I have a fully encrypted root partition, and the system asks for a password on early boot.
I want my system to power off after some amount of time when it was started by accident (accidentally hit the power button on my laptop). Currently, if it is turned on by accident, it will ask for the password indefinitely until the battery is discharged.
/etc/mkinitcpio.conf
HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt filesystems fsck)
Kernel parameters:
rd.luks.options=timeout=10s luks.options=discard luks.name=fa0158b2=root luks.name=264314ea=swap root=/dev/mapper/root initrd=/initramfs-linux-lts.img resume=/dev/mapper/swap
I tried rd.luks.options=timeout, but it doesn't help. It bails out to emergency mode.
Also, I tried to take a look at the mkinitcpio /usr/lib/initcpio/install/sd-encrypt script, but it wasn't helpful for me. Looks like password asking and boot flow are completely up to systemd.
Last edited by Maksym (2024-06-10 14:36:38)
Offline
Is that even possible with mkinitcpio, or should I look into dracut?
Offline
Also, I tried to take a look at the mkinitcpio /usr/lib/initcpio/install/sd-encrypt script, but it wasn't helpful for me. Looks like password asking and boot flow are completely up to systemd.
The sd in sd-encrypt stands for systemd, so that's no surprise.
No idea if any initramfs system supports what you want, but I'd take care of this before OSes are started, like in the bootloader.
Create a bootloader entry that powers off the system, set that entry as default choice with a reasonable timeout.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Is that even possible with mkinitcpio, or should I look into dracut?
You'd probably need a custom hook either way. If there is an out of the box solution for such a timeout, I'm not aware of it.
Since systemd-based initcpio does not have any runtime hooks, you'd have to implement it as a systemd service, or run your timeout script via a custom udev rule. This script should check that /dev/mapper/<yourcryptdevice> does not exist before shutting down...
The Grub idea sounds very nice too, if you're already using Grub, and don't mind selecting a boot entry every time.
Rather than a menuentry you could probably also use a simple logic like `if sleep --verbose 60; halt; fi` which means Grub will count-down 60 seconds for you to hit the ESC, F4 or hold Shift key, otherwise halt the machine.
Offline
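Added example, not part of the original post: a sketch of the timeout script suggested above, which runs a power-off command only if the LUKS mapping never shows up. The mapping path /dev/mapper/root comes from the thread; the 60-second value, the function names and the power-off command in the usage comment are assumptions, and the script with its tools (sh, sleep) would still have to be added to the initramfs.

```shell
#!/bin/sh
# Added example (not code from the thread): the timeout script described above.

# wait_for_mapper PATH SECONDS
# Poll once per second; return 0 as soon as PATH exists, 1 when time runs out,
# 2 when SECONDS is not a plain number.
wait_for_mapper() {
    case $2 in ''|*[!0-9]*) echo "bad timeout: $2" >&2; return 2 ;; esac
    remaining=$2
    while [ "$remaining" -gt 0 ]; do
        [ -e "$1" ] && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    [ -e "$1" ]      # last look, in case it was unlocked during the final sleep
}

# shutdown_unless_unlocked PATH SECONDS CMD [ARGS...]
# Run CMD only if the mapping never appeared within SECONDS.
shutdown_unless_unlocked() {
    mapper=$1; secs=$2; shift 2
    rc=0
    wait_for_mapper "$mapper" "$secs" || rc=$?
    case $rc in
        0) return 0 ;;   # unlocked: leave the boot alone
        1) "$@" ;;       # still locked after the timeout: run the command
        *) return 2 ;;   # invalid timeout: never power off on bad input
    esac
}

# Example call (hypothetical timeout and power-off command):
#   shutdown_unless_unlocked /dev/mapper/root 60 systemctl poweroff
```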
Also, I tried to take a look at the mkinitcpio /usr/lib/initcpio/install/sd-encrypt script, but it wasn't helpful for me. Looks like password asking and boot flow are completely up to systemd.
The sd in sd-encrypt stands for systemd, so that's no surprise.
No idea if any initramfs system supports what you want, but I'd take care of this before OSes are started, like in the bootloader.
Create a bootloader entry that powers off the system, set that entry as default choice with a reasonable timeout.
Do you have an example of the approach with a bootloader? If I do that, how will a regular boot look when I turn on the laptop not by accident? Do you mean that if I started my laptop not by accident, I should select the right boot option manually every time?
PS: nice footer about systemd. I really like it.
Offline
Maksym wrote: Is that even possible with mkinitcpio, or should I look into dracut?
You'd probably need a custom hook either way. If there is an out of the box solution for such a timeout, I'm not aware of it.
Since systemd-based initcpio does not have any runtime hooks, you'd have to implement it as a systemd service, or run your timeout script via a custom udev rule. This script should check that /dev/mapper/<yourcryptdevice> does not exist before shutting down...
The Grub idea sounds very nice too, if you're already using Grub, and don't mind selecting a boot entry every time.
Rather than a menuentry you could probably also use a simple logic like `if sleep --verbose 60; halt; fi` which means Grub will count-down 60 seconds for you to hit the ESC, F4 or hold Shift key, otherwise halt the machine.
Thank you for the option, but I'm using pure EFI, and my boot record looks like this (long UUIDs partially replaced with ellipsis):
$ efibootmgr -u
Boot0004* Arch Linux LTS HD(1,GPT,...67bb6f5a8c2c,0x800,0x80000)/\vmlinuz-linux-ltsrd.luks.options=timeout=10s luks.options=discard luks.name=...451795b819d1=root luks.name=...3c760ed7594c=swap root=/dev/mapper/root initrd=/initramfs-linux-lts.img resume=/dev/mapper/swap
Offline
https://wiki.archlinux.org/title/Unifie … UEFI_Shell
https://techlibrary.hpe.com/docs/iss/pr … _auto.html
https://superuser.com/questions/1595233 … uefi-shell
if I started my laptop not by accident, I should select the right boot option manually every time
when it was started by accident (accidentally hit the power button on my laptop)
How exactly does that happen?
https://www.amazon.de/-/en/DOITOOL-Butt … B0CPZQ5GMY ?
Offline
Thank you for the comprehensive references for UEFI handling. I'll take a look.
My laptop can be turned on by just opening the lid, so that funny accessory won't help.
Offline
No solution for your problem, but better than letting the battery die.
ctrl+alt+del
"If the person you are talking to doesn't appear to be listening, be patient. It may simply be that he has a small piece of fluff in his ear." - A.A. Milne (Winnie-the-Pooh)
Offline
My laptop can be turned on by just opening the lid, so that funny accessory won't help.
https://m.media-amazon.com/images/I/619 … _QL80_.jpg
More seriously (though some plastic clamp or https://m.media-amazon.com/images/I/61o … 0_ML2_.jpg might actually work), does the system actually boot or just wake out of hibernation? You can probably just disable the LID behavior.
Offline
I found a more graceful programmatic way, so the topic can be marked as SOLVED.
I'm using a systemd-flavored initramfs. The idea is to replace the emergency target with power-off. For emergency mode, I have a separate initramfs image.
I've created a hook that replaces the emergency target with the power-off target:
>>> /etc/initcpio/install/emergency-shutdown
#!/bin/bash

build() {
    # Point emergency.target at poweroff.target inside the image, so a failed
    # or timed-out unlock powers the machine off instead of opening a shell.
    add_symlink /usr/lib/systemd/system/emergency.target poweroff.target
    # Units that the power-off path needs inside the initramfs.
    add_file /usr/lib/systemd/system/poweroff.target
    add_file /usr/lib/systemd/system/systemd-poweroff.service
}

help() {
    cat <<HELPEOF
The hook replaces emergency target by power-off.
So, instead of emergency mode the system will be powered off.
Intended to use with LUKS timeout settings. When no password
provided for some amount of time, a device will be turned off.
HELPEOF
}
I added this hook to the mkinitcpio config
>>>/etc/mkinitcpio.conf
HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt emergency-shutdown filesystems fsck)
Do not forget to rebuild your initramfs images:
sudo mkinitcpio -P
Finally, I updated the EFI bootloader:
# efibootmgr --unicode --create \
    --label "Arch Linux LTS" \
    --disk "/dev/nvme0n1" \
    --part "1" \
    --loader "/vmlinuz-linux-lts" \
    "luks.options=discard,timeout=60s luks.name=451795b819d1=root luks.name=3c760ed7594c=swap root=/dev/mapper/root initrd=/initramfs-linux-lts.img resume=/dev/mapper/swap"
The important thing here is "luks.options=timeout=60s". Pay attention to the unit specification. The manual says that the default unit is seconds, but without "s" it didn't work for me. Idk, it's out of scope anyway.
Works like a charm. Thank you all for your suggestions and help. It helped me to think in the right way.
Offline
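Added example, not the poster's code: a check of the two pieces the solution above depends on, namely a LUKS timeout with an explicit unit on the kernel command line and an initramfs in which emergency.target points at poweroff.target. It assumes the image has been unpacked into a scratch directory (for example with `lsinitcpio -x`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the poster's code): check the two halves of the fix.
UNIT_DIR=usr/lib/systemd/system

# Print the timeout= value from luks.options= / rd.luks.options= in a kernel
# command line (both take a comma-separated list); return 1 if none is set.
luks_timeout() {
    found=
    for arg in $1; do
        case $arg in
            luks.options=*|rd.luks.options=*)
                old_ifs=$IFS; IFS=,
                for opt in ${arg#*=}; do
                    case $opt in timeout=*) found=${opt#timeout=} ;; esac
                done
                IFS=$old_ifs ;;
        esac
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

# True when the value carries an explicit unit such as "60s"; the poster
# reports that a bare number did not work for them.
timeout_has_unit() {
    case $1 in
        *[!0-9a-z]*) return 1 ;;
        [0-9]*[a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the unpacked image under $1 maps emergency.target to
# poweroff.target and ships the units the hook adds.
initramfs_powers_off() {
    [ "$(readlink "$1/$UNIT_DIR/emergency.target" 2>/dev/null)" = poweroff.target ] &&
        [ -e "$1/$UNIT_DIR/poweroff.target" ] &&
        [ -e "$1/$UNIT_DIR/systemd-poweroff.service" ]
}

# check_setup CMDLINE ROOT: report the first missing piece, or success.
check_setup() {
    timeout_val=$(luks_timeout "$1") || { echo "no LUKS timeout set"; return 1; }
    timeout_has_unit "$timeout_val" || { echo "timeout=$timeout_val lacks a unit"; return 1; }
    initramfs_powers_off "$2" || { echo "emergency.target is not poweroff.target"; return 1; }
    echo "ok: powers off after $timeout_val without a passphrase"
}
```

Run it against the default image only; the separate image kept for emergency mode is expected to fail the last check.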
Mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline