#1 2017-04-13 20:59:40

newsboost
Member
Registered: 2016-07-24
Posts: 157

GRUB-issues | dual-boot + LUKS on top of LVM (encrypted /boot) + UEFI

Hi all,

Regarding GRUB-issues, dual-booting + LUKS on top of LVM (encrypted /boot) + UEFI

I've been struggling with this for 3-4 days now and most of the time (also right now) the PC doesn't even seem to load GRUB - the PC jumps directly into Windows 10 (instead of GRUB). I've searched everything I could but I can't seem to find out what is wrong... Secure boot is disabled in BIOS + EFI/UEFI and GPT are used. Here are my partitions:

NAME                 MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                    8:0    0 238.5G  0 disk  
├─sda1                 8:1    0   100M  0 part  /mnt/boot/efi
├─sda2                 8:2    0    16M  0 part  
├─sda3                 8:3    0 119.8G  0 part  
├─sda4                 8:4    0     1G  0 part  
├─sda5                 8:5    0   200M  0 part  
│ └─cryptboot        254:3    0   198M  0 crypt /mnt/boot
└─sda6                 8:6    0 117.4G  0 part  
  ├─myVG-lvCryptDisk 254:0    0   100G  0 lvm   
  │ └─crptDsk        254:2    0   100G  0 crypt /mnt
  └─myVG-lvSwap      254:1    0    10G  0 lvm   [SWAP]
sdb                    8:16   1   3.8G  0 disk  /run/archiso/bootmnt
├─sdb1                 8:17   1   749M  0 part  
└─sdb2                 8:18   1    40M  0 part  
loop0                  7:0    0   325M  1 loop  /run/archiso/sfs/airootfs

Some extra details (sda1=EFI, sda2=Microsoft reserved, sda3=C:\ NTFS, sda4=maybe MS recovery partition?, sda5=my encrypted boot-partition, sda6=my encrypted root-partition):

gdisk -l /dev/sda
GPT fdisk (gdisk) version 1.0.1
...
...
Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 500118192 sectors, 238.5 GiB
...
...
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          206847   100.0 MiB   EF00  EFI system partition
   2          206848          239615   16.0 MiB    0C01  Microsoft reserved ...
   3          239616       251461631   119.8 GiB   0700  Basic data partition
   4       498020352       500117503   1024.0 MiB  2700  Basic data partition
   5       251461632       251871231   200.0 MiB   8300  bootPart
   6       251871232       498020351   117.4 GiB   8E00  LVMpart

I think this is maybe an unusual setup - but it should work? I thought it would be safest to have a separate encrypted boot partition outside LVM, as my impression is that there is not much space for LVM-code-execution at the initramfs-stage. But maybe this is a mistake. Would it be better to have my encrypted boot partition inside the LVM (inside /dev/sda6)? I think so - but this should also work, right?

My mkinitcpio.conf-file:

...
FILES=""
HOOKS="base udev autodetect modconf keyboard block encrypt lvm2 mdadm_udev keymap resume filesystems fsck"
...

My /etc/crypttab-file (I'm not using the /root/crypto_keyfile.bin yet, but I'm thinking it doesn't harm to be a little ahead, for my next task - to avoid entering the password twice, is this right or wrong???):

# crypttab: mappings for encrypted partitions
cryptboot /dev/sda5 /root/crypto_keyfile.bin luks

My /etc/fstab-file:

# /dev/mapper/crptDsk
UUID=24472288-be67-4520-8ba7-d916414d12a2	/         	ext4      	rw,relatime,data=ordered	0 1
# /dev/mapper/cryptboot
UUID=39aaee78-a741-4cc1-9f67-637896f79a34	/boot     	ext4      	rw,relatime,stripe=4,data=ordered	0 2
# /dev/sda1 LABEL=ESP
UUID=603B-B4B9      	/boot/efi 	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro	0 2
# /dev/mapper/myVG-lvSwap
UUID=ae53a42d-823d-4b6e-9220-332f996a05f3	none      	swap      	defaults  	0 0

This is how I (tried to) install grub:

# cryptsetup luksOpen /dev/mapper/myVG-lvCryptDisk crptDsk
# cryptsetup luksOpen /dev/sda5 cryptboot

# mount /dev/mapper/crptDsk /mnt
# mount /dev/mapper/cryptboot /mnt/boot
# mount /dev/sda1 /mnt/boot/efi

# swapon /dev/mapper/myVG-lvSwap
... pacstrap etc...
# arch-chroot /mnt /bin/bash

# vi /etc/default/grub

Now, this is where things get exciting and also where I do a lot of experiments - because in around 10% of the cases I do something and the GRUB configuration gets written to disk, because I see GRUB asks for a password right after a reboot, in order to try to decrypt my partitions. However, I've done something wrong, so I always end up rebooting from USB to fix the boot-loader configuration, please see output:

grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
....
....
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Found linux image: /boot/vmlinuz-linux
Found initrd image(s) in /boot: intel-ucode.img initramfs-linux.img
Found fallback initrd image(s) in /boot: intel-ucode.img initramfs-linux-fallback.img
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
[      ] squashfs: SQUASHFS ERROR: can't find a SQUASHFS superblock on sda2
[      ] EXT4-fs (sda2) :VFS: Can't find ext4 filesystem
[      ] EXT4-fs (sda2) :VFS: Can't find ext4 filesystem
[      ] EXT4-fs (sda2) :VFS: Can't find ext4 filesystem
[      ] FAT-fs (sda2): bogus number of reserved sectors
grub-probe: error: cannot find a GRUB drive for /dev/sdb1.  Check your device.map.
done

From what I've read, the warnings/error messages, e.g. "WARNING: Failed to connect to lvmetad. Falling back to device scanning" can be ignored. I don't know why it complains about ext4 on sda2? Am I doing something wrong here? grub-install ALWAYS gives these very weird messages:

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
Installing for x86_64-efi platform.
Installation finished. No error reported.

