[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Grub with LUKS support: Passing a reference to the decrypted filesys
From: |
Vladimir 'φ-coder/phcoder' Serbinenko |
Subject: |
Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command |
Date: |
Wed, 12 Sep 2012 07:39:20 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120817 Icedove/10.0.6 |
On 12.09.2012 04:34, Steve R wrote:
> Hi,
>
> Haven't heard back any suggestions on how to work my way around this
> problem. Hoping the changed subject line is more specific as to the
> problem I am running into and would attract some more eyeballs to help
> me figure this one out.
>
> To recap,
> I am trying to use Grub 2.00 (with Luks support enabled) to boot a
> Debian-live system from an encrypted LUKS partition. /boot is also
> located in the encrypted Partition. I am using grub.cfg like below, and
> things work fine (With Grub requesting a password for the encrypted file
> system and parsing grub.cfg, displaying the menu, etc.. The problem
> arises with the linux command to load the kernel. Loading the
> Debian-live based OS requires passing a reference to the file system
> hosting the file system, via the live-media kernel command-line
> parameter. I am passing this reference as
> /dev/disk/by-uuid/<uuid-of-the-decrypted-fs> . The UUID I am using is
> the one read by blkid when I mounted and decrypted this encrypted
> partition from another Linux host. However, this does not work and from
> the debugging output on the console, it appears to be because the path
> to the decrypted fs device is invalid. If I mount and decrypt the LUKS
> partition from a running Linux OS, this device is always created with
> the same UUID, so I expected this to happen when GRUB decrypts the LUKS
> partition. Turns out not to be the case.
>
> Could someone please point me in the right direction or examples showing
> grub.cfg for fully encrypted Debian-live based systems (including /boot) ?
>
> Thanks in advance, and apologies for any newbie questions. I am learning
> as I go.
>
> Regards,
> Steve.
>
> ------------------------------------------------------------------------
> From: address@hidden
> To: address@hidden; address@hidden
> Subject: RE: RE : Full Disk Encryption (including
> Date: Sun, 9 Sep 2012 08:23:48 -0700
>
> Hi Arbiel,
>
> The isofile is set with the leading "/" . The problem appears to be
> caused by the fact that the system devices are not created at the time
> the kernel is loaded. The LUKS partition appears to be decrypted, since
> I can list the ISO folder under (crypt0), but there is no equivalent
> device under /dev that I can pass to the linux command.
>
> Thanks,
> Steve
>
>
> ------------------------------------------------------------------------
> Date: Sun, 9 Sep 2012 14:38:12 +0200
> Subject: RE : Full Disk Encryption (including
> From: address@hidden
> To: address@hidden; address@hidden
>
> Hi
>
> Did'nt you forget a "/" between the disk's UUID and the variable holding
> the file name in the linux command ?
>
> Arbiel
>
>
>
>
> Envoyé depuis Samsung Galaxy Note
>
> Survey Response <address@hidden> a écrit :
> Hi,
>
> On my USB drive, I have encrypted the entire disk as a single LUKS
> encrypted partition. I have the grub files on this partition with an ISO
> image for a Debian-live based distribution. I compiled Grub 2.00 with
> the necessary crypto modules and left a larger embedding zone before the
> first LUKS partition to accommodate the larger second-stage bootloader
> (my core.img is about 44K). When I boot off this USB drive, GRUB asks me
> the password initially for the encrypted drive and then gets to the
> point where it brings up the menu, but I couldn't get it to load the
> kernel since I need to pass the kernel the system device for the ISO
> image (the live-media and fromiso boot parameters below) and I notice
> that the devices are not available at the time of loading the kernel (or
> later, for that matter). Can somebody help me figure out what I am doing
> wrong? Would be much obliged, since I have been spending some time
> trying to figure this out.
>
> Here is my grub.cfg
>
> menuentry 'FDE Live' {
>
> set isofile="/ISOs/linux.iso"
>
> # The UUID for the encrypted LUKS partition as obtained by
> running blkid
> set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"
>
> # The UUID for the decrypted ext4 fs in the LUKS partition
> set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"
>
> insmod part_msdos
> insmod loopback
> insmod iso9660
> insmod cryptodisk
> insmod luks
>
> echo 'Mounting encrypted disk ...'
> cryptomount -u ${encryptedfs_uuid}
>
> echo 'Searching for the root fs in the decrypted fs...'
> set root=(cryptouuid/${encryptedfs_uuid})
> search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}
>
> echo 'Setting up a loopback device to the CD image'
> loopback loop $root/$isofile
> set root=loop
>
> echo 'Loading Linux Kernel ...'
> linux /live/vmlinuz boot=live
> live-media=/dev/disk/by-uuid/${decryptedfs_uuid}
> fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile
> initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128
>
> echo 'Loading initial ramdisk ...'
> initrd /live/initrd.img
> }
>
> From the debugging output on the console, I see that
> /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the
> decryptedfs_uuid) does not exist at the time the linux kernel is being
> loaded. I can access this folder from the grub command line using the
> Grub drive (cyrptuuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso,
> but I need to be able to reference this in a way the linux kernel would
> understand.
>
Linux simply doesn't have such a way. You need to get Linux guys to add
it first. Or to do something with initramfs
> Once again, thanks for any help. Pardon any newbie mistakes I may be
> making. It's a learning experience for me and I am hoping this would be
> a good exercise in understanding how it all works.
>
> Thanks,
> Steve
>
>
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/grub-devel
--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
signature.asc
Description: OpenPGP digital signature