Hello,
So I have been tearing my hair out trying to grasp why this is not working...
I have a custom fully encrypted disk, this is my layout if I were to arch-chroot into /mnt using a live iso:
/dev/sda1 /mnt/boot/efi
/dev/sda2 /mnt/boot
/dev/sda3
    /dev/mapper/swap [SWAP]
/dev/sda4
    /dev/mapper/tmp /mnt/tmp
/dev/sda5
    /dev/mapper/crypt1 /mnt
    /dev/mapper/crypt2 /mnt/usr
    /dev/mapper/crypt3 /mnt/home
The initcpio img is supposed to run custom scripts to print a message before unlocking the disk, unlock the disk, and use kpartx -a on the unlocked mapped disk to map the partition table (it is a raw gpt table on a luks2 crypt disk, no lvm)
The names of the hook scripts are pre-crypt, custom-crypt, and kpartx-crypt.
Running "mkinitcpio -p linux -c /etc/mkinitcpio.conf" shows that the custom scripts are being executed with no errors for both the default and fallback images (besides some missing firmware).
/etc/default/grub
The command line here has a "root=/dev/mapper/crypt1" to override the default uuid based root that the kernel introduces earlier in the cmdline.
I have tried with and without "cryptdevice=/dev/sda5:crypt" to get it to load my custom modules but it still will not work.
I have made sure they are located in /etc/initcpio/hooks and they all three have an executable flag set
I have made sure they all have install scripts that are also executable in /etc/initcpio/install
My /etc/mkinitcpio.conf has the following for hooks:
base udev block autodetect microcode modconf kms keyboard kepmap consolefont pre-crypt custon-crypt kpartx-crypt fsck filesystems usr
In that order.
It is marked as uncompressed, and had the dm_mod and dm_crypt modules included...
Now when checking lsinitcpio /boot/initramfs-linux.img | grep "hooks"
the only output is this:
hooks/
hooks/consolefont
hooks/keymap
hooks/udev
hooks/usr
None of my custom hooks are even being included...
But there are no errors when running mkinitcpio.
I am losing my mind, please if anyone can help me I need this working soon...
Thank you,
Peter F
Last edited by onthegrid007 (2025-05-20 20:52:05)
Offline
I should also mention when I do try and boot it looks like it just tries to run the default mount handler from init_functions, tries to run a fsck and then drops me into an emergency shell, where I can not even unlock the cryptdisk using cryptsetup because after I enter my password it says this:
device-mapper: reload ioctl on crypt (253:0) failed: Invalid Argument
Running with --debug it looks like for some reason /dev/sda5 is ro...
Last edited by onthegrid007 (2025-04-07 19:40:00)
Offline

And the install scripts do have a build() { ... } function with add_runscript in it? Without this, the runtime hook is not added at all.
Why such a complicated setup? Separate /usr partition is problematic, and partitions inside LUKS entirely unsupported. Easier by using LVM, or create the additional partitions on sda then encrypt them individually... the only custom hook required then is the one that opens more than one crypt device (if you don't like systemd initramfs which can do it directly).
Offline
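An added example, not part of the thread: a POSIX shell check for the failure described in the reply above, where an install script has no add_runscript call, mkinitcpio builds cleanly, and the runtime hook is left out of the image. The `demo-*` hook names and the sample tree are constructed, and HOOKS is assumed to sit on a single line.

```shell
#!/bin/sh
# Added example, not from the thread. Flags HOOKS entries that have a runtime
# script but whose install script never calls add_runscript, and entries with
# no install script at all.

# check_hooks CONF ROOT...   (each ROOT contains install/ and hooks/)
check_hooks() {
    conf=$1; shift
    # Assumption: HOOKS=(...) is on one line, as in the stock mkinitcpio.conf.
    hooks=$(sed -n 's/^HOOKS=[("]*\([^)"#]*\).*/\1/p' "$conf" | tail -n 1)
    for name in $hooks; do
        inst='' run=''
        for root in "$@"; do
            if [ -z "$inst" ] && [ -f "$root/install/$name" ]; then inst=$root/install/$name; fi
            if [ -z "$run" ] && [ -f "$root/hooks/$name" ]; then run=$root/hooks/$name; fi
        done
        if [ -z "$inst" ]; then
            echo "NO_INSTALL $name"
        elif [ -n "$run" ] && ! grep -Eq '^[[:space:]]*add_runscript([[:space:]]|$)' "$inst"; then
            echo "NO_RUNSCRIPT $name"
        fi
    done
}

# Constructed sample tree; the demo-* hook names are hypothetical.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/install" "$t/etc/hooks" "$t/usr/install"
    printf 'HOOKS=(base demo-good demo-bad demo-gone)\n' > "$t/conf"
    printf 'build() {\n    add_module dm_mod\n}\n' > "$t/usr/install/base"
    printf 'build() {\n    add_binary cryptsetup\n    add_runscript\n}\n' > "$t/etc/install/demo-good"
    printf 'build() {\n    add_binary cryptsetup\n}\n' > "$t/etc/install/demo-bad"
    printf 'run_hook() {\n    :\n}\n' | tee "$t/etc/hooks/demo-good" > "$t/etc/hooks/demo-bad"
    check_hooks "$t/conf" "$t/etc" "$t/usr"
    rm -rf "$t"
}

# On a real system:
#   check_hooks /etc/mkinitcpio.conf /etc/initcpio /usr/lib/initcpio
if [ "$#" -gt 0 ]; then check_hooks "$@"; else demo; fi
```

The result can be confirmed against the built image with the `lsinitcpio ... | grep hooks` check from the first post.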
The install scripts do have a build function yes, but I read NOTHING about add_runscript anywhere in the custom mkinitcpio installation guide... I'll go ahead and try it and report back..
Offline
Perfect! The scripts are running now but for some reason the disk is not able to be unlocked in the shell... The error is as follows:
device-mapper: reload ioctl on crypt (253:0) failed: Invalid Argument
Any other ideas?
Offline

Perhaps modules are missing? kpartx would most likely require dm-linear (try adding lvm2 hook, if it works then, it's module related.)
Offline
kpartx is not being executed because in the script the cryptsetup is the command that is failing... So it's never reaching the point of probing the partition table yet... I will try dm-linear, and will adding the lvm2 hook cause any issues if I have it before the decrypt script because not only am I not using lvm the disk will not even be decrypted at the time of executing...
Offline
lvm2 hook does not work because I do not have a config file for it, dm_linear can not be force loaded in the initramfs due to it being already loaded in the kernel and I still can not unlock the disk...
Offline

https://bbs.archlinux.org/viewtopic.php?id=262656 # wrong cipher
https://forums.gentoo.org/viewtopic-t-1 … art-0.html # wrong cipher …
=> cipher module missing?
Offline
I saw the first forum post, but nope. I have tried including cipher_aes and xts as modules in initramfs but it still won't work.
I also tried in /etc/default/grub under preload modules luks and lvm and still no luck
Here is the luks dump of the drive in question
Last edited by onthegrid007 (2025-04-09 17:48:15)
Offline

Wants me to register.
Also don't post pictures of text, post the text.
You can
cryptsetup luksDump whatever | curl -F 'file=@-' 0x0.st
Offline
Any ideas on the modules I should be including in the initcpio image? I've tried almost everything and I still can not unlock the disk
Offline

please post the output of (run as root)
# lsinitcpio -a /boot/initramfs-linux.img
Offline

Try to correlate that w/ the output of "lsmod" after successfully unlocking the device.
Offline
lsinitcpio -a /boot/initramfs-linux-lts.img
"Try to correlate that w/ the output of "lsmod" after successfully unlocking the device."
I can not unlock the crypt disk successfully, that is the whole problem...
Offline

I can not unlock the crypt disk successfully
AT ALL?
I thought this was just about the initramfs, but you cannot unlock it from eg. the install iso??
Offline
What would lsmod on the installation media be helpful? Is it not the same for everyone? I can unlock it from the installation media just fine. Here is the lsmod from the installation media:
https://0x0.st/8fQa.txt
Offline

Unlocking the drive won't happen w/o loading the necessary modules.
dm_crypt               65536  1
algif_aead             12288  0
crypto_null            16384  1 algif_aead
libdes                 20480  2 des_generic,des3_ede_x86_64
algif_skcipher         12288  0
algif_hash             12288  0
af_alg                 32768  3 algif_hash,algif_skcipher,algif_aead
skx_edac_common        32768  0
nfit                   86016  1 skx_edac_common
encrypted_keys         28672  2 dm_crypt,libnvdimm
trusted                49152  2 encrypted_keys,dm_crypt
asn1_encoder           12288  1 trusted
tee                    49152  1 trusted
polyval_clmulni        12288  0
polyval_generic        12288  1 polyval_clmulni
dm_mod                225280  14 dm_crypt
gf128mul               16384  2 polyval_generic,aesni_intel
crypto_simd            16384  1 aesni_intel
cryptd                 28672  3 crypto_simd,ghash_clmulni_intel
Though maybe also just draw lsmod before and after unlocking the drive and sort and diff both?
Last edited by seth (2025-04-14 19:45:27)
Offline
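An added example, not part of the thread: the "lsmod before and after, sort and diff" comparison suggested above, as a POSIX shell sketch that prints the modules appearing only after the unlock as a MODULES= line for mkinitcpio.conf. The two sample listings in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are saved `lsmod` output or
# copies of /proc/modules (same first column, no header line).

# module_names FILE: sorted, unique module names from one listing
module_names() {
    # Drop the lsmod header if present and keep only the name column.
    awk '!(NR == 1 && $1 == "Module") && NF { print $1 }' "$1" | LC_ALL=C sort -u
}

# new_modules BEFORE AFTER: names present in AFTER but not in BEFORE
new_modules() {
    a=$(mktemp); b=$(mktemp)
    module_names "$1" > "$a"
    module_names "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# modules_line BEFORE AFTER: the difference as a mkinitcpio.conf MODULES line
modules_line() {
    printf 'MODULES=(%s)\n' "$(new_modules "$1" "$2" | paste -sd ' ' -)"
}

# Constructed sample listings (sizes and use counts are made up).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Module Size Used by' 'usbhid 77824 0' 'dm_mod 225280 0' > "$d/before"
    printf '%s\n' 'Module Size Used by' 'dm_crypt 65536 1' \
        'cryptd 28672 1 crypto_simd' 'crypto_simd 16384 0' \
        'dm_mod 225280 14 dm_crypt' 'usbhid 77824 0' > "$d/after"
    modules_line "$d/before" "$d/after"
    rm -rf "$d"
}

# Usage: script BEFORE_FILE AFTER_FILE   (no arguments runs the demo)
if [ "$#" -eq 2 ]; then modules_line "$1" "$2"; else demo; fi
```

Code built into the kernel rather than loaded as a module does not show up in lsmod, so it never appears in this difference.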
Should I just force load all these modules in the mkinitcpio.conf?
dm_crypt
algif_aead
crypto_null
libdes
algif_skcipher
algif_hash
af_alg
skx_edac_common
nfit
encrypted_keys
trusted
asn1_encoder
tee
polyval_clmulni
polyval_generic
dm_mod
gf128mul
crypto_simd
cryptd
?
Offline

Some of them would hopefully be implicitly added but basically yes - unless you can maybe narrow down the list by comparing the loaded modules pre/post unlocking the drive.
Offline
I explicitly added every module I just listed and I still can not unlock the disk...
Any other ideas?
Last edited by onthegrid007 (2025-04-14 20:37:23)
Offline

Do you still get the exact same error sequence?
Does the failsafe image work? 
Offline
here is the output of:
cryptsetup luksOpen /dev/sda5 crypt --debug
running in the initramfs in an interactive terminal ash session
https://drive.google.com/file/d/19sIaIF … sp=sharing
https://drive.google.com/file/d/1sbR8lZ … sp=sharing
The fallback Image is the exact same result, it does not work
Can't use the
| curl -F 'file=@-' 0x0.st
even when including the curl binary, because in the initramfs the network stack is not set up
Offline