AEM: Unrecognized encrypted lvm at installation #2512

Open
marlox-ouda opened this Issue Dec 11, 2016 · 11 comments

@marlox-ouda

Qubes OS version (e.g., R3.2):

Qubes OS version R3.2 (upgraded from R3.1)

Affected TemplateVMs (e.g., fedora-23, if applicable):

Not applicable


From https://github.com/QubesOS/qubes-antievilmaid/tree/master/anti-evil-maid
On step 4.b) (setup AEM, create aem device)

# anti-evil-maid-install /dev/sda1

(AEM with password and without USB stick)

Expected behavior:

Actual behavior:

anti-evil-maid-install: Anti Evil Maid requires encrypted disk!

Steps to reproduce the behavior:

General notes:

origin +1:
https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/sbin/anti-evil-maid-install
line 76: if [ -z "$(getluksuuids)" ]; then
The getluksuuids function returns nothing.

origin +2:
https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/sbin/anti-evil-maid-lib
line 23 in getluksuuids: _CMDLINE=${_CMDLINE-$(cat /proc/cmdline)}
luksuuids are taken from the boot command line.

origin +3:

# cat /proc/cmdline
placeholder root=/dev/mapper/qubes_dom0-root ro

My command line does not explicitly name the encrypted volume.

origin+4:

# lsblk /dev/sda -nio NAME
sda
|-sda1
`-sda2
  `-luks-UUID
    `-qubes_dom0-root
    `-qubes_dom0-swap

I have an encrypted volume and no issue during boot.

Maybe a solution based on the following could solve it in getluksuuids:

if [ -z "$(echo "${_CMDLINE}" | grep rd.luks)" ]; then
    # No rd.luks.uuid on the command line: find the crypt layer under root= instead
    ROOT_DEV=$(cat /proc/cmdline | sed -re 's/.*root=([^ ]+).*/\1/')
    # -s lists the root device and its ancestors; keep the 'crypt' nodes only
    ENCRYPTED_DEVS=$(lsblk "${ROOT_DEV}" -lsnio NAME,TYPE | grep ' crypt$' | sed -e 's/ crypt$//')
    for device in ${ENCRYPTED_DEVS}; do
        echo "${device#luks-}"
    done
fi

Related issues:
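
The two lookups discussed in this report, the rd.luks.uuid scan of the kernel command line that getluksuuids relies on and the lsblk walk of the block tree under root= proposed above as a fallback, as an added, self-contained example. This is not code from qubes-antievilmaid; the function names, the sample command line and the UUID in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from qubes-antievilmaid: getluksuuids-style parsing
# of the kernel command line, plus the lsblk-based fallback the report
# proposes for a command line that carries no rd.luks.uuid entry.
# Function names and the sample command line are constructed for this example.

# Print the UUID of every rd.luks.uuid=luks-<UUID> (or rd.luks.uuid=<UUID>)
# entry in the command line string $1, one per line. Empty output is the
# condition that makes anti-evil-maid-install report
# "Anti Evil Maid requires encrypted disk!".
luksuuids_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n -e 's/^rd\.luks\.uuid=//p' | sed -e 's/^luks-//'
}

# Fallback input parser: read "NAME TYPE" lines (the format of
# lsblk -lsno NAME,TYPE, i.e. a device and all its ancestors) from stdin and
# print the name of every crypt node with dracut's luks- prefix stripped.
luksuuids_from_blocktree() {
    awk '$2 == "crypt" { sub(/^luks-/, "", $1); print $1 }'
}

# Extract the root= device from a command line string, or print nothing.
root_device_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n -e 's/^root=//p' | head -n 1
}

# Combined lookup: trust the command line when it names a LUKS UUID,
# otherwise walk the block device tree below the root device with lsblk.
# Only the command-line branch is reachable offline; the lsblk branch needs
# the real root device and prints nothing when that device is absent.
getluksuuids_with_fallback() {
    found=$(luksuuids_from_cmdline "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    rootdev=$(root_device_from_cmdline "$1")
    [ -n "$rootdev" ] || return 1
    lsblk -lsno NAME,TYPE "$rootdev" 2>/dev/null | luksuuids_from_blocktree
}

# Constructed sample: the shape of the dracut --print-cmdline output quoted
# later in this report, with a made-up UUID.
SAMPLE_CMDLINE='rd.luks.uuid=luks-0123abcd-0000-4000-8000-000000000001 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap root=/dev/mapper/qubes_dom0-root ro'

echo "LUKS UUIDs from the sample command line:"
getluksuuids_with_fallback "$SAMPLE_CMDLINE"
```

Run against the real system with `getluksuuids_with_fallback "$(cat /proc/cmdline)"`: a command line like the one in this report (`placeholder root=/dev/mapper/qubes_dom0-root ro`) takes the lsblk branch, which is the only way the crypt layer can be discovered when the bootloader configuration never mentions it.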

marlox-ouda Dec 11, 2016

New findings: I get a more complete command line with the following command:

# dracut --print-cmdline
rd.luks.uuid=luks-UUID rd.lvm.lv=qubes_dom0/root
rd.lvm.lv=qubes_dom0/swap
resume=/dev/mapper/qubes_dom0-swap root=/dev/mapper/qubes_dom0-root rootfstype=ext4 rootflags=rw,relatime,data=ordered

marlox-ouda Dec 11, 2016

I solved it with:

# export _CMDLINE=$(dracut --print-cmdline)
# anti-evil-maid-install /dev/sda1

Expected result

anti-evil-maid-install: Labeling filesystem aem
anti-evil-maid-install: Syncing to /boot

Solution (v2)

Replace
https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/sbin/anti-evil-maid-lib
line 23 in getluksuuids: _CMDLINE=${_CMDLINE-$(cat /proc/cmdline)}
with
_CMDLINE=${_CMDLINE-$(dracut --print-cmdline)}


marmarek (Member) Dec 14, 2016

Replace
https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/sbin/anti-evil-maid-lib
line 23 in getluksuuids: _CMDLINE=${_CMDLINE-$(cat /proc/cmdline)}
with
_CMDLINE=${_CMDLINE-$(dracut --print-cmdline)}

I wonder how it works inside initramfs? _CMDLINE is set there already? Have you tested it?


marlox-ouda Apr 24, 2017

You're right: dracut is not available in initramfs and AEM fails to boot with such a setup.

I have tested a new trick that works but it is not very clean:
_CMDLINE=${_CMDLINE-$(dracut --print-cmdline 2>/dev/null || cat /proc/cmdline)}

rustybird Apr 24, 2017

@marlox-ouda: What is the value of GRUB_CMDLINE_LINUX in your /etc/default/grub? #2553 made me think that maybe this file is corrupted or incomplete.

marlox-ouda May 2, 2017

The value of GRUB_CMDLINE_LINUX in /etc/default/grub is "$GRUB_CMDLINE_LINUX rd.qubes.hlde_all_usb splash"

rustybird May 2, 2017

@marlox-ouda: Sorry, I should have mentioned that there are usually two GRUB_CMDLINE_LINUX lines. What's the value of the first one?

marlox-ouda May 4, 2017

@rustybird Don't be sorry. I think you have pointed at the right issue. I have only one line in /etc/default/grub:
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.qubes.hlde_all_usb splash"

I do not remember having changed this file. What kind of information should I have?

rustybird May 4, 2017

@marlox-ouda: That depends on your installation layout. If you've let the installer create all your partitions automatically, the first line should look like this:

GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-UUID rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rd.driver.pre=scsi_dh_rdac rhgb quiet"

You could insert the line manually (with UUID replaced by the output of cryptsetup luksUUID /dev/sda2) and rerun grub2-mkconfig -o /boot/grub2/grub.cfg.

But it's interesting that it's missing. Do you have a coreboot system? If so, see issue #2553.
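
The check rustybird describes, made mechanical, as an added example that is not Qubes OS or qubes-antievilmaid code: read the first GRUB_CMDLINE_LINUX line of an /etc/default/grub-style file and report whether it carries rd.luks.uuid=luks-UUID for the UUID that cryptsetup luksUUID prints for the LUKS partition. The function names, the two sample files and the UUID in them are constructed for this example; the second sample reproduces the reporter's situation, where only the appending line is present.

```shell
#!/bin/sh
# Added example, not code from Qubes OS or qubes-antievilmaid. Checks whether
# the FIRST GRUB_CMDLINE_LINUX line of an /etc/default/grub-style file names
# the LUKS container via rd.luks.uuid, which is what getluksuuids later finds
# in /proc/cmdline after grub2-mkconfig. Function names are constructed.

# Print the value of the first GRUB_CMDLINE_LINUX="..." assignment in file $1
# without the surrounding quotes. A stock Qubes file has a second line that
# appends to $GRUB_CMDLINE_LINUX; head -n 1 skips it.
first_grub_cmdline_linux() {
    sed -n -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Return 0 when that first line carries rd.luks.uuid=luks-$2 (or
# rd.luks.uuid=$2), where $2 is the UUID reported by cryptsetup luksUUID.
grub_has_luks_uuid() {
    line=$(first_grub_cmdline_linux "$1")
    case " $line " in
        *" rd.luks.uuid=luks-$2 "*|*" rd.luks.uuid=$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict, e.g. for a manual audit before running
# anti-evil-maid-install.
report_grub_luks() {
    if grub_has_luks_uuid "$1" "$2"; then
        echo "ok: first GRUB_CMDLINE_LINUX in $1 unlocks luks-$2"
    else
        echo "missing: first GRUB_CMDLINE_LINUX in $1 has no rd.luks.uuid=luks-$2"
        echo "         expected something like:"
        echo "         GRUB_CMDLINE_LINUX=\"rd.luks.uuid=luks-$2 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap rhgb quiet\""
    fi
}

# Constructed sample files: one laid out like the installer's default and one
# like the report's (only the appending line present). The UUID is made up.
SAMPLE_UUID=0123abcd-0000-4000-8000-000000000001
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_OK" <<EOF
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-$SAMPLE_UUID rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap rhgb quiet"
GRUB_CMDLINE_LINUX="\$GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb splash"
EOF
cat > "$SAMPLE_BAD" <<EOF
GRUB_CMDLINE_LINUX="\$GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb splash"
EOF

report_grub_luks "$SAMPLE_OK" "$SAMPLE_UUID"
report_grub_luks "$SAMPLE_BAD" "$SAMPLE_UUID"
```

On a real system, `report_grub_luks /etc/default/grub "$(cryptsetup luksUUID /dev/sda2)"` (run as root, with the LUKS partition substituted) gives the verdict before grub2-mkconfig is rerun; the check deliberately looks only at the first assignment, since the appending line never carries the UUID itself.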

marlox-ouda May 5, 2017

Thank you for your help. I will add this.

I have just used the installer and do not use coreboot. The only specific thing I have done is updating from R3.1.
On this previous version I was not able to run AEM because the TPM version was not supported.

Do you want more information?

rustybird May 5, 2017

Thanks, nothing comes to mind. I have no idea what could have clobbered /etc/default/grub, unfortunately.
