[arch-general] LUKS, SD card reader and initramfs
Mauro Santos
registo.mailling at gmail.com
Thu Nov 15 09:30:17 EST 2012
On 14-11-2012 19:06, Krzysztof Warzecha wrote:
> Hi,
>
> 2012/11/14 Mauro Santos <registo.mailling at gmail.com>:
>> (1) Why SD card? Because my laptop has a card reader and by using it I
>> don't need to occupy a USB port, so when I'm at home I could insert the
>> SD card and forget about it, then when I take the laptop out I don't
>> carry the card with me or I remove it as soon as it isn't needed.
>
> Nice idea. I have entire disk encrypted and I keep my /boot on usb
> stick (that I carry with me). With unencrypted /boot anyone can access
> and modify kernel image and initramfs (for example, to intercept
> passphrase).
>
I have a script that checks all files in /boot and the space from lba 0
up to the first partition for any changes and issues a warning if
anything changed. It doesn't prevent from all nasty things but at least
gives me a heads up.
>
> Boot with 'break=y' in kernel commandline, this will drop you to shell
> in initramfs. Check if you are able to access sd card. If not, try to
> add some modules to initramfs and try again.
>
Thanks for the tip, I didn't know I could use break=y, I was using
init=/bin/sh.
I think I have it more or less figured out now. I was doing things
correctly from the start(1) it's just that either the card reader, the
card or both(2) don't play well in certain cases, it goes like this:
If I do a cold boot things always work well.
If I reboot sometimes it works fine, sometimes it works but I would need
to use a long rootdelay, which I don't want to use because of the case
when I boot without the card inserted. Other times it fails miserably
with lots of errors and I need to remove the card so boot can continue.
The compromise I've found is that if I reboot without the card inserted
and wait until the kernel starts to boot to insert the card (around the
time early kms kicks in) things seem to always work fine too. The only
quirk is that using /dev/disk/by-id/mmc-whatever seems to be more
reliable than using /dev/mmcblk0 directly (less change of getting errors).
(1) I was adding the correct drivers to the initramfs but I was testing
things after a reboot and not with cold boots.
(2) It might be due to the cheap card I bought, since I didn't know from
the start if I was going to be able to make this work (currently I don't
have any other devices that use sd cards). It could also be a case of
funky hardware and something the bios does (or does not do) on reboots,
could be a combination of cheap card + funky hardware or the driver does
not do some reset it should do when being loaded.
--
Mauro Santos
More information about the arch-general
mailing list