help-grub

Re: encrypted boot won't work


From: sashab
Subject: Re: encrypted boot won't work
Date: Sat, 29 Feb 2020 12:58:00 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2

Hi jnqnfe,

As the boot partition is encrypted,
grub has no access to grub.cfg before
decrypting it.

Have you set
    GRUB_ENABLE_CRYPTODISK="y"
in
    /etc/default/grub
and called
    update-grub
afterwards?

For more information see
    info -f grub -n 'Simple configuration' | grep CRYPTODISK -A6


With kind regards,
    sashab

On 2/28/20 8:35 AM, address@hidden wrote:
> I decided to play with having an encrypted /boot on an old system but I
> cannot boot with it and I don't know why. Please advise.
> 
> The system has UEFI. The disk uses GPT. Grub version is 2.04-5
> (debian).
> 
> Procedure followed:
>  - The system already had encrypted root (luks v2)
>  - I am aware that grub currently only supports luks v1 for encrypted
> /boot
>  1) made a backup of all contents of /boot (excluding /boot/efi)
>  2) unmounted /boot/efi and /boot
>  3) overwrote /dev/sda2 (/boot) with cryptsetup as a new luks v1 volume
>  4) opened the new encrypted /dev/sda2
>  5) created an ext4 filesystem inside it
>  6) copied all of the backed up files into it
>  7) ensured that all of the ownership and permissions for them were
> correct (comparing with another system)
>  8) remounted as /boot
>  9) remounted /dev/sda1 as /boot/efi
>  10) added an entry to /etc/crypttab
>  11) adjusted /etc/fstab
>  12) ran `update-initramfs -u` and `update-grub` (not sure which order,
> if it matters; pretty sure I've run them each multiple times now anyway)
>  13) rebooted
> 
> Note: below I've replaced the real UUIDs with simple replacements like
> 'aaa'...
> 
> The partition table looks like this:
> 
> NAME                    FS     UUID  MOUNT
> /dev/sda1               fat32  aaa   /boot/efi
> /dev/sda2               -      bbb   -
> /dev/sda3               -      ccc   -
> /dev/mapper/sda2_crypt  ext4   ddd   /boot
> /dev/mapper/sda3_crypt  ext4   eee   /
> 
> When I boot, I get a prompt like this:
> attempting to decrypt master key...
> enter passphrase for hd0,gpt2 (bbb):
> 
> but several moments after entering the password I get:
> error:access denied
> error: no such cryptodisk found
> error: no such device: ddd
> Loading Linux 5.4.0-3-amd64 ...
> error: no server specified
> Loading initial ramdisk ...
> error: you need to load the kernel first
> 
> crypttab:
> ```
> boot_crypt UUID=bbb none luks
> root_crypt UUID=ccc none luks
> ```
> 
> fstab:
> ```
> # <file system>  <mount point>  <type>  <options>  <dump>  <pass>
> /dev/mapper/root_crypt  /  ext4  errors=remount-ro  0  1
> /dev/mapper/boot_crypt  /boot  ext4  errors=remount-ro  0  2
> UUID=aaa                /boot/efi  vfat  umask=0077  0  2
> /dev/sr1                /media/cdrom0  udf,iso9660  user,noauto  0  0
> /dev/sr0                /media/cdrom1  udf,iso9660  user,noauto  0  0
> /swapfile               none  swap  defaults  0  0
> ```
> 
> /boot/grub.cfg (autogenerated) looks like this (stripped down):
> ```
> insmod luks
> insmod cryptodisk
> ...
> if [ x$feature_default_font_path = xy ] ; then
>     font=unicode
> else
>     insmod ext2
>     set root='hd0'
>     if [ x$feature_platform_search_hint = xy ]; then
>         search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0  eee
>     else
>         search --no-floppy --fs-uuid --set=root eee
>     fi
>     font="/usr/share/grub/unicode.pf2"
> fi
> ...
> insmod ext2
> set root='hd0'
> if [ x$feature_platform_search_hint = xy ]; then
>     search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0  eee
> else
>     search --no-floppy --fs-uuid --set=root eee
> fi
> ...
> menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-eee' {
>       ...
>       insmod cryptodisk
>       insmod luks
>       insmod gcry_rijndael
>       insmod gcry_rijndael
>       insmod gcry_sha256
>       insmod ext2
>       cryptomount -u bbb
>       set root='cryptouuid/bbb'
>       if [ x$feature_platform_search_hint = xy ]; then
>         search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0 --hint='cryptouuid/bbb'  ddd
>       else
>         search --no-floppy --fs-uuid --set=root ddd
>       fi
>       echo    'Loading Linux 5.4.0-3-amd64 ...'
>       linux   /vmlinuz-5.4.0-3-amd64 root=UUID=eee ro cryptdevice=/dev/sda3:root root=/dev/mapper/root_crypt quiet
>       echo    'Loading initial ramdisk ...'
>       initrd  /initrd.img-5.4.0-3-amd64
> }
> submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-eee' {
>     ...
> }
> ...
> ```
> 
> I can unlock /dev/sda2 fine with cryptsetup in a live environment (as
> well as /dev/sda3), so it surely cannot be as simple as entering the
> wrong password...
> 
> 
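An added example, not part of the thread: a small set of shell checks over the three files the reply and the original post turn on (/etc/default/grub, /etc/crypttab and the generated grub.cfg). The sample files are constructed with the thread's placeholder UUIDs (bbb = LUKS container holding /boot, ddd = the ext4 filesystem inside it) and written to a temporary directory so the script runs offline; point the functions at the real files to use them.

```shell
#!/bin/sh
# Constructed sample inputs (placeholder UUIDs as in the thread).
TMP=$(mktemp -d)
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_ENABLE_CRYPTODISK="y"' >"$TMP/default_grub"
printf '%s\n' 'GRUB_DEFAULT=0' '#GRUB_ENABLE_CRYPTODISK=y' >"$TMP/default_grub_off"
printf '%s\n' 'boot_crypt UUID=bbb none luks' 'root_crypt UUID=ccc none luks' >"$TMP/crypttab"
printf '%s\n' 'root_crypt UUID=ccc none luks' >"$TMP/crypttab_bad"
printf '%s\n' 'insmod cryptodisk' 'insmod luks' 'cryptomount -u bbb' \
    "set root='cryptouuid/bbb'" 'search --no-floppy --fs-uuid --set=root ddd' >"$TMP/grub.cfg"

# Is GRUB_ENABLE_CRYPTODISK set to y?  Accepts y, "y" or 'y'; a commented-out
# line does not count.  Both grub-mkconfig and grub-install read this setting.
cryptodisk_enabled() {
    grep -Eq "^[[:space:]]*GRUB_ENABLE_CRYPTODISK=[\"']?y[\"']?[[:space:]]*$" "$1"
}

# LUKS container UUIDs listed in crypttab (UUID=... in the second column).
# Hyphens are dropped because grub writes cryptodisk UUIDs without them.
crypttab_uuids() {
    awk '$1 !~ /^#/ && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }' "$1" | tr -d '-'
}

# UUIDs that grub.cfg tries to unlock with "cryptomount -u <uuid>".
grubcfg_cryptomount_uuids() {
    awk '$1 == "cryptomount" { for (i = 2; i <= NF; i++) if ($i == "-u") print $(i + 1) }' "$1" \
        | tr -d '-' | sort -u
}

# grub.cfg unlocks the /boot container by UUID and crypttab names the same
# container so the running system can mount /boot again.  If the two disagree,
# one file is stale (e.g. grub.cfg generated before the volume was recreated).
check_cryptomount_in_crypttab() {   # $1 = crypttab, $2 = grub.cfg
    rc=0
    for u in $(grubcfg_cryptomount_uuids "$2"); do
        if ! crypttab_uuids "$1" | grep -qx "$u"; then
            echo "grub.cfg unlocks $u, but no crypttab entry carries that UUID" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed samples.
cryptodisk_enabled "$TMP/default_grub" && echo "GRUB_ENABLE_CRYPTODISK: ok"
check_cryptomount_in_crypttab "$TMP/crypttab" "$TMP/grub.cfg" && echo "cryptomount UUIDs: ok"
```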