| 2017-03-07 11:22:39 |
Nazar Mokrynskyi |
description |
I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs.
In my test setup:
/dev/sda - ESP partition, mounted as /boot/efi
/dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption
/etc/fstab:
/dev/mapper/system1 / btrfs defaults,subvol=@ 0 1
UUID=6EF4-C0FE /boot/efi vfat umask=0077 0 1
/dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2
Except first column generated during initial installation.
/etc/crypttab:
system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh
File /etc/cryptroot/system.64.sh, obviously, exists.
/etc/default/grub contains:
- `GRUB_ENABLE_CRYPTODISK=y`
- and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)
What goes wrong in this setup out of the box:
1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)
`ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 3 lines added):
search.fs_uuid 6EF4-C0FE boot
set prefix=($boot)
insmod luks
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed.
Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package. |
I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs.
In my test setup:
/dev/sda - ESP partition, mounted as /boot/efi
/dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption
/etc/fstab:
/dev/mapper/system1 / btrfs defaults,subvol=@ 0 1
UUID=6EF4-C0FE /boot/efi vfat umask=0077 0 1
/dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2
Except first column generated during initial installation.
/etc/crypttab:
system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh
File /etc/cryptroot/system.64.sh, obviously, exists.
/etc/default/grub contains:
- `GRUB_ENABLE_CRYPTODISK=y`
- and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)
What goes wrong in this setup out of the box:
1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)
`ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added):
search.fs_uuid 6EF4-C0FE boot
set prefix=($boot)
insmod luks
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed.
Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package. |
|
| 2017-03-07 13:04:41 |
Nazar Mokrynskyi |
description |
I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs.
In my test setup:
/dev/sda - ESP partition, mounted as /boot/efi
/dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption
/etc/fstab:
/dev/mapper/system1 / btrfs defaults,subvol=@ 0 1
UUID=6EF4-C0FE /boot/efi vfat umask=0077 0 1
/dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2
Except first column generated during initial installation.
/etc/crypttab:
system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh
File /etc/cryptroot/system.64.sh, obviously, exists.
/etc/default/grub contains:
- `GRUB_ENABLE_CRYPTODISK=y`
- and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)
What goes wrong in this setup out of the box:
1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)
`ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added):
search.fs_uuid 6EF4-C0FE boot
set prefix=($boot)
insmod luks
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed.
Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package. |
I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs.
In my test setup:
/dev/sda - ESP partition, mounted as /boot/efi
/dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption
/etc/fstab:
/dev/mapper/system1 / btrfs defaults,subvol=@ 0 1
UUID=6EF4-C0FE /boot/efi vfat umask=0077 0 1
/dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2
Except first column generated during initial installation.
/etc/crypttab:
system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh
File /etc/cryptroot/system.64.sh, obviously, exists.
/etc/default/grub contains:
- `GRUB_ENABLE_CRYPTODISK=y`
- and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)
What goes wrong in this setup out of the box:
1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk`, `procfs` and `gcry_*` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)
`ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod`, `procfs.mod` and relevant `gcry_*.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added):
search.fs_uuid 6EF4-C0FE boot
set prefix=($boot)
insmod luks
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg
Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed.
Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package. |
|
