Creating a bug report/issue
I have searched the existing open and closed issues
Required Information
- DietPi version | 8.25.1
- Distro version | bookworm 0
- Kernel version | Linux dietpihost 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
- Architecture | arm64
- SBC model | RPi4B
- Power supply used | Original RPi4 supply
- SD card used | Kingston Industrial 16GB
Additional Information (if applicable)
RootFS encryption as described by Zymbit. The same procedure was tested on a fresh RaspbianOS Bookworm installation and works. But it fails with the DietPi installation.
Steps to reproduce
- Temporarily disable reboot with quickndirty
sudo mv /usr/sbin/reboot /usr/sbin/reboot.NO
to make everything visible in the second part with journalctl -fu cfg_SD_crfs
- Follow these instructions: Zymbit Encrypt RootFS
- Part one of the script runs fine.
- In Part 2 (nested script: cfg_SD_crfs.sh) the part marked bold below fails with the following errors
Building initramfs...
Jan 04 19:13:29 dietpihost cfg_SD_crfs.sh[7247]: update-initramfs: Generating /mnt/tmpboot//initrd.img-6.1.21-v8+
Jan 04 19:13:29 dietpihost cfg_SD_crfs.sh[7254]: grep: /boot/config-6.1.21-v8+: Datei oder Verzeichnis nicht gefunden
Jan 04 19:13:29 dietpihost cfg_SD_crfs.sh[7249]: W: zstd compression (CONFIG_RD_ZSTD) not supported by kernel, using gzip
Jan 04 19:13:29 dietpihost cfg_SD_crfs.sh[7255]: grep: /boot/config-6.1.21-v8+: Datei oder Verzeichnis nicht gefunden
Jan 04 19:13:29 dietpihost cfg_SD_crfs.sh[7249]: E: gzip compression (CONFIG_RD_GZIP) not supported by kernel
Jan 04 19:13:29 dietpihost cfg_SD_crfs.sh[7247]: update-initramfs: failed for /mnt/tmpboot//initrd.img-6.1.21-v8+ with 1.
Expected behaviour
- The kernel should support zstd compression, like it does in RaspbianOS.
Actual behaviour
The kernel does not seem to support compression.
Extra details
This is the above-mentioned nested script, with the bold-marked section showing where it fails:
#!/bin/bash
# Make a zymkey-locked LUKS key
echo -n "Creating LUKS key..."
ct=0
while [ $ct -lt 3 ]
do
    sleep 1
    let ct=ct+1
    zkgrifs 512 > /run/key.bin
    if [ $? -ne 0 ]
    then
        echo "Retrying zkgrifs..."
        continue
    fi
    zklockifs /run/key.bin > /var/lib/zymbit/key.bin.lock
    if [ $? -ne 0 ]
    then
        echo "Retrying zklockifs..."
    else
        break
    fi
done
if [ $ct -ge 3 ]
then
    echo "LUKS key creation failed"
    exit
fi
echo "done."
# Create the dm-crypt volume on /dev/mmcblk0p2
echo -n "Formatting crypto file system on /dev/mmcblk0p2..."
cat /run/key.bin | cryptsetup -q -v luksFormat /dev/mmcblk0p2 - >/dev/null
cat /run/key.bin | cryptsetup luksOpen /dev/mmcblk0p2 cryptrfs --key-file=- >/dev/null
echo "done."
echo -n "Creating ext4 partition on /dev/mmcblk0p2..."
mkfs.ext4 -j /dev/mapper/cryptrfs -F >/dev/null || exit
echo "done."
echo "Copying files to crypto fs..."
mkdir -p /mnt/cryptrfs
mount /dev/mapper/cryptrfs /mnt/cryptrfs >/dev/null || exit
tar -xpf /original_zk_root.tgz -C /mnt/cryptrfs
echo "done."
echo -n "Copying /var/lib/zymbit to crypto fs..."
rm -rf /mnt/cryptrfs/var/lib/zymbit
cp -rpf /var/lib/zymbit /mnt/cryptrfs/var/lib/
echo "done."
echo -n "Copying hostname..."
cp /etc/hosts /mnt/cryptrfs/etc
cp /etc/hostname /mnt/cryptrfs/etc
echo "done."
echo -n "Copying ssh keys..."
cp /etc/ssh/*_key* /mnt/cryptrfs/etc/ssh
# Mount the boot partition in a safe place
mkdir -p /mnt/tmpboot
mount /dev/mmcblk0p1 /mnt/tmpboot || exit
# Remove the plaintext key now
rm /run/key.bin
# Change fstab to no longer use the unencrypted root volume
echo -n "Configuring fstab..."
pushd /mnt/cryptrfs/etc/
cp /etc/fstab .
sed -i -e '/# temp root fs/,+1d' fstab
rootln=`grep -w "/" fstab | grep -ve "^#"`
if [ -n "${rootln}" ]
then
    sed -i "s|^${rootln}|#${rootln}|" fstab
fi
popd
grep -q "^/dev/mapper/cryptrfs" /mnt/cryptrfs/etc/fstab || echo -e "\n# crypto root fs\n/dev/mapper/cryptrfs / ext4 defaults,noatime 0 1" >> /mnt/cryptrfs/etc/fstab
mv /etc/fstab /etc/fstab.prev
cp /mnt/cryptrfs/etc/fstab /etc/fstab
echo "done."
# Make sure that boot uses initramfs
echo -n "Configuring config.txt..."
grep -q "^initramfs" /mnt/tmpboot/config.txt || echo "initramfs initrd.img followkernel" >> /mnt/tmpboot/config.txt
echo "done."
# Add crypto fs stuff to the kernel command line
echo -n "Configuring kernel cmd line..."
sed -i "s/root=[^ ]*//" /mnt/tmpboot/cmdline.txt
sed -i "s/rootfstype=[^ ]*//" /mnt/tmpboot/cmdline.txt
sed -i "s/cryptdevice=[^ ]*//" /mnt/tmpboot/cmdline.txt
tr -d '\n' </mnt/tmpboot/cmdline.txt> /tmp/cmdline.txt
mv /tmp/cmdline.txt /mnt/tmpboot/cmdline.txt
echo " root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs rng_core.default_quality=1000" >> /mnt/tmpboot/cmdline.txt
echo "done."
# Add crypttab cfg
echo -n "Configuring crypttab..."
echo -e "cryptrfs\t/dev/mmcblk0p2\t/etc/cryptroot/key.bin\tluks,keyscript=/lib/cryptsetup/scripts/zk_get_key,tries=100,timeout=30s" > /mnt/cryptrfs/etc/crypttab
cp /mnt/cryptrfs/etc/crypttab /etc/crypttab
echo "done."
# Bring the i2c drivers into initramfs
echo -n "Adding i2c drivers to initramfs..."
grep -q "^i2c-dev" /etc/initramfs-tools/modules || echo "i2c-dev" >> /etc/initramfs-tools/modules
grep -q "^i2c-bcm2835" /etc/initramfs-tools/modules || echo "i2c-bcm2835" >> /etc/initramfs-tools/modules
grep -q "^i2c-bcm2708" /etc/initramfs-tools/modules || echo "i2c-bcm2708" >> /etc/initramfs-tools/modules
grep -q "^lan78xx" /etc/initramfs-tools/modules || echo "lan78xx" >> /etc/initramfs-tools/modules
cp -rpf /etc/initramfs-tools/modules /mnt/cryptrfs/etc/initramfs-tools
echo "done."
# chroot to future root fs
mount -t proc /proc /mnt/cryptrfs/proc/
mount --rbind /sys /mnt/cryptrfs/sys/
mount --rbind /dev /mnt/cryptrfs/dev/
mount --rbind /run /mnt/cryptrfs/run/
mkdir -p /mnt/cryptrfs/mnt/tmpboot/
mount --bind /mnt/tmpboot /mnt/cryptrfs/mnt/tmpboot/
# SCRIPT FAILS IN THIS SECTION
cat << EOF1 | chroot /mnt/cryptrfs /bin/bash
#Install zstd
apt install -y zstd
# Make the initramfs
echo -n "Building initramfs..."
rm /mnt/tmpboot/initrd.img-6.1.21-v8+ 2>/dev/null
update-initramfs -v -c -k 6.1.21-v8+ -b /mnt/tmpboot/
EOF1
umount --recursive /mnt/cryptrfs
mv /mnt/tmpboot/initrd.img-6.1.21-v8+ /mnt/tmpboot/initrd.img
echo "done."
# Restore local backup of fstab
mv /etc/fstab.prev /etc/fstab
# Reboot now. Should reboot into encrypted SD card root file system.
echo "Rebooting..."
reboot
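
In the log above, each compression message is preceded by grep failing to open /boot/config-6.1.21-v8+. The following check is an added example, not part of the original report or of Zymbit's script; it reports whether a kernel config is readable for a given version and what it says about CONFIG_RD_ZSTD and CONFIG_RD_GZIP. The function names and the sample directory are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the report or Zymbit's script).
# rd_symbol_state SYMBOL KVER [BOOTDIR] prints one of:
#   enabled  - config readable and SYMBOL=y
#   disabled - config readable, SYMBOL not set to y
#   unknown  - no config readable, so nothing can be concluded
rd_symbol_state() {
    local sym="$1"
    local kver="$2"
    local bootdir="${3:-/boot}"
    local cfg="$bootdir/config-$kver"

    if [ -r "$cfg" ]; then
        if grep -q "^${sym}=y" "$cfg"; then echo enabled; else echo disabled; fi
    elif [ "$kver" = "$(uname -r)" ] && [ -r /proc/config.gz ]; then
        # The running kernel exposes its config here only when built with
        # CONFIG_IKCONFIG_PROC (possibly as a module that must be loaded).
        if zcat /proc/config.gz | grep -q "^${sym}=y"; then
            echo enabled
        else
            echo disabled
        fi
    else
        echo unknown
    fi
}

# Print the state of both decompressors named in the log for one kernel.
report_initramfs_compression() {
    local kver="$1"
    local bootdir="${2:-/boot}"
    local sym
    for sym in CONFIG_RD_ZSTD CONFIG_RD_GZIP; do
        echo "$sym: $(rd_symbol_state "$sym" "$kver" "$bootdir")"
    done
}

# Constructed sample: a fake boot directory with a config for one kernel only.
demo_dir=$(mktemp -d)
printf 'CONFIG_RD_GZIP=y\n# CONFIG_RD_ZSTD is not set\n' > "$demo_dir/config-0.0.0-constructed"
report_initramfs_compression 0.0.0-constructed "$demo_dir"   # config present
report_initramfs_compression 9.9.9-missing "$demo_dir"       # config absent
rm -rf "$demo_dir"
```

On the affected system, run `report_initramfs_compression "$(uname -r)"` both outside and inside the chroot; an `unknown` result means the check had no config file to read, which is a different condition from the kernel lacking the decompressor.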