initrd.img is not containing all required directories

iacchi · 03-16-2019, 08:19 PM

Hello,
I'm installing a new system with testing and I have root filesystem encrypted with luks (but not /boot). To unlock it automatically at boot with a usb key, I'm following this guide, which I have already successfully employed on another system of mine (this one with stable). While, as I said, this guide works like a charm on my other system, with the machine I'm configuring now it fails miserably. At boot I get errors when the time comes to unlock luks devices and the boot process is interrupted, leaving me with the initramfs prompt (busybox), from which I can unlock the two devices (root and swap) and resume boot (which in the end works).

After a lot of debugging, I have finally found the root of my problem: the initrd.img file in the new machine does not contain a lot of the directories that my other working machine has, and some of the missing directories contain the scripts that automate luks opening. To give you a better idea, I have extracted initrd.img files on both system using unmkinitramfs. This is the output of ls -l of the extracted initrd.img directory (actually, its "main" subdirectory) on the working machine:

Code:

drwxr-xr-x 2 root root 3660 mar 17 01:39 bin
drwxr-xr-x 3 root root  120 mar 17 01:39 conf
drwxr-xr-x 7 root root  260 mar 17 01:39 etc
-rwxr-xr-x 1 root root 5960 apr 24  2017 init
drwxr-xr-x 9 root root  200 mar 17 01:39 lib
drwxr-xr-x 2 root root   60 mar 17 01:39 lib64
drwxr-xr-x 2 root root   40 feb 24 21:39 run
drwxr-xr-x 2 root root 1200 mar 17 01:39 sbin
drwxr-xr-x 8 root root  220 mar 17 01:39 scripts
drwxr-xr-x 3 root root   60 mar 17 01:39 usr

and this is the output of the same command on the non-working machine:

Code:

lrwxrwxrwx 1 root root    7 mar 17 01:58 bin -> usr/bin
drwxr-xr-x 1 root root   72 mar 17 01:57 conf
drwxr-xr-x 1 root root   16 mar 17 01:57 cryptroot
drwxr-xr-x 1 root root  146 mar 17 01:57 etc
-rwxr-xr-x 1 root root 6338 feb  6 04:48 init
lrwxrwxrwx 1 root root    7 mar 17 01:58 lib -> usr/lib
lrwxrwxrwx 1 root root    9 mar 17 01:58 lib32 -> usr/lib32
lrwxrwxrwx 1 root root    9 mar 17 01:58 lib64 -> usr/lib64
lrwxrwxrwx 1 root root   10 mar 17 01:58 libx32 -> usr/libx32
drwxr-xr-x 1 root root    0 mar 17 01:57 run
lrwxrwxrwx 1 root root    8 mar 17 01:58 sbin -> usr/sbin
drwxr-xr-x 1 root root  164 mar 17 01:57 scripts
drwxr-xr-x 1 root root   62 mar 17 01:57 usr

As you can see, the bin, sbin and lib* directories are symlinks to the related directories in the root filesystem, rather than being actual directories integrated in the initrd.img file. Since the root filesystem is still locked at this stage, all these become unaccessible and boot fails.

Now for the question: how can I make all these directories be included in the actual initrd.img file, rather than just having symlinks? As the guide explains, the two files that I need for the automatic unlocking to work should be in the "lib/cryptsetup/scripts" and "lib/udev/rules.d/" directories inside the initrd.img files, which are not present.

Brains · 03-16-2019, 09:52 PM

In the guide you posted there is this file you create: /etc/initramfs-tools/hooks/udevusbkey, couldn't you just change the directory to where the file is? I highlighted it in red.

Code:

#!/bin/sh
# udev-usbkey script

PREREQ="udev"
prereqs()
{
echo "$PREREQ"
}

case $1 in
prereqs)
prereqs
exit 0
;;
esac

. /usr/share/initramfs-tools/hook-functions

# Copy across relevant rules

cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/usr/lib/udev/rules.d/

exit 0

In the guide, it states " The keyscript should have been copied into the “lib/cryptsetup/scripts” directory", I'm a little confused as to how it get's copied here, maybe it is the file /etc/crypttab created/edited in step #3 that enables this to happen. But if the keyscript (unlockusbkey.sh) is actually in /usr/lib/cryptsetup/scripts/unlockusbkey.sh, change the kernel line in /etc/default/grub to reflect this path as such:

Code:

GRUB_CMDLINE_LINUX_DEFAULT="cryptopts=target=sda2_crypt,source=/dev/disk/by-uuid/uuid-goes-here,lvm=vg-your-root,keyscript=/usr/lib/cryptsetup/scripts/unlockusbkey.sh"

iacchi · 03-17-2019, 03:48 AM

Dear Brains, thank you for your answer. I don't know exactly how the keyscript gets copied into the "lib/cryptsetup/scripts" directory, but it does (in the system that works at least). Changing the script path as you say won't work because, as I mentioned in my first post, /usr (together with the rest of the root filesystem) at that point in the boot is still locked by luks and is therefore inaccessible. This stuff really needs to be inside the initramfs, because anything in the root filesystem cannot be read.

iacchi · 03-17-2019, 04:23 PM

I have solved the issue. I had a closer look at the initram filesystem and in turns out that the two files I need to unlock the drive are in the filesystem, but in different locations compared to what the guide says. I've modified the scripts to reflect this change and modified the grub boot menu and now everything is working fine.