX into the original post, it is corrected now. The encrypted root is on nvme1n1p3 for sure, and its UUID is properly referenced on the GRUB_CMDLINE_LINUX in /etc/default/grub.

EDIT AGAIN - Alright. Let's start over. God dammit.

The WARNING IS referencing nvme0n1p1. Because as it happens this problem is not the failure of the encrypted root to decrypt and mount at boot. The problem is that the encrypted HOME is failing to decrypt and mount at init. So I am booting and mounting the encrypted root, and then going to mount /home, and getting the WARNING as captured in the original post.

Sorry for the poor interpretation of the console.

/etc/fstab:
Quote:
/dev/mapper/vg1-home /home ext4 nodev,nosuid,noatime 0 0


Quote:
$ ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Jul 16 11:27 control
lrwxrwxrwx 1 root root 7 Jul 16 16:27 lvm-home -> ../dm-2
lrwxrwxrwx 1 root root 7 Jul 16 16:27 root -> ../dm-0
lrwxrwxrwx 1 root root 7 Jul 16 11:27 vg0-root -> ../dm-1
lrwxrwxrwx 1 root root 7 Jul 16 16:27 vg1-home -> ../dm-3


Quote:
# ls -l /dev/dm*
brw-rw---- 1 root disk 253, 0 Jul 16 16:27 /dev/dm-0
brw-rw---- 1 root disk 253, 1 Jul 16 11:27 /dev/dm-1
brw-rw---- 1 root disk 253, 2 Jul 16 16:27 /dev/dm-2
brw-rw---- 1 root disk 253, 3 Jul 16 16:27 /dev/dm-3


Quote:
# cryptsetup status lvm-home
/dev/mapper/lvm-home is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/nvme0n1p1
sector size: 512
offset: 32768 sectors
size: 4000760496 sectors
mode: read/write


Again, sorry for the wrong interpretation, root clearly is mounting, init starts and then /home is where the WARNINGs occur.


Last edited by rburcham on Wed Jul 17, 2024 5:18 pm; edited 1 time in total
rburcham
Apprentice


Joined: 20 Mar 2003
Posts: 247

Posted: Wed Jul 17, 2024 5:15 pm    Post subject: [CLOSED/WEIRD] Boot 6.10.0, get warnings on dmcrypt mappings

So I went to enable rc_logger in /etc/rc.conf and rebooted into 6.10.0 to see if it would capture the details cleanly.

And the home volume decrypted and mounted without issue. So I'm booted into 6.10.0 and I don't understand what the hell happened. I sure hope there isn't some kind of startup race condition with 6.10.0, lvm and dmcrypt.

I'll mark the thread closed and reopen if it happens again.