Ok, here's my initial instructions:
https://gist.github.com/pezz/5310082
This will get you going with an encrypted root, an initrd etc -- but no unlock over SSH. You need direct access with a keyboard to unlock this.
I need to work through the "unlock over ssh" bit, but it's getting late where I am.
You could work it out from the normal Arch Wiki and installing the dropbear initrd hook.
Anyway, hope the instructions help, please advise of any corrections that need to be made.
Cheers.
Using an initrd
18 posts
• Page 2 of 2 • 1, 2
Re: Using an initrd
by pezz » Thu Apr 04, 2013 1:22 pm
- pezz
- Posts: 76
- Joined: Fri Sep 14, 2012 11:19 pm
- Location: Geelong, Australia
Re: Using an initrd
by pezz » Fri Apr 05, 2013 11:29 am
I've updated my gist to include instructions all the way to installing the dropbear_initrd_encrypt package and setting up the kernel.
However, the latest version of dropbear is segfaulting when you input the passphrase.
Not sure how to fix it, the error message says to lodge a bug with the developer, but not sure how much testing he does with ARM builds.
Also, dropbear works fine if you run it instead of sshd on a normally booted system and login with it.
Nevertheless, trying to hunt the problem down.
However, the latest version of dropbear is segfaulting when you input the passphrase.
Not sure how to fix it, the error message says to lodge a bug with the developer, but not sure how much testing he does with ARM builds.
Also, dropbear works fine if you run it instead of sshd on a normally booted system and login with it.
Nevertheless, trying to hunt the problem down.
- pezz
- Posts: 76
- Joined: Fri Sep 14, 2012 11:19 pm
- Location: Geelong, Australia
Re: Using an initrd
by pezz » Fri Apr 05, 2013 12:25 pm
Fixed it, I forgot to create the root_key file (apologies for besmirching the developer) .
Instructions done.
Please give me some feedback, improvements, corrections, kudos etc.
I'm looking at you "for the love of god" guy.
Instructions done.
Please give me some feedback, improvements, corrections, kudos etc.
I'm looking at you "for the love of god" guy.
- pezz
- Posts: 76
- Joined: Fri Sep 14, 2012 11:19 pm
- Location: Geelong, Australia
Re: Using an initrd
by gfvos » Fri Apr 05, 2013 3:55 pm
Oh wow, I didn't expect you to react so quickly and didn't check the forum yesterday. I only had time to skim through the instructions, I'll give it a try over the weekend and report back. Thank you very very much for your effort!
- gfvos
- Posts: 7
- Joined: Fri Jun 22, 2012 9:47 am
Re: Using an initrd
by gfvos » Sun Apr 14, 2013 10:29 am
All right, so I finally got around to finishing the set-up. It worked without a hitch! Excellent instructions, pezz, thanks again.
I see you already edited the gist and answered the only question I had left, which was if I had to rebuild the initramfs after every kernel update.
The only other detail that threw me off was: "Be sure to leave the "ro" option there." at step 10. I assume that was supposed to mean "Be sure to leave the "root" option there."?
I see you already edited the gist and answered the only question I had left, which was if I had to rebuild the initramfs after every kernel update.
The only other detail that threw me off was: "Be sure to leave the "ro" option there." at step 10. I assume that was supposed to mean "Be sure to leave the "root" option there."?
- gfvos
- Posts: 7
- Joined: Fri Jun 22, 2012 9:47 am
Re: Using an initrd
by pezz » Tue Apr 16, 2013 7:26 am
$this->bbcode_second_pass_quote('gfvos', 'T')he only other detail that threw me off was: "Be sure to leave the "ro" option there." at step 10. I assume that was supposed to mean "Be sure to leave the "root" option there."?
"ro" is for root to be initially mounted read-only, then it gets re-mounted "rw" because of systemd / fstab.
So no, it's not a typo. You'll get an error if you try and initially mount "rw", although you might get away with it if you use the fsck hook (as systemd won't have to do it during boot).
- pezz
- Posts: 76
- Joined: Fri Sep 14, 2012 11:19 pm
- Location: Geelong, Australia
Re: Using an initrd
by gfvos » Wed Apr 17, 2013 12:08 am
$this->bbcode_second_pass_quote('pezz', '')$this->bbcode_second_pass_quote('gfvos', 'T')he only other detail that threw me off was: "Be sure to leave the "ro" option there." at step 10. I assume that was supposed to mean "Be sure to leave the "root" option there."?
"ro" is for root to be initially mounted read-only, then it gets re-mounted "rw" because of systemd / fstab.
So no, it's not a typo. You'll get an error if you try and initially mount "rw", although you might get away with it if you use the fsck hook (as systemd won't have to do it during boot).
Hmm, interesting. If I recall correctly, there was no "ro" in the default /boot/cmdline.txt. But you're right, now that I think about it, the kernel command lines in my regular Arch installs all have the ro option.
This is what my cmdline.txt looks like:
$this->bbcode_second_pass_code('', 'smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 cryptdevice=/dev/mmcblk0p3:root root=/dev/mapper/root rootfstype=ext4 initrd=0x00f00000 elevator=noop rootwait')
and it seems to boot fine. But yeah, I also have the fsck hook enabled.
- gfvos
- Posts: 7
- Joined: Fri Jun 22, 2012 9:47 am