Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/etc/unlock.sh missing after rebuilding initramfs on RaspberryPi #64

Open
ph1387 opened this issue Mar 23, 2024 · 0 comments
Open

/etc/unlock.sh missing after rebuilding initramfs on RaspberryPi #64

ph1387 opened this issue Mar 23, 2024 · 0 comments

Comments

@ph1387
Copy link

ph1387 commented Mar 23, 2024
edited
Loading

As promised, here is a list of all steps including the configuration for how I managed to get an updated Debian instance running on the RaspberryPi.

Setup:

  1. Proxmox VM Debian 12 Bookworm as host for executing the scripts
  2. RaspberryPi 3B+ (named "ares")
  3. next-4.x branch of the repository

Configuration

Steps to Reproduce

Initial setup

  1. Use Proxmox VM host
  2. Delete existing "build" directory in "./cryptmypi.sh examples/debian-encrypted-basic-dropbear"
  3. Switch to next-4.x branch
  4. Apply configuration mentioned above
  5. Switch to root via su -
  6. Run ./cryptmypi.sh examples/debian-encrypted-basic-dropbear stage 1 and stage 2
  7. Since I am not sure which initramfs is being used (/boot or /boot/firmware) check all generated ones. They should all display the same result:
    1. lsinitramfs examples/debian-encrypted-basic-dropbear/build/root/boot/initramfs.gz | grep -P "(crypttab|fstab|unlock.sh)" -> reference initramfs image
      1. cryptroot/crypttab
      2. cryptroot/fstab
      3. etc/crypttab
      4. etc/fstab
      5. etc/unlock.sh
    2. lsinitramfs examples/debian-encrypted-basic-dropbear/build/root/boot/initrd.img-6.1.0-13-arm64 | grep -P "(crypttab|fstab|unlock.sh)"
    3. lsinitramfs examples/debian-encrypted-basic-dropbear/build/root/boot/firmware/initrd.img-6.1.0-13-arm64 | grep -P "(crypttab|fstab|unlock.sh)"
  8. Put the sd card into the RaspberryPi
  9. Start the RaspberryPi
  10. Verify dropbear configuration by logging in from another system via ssh: ssh [email protected] -p 2222 -i ares_luks
  11. Debian starts up and root can log in with the _ROOTPASSWD on the RaspberryPi itself
  12. Enable ssh for root user since it makes the next steps easier:
    1. nano /etc/ssh/sshd_config -> PermitRootLogin yes
    2. systemctl restart ssh.service

Updating (fails by default)

  1. Connect to the RaspberryPi as root via ssh: ssh [email protected] -i ares_luks
  2. Make a copy/note down content of "/boot/firmware/cmdline.txt", as it can get replaced during the update process
  3. Update the RaspberryPi via apt update && apt upgrade -y -> keep the local ssh configuration if asked
  4. Check for new version with ls /lib/modules -> In my case this returns 6.1.0-13-arm64 6.1.0-18-arm64
  5. Create a new initramfs mkinitramfs -o /boot/initramfs.gz 6.1.0-18-arm64
  6. Check the created initramfs via lsinitramfs /boot/initramfs.gz | grep -P "(crypttab|fstab|unlock.sh)" -> this will only include the following:
    1. cryptroot/crypttab
    2. etc/fstab
  7. Notice the missing "etc/unlock.sh" script but continue regardless
  8. Do the same as the scripts by moving the created initramfs around to make it load on boot:
    1. mv /boot/firmware/initrd.img-6.1.0-18-arm64 /boot/firmware/initrd.img-6.1.0-18-arm64-oos
    2. mv /boot/initrd.img-6.1.0-18-arm64 /boot/initrd.img-6.1.0-18-arm64-oos
    3. mv /boot/initramfs.gz /boot/firmware/initrd.img-6.1.0-18-arm64
  9. Check "/boot/firmware/config.txt", it should load the created initramfs since it mentiones the "initrd.img-6.1.0-18-arm64" image
  10. Replace the content of "/boot/firmware/cmdline.txt" with the copied content from before
  11. Reboot
  12. Verify dropbear configuration by logging in from another system via ssh: ssh [email protected] -p 2222 -i ares_luks
  13. Fail the unlock since "/etc/unlock.sh" can not be found:

$ ssh [email protected] -p 2222 -i ares_luks
The authenticity of host '[192.168.188.247]:2222 ([192.168.188.247]:2222)' can't be established.
ED25519 key fingerprint is SHA256:lLYugILqU7OqgXlQ9JX3B2woKFNEay71SZ27KjP7+v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.188.247]:2222' (ED25519) to the list of known hosts.
Enter passphrase for key 'ares_luks':
sh: /etc/unlock.sh: not found
Connection to 192.168.188.247 closed.

