[dm-crypt] ing rootfs without initramfs

Bryan Kadzban bryan at kadzban.is-a-geek.net
Sun Jul 21 07:40:58 CEST 2013


Milan Broz wrote:
> On 07/20/2013 09:36 PM, ebelcrom ebelcrom wrote:
> 
>> I played around with dm-crypt without using initramfs for 
>> en-/decryption of my root file system. The rootfs is encrypted
>> plain with cryptsetup and the key is stored at the disk containing
>> the rootfs between MBR and the partition. The kernel parameter
>> given to it from the bootloader is configured as it should be
>> (cryptdevice, cryptkey, root mapper). The disk driver (loaded
>> before) is built-in as well as dm-crypt (loaded after). The message
>> I got at boot time is this (cr_rootfs is the encrypted rootfs):
>> 
>> VFS: Cannot open root device "mapper/cr_rootfs" or 
>> unknown-block(0,0)
>> 
>> According to some hints in the web there is no need to have an 
>> initramfs. Is that true? If yes what are the steps to get there and
>> what should I keep into account?
> 
> I think the only possibility is to use GRUB2 which should understand 
> LUKS directly and boot from it. (Not sure about plain dmcrypt
> device).

So I've never tried it myself (I'm using a pretty simple initramfs I
wrote in shell for my luks-rootfs setup), but I'm not sure how this can
work.

Because no bootloader mounts the rootfs.  They only find the kernel code
(and, if configured, the initramfs image), load it (or them) into
memory, and jump to the kernel's init code, transferring control of the
machine to the kernel.  (There's a protocol to tell the kernel about the
initramfs if one is present.)

The kernel either runs the initramfs's /init program, or mounts the
rootfs itself and runs /sbin/init.  (Or whatever you set init= to on the
kernel command line.)

(Plus there's the fact that the kernel can't automount luks.)


More information about the dm-crypt mailing list