
#1 2021-07-31 20:48:03

zpg443
Member
Registered: 2016-12-03
Posts: 271

[SOLVED] New install with LUKS2 drops to shell with Grub

This article: GRUB 2.06 Released With BootHole Fixes, LUKS2 Encrypted Volume Support says Grub now supports LUKS2, but after several days of troubleshooting, I am unable to boot a fresh working install using LUKS2 with Grub.

I previously tried EFISTUB. I added the image to the UEFI menu but it dropped me into shell. This UEFI version does not recognize bcfg, so for me launching from Shell is not a realistic option (without handholding).

It is a simple configuration of a non-encrypted FAT32 boot partition (sda1) and an encrypted ext4 root partition (sda2).

Grub successfully installs and builds the menu entry, but Grub drops into SHELL when selecting the menu item and there is no password prompt. I assume Grub cannot find the partition (it correctly identifies the UUID of the encrypted partition) because it fails to provide a password prompt.

Neither bootloader can find the encrypted volume during the boot process. Is there any updated guidance on configuring Grub for LUKS2, or am I misunderstanding the new guidance? I do not wish to use a keyfile nor use LVM.

/etc/mkinitcpio.conf

MODULES=(ext4 dm-crypt dm-mod)
HOOKS=(base udev autodetect keyboard consolefont modconf block encrypt lvm2 filesystems fsck)

/etc/crypttab

luks         UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx        none    luks,timeout=15

For Grub, /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:root root=/dev/mapper/cryptluks ro quiet"

Without Grub (efibootmgr only)

efibootmgr --disk /dev/sda --part 1 --create --label "Arch Linux" --loader /vmlinuz-linux -u  "cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:root root=/dev/mapper/cryptluks rw initrd=\intel-ucode.img initrd=\initramfs-linux.img"

Shell:

 ERROR: device '/dev/mapper/cryptluks' not found. Skipping fsck.
mount: /new_root: no filesystem type specified.
You are now being dropped into an emergency shell.

edit: added shell message

Last edited by zpg443 (2021-08-01 16:10:44)

Offline
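Added example, not code from the post: a small Python check over kernel parameters like the ones quoted above. It verifies that the device specifier in cryptdevice= is of a form the mkinitcpio encrypt hook can resolve and that the mapper name after the colon is the one root= refers to, since the hook opens the volume as /dev/mapper/<dmname>. The two sample lines are constructed from the post's own values, placeholder UUID included.

```python
# Constructed samples: the first mirrors the /etc/default/grub line in the post above
# (placeholder UUID kept), the second the kernel line from the later EFI-shell attempt.
BROKEN = ("cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:root "
          "root=/dev/mapper/cryptluks ro quiet")
WORKING = ("cryptdevice=/dev/sda2:cryptluks root=/dev/mapper/cryptluks rw "
           "initrd=\\intel-ucode.img initrd=\\initramfs-linux.img")

# Device specifiers the encrypt hook can resolve besides a plain /dev path.
TAG_PREFIXES = ("UUID=", "PARTUUID=", "LABEL=", "PARTLABEL=")


def parse_cmdline(cmdline):
    """Split a kernel command line into {key: [values]}; repeated keys (initrd=) keep order."""
    params = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params.setdefault(key, []).append(value)
    return params


def check_cryptdevice(cmdline):
    """Return problems with the encrypt-hook parameters, or [] if they are consistent.

    The hook reads cryptdevice=<device>:<dmname>[:options] and opens <device> as
    /dev/mapper/<dmname>; root= must name exactly that mapping, otherwise the
    initramfs reports the root device as not found even after a successful unlock.
    """
    params = parse_cmdline(cmdline)
    if "cryptdevice" not in params:
        return ["no cryptdevice= parameter: the encrypt hook has nothing to unlock"]
    fields = params["cryptdevice"][0].split(":")
    if len(fields) < 2 or not fields[1]:
        return ["cryptdevice= has no mapper name (expected <device>:<dmname>)"]
    device, dmname = fields[0], fields[1]
    problems = []
    if not (device.startswith("/dev/") or device.startswith(TAG_PREFIXES)):
        problems.append(f"cryptdevice device {device!r} is neither a /dev path nor a UUID=/LABEL= tag")
    root = params.get("root", [""])[0]
    expected = f"/dev/mapper/{dmname}"
    if root != expected:
        problems.append(f"root={root!r} does not match the mapping {expected!r} the hook creates")
    return problems
```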

#2 2021-07-31 21:20:13

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

It has only limited support for LUKS2 (only PBKDF2 key derivation, not Argon2 which LUKS2 uses by default).

Encrypting /boot is a lot of hassle in general. If you don't even get a password prompt, it may also be a different configuration issue.

Offline

#3 2021-07-31 21:20:41

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

Where is your kernel and initramfs? If you put them on the EFI partition, then LUKS2 support in grub is irrelevant.

If the kernel is inside the encrypted partition, then you need decryption in grub. In that case you have to use PBKDF2 key derivation:

If you click through the linked article, then you come to this commit: https://git.savannah.gnu.org/cgit/grub. … 70b49f9755

The proposed support for LUKS2 is able to make use of the metadata to
decrypt such disks. Note though that in the current version, only the
PBKDF2 key derival function is supported.

Edit: A bit too slow.

Last edited by progandy (2021-07-31 21:21:34)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#4 2021-07-31 21:33:07

zpg443
Member
Registered: 2016-12-03
Posts: 271

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

progandy wrote:

Where is your kernel and initramfs? If you put them on the EFI partition, then LUKS2 support in grub is irrelevant.

Yes, they are on the EFI partition. I mistakenly thought the LUKS2 support included solution of UEFI boot issues Grub ordinarily could solve. As frostschutz mentioned, it is more likely a configuration issue.

Is there something wrong with the efibootmgr configuration (instead of Grub) that would prevent a password prompt? I can post more details if needed.

Last edited by zpg443 (2021-07-31 21:34:09)

Offline

#5 2021-07-31 22:51:28

zpg443
Member
Registered: 2016-12-03
Posts: 271

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

I was able to get the password prompt and boot into Arch by doing these steps, using EFI Shell:

1. Launched the live disk, then selected the EFI Shell (not the one from the motherboard UEFI - that was my big mistake). The live disk has the current UEFI version.
2. Created a launchcrypt.nsh file with the following:

vmlinuz-linux cryptdevice=/dev/sda2:cryptluks root=/dev/mapper/cryptluks rw initrd=\intel-ucode.img initrd=\initramfs-linux.img

3. Launched script from EFI shell.

Based on this success, I can ditch Grub and go back to efibootmgr and launch direct from UEFI if it works with the motherboard's UEFI software. Will post the result.

Last edited by zpg443 (2021-07-31 23:02:01)

Offline

#6 2021-08-01 04:11:15

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

I'mma piggyback on this one; maybe it contributes something and helps me as well.
I wanted to make a similar encryption setup, and even if the latest grub supports pbkdf2 for luks2 I couldn't make it work.
But I tried to have /boot on a different partition encrypted with luks1, and / encrypted with luks2, which seems to work, but there's something I'd like to iron out.
As it is (in the wiki) I get the first /boot encryption password prompt, that goes well, I get to boot into Arch from grub, then comes the encrypt hook asking for the / partition password. That seems to be going well but while booting there's an error "A start job is running for /dev/disk/by-uuid/boot-partition's-UUID" and hangs.
I can get around this by adding the /boot partition's UUID to crypttab, but this is basically a 3rd time that I have to input a password, instead of two times.
The entry in crypttab is "cryptboot UUID=whatever-ID-for-sdXY"
Apart from this issue it seems to work. /boot with luks1 and / with luks2 which should be "better" than everything with luks1
Is there any way I can skip the 3rd time I have to input the password?

Last edited by qu@rk (2021-08-01 04:13:45)

Offline

#7 2021-08-01 06:10:21

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

Actually one way to skip the 2nd /boot unlock is to remove the /boot entry from fstab. I still have to unlock both /boot and / at boot time, as using a keyfile for / means I'd have to keep it on /boot which is luks1 "only", so no gain of having luks2 for root.

Last edited by qu@rk (2021-08-01 06:11:35)

Offline

#8 2021-08-01 08:43:32

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 592

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

I'm surprised that no one has looked at the wiki: https://wiki.archlinux.org/title/GRUB#Encrypted_/boot. There's a big red warning there that lists the issues.

Most of the details can be found in this grub-git comment: https://aur.archlinux.org/packages/grub … ent-802401.

Offline

#9 2021-08-01 11:53:50

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

Yes that's how I knew that grub 2.06 should only work with luks2 with PBKDF2. I might try and use luks2 on /boot with the info from that comment. At the moment I managed to get secure boot working with luks1 for /boot. Might complicate things with secure boot forcing luks2 with that workaround.

Offline

#10 2021-08-01 16:10:18

zpg443
Member
Registered: 2016-12-03
Posts: 271

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

The full booting solution I used for an install with LUKS (non-encrypted EFI partition, LUKS2 root) was to use EFISTUB with the UEFI Shell directly. The (MSI H97 PC Mate) motherboard's UEFI shell was a challenge. Even though it says UEFI Shell version 2.31, it did not have features like bcfg available, and neither efibootmgr nor Grub was working. So I moved on to the "Using a startup.nsh script" section of EFISTUB.

1. Added an ".efi" filename extension to the image file (i.e. vmlinuz-linux to vmlinuz-linux.efi)
2. In the root of the EFI partition (in my case, /boot), created a file with the name startup.nsh with this single string for my kernel of choice:

vmlinuz-linux-lts.efi cryptdevice=/dev/sda2:cryptluks root=/dev/mapper/cryptluks rw initrd=\intel-ucode.img initrd=\initramfs-linux-lts.img

3. Because I had existing efibootmgr and bootloader entries, I had to remove each from the UEFI Shell. (Use efibootmgr -v to see the menu list) Where (x) is the menu list number:

efibootmgr -b(x) -B

4. UEFI Shell starts with a 5 Sec delay before launching startup.nsh, so I changed it to 1 sec with:

Set StartupDelay 1

The boot result: a 1 sec display of UEFI Shell, and a few seconds to launch the startup.nsh script and get a LUKS password prompt.

Last edited by zpg443 (2021-08-01 20:16:14)

Offline

#11 2021-08-02 01:39:59

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

Did you keep /boot on / or was it a separate partition? For the pbkdf algo did you use the default argon2i or pbkdf2?

Offline

#12 2021-08-02 05:12:51

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

nl6720 wrote:

Most of the details can be found in this grub-git comment: https://aur.archlinux.org/packages/grub … ent-802401.

I tried to adapt his script to my setup but failed. He's using LVM which I don't, and there's a mismatch in "set root" location notation. Tried with (hd0,X) and (hd0,gptX) but doesn't seem to work.

Offline

#13 2021-08-05 09:27:50

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

Managed to sort it out, now /boot is also luks2.
I have separate partitions for ESP and /boot. Works with this:

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u boot-partition-UUID
set prefix=(cryptouuid/boot-partition-UUID)/grub
set root=cryptouuid/boot-partition-UUID
insmod normal
normal
EOF

grub-mkimage \
    -p '(cryptouuid/boot-partition-UUID)/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 part_gpt ext2 cryptodisk gcry_rijndael gzio luks gcry_sha512

rm "$CONFIG"

I don't have LVM and my partitions are ext4.
edit: still my main issue is that I have to insert the /boot unlock passphrase two times + one time from /. Once at the very start to unlock /boot, then unlock / after kernel select, then it again asks for the /boot passphrase as it goes through crypttab. Any way of solving this? Can't it "remember" the passphrase?

Last edited by qu@rk (2021-08-05 09:33:47)

Offline

#14 2021-08-07 03:41:32

Ammako
Member
Registered: 2021-07-16
Posts: 267

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

qu@rk wrote:

edit: still my main issue is that I have to insert the /boot unlock passphrase two times + one time from /. Once at the very start to unlock /boot, then unlock / after kernel select, then it again asks for the /boot passphrase as it goes through crypttab. Any way of solving this? Can't it "remember" the passphrase?

You enter /boot unlock passphrase once so grub can load /boot, then you have to enter your / unlock passphrase because presumably this is a different encrypted partition. Then once / has been decrypted and you've loaded into the system, it tries to mount /boot which requires unlocking (again). You can skip having to enter your /boot unlock passphrase a second time by using a keyfile.

From https://cryptsetup-team.pages.debian.ne … ord-prompt

1: Create a directory to hold key files, and generate your key file:

# mkdir -m0700 /etc/keys
# ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync )

2: Add that key file to a new key slot for your /boot partition:

# cryptsetup luksAddKey /dev/sda2 /etc/keys/boot.key

3: Adapt the entry in /etc/crypttab for your /boot partition using that key file:

boot_crypt UUID=… /etc/keys/boot.key luks,discard,key-slot=1

Ignore the rest of the steps, you don't need them for your setup (and Arch uses mkinitcpio rather than initramfs-tools, so the steps as-is wouldn't apply anyway.) Key file path will already be accessible and readable on the decrypted root partition by the time your system tries to mount /boot via crypttab, so it'll just read the key file directly and you don't need to embed the key file into your initramfs.

Adapt according to your setup. Once again, this assumes a boot partition separate from your root partition. If boot were on the same partition as root, you'd have to embed the key file in initramfs and add an extra kernel parameter to your grub config, which I'm not going to cover here.

Keep a bootable arch iso handy in case anything goes wrong, so you can arch-chroot back in to recover. There shouldn't be any issues though. Writing this from exactly this kind of setup right now.

Offline

#15 2021-08-07 17:44:24

qu@rk
Member
Registered: 2021-07-28
Posts: 55

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

Hey thanks for explaining it! I never connected that I can have more auth options for luks. But yeah, there's extra slots. And I'd keep the /boot key on / which is encrypted with the default luks2 argon2i. I'll try it later, I just installed Arch on my main PC to daily drive it now.

edit: worked perfect! thank you!

Last edited by qu@rk (2021-08-07 21:50:11)

Offline

#16 2022-04-15 17:51:55

xinato
Member
Registered: 2022-04-15
Posts: 1

Re: [SOLVED] New install with LUKS2 drops to shell with Grub

The solution from qu@rk led me in the right direction; I had to add a few more modules to the grub-mkimage command: biosdisk search_label search_fs_file search_fs_uuid search pbkdf2 crypto geli

In order to install the image this produces, use:
grub2-bios-setup -c ../../tmp/image -b i386-pc/boot.img <target device (like /dev/sdb)>

(note that mine was not for EFI)

To fix the multiple password problem:
1. create a random password in /etc/keys/root.key
2. Use cryptsetup to add the key to a new keyslot on the encrypted partition(s)
3. Add a crypttab file in /etc with a line like:
     luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX5321 UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX5321 /etc/keys/root.key luks,discard

You need a line for each partition that uses the key.
Protect the key by making the directory owner/group root/root and set permissions to 700.

It's ok to have the key in a file on the disk, if the disk itself is protected.

These two files must be included in the boot ram disk as well. This presumes that the ram disk is on an encrypted partition as well.

Thanks for the help.
Best regards.


qu@rk wrote:

Managed to sort it out, now /boot is also luks2.
I have separate partitions for ESP and /boot. Works with this:

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u boot-partition-UUID
set prefix=(cryptouuid/boot-partition-UUID)/grub
set root=cryptouuid/boot-partition-UUID
insmod normal
normal
EOF

grub-mkimage \
    -p '(cryptouuid/boot-partition-UUID)/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 part_gpt ext2 cryptodisk gcry_rijndael gzio luks gcry_sha512

rm "$CONFIG"

I don't have LVM and my partitions are ext4.
edit: still my main issue is that I have to insert the /boot unlock passphrase two times + one time from /. Once at the very start to unlock /boot, then unlock / after kernel select, then it again asks for the /boot passphrase as it goes through crypttab. Any way of solving this? Can't it "remember" the passphrase?

Offline
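Added example, not code from either post: a Python audit that applies the key-file advice from Ammako's and xinato's posts above. It parses a crypttab and, for every entry that names a key file rather than a passphrase prompt, checks that the file and its directory are owned by root and closed to group/other. It runs on a constructed temporary layout (one correct 0600 key in a 0700 directory, one sloppy 0644 key), so the UUIDs are placeholders and the owner check is run against the current user instead of root.

```python
import os
import stat
import tempfile

def parse_crypttab(text):
    """Parse crypttab into (name, device, keyfile, options); keyfile None means prompt."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        keyfile = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], keyfile, options))
    return entries

def keyfile_problems(path, root_uid=0):
    """Check the key file and its directory: owned by root, no group/other bits."""
    if not os.path.isfile(path):
        return [f"{path}: key file missing"]
    problems = []
    for label, p in (("key file", path), ("key directory", os.path.dirname(path))):
        st = os.stat(p)
        if st.st_uid != root_uid:
            problems.append(f"{p}: {label} not owned by root")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{p}: {label} open to group/other (mode {stat.S_IMODE(st.st_mode):o})")
    return problems

def audit(crypttab_text, root_uid=0):
    """Problems per key-file entry; passphrase entries (none/-) are not checked."""
    return {name: keyfile_problems(key, root_uid)
            for name, _dev, key, _opts in parse_crypttab(crypttab_text) if key}

def demo():
    """Constructed layout: a 0600 key in a 0700 directory next to a 0644 key (owner = current user)."""
    keys = os.path.join(tempfile.mkdtemp(), "keys")
    os.mkdir(keys, 0o700)
    for name, mode in (("boot.key", 0o600), ("sloppy.key", 0o644)):
        with open(os.path.join(keys, name), "wb") as f:
            f.write(os.urandom(64))  # same size as the dd command in the post above
        os.chmod(os.path.join(keys, name), mode)
    crypttab = f"""# name   device             keyfile            options
boot_crypt UUID=<boot-uuid>    {keys}/boot.key    luks,discard,key-slot=1
root_crypt UUID=<root-uuid>    none               luks,timeout=15
sloppy     UUID=<other-uuid>   {keys}/sloppy.key  luks,discard
"""
    return audit(crypttab, root_uid=os.getuid())
```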
