#1 2025-08-25 23:28:34

PuppyFromLosAndes
Member
Registered: 2024-11-04
Posts: 5

[SOLVED] EFI boot stub, GRUB: won't boot into encrypted root

Hello. I have a LUKS2-encrypted partition in an MBR disk, and I'm trying to get the system to boot under UEFI.

The encrypted partition is sda1, and the boot partition is sda2. I tried to install GRUB first, and when I tried to boot the system, it said this:

     ERROR: device '' not found. Skipping fsck.
     mount: /new_root: wrong fs type, bad option, bad superblock on , missing codepage or helper program, or other error.
         dmesg(1) may have more information after failed mount system call.
     ERROR: Failed to mount '' on real root
     You are now being dropped into an emergency shell.
     sh: can't access tty; job control turned off.

Afterwards I removed GRUB and tried to set a boot entry manually with efibootmgr, with the "cryptdevice" option pointing to the UUID of the still unencrypted LUKS partition. I additionally chose to name the mapped LUKS partition "archcrypt", because I gave it that same name in /etc/fstab. However, it still gives me the same error above.

I tried to see what "dmesg" says, but I'm not sure if it helps much.

     scsi 2:0:0:0: Direct-Access Mass Storage Device PQ: 0 ANSI: 0 CCS
     sd 2:0:0:0: [sdb] Media removed, stopped polling
     sd 2:0:0:0: [sdb] Attached SCSI removable disk
     [drm] amdgpu kernel modesetting enabled.
     amdgpu: Virtual CRAT table created for CPU
     amdgpu: Topology: Add CPU node
     device-mapper: uevent: version 1.0.3
     device-mapper: ioctl: 4.49.0-ioctl (2025-01-17) initialised:
     Key type encrypted registered
     random: crng init done
     fbcon: Taking over console

Live environments that have cryptsetup can open the LUKS partition without issue, including the Arch Linux disk. I could also arch-chroot into the system. But what can I do to boot into Arch properly? Please help.

Last edited by PuppyFromLosAndes (2025-08-28 22:31:41)

#2 2025-08-25 23:48:09

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,694

Re: [SOLVED] EFI boot stub, GRUB: won't boot into encrypted root

Post actual configs; grub, efibootmgr, and mkinitcpio (or whatever you use to generate the initcpio).

#3 2025-08-28 05:05:04

PuppyFromLosAndes
Member
Registered: 2024-11-04
Posts: 5

Re: [SOLVED] EFI boot stub, GRUB: won't boot into encrypted root

Scimmia wrote:

Post actual configs; grub, efibootmgr, and mkinitcpio (or whatever you use to generate the initcpio).

I don't have a grub folder in /boot, since I uninstalled grub, but I have leftover config files on /etc/grub.d. I'm unsure if I've messed with seemingly default config files, but I'll just zip them up in the case I'm being dumb and I forgot about something -- https://drive.google.com/file/d/1NCqeNt … RXWXc/view

There's also a file called "linux.preset" in /etc/mkinitcpio.d. It says:

     # mkinitcpio preset file for the 'linux' package

     #ALL_config="/etc/mkinitcpio.conf"
     ALL_kver="/boot/vmlinuz-linux"

     PRESETS=('default' 'fallback')

     #default_config="/etc/mkinitcpio.conf"
     default_image="/boot/initramfs-linux.img"
     #default_uki="/efi/EFI/Linux/arch-linux.efi"
     #default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

     #fallback_config="/etc/mkinitcpio.conf"
     fallback_image="/boot/initramfs-linux-fallback.img"
     #fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
     fallback_options="-S autodetect"

However, /etc/mkinitcpio.conf.d is an empty folder. /etc/initcpio sounds like it would be related, but it's three empty folders, no dotfiles, no nothing.

Finally, there's an /etc/mkinitcpio.conf file:

     # vim:set ft=sh
     # MODULES
     # The following modules are loaded before any boot hooks are
     # run.  Advanced users may wish to specify all system modules
     # in this array.  For instance:
     #     MODULES=(usbhid xhci_hcd)
     MODULES=()

     # BINARIES
     # This setting includes any additional binaries a given user may
     # wish into the CPIO image.  This is run last, so it may be used to
     # override the actual binaries included by a given hook
     # BINARIES are dependency parsed, so you may safely ignore libraries
     BINARIES=()

     # FILES
     # This setting is similar to BINARIES above, however, files are added
     # as-is and are not parsed in any way.  This is useful for config files.
     FILES=()

