[SOLVED] booting an encrypted root


Postby jbodhorn » Mon Oct 10, 2016 2:11 am

This number: 0x00f00000 is used at least twice in creating an encrypted root

[code]
Step 9

Edit /boot/config.txt and add to the end:

initramfs initrd 0x00f00000
[/code]

[code]
Step 10

Edit the kernel command line, leave whatever is there alone, add or modify the following (file is /boot/cmdline.txt):

cryptdevice=/dev/mmcblk0p3:root:allow-discards root=/dev/mapper/root initrd=0x00f00000
Up to you if you want allow-discards or not, your choice.

Be sure to leave the "ro" option there.

Now add the following to fstab, edit /mnt/etc/fstab and ensure:

/dev/mmcblk0p1 /boot vfat defaults 0 0
/dev/mapper/root / ext4 defaults,discard,commit=120 0 1
[/code]

[code]ls -al /boot[/code]

[code]
total 22404
drwxr-xr-x 3 root root 16384 Oct 9 21:13 .
drwxr-xr-x 18 root root 4096 Oct 8 17:05 ..
-rwxr-xr-x 1 root root 14010 Sep 30 21:06 bcm2708-rpi-b.dtb
-rwxr-xr-x 1 root root 14273 Sep 30 21:06 bcm2708-rpi-b-plus.dtb
-rwxr-xr-x 1 root root 13964 Sep 30 21:06 bcm2708-rpi-cm.dtb
-rwxr-xr-x 1 root root 17932 Oct 4 20:28 bootcode.bin
-rwxr-xr-x 1 root root 240 Oct 9 21:32 cmdline.txt
-rwxr-xr-x 1 root root 149 Oct 9 21:30 config.txt
-rwxr-xr-x 1 root root 2532 Oct 4 20:28 fixup_cd.dat
-rwxr-xr-x 1 root root 6504 Oct 4 20:28 fixup.dat
-rwxr-xr-x 1 root root 9744 Oct 4 20:28 fixup_db.dat
-rwxr-xr-x 1 root root 9740 Oct 4 20:28 fixup_x.dat
-rwxr-xr-x 1 root root 4789167 Oct 9 21:13 initrd
-rwxr-xr-x 1 root root 5780324 Sep 30 21:06 kernel.img
drwxr-xr-x 2 root root 8192 Sep 30 21:06 overlays
-rwxr-xr-x 1 root root 633252 Oct 4 20:28 start_cd.elf
-rwxr-xr-x 1 root root 4944996 Oct 4 20:28 start_db.elf
-rwxr-xr-x 1 root root 2763940 Oct 4 20:28 start.elf
-rwxr-xr-x 1 root root 3895396 Oct 4 20:28 start_x.elf
[/code]


How from this:
[code]
-rwxr-xr-x 1 root root 4789167 Oct 9 21:13 initrd
[/code]
do I get this:
[code]
0x00f00000
[/code]

How do I get the size of a file in hex?
Last edited by jbodhorn on Thu Oct 13, 2016 10:42 pm, edited 1 time in total.
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am

Re: /boot/config.txt add to the end:initramfs initrd 0x00f00

Postby WarheadsSE » Mon Oct 10, 2016 10:51 am

Can you provide full background context, by providing the URL of wherever you got this tutorial from?
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: /boot/config.txt add to the end:initramfs initrd 0x00f00

Postby jbodhorn » Thu Oct 13, 2016 7:46 pm

I was working from this:
[url]https://gist.github.com/pezz/5310082[/url]

After doing the following steps and rebooting, my RPi just hangs.

[quote]
Step 9

Edit /boot/config.txt and add to the end:

initramfs initrd 0x00f00000

Step 10

Edit the kernel command line, leave whatever is there alone, add or modify the following (file is /boot/cmdline.txt):

cryptdevice=/dev/mmcblk0p3:root:allow-discards root=/dev/mapper/root initrd=0x00f00000
Up to you if you want allow-discards or not, your choice.

Be sure to leave the "ro" option there.

Now add the following to fstab, edit /mnt/etc/fstab and ensure:

/dev/mmcblk0p1 /boot vfat defaults 0 0
/dev/mapper/root / ext4 defaults,discard,commit=120 0 1
Change options to what you want.

Reboot and hope it works!
[/quote]


I've read other posts regarding a failure to boot with the root encrypted, and usually after changing the hex number they are able to boot. How do I find this number and what exactly is it? I thought it was the size of the initrd in hex but I just read that it is an address for memory.

I'm trying to finish my RPi security camera and I would very much like to have my root encrypted in case someone steals my camera. It will be outside and powered by a battery that gets charged with a small solar panel, totally wireless.

The camera data will be stored on my odroid-xu4 NAS so if someone does steal the camera we'll still have the video of it. The biggest reason for the encryption is that if the camera does get stolen I don't want the thieves to be able to get our wifi password and access to my odroid server by just searching through the data on the SD card.
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am

Re: /boot/config.txt add to the end:initramfs initrd 0x00f00

Postby jbodhorn » Thu Oct 13, 2016 8:06 pm

Here's another link about booting an encrypted root:
http://raspberrypi.stackexchange.com/questions/7159/can-the-raspberry-boot-to-an-lvm-root-partition
This isn't what I was following; I posted the link to that in my previous post. I was just trying to post more info to help clarify what I am attempting and why I'm confused. I've seen many posts where they just say to use a certain hex number, but I've yet to see a post saying how that number was obtained. Using the numbers I've seen online I'm not able to boot. If the number is the size of the initrd in hex, the size of my initrd being different than the size of the person posting would be an issue.

If the number is an address for memory I would guess I would have to find the possible addresses that are available before I could assign one to the initrd, and that isn't something I know how to do.

The fact that I'm reading that this hex number could be at least two different things is making it hard for me to verify what it actually is and how it is obtained.
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am

Re: /boot/config.txt add to the end:initramfs initrd 0x00f00

Postby jbodhorn » Thu Oct 13, 2016 8:58 pm

I found this
[quote]
INITRAMFS

This specifies both the ramfs filename and the memory address to load it at; it performs the actions of both ramfsfile and ramfsaddr in one parameter. Example values are: initramfs initramf.gz 0x00800000. NOTE: This option uses different syntax to all the other options; you should not use a = character here.
[/quote]


At this link https://www.raspberrypi.org/documentation/configuration/config-txt.md

and I found this
[quote]
initramfs (string address) ramfs file and address to load it at (it's like ramfsfile+ramfsaddr in one option). NOTE: this option uses different syntax than all other options - you should not use "=" character here. Example:

initramfs initramf.gz 0x00800000
The valid addresses depend on the kernel size. 0x00800000 works for 3.6-trunk-rpi, 0x00a00000 works for 3.14-1-rpi.
[/quote]


at this link http://elinux.org/RPiconfig

Once again no info on how to obtain the numbers used in these examples
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am

Re: /boot/config.txt add to the end:initramfs initrd 0x00f00

Postby jbodhorn » Thu Oct 13, 2016 10:41 pm

Found a working answer, finally got my encrypted root to boot, here's what worked:
[code]
sudo pacman -S --needed mkinitcpio rsync

# shrink partition with gparted (on another pc), create a new partition on the end

sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 30000 /dev/mmcblk0p3

sudo cryptsetup luksOpen /dev/mmcblk0p3 root
sudo mkfs.ext4 /dev/mapper/root

sudo mount /dev/mapper/root /mnt

sudo rsync --progress -axv / /mnt/

# After each nano command below, the indented comment is the line to set in that file.
sudo nano /etc/mkinitcpio.conf
#   HOOKS="base udev autodetect modconf block keymap encrypt filesystems keyboard fsck"

sudo mkinitcpio -k "$(uname -r)" -g /boot/initrd -c /etc/mkinitcpio.conf

sudo nano /boot/config.txt
#   initramfs initrd followkernel

sudo nano /boot/cmdline.txt
#   cryptdevice=/dev/mmcblk0p3:root root=/dev/mapper/root

sudo nano /mnt/etc/fstab
#   /dev/mapper/root / ext4 defaults,noatime 0 1

sudo nano /mnt/etc/crypttab
#   root /dev/mmcblk0p3 none luks
[/code]
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am
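
A pre-reboot consistency check for the files edited in the working answer above, as an added example that is not part of the original posts or of the linked gist. The function names, the set of checks and the sample tree are assumptions made here; the rule that the encrypt hook must come before filesystems is mkinitcpio's documented hook ordering, not something stated in this thread.

```shell
#!/bin/sh
# Added example: pre-reboot check of the files this thread edits.
# check_cryptroot <boot dir> <mkinitcpio.conf> <fstab>; returns 0 when consistent.
check_cryptroot() {
    boot=$1; mkconf=$2; fstab=$3; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    # config.txt syntax: "initramfs <file> <address|followkernel>", never with "="
    line=$(grep -E '^initramfs([ =]|$)' "$boot/config.txt" | tail -n 1)
    case $line in *=*) fail "initramfs line must not use '=': $line" ;; esac
    img=$(echo "$line" | awk '{ print $2 }')
    addr=$(echo "$line" | awk '{ print $3 }')
    [ -n "$img" ] && [ -s "$boot/$img" ] || fail "initramfs image '$img' not found in $boot"
    case $addr in
        followkernel) ;;
        0x*) echo "NOTE: $addr is a memory load address, not a file size; valid values depend on the kernel size" ;;
        *) fail "initramfs needs a load address or followkernel" ;;
    esac
    # cmdline.txt: cryptdevice=<device>:<name>[:options] must pair with root=/dev/mapper/<name>
    words=$(tr ' ' '\n' < "$boot/cmdline.txt")
    name=$(echo "$words" | sed -n 's/^cryptdevice=//p' | cut -d: -f2)
    root=$(echo "$words" | sed -n 's/^root=//p')
    [ -n "$name" ] || fail "no cryptdevice=<device>:<name> in cmdline.txt"
    [ "$root" = "/dev/mapper/$name" ] || fail "root=$root is not /dev/mapper/$name"
    # the initramfs can only unlock the volume if the encrypt hook was built in
    awk -F'[ "()=]+' '/^HOOKS=/ { for (i = 2; i <= NF; i++) { if ($i == "encrypt") e = i
            if ($i == "filesystems") f = i } } END { exit !(e && f && e < f) }' "$mkconf" ||
        fail "HOOKS must list encrypt before filesystems"
    awk -v d="/dev/mapper/$name" '$1 == d && $2 == "/" { ok = 1 } END { exit !ok }' "$fstab" ||
        fail "fstab has no / entry for /dev/mapper/$name"
    return $rc
}

# Constructed sample tree holding the values from the working answer above.
make_sample() {
    mkdir -p "$1/boot" "$1/etc"
    echo 'initramfs initrd followkernel' > "$1/boot/config.txt"
    echo 'constructed placeholder' > "$1/boot/initrd"
    echo 'cryptdevice=/dev/mmcblk0p3:root root=/dev/mapper/root ro' > "$1/boot/cmdline.txt"
    echo 'HOOKS="base udev autodetect modconf block keymap encrypt filesystems keyboard fsck"' > "$1/etc/mkinitcpio.conf"
    echo '/dev/mapper/root / ext4 defaults,noatime 0 1' > "$1/etc/fstab"
}

t=$(mktemp -d); make_sample "$t"
check_cryptroot "$t/boot" "$t/etc/mkinitcpio.conf" "$t/etc/fstab" && echo "OK: consistent"
rm -rf "$t"
```

On the Pi itself the call would be `check_cryptroot /boot /etc/mkinitcpio.conf /mnt/etc/fstab`, run before rebooting while the new root is still mounted on /mnt.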

