[arch-general] LUKS, SD card reader and initramfs
I have a setup where I use LVM on LUKS to encrypt all system partitions (except /boot of course). Currently I have to input the LUKS password every time to unlock the volume. I wanted to be able to get the key from an SD card(1) so I don't have to type the password every single time, but I've run into a problem I haven't been able to solve and I'm out of ideas.

Here is what I've done/tried. I have got myself an SD card and confirmed it works fine before trying anything else. I have set up everything according to the wiki to store the key between the MBR and the first partition. I've added the cryptkey= entry to the kernel command line. I've added the card reader drivers to the MODULES line in /etc/mkinitcpio.conf and rebuilt the initramfs. I've confirmed that the modules have been added. Rebooted to try it out.

This is where the problems start: once the drivers for the card reader get loaded I get spammed with messages like:

mmcblk0: error -110 transferring data, sector 0, nr 8, cmd response 0x900, card status 0xb00
mmcblk0: error -110 transferring data, sector 1, nr 7, cmd response 0x900, card status 0x0
end_request: I/O error, dev mmcblk0, sector 1
Buffer I/O error on device mmcblk0, logical block 0

This happens even if I don't try to access the card to get the encryption key. The messages only stop after I remove the card.

The drivers I have explicitly included in the initramfs are: sdhci-pci and mmc_block. sdhci and mmc_core get pulled in as dependencies of sdhci-pci. I have also tried to include the drivers for the other modules of the card reader, such as memory stick support and firewire, since they are all hanging on the same controller, but that didn't make any difference.

Since this works fine after the machine has booted I thought I might need to include some udev rule, but grepping through the rules I don't see anything that looks to be needed.
The only stuff that comes up is persistent naming link creation and some udisks{,2} stuff that I suppose are meant for icon presentation or something like that. Using 'udevadm monitor' also doesn't show anything that seems to be special; this is what I get when I insert the card:

KERNEL[7650.629820] add /devices/pci0000:00/0000:00:14.4/0000:07:01.1/mmc_host/mmc0/mmc0:b368 (mmc)
KERNEL[7650.631034] add /devices/virtual/bdi/179:0 (bdi)
UDEV  [7650.633731] add /devices/pci0000:00/0000:00:14.4/0000:07:01.1/mmc_host/mmc0/mmc0:b368 (mmc)
KERNEL[7650.634430] add /devices/pci0000:00/0000:00:14.4/0000:07:01.1/mmc_host/mmc0/mmc0:b368/block/mmcblk0 (block)
KERNEL[7650.634494] add /devices/pci0000:00/0000:00:14.4/0000:07:01.1/mmc_host/mmc0/mmc0:b368/block/mmcblk0/mmcblk0p1 (block)
UDEV  [7650.635568] add /devices/virtual/bdi/179:0 (bdi)
UDEV  [7650.747593] add /devices/pci0000:00/0000:00:14.4/0000:07:01.1/mmc_host/mmc0/mmc0:b368/block/mmcblk0 (block)
UDEV  [7650.866726] add /devices/pci0000:00/0000:00:14.4/0000:07:01.1/mmc_host/mmc0/mmc0:b368/block/mmcblk0/mmcblk0p1 (block)

The hardware:
lspci -v -s 07:01
07:01.0 FireWire (IEEE 1394): Ricoh Co Ltd R5C832 IEEE 1394 Controller (rev 05) (prog-if 10 [OHCI])
        Subsystem: Packard Bell B.V. Device c109
        Flags: bus master, medium devsel, latency 64, IRQ 21
        Memory at feaff800 (32-bit, non-prefetchable) [size=2K]
        Capabilities: <access denied>
        Kernel driver in use: firewire_ohci

07:01.1 SD Host controller: Ricoh Co Ltd R5C822 SD/SDIO/MMC/MS/MSPro Host Adapter (rev 22)
        Subsystem: Packard Bell B.V. Device c109
        Flags: bus master, medium devsel, latency 64, IRQ 22
        Memory at feaff400 (32-bit, non-prefetchable) [size=256]
        Capabilities: <access denied>
        Kernel driver in use: sdhci-pci

07:01.2 System peripheral: Ricoh Co Ltd R5C592 Memory Stick Bus Host Adapter (rev 12)
        Subsystem: Packard Bell B.V. Device c109
        Flags: bus master, medium devsel, latency 64, IRQ 22
        Memory at feafec00 (32-bit, non-prefetchable) [size=256]
        Capabilities: <access denied>
        Kernel driver in use: r592

I'm all out of ideas, any help will be appreciated.

(1) Why SD card? Because my laptop has a card reader and by using it I don't need to occupy a USB port, so when I'm at home I could insert the SD card and forget about it, then when I take the laptop out I don't carry the card with me or I remove it as soon as it isn't needed.

-- Mauro Santos
I've had problems using SDcards and ext2 (data corruption), but when using a journaling filesystem like XFS, the problems went away. Related? - Alexander
On 14-11-2012 16:39, Alexander Rødseth wrote:
I've had problems using SDcards and ext2 (data corruption), but when using a journaling filesystem like XFS, the problems went away. Related?
- Alexander
Unfortunately not related. My problem happens very early during boot, while still running from the initramfs, and I don't even need to access the card to see the problem. Besides, I was planning to use fat32 on the card; I've read somewhere that some cards rely on the usage of fat to be able to do some housekeeping.

-- Mauro Santos
Hi,

2012/11/14 Mauro Santos <registo.mailling@gmail.com>:
(1) Why SD card? Because my laptop has a card reader and by using it I don't need to occupy a USB port, so when I'm at home I could insert the SD card and forget about it, then when I take the laptop out I don't carry the card with me or I remove it as soon as it isn't needed.
Nice idea. I have the entire disk encrypted and I keep my /boot on a USB stick (that I carry with me). With an unencrypted /boot anyone can access and modify the kernel image and initramfs (for example, to intercept the passphrase).

Boot with 'break=y' in the kernel command line; this will drop you to a shell in the initramfs. Check if you are able to access the SD card. If not, try to add some modules to the initramfs and try again.

-- Krzysztof Warzecha
On 14-11-2012 19:06, Krzysztof Warzecha wrote:
Hi,
2012/11/14 Mauro Santos <registo.mailling@gmail.com>:
(1) Why SD card? Because my laptop has a card reader and by using it I don't need to occupy a USB port, so when I'm at home I could insert the SD card and forget about it, then when I take the laptop out I don't carry the card with me or I remove it as soon as it isn't needed.
Nice idea. I have the entire disk encrypted and I keep my /boot on a USB stick (that I carry with me). With an unencrypted /boot anyone can access and modify the kernel image and initramfs (for example, to intercept the passphrase).
I have a script that checks all files in /boot and the space from LBA 0 up to the first partition for any changes and issues a warning if anything changed. It doesn't prevent all nasty things but at least gives me a heads up.
Boot with 'break=y' in the kernel command line; this will drop you to a shell in the initramfs. Check if you are able to access the SD card. If not, try to add some modules to the initramfs and try again.
Thanks for the tip, I didn't know I could use break=y, I was using init=/bin/sh.

I think I have it more or less figured out now. I was doing things correctly from the start(1); it's just that either the card reader, the card or both(2) don't play well in certain cases. It goes like this: if I do a cold boot things always work well. If I reboot, sometimes it works fine, sometimes it works but I would need to use a long rootdelay, which I don't want to use because of the case when I boot without the card inserted. Other times it fails miserably with lots of errors and I need to remove the card so boot can continue.

The compromise I've found is that if I reboot without the card inserted and wait until the kernel starts to boot to insert the card (around the time early KMS kicks in) things seem to always work fine too. The only quirk is that using /dev/disk/by-id/mmc-whatever seems to be more reliable than using /dev/mmcblk0 directly (less chance of getting errors).

(1) I was adding the correct drivers to the initramfs but I was testing things after a reboot and not with cold boots.

(2) It might be due to the cheap card I bought, since I didn't know from the start if I was going to be able to make this work (currently I don't have any other devices that use SD cards). It could also be a case of funky hardware and something the BIOS does (or does not do) on reboots; it could be a combination of cheap card + funky hardware, or the driver does not do some reset it should do when being loaded.

-- Mauro Santos
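A minimal version of the kind of check Mauro mentions (hashing everything in /boot plus the sectors from LBA 0 up to the first partition, where the cryptkey lives, and warning when anything differs from a saved manifest), added here as an example and not his script. The boot directory, disk device and first-partition start sector (e.g. 2048 as printed by fdisk -l) are assumed arguments; GNU coreutils/findutils (sha256sum, dd, find -print0, sort -z, xargs -0) are assumed to be present.

```shell
#!/bin/sh
# Added example (not the script from the thread). Integrity check for the
# unencrypted /boot directory and the MBR-to-first-partition gap where the
# LUKS key file is stored. Assumes GNU coreutils/findutils. Arguments are
# placeholders: adjust the boot directory, disk device and first-partition
# start sector for your machine.

# Print a manifest: one sha256 line per regular file under the boot directory,
# plus one line for the raw sectors from LBA 0 up to (not including) the first
# partition's start sector.
boot_manifest() {
    bootdir=$1; disk=$2; first_sector=$3
    # sort -z gives a stable order so two manifests can be compared with diff
    find "$bootdir" -type f -print0 | sort -z | xargs -0r sha256sum
    dd if="$disk" bs=512 count="$first_sector" 2>/dev/null \
        | sha256sum | sed "s|-\$|$disk:lba0-$first_sector|"
}

# Compare a fresh manifest with the saved one. Returns 0 if nothing changed;
# otherwise prints the differing entries to stderr and returns 1.
# Keep the saved manifest on the encrypted root, not in /boot, so whoever can
# modify /boot cannot simply update the manifest as well.
boot_check() {
    saved=$1; bootdir=$2; disk=$3; first_sector=$4
    changes=$(boot_manifest "$bootdir" "$disk" "$first_sector" | diff "$saved" -) \
        && return 0
    printf 'WARNING: /boot or MBR gap changed since last manifest:\n%s\n' "$changes" >&2
    return 1
}

# Typical use (as root; 2048 is the first partition's start sector from fdisk -l):
#   boot_manifest /boot /dev/sda 2048 > /root/boot.manifest   # once, on a trusted system
#   boot_check /root/boot.manifest /boot /dev/sda 2048         # at each boot or login
```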