Gentoo Forums
[solved] how can efi boot into encrypted root partition
Elleni
Veteran


Joined: 23 May 2006
Posts: 1073

Posted: Thu Jan 02, 2020 1:30 pm    Post subject: [solved] how can efi boot into encrypted root partition

I am trying to grub-mkconfig -o /boot/grub.grub.cfg without lvm

Edit - abandoned, and added lvm layer. See next post for my question please. Though - if possible without lvm, I am willing to retry.

Everything worked fine creating the encrypted partition and opening it with key and/or passphrase. Now I chrooted into the new environment, and want to create the corresponding grub entries. Thus I modified /etc/default/grub and added the following:
Code:
GRUB_CMDLINE_LINUX_DEFAULT="quiet rootdelay=10 domdadm root=/dev/ram0 crypt_root=UUID=xxyyyzz real_root=/dev/mapper/crypt-fs rootfstype=xfs root_key=key \${bnomodeset} \${bdrivers} \${bacpi} \${bapic} \${bdostartx}"
GRUB_ENABLE_CRYPTODISK=y


I removed dolvm from GRUB_CMDLINE_LINUX_DEFAULT, but issuing grub-mkconfig -o /boot/grub.grub.cfg I get
Code:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.19.86-gentoo-x86_64
Found initrd image: /boot/intel-uc.img /boot/amd-uc.img /boot/initramfs-4.19.86-gentoo-x86_64.img
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "cryptfs" not found
  Cannot process volume group cryptfs
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "cryptfs" not found
  Cannot process volume group cryptfs
/usr/sbin/grub-probe: error: disk `lvm/cryptfs' not found.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "cryptfs" not found
  Cannot process volume group cryptfs
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "cryptfs" not found
  Cannot process volume group cryptfs
/usr/sbin/grub-probe: error: disk `lvm/cryptfs' not found.
Found linux image: /boot/vmlinuz-4.19.86-gentoo-x86_64.old
Found initrd image: /boot/intel-uc.img /boot/amd-uc.img /boot/initramfs-4.19.86-gentoo-x86_64.img
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "cryptfs" not found
  Cannot process volume group cryptfs
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "cryptfs" not found
  Cannot process volume group cryptfs
/usr/sbin/grub-probe: error: disk `lvm/cryptfs' not found.
done

How can I tell grub that there is no lvm thus no volume group but just plain /dev/mapper/cryptfs?


Last edited by Elleni on Sat Jan 04, 2020 3:28 pm; edited 6 times in total
Elleni
Veteran


Joined: 23 May 2006
Posts: 1073

Posted: Thu Jan 02, 2020 6:30 pm

Instead of the KISS approach, I went on with the "If the mountain will not come to the prophet, then the prophet goes to the mountain" approach and created a volume group "crypt" and a logical volume "fs", and that way I was mostly successful.

Using LRS from sabayonino as base system for my usb stick, I was able to configure the system in such a way that I can boot in non-UEFI mode on encrypted /dev/sdf3. Grub asks for the password to open the LUKS encrypted root partition, and the system successfully boots. Since I also put a key file in the initramfs, it only asks for the key once. For this setup, I have used those instructions.

Now where I need some help is: when choosing the UEFI boot option in the BIOS menu, I only get the grub rescue prompt, and grub this time states that the filesystem is unknown. I only have encrypted /dev/sdf3. What are the needed steps to also allow grub in EFI mode to successfully boot into encrypted sdf3? UEFI boot worked fine when /dev/sdf3 was unencrypted.
Code:
cfdisk /dev/sdf
Disk: /dev/sdf
                           Size: 238.5 GiB, 256060514304 bytes, 500118192 sectors
                        Label: gpt, identifier: 700981BF-1069-491E-B47C-B3CA35C35A5C

    Device                     Start              End          Sectors          Size Type
>>  /dev/sdf1                   2048             4095             2048            1M BIOS boot             
    /dev/sdf2                   4096           208895           204800          100M EFI System
    /dev/sdf3                 208896        500118158        499909263        238.4G Linux filesystem

Code:
blkid /dev/sdf2
/dev/sdf2: UUID="B40E-8B95" TYPE="vfat" PARTLABEL="EFI System" PARTUUID="6e8c8a89-c5e7-4bb8-b1f2-cce53ea7edba"


Code:
UUID=B40E-8B95               /boot/efi   vfat   noauto,defaults            0 2
UUID=7525a56e-62eb-4cee-a281-d24044ab6cc6   /   xfs   defaults,inode64,discard,noatime   0 1
tmpfs                  /var/tmp/portage   tmpfs   uid=portage,gid=portage,mode=0775,size=55%,auto,noatime,nodiratime         0 0
shm                  /dev/shm      tmpfs   nodev,nosuid,noexec     0 0
devpts                  /dev/pts      devpts   rw,nosuid,noexec,relatime,gid=5,mode=620 0 0

Code:
mount
/dev/mapper/crypt-fs on / type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
none on /proc type proc (rw,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=8162148k,nr_inodes=2040537,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)

Code:
ls -l /boot/efi/
total 0

Code:
mount /dev/sdf2 /boot/efi/
(chroot) hostname / # mount
/dev/mapper/crypt-fs on / type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
none on /proc type proc (rw,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=8162148k,nr_inodes=2040537,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
/dev/sdf2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
Code:
(chroot) hostname / # LC_ALL=C grub-install --target=x86_64-efi --efi-directory=/boot/efi
Installing for x86_64-efi platform.
File descriptor 4 (/dev/sdf2) leaked on vgs invocation. Parent PID 15423: grub-install
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
File descriptor 4 (/dev/sdf2) leaked on vgs invocation. Parent PID 15423: grub-install
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
EFI variables are not supported on this system.
EFI variables are not supported on this system.
Installation finished. No error reported.
Code:
(chroot) hostname / # ls -l /boot/efi/EFI/
BOOT/ live/
(chroot) hostname / # ls -l /boot/efi/EFI/live/
insgesamt 216
-rwxr-xr-x 1 root root 221184  3. Jan 00:29 grubx64.efi
Elleni
Veteran


Joined: 23 May 2006
Posts: 1073

Posted: Sat Jan 04, 2020 3:28 pm

I was successful. I mounted the efi partition to /boot/efi and then I created an efi file with
Code:
grub-install --target=x86_64-efi --efi-directory=/boot/efi/
x86_64-efi wird für Ihre Plattform installiert.
File descriptor 4 (/dev/sda2) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 38 (socket:[42816]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 39 (socket:[42817]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 49 (socket:[40546]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 53 (socket:[40550]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 4 (/dev/sda2) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 38 (socket:[42816]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 39 (socket:[42817]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 49 (socket:[40546]) leaked on vgs invocation. Parent PID 10330: grub-install
File descriptor 53 (socket:[40550]) leaked on vgs invocation. Parent PID 10330: grub-install
EFI variables are not supported on this system.
EFI variables are not supported on this system.
installation beendet. Keine Fehler aufgetreten.

But it was created in another path and with another name
Code:
ls -l /boot/efi/EFI/live/grubx64.efi
-rwxr-xr-x 1 root root 221184  4. Jan 16:07 /boot/efi/EFI/live/grubx64.efi
While the original one is:
Code:
ls -l /boot/efi/EFI/BOOT/BOOTX64.EFI
-rwxr-xr-x 1 root root 221184  4. Jan 16:09 /boot/efi/EFI/BOOT/BOOTX64.EFI

so I copied, renamed and replaced grubx64.efi to BOOTX64.EFI and now it works.

I have no idea how I would change the BIOS boot entry to correspond to the other path, and would be interested in related information, but I will edit the thread title to [solved] anyway as I worked around it somehow.

Edit to add, that I also would appreciate any information on how I could have achieved above installation without the need of lvm layer.

Why did grub always tell me
Quote:
Volume group "cryptfs" not found
Cannot process volume group cryptfs

Why was it looking for a volume group? I had created a crypted partition only and put the filesystem directly on it, but grub always looked for a volume group.
nick_gentoo
Tux's lil' helper


Joined: 07 Jan 2019
Posts: 97

Posted: Sat Jan 04, 2020 4:33 pm

For updating the "BIOS" entries, the tool should be Efibootmgr
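An added example, not part of any post in this thread: a small shell helper that decides between the two routes discussed above, registering a firmware boot entry with efibootmgr or relying on the removable-media fallback path EFI/BOOT/BOOTX64.EFI. The "EFI variables are not supported on this system" message in the grub-install output corresponds to the case where no boot entry can be written; the function names, the "gentoo" label and the overridable efivars directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the thread). Function names and the
# "gentoo" boot-entry label are assumptions.

# esp_boot_plan ESP_MOUNT LOADER_REL [EFIVARS_DIR]
# Prints: fallback-current | use-fallback-path | register-entry | missing-loader
esp_boot_plan() {
    esp=$1; loader=$2; efivars=${3:-/sys/firmware/efi/efivars}
    fallback="$esp/EFI/BOOT/BOOTX64.EFI"

    [ -f "$esp/$loader" ] || { echo "missing-loader"; return 1; }

    # The fallback path already holds this exact binary, so the firmware
    # finds it without a boot entry (the state after the copy in the thread).
    if [ -f "$fallback" ] && cmp -s "$esp/$loader" "$fallback"; then
        echo "fallback-current"; return 0
    fi
    # Booted in BIOS mode, or efivarfs not visible in the chroot:
    # efibootmgr cannot write an entry from this environment.
    if [ ! -d "$efivars" ] || [ -z "$(ls -A "$efivars" 2>/dev/null)" ]; then
        echo "use-fallback-path"; return 0
    fi
    echo "register-entry"
}

# Firmware loader paths are ESP-relative and use backslashes.
efi_loader_path() {
    printf '\\%s\n' "$1" | sed 's|/|\\|g'
}

# esp_boot_command DISK PARTNUM ESP_MOUNT LOADER_REL [EFIVARS_DIR]
# Prints the command to run; it does not execute anything itself.
esp_boot_command() {
    case $(esp_boot_plan "$3" "$4" "$5") in
        fallback-current)
            echo "# nothing to do: EFI/BOOT/BOOTX64.EFI matches $4" ;;
        use-fallback-path)
            printf "grub-install --target=x86_64-efi --efi-directory=%s --removable\n" "$3" ;;
        register-entry)
            printf "efibootmgr --create --disk %s --part %s --label gentoo --loader '%s'\n" \
                "$1" "$2" "$(efi_loader_path "$4")" ;;
        *)
            echo "loader $4 not found under $3" >&2; return 1 ;;
    esac
}
```

For the layout shown in the thread the call would be `esp_boot_command /dev/sdf 2 /boot/efi EFI/live/grubx64.efi`; for a USB stick that has to boot on other machines, the fallback path is the one that does not depend on any single machine's stored boot entries.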