Hi
I want to do a new, fully encrypted setup of Arch with LVM on LUKS. I did it twice and got stuck at the very same point:
Laptop boots, GRUB (with efibootmgr generated menu) loads and after booting it shows
error: no such device: <UUID of root partition>
Loading Linux core repo kernel ...
error: disk `lvm/vgroup-rootvol not found.
Loading initial ramdisk ...
unaligned pointer 0x22
Aborted. Press any key to exit.
It looks like GRUB is not unlocking the root partition. I followed the installation on the ArchWiki and even looked at some YouTube how-tos but was not successful in finding the error.
My partitions:
/dev/sda1 -> /boot (FAT32 / EF00)
/dev/sda2 -> LVM on LUKS (8E00)
Inside the LVM partition I created a physical volume ("lvm"), then a volume group ("vgroup") and then logical volumes (rootv, homev, varv).
In my /etc/mkinitcpio.conf I adapted the HOOKS to:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck shutdown"
In my /etc/default/grub I adapted the following line to:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vgroup"
After that I executed both
mkinitcpio -p linux
grub-mkconfig -o /boot/efi/EFI/grub.conf
unmounted everything, rebooted and here I go...
Have you any idea where's the missing point? I am sure it has to do with LUKS but can't find the solution by now. Any help greatly appreciated!
Last edited by emak (2013-09-13 16:46:53)
What command did you use to install grub to disk? That is, what did you use with grub-install? I ask because you are passing non-standard options to grub-mkconfig - that is neither the directory nor the filename I would expect given your partition setup.
Also, you need to post the contents of /etc/default/grub.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
What command did you use to install grub to disk?
I did use the command recommended on https://wiki.archlinux.org/index.php/GR … _systems_2. The first one (without specifying the boot directory) gave an error from grub whereas /boot/grub will not be found at boot, so I used the one specifying the EFI directory:
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --boot-directory=/boot/efi/EFI --recheck --debug
This ran without an error and also finally boots GRUB.
Also, you need to post the contents of /etc/default/grub
It's the standard default apart from the line quoted in my post just before (and a different timeout and different highlighting colors), but here you are:
GRUB_DEFAULT=0
GRUB_TIMEOUT=3
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vgroup"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="yellow/red"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
#GRUB_SAVEDEFAULT="true"
If you're interested, this is the final /boot/efi/EFI/grub/grub.cfg (only the relevant boot entry):
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux, with Linux core repo kernel' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-core repo kernel-true-7eb29f8a-2533-45d3-8aee-52cb2fdd56a9' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha512
insmod lvm
insmod ext2
set root='lvm/vgroup-rootv'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvm/vgroup-rootv' 7eb29f8a-2533-45d3-8aee-52cb2fdd56a9
else
search --no-floppy --fs-uuid --set=root 7eb29f8a-2533-45d3-8aee-52cb2fdd56a9
fi
echo 'Loading Linux core repo kernel ...'
linux /boot/vmlinuz-linux root=/dev/mapper/vgroup-rootv rw cryptdevice=/dev/sda2:vgroup quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initramfs-linux.img
}
I guess it's about cryptsetup not unlocking my LUKS partition not about grub itself - any idea?
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --boot-directory=/boot/efi/EFI --recheck --debug
But --efi-directory should be /boot because you are mounting the EFI partition at /boot - not at /boot/efi.
GRUB_DEFAULT=0
GRUB_TIMEOUT=3
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
Remove this to get more information about what is happening.
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vgroup"
I am not sure that you can use the name of your volume group also as the name of the decrypted LUKS container. I'm not certain you can't - just I use something different at this point.
If you're interested, this is the final /boot/efi/EFI/grub/grub.cfg (only the relevant boot entry):
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux, with Linux core repo kernel' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-core repo kernel-true-7eb29f8a-2533-45d3-8aee-52cb2fdd56a9' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha512
insmod lvm
insmod ext2
set root='lvm/vgroup-rootv'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvm/vgroup-rootv' 7eb29f8a-2533-45d3-8aee-52cb2fdd56a9
else
search --no-floppy --fs-uuid --set=root 7eb29f8a-2533-45d3-8aee-52cb2fdd56a9
fi
echo 'Loading Linux core repo kernel ...'
linux /boot/vmlinuz-linux root=/dev/mapper/vgroup-rootv rw cryptdevice=/dev/sda2:vgroup quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initramfs-linux.img
}
Something is definitely wrong here. If you are mounting the EFI partition at /boot the vmlinuz-linux and initramfs-linux.img are at the root of the EFI partition and not in a subdirectory of any partition. Also it is setting root to the lvm volume but that's not right. That is right for the parameter passed to the kernel but it is not right for locating the kernel and the initramfs because that volume is not available until after the initramfs is accessed.
I guess it's about cryptsetup not unlocking my LUKS partition not about grub itself - any idea?
It is about the configuration of grub.
I don't know how well grub copes with this type of setup on its own. I use grub but I maintain grub.cfg manually.
I guess one question is: do you need grub? If you do, you either have to edit /etc/default/grub and/or /etc/grub.d/* to do the right thing (perhaps by feeding it a manual stanza via the templates in /etc/grub.d) or you have to abandon autogeneration of grub.cfg.
But --efi-directory should be /boot because you are mounting the EFI partition at /boot - not at /boot/efi.
Wrong - I mount it at /boot/efi
I finally managed to boot now by adding the following line in grub.cfg just before loading the lvm module:
...
cryptomount hd0,gpt2
insmod lvm
...
There's now one problem left: I need to enter my LUKS password twice - once for grub being able to access root partition and second I don't know why - the first is with QWERTY keyboard and the second with the one defined in Arch due to HOOK "keyboard". Any idea how to resolve that?
cfr wrote:But --efi-directory should be /boot because you are mounting the EFI partition at /boot - not at /boot/efi.
Wrong - I mount it at /boot/efi
I'm just going by the information you provided. If the information you provided is wrong, that is your fault:
My partitions:
/dev/sda1 -> /boot (FAT32 / EF00)
/dev/sda2 -> LVM on LUKS (8E00)
There's now one problem left: I need to enter my LUKS password twice - once for grub being able to access root partition and second I don't know why - the first is with QWERTY keyboard and the second with the one defined in Arch due to HOOK "keyboard". Any idea how to resolve that?
Well you are unlocking the LUKS container twice. The usual way to do this on Arch as far as I know is to use the hook in the initramfs. You don't need grub to unlock the LUKS container at all. But for that you need a separate /boot partition which you now say you do not have. So I'm not sure. Maybe you can prevent the initramfs from needing to re-unlock the LUKS container since grub is presumably already unlocking it and assembling the volume group. But I have no idea about doing it this way.
Sorry that it took me so long to reply.
In fact I read and tried almost 1001 articles. I tried with different mkinitcpio settings, changing the global_filter option in /etc/lvm/lvm.conf, tried with syslinux or grub and the really only way up to now is to use GRUB's decrypting functionality. I tried to include the Modules in mkinitcpio.conf (ext4 etc) but that didn't help and it should all be included by block HOOK. Based on what I read under https://bbs.archlinux.org/viewtopic.php?id=158012 it looks like this is a bug as lvm2 HOOK is an early hook rather than encrypt (which is a "normal" hook) and therefore the encrypted volume can't be opened whereas grub claims an "unknown filesystem".
It shouldn't be that difficult
My grub.cfg entry, simplified:
menuentry 'TEST' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-core repo kernel-true-7eb29f8a-2533-45d3-8aee-52cb2fdd56a9' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha512
insmod lvm
insmod ext2
set root='(hd0,gpt2)'
echo 'Linux core repo kernel wird geladen …'
linux /boot/vmlinuz-linux root=/dev/mapper/vgroup-rootv cryptdevice=/dev/sda2:vgroup rw quiet
echo 'Initiale Ramdisk wird geladen …'
initrd /boot/initramfs-linux.img
}
What I understand about my booting process:
GRUB finds the MBR and loads the grub.cfg located under /boot/efi/EFI/grub/grub.cfg
GRUB then tries to access the cryptdevice but gives an error about "unknown filesystem" and about the unaligned pointer 0x22
Can that be a bug in LVM? I read about some people being successful when using lvm from git..?
In fact I read and tried almost 1001 articles. I tried with different mkinitcpio settings, changing the global_filter option in /etc/lvm/lvm.conf, tried with syslinux or grub and the really only way up to now is to use GRUB's decrypting functionality. I tried to include the Modules in mkinitcpio.conf (ext4 etc) but that didn't help and it should all be included by block HOOK. Based on what I read under https://bbs.archlinux.org/viewtopic.php?id=158012 it looks like this is a bug as lvm2 HOOK is an early hook rather than encrypt (which is a "normal" hook) and therefore the encrypted volume can't be opened whereas grub claims an "unknown filesystem".
That issue is irrelevant. What you put in mkinitcpio.conf is irrelevant. What is in your initramfs is irrelevant.
Your initramfs is on a LVM volume inside a LUKS container. It is available only after the container is decrypted and the volume group assembled. This is because your kernel and initramfs are directly under /boot and boot is just a directory on your encrypted root volume. At least, given your grub.cfg and if you are really mounting your ESP at /boot/efi and your only other partition is the LUKS container, this must be the case.
EDIT: Also, I'm pretty sure the stuff mentioned in git is now in the stable package for lvm2 - look at the version numbers mentioned and compare with your installed version. In any case, as I say, it is irrelevant to the problem you have.
EDIT 2: Oh, and it isn't grub that tries to use cryptdevice=<whatever>. That parameter is being passed to the kernel. Unfortunately, your kernel is on the cryptdevice i.e. in the encrypted container. So telling it to decrypt that container is never going to work.
EDIT 3: Is there any particular reason you do not want a separate boot partition? Even if it would allow you to, you know, boot and everything? Or you can use your ESP by mounting it at /boot instead of /boot/efi. (Or you could just copy the kernel and initramfs there but that seems pointless as it just introduces another step at which errors can occur.)
EDIT 4: See http://www.spinics.net/linux/fedora/fed … 36701.html. I guess what you are trying to do may be possible (assuming grub's developers are right) but you are going about it the wrong way, I think. You need to be thinking about grub-install rather than (just) grub.cfg and forgetting about mkinitcpio.conf altogether.
Last edited by cfr (2013-09-13 01:22:20)
Thanks cfr for writing it bold:
Your initramfs is on a LVM volume inside a LUKS container. It is available only after the container is decrypted and the volume group assembled.
It was THE solution - stupid me, blind from trying endlessly! In fact I rebuilt the whole /boot partition from the ground up and these were the important steps (booted into USB live media, boot partition already built and formatted with FAT32, and before chrooting):
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot
# arch-chroot /mnt
# pacman -S linux #for reinstalling kernel and initramfs on the newly built boot partition
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=arch_grub --boot-directory=/boot/EFI --recheck
# vi /etc/default/grub #modifying following line: GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vgroup"
# mkinitcpio -p linux
# grub-mkconfig -o /boot/EFI/grub/grub.cfg
In fact the problem was that, following the wiki https://wiki.archlinux.org/index.php/GR … Boot_Files, I would need to install in /boot/efi, which is not needed and confusing. The installer script of GRUB2 just works fine. I installed grub straight on /boot and it created /boot/EFI automatically and efibootmgr then got the correct path for the EFI image to boot. Also it makes a lot of sense to mount the /boot partition before installing the kernel so it really is placed on the unencrypted partition.
Finally done and thanks for insisting to make a blind man see!
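The diagnosis reached in this thread can be expressed as a check on a GRUB menu entry: is the kernel being read from inside the LUKS container before anything has unlocked it? The following is an added example, not code from any poster or from the GRUB project; the function name `classify_entry`, the verdict labels and the sample entries (reduced from the ones posted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads one GRUB menuentry on stdin.
# $1: GRUB name of the LUKS partition, e.g. hd0,gpt2 (assumed known to the caller).
# Verdicts (labels are this example's own):
#   ok             kernel is read from a plaintext partition
#   locked         kernel sits inside the LUKS container and nothing unlocks it first
#   double-unlock  GRUB unlocks (cryptomount), then the initramfs unlocks again
#   grub-unlock    GRUB unlocks, no cryptdevice= reaches the kernel
# Simplification: only "set root=" is tracked; "search --set=root" is ignored.
classify_entry() {
    awk -v luks="$1" '
    { gsub("[\047\"]", "") }                  # drop quotes around values
    $1 == "cryptomount" { unlocked = 1 }
    $1 == "set" && $2 ~ /^root=/ {
        root = substr($2, 6); gsub(/[()]/, "", root)
    }
    $1 == "linux" && !seen {
        seen = 1
        for (i = 2; i <= NF; i++) if ($i ~ /^cryptdevice=/) cryptdev = 1
        inside = (root ~ /^(lvm|crypto)/ || (luks != "" && root == luks))
        if (!inside)        verdict = "ok"
        else if (!unlocked) verdict = "locked"
        else if (cryptdev)  verdict = "double-unlock"
        else                verdict = "grub-unlock"
    }
    END { print (verdict == "" ? "no-linux-line" : verdict) }
    '
}

# Constructed samples, reduced from the entries posted in the thread.
KARGS="root=/dev/mapper/vgroup-rootv rw cryptdevice=/dev/sda2:vgroup quiet"
entry_generated()   { printf '%s\n' "insmod lvm" "set root='lvm/vgroup-rootv'" \
                        "linux /boot/vmlinuz-linux $KARGS"; }
entry_cryptomount() { printf '%s\n' "cryptomount hd0,gpt2" "insmod lvm" \
                        "set root='lvm/vgroup-rootv'" "linux /boot/vmlinuz-linux $KARGS"; }
entry_raw_luks()    { printf '%s\n' "insmod lvm" "set root='(hd0,gpt2)'" \
                        "linux /boot/vmlinuz-linux $KARGS"; }
# Layout after the fix: ESP (hd0,gpt1) mounted at /boot, kernel at its top level.
entry_plain_boot()  { printf '%s\n' "set root='hd0,gpt1'" "linux /vmlinuz-linux $KARGS"; }

for e in entry_generated entry_cryptomount entry_raw_luks entry_plain_boot; do
    printf '%-18s %s\n' "$e" "$("$e" | classify_entry hd0,gpt2)"
done
```

A real grub.cfg holds several menu entries; feed the function one entry at a time, since it judges only the first `linux` line it sees.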
Glad you got it sorted. Bold feels a little rude but, well, letting you keep banging your head against a brick wall rather than using the door didn't seem like a great option either!