Testing initramfs-tools integration
Max Vozeler
max at nusquama.org
Sat Dec 2 16:30:44 CET 2006
Hi all,
I installed a few test systems today to test the initramfs-tools
integration in 2.12p-15 (unreleased). Overall the process was very
smooth - I installed one system normally using d-i, copied the root
partition to an encrypted partition and switched manually. This
mostly worked fine. There were some mostly minor problems though:
1. Following README, I added "INITRAMFS_LOOPAES=auto" to /etc/
initramfs-tools/initramfs.conf and went to do update-initramfs to get
the scripts, tools and everything included. To my surprise the initramfs
was built without support for loop-AES. Putting some debug statements
into the hook-script revealed that the variable INITRAMFS_LOOPAES was
not initialized. It seems like vars from the initramfs.conf are not
exported to hook scripts. If this is correct, should we perhaps try to
source the config in the hook script? This could be tricky as only
CONFDIR gets exported, not the name of the config file.
2. During initramfs generation and boot there was a warning about
the cipher 'AES128' being unknown; Looking at the code, it seems the
cipher is passed to decode_cipher with verbatim quotes around it. The
attached patch gets rid of the warning for me, but probably breaks
loading of ciphers which include whitespace. The warning is harmless
though in that it didn't cause problems for the boot process.
3. Trying to find the cause for problem 2, I called update-initramfs
-u a couple of time to update the initramfs. I forgot about problem 1
and didn't specify INITRAMFS_LOOPAES, so the resulting initramfs didn't
include loop-AES support. Since I was so clever to do it a few times,
the backup initramfs (initrd.img-$KVERS.bak) was overwritten too, and
on next boot I noticed that I had turned my root partition into a large
blob of random-looking data as the only place the keyfile was stored
now was on the encrypted root partition ;-)
I think we could do something to help prevent getting systems into
such a state: README could mention that one should backup the key files
(and keys, if the keyfile is encrypted asymmetrically) somewhere outside
the encrypted root partition so that the system can still be repaired in
case the initramfs gets lost, overwritten or some other thing happens to
it. And/or we could check if the currently booted system has its root
partition on loop-AES and output a strong warning in case the initramfs
being generated cannot be used to boot it.
4. During boot there was another warning: "/scripts/local-top/loopaes:
<linenum>: modprobe -q: not found". This appears to be due to the call
to iterate_cipher_module "modprobe -q" "$rootencryption". The shell
tries to execute $1 ("modprobe -q"), cannot find it and returns.
Leaving aside the minor problems, I think it's great how smooth one
can make a system boot from loop-AES encrypted root now :-) And I feel a
bit bad about having so little time currently that inclusion was delayed
so much. Lionel, once you feel it is ready and we've fixed at least
problem 1) above, I think we should finally upload to unstable.
cheers,
Max
-------------- next part --------------
Index: debian/initramfs-tools-hook
===================================================================
--- debian/initramfs-tools-hook (revision 1332)
+++ debian/initramfs-tools-hook (working copy)
@@ -93,7 +93,7 @@
for opt in $rootoptions; do
case "$opt" in
encryption=*)
- cipher="$(decode_cipher \"${opt#encryption=}\")"
+ cipher="$(decode_cipher ${opt#encryption=})"
if [ -n "$cipher" ]; then
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
fi
Index: debian/initramfs-tools-script
===================================================================
--- debian/initramfs-tools-script (revision 1332)
+++ debian/initramfs-tools-script (working copy)
@@ -78,7 +78,7 @@
for opt in $loopaes_opts; do
case $opt in
encryption=*)
- cipher="$(decode_cipher \"${opt#encryption=}\")"
+ cipher="$(decode_cipher ${opt#encryption=})"
if [ -n "$cipher" ]; then
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
fi
More information about the Pkg-loop-aes-maint
mailing list