[dm-crypt] Kernel panic, cannot mount root fs on unknown block (hd0, 0)

Sven Eschenberg sven at whgl.uni-frankfurt.de
Mon Sep 22 18:10:14 CEST 2014


First of your problems are very distributzion specific.

The kernel complains that it cannot find the block device that was passed
via root= parameter (without root= it will probably use the first hd block
device it sees as fallback).

On Mon, September 22, 2014 00:50, vaskez at airmail.cc wrote:
> Several times I have set up virtual machines to test the cryptsetup
> software. I can create and remove the encrypted volumes just fine and
> mount them, however whenever I am finished setting up my system and
> reboot, my kernel panics, ends, then says that it cannot mount root fs
> on unknown block (hd0,0). I am sure that it is not a misconfiguration
> with the kernel, as I have built kernels for unencrypted systems and
> they have booted fine. Some information:
>
> The encrypted volumes are created with:
> cryptsetup -y -v -c serpent-xts-plain -s 512 -h sha512 create dmname
> device
>
> Previous partition layouts was like such:
> /dev/sda1 +b   Linux                  100M  (/boot) (not encrypted)
> /dev/sda2      Linux Swap / Solaris   2G    (swap)
> /dev/sda3      Linux                  10G   (root)
> /dev/sda4      Extended
> /dev/sda5      Linux                  2G    (/var)
> /dev/sda6      Linux                  6G    (/home)
>
> This last time the layout was like such:
> /dev/sda1 +b    Linux                 100M  (/boot) (not encrypted)
> /dev/sda2       Linux LVM             2G    (swap)
> /dev/sda3       Linux LVM             10G   (root)
> /dev/sda4       Extended
> /dev/sda5       Linux LVM             2G    (/var)
> /dev/sda6       Linux LVM             6G    (/home)
>
> The distribution I am using is Gentoo with a custom (to test at one
> time) and modified i386_defconfig (every other time) kernel patched with
> GRSecurity.
>
> This last time installing cryptsetup I made sure to install packages in
> a specific order, like installing cryptsetup before grub legacy and
> still got the same error. I had set root (hd0,0) in grub command line
> and setup (hd0) on the command line. At one time I had tested setup on
> (hd0,0), still the same error. When issuing grub-install /dev/sda in
> bash, it will say that df cannot read filesystems and that it cannot
> read a device map file, so I had to install grub in grub command shell.

Grub is its own thing, does the bootloader load the kernel from an
encrypted fs? grub legacy? grub 2?

>
> I install cryptsetup from portage with USE="-thin" emerge -avtq
> cryptsetup. -thin does not install thin provisioning tools and the boost
> sys utils which I assume are very big because they take very long to
> install.

cryptsetup does not have any thin use flag afaik, lvm2 is the one using
thin provisioning ...
>
> After installing cryptsetup, I configure /etc/crypttab (which does not
> exist) as follows:
> swap   /dev/mapper/swap   /dev/urandom
> swap,cipher=serpent-xts-plain,size=512,hash=sha512
> root   /dev/mapper/swap   none
> root,cipher=serpent-xts-plain,size=512,hash=sha512
> var    /dev/mapper/swap   none
> var,cipher=serpent-xts-plain,size=512,hash=sha512
> home   /dev/mapper/swap   none
> home,cipher=serpent-xts-plain,size=512,hash=sha512

Gentoo does not really use crypttab, does it? instead it will use dmcrypt
in conf.d (for SYSVinit), might use crypttab for systemd though.

>
> /etc/fstab looks like:
> /dev/sda1           /boot       ext2   noauto,noatime      0 2
> /dev/mapper/swap    none        swap   sw                  0 0
> /dev/mapper/root    /           ext4   defaults,relatime   0 1
> /dev/mapper/var     /var        ext4   defaults,relatime   0 1
> /dev/mapper/home    /home       ext4   defaults,relatime   0 0
> /dev/cdrom          /mnt/cdrom  auto   noauto,user         0 0
>

fstab does not really matter when the kernel tries to mount the root
filesystem, fstab won't be needed until fscking or so...

> I append the output of dmsetup tables to /etc/dmtab as the file says to
> do, and then configure /etc/conf.d/dmcrypt to the following lines:
> target=swap
> source='/dev/sda2'
> key='/dev/urandom'
> options='-c serpent-xts-plain -s 512 -h sha512'
>
> target=root
> source='/dev/sda3'
> options='-c serpent-xts-plain -s 512 -h sha512'
>
> target=var
> source='/dev/sda5'
> options='-c serpent-xts-plain -s 512 -h sha512'
>
> target=home
> source='/dev/sda6'
> options='-c serpent-xts-plain -s 512 -h sha512'
>

Okay, so I presume you do use SYSVinit. Again, dmcrypt won't be needed
until the boot runlevel is reached, you problem starts WAY before this.

> I also add lvm and dmcrypt to the boot runlevel. Kernel parameters are
> set as follows:
> kernel /boot/kernel cryptdevice=/dev/sda3:root
> crypto=sha512:serpent-xts-plain:512:0 root=/dev/mapper/root quiet

Unfortunately you don't say anything about your initrd/initramfs, because
at some point during early boot you'll have to provide the passphrase.

You are telling the kernel to use /dev/mapper/root which in turns seems to
be missing when the kernel tries to mount it.

That being said, the other options are obviously for your initramfs which
in turn should run cryptsetup. These should be documented by the
initramfs/initrd generator used. The initramfs/initrd should usually drop
you to a rescue shell. This way you could check what actually happened
etc.

As your GRUB line does not include an initramfs, how do you actually
provide the masterkey to cryptsetup and run cryptsetup? Or did you
piggy-back the initramfs?

>
> I have shifted and removed parts of these options in various ways
> possibly 15 or more different ways and nothing has worked.
>
> After all of this none of it works. I reboot and get a kernel panic, and
> then it says: VFS: root fs cannot be mounted on unknown block (hd0,0).
> And yes I have set LVM and DM_CRYPT options etc in the kernel.

I hope I could help to look in the right place for the necessary
information etc.

Regards

-Sven




More information about the dm-crypt mailing list