grub-devel
Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command


From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command
Date: Wed, 12 Sep 2012 07:39:20 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120817 Icedove/10.0.6

On 12.09.2012 04:34, Steve R wrote:

> Hi,
> 
> Haven't heard back any suggestions on how to work my way around this
> problem. Hoping the changed subject line is more specific as to the
> problem I am running into and would attract some more eyeballs to help
> me figure this one out.
> 
> To recap,
> I am trying to use Grub 2.00 (with Luks support enabled) to boot a
> Debian-live system from an encrypted LUKS partition. /boot is also
> located in the encrypted Partition. I am using grub.cfg like below, and
> things work fine (with Grub requesting a password for the encrypted file
> system and parsing grub.cfg, displaying the menu, etc.). The problem
> arises with the linux command to load the kernel. Loading the
> Debian-live based OS requires passing a reference to the file system
> hosting the file system, via the live-media kernel command-line
> parameter. I am passing this reference as
> /dev/disk/by-uuid/<uuid-of-the-decrypted-fs> . The UUID I am using is
> the one read by blkid when I mounted and decrypted this encrypted
> partition from another Linux host. However, this does not work and from
> the debugging output on the console, it appears to be because the path
> to the decrypted fs device is invalid. If I mount and decrypt the LUKS
> partition from a running Linux OS, this device is always created with
> the same UUID, so I expected this to happen when GRUB decrypts the LUKS
> partition. Turns out not to be the case.
> 
> Could someone please point me in the right direction or examples showing
> grub.cfg for fully encrypted Debian-live based systems (including /boot) ?
> 
> Thanks in advance, and apologies for any newbie questions. I am learning
> as I go.
> 
> Regards,
> Steve.
> 
> ------------------------------------------------------------------------
> From: address@hidden
> To: address@hidden; address@hidden
> Subject: RE: RE : Full Disk Encryption (including
> Date: Sun, 9 Sep 2012 08:23:48 -0700
> 
> Hi Arbiel,
> 
> The isofile is set with the leading "/" . The problem appears to be
> caused by the fact that the system devices are not created at the time
> the kernel is loaded. The LUKS partition appears to be decrypted, since
> I can list the ISO folder under (crypt0), but there is no equivalent
> device under /dev that I can pass to the linux command.
> 
> Thanks,
> Steve
> 
> 
> ------------------------------------------------------------------------
> Date: Sun, 9 Sep 2012 14:38:12 +0200
> Subject: RE : Full Disk Encryption (including
> From: address@hidden
> To: address@hidden; address@hidden
> 
> Hi
> 
> Didn't you forget a "/" between the disk's UUID and the variable holding
> the file name in the linux command?
> 
> Arbiel
> 
> 
> 
> 
> Sent from Samsung Galaxy Note
> 
> Survey Response <address@hidden> wrote:
> Hi,
> 
> On my USB drive, I have encrypted the entire disk as a single LUKS
> encrypted partition. I have the grub files on this partition with an ISO
> image for a Debian-live based distribution. I compiled Grub 2.00 with
> the necessary crypto modules and left a larger embedding zone before the
> first LUKS partition to accommodate the larger second-stage bootloader
> (my core.img is about 44K). When I boot off this USB drive, GRUB asks me
> the password initially for the encrypted drive and then gets to the
> point where it brings up the menu, but I couldn't get it to load the
> kernel since I need to pass the kernel the system device for the ISO
> image (the live-media and fromiso boot parameters below) and I notice
> that the devices are not available at the time of loading the kernel (or
> later, for that matter). Can somebody help me figure out what I am doing
> wrong? Would be much obliged, since I have been spending some time
> trying to figure this out.
> 
> Here is my grub.cfg
> 
> menuentry 'FDE Live' {
>         
>         set isofile="/ISOs/linux.iso"
> 
>         # The UUID for the encrypted LUKS partition as obtained by running blkid
>         set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"
> 
>         # The UUID for the decrypted ext4 fs in the LUKS partition
>         set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"
> 
>         insmod part_msdos
>         insmod loopback
>         insmod iso9660
>         insmod cryptodisk
>         insmod luks
> 
>         echo 'Mounting encrypted disk ...' 
>         cryptomount -u ${encryptedfs_uuid}
> 
>         echo 'Searching for the root fs in the decrypted fs...'
>         set root=(cryptouuid/${encryptedfs_uuid})
>         search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}
> 
>         echo 'Setting up a loopback device to the CD image'
>         loopback loop $root/$isofile
>         set root=loop
> 
>         echo 'Loading Linux Kernel ...'
>         linux /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128
> 
>         echo 'Loading initial ramdisk ...'
>         initrd /live/initrd.img
> }
> 
> From the debugging output on the console, I see that
> /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the
> decryptedfs_uuid) does not exist at the time the linux kernel is being
> loaded. I can access this folder from the grub command line using the
> Grub drive (cryptouuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso,
> but I need to be able to reference this in a way the linux kernel would
> understand.
> 

Linux simply doesn't have such a way. You need to get Linux guys to add
it first. Or to do something with initramfs.

> Once again, thanks for any help. Pardon any newbie mistakes I may be
> making. It's a learning experience for me and I am hoping this would be
> a good exercise in understanding how it all works.
> 
> Thanks,
> Steve
> 
> 
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/grub-devel



-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
