Comments (15)
Greetings,
Which example are you using and what hardware? Also please know I only test pristine runs, but I can take a look next time I am updating images.
from cryptmypi.
I am using the pios-encrypted-basic-dropbear config on a Raspberry Pi 3
from cryptmypi.
I just updated image links and nothing obvious showed up for me. The only thing I can offer is testing that you can unlock and mount the sdcard. If that works then luks is ok and something else broke. I would put new build on and move forward. Will leave open for a few days.
from cryptmypi.
So one thing I did notice while testing the ubuntu-encrypted-basic image was that I could not unlock on pi 3b, but could unlock the same image on pi 4. So if you had a pi 4 you could try that also.
from cryptmypi.
I currently can't test the new image, but every time after a kernel update on the old image I always got the error from the issue
from cryptmypi.
I have encountered this problem before; you have to rebuild the initramfs after the kernel update and before rebooting.
sudo apt update && sudo apt upgrade -y
# check kernel version
ls /lib/modules
sudo update-initramfs -u
# replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
sudo reboot
from cryptmypi.
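A pre-reboot check for the rebuild step in the comment above, as an added example that is not part of the thread or of cryptmypi: it picks the kernel version by flavour suffix and version order, then reads an `lsinitramfs` listing and reports what is missing for that kernel. The function names and the sample listing are constructed for illustration, and the check assumes dm-mod and dm-crypt are built as modules, as the error in this issue implies.

```shell
#!/bin/sh
# Added example: checks to run after a kernel upgrade and before rebooting.

# pick_kernel MODULES_DIR FILTER
# Print the newest entry of MODULES_DIR whose name ends in "-FILTER"
# (e.g. v7l+). Versions are compared with sort -V, not by mtime.
pick_kernel() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in
            *-"$2") printf '%s\n' "${d##*/}" ;;
        esac
    done | sort -V | tail -n 1
}

# missing_in_initramfs KVER [EXTRA_PATH]
# Read an `lsinitramfs` listing on stdin; print every item needed to unlock
# the root device that is absent for KVER. No output means nothing is missing.
missing_in_initramfs() {
    kver=$1 extra=${2:-}
    mod=0 crypt=0 bin=0 ext=0
    [ -n "$extra" ] || ext=1          # no extra path requested
    while IFS= read -r path; do
        case "$path" in
            *lib/modules/"$kver"/*/dm-mod.ko*)   mod=1 ;;
            *lib/modules/"$kver"/*/dm-crypt.ko*) crypt=1 ;;
            *sbin/cryptsetup)                    bin=1 ;;
            *"$extra")                           ext=1 ;;
        esac
    done
    [ "$mod" = 1 ]   || echo "dm-mod.ko for $kver"
    [ "$crypt" = 1 ] || echo "dm-crypt.ko for $kver"
    [ "$bin" = 1 ]   || echo "cryptsetup"
    [ "$ext" = 1 ]   || echo "$extra"
}

# Constructed listing: an image that was built for the previous kernel only.
sample_listing() {
    cat <<'EOF'
usr/lib/modules/5.10.63-v7l+/kernel/drivers/md/dm-mod.ko
usr/lib/modules/5.10.63-v7l+/kernel/drivers/md/dm-crypt.ko
usr/sbin/cryptsetup
EOF
}

# On the Pi:  kver=$(pick_kernel /lib/modules v7l+)
#             lsinitramfs /boot/initramfs.gz | missing_in_initramfs "$kver"
```

Passing `etc/unlock.sh` as the second argument also checks for the unlock script named in the error reported further down this thread; that path is taken from the error message and is an assumption about where the dropbear hook places it.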
Hi @gemesa
Can you help me?
I have the same error. I published it here: #49
I tried different methods, but I don't understand when I must use this:
sudo apt update && sudo apt upgrade -y
# check kernel version
ls /lib/modules
update-initramfs -u
# replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
sudo reboot
Must I use this code when my custom image is built with chroot?
from cryptmypi.
The easy way would be running these commands while you are still logged in. But if you see this error message it means of course you have already rebooted and are locked out currently so yes, you have to use chroot now. Refer to these links for more info:
Raspbian: dm_mod missing after mkinitramfs on luks encrypted partition
initramfs, LUKS and dm_mod can't boot after upgrade
Or you could also just create a clean image and download it to the SD card and keep in mind from now on that you have to rebuild the initramfs after each kernel update.
from cryptmypi.
@gemesa Thx for the fast answer, I am going to work with this!
from cryptmypi.
@gemesa Can you help me?
When I begin to modify my .img file I use the next few commands:
# Replace /dev/sdg with your SD card block device.
# Use `lsblk` to help you find where this is.
# Link "mmcblk" block device so chroot later sees the expected device block names.
test -L /dev/mmcblk0p1 || ln -s /dev/sdg1 /dev/mmcblk0p1
test -L /dev/mmcblk0p2 || ln -s /dev/sdg2 /dev/mmcblk0p2
# Mount SD card.
cryptsetup -v luksOpen /dev/mmcblk0p2 sdcard
mount /dev/mapper/sdcard /mnt; mount /dev/mmcblk0p1 /mnt/boot; mount -o bind /dev /mnt/dev; mount -o bind /dev/pts /mnt/dev/pts; mount -t sysfs none /mnt/sys; mount -t proc none /mnt/proc
# Comment out ld.so.preload.
sed -i 's/^/#/g' /mnt/etc/ld.so.preload
# Copy qemu binary.
cp /usr/bin/qemu-arm-static /mnt/usr/bin/
# chroot to Raspbian to update and rebuild initramfs.
chroot /mnt /bin/bash
rm -rf /var/tmp/mkinitramfs*
apt update && apt upgrade && apt dist-upgrade && apt autoremove
apt install --reinstall raspberrypi-bootloader raspberrypi-kernel
test -L /sbin/fsck.luks || ln -s /sbin/e2fsck /sbin/fsck.luks
update-initramfs -u
# IMPORTANT: Replace "5.10.52-v7l+" with the correct kernel from "/lib/modules".
# Doing `$(ls -t /lib/modules | tail -1)` here doesn't always give you the right one!!!
mkinitramfs -o /boot/initramfs.gz 5.10.52-v7l+
exit
# Undo damage to our local recovery system.
sed -i 's/^#//g' /mnt/etc/ld.so.preload
# Force flushing write buffers and unmount SD card.
sync
umount /mnt/{dev/pts,dev,sys,proc,boot} /mnt
cryptsetup -v luksClose sdcard
# Unlink "mmcblk" block device.
test ! -L /dev/mmcblk0p1 || rm /dev/mmcblk0p1
test ! -L /dev/mmcblk0p2 || rm /dev/mmcblk0p2
# All done. Eject the SD card and attempt boot in your Pi.
Then I plug my SD card into the Raspberry Pi and get an error:
sh: not found /etc/unlock.sh
I found this script here:
https://github.com/unixabg/cryptmypi/blob/07669f8c3b25aa4da8a8f61b7daa1258ca46079b/hooks/2700-stage1-dropbear.hook
How can I complete the step with an upgrade with an already done image file?
How must I prepare all scripts for this?
from cryptmypi.
It's hard to tell what went wrong/is missing to be honest, as cryptmypi contains a lot of hooks and I don't know their prerequisites and dependencies.
Edit: I have checked quickly though, and to me it looks like the initramfs has not been rebuilt properly. Has your script raised any errors?
Do you have some important files on your SD card you want to save? In that case you can just plug the card into your workstation, unlock and mount it:
lsblk
# replace /dev/sda2 with the correct device
cryptsetup luksOpen /dev/sda2 sdcard
# create the mount point if it does not exist yet
mkdir -p /mnt/sdcard
mount /dev/mapper/sdcard /mnt/sdcard
Then the files on your encrypted partition will be visible to you, you can back them up and do a clean cryptmypi install.
from cryptmypi.
I also got the sh: not found /etc/unlock.sh error.
I guess after updating the kernel something broke with the unlocking script.
from cryptmypi.
For me rebuilding the initramfs after an update is working properly. I have not integrated every change into my sandbox though from the latest release (4.10-beta). I am using example pios-encrypted-basic-dropbear with a RPi 4 4GB and I am building the cryptmypi image with another RPi also, to avoid any cross-platform, cross-compilation problem whatsoever.
Here is my config for reference (all of the changes compared to v4.10-beta, some of them might be unrelated/irrelevant):
cryptmypi.conf:
-export _KERNEL_VERSION_FILTER="v7+"
+export _KERNEL_VERSION_FILTER="v7l+"
-## Stage2 regenerate luks uuid
-# A value of yes generates a new luks uuid for deployment
-export _NEWLUKSUUID="yes"
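Review bot: _KERNEL_VERSION_FILTER="v7l+" in cryptmypi.conf is specific to the board this sandbox targets (an RPi 4 according to the comment above), so it should not be copied as-is for other boards; the Kali report later in this thread was resolved by selecting v7+ for a Zero 2 W. A short comment next to the variable saying which flavour belongs to which board would prevent an initramfs being built for a kernel the device never boots. The removal of _NEWLUKSUUID here only makes sense together with the matching removal in 5200-stage2-setup-luks-create.hook.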
chroot.fns:
-#chroot_execute update-initramfs -u # -k ${_KERNEL_VERSION} # TODO Test this + test without it completely
+chroot_execute update-initramfs -u # -k ${_KERNEL_VERSION} # TODO Test this + test without it completely
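Review bot: the re-enabled update-initramfs -u line in chroot.fns still has -k ${_KERNEL_VERSION} commented out and keeps the TODO, so the call does not say which kernel it builds for. Inside a build chroot that is worth pinning: pass -k "${_KERNEL_VERSION}" explicitly (quoted) and drop the TODO once tested, so the image is generated for the kernel the build has selected rather than whatever update-initramfs picks by default.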
0000-experimental-initramfs-iodine.hook:
- chroot_pkginstall iodine
+ chroot_pkginstall install iodine
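Review bot: chroot_pkginstall install iodine passes the word install as the first argument, while 3000-stage1-setup-encryption.hook in this same listing calls the helper with package names only (chroot_pkginstall cryptsetup busybox). Unless the helper's signature differs between the two trees, install ends up being treated as a package name; the two call styles should be made consistent, here and in 0000-experimental-sys-iodine.hook, where the same change also drops cron without explanation.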
0000-experimental-sys-iodine.hook:
- chroot_pkginstall iodine cron
+ chroot_pkginstall install iodine
2600-stage1-ssh.hook:
-# Make sure ssh is enabled
-chroot_execute systemctl enable ssh
2700-stage1-dropbear.hook:
-# Backwards compatibility on dropbear-initramfs
-echo_debug "Attempting dropbear compatibility sanity check with newer versions ..."
-chroot_execute /bin/bash << "EOF"
-if [ -d "/etc/dropbear/initramfs" ]; then
- # New path location for drobbear initramfs exists.
- echo "Found /etc/dropbear/initramfs directory."
- cd /etc
- echo "Linking /etc/dropbear/initramfs to /etc/dropbear-initramfs directory."
- ln -s dropbear/initramfs dropbear-initramfs
- echo "Linking /etc/dropbear/initramfs/config to /etc/dropbear/initramfs/dropbear.conf."
- cd /etc/dropbear/initramfs
- if [ -f "dropbear.conf" ]; then
- mv dropbear.conf config
- else
- echo '#DROPBEAR_OPTIONS=' >> config
- fi
- ln -s config dropbear.conf
- echo $$
-fi
-EOF
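Review bot: deleting the whole compatibility block in 2700-stage1-dropbear.hook removes the only handling of the /etc/dropbear/initramfs layout, so on an image whose dropbear-initramfs uses that directory nothing links it to /etc/dropbear-initramfs any more. If the block is causing trouble, it would be safer to keep the [ -d "/etc/dropbear/initramfs" ] test and fix what is inside it (the ln -s calls are not guarded against an existing target, and echo $$ looks like leftover debugging) than to drop support for the new path.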
3000-stage1-setup-encryption.hook:
-chroot_pkginstall cryptsetup cryptsetup-initramfs busybox
+chroot_pkginstall cryptsetup busybox
echo 'dm_crypt' >> ${_BUILDDIR}/root/etc/initramfs-tools/modules
+# Disable autoresize
+chroot_execute systemctl disable rpiwiggle
+rm ${_BUILDDIR}/root/root/scripts/rpi-wiggle.sh
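Review bot: the chroot_pkginstall line in 3000-stage1-setup-encryption.hook no longer installs cryptsetup-initramfs, the package that carries the initramfs integration for cryptsetup, so whether the unlock tooling lands in the initramfs now depends on cryptsetup pulling it in as a dependency. Keep it in the explicit list, or document why it is not needed on the target release. Separately, the added rm ${_BUILDDIR}/root/root/scripts/rpi-wiggle.sh is unquoted and has no -f, so it errors out on images that do not ship that script; rm -f "${_BUILDDIR}/root/root/scripts/rpi-wiggle.sh" is safer.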
5200-stage2-setup-luks-create.hook:
- ## Test to generate new luks uuid
- if [ "${_NEWLUKSUUID}" = "yes" ]; then
- echo_debug "Attempting to regenerate and configure a new luks uuid for deployment ..."
- __NEWLUKSUUID=$(cat /proc/sys/kernel/random/uuid)
- echo "__NEWLUKSUUID=${__NEWLUKSUUID}" > ${_BUILDDIR}/root/boot/newluksuuid.txt
- echo "crypt UUID=${__NEWLUKSUUID} none luks" > ${_BUILDDIR}/root/etc/crypttab
- __LUKSUUID="${__NEWLUKSUUID}"
- fi
cryptmypi.sh:
-export _VER="4.10-beta"
+export _VER="4.8-beta"
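Review bot: _VER goes backwards, from 4.10-beta to 4.8-beta, which means this listing is a comparison of an older tree against v4.10-beta rather than a set of changes made on top of it. Several of the removals above (the dropbear compatibility block, _NEWLUKSUUID, systemctl enable ssh) may therefore simply be features the older tree never had, and the listing should not be applied to 4.10-beta as a patch without checking each hunk.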
from cryptmypi.
Hi @gemesa thx for the answer, I will take my RPi 4 and hard work tomorrow, after giving you some feedback!
Have a nice day
from cryptmypi.
Hi thanks for this awesome project.
Unfortunately, I have the same issue,
I'm using a freshly flashed kali-encrypted-basic from master(52227df) on a RPi Zero 2 W.
This is my only diff in examples/kali-encrypted-basic/cryptmypi.conf:
# LINUX IMAGE FILE ------------------------------------------------------------
-export _IMAGEURL=https://kali.download/arm-images/kali-2022.4/kali-linux-2022.4-raspberry-pi-arm64.img.xz
-export _IMAGESHA="60e33582746bb25d87092e842398e1f946ff3cd3678743856f01d8bd3b43946a"
+export _IMAGEURL=https://kali.download/arm-images/current/kali-linux-2023.4-raspberry-pi-zero-2-w-armhf.img.xz
+export _IMAGESHA="41f88cbecd97a3731768b88a396265f5cf51455c81452618f18cc53cbcc0ff9a"
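Review bot: the new _IMAGEURL changes the architecture from arm64 to armhf (and the board to raspberry-pi-zero-2-w), but no kernel flavour setting changes with it, even though the poster states this is the only diff; the EDIT below confirms that the kernel version had to be switched to v7+ for this image. The URL also moves from the versioned kali-2022.4/ directory to current/, which is a moving target: the download will break or stop matching _IMAGESHA once current/ is updated, so pin the URL to the release directory the hash was taken from.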
Also, even with the changes from @gemesa above I still run into the issue that I directly get prompted with:
Cannot initialize device-mapper. Is dm_mod kernel module loaded?
Cannot use device crypt, name is invalid or still in use.
(I did tries with several Kali configs and also tried to add another chroot_mkinitramfs in hooks/7500-stage2-chroot-final.hook. All tries have the same result. Those where I tried unlocking via wifi even failed by the fact that the firmware of wlan0 seemed not to be available.)
I'm really looking forward to your help. Thanks in advance!
EDIT: [SOLVED] I had the wrong Re4son Kernel Version. For the given Kali RPi02w distribution v7+ is required (instead of v8+)
from cryptmypi.