[dm-crypt] Kernel panic, cannot mount root fs on unknown block (hd0, 0)

vaskez at airmail.cc vaskez at airmail.cc
Thu Sep 25 21:25:19 CEST 2014


Thank you for your replies. Creating an initramfs image did the trick. 
The only problem as of now is that the initramfs image fails to prompt 
for the passphrase to the root partition. It will drop me into a rescue 
shell, and from there I can use cryptsetup on the command line to 
decrypt the root partition, then I must exit and it will continue 
booting as normal. I hit OpenRC from there and the rest of my partitions 
prompt for a passphrase. I created an initramfs image with dracut with 
these options:
dracut -a "lvm dm crypt" -H --xz --strip initrd.img

I am still using these kernel parameters:
cryptdevice=/dev/sda3:root crypto=sha512:serpent-xts-plain:512 root=/dev/mapper/root net.ifnames=0 quiet

Are there other parameters that I should be using? Perhaps something 
from dracut? I do not know of kernel parameters that can be accepted by 
the kernel or where to find them; I have only used what has been shown 
on the Arch Linux wiki on dm-crypt plain.

Also, whenever I halt my system it will print some 30 lines of ioctl 
complaining that the root fs is still in use, then quit. I do not think 
this is much of a problem, because it will skip it and umount the other 
filesystems, then mount root as ro and finally shut down. Do you think 
that this is a problem? If so, how would I be able to stop it?

> First off, your problems are very distribution specific.
> 
> The kernel complains that it cannot find the block device that was passed
> via root= parameter (without root= it will probably use the first hd block
> device it sees as fallback).
> 
> On Mon, September 22, 2014 00:50, vaskez at airmail.cc wrote:
>> Several times I have set up virtual machines to test the cryptsetup
>> software. I can create and remove the encrypted volumes just fine and
>> mount them, however whenever I am finished setting up my system and
>> reboot, my kernel panics, ends, then says that it cannot mount root fs
>> on unknown block (hd0,0). I am sure that it is not a misconfiguration
>> with the kernel, as I have built kernels for unencrypted systems and
>> they have booted fine. Some information:
>> 
>> The encrypted volumes are created with:
>> cryptsetup -y -v -c serpent-xts-plain -s 512 -h sha512 create dmname device
>> 
>> The previous partition layout was like such:
>> /dev/sda1 +b   Linux                  100M  (/boot) (not encrypted)
>> /dev/sda2      Linux Swap / Solaris   2G    (swap)
>> /dev/sda3      Linux                  10G   (root)
>> /dev/sda4      Extended
>> /dev/sda5      Linux                  2G    (/var)
>> /dev/sda6      Linux                  6G    (/home)
>> 
>> This last time the layout was like such:
>> /dev/sda1 +b    Linux                 100M  (/boot) (not encrypted)
>> /dev/sda2       Linux LVM             2G    (swap)
>> /dev/sda3       Linux LVM             10G   (root)
>> /dev/sda4       Extended
>> /dev/sda5       Linux LVM             2G    (/var)
>> /dev/sda6       Linux LVM             6G    (/home)
>> 
>> The distribution I am using is Gentoo with a custom (to test at one
>> time) and modified i386_defconfig (every other time) kernel patched with
>> GRSecurity.
>> 
>> This last time installing cryptsetup I made sure to install packages in
>> a specific order, like installing cryptsetup before grub legacy and
>> still got the same error. I had set root (hd0,0) in grub command line
>> and setup (hd0) on the command line. At one time I had tested setup on
>> (hd0,0), still the same error. When issuing grub-install /dev/sda in
>> bash, it will say that df cannot read filesystems and that it cannot
>> read a device map file, so I had to install grub in grub command shell.
> 
> Grub is its own thing, does the bootloader load the kernel from an
> encrypted fs? grub legacy? grub 2?
> 
>> 
>> I install cryptsetup from portage with USE="-thin" emerge -avtq
>> cryptsetup. -thin does not install thin provisioning tools and the boost
>> sys utils which I assume are very big because they take very long to
>> install.
> 
> cryptsetup does not have any thin use flag afaik, lvm2 is the one using
> thin provisioning ...
>> 
>> After installing cryptsetup, I configure /etc/crypttab (which does not
>> exist) as follows:
>> swap   /dev/mapper/swap   /dev/urandom   swap,cipher=serpent-xts-plain,size=512,hash=sha512
>> root   /dev/mapper/swap   none           root,cipher=serpent-xts-plain,size=512,hash=sha512
>> var    /dev/mapper/swap   none           var,cipher=serpent-xts-plain,size=512,hash=sha512
>> home   /dev/mapper/swap   none           home,cipher=serpent-xts-plain,size=512,hash=sha512
> 
> Gentoo does not really use crypttab, does it? Instead it will use dmcrypt
> in conf.d (for SYSVinit), might use crypttab for systemd though.
> 
>> 
>> /etc/fstab looks like:
>> /dev/sda1           /boot       ext2   noauto,noatime      0 2
>> /dev/mapper/swap    none        swap   sw                  0 0
>> /dev/mapper/root    /           ext4   defaults,relatime   0 1
>> /dev/mapper/var     /var        ext4   defaults,relatime   0 1
>> /dev/mapper/home    /home       ext4   defaults,relatime   0 0
>> /dev/cdrom          /mnt/cdrom  auto   noauto,user         0 0
>> 
> 
> fstab does not really matter when the kernel tries to mount the root
> filesystem, fstab won't be needed until fscking or so...
> 
>> I append the output of dmsetup tables to /etc/dmtab as the file says to
>> do, and then configure /etc/conf.d/dmcrypt to the following lines:
>> target=swap
>> source='/dev/sda2'
>> key='/dev/urandom'
>> options='-c serpent-xts-plain -s 512 -h sha512'
>> 
>> target=root
>> source='/dev/sda3'
>> options='-c serpent-xts-plain -s 512 -h sha512'
>> 
>> target=var
>> source='/dev/sda5'
>> options='-c serpent-xts-plain -s 512 -h sha512'
>> 
>> target=home
>> source='/dev/sda6'
>> options='-c serpent-xts-plain -s 512 -h sha512'
>> 
> 
> Okay, so I presume you do use SYSVinit. Again, dmcrypt won't be needed
> until the boot runlevel is reached, your problem starts WAY before this.
> 
>> I also add lvm and dmcrypt to the boot runlevel. Kernel parameters are
>> set as follows:
>> kernel /boot/kernel cryptdevice=/dev/sda3:root crypto=sha512:serpent-xts-plain:512:0 root=/dev/mapper/root quiet
> 
> Unfortunately you don't say anything about your initrd/initramfs, because
> at some point during early boot you'll have to provide the passphrase.
> 
> You are telling the kernel to use /dev/mapper/root which in turn seems to
> be missing when the kernel tries to mount it.
> 
> That being said, the other options are obviously for your initramfs which
> in turn should run cryptsetup. These should be documented by the
> initramfs/initrd generator used. The initramfs/initrd should usually drop
> you to a rescue shell. This way you could check what actually happened
> etc.
> 
> As your GRUB line does not include an initramfs, how do you actually
> provide the masterkey to cryptsetup and run cryptsetup? Or did you
> piggy-back the initramfs?
> 
>> 
>> I have shifted and removed parts of these options in various ways
>> possibly 15 or more different ways and nothing has worked.
>> 
>> After all of this none of it works. I reboot and get a kernel panic, and
>> then it says: VFS: root fs cannot be mounted on unknown block (hd0,0).
>> And yes I have set LVM and DM_CRYPT options etc in the kernel.
> 
> I hope I could help to look in the right place for the necessary
> information etc.
> 
> Regards
> 
> -Sven
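
The manual step from the rescue shell, written out as an added example (not part of the original message, and not dracut's or Arch's own code): a hypothetical shell function `plain_open_cmd` that reads the `cryptdevice=` and `crypto=` parameters quoted above and prints the matching plain-mode `cryptsetup` call. It assumes the Arch wiki field order `crypto=hash:cipher:keysize:offset:skip`.

```shell
#!/bin/sh
# Added example (not from the thread): turn Arch-style cryptdevice=/crypto=
# kernel parameters into the cryptsetup call for a plain dm-crypt mapping.
# Assumed field order: crypto=hash:cipher:keysize:offset:skip

# plain_open_cmd CMDLINE   (hypothetical helper name)
# Prints the cryptsetup command; returns 1 if the parameters are missing.
plain_open_cmd() {
    cryptdevice='' crypto=''
    for arg in $1; do
        case "$arg" in
            cryptdevice=*) cryptdevice=${arg#cryptdevice=} ;;
            crypto=*)      crypto=${arg#crypto=} ;;
        esac
    done
    # Both parameters are required, and cryptdevice must be device:name.
    [ -n "$cryptdevice" ] && [ -n "$crypto" ] || return 1
    case "$cryptdevice" in *:*) ;; *) return 1 ;; esac

    dev=${cryptdevice%%:*}      # e.g. /dev/sda3
    name=${cryptdevice#*:}      # e.g. root
    name=${name%%:*}            # drop any trailing :options field

    # Split the colon-separated crypto= value; missing fields stay empty.
    IFS=: read -r hash cipher size offset skip <<EOF
$crypto
EOF

    # Plain mode has no on-disk header, so every parameter must be passed
    # explicitly and must match the values used when the volume was created.
    cmd="cryptsetup open --type plain"
    [ -n "$hash" ]   && cmd="$cmd --hash $hash"
    [ -n "$cipher" ] && cmd="$cmd --cipher $cipher"
    [ -n "$size" ]   && cmd="$cmd --key-size $size"
    [ -n "$offset" ] && cmd="$cmd --offset $offset"
    [ -n "$skip" ]   && cmd="$cmd --skip $skip"
    printf '%s %s %s\n' "$cmd" "$dev" "$name"
}

# Constructed sample: the parameter line quoted in the message above.
SAMPLE='cryptdevice=/dev/sda3:root crypto=sha512:serpent-xts-plain:512 root=/dev/mapper/root net.ifnames=0 quiet'
plain_open_cmd "$SAMPLE"
```

The printed command prompts for the passphrase when run in the initramfs rescue shell; after that, `/dev/mapper/root` exists for the `root=` parameter to find.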

