[dm-crypt] ing rootfs without initramfs

Will Drewry wad at chromium.org
Mon Jul 22 05:51:40 CEST 2013


On Sun, Jul 21, 2013 at 3:47 AM, Milan Broz <gmazyland at gmail.com> wrote:
> On 21.7.2013 7:40, Bryan Kadzban wrote:
>>
>> Milan Broz wrote:
>>>
>>> On 07/20/2013 09:36 PM, ebelcrom ebelcrom wrote:
>>>
>>>> I played around with dm-crypt without using initramfs for
>>>> en-/decryption of my root file system. The rootfs is encrypted
>>>> plain with cryptsetup and the key is stored at the disk containing
>>>> the rootfs between MBR and the partition. The kernel parameter
>>>> given to it from the bootloader is configured as it should be
>>>> (cryptdevice, cryptkey, root mapper). The disk driver (loaded
>>>> before) is built-in as well as dm-crypt (loaded after). The message
>>>> I got at boot time is this (cr_rootfs is the encrypted rootfs):
>>>>
>>>> VFS: Cannot open root device "mapper/cr_rootfs" or
>>>> unknown-block(0,0)
>>>>
>>>> According to some hints on the web there is no need to have an
>>>> initramfs. Is that true? If yes, what are the steps to get there and
>>>> what should I take into account?
>>>
>>>
>>> I think the only possibility is to use GRUB2 which should understand
>>> LUKS directly and boot from it. (Not sure about plain dmcrypt
>>> device).
>>
>>
>> So I've never tried it myself (I'm using a pretty simple initramfs I
>> wrote in shell for my luks-rootfs setup), but I'm not sure how this can
>> work.
>>
>> Because no bootloader mounts the rootfs.  They only find the kernel code
>> (and, if configured, the initramfs image), load it (or them) into
>> memory, and jump to the kernel's init code, transferring control of the
>> machine to the kernel.  (There's a protocol to tell the kernel about the
>> initramfs if one is present.)
>>
>> The kernel either runs the initramfs's /init program, or mounts the
>> rootfs itself and runs /sbin/init.  (Or whatever you set init= to on the
>> kernel command line.)
>>
>> (Plus there's the fact that the kernel can't automount luks.)
>
>
> Yes, GRUB2 solves just the initial kernel boot load; you cannot map any
> device-mapper device (that includes crypt but also LVM etc.) without
> userspace tools...
>
> Seems I answered a different question, sorry :)
>
> Anyway, there were tries to add kernel boot parameters for DM
> e.g. http://article.gmane.org/gmane.linux.kernel/988034

FWIW, I'll try to add these again soon and see how it goes!  They
weren't outright rejected :)
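
The thread's conclusion is that the kernel alone cannot set up a device-mapper target for the root device, so some userspace must run first; Bryan mentions doing this with a small shell initramfs. The following is an added example of what such a minimal /init looks like, written for this page rather than taken from the thread or from any participant's setup. It assumes busybox-style tools in the initramfs (sh, mount, switch_root), cryptsetup being present, and a `cryptkey=DEV:OFFSET:SIZE` layout for the raw key stored on disk; the cipher spec, key size and the `cryptdevice=` / `cryptkey=` parameter names follow the original poster's description but are placeholders that must match how the rootfs was actually created.

```shell
#!/bin/sh
# Added example: minimal initramfs /init that opens a plain dm-crypt root
# device from kernel command-line parameters and hands control to the real
# init. Not code from the mailing-list thread. Parameter names and the
# key-location format (cryptkey=DEV:OFFSET:SIZE) are assumptions.

# Assumed cipher spec; plain mode has no header, so a mismatch silently
# yields garbage instead of an error.
CIPHER=aes-xts-plain64
KEY_BITS=512

# cmdline_get CMDLINE NAME: print the value of the first NAME=value word in
# CMDLINE (empty if absent). Pure string handling, so it can be tested
# outside an initramfs.
cmdline_get() {
    cmdline=$1
    name=$2
    for word in $cmdline; do
        case $word in
            "$name"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    printf '\n'
    return 0
}

# cryptkey_parse DEV:OFFSET:SIZE: split the assumed key-location format into
# KEY_DEV, KEY_OFFSET (bytes into the device) and KEY_SIZE (bytes to read).
cryptkey_parse() {
    KEY_DEV=${1%%:*}
    rest=${1#*:}
    KEY_OFFSET=${rest%%:*}
    KEY_SIZE=${rest#*:}
}

# Drop to a shell instead of panicking when the root device cannot be opened.
rescue_shell() {
    echo "init: cannot set up root device, starting rescue shell" >&2
    exec /bin/sh
}

init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev

    cmdline=$(cat /proc/cmdline)
    cryptdev=$(cmdline_get "$cmdline" cryptdevice)   # e.g. /dev/sda2
    cryptkey=$(cmdline_get "$cmdline" cryptkey)      # e.g. /dev/sda:2048:512
    rootdev=$(cmdline_get "$cmdline" root)           # e.g. /dev/mapper/cr_rootfs
    realinit=$(cmdline_get "$cmdline" init)
    [ -n "$realinit" ] || realinit=/sbin/init

    [ -n "$cryptdev" ] && [ -n "$cryptkey" ] && [ -n "$rootdev" ] || rescue_shell
    cryptkey_parse "$cryptkey"

    # Read the raw key directly from the disk area the poster describes and
    # create the dm-crypt mapping the kernel could not create by itself.
    cryptsetup open --type plain \
        --cipher "$CIPHER" --key-size "$KEY_BITS" \
        --key-file "$KEY_DEV" --keyfile-offset "$KEY_OFFSET" --keyfile-size "$KEY_SIZE" \
        "$cryptdev" "$(basename "$rootdev")" || rescue_shell

    mkdir -p /newroot
    mount -o ro "$rootdev" /newroot || rescue_shell

    umount /proc /sys
    mount --move /dev /newroot/dev
    exec switch_root /newroot "$realinit"
}

# Only act as init when actually running as PID 1; sourcing or running the
# file elsewhere just defines the functions above.
if [ "$$" = 1 ]; then
    init_main
fi
```

The parsing functions are kept separate from the privileged part so the command-line handling can be exercised on a normal system; only `init_main` touches devices, and it refuses to continue when any of the three required parameters is missing rather than letting cryptsetup or mount fail with a less obvious error.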
