[SOLVED] Cleaning up my boot with GRUB and encrypted root

j83a · 2022-09-18 10:59:32

The recent grub changes made quite a mess with my messy system and it is a great opportunity to clean up.

What I have:
- An EFI partition, vfat, let's say it's UUID foo123-efi-... and /dev/sda1
- An encrypted root partition, LUKS2, ext4, let's say it's UUID bar987-encryptedroot-... and /dev/sda2. The UUID of the unencrypted partition is baz555-decryptedroot-...

I use GRUB. I don't care about encrypting my /boot/ directory.

I would like to have my /boot/ directory on the EFI partition as that sounds like the least amount of headache when I don't have to bother with being part of the encrypted root.

Where I am at:

My /etc/default/grub contains:

...
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=aa4067f8-beab-4300-9600-dc7fd8c3d155:cryptroot:allow-discards root=/dev/mapper/cryptroot loglevel=3"
...
GRUB_DEVICE_UUID="foo123-efi-..."

and I executed this while I had the EFI partition mounted at /efi in a chroot on my decrypted root partition:

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --boot-directory=/efi --debug --recheck
grub-mkconfig -o /efi/grub/grub.cfg

But that leaves my system broken because GRUB will try to use bar987-encryptedroot-... as its root.
I could manually edit /efi/grub/grub.cfg for all the --set=root occurences and put foo123-efi-... instead of bar987-encryptedroot-... there but that is clearly not how it is supposed to work.

How can I get GRUB to use the correct root (on the EFI partition) and my system to boot correctly without manually hacking around? I am scared of updates breaking this current setup.

Last edited by j83a (2022-09-19 16:02:38)

frostschutz · 2022-09-18 14:00:40

try setting GRUB_DEVICE_BOOT (defaults to /boot) and (optionally) GRUB_DEVICE_BOOT_UUID in your /etc/default/grub (your post said /etc/defaults/grub that would be the wrong path, probably a typo but just in case).

alternatively just mount it to /boot too then you don't have to specify paths all the time

Last edited by frostschutz (2022-09-18 14:01:28)

j83a · 2022-09-18 15:05:35

Thanks!

Yes, "defaultS" was a typo in the post, the directory and file are in the correct place.

I added

GRUB_DEVICE_BOOT=/dev/sda1
GRUB_DEVICE_BOOT_UUID=foo123-efi-...

and ran the two lines again.

Booting runs further but fails with several mounting failures now. A local disk (unknown filesystem type xfs), a unionfs (fuse: device not found) and /boot (unknown filesystem type vfat) itself. I imagine it could be some older initramfs(?) or something that GRUB is not pointing at?

I see current initramfs-linux.img and vmlinuz-linux in /boot/ as well as /efi/boot/ in my chroot and older files in /efi/.

Last edited by j83a (2022-09-18 15:08:20)

jonno2002 · 2022-09-18 15:48:36

get rid of all the grub_device_* entrys in /et/default/grub, and remove "root=/dev/mapper/cryptroot" from "GRUB_CMDLINE_LINUX_DEFAULT" as grub will add that itself.

and also do as "frostschutz" said and stop messing around with different mount points, just use /boot

once youve done all that, re-install grub, generate grub config and run mkinitcpio as well just to be sure.

j83a · 2022-09-18 16:06:48

How and when would I do the mounting of /boot/ in this process? (I am really confused about all the things GRUB does at various stages (e.g. what it will automatically discover and how and when) and the documentation is very hard to decipher.)

jonno2002 · 2022-09-18 16:23:41

first make sure youve done this

get rid of all the grub_device_* entrys in /et/default/grub, and remove "root=/dev/mapper/cryptroot" from "GRUB_CMDLINE_LINUX_DEFAULT" as grub will add that itself.

then do the following:
-boot from arch iso or similar
-decrypt your root partition then mount it to /mnt
-mount your efi partition to /mnt/boot
-run "arch-chroot /mnt"
-run "grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB" (EDIT: fixed this line so this mistake doesnt happen again)
-run "grub-mkconfig -o /boot/grub/grub.cfg"
-run "mkinitcpio -p linux"
-reboot and everything SHOULD work

Last edited by jonno2002 (2022-11-27 23:45:14)

j83a · 2022-09-18 17:03:53

I had to do an extra pacman -S linux before the (then probably redundant) mkinitcpio or it complained about the modules directory not being valid.

It works well now. Thank you very much, you two. I owe you!

jonno2002 · 2022-09-18 17:45:19

thats good to hear, even tho i made a mistake in my instructions, "--efi-directory=/boot/EFI" should be "--efi-directory=/boot" according to grub man page:

--efi-directory=DIR
use DIR as the EFI System Partition root.

you may just have another directory "EFI" inside the existing "EFI" directory, sorry about that.

j83a · 2022-09-19 16:02:26

I noticed that too and fixed it. Thanks again!

Arch Linux

#1 2022-09-18 10:59:32

[SOLVED] Cleaning up my boot with GRUB and encrypted root

#2 2022-09-18 14:00:40

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#3 2022-09-18 15:05:35

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#4 2022-09-18 15:48:36

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#5 2022-09-18 16:06:48

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#6 2022-09-18 16:23:41

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#7 2022-09-18 17:03:53

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#8 2022-09-18 17:45:19

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

#9 2022-09-19 16:02:26

Re: [SOLVED] Cleaning up my boot with GRUB and encrypted root

Board footer