drtyhlpr / rpi23-gen-image

Advanced Debian "stretch" and "buster" bootstrap script for RPi 0/1/2/3 and QEMU
GNU General Public License v2.0

cryptsetup not in initramfs #138

Closed burnbabyburn closed 6 years ago

burnbabyburn commented 6 years ago

Hi, thanks for this project! It makes life a lot easier and more convenient.

I am trying to compile this project on Debian 9.5 with the following template:

RPI_MODEL=3
RELEASE=buster
BUILD_KERNEL=true
KERNEL_ARCH=arm64
RELEASE_ARCH=arm64
CROSS_COMPILE=aarch64-linux-gnu-
QEMU_BINARY=/usr/bin/qemu-aarch64-static
KERNEL_DEFCONFIG=bcmrpi3_defconfig
KERNEL_BIN_IMAGE=Image
KERNEL_IMAGE=kernel8.img

#also tried rpi-4.11.y
KERNEL_BRANCH=rpi-4.14.y

ENABLE_SPLITFS=true
ENABLE_INITRAMFS=true
ENABLE_CRYPTFS=true
CRYPTFS_PASSWORD=1234567890ß

HOSTNAME=pihole
USER_NAME=helge
USER_PASSWORD=1234
PASSWORD=1234
ENABLE_I2C=true
ENABLE_SPI=true
ENABLE_NONFREE=true
ENABLE_WIRELESS=true
ENABLE_SOUND=true
ENABLE_MINGPU=true
ENABLE_DBUS=true

ENABLE_IFNAMES=false
SSH_LIMIT_USERS=true
KERNELSRC_DIR=/home/helge/linux
RPI_FIRMWARE_DIR=/home/helge/firmware
REDUCE_SSHD=false

ENABLE_UBOOT=TRUE
UBOOTSRC_DIR=/home/helge/u-boot

APT_INCLUDES=locales,keyboard-configuration,cryptsetup,busybox,kbd,net-tools,wireless-tools,hostapd,wpasupplicant,git,console-setup

XKB_MODEL="pc105"
XKB_LAYOUT="DE"

and get this error in 14-fstab.sh:

cryptsetup: WARNING: Couldn't determine root device
cryptsetup: ERROR: Couldn't resolve device /dev/sda5
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries
    nor crypto modules. If that's on purpose, you may want to uninstall the
    'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs
    integration and avoid this warning.
Warning: couldn't identify filesystem type for fsck hook, ignoring.
loadkeys is missing. Please install the 'kbd' package.

This behaviour results in a non-bootable image (no cryptsetup in the initramfs to mount root).

If I don't split the image, my SD card boots up after I enter my password (with crypto and U-Boot). Maybe it is a problem with the fake LUKS device needed to get cryptsetup included in the initramfs?

I tried several build configs (no crypt, no split, no U-Boot, and mixing them up). I nearly always encounter the first problem after the kernel is up and the next step is to access usbb_hdd to mount root. Most of the time my builds got stuck in the boot process after "random: crng init done".

I am a full-time admin with mediocre Linux skills and am willing to build some more images if needed. I appreciate your help.

Thanks helge

drtyhlpr commented 6 years ago

Hi Helge,

I tested the CRYPTFS functionality a couple of weeks ago and it was broken (sadly). I tried the default rpi3 stretch and buster releases; building was working fine (I think it required some more busybox packages), but booting the newly generated package failed (without useful error messages).

I am currently working on a fix. I will release an update soon that will add an ENABLE_QEMU parameter to generate images that can be run in the qemu emulator. I hope debugging the cryptfs problems will get easier then (it was quite complicated to get the cryptfs functionality running when I added it some years ago, but I also haven't used or tested it for at least one year).

Thanks for your message and detailed error descriptions.

Have a great day.

ps. SSH to initramfs or dedicated USB Rubber Ducky-style functionality (to enter or "auto enter" the cryptfs password at initramfs/boot) still needs to be implemented.

burnbabyburn commented 6 years ago

Hi drtyhlpr,

Thanks for your reply.

root@rpi23-gen-image:/home/helge/rpi23-gen-image/images/buster/build/chroot/boot/firmware

lsinitramfs initramfs-4.14.76-v8+ | grep crypt
cryptroot
cryptroot/crypttab
scripts/init-premount/expand_encrypted_rootfs
scripts/local-block/cryptroot
scripts/local-bottom/cryptopensc
scripts/local-top/cryptopensc
scripts/local-top/cryptroot
usr/bin/cryptroot-unlock
usr/lib/modules/4.14.76-v8+/kernel/crypto
usr/lib/modules/4.14.76-v8+/kernel/crypto/xor.ko
usr/lib/modules/4.14.76-v8+/kernel/drivers/block/cryptoloop.ko

Just to be complete, here is the error message IF you install the above-mentioned packages in APT_INCLUDES:

0 1 crypt aes-xts-plain64 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096
+ chroot_exec mkinitramfs -o /boot/firmware/initramfs-4.14.76-v8+ 4.14.76-v8+
+ LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot /home/helge/rpi23-gen-image/images/buster/build/chroot mkinitramfs -o /boot/firmware/initramfs-4.14.76-v8+ 4.14.76-v8+
cryptsetup: WARNING: Couldn't determine root device
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries 
    nor crypto modules. If that's on purpose, you may want to uninstall the 
    'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs 
    integration and avoid this warning.
Warning: couldn't identify filesystem type for fsck hook, ignoring.
+ chroot_exec cryptsetup close secure
+ LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot /home/helge/rpi23-gen-image/images/buster/build/chroot cryptsetup close secure
+ head -n 3 bootstrap.d/15-rpi-config.sh
burnbabyburn commented 6 years ago

Adding ",initramfs" to /etc/crypttab forces the inclusion of cryptsetup into the initramfs! This fixes the problem of the initramfs not including cryptsetup.

cat /etc/fstab
crypt /dev/sda1  none luks,initramfs
bootstrap.d/14-fstab.sh
#Add encrypted partition to crypttab and fstab
  install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
  echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"

Results in:

build.log

LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot /home/helge/rpi23-gen-image/images/buster/build/chroot mkinitramfs -o /boot/firmware/initramfs-4.14.77-v8+ 4.14.77-v8+
cryptsetup: WARNING: Couldn't determine root device
cryptsetup: ERROR: Couldn't resolve device /dev/sda5
cryptsetup: ERROR: Couldn't resolve device /dev/sda1
Warning: couldn't identify filesystem type for fsck hook, ignoring.

root@rpi23-gen-image:/home/helge/rpi23-gen-image/images/buster/build/chroot/boot/firmware#

lsinitramfs initramfs-4.14.77-v8+ | grep cryptsetup
usr/lib/aarch64-linux-gnu/libcryptsetup.so.12
usr/lib/aarch64-linux-gnu/libcryptsetup.so.12.3.0
usr/lib/cryptsetup
usr/lib/cryptsetup/askpass
usr/lib/cryptsetup/functions
usr/sbin/cryptsetup
drtyhlpr commented 6 years ago

Thanks for the fix and infos.

Here is the fix I am currently working on. Untested so far because qemu emulation still gives me trouble :)

APT_INCLUDES="busybox,console-setup" and adding CRYPTSETUP=y to initramfs.conf (in 14-fstab.sh)

ps. Adding it to crypttab also looks nice.

burnbabyburn commented 6 years ago

Thanks for the continuing support :) But...

and adding CRYPTSETUP=y to initramfs.conf (in 14-fstab.sh)

This is deprecated. Better set it in /etc/cryptsetup-initramfs/conf-hook instead: https://tracker.pureos.net/w/troubleshooting/cryptsetup_setting_deprecated

Also..
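The two fixes discussed in this thread (the ",initramfs" option in /etc/crypttab and CRYPTSETUP=y in the cryptsetup-initramfs conf-hook) can both be checked before an image is flashed. The script below is an added example, not code from rpi23-gen-image; the function names and the sample crypttab, conf-hook and lsinitramfs inputs are constructed here, modelled on the listings quoted above.

```shell
#!/bin/sh
# Added example (not part of rpi23-gen-image): pre-flash checks for an
# encrypted-root build, covering both fixes from this issue. All inputs are
# constructed samples so the script runs offline against a chroot listing.

# Print the crypttab mapping names whose options (4th field) lack "initramfs"
# and return 1 if any were found; return 0 when every entry carries it.
crypttab_missing_initramfs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        {
            n = split($4, opt, ","); ok = 0
            for (i = 1; i <= n; i++) if (opt[i] == "initramfs") ok = 1
            if (!ok) { print $1; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Return 0 if the cryptsetup-initramfs conf-hook forces inclusion
# (CRYPTSETUP=y); this is the replacement for the deprecated initramfs.conf key.
conf_hook_forces_cryptsetup() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*CRYPTSETUP=y[[:space:]]*$'
}

# Return 0 if an lsinitramfs listing contains the cryptsetup binary itself;
# hook scripts and crypto modules alone cannot unlock the root device.
initramfs_has_cryptsetup() {
    printf '%s\n' "$1" | grep -q '^usr/sbin/cryptsetup$'
}

# Constructed samples (mapping name "secure" as in the build log above).
CRYPTTAB_BAD='secure /dev/mmcblk0p2 none luks'
CRYPTTAB_OK='# mapping  device  keyfile  options
secure /dev/mmcblk0p2 none luks,initramfs'
CONF_HOOK_OK='CRYPTSETUP=y'
LISTING_BAD='cryptroot
scripts/local-top/cryptroot
usr/lib/modules/4.14.76-v8+/kernel/crypto/xor.ko'
LISTING_OK='usr/lib/cryptsetup/askpass
usr/sbin/cryptsetup'

main() {
    crypttab_missing_initramfs "$CRYPTTAB_BAD" || echo "crypttab: add ,initramfs to the entries printed above"
    conf_hook_forces_cryptsetup "$CONF_HOOK_OK" && echo "conf-hook: cryptsetup forced into initramfs"
    initramfs_has_cryptsetup "$LISTING_BAD" || echo "initramfs: usr/sbin/cryptsetup missing, image will not boot"
}
main
```

On a real chroot, feed the functions with "$(cat "$ETC_DIR/crypttab")", "$(cat "$ETC_DIR/cryptsetup-initramfs/conf-hook")" and "$(lsinitramfs /boot/firmware/initramfs-<version>)" instead of the constructed samples.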

burnbabyburn commented 6 years ago

After updating Debian to buster, which has a much newer qemu, all errors are gone! (of course with the above fixes applied)

drtyhlpr commented 6 years ago

Should be fixed. Feel free to reopen.