
#1 2021-02-19 11:46:53

dictionary
Member
Registered: 2021-02-19
Posts: 6

[Solved] New installation + UEFI + encryption + systemd-boot

Hi, this is the first time I'm installing Arch on a modern computer with the features in the title, so I'm having some difficulties. I'm following the official wiki.

I have an EFI partition, a /boot partition and an encrypted root partition.
I set /boot as "Linux Extended boot" because, if I understood correctly, this must stay unencrypted and EFI will look at it, and due to this section. Am I correct, or do I just need the previous section of that page?

Then I chrooted into the root system and set up mkinitcpio for systemd. In /boot/loader/entries/arch.conf I wrote "options rd.luks.name=MyUID=arch root=MyRoot rd.luks.options=timeout=30s quiet splash". I copied the same file to /efi/loader/entries/arch.conf; is it needed?

I chose systemd-boot because the encryption type is LUKS2 and GRUB doesn't support it.

If I reboot the computer, a screen comes up where I can select Windows boot or go back to the firmware. If I go back to the firmware and choose the boot options, I see Linux, Windows, and "choose file" listed. If I select Linux, the first screen comes back.

I think I'm doing something wrong in the EFI or systemd-boot step, what am I missing?

Thank you


EDIT: I just realized I totally missed this section, which has required parameters... I'll update it asap.

Last edited by dictionary (2021-02-20 12:21:39)


#2 2021-02-19 12:02:03

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 12,237

Re: [Solved] New installation + UEFI + encryption + systemd-boot

It seems you are having a few wrong assumptions/misunderstandings here. That GRUB doesn't "support LUKS2" is irrelevant in this use case. It would be if you wanted to have your kernels on the encrypted partition, but you can't have that either with systemd-boot. A separate /boot partition can be done but isn't necessary if you scope your ESP with enough space. For the separate boot partition to work it needs to be FAT32 and unencrypted as well, if you intend for systemd-boot to reach the images on it.

Last edited by V1del (2021-02-19 12:02:45)


#3 2021-02-19 13:13:36

dictionary
Member
Registered: 2021-02-19
Posts: 6

Re: [Solved] New installation + UEFI + encryption + systemd-boot

So I can just use the EFI partition and delete the /boot one? In that case I only need "bootctl install", I guess.
Am I free to use systemd-boot with this setup?

EDIT: here "It is important to note from now that in almost every case there has to be a separate partition for /boot that must remain unencrypted, because the bootloader needs to access the /boot directory where it will load the initramfs/encryption modules needed to load the rest of the system"
This sentence confuses me a lot.

EDIT2: "ESP with enough space": it was 260M preinstalled. Is it enough?

Last edited by dictionary (2021-02-19 13:25:55)


#4 2021-02-19 13:59:14

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 12,237

Re: [Solved] New installation + UEFI + encryption + systemd-boot

The idea would be that you'd mount the unencrypted ESP to /boot instead of a separate partition. 260M is generally good for ~3 or 4 kernels, so you'd be good to go here. The important thing that has to happen is that your initramfs has to be reachable somehow, as that is where the necessary additional tools lie to actually decrypt the root partition. The separate /boot partition is more relevant for BIOS systems, as the bootloader resides in the MBR, so you need a dedicated partition where the initramfs is reachable. On UEFI systems the ESP can take the role of that, as your MB needs to be able to read it anyway.


#5 2021-02-19 21:25:27

DarkWarrior703
Member
Registered: 2021-01-13
Posts: 14

Re: [Solved] New installation + UEFI + encryption + systemd-boot

dictionary wrote:

EDIT2: "ESP with enough space" it was 260M preinstalled. Is it enough?

260M is probably enough. I have 2 kernels installed and 100M occupied. The 512M is just to be sure that you will never end up without space.


#6 2021-02-20 08:30:29

dictionary
Member
Registered: 2021-02-19
Posts: 6

Re: [Solved] New installation + UEFI + encryption + systemd-boot

V1del wrote:

The idea would be that you'd mount the unencrypted ESP to /boot instead of a separate partition. 260M is generally good for ~3 or 4 kernels, so you'd be good to go here. The important thing that has to happen is that your initramfs has to be reachable somehow, as that is where the necessary additional tools lie to actually decrypt the root partition. The separate /boot partition is more relevant for BIOS systems, as the bootloader resides in the MBR, so you need a dedicated partition where the initramfs is reachable. On UEFI systems the ESP can take the role of that, as your MB needs to be able to read it anyway.

I did this; now the PC hangs at the manufacturer logo.
A recap:

EFI partition mounted to /boot, FAT32 and unencrypted: "mount /dev/xxx /mnt/boot".
Root is encrypted with LUKS2, ext4: cryptsetup opened and then "mount /dev/mapper/arch /mnt".

mkinitcpio.conf

...
HOOKS=(base systemd autodetect modconf block filesystems keyboard sd-vconsole fsck sd-encrypt)
...

Launched the command "mkinitcpio -p linux".

fstab file generated with "genfstab -U /mnt >> /mnt/etc/fstab" while not chrooted.

/boot/loader/loader.conf

default arch.conf
editor no
auto-entries 0

/boot/loader/entries/arch.conf

title Arch
linux /vmlinuz-linux
initrd /initramfs-linux.img
options rd.luks.name=MyUID=arch rd.luks.options=timeout=30s root=/dev/mapper/arch rw quiet splash

The vmlinuz and initramfs files are there.


Edit: I now booted without "quiet". It hangs waiting for /dev/mapper/arch. Why doesn't it find it?

Last edited by dictionary (2021-02-20 08:50:09)


#7 2021-02-20 09:54:57

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 12,237

Re: [Solved] New installation + UEFI + encryption + systemd-boot

Where is "there"? It needs to be the /boot partition (respectively the mounted ESP's path/root); run a

mkinitcpio -P

after mounting to be sure. Also, do you see the splash after selecting a boot entry, or do you not even get into systemd-boot? What's the output of

bootctl status
sudo efibootmgr -uv

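The configuration posted in #6 and the checks V1del asks for in #7 boil down to a handful of consistency rules: the HOOKS line must use the systemd initramfs if sd-encrypt is in it, the UUID in rd.luks.name must be a real LUKS container UUID rather than a leftover placeholder, root= must name the mapping that rd.luks.name creates, and the kernel and initramfs must sit on the FAT ESP where systemd-boot resolves the entry's paths. The script below is an added example (not from this thread or the Arch wiki) that encodes those rules as shell functions; the HOOKS line, loader entry, UUID and fake ESP directory are all constructed inputs, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-reboot sanity check for a systemd-boot +
# sd-encrypt install. All inputs below are constructed so it runs offline; on a real
# install you would pass the HOOKS line from /etc/mkinitcpio.conf, the text of
# /boot/loader/entries/arch.conf and the mounted ESP path (/boot) instead.

# Constructed sample inputs; the UUID is a placeholder, not a real device.
SAMPLE_HOOKS='HOOKS=(base systemd autodetect modconf block filesystems keyboard sd-vconsole fsck sd-encrypt)'
SAMPLE_ENTRY='title Arch
linux /vmlinuz-linux
initrd /initramfs-linux.img
options rd.luks.name=0f6a1b2c-3d4e-4f50-8a9b-0c1d2e3f4a5b=arch rd.luks.options=timeout=30s root=/dev/mapper/arch rw'
# Same entry with the classic mistake: root= names a mapping rd.luks.name never creates.
BAD_ENTRY='title Arch
linux /vmlinuz-linux
initrd /initramfs-linux.img
options rd.luks.name=0f6a1b2c-3d4e-4f50-8a9b-0c1d2e3f4a5b=arch root=/dev/mapper/cryptroot rw'

# entry_field ENTRY KEY: print the value of the "KEY value" line of a loader entry
entry_field() {
  local line key
  while IFS= read -r line; do
    key=${line%% *}
    if [ "$key" = "$2" ]; then printf '%s\n' "${line#* }"; return 0; fi
  done <<EOF
$1
EOF
  return 1
}

# option_value CMDLINE KEY: print the value after KEY= on a kernel command line
option_value() {
  local opt
  for opt in $1; do
    case "$opt" in "$2="*) printf '%s\n' "${opt#*=}"; return 0 ;; esac
  done
  return 1
}

# check_hooks "HOOKS=(...)": sd-encrypt only runs inside the systemd initramfs, so it
# needs the systemd hook and must not be mixed with the busybox udev/encrypt hooks.
check_hooks() {
  local hooks h has_systemd=0 has_sdenc=0 has_busybox=0
  hooks=${1#*\(}; hooks=${hooks%\)*}
  for h in $hooks; do
    case "$h" in
      systemd) has_systemd=1 ;;
      sd-encrypt) has_sdenc=1 ;;
      udev|encrypt) has_busybox=1 ;;
    esac
  done
  [ "$has_systemd" -eq 1 ] && [ "$has_sdenc" -eq 1 ] && [ "$has_busybox" -eq 0 ]
}

# check_esp_fstype FSTYPE: systemd-boot only reads FAT, so the partition holding the
# kernel and initramfs (here the ESP mounted at /boot) must be vfat, never ext4 or LUKS.
check_esp_fstype() { [ "$1" = vfat ]; }

# check_entry ENTRY ESP_DIR: the entry must carry a well-formed LUKS UUID, root= must
# point at the mapping rd.luks.name creates, and the images must exist under the ESP
# root, which is where systemd-boot resolves the 'linux' and 'initrd' paths.
check_entry() {
  local entry=$1 esp=$2 opts luks uuid name root img
  opts=$(entry_field "$entry" options) || { echo "no options line"; return 1; }
  luks=$(option_value "$opts" rd.luks.name) || { echo "no rd.luks.name="; return 1; }
  uuid=${luks%%=*}; name=${luks#*=}
  # The UUID is the LUKS container's (cryptsetup luksUUID / blkid on the raw partition),
  # not the filesystem's inside it; a leftover placeholder never matches any device.
  [[ $uuid =~ ^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$ ]] \
    || { echo "rd.luks.name UUID '$uuid' is not a UUID"; return 1; }
  root=$(option_value "$opts" root) || { echo "no root="; return 1; }
  [ "$root" = "/dev/mapper/$name" ] \
    || { echo "root=$root but rd.luks.name maps to /dev/mapper/$name"; return 1; }
  for img in "$(entry_field "$entry" linux)" "$(entry_field "$entry" initrd)"; do
    [ -n "$img" ] && [ -f "$esp/$img" ] || { echo "missing $esp/$img"; return 1; }
  done
  return 0
}

# Stand-alone demo on the constructed inputs, using a throwaway directory as a fake ESP.
demo() {
  local esp; esp=$(mktemp -d)
  : > "$esp/vmlinuz-linux"; : > "$esp/initramfs-linux.img"
  check_hooks "$SAMPLE_HOOKS" && echo "HOOKS: ok"
  check_entry "$SAMPLE_ENTRY" "$esp" && echo "arch.conf: ok"
  check_entry "$BAD_ENTRY" "$esp" || echo "bad entry rejected"
  rm -rf "$esp"
}
demo
```

On a real install, run it from the chroot with the live values: `check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"`, `check_entry "$(cat /boot/loader/entries/arch.conf)" /boot` and `check_esp_fstype "$(lsblk -no FSTYPE /dev/sdXn)"` for the ESP device. It does not replace `bootctl status` and `efibootmgr -uv`, which tell you whether the firmware can reach systemd-boot at all; it only catches the entry-file and initramfs mistakes that make the boot hang while waiting for /dev/mapper/<name>.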

#8 2021-02-20 10:57:51

dictionary
Member
Registered: 2021-02-19
Posts: 6

Re: [Solved] New installation + UEFI + encryption + systemd-boot

Yes, by "there" I meant /boot. I already did mkinitcpio -P.

bootctl status says:
"WARNING: the boot loader reports different ESP UUID than detected"
ESP: /dev/disk/by-partuuid/xyz

That xyz is the USB drive I'm using to install... why?

I'll post screenshots of complete output if needed.


EDIT: OK, it looks like that warning is irrelevant; now the installation works! I must note that I reinstalled everything from scratch.
Thanks a lot for your precious help!

Last edited by dictionary (2021-02-20 11:16:00)

