I'm trying to set up a fully encrypted laptop using LUKS with root on ZFS + UEFI + GRUB.
What's working:
- Unlocking
- GRUB
- Bootloader
I get the systemd version details displayed and then:
The ZFS modules are not loaded
Run /sbin/modprobe zfs
::
Kernel panic!
grub.cfg looks OK (compared with the non-LUKS root-on-ZFS installation I have).
The LUKS bit is apparently working ok, so I just seem to be missing something....
Formatted using LUKS1 btw.
Partitions:
1 EFI partition
2 Partition for ZFS
mkinitcpio.conf HOOKS=(....block encrypt zfs filesystems..)
Have done successful LVM on LUKS in the past.
So got a few questions here:
1. Can this actually work? I might be trying something that's just not going to work...
2. I've verified that the zfs modules are installed etc, so why can't it still find them?
3. Should I bother using LUKS or just use the encryption feature of zfs instead?
Any help appreciated.
Will provide grub.cfg later (+ whatever else requested).
mkinitcpio.conf
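# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
#
# NOTE(review): the entry below copies the LUKS keyfile into the initramfs
# image; it is the file that cryptkey=rootfs:/root/cryptzfs.keyfile on the
# kernel command line in this post refers to. Anyone who can read the
# generated image can extract the key, so the images under /boot should be
# readable by root only and should themselves sit on encrypted storage.
FILES=(/root/cryptzfs.keyfile)

# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
#
# NOTE(review): 'encrypt' is listed before 'zfs', so the LUKS mapping is set
# up before the zfs hook runs. 'autodetect' precedes both; presumably it
# trims the image to modules detected at build time -- check with
# 'lsinitcpio' that the zfs module for the installed kernel is really in
# the image.
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt zfs filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()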
grub.cfg
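#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos

# Load saved variables from the GRUB environment block when it is non-empty.
if [ -s $prefix/grubenv ]; then
  load_env
fi

# A pending one-shot entry overrides the default and is cleared once consumed.
if [ "${next_entry}" ] ; then
  set default="${next_entry}"
  set next_entry=
  save_env next_entry
  set boot_once=true
else
  set default="0"
fi

# Pass --id to menuentry only when this GRUB build advertises the feature.
if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

# Restore a previously saved entry and persist the change.
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

# Record the chosen entry as the saved default, except during a one-shot boot.
function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

# Load either the combined video module or each individual video driver.
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
  font=unicode
else
  # The font file lives on the pool inside the LUKS container, so the
  # container is opened by UUID with cryptomount before the file is searched
  # for. gcry_rijndael appears twice exactly as it was generated.
  insmod part_gpt
  insmod cryptodisk
  insmod luks
  insmod gcry_rijndael
  insmod gcry_rijndael
  insmod gcry_sha256
  insmod zfs
  cryptomount -u 8bbf4d9e870c483999ed3460db18e339
  set root='cryptouuid/8bbf4d9e870c483999ed3460db18e339'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint='cryptouuid/8bbf4d9e870c483999ed3460db18e339' 9b0a032f561f7da0
  else
    search --no-floppy --fs-uuid --set=root 9b0a032f561f7da0
  fi
  font="/ROOT/default@/usr/share/grub/unicode.pf2"
fi

# Switch to the graphical terminal set-up only when the font could be loaded.
if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###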
# Default boot entry. It loads the disk, crypto and ZFS modules, opens the
# LUKS container, locates the pool, and then loads the kernel and initramfs
# from /ROOT/default@/boot inside it.
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-9b0a032f561f7da0' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod zfs
# GRUB opens the LUKS container by UUID here so that the kernel and initramfs
# can be read from inside it.
cryptomount -u 8bbf4d9e870c483999ed3460db18e339
set root='cryptouuid/8bbf4d9e870c483999ed3460db18e339'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/8bbf4d9e870c483999ed3460db18e339' 9b0a032f561f7da0
else
search --no-floppy --fs-uuid --set=root 9b0a032f561f7da0
fi
echo 'Loading Linux linux ...'
# NOTE(review): the value after cryptdevice=UUID= has the form of a
# device-mapper id (dm-uuid-CRYPT-LUKS1-...-cryptzfs) rather than a plain
# UUID; presumably the encrypt hook expects the UUID of the LUKS partition
# itself, as reported by blkid -- confirm.
# cryptkey=rootfs:/root/cryptzfs.keyfile makes the hook read the key from
# inside the initramfs, so the image loaded below contains key material.
# 'loglevel=3 quiet' suppresses most boot messages, which hides detail when
# diagnosing an early-boot failure.
linux /ROOT/default@/boot/vmlinuz-linux root=ZFS=zroot/ROOT/default rw cryptdevice=UUID=dm-uuid-CRYPT-LUKS1-8bbf4d9e870c483999ed3460db18e339-cryptzfs:cryptzfs cryptkey=rootfs:/root/cryptzfs.keyfile loglevel=3 quiet
echo 'Loading initial ramdisk ...'
initrd /ROOT/default@/boot/initramfs-linux.img
}
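# Advanced submenu: two entries with the same module loading, cryptomount and
# kernel command line, differing only in the initramfs image they load
# (regular vs. fallback).
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-9b0a032f561f7da0' {
  menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-9b0a032f561f7da0' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_rijndael
    insmod gcry_rijndael
    insmod gcry_sha256
    insmod zfs
    # Open the LUKS container so the kernel and initramfs can be read from it.
    cryptomount -u 8bbf4d9e870c483999ed3460db18e339
    set root='cryptouuid/8bbf4d9e870c483999ed3460db18e339'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='cryptouuid/8bbf4d9e870c483999ed3460db18e339' 9b0a032f561f7da0
    else
      search --no-floppy --fs-uuid --set=root 9b0a032f561f7da0
    fi
    echo 'Loading Linux linux ...'
    # NOTE(review): cryptdevice=UUID= is followed by a device-mapper id rather
    # than a plain UUID; presumably the encrypt hook expects the UUID of the
    # LUKS partition itself -- confirm against blkid.
    linux /ROOT/default@/boot/vmlinuz-linux root=ZFS=zroot/ROOT/default rw cryptdevice=UUID=dm-uuid-CRYPT-LUKS1-8bbf4d9e870c483999ed3460db18e339-cryptzfs:cryptzfs cryptkey=rootfs:/root/cryptzfs.keyfile loglevel=3 quiet
    echo 'Loading initial ramdisk ...'
    initrd /ROOT/default@/boot/initramfs-linux.img
  }
  menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-9b0a032f561f7da0' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_rijndael
    insmod gcry_rijndael
    insmod gcry_sha256
    insmod zfs
    cryptomount -u 8bbf4d9e870c483999ed3460db18e339
    set root='cryptouuid/8bbf4d9e870c483999ed3460db18e339'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='cryptouuid/8bbf4d9e870c483999ed3460db18e339' 9b0a032f561f7da0
    else
      search --no-floppy --fs-uuid --set=root 9b0a032f561f7da0
    fi
    echo 'Loading Linux linux ...'
    linux /ROOT/default@/boot/vmlinuz-linux root=ZFS=zroot/ROOT/default rw cryptdevice=UUID=dm-uuid-CRYPT-LUKS1-8bbf4d9e870c483999ed3460db18e339-cryptzfs:cryptzfs cryptkey=rootfs:/root/cryptzfs.keyfile loglevel=3 quiet
    echo 'Loading initial ramdisk ...'
    # NOTE(review): the fallback image is presumably built from the same
    # mkinitcpio.conf and so would also carry the keyfile -- verify, and
    # protect it the same way as the regular image.
    initrd /ROOT/default@/boot/initramfs-linux-fallback.img
  }
}

### END /etc/grub.d/10_linux ###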
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
# Source an optional custom.cfg: from ${config_directory} when the file exists
# there, otherwise from $prefix when config_directory is empty and the file
# exists under $prefix.
# NOTE(review): custom.cfg is executed as part of the menu configuration, so
# it deserves the same write protection as grub.cfg itself.
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
systemd enabled services
dhcpcd.service enabled disabled
getty@.service enabled enabled
sshd.service enabled disabled
systemd-remount-fs.service enabled-runtime disabled
zfs-import-cache.service enabled enabled
zfs-mount.service enabled enabled
remote-fs.target enabled enabled
zfs-import.target enabled enabled
zfs.target enabled enabled
Last edited by pvdp (2020-08-26 09:32:44)