Hi Mike,

I run two Gentoo servers with both encrypted root fs and GRSEC/RBAC/PAX
--- so it is possible. I didn't use LUKS, I set everything up step by
step by hand. I've got a little mini-howto (with an already prepared
initrd) if you'd like to see what I did:

http://www.virtualblueness.net/~blueness/encryptedroot/

I know this doesn't directly answer your question but it may help.

--

Anthony Basile, Ph.D.
Chair IT, D'Youville College

On Tue, 2006-07-11 at 10:11 +0200, Michael Decker wrote:
> Hi,
>
> Could somebody help me solve this problem? I am trying to encrypt the whole
> root device by following this howto:
>
> So my boot fails because of an unmount error.
>
> On boot, a self-created initrd is started to open the LUKS-encrypted
> filesystem, and the last steps of the linuxrc script [2] fail (on the umount
> command):
>
> --- SNIP ---
> pivot_root . initrd
>
> # Start init and flush ram device
> exec chroot . /bin/sh <<- EOF >/dev/console 2>&1
> umount initrd
> rm -rf initrd
> blockdev --flushbufs /dev/ram0
> exec /sbin/init ${CMDLINE}
> EOF
> --- SNAP ---
>
> So I get this error:
> --- SNIP ---
> EXT3 FS on dm-0, internal journal
> EXT3-fs: dm-0: 1 orphan inode deleted
> EXT3-fs: recovery complete.
> EXT3-fs: mounted filesystem with journal data mode.
> 0000000037|rsbac_free_dat_dentry(): freeing dat dir dentries
> 0000000038|do_umount() [sys_umount()]: umount failed -> calling
> rsbac_mount for Device 01:00
> --- SNAP ---
>
> I've run the kernel with this options:
> --- SNIP ---
> Kernel command line: root=/dev/ram0 rw init=/linuxrc rsbac_softmode
> console=ttyS0,57600 console=tty0
> --- SNAP ---
>
> Is this an RSBAC problem? Do I have to modify the script [2]? Perhaps
> somebody could give a suggestion?
>
> Best regards,
> Michael Decker
>
> [1]
> http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS
> [2]
> http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS#Initrd_Scripts
> --
> Michael Decker Michael.Decker@×××××.de
> TESIS SYSware GmbH http://www.tesis.de
> Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
>
--
gentoo-hardened@g.o mailing list