
mkinitramfs-ll's Introduction

Header: mkinitramfs-ll/README.md,v 0.21.0 2015/05/28 Exp

A lightweight, modular and yet powerful initramfs generating tool with RAID (ATA RAID & SOFTWARE RAID), dm-crypt LUKS, LVM(2), BTRFS, ZFS, TuxOnIce/SwSusp hibernation, AUFS|OverlayFS+SquashFS, ZRAM and bCache support

INTRODUCTION

BIG FAT NOTE:

**SUPPORTED BLOCK DEVICE STACK: [RAID]+[LUKS]+[LVM] or [LUKS]+[BTRFS|ZFS]**

It is possible to add ZFS on the first stack variant, but it does not make any sense: expect horrible performance with such a mixed bag. This variant is not implemented, although it could be done easily. (The same goes for BTRFS support, which requires >=btrfs-progs-3.12.)

The order of LUKS/LVM and LUKS/RAID can be changed, that is, use any on top of the other.

GETTING AN INITRAMFS QUICKLY AND READY

An initramfs can be made in a matter of seconds with locale settings (keymap and console font) if a busybox binary is available. media-fonts/terminus-font is recommended to get a nice and neat interface in early boot up.

app-crypt/gnupg-1.4.x is mandatory for GnuPG support (a binary along with its options.skel file is required.)

And then run mkinitramfs-ll.$SHELL -a -f$FONT -y$LINGUAS to build an initramfs. The appended font and keymap will be the default if there is no keymap kernel cmdline argument.

Of course, one can append extra fonts and keymaps with -fter-g12n -yfr-latin1 etc. The -a|--all option depends on mkinitramfs-ll.conf, so one can put many sane default values there.

One can get more info on the scripts by running $SCRIPT -?|-h|--help

EFI STUB Kernel NOTE

If using a kernel stub with an EFI boot loader, first build an uncompressed initramfs by passing --compressor=none on the command line to mkinitramfs-ll.$SHELL, and leave the compression to the kernel. Second, set up the env variable in the configuration file with the appropriate kernel command line. This will ensure a more reliable and consistent kernel command line across various boot loaders.

DOCUMENTATION

See mkinitramfs-ll(5) for more info on kernel command line options

See mkinitramfs-ll(8) for more info on the build script options

INSTALLATION

make DESTDIR=/tmp PREFIX=/usr/local install to install initramfs files hierarchy; install-{,ba,z}sh-scripts for POSIX, Bourne Again or Z shell build script; install-{squashd,tmpdir,zram}-svc for extra init scripts service (refer to FILES sub-section); install-all for everything minus {ba,z}sh scripts...

WARNING: The POSIX build script cannot be used together with the {ba,z}sh build scripts because of a configuration file mismatch (associative array usage.) Or else, a few quick edits would do the trick!

COPYING

BIG FAT WARN:

**USE AT YOUR OWN RISK! EVERYTHING IS GIVEN "AS IS" (SEE COPYING FILE)**
**Distributed under the 2-clause/new/simplified BSD License**

FILES

/usr

An image-like directory with the extra files required for the initramfs. Extra files (binaries along with library dependencies), user scripts, keymaps and fonts can be put there directly.

/scripts

Some extra scripts are available there, notably {busybox,gpg}.{ba,z}sh for Gentoo Users.

A suspend/hibernation script along with an initramfs utility (decompress and list) are available.

/svc (service)

Some init service files for OpenRC are available... Or else, grab svc/sdr.$SHELL instead of svc/squashdir.{init,conf}d and tmpdirs.{sh|pl|py} instead of both svc/tmpdir.{init,conf}d and svc/zram.{init,conf}d.

AUFS|OverlayFS+SquashFS

An init service script along with a build script for squashed directories are available. Managing system wide directories is problematic, so put `usr' first (if squashed.) And this requires a static busybox to function at all.

ZRAM

Two init service scripts are available, one that can be used to set up zram devices directly for space usage efficiency (compared to a regular tmpfs.)

Another one, an optional client of zram, handles temporary directory with an optional saved state (tarball backup.)

The latter can be used on a tmpfs based device instead of zram; a configuration edit is required (zram is used by default.)

CONTRIBUTORS

Thanks to:

Federico Zagarzazu (early init script with LUKS/Suspend2 support); Jan Matějka aka yaccz for his suggestions (debug...); Simon Buehler for debugging...; And others;

GENTOO USERS NOTE

An ebuild for Gentoo users.

Gentoo users can use provided scripts to build static busybox/gnupg. (See in /scripts directory for extra scripts.)

gnupg.sh will build a binary in the current directory (with a USRDIR/bin/gpg and USRDIR/share/gnupg/options.skel) or else in the DATADIR/mkiniramfs-ll directory for the installed variant. The same goes for `busybox.sh', which builds a static binary.

mkinitramfs-ll's Issues

Please help

I have lvm on luks with detached header and key on usb stick
/dev/sda - main disk luks
/dev/mapper/container - unlocked luks
/dev/mapper/vol-root - root on btrfs
/dev/sdb1 - usb stick [ header at /hdr and key at /key ]

I also read man but I can't understand how to set up config
Can you explain please?

Gentoo install not functional

The install works (no errors), but is not functional afterwards:

ERROR: mkinitramfs-ll.bash: no mkinitramfs-ll.conf found

When executed inside /etc, where the conf file resides:
ERROR: mkinitramfs-ll.bash: /usr/share//usr dir not found

/usr/share/mkinitramfs-ll/ has the hooks, scripts etc. installed.

It does work when manually untarred into a directory and ./mkinitramfs-ll.bash is used...

lvm2 over Luks: kernel panic

Hi tokiclover,

first of all thank you for sharing your great script. I've been using version 0.5 for some time and now wanted to upgrade to the ebuild from your overlay. My setup is as follows:

  • /boot on /dev/sda1 (ext2)
  • Luks encrypted /dev/sda2 with lvm2 volume group 'vg' in it
  • vg contains logical volumes 'root' (ext4) and 'swap'

Version 0.5 worked for this setup with the following kernel options:

kernel /boot/kernel-3.0.6-gentoo iroot=vg-root:c:ext4 iswap=swap:vg-swap ilvm=sda2_crypt-sda2,sda2_crypt-sda2 ikmap=de-latin1-nodeadkeys-x86_64.bin:

Back then I built the image as described in the DM-Crypt with LUKS article on the gentoo wiki:

find . | cpio --quiet -o -H newc | gzip -9 >/boot/initramfs-gentoo-crypt

So now after installing your ebuild (init version 0.10.0 2012/07/08 15:59:11) with useflags

bash bzip2 cryptsetup device-mapper e2fs symlink xz

from working directory /usr/local/share/mkinitramfs-ll/ I ran

/usr/local/sbin/mkinitramfs-ll.bash --luks --lvm --keymap

I moved '/usr/local/share/mkinitramfs-ll/usr' for it wouldn't start to build otherwise. The only thing I changed in grub.cfg was removing the colon at the end of the kernel line (I think it had to be added because of a bug in earlier versions). Then I tried to reboot and got a kernel panic.

When I built the image myself from the folder the script created I didn't get a kernel panic but for some reason init didn't run cryptsetup and then of course didn't find my volume group. It dropped me into a shell and I could run cryptsetup manually.

Do you have any idea what I'm doing wrong?

console=/dev/ttyS0 vs ttyS0

/dev/ttyS0 doesn't work. I'm not sure if the init is stuck or what is going on but immediately after "Booting the kernel" I get no output on VGA or the ttyS0.

typo in doresume()

hi,

on line 386 in init
_i="$(cat /sys/power/tuxonice/image_exists | head -n 1)" should read
_img="$(cat /sys/power/tuxonice/image_exists | head -n 1)"

also the logic up to line 392 is a bit wrong? 1 indicates an image present and i can't see what is actually tested there

e2fsck recommended

Hi again,
I'm procrastinating this for a while (at the moment still using version 0.10.0):


[...]
2 logical volume(s) in volume group "vg" now active
/init: eval: line 1: iswap:vg-swap=: not found
* Switching to init shell runlevel: 3d
* Switching to init shell runlevel: 3f
/init: line 1: -text4: not found
* Switching to init shell runlevel: 3m
EXT4-fs (dm-2): warning: maximal mount count reached, running e2fsck is recommended
EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[...]

I described my setup in issue #6. I'm not sure if the init script is able to run e2fsck at all. The corresponding entry in /etc/mkinitramfs-ll looks like this:

opts[-bin]+=:cryptsetup:e2fsck:v86d

By default it was:

opts[-bin]+=:cryptsetup:fsck.ext4:fsck.jfs:fsck.reiserfs:fsck.xfs:v86d

I build my initramfs using '/usr/sbin/mkinitramfs-ll.bash --luks --lvm --keymap'. In both cases the wished binaries are put into /sbin and can be executed from the rescue shell but init doesn't run any of them.
In the first case mkinitramfs-ll.bash tells me '* /sbin/e2fsck is not a static binary.' but the config file says it can handle this by copying library dependencies over.
So what can I do to make init run a file system check?

luks option seems to get ignored using BTRFS root

I have an initramfs built with

mkinitramfs -Hbtrfs --all --usrdir=/usr/share/mkinitramfs-ll/usr/ --keymap=de -k4.0.5-gentoo

and the kernel is compiled with the initramfs embedded and called via EFI boot

efibootmgr -c -L Gentoo-4.0.5-2 -l vmlinuz-4.0.5-gentoo root=LABEL=croot rootfs=:Yes btrfs=root-sda5 luks=pwd

But it asks for the plain boot partition "init: Type in valid block device" (seemingly ignoring the luks=pwd) and bails into rescue shell when I enter sda5 e.g.
I can then use cryptsetup open /dev/sda5 root and mount the underlying btrfs filesystem to /newroot and then it boots after an exit command. So all works, but the script just does not handle the luks/btrfs correctly I think.

This is the /run/init.log by the way:
0: umask 0077
0: mkdir -p dev/pts proc run sys /newroot /mnt/tok
0: mount -t proc proc /proc
0: mount -t sysfs sysfs /sys
0: mount -t devtmpfs devtmpfs /dev
0: /sbin/mdev -s
0: mount -t tmpfs -o mode=755,size=1% tmpfs /run
0: MODPROBE kms
0: ln -fns /proc/self/fd /dev/fd
0: ln -fns fd/2 /dev/stderr
0: ln -fns fd/0 /dev/stdin
0: ln -fns fd/1 /dev/stdout

[1]: test -f /etc/issue
0: test -n /dev/mapper/enc_root

0: blk /dev/mapper/enc_root DEV
0: get_dev /dev/mapper/enc_root ROOT 1
[255]: mount -o ro /dev/sda5 /newroot


There is no dev/mapper/enc_root created of course. I checked this.

Init exits causing kernel panic

Hello again,

After successful test of your marvelous work I decided to put it on other machine:

When I tried to boot for first time I get this error
/init:line 177: syntax error: bad substitution

first i tried to figure out it myself (trying to find my mistakes) but no luck

system is Gentoo 64 - fresh install and with your latest scripts (cloned around 9:00 GMT)

S.

LVM on LUKS with detached header

Hey,

Thank you for this project.

I'm trying to build a Gentoo install at the moment and hoping to use your script for the initramfs. I'm just having a hard time following the documentation and what precisely I need to do to get my setup to work.

I've got LVM on LUKS and using a detached header on a separate device, which is the boot device.

so /dev/sda1 is LUKS encrypted
and header.img is the detached header located on /dev/sdb1
then /dev/mapper/myvol-gentoo is the LVM volume I want to use as root

I'm using just a regular passphrase, no key file. Would you be able to provide an example of what kernel parameters I should be using?

Cheers

CK

Whole disk support

Feature request: support for whole disk systems.

mkinitramfs-ll does not support the case where a LUKS encrypted whole disk has a detached header.
I suspect some other whole disk systems (RAID on w.d.s., FS on w.d.s ) may also have problems.

Proposed solution:

diff -ur mkinitramfs-ll-master.old/usr/lib/mkinitramfs-ll/functions mkinitramfs-ll-master.new/usr/lib/mkinitramfs-ll/functions
--- mkinitramfs-ll-master.old/usr/lib/mkinitramfs-ll/functions	2017-07-02 12:24:08.000000000 +0300
+++ mkinitramfs-ll-master.new/usr/lib/mkinitramfs-ll/functions	2017-08-30 10:49:35.000000000 +0300
@@ -265,6 +265,11 @@
 	local _asw _blk
 	BLK() {
 		_blk=$(blkid | sed -nre "\|${1#*=}|s|(^/dev/.*):.*$|\1|p")
+		if [ -z "$_blk" ]; then
+			if grep -sqw "$1" /proc/partitions; then
+				_blk="/dev/$1"
+			fi
+		fi
 	}
 	BLK "$1"
 	
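Review bot: The fallback added to BLK() tests and uses "$1" unmodified, while the blkid line just above strips a KEY= prefix with ${1#*=}, so the two paths treat the same argument differently. In addition, grep -w "$1" /proc/partitions matches any whole word on any line, including the major, minor and #blocks columns, so a numeric or partial argument can match a line that does not name that device. Suggest comparing ${1#*=} against the name column only (for example with awk on the fourth field) and confirming the result with [ -b ] before assigning _blk.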

resume handling broken

hi,

if a hibernate file isn't found the script dies die "failed to resume from hibernation" - it should instead just carry on booting.
i changed that and also found that the major:minor of the resume device must be echoed into /sys/power/resume for it to work

custom keymap support broken

This is just a hint that specifying a custom keymap on current Gentoo systems will result in broken keyboard maps (which made my system unbootable as I cannot enter the LUKS key).

tl;dr:

emerge ~sys-apps/kbd-2.3.0-r1

to fix it.

https://bugs.gentoo.org/735086

Using an encrypted root with a regular keyfile asks for passphrase

I have an encrypted root set up on /dev/sda2. To access the encrypted partition I use a key, which is a regular file called key on the root of a usb drive with the label KEY.
I've read the manual and this is what I came up with for the kernel arguments:

luks=reg:LABEL=KEY:/key root=root-sda2

When I boot (and the usb drive isn't connected) I am prompted to plug in the drive with LABEL=KEY, so far so good. However, when I plug it in, I am prompted for a passphrase for /dev/sda2. I am forced to press enter until I am dropped in a rescue shell where I can manually mount the thumb drive, use cryptsetup to open the root device with the key and mount it under /newroot. Then pressing ctrl-D and the booting continues as expected.

Not sure if I'm doing something wrong here, but it looks like a bug to me.

Gentoo's default busybox config: module dependencies not correctly resolved (undefined symbols)

I include i915 in my initramfs. However - although the building process correctly evaluates the dependencies and pulls in intel_gtt (and drm etc. if they are modular as well), I get several undefined symbol errors during the modprobe step of the initramfs.

I found (https://e2e.ti.com/support/embedded/linux/f/354/t/593147) that the "Simplified modutils - Build smaller (~1.5 kbytes), simplified module tools." option of busybox may cause errors like these. The menuconfig's help text indicates it should work nevertheless, but be slower. It does not here, however.

Gentoo's default busybox config sets

CONFIG_MODPROBE_SMALL=y

If I configure busybox to not build small modprobe, the undefined symbol errors are gone and everything works as expected. An existing /etc/portage/savedconfig/sys-apps/busybox-* may also affect this (e.g. it could work if this is configured locally/at your test setup)

Here is a patch that unconditionally disables this feature:

--- /usr/share/mkinitramfs-ll/scripts/busybox.sh.org	2018-02-16 23:19:35.321250918 +0100
+++ /usr/share/mkinitramfs-ll/scripts/busybox.sh	2018-02-16 23:20:54.626462712 +0100
@@ -59,7 +59,9 @@
 cd ${PORTDIR:-/usr/portage}/sys-apps/busybox
 mkdir -p "${usrdir}"/bin
 USE=static ebuild ${pkg}.ebuild clean || die "clean failed"
-USE=static ebuild ${pkg}.ebuild unpack || die "unpack failed"
+USE=static ebuild ${pkg}.ebuild configure || die "configure failed"
+# Small modprobe is not able to properly resolve dependencies, though it should
+sed -i "s/CONFIG_MODPROBE_SMALL=y/# CONFIG_MODPROBE_SMALL is not set/" "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg}/.config
 USE=static ebuild ${pkg}.ebuild compile || die "compile failed"
 cp "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg}/busybox \
 	"${usrdir}"/bin/ || die

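Review bot: The added sed line has no "|| die", unlike the ebuild and cp steps around it, and sed -i exits 0 when the pattern does not match, so a missing .config or a config without CONFIG_MODPROBE_SMALL=y both pass silently and the build continues with the small modprobe. Suggest adding || die "sed failed" and following it with a grep for "# CONFIG_MODPROBE_SMALL is not set" that also dies on failure. The comment "though it should" would be more useful if it named the observed symptom (undefined symbols at modprobe time).
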
btw: The unpack step is unnecessary anyway.

cmdline option name

I have this thought for quite some times now... and cannot help but... keep getting back to it:

  • remove the "i" prefix from cmdline option names to have, at least, the legacy "root", "swap" and "resume" instead?
  • use "rootfstype" for rootfs? (And so keep only chck option only on "root"?)
  • use "rootflags" for rootfs mount options?
  • what to use for btrfs, zfs, zram, squashd... just use the name of the hook/script?

The cmdline option will be longer and still keep incompatibilities with what the kernel supports for plaindevice. (Canonical device name is sweet to keep around... and this avoids having a monstrously long cmdline. Just imagine an LVM/ZFS/BTRFS with two crypted devices... it's already too long to write down the cmdline!)

The short and compact variant was intended to avoid bearing such a useless pain of writing a very long cmdline. Because, after all, there are quite some options I'd rather keep around rather than throwing them away for compatibility reasons... because there are no such compatibility concerns to begin with when using LVM/LUKS/ZFS...

But this does confuse some users, especially new users. And this clean up would only benefit to them.

Having a long cmdline is not an issue because a default cmdline can be bundled into the initramfs, and then can be disabled at runtime if necessary. However, it's still painful to write such a long thing to begin with.

So what to do?

Allow discards for SSDs in cryptsetup

When using SSDs/NVMs, --allow-discards can prove to be useful during the cryptsetup step.

There are security implications, so the man page excerpt is provided here. This should probably also be noted in the man page of mkinitramfs-ll

      --allow-discards
              Allow  the  use  of discard (TRIM) requests for device.  This option is only relevant
              for open action.

              WARNING: This command can have  a  negative  security  impact  because  it  can  make
              filesystem-level  operations visible on the physical device. For example, information
              leaking filesystem type, used space, etc. may be extractable from the physical device
              if the discarded blocks can be located later. If in doubt, do not use it.

              A  kernel  version  of  3.1  or  later  is needed. For earlier kernels this option is
              ignored.

The user should be able to pass this parameter to cryptsetup.

I solved it by providing an environment variable/cmdline parameter discards=yes|true|whatever in the config file like so (using LVM on LUKS with password here):

env=(
        ${MIR_EXTRA_ENV}
        # Disable applets/binaries checking
        'CHECK_ENV=false'
        'root=vg00-root'
        'lvm=vg00-nvme0n1p5'
        'rootflags=user_xattr'
        'luks=pwd'
        'discards=yes'
)

and the following patch:

--- /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions.org	2018-01-01 23:25:38.443257852 +0100
+++ /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions	2018-02-09 23:10:11.252510811 +0100
@@ -293,7 +293,7 @@
 		debug -d losetup "$_ld" "$1"
 		loopback_dev="$_ld $loopback_dev"
 	fi
-	debug cryptsetup luksOpen "$_ld" "$_fn" && loopback_key="$_fn $loopback_key"
+	debug cryptsetup luksOpen "$_ld" "$_fn" "$(get_discards)" && loopback_key="$_fn $loopback_key"
 }
 
 # @FUNCTION: Key[file/mode] handler
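Review bot: In the changed luksOpen line, "$(get_discards)" is double-quoted, so when discards is not enabled cryptsetup receives an empty string as an extra positional argument after "$_fn". Leave this one substitution unquoted (it expands to nothing or to the single word --allow-discards), or build the option into a variable first and expand it as ${var:+"$var"}.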
@@ -359,6 +359,11 @@
 	eval "${_name:-REPLY}='${_typ:+$_typ:}$DEV${_sig:+:$_sig}'"
 }
 
+# @FUNCTION: Determine if discards should be allowed
+get_discards() {
+	yesno ${discards:-no} && echo "--allow-discards"	
+}
+
 # @FUNCTION: Close dm-crypt mapping
 # @ARG: <map>
 dmclose() {
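Review bot: get_discards() expands ${discards:-no} unquoted, so a value that comes from the configuration or kernel command line is subject to word splitting and globbing before yesno sees it; quote it as "${discards:-no}". The function also returns non-zero whenever discards is off, because the && list is its last command, and the echo line ends in a stray tab. The @FUNCTION comment is the place to state which values enable the option.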
@@ -412,7 +417,7 @@
 		fi
 		;;
 	esac
-	_arg="open $_dev $_map ${_header:+--header} $_header"
+	_arg="open $_dev $_map ${_header:+--header} $_header $(get_discards)"
 
 	case "$keymode" in
 		(gpg)
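Review bot: The _arg change appends --allow-discards to every mapping opened through this code once discards is set, with no per-device control, and the patch touches only the functions file, so the new discards parameter and its security caveat stay undocumented. Suggest adding the parameter and the cryptsetup(8) warning to mkinitramfs-ll(5) in the same change, and stating in the commit whether the detached-header and gpg key modes were exercised.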

As I don't use the detached header function (nor any other scenario) I cannot say whether this works for all use cases. I am however able to issue "fstrim" after doing the above.
Please adapt to your coding standards.
This could most likely be generalized into allowing arbitrary options to cryptsetup with cryptsetup=--allow-discards:--some-option:--some-other-option but I have no test setup here to develop and test this efficiently, the above is more or less a quick hack on my one and only production system ;-)

I hope you can include this into the master branch!

Thanks a lot in advance!
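
Added example, not part of the original post or of mkinitramfs-ll: since the option above trades confidentiality for TRIM support, this check reads `dmsetup table` output and reports which dm-crypt mappings were actually opened with discards, compared against an approved list. The function names, mapping names and sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of mkinitramfs-ll: report dm-crypt mappings that were
# opened with --allow-discards, from `dmsetup table` output read on stdin.

# Constructed sample in `dmsetup table` format (keys print as zeros without
# --showkeys). Mapping names and device numbers are made up for illustration.
K=0000000000000000000000000000000000000000000000000000000000000000
SAMPLE_TABLE="container: 0 976766976 crypt aes-xts-plain64 $K 0 8:2 4096 1 allow_discards
swap: 0 16777216 crypt aes-xts-plain64 $K 0 8:3 4096
data: 0 419430400 crypt aes-xts-plain64 $K 0 8:17 4096 2 same_cpu_crypt allow_discards
vg00-root: 0 209715200 linear 254:0 2048"

# Print the name of every crypt target whose optional parameters include
# allow_discards. Crypt table fields: name: start length crypt cipher key
# iv_offset device offset [count opt...], so options begin at field 11.
crypt_discard_maps() {
	awk '$4 == "crypt" {
		name = $1
		sub(/:$/, "", name)
		for (i = 11; i <= NF; i++)
			if ($i == "allow_discards") { print name; break }
	}'
}

# Usage: dmsetup table | check_discard_policy "approved names"
# Prints mappings that pass discards but are not on the approved list and
# returns 1 if there are any; returns 0 when the policy holds.
check_discard_policy() {
	_approved=" $1 "
	_bad=""
	for _m in $(crypt_discard_maps); do
		case "$_approved" in
			*" $_m "*) ;;
			*) _bad="${_bad:+$_bad }$_m" ;;
		esac
	done
	[ -z "$_bad" ] && return 0
	printf '%s\n' "$_bad"
	return 1
}
```

On a live system, pipe `dmsetup table` (run as root) into `check_discard_policy` instead of the sample.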

mkinitramfs-ll.sh prints useless error messages

On any error mkinitramfs-ll.sh prints following useless error message:
error: not found

Reason: error function is not defined. Maybe it should be copied from mkinitramfs-ll.bash?

It's just FYI. I personally don't care about this bug.

loop on parsing arguments

Hello again,
today I've tried to update my initramfs so I got fresh pull of your great scripts...
But it ended in infinite loop on parsing arguments
error is following (showed up after adding -x to 1st line of script)

·> ./mkifs -lg -y /var/ini/mkinitramfs-ll//bin/cz-i686.bin

  • revision=0.5.0
  • [[ 3 = 0 ]]
    ++ getopt -o ab:c:e:fgk:lm:rstuvy:B:M:S:W: --long all,bin:,bindir:comp:,ev:,font:,keymap: --long gpg:,mboot:,mdep:,mgpg:msqfsd:,mremdev:,mtuxonice,sqfsd,toi,usage,version --long lvm,miscdir:,workdir:,kv:,raid -n mkifs -- -lg -y /var/ini/mkinitramfs-ll//bin/cz-i686.bin
    ++ exit 0
  • opt=' -l -g -y '''/var/ini/mkinitramfs-ll//bin/cz-i686.bin''' --'
  • eval set -- ' -l -g -y '''/var/ini/mkinitramfs-ll//bin/cz-i686.bin''' --'
    ++ set -- -l -g -y /var/ini/mkinitramfs-ll//bin/cz-i686.bin --
  • [[ -z '' ]]
  • declare -A opts
  • [[ 5 > 0 ]]
  • case $1 in
  • opts[lvm]=y
  • shift
  • [[ 4 > 0 ]]
  • case $1 in
  • opts[gpg]=y
  • shift
  • [[ 3 > 0 ]]
  • case $1 in
  • [[ 3 > 0 ]]
  • case $1 in
  • [[ 3 > 0 ]]
  • case $1 in
  • [[ 3 > 0 ]]
  • case $1 in
    <.... AND SO ON>

Hope this helps
S

Minor cosmetic fix

in init there is a typo in: (diff)

115c115

< info "Removalble device mounted."; }

  info "Removable device mounted."; }

Busybox init process. PID must be 1

Hi, i have a problem with busybox. I put the output that ends up on a kernel panic.

+ echo [134]: zpool import -R /newroot zfsforninja
+ [ ! 134 ]
+ return 134
+ [ 1=1 ]
+ zfs mount
+ grep -q zfsforninja
+ debug -d zfs mount -v0 -a
+ local _cmd _opt _ret
+ [ 5 -ge 1 ]
+ _opt=-d
+ shift
+ [ 4 -ge 1 ]
+ _cmd=zfs mount -v0 -a 
+ break
+ eval zfs mount -v0 -a
+ zfs mount -v0 -a
+ _ret=0
+ echo [0]: zfs mount -v0 -a
+ [ ! 0 ]
+ return 0
+ rm /run/sh.pid
+ echo ROOT=zfsforninja
+ _ret=0
+ echo [0]: dozfs ROOT 1 zfsforninja
+ [ ! 0 ]
+ return 0
+ retval=0
+ exit 0[

>>> Switching to init shell run level 4s
>>> Switching Root
BusyBox v1.27.2 (2017-09-21 16:36:49 -00) multi-call binary.

Usage: switch_root [ -c /dev/console ] NEW_ROOT NEW_INIT [ARGS]

Free initramfs and switch to another root fs:
chroot to NEW_ROOT, delete all in /, move NEW_ROOT to /,
execute NEW_INIT. PID must be 1. NEW_ROOT must be a mountpoint.

    -c DEV Reopen stdio to DEV after switch
[ 58.965964] Kernel panic - not syncing: Attemped to kill init exitcode=0x00000100
...

[>=cryptsetup-1.6.0] TrueCrypt support ?

I was a user of TrueCrypt myself and liked very much a few abilities of it. When I started using GNU Linux 24/7, not being able to boot from a TC volume disappointed. Now I like pretty much the abilities of DM-Crypt LUKS. But hidden volumes, so hidden header make sense.

So any one on it?

Implementation should be easy anyway?

missing / for finding gcc

hi,

since a long time the current git really just worked for me 👍
well, to be honest i had to add a / in mkinitramfs.bash, see comment for commit 73cf2df

Multiple LUKS Containers

Considering switching using your project for my setup. Does mkinitramfs-ll support multiple luks containers? I have two hard drives in my laptop. Also, does it support detached headers for both of them?

Systemd?

Hello,
is there a way to tell initramfs's init that I want to use /usr/bin/systemd as init instead of /sbin/init?
Would it be possible to implement some cli switch to choose between systemd or classic init?
Thank you for your wonderful work
S

can't install

hi,

i always get a
install: cannot stat xcpio" no such file

when emerging the 9999 ebuild, any hints?

scripts/busybox.sh fails to build for versions with -r* appended

On Gentoo, the following line in scripts/busybox.sh fails for busybox version with a revision, e.g. the current
sys-apps/busybox-1.31.1-r2:

cp "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg}/busybox \

because the work directory does not contain revision suffixes.
The following fixes it

cp "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg%-r[0-9]*}/busybox \

ikswap: device field empty

Hi tokiclover,

I just upgraded from version 0.10.0 to 0.10.9. My setup is still the same one that I described in issue #6.
My kernel options are still:

kernel /boot/kernel-3.0.6-gentoo iroot=vg-root:c:ext4 iswap=swap:vg-swap ilvm=sda2_crypt-sda2,sda2_crypt-sda2 ikmap=de-latin1-nodeadkeys-x86_64.bin

I'm being dropped into a shell after this:


Switching to init shell run level: 2s
*[1]: ikswap = :: device field empty

If ikswap is required now, I don't know what to assign to it.

mkinitramfs command fails if host does not have /dev/mem

On host without /dev/mem mkinitramfs fails with following errors:

/tmp/.private/root/initramfs-5.1.21-gentoo-myrc02-XXXXXX /tmp/000/1
cp: cannot stat '/dev/mem': No such file or directory
/tmp/.private/root/initramfs-5.1.21-gentoo-myrc02-XXXXXX/dev /tmp/.private/root/initramfs-5.1.21-gentoo-myrc02-XXXXXX /tmp/000/1
chmod: invalid mode: '0:9'
Try 'chmod --help' for more information.
ERROR: mkinitramfs-ll.bash:

init device error on boot

I have been having some trouble getting your helpful script to work properly on my system. First off I am building an initramfs with gpg, luks and lvm and the keys are on a removable device.

mkifs-ll --gpg --lvm

this command seems to complete successfully. Upon restart of my system the script recognizes the removable device. The script then outputs this:

  • Removable Device Mounted
  • ROOT LV...
  • ...encrypted rootfs.
  • dev detached header doesn't exist.

It then drops into the minimal shell.

I have never setup or opened luks with the detached header option. Is it possible that the script that generates the initramfs is adding in this option?

Or perhaps there is an issue with my configuration? I have been looking through the scripts created for the initramfs and have found nothing that hints of a detached header....

Let me know what information or logs you need to further diagnose, thank you.

mkifs:206: closing brace expected

Hi,
I'm trying to build initrd with your mkifs script (version 0.3.4_p20110907) cloned from git. Script called with --aufs -g -l arguments ends with ./mkifs:206: closing brace expected.
Am I doing something wrong?

Thank you for help in advance
S

[REGRESSION] no more crypted swap working

hi,

tested latest git and swap on top of luks doesn't work anymore

old command line:

iresume=swap iswap=swap:sda3 ikswap=reg:sda2:/key

fails as ikswap has no dash in it ?

with

iresume=swap iswap=swap:sda3 ikswap=reg:test-sda2:/key

i get:
Insert test-sda2 block device and press Enter,
with reg:sda2:/key i get
Insert block device and press Enter

and at last it prompts Type in a valid block device e.g. [sda5 ...

when i remove resume and all swap options from grub it boots (without swap)

any idea?

Posix version not working

source is a bash built-in.

/usr/local/sbin/mkinitramfs: 174: /usr/local/sbin/mkinitramfs: source: not found
/usr/local/sbin/mkinitramfs: 54: /usr/local/sbin/mkinitramfs: error: not found

Feature requests (not really issue)

Hello,
I have two ideas which I think would be worthwhile in some way for enhancing security of this nice init generator:

  1. would it be possible to implement (on user request when building initrd image) some hash checking of boot directory (at least initrd and kernel images).
    I imagine it in this way: kernel boots from initrd, decrypts rootfs and looks for a script to check integrity (e.g. in /etc, which could be in some way customizable by the user, e.g. a custom message to know that the script was run from init) which in turn would check kernel, initrd and possibly whole /boot (or whatever) against a known set of pre-generated hashes also stored on the encrypted part of the system, and on successful finishing it would hand the system to the system's own init (otherwise it would ask whether to continue booting or not)

  2. second idea is the one of destroying key/header when user types in predefined password (stored as hash in initrd image) - some way to add deniability "Ups it's broken - I can't open it for you"

Have nice day S
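
Added example, not from the original post or from mkinitramfs-ll: the first idea above implemented as a SHA-256 manifest of the boot directory that is created once and later compared with the current state, reporting changed, missing and added files. The function names and the manifest location are assumptions; it needs sha256sum, find, awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of mkinitramfs-ll. Function names are hypothetical.
# Limitation: file names containing newlines or backslashes are not handled.

# boot_manifest_create DIR MANIFEST
# Write one "<sha256>  ./path" line per regular file under DIR, sorted by path.
# Keep MANIFEST outside DIR, e.g. on the encrypted root file system.
boot_manifest_create() {
	( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# boot_manifest_verify DIR MANIFEST
# Re-hash DIR and compare with MANIFEST. Prints CHANGED/MISSING/ADDED lines and
# returns 1 on any difference, 0 when DIR matches, 2 if hashing failed.
boot_manifest_verify() {
	_cur=$(mktemp) || return 2
	if ! boot_manifest_create "$1" "$_cur"; then
		rm -f "$_cur"
		return 2
	fi
	# A sha256sum line is 64 hex digits, two separator characters, then the path.
	_diff=$(awk '
		FILENAME == ARGV[1] { want[substr($0, 67)] = substr($0, 1, 64); next }
		{
			p = substr($0, 67); h = substr($0, 1, 64)
			if (!(p in want)) print "ADDED " p
			else if (want[p] != h) print "CHANGED " p
			delete want[p]
		}
		END { for (p in want) print "MISSING " p }
	' "$2" "$_cur" | LC_ALL=C sort)
	rm -f "$_cur"
	[ -z "$_diff" ] && return 0
	printf '%s\n' "$_diff"
	return 1
}

# Command-line use: script create|verify DIR MANIFEST
case "${1:-}" in
	create) boot_manifest_create "$2" "$3" ;;
	verify) boot_manifest_verify "$2" "$3" ;;
esac
```

The check only has value if the manifest and the script that runs it live on storage an attacker with access to /boot cannot modify, which is why the post places both on the encrypted root.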

End in 3d init level

Hello,
I have this setup
/dev/sda1 /boot - unencrypted - latest init version build with your great work
/dev/sda2 LUKS container with malej VG on it which holds root LV

kernel cmd line is
iroot=malej-root:c:ext4 ikmap=cz-i686.bin ikroot=pwd ilvm=malej-sda2

but it failed in runlevel 3d with:
VG "malej" not found
Skipping VG
*insert malej-sda2 removable device
"output of cryptsetup --help"
*Type in valid cyphertext/header eg....
