#1 2024-01-13 22:41:42

storestyggeulv
Member
From: Denmark
Registered: 2024-01-13
Posts: 3

[SOLVED] Unable to boot after / install on LUKS encrypted LVM volume

I have tried to install Arch Linux for dual-boot on my Lenovo laptop for several days, using various partitioning schemes. 
All to no avail so far, except for one preliminary test which I no longer recall what I made to make it work.  But at least
I remember that when it worked I played around with mkinitcpio HOOKS and /etc/default/grub settings.

My latest iteration has the following disk configuration:

1. I have one single 1GB Samsung NVMe disk with the following layout

nvme0n1               259:0    0 931,5G  0 disk  
├─nvme0n1p1           259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2           259:2    0   3,7G  0 part  /boot
├─nvme0n1p3           259:3    0   730G  0 part  
│ └─nvme0n1p3_crypt   252:0    0   730G  0 crypt 
│   ├─vgubuntu-root   252:1    0   710G  0 lvm   /var/snap/firefox/common/host-hunspell
│   │                                            /
│   └─vgubuntu-swap_1 252:2    0    20G  0 lvm   [SWAP]
├─nvme0n1p4           259:4    0   512M  0 part  
└─nvme0n1p5           259:5    0 196,8G  0 part  

fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 970 EVO Plus 1TB            
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E530359E-4120-494C-8BD0-601BDA6DE269

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048    1050623    1048576   512M EFI System
/dev/nvme0n1p2    1050624    8885955    7835332   3,7G Linux filesystem
/dev/nvme0n1p3    8885956 1539807231 1530921276   730G Linux filesystem
/dev/nvme0n1p4 1539807232 1540855807    1048576   512M Linux filesystem
/dev/nvme0n1p5 1540855808 1953523711  412667904 196,8G Linux filesystem

FYI my laptop has the following configuration:

OS: Ubuntu 22.04.3 LTS x86_64 
Host: Lenovo 82KV IdeaPad 3 17ALC6  (EFI)
Kernel: 6.5.0-14-generic 
CPU: AMD Ryzen 5 5500U with Radeon Graphics (12) @ 4.056GHz 
GPU: AMD ATI 03:00.0 Lucienne 
Memory: 3884MiB / 17835MiB

The first three partitions are Ubuntu partitions, although I have re-used the EFI partition nvme0n1p1 for Arch Linux.
I installed Arch Linux from a USB stick using the latest ISO image.

Installation procedure was as follows,  based on Arch Linux install recommendations except for
not making a separate /home logical volume (to optimize space usage)

1. Existing Ubuntu partitions:
===============================

sudo fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 970 EVO Plus 1TB            
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E530359E-4120-494C-8BD0-601BDA6DE269

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048    1050623    1048576   512M EFI System
/dev/nvme0n1p2    1050624    8885955    7835332   3,7G Linux filesystem
/dev/nvme0n1p3    8885956 1539807231 1530921276   730G Linux filesystem
...

2. Wiped out pre-existing arch linux partitions if present e.g.:
================================================================
wipefs --all /dev/nvme0n1pX
dd if=/dev/urandom of=/dev/nvme0n1pX bs=4M
deleted pre-existing Arch Linux partitions, using fdisk

3. Created 2 new partitions for Arch Linux:
===============================================

/dev/nvme0n1p4  512MiB Linux ext4 filesystem for "/boot"
/dev/nvme0n1p5  190GiB to be used for LVM2 on LUKS2 with two logical volumes:
		20 GiB for "swap"
		190 GiB for "/" (including /home)

Final partition layout :
		
sudo fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 970 EVO Plus 1TB            
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E530359E-4120-494C-8BD0-601BDA6DE269

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048    1050623    1048576   512M EFI System
/dev/nvme0n1p2    1050624    8885955    7835332   3,7G Linux filesystem
/dev/nvme0n1p3    8885956 1539807231 1530921276   730G Linux filesystem
/dev/nvme0n1p4 1539807232 1540855807    1048576   512M Linux filesystem
/dev/nvme0n1p5 1540855808 1953523711  412667904 196,8G Linux filesystem

format /boot partition:
------------------------------
mkfs.ext4 /dev/nvme0n1p4

create encrypted LUKS container:
--------------------------------
cryptsetup --use-random luksFormat /dev/nvme0n1p5
cryptsetup luksOpen /dev/nvme0n1p5 cryptvol

create LVM physical volume, volume group, and logical volumes:
---------------------------------------------------------
pvcreate /dev/mapper/cryptvol
vgcreate vg0 /dev/mapper/cryptvol

lvcreate -L 20G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
lvreduce --size -1G vg0/root

mkswap /dev/vg0/swap
mkfs.ext4 /dev/vg0/root

check setup using pvs vgs and lvs

4. Mount filesystems
=====================

mount /dev/vg0/root /mnt
mount --mkdir /dev/nvme0n1p4 /mnt/boot
mount --mkdir /dev/nvme0n1p1 /mnt/boot/efi

swapon /dev/vg0/swap

5. Arch Linux install
=====================

# localectl list-keymaps
# loadkeys dk
# cat /sys/firmware/efi/fw_platform_size (should print 64)

connect to network:

# iwctl
> device list
> adapter phy0 set-property Powered on
> station wlan0 scan
> station wlan0 get-networks
> station wlan0 connect <SSID> (provide passphrase)
> exit

# ping archlinux.org
# timedatectl

# pacstrap -K /mnt base linux linux-firmware openssh git vim vi sudo which lvm2 mkinitcpio dosfstools os-prober mtools linux-tools man efibootmgr grub

# genfstab -U /mnt >> /mnt/etc/fstab 

edit /mnt/etc/fstab to change "relatime" to "noatime" 

Enter the installed Arch Linux:
# arch-chroot /mnt /bin/bash

See available timezones:
# ls /usr/share/zoneinfo/

Set timezone:
# ln -s /usr/share/zoneinfo/CET /etc/localtime
# hwclock --systohc

Edit locale file to uncomment desired locales:
# vi /etc/locale.gen (uncomment en_DK.UTF-8, en_GN.UTF-8, en_US.UTF-8 UTF-8, etc)

Generate desired locales:
# locale-gen

Set console keyboard layout:
# vi /etc/locale.conf and enter the following line
# LANG=en_DK.UTF-8

Set host name:
# echo myarch > /etc/hostname

Manage users:
# useradd -m -G wheel --shell /bin/bash jan
# passwd jan
# visudo
# ---> Uncomment "%wheel ALL=(ALL) ALL"
# passwd (set root password)

Make boot images with support for LUKS and LVM2:
# vi /etc/mkinitcpio.conf
 ---> Add 'encrypt' and 'lvm2' to HOOKS line before 'filesystems' to look like this:
 ---> (base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

# mkinitcpio -P

# vi /etc/default/grub and do the following:
  add "luks2" "lvm" and "ext2" to "GRUB_PRELOAD_MODULES"
  GRUB_DISABLE_OS_PROBER=false
  GRUB_ENABLE_CRYPTODISK=y
  add cryptdevice statement to "GRUB_CMDLINE_LINUX_DEFAULT" 
 
# blkid

/dev/nvme0n1p5: UUID="5c4b48cd-7817-4116-a2e6-cd73693faf02" TYPE="crypto_LUKS" PARTUUID="b7f62375-a758-4c8c-9ee7-0387c67e226e"

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=5c4b48cd-7817-4116-a2e6-cd73693faf02:cryptvol root=/dev/vg0/root"
  
Install grub2 on EFI partition:
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch --recheck

Install amd microcode 

# pacman -S amd-ucode

Update grub configuration:
# grub-mkconfig -o /boot/grub/grub.cfg

Restrict /boot permissions

chmod 700 /boot

# pacman -S networkmanager gnome gdm
# systemctl enable NetworkManager
# exit
 
# umount -R /mnt
# reboot

BUT !!

When I reboot into the Arch Install I end up in a grub prompt:

grub> 

I then did the following:

> ls
(hd) (hd0,gpt5) (hd0,gpt4) ......... (others are ubuntu partitions)

(hd0,gpt5) is the LUKS encrypted device and I then tried to open it for booting up from GRUB

> cryptomount (hd0,gpt5)
No cryptodisk module loaded

> insmod luks2  (success)
> cryptomount (hd0,gpt5)
Enter passphrase for hd0,gpt5 (5c4b48cd-7817-4116-a2e6-cd73693faf02): <typed it in>
Error: Invalid passphrase

GRUB uses a US keyboard layout so I tried both Danish keys and US keys with the same result.  When I tried it on the Ubuntu LUKS I got the same result. And both can be unlocked when booting Ubuntu or when I boot from the Arch Linux install USB.

When I try to boot using the usual GRUB procedure:
> set root=(hd0,gpt5)
> set linux (hd0,gpt4)/vmlinuz-linux
> set initrd (hd0,gpt4)/initramfs-linux.img or the fallback image
> insmod luks2
> boot

then I predictably can't boot because the LUKS container can't be unlocked and I end up in some other rescue "rootfs" mode (probably initramfs busybox or something similar).  I wanted to attach a screen picture of the messages but I don't know how. Maybe someone can give me a hint on this?

I am at my wits' end so hopefully someone has a hint?

Does GRUB's luks2 module not support the makeup of my LUKS passphrase?  It contains upper and lowercase letters and a single "&" and was created with a "loadkeys dk" keyboard layout during install - most likely UTF-8.

Last edited by storestyggeulv (2024-01-14 19:29:51)


#2 2024-01-13 23:07:15

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: [SOLVED] Unable to boot after / install on LUKS encrypted LVM volume

It seems you didn't reinstall Grub after setting it to cryptodisk mode (or I might have misread). The cryptodisk stuff has to go into its core.img so it kind of requires re-running grub-install to be active.

Another thing is that Grub does not support LUKS2 argon2id keys, so it will only work if you have a PBKDF2 passphrase (or LUKS1 instead of LUKS2 header). Otherwise that's where you get unknown passphrase errors. You can add PBKDF2 keys or convert existing keys with luksConvertKey.

Personally I prefer to not encrypt boot/kernel/initramfs at all. Makes booting so much simpler, allows you to use any other bootloader, without depending on Grub's specialties. And your rootfs and everything else is still encrypted. It's just not worth the extra effort and complications just for the kernel/initramfs.

If you already have an unencrypted /boot partition then just leave the grub crypto stuff off. All you need is encrypt support in your initramfs, and the correct menuentry / parameters in your grub config.

Last edited by frostschutz (2024-01-13 23:17:32)
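
The keyslot check behind the reply above can be scripted. This is an added example, not part of the original posts: it reads `cryptsetup luksDump` output and lists the keyslots whose PBKDF is not pbkdf2, the case the reply says GRUB rejects. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: list LUKS2 keyslots whose PBKDF is not pbkdf2.
# Reads `cryptsetup luksDump <device>` text on stdin and prints
# "<slot> <pbkdf>" per offending keyslot. Only the "Keyslots:" section is
# examined, because the "Digests:" section reuses the same "N: type" layout.
non_pbkdf2_slots() {
    awk '
        /^[A-Za-z][^:]*:[ \t]*$/ { in_slots = ($1 == "Keyslots:"); next }
        in_slots && /^[ \t]+[0-9]+:/ { slot = $1; sub(/:/, "", slot); next }
        in_slots && $1 == "PBKDF:" && $2 != "pbkdf2" { print slot, $2 }
    '
}

# Constructed, shortened luksDump output (not taken from the thread).
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

sample_dump | non_pbkdf2_slots    # prints: 0 argon2id

# On a real system (as root), with the device from this thread:
#   cryptsetup luksDump /dev/nvme0n1p5 | non_pbkdf2_slots
#   cryptsetup luksConvertKey --key-slot 0 --pbkdf pbkdf2 /dev/nvme0n1p5
```

This only matters when GRUB itself has to open the container; with an unencrypted /boot, as in this thread, the initramfs does the unlocking.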


#3 2024-01-14 00:20:08

storestyggeulv
Member
From: Denmark
Registered: 2024-01-13
Posts: 3

Re: [SOLVED] Unable to boot after / install on LUKS encrypted LVM volume

Hi Frostschutz. Thank you for your suggestion. It may have solved the problem. But in the meantime I have actually solved it in an easier way.  When searching the forum with LUKS and login error or something like that I found someone who had had a similar problem. And apparently it was as I suspected that GRUB did not read my keystrokes correctly.  I simply added KEYMAP=dk to /etc/vconsole.conf and did mkinitcpio -P and grub-mkconfig -o /boot/grub/grub.cfg, and the problem went away :-)  It was all down to locale settings.  I still don't understand why using the wrong locale could cause the problem.  I found out it was a US layout and simply used the right US keys to type the correct passphrase.  Oh well.
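
The mkinitcpio `keymap` hook copies the KEYMAP from /etc/vconsole.conf into the initramfs, so it has to run before `encrypt` for the passphrase prompt to use that layout. The check below is an added example, not part of the original posts; the function name `check_initramfs_keymap` and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the two settings the initramfs passphrase prompt
# depends on for a non-US keyboard:
#   1. HOOKS lists "keymap" before "encrypt"
#   2. vconsole.conf sets KEYMAP (picked up by the keymap hook)
# Usage: check_initramfs_keymap <mkinitcpio.conf> <vconsole.conf>
check_initramfs_keymap() {
    # Last uncommented HOOKS=(...) line wins, as when the file is sourced.
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*$/\1/p' "$1" | tail -n 1)
    pos=0; keymap_pos=0; encrypt_pos=0
    for hook in $hooks; do
        pos=$((pos + 1))
        case $hook in
            keymap)  keymap_pos=$pos ;;
            encrypt) encrypt_pos=$pos ;;
        esac
    done
    if [ "$encrypt_pos" -eq 0 ]; then
        echo "encrypt hook missing"; return 1
    fi
    if [ "$keymap_pos" -eq 0 ] || [ "$keymap_pos" -gt "$encrypt_pos" ]; then
        echo "keymap hook must come before encrypt"; return 1
    fi
    keymap=$(sed -n 's/^KEYMAP=//p' "$2" 2>/dev/null | tail -n 1)
    if [ -z "$keymap" ]; then
        echo "KEYMAP not set in vconsole.conf"; return 1
    fi
    echo "ok: $keymap"
}

# Constructed sample files mirroring the configuration described in the thread.
demo=$(mktemp -d)
echo 'HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)' > "$demo/mkinitcpio.conf"
echo 'KEYMAP=dk' > "$demo/vconsole.conf"
check_initramfs_keymap "$demo/mkinitcpio.conf" "$demo/vconsole.conf"   # ok: dk
rm -rf "$demo"

# On the installed system, followed by `mkinitcpio -P` after any change:
#   check_initramfs_keymap /etc/mkinitcpio.conf /etc/vconsole.conf
```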
