Kernel Panic after reboot when using Guardium Custom Partitioned with Encrypted LVM

Resolving The Problem

The following is a complete procedure - and includes the point at which the described problem occurs at point 15 below .. and the subsequent corrective steps

Procedure for Installing the v10.0.1 ISO with LVM Encryption

Note: This includes steps to resolve the ‘Kernel Panic’ on reboot during the installation process that prevents a successful conclusion.

Requirements

- IBM Security Guardium v10.0.1 ISO

- Either a physical or virtual appliance that meets the v10 requirements

Procedure

Note: This procedure will wipe all data on the system’s hard drives.

1. Through appropriate means, boot the IBM Security Guardium v10.0.1 ISO.

2. Select the ‘Custom Partition installation (Graphical Mode)’:

3. At the prompt warning ‘The storage device below may contain data’ select ‘Yes, discard any data.’

4. Select ‘Use All Space’:

5. The goal partition layout is as follows:

- /boot – 512 MB

- / - 10 GB

- A swap partition should be 4 GB. This is taken from the Red Hat Enterprise Linux 6 Manual, since the minimum System RAM requirement is >= 16 GB.

- /var – should have the remainder of the space

6. Remove existing LVM partitions by clicking on ‘lv_root’, ‘lv_home’, ‘lv_swap’ and clicking delete at the bottom right to move from the first screenshot to the second:

7. There are a few common ways to encrypt LVM partitions. We are going to choose to encrypt both the ‘/’ and ‘/var’ partitions in this procedure, but other methods that provide the partition layout as required in step 5. Note: At any point if the partition scheme deviates from what is intended you can click back and then select ‘Use All Free Space’ to start from step 6.

8. The following procedure must be repeated 3 times, once for ‘/’, swap, and ‘/var’:

a. Press ‘Create’

b. Select ‘LVM Logical Volume’

c. Enter parameters based on the partition scheme of step 5

d. Click ‘Encrypt’ if ‘/’ or ‘/var’

e. Repeat for ‘swap’ and ‘/var’. Example screenshots are below:

Note: The remainder size is used for /var

9. The system partition scheme should look similar to the following:

10. Then choose ‘Next’

11. When warned about formatting, click ‘Format’

12. You will then be asked to enter passphrases for encrypted partitions and an appropriate password should be entered and recorded:

13. The filesystems are then generated based on the progress bar.

14. At this screen do not make any modifications unless necessary, then click ‘Next’

15. The installation then proceeds, and the system should reboot.

This is where the issue discovered in Internal Ref 52192 then requires modification.

1. The system may try to boot into the IBM Security Guardium Appliance from the Hard Disk to complete installation. Because of the issue the boot will fail with a Kernel Panic. Since the system never completed starting it is safe to hard reboot and boot into the ISO.

2. Boot (or Reboot) into the IBM Security Guardium ISO

3. Select ‘rescue mode’:

4. Select an appropriate Language

5. Select an appropriate Keyboard

6. When you reach this screen hit ‘Alt-F2’

7. You will now have a shell. Run ‘fdisk -l’ to find your /boot partition:

8. In this case the boot partition is ‘/dev/sda1’

9. Run ‘mkdir /mnt/boot’, ‘mount /dev/sda1 /mnt/boot’, ‘vi /mnt/boot/grub/grub.conf’

10. Find ‘rd_NO_LUKS’ and remove it. The first screenshot is before while the second screenshot is after:

11. Save the changes, then shutdown the system with ‘halt’

12. Remove the ISO from the drive.

13. Boot the system so it boots from the Hard Disk, and then enter passwords as appropriate.

14. The system should finish final installation and startup. The user may then login to CLI and start basic configuration.