The message "No error reported" is rather awkward...  The most annoying thing here is that GRUB is very often not even loaded - after reboot, Windows directly begins to load, as if there is no GRUB installation...?

UPDATE (for the record - in the hope this might help others!):

I finally discovered I should google for "acer laptop efibootmgr changes are reverted" - and found a lot of inspiration, e.g. some people had to replace /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi with /boot/efi/EFI/arch/grubx64.efi - now I'm really really fed up with GRUB. I cannot explain why GRUB didn't store my changes, but I made huge progress now using:

pacman -S refind-efi
refind-install

Now the machine doesn't directly boot into Windows, which is a requirement for solving my problem. UPDATE: It seemed to be a random coincidence, that this worked... Now I've been struggling again for many hours and I'm sure this can help other people too (I'm on an Acer-laptop):

1) Hit F2 on boot to enter setup and switch to the Security tab.
2) Set a supervisor password.
3) Choose "Select an UEFI file as trusted for executing" and select HDD0\EFI\...(insert file-name)...efi.
4) You can choose between Windows and Linux at the F12 menu, and choose a default in setup.

However, I still have a problem - I suspect maybe my /etc/default/grub-file is not ok?:

...
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda6:myVG root=/dev/mapper/myVG-lvCryptDisk resume=/dev/mapper/myVG-lvSwap"
...
# I'll change below to false + add replace above with UUID's later (when the system can boot up)...
GRUB_DISABLE_LINUX_UUID=true
...
GRUB_ENABLE_CRYPTODISK=y

What could be wrong here? Following my success with the new boot-manager, this is what I get when I boot up:

[    ] platform MSFT0101:00: failed to claim resource 1
[    ] acpi MSFT0101:00: platform device creation failed: -16
starting version 232
ERROR: Failed to open encryption mapping: The device /dev/sda6 is not a LUKS volume and the crypto= paramater was not specified.
[    ] sd 3:0:0:0: [sdb] No Caching mode page found
[    ] sd 3:0:0:0: [sdb] Assuming drive cache: write through
ERROR: resume: hibernation device '/dev/mapper/myVG-lvSwap' not found
ERROR: device '/dev/mapper/myVG-lvCryptDisk' not found. Skipping fsck.
mount: special device /dev/mapper/myVG-lvCryptDisk does not exist
You are now being dropped into an emergency shell.
sh: can't access tty; job control turned off
[rootfs ]# 

And there's my prompt... This is a huge step forward now, but I just need to solve this last puzzle... Any hints/advice would be greatly appreciated, thanks!

Last edited by newsboost (2017-04-15 03:29:34)


#2 2017-04-14 04:27:12

newsboost
Member
Registered: 2016-07-24
Posts: 157

Re: GRUB-issues | dual-boot + LUKS on top of LVM (encrypted /boot) + UEFI

I just want to follow up - I've spent numerous hours now... I tried a lot of things, one of them:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda6/myVG:lvCryptDisk root=/dev/mapper/lvcryptDisk resume=/dev/sda6/myVG:lvSwap"

However, this gave me the problem that the LVM-partitions didn't appear under /dev/mapper - so I cannot/couldn't boot! I began searching for "luks boot grub lvscan inactive lvm" and 'luks grub "volume group" is not active grub-install' which led me to this https://bbs.archlinux.org/viewtopic.php?id=218540 suggesting that I had to switch to systemd-based initramfs (change "udev" to "systemd" and "lvm2" to "sd-lvm2" in /etc/mkinitcpio.conf). In the end, this excellent recipe http://blog.ataboydesign.com/2012/08/29 … ux-on-lvm/ showed me that I needed this:

# vi /etc/rc.conf
USELVM="yes"

Now I think I did "mkinitcpio -p linux" and:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/mapper/myVG-lvCryptDisk:crptDsk root=/dev/mapper/crptDsk resume=/dev/mapper/myVG-lvSwap"

... followed by grub-mkconfig -o /boot/grub/grub.cfg (I'm still going through GRUB even though I'm using refind as boot manager, as I currently do not know how to set up refind boot options manually).

I rebooted - I received one/some errors, which I discovered were related to the missing /dev/mapper/cryptboot - I temporarily disabled "cryptboot /dev/sda5 /root/crypto_keyfile.bin luks" inside /etc/crypttab. I re-enabled this line, rebooted and VOILA - no errors! However, now I wanted to make sure the "/etc/rc.conf" really was the problem here - I decided to comment out the 'USELVM="yes"' in the /etc/rc.conf file, followed by "mkinitcpio -p linux" + a reboot... I suspected that I would get severe warning(s) because I thought /dev/mapper did not contain my LVM-volumes... But no errors, strangely enough. It's really a shame that I don't know exactly what changed so the LVM-volumes showed up under /dev/mapper...

Next task: I want to implement an encrypted swap-partition - can anyone help with advice? You can probably see all relevant config-files above... Otherwise, I'll try on my own. Hopefully others can benefit from the mistakes I make...