Fix

  1. Manually decrypt the filesystem in the initramfs by pressing "Enter" once and providing the correct decryption password
  2. Connect to the RaspberryPi as root via ssh: ssh [email protected] -i ares_luks
  3. Make a copy/note down content of "/boot/firmware/cmdline.txt", as it can get replaced during the update process
  4. Create an initramfs hook for copying the missing file:
    1. nano /etc/initramfs-tools/hooks/luks_unlock
#!/bin/sh -e
PREREQS=""
case $1 in
		prereqs) echo "${PREREQS}"; exit 0;;
esac

. /usr/share/initramfs-tools/hook-functions
copy_file config /etc/initramfs-tools/unlock.sh /etc/unlock.sh
  1. Make it executable chmod 755 /etc/initramfs-tools/hooks/luks_unlock
  2. Create a new initramfs mkinitramfs -o /boot/initramfs.gz 6.1.0-18-arm64
  3. Check the created initramfs via lsinitramfs /boot/initramfs.gz | grep -P "(crypttab|fstab|unlock.sh)"-> this will include the previously missing unlock.sh:
    1. cryptroot/crypttab
    2. etc/fstab
    3. etc/unlock.sh
  4. Do the same as the scripts by moving the created initramfs around to make it load on boot:
    1. mv /boot/firmware/initrd.img-6.1.0-18-arm64 /boot/firmware/initrd.img-6.1.0-18-arm64-oos
    2. mv /boot/initramfs.gz /boot/firmware/initrd.img-6.1.0-18-arm64
  5. Replace the content of "/boot/firmware/cmdline.txt" with the copied content from before
  6. Reboot
  7. Verify dropbear configuration by logging in from another system via ssh: ssh [email protected] -p 2222 -i ares_luks
  8. Unlocking the device with dropbear works as expected

Test whether keeping hook in script fixes problem

A possible solution for this problem would be the removal of the previously mentioned

cryptmypi/hooks/7500-stage2-chroot-final.hook

Line 6 in 52227df

chroot_execute rm -f /etc/initramfs-tools/hooks/zz-cryptsetup

  1. Comment out the mentioned line with nano hooks/7500-stage2-chroot-final.hook
  2. Remove any previous builds
  3. Run ./cryptmypi.sh examples/debian-encrypted-basic-dropbear stage 1 and stage 2
  4. Start RaspberryPi
  5. Login as Root and enable ssh login again
  6. Verify that the initramfs hook is present: ls -l /etc/initramfs-tools/hooks/ -> zz-cryptsetup
  7. Make a copy/note down content of "/boot/firmware/cmdline.txt", as it can get replaced during the update process
  8. Update the RaspberryPi via apt update && apt upgrade -y -> keep the local ssh configuration if asked
  9. Check for new version with ls /lib/modules -> In my case this returns 6.1.0-13-arm64 6.1.0-18-arm64
  10. Create a new initramfs mkinitramfs -o /boot/initramfs.gz 6.1.0-18-arm64
  11. Check the created initramfs via lsinitramfs /boot/initramfs.gz | grep -P "(crypttab|fstab|unlock.sh)" -> "/etc/unlock.sh" should be in the list
  12. Do the same as the scripts by moving the created initramfs around to make it load on boot:
    1. mv /boot/firmware/initrd.img-6.1.0-18-arm64 /boot/firmware/initrd.img-6.1.0-18-arm64-oos
    2. mv /boot/initrd.img-6.1.0-18-arm64 /boot/initrd.img-6.1.0-18-arm64-oos
    3. mv /boot/initramfs.gz /boot/firmware/initrd.img-6.1.0-18-arm64
  13. Check "/boot/firmware/config.txt", it should load the created initramfs since it mentiones the "initrd.img-6.1.0-18-arm64" image
  14. Replace the content of "/boot/firmware/cmdline.txt" with the copied content from before
  15. Reboot
  16. Verify dropbear configuration by logging in from another system via ssh: ssh [email protected] -p 2222 -i ares_luks
  17. Dropbear works and the filesystem is decrypted

As far as I can tell removing this single line of code allows for updating the initramfs as long as you also adjust the "/boot/firmware/cmdline.txt" as well. I am not sure if the "{DESTDIR}" parts of the hook interfere with anything though.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ph1387