unixabg / cryptmypi

Project to assist users in building an encrypted raspberry pi
GNU General Public License v3.0

dropbear remote unlock with _NEWLUKSUUID="yes" => Device /dev/disk/by-uuid/XXX...XXXX doesn't exist or access denied #49

Closed donyshmony closed 2 years ago

donyshmony commented 2 years ago

Hi there @unixabg. First of all, thanks for the GREAT work with this project, BUT now I have a big problem and I am stuck on it: I'm trying to use examples/pios-encrypted-basic-dropbear on a Raspberry Pi (4 Model B Rev 1.2, 4 GB RAM):

rooy@pi-home:/home# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 1
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 2
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 3
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

Hardware        : BCM2711
Revision        : c03112
Serial          : 10000000f4031d51
Model           : Raspberry Pi 4 Model B Rev 1.2

and it boots and accepts the SSH connect but the following messages show up instead of the LUKS password prompt:

Device /dev/disk/by-uuid/609fe123-f56d-4125-ba8d-986a77033580 does not exist or access denied.
Device /dev/disk/by-uuid/609fe123-f56d-4125-ba8d-986a77033580 does not exist or access denied.
Device /dev/disk/by-uuid/609fe123-f56d-4125-ba8d-986a77033580 does not exist or access denied.

And that's all; I can't log in and unlock my RPi. I am using the following config file (I have just updated the image URL and SHA256, and changed _KERNEL_VERSION_FILTER to v8l+):

###############################################################################
## cryptmypi profile ##########################################################

# EXAMPLE OF A SIMPLE ENCRYPTED Raspberry Pi OS CONFIGURATION
#   Will create an encrypted pios system:
#   - during boot the encryption password will be prompted both
#       via the console and ssh on port 2222
#   - with ssh server (available after boot)
#       The id_rsa.pub public key will be added to authorized_keys
#
#   Some optional hooks are defined on stage2:
#   - "optional-sys-rootpassword" that sets root password

# General settings ------------------------------------------------------------
# You need to choose a kernel compatible with your RPi version.
#   - Re4son+ is for armv6 devices (ie. RPi1, RPi0, and RPi0w)
#   - v7+ and v8+ are for the 32bit and 64bit armv7 devices (ie. RPi 3)
#   - l+ is mostly for the RPi4 since one can have 4GB or 8GB versions
#     The l in l+ actually means lpae (Large Physical Address Extensions)
export _KERNEL_VERSION_FILTER="v8l+"

# HOSTNAME
#   Each element of the hostname must be from 1 to 63 characters long and
#   the entire hostname, including the dots, can be at most 253
#   characters long.  Valid characters for hostnames are ASCII(7) letters
#   from a to z, the digits from 0 to 9, and the hyphen (-)
export _HOSTNAME="pi-home"

# BLOCK DEVICE
#   The SD card or USB SD card reader block device
#   - USB drives will show up as the normal /dev/sdb, /dev/sdc, etc.
#   - MMC/SDcards may show up the same way if the card reader is USB-connected.
#   - Internal card readers normally show up as /dev/mmcblk0, /dev/mmcblk1, ...
#   You can use the lsblk command to get an easy quick view of all block
#   devices on your system at a given moment.
export _BLKDEV="/dev/sdc"

# LUKS ENCRYPTION -------------------------------------------------------------
## Encryption Cypher
export _LUKSCIPHER="aes-cbc-essiv:sha256"

## Encryption Password
export _LUKSPASSWD="password"

## Stage2 regenerate luks uuid
# A value of yes generates a new luks uuid for deployment
export _NEWLUKSUUID="yes"

## Encryption Extra
# On rpi0-1-2-3 you may want to reduce the required memory to unlock
#  _LUKSEXTRA="--pbkdf-memory 131072"
export _LUKSEXTRA=""

# LINUX IMAGE FILE ------------------------------------------------------------
export _IMAGEURL=https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2022-01-28/2022-01-28-raspios-bullseye-armhf-lite.zip
export _IMAGESHA="f6e2a3e907789ac25b61f7acfcbf5708a6d224cf28ae12535a2dc1d76a62efbc"

# PACKAGE ACTIONS -------------------------------------------------------------
export _PKGSPURGE=""
export _PKGSINSTALL="tree htop"

# MINIMAL SSH CONFIG ----------------------------------------------------------
#   Keyfile to be used to access the system remotely through ssh.
#   Its public key will be added to the system's root .ssh/authorized_keys
export _SSH_LOCAL_KEYFILE="$_USER_HOME/.ssh/id_rsa"

###############################################################################
## Stage 1 Settings ###########################################################

# Custom Stage1 Profile
#   Check functions/stage1profiles.fns for reference. You may instruct hooks
#   here or you may call one predefined stage1profile functions.
#   Optional function:
#   - if stage1_hooks is not defined, you will be prompted
#   - declare it if you want to skip script prompt predefining it
stage1_hooks(){
    stage1profile_complete
}

###############################################################################
## Stage-2 Settings ###########################################################

# Optional stage 2 hooks
#   If declared, this function is called during stage2 build by the
#   stage2-runoptional hook.
#
#   Optional function: can be omitted.
stage2_optional_hooks(){
    myhooks "optional-sys-rootpassword"
}

###############################################################################
## Optional Hook Settings ####################################################

# ROOT PASSWORD CHANGER settings ----------------------------------------------
# Hooks
#   optional-sys-rootpassword
#       Changes the system root password

## The new root password
export _ROOTPASSWD="root_password"

P.S. Mostly I am using the default config file with one change: export _NEWLUKSUUID="yes" changed to export _NEWLUKSUUID="no"; this way I get an error like this issue: https://github.com/unixabg/cryptmypi/issues/46 If I use your default config file like here: https://github.com/unixabg/cryptmypi/blob/master/examples/pios-encrypted-basic-dropbear/cryptmypi.conf everything is OK, but after apt update -y && apt upgrade -y, I have this error: https://github.com/unixabg/cryptmypi/issues/46

Please help =) and have a nice day @unixabg

unixabg commented 2 years ago

Greetings, thank you for the issue report and detailed information. I am out this week but will get set up to confirm all you submitted soonish. On the upgrading of kernels it can break. In the short term, on #46 see the comment by gemesa and apply it after you upgrade and before reboot on a pristine install.

donyshmony commented 2 years ago

@unixabg Thanks, I am waiting for your support. Cheers! =)

KevinLage commented 2 years ago

I had the same problem; try using this release: https://github.com/unixabg/cryptmypi/releases/tag/v4.9-beta

donyshmony commented 2 years ago

Hi @KevinLage, thanks for the answer. I will take my RPi 4 and work hard on it tomorrow, then give you some feedback! Have a nice day

unixabg commented 2 years ago

Greetings,

Thank you for the report and sorry it took me so long to get set up. I do all pristine runs and a pristine dev VM for almost every issue. The issue does appear to be reproducible, and I am on the rpi3 builds atm. Please know I will work on resolving this issue. Again, thank you for the report.

unixabg commented 2 years ago

Greetings, based on testing, dropbear remote unlock with _NEWLUKSUUID="yes" enabled in the conf file does not work, hence this bug. I have changed the default of _NEWLUKSUUID to "no" in the next-4.x branch for now.
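
An added diagnostic, not part of cryptmypi or of any comment above: the "Device /dev/disk/by-uuid/... does not exist or access denied" message from the opening report is what cryptsetup prints when the by-uuid path it was told to open never appears, and the thread's conclusion is that the regenerate-UUID option (_NEWLUKSUUID="yes") is what triggers it. One assumption worth checking on an affected card is therefore that the crypttab copied into the initramfs still names the old LUKS UUID while the header now carries the regenerated one. The POSIX shell below compares the UUID a crypttab text asks for with the UUID a LUKS header reports; the crypttab text, the header UUID and the /dev/mmcblk0p2 partition path are constructed sample values and assumptions, so on a real device the values come from the commands listed in the comments.

```shell
#!/bin/sh
# Added example (not cryptmypi's own code): detect a stale LUKS UUID in
# crypttab, which makes the initramfs wait for a /dev/disk/by-uuid/<uuid>
# node that will never be created. All sample inputs below are constructed.

# Print the UUID referenced by the first non-comment crypttab entry.
# crypttab format: <target> <source> <keyfile> <options>; the source is
# either "UUID=<uuid>" or a "/dev/disk/by-uuid/<uuid>" path.
crypttab_uuid() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        {
            src = $2
            sub(/^UUID=/, "", src)
            sub(/^\/dev\/disk\/by-uuid\//, "", src)
            print src
            exit
        }'
}

# Return 0 when crypttab and the LUKS header agree, 1 when the initramfs
# would look for a by-uuid path that does not match the header.
# $1 = crypttab text, $2 = UUID reported by the LUKS header
check_luks_uuid() {
    expected=$(crypttab_uuid "$1")
    actual=$2
    if [ "$expected" = "$actual" ]; then
        echo "OK: crypttab and LUKS header both use $actual"
        return 0
    fi
    echo "MISMATCH: crypttab references $expected but header carries $actual"
    echo "          /dev/disk/by-uuid/$expected will not exist at boot"
    return 1
}

# Constructed sample: a crypttab written before the UUID was regenerated
# (using the UUID from the report above), and a made-up post-regeneration
# header UUID.
SAMPLE_CRYPTTAB='# <target> <source> <key> <options>
crypt UUID=609fe123-f56d-4125-ba8d-986a77033580 none luks,initramfs'
SAMPLE_HEADER_UUID='1b2c3d4e-0000-4000-8000-000000000001'

# Demonstration run on the constructed data (expected to report a mismatch;
# the "|| :" keeps the script's exit status clean).
check_luks_uuid "$SAMPLE_CRYPTTAB" "$SAMPLE_HEADER_UUID" || :

# On the real device, run as root (partition path is an assumption):
#   cryptsetup luksUUID /dev/mmcblk0p2                   # header UUID
#   grep -v '^#' /etc/crypttab                           # UUID the system expects
#   lsinitramfs /boot/initrd.img-* | grep -i crypttab    # confirm a copy is baked in
# If they differ, correct /etc/crypttab (and any fstab/cmdline reference)
# and rebuild with: update-initramfs -u
```

The check deliberately parses only the first active crypttab entry, which is the root device on a cryptmypi build; if a header UUID ever disagrees with it, rebuilding the initramfs after the UUID change (rather than before) is the fix to verify, and running the comparison again after `update-initramfs -u` confirms it.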