     # HOOKS
     # This is the most important setting in this file.  The HOOKS control the
     # modules and scripts added to the image, and what happens at boot time.
     # Order is important, and it is recommended that you do not change the
     # order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
     # help on a given hook.
     # 'base' is _required_ unless you know precisely what you are doing.
     # 'udev' is _required_ in order to automatically load modules
     # 'filesystems' is _required_ unless you specify your fs modules in MODULES
     # Examples:
     ##   This setup specifies all modules in the MODULES setting above.
     ##   No RAID, lvm2, or encrypted root is needed.
     #    HOOKS=(base)
     #
     ##   This setup will autodetect all modules for your system and should
     ##   work as a sane default
     #    HOOKS=(base udev autodetect modconf block filesystems fsck)
     #
     ##   This setup will generate a 'full' image which supports most systems.
     ##   No autodetection is done.
     #    HOOKS=(base udev modconf block filesystems fsck)
     #
     ##   This setup assembles a mdadm array with an encrypted root file system.
     ##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
     #    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
     #
     ##   This setup loads an lvm2 volume group.
     #    HOOKS=(base udev modconf block lvm2 filesystems fsck)
     #
     ##   This will create a systemd based initramfs which loads an encrypted root filesystem.
     #    HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
     #
     ##   NOTE: If you have /usr on a separate partition, you MUST include the
     #    usr and fsck hooks.
     HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)

     # COMPRESSION
     # Use this to compress the initramfs image. By default, zstd compression
     # is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
     # Use 'cat' to create an uncompressed image.
     #COMPRESSION="zstd"
     #COMPRESSION="gzip"
     #COMPRESSION="bzip2"
     #COMPRESSION="lzma"
     #COMPRESSION="xz"
     #COMPRESSION="lzop"
     #COMPRESSION="lz4"

     # COMPRESSION_OPTIONS
     # Additional options for the compressor
     #COMPRESSION_OPTIONS=()

     # MODULES_DECOMPRESS
     # Decompress loadable kernel modules and their firmware during initramfs
     # creation. Switch (yes/no).
     # Enable to allow further decreasing image size when using high compression
     # (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
     # at early boot.
     # Note that any compressed files will be placed in the uncompressed early CPIO
     # to avoid double compression.
     #MODULES_DECOMPRESS="no"

and as for the UEFI boot entry, efibootmgr -v shows me that the current parameters for my Arch boot entry are these:

     Boot0000* Arch	HD(2,MBR,0x15e915e8,0x3a186000,0x200000)/File(\vmlinuz-linux)c.r.y.p.t.d.e.v.i.c.e.=.U.U.I.D.=.2.f.8.b.7.7.7.9.-.3.d.f.f.-.4.f.f.3.-.b.1.5.3.-.7.7.2.9.5.d.8.e.9.c.1.c.:.a.r.c.h.c.r.y.p.t. .r.w. .i.n.i.t.r.d.=.\.i.n.i.t.r.a.m.f.s.-.l.i.n.u.x...i.m.g.

#4 2025-08-28 15:34:25

gtarch
Member
Registered: 2022-10-14
Posts: 48

Re: [SOLVED] EFI boot stub, GRUB: won't boot into encrypted root

PuppyFromLosAndes wrote:

and as for the UEFI boot entry, efibootmgr -v shows me that the current parameters for my Arch boot entry are these:

     Boot0000* Arch	HD(2,MBR,0x15e915e8,0x3a186000,0x200000)/File(\vmlinuz-linux)c.r.y.p.t.d.e.v.i.c.e.=.U.U.I.D.=.2.f.8.b.7.7.7.9.-.3.d.f.f.-.4.f.f.3.-.b.1.5.3.-.7.7.2.9.5.d.8.e.9.c.1.c.:.a.r.c.h.c.r.y.p.t. .r.w. .i.n.i.t.r.d.=.\.i.n.i.t.r.a.m.f.s.-.l.i.n.u.x...i.m.g.

I don't know how you get efibootmgr to display kernel parameters, but they are wrong. cryptdevice should be /dev/sda1 and root should be the UUID.

#5 2025-08-28 22:31:23

PuppyFromLosAndes
Member
Registered: 2024-11-04
Posts: 5

Re: [SOLVED] EFI boot stub, GRUB: won't boot into encrypted root

gtarch wrote:

I don't know how you get efibootmgr to display kernel parameters, but they are wrong. cryptdevice should be /dev/sda1 and root should be the UUID.

I checked. It turns out that I mentioned having set the then-decrypted root's UUID to the cryptdevice, but I re-checked and the UUID that efibootmgr said was set for cryptdevice's parameters ended up being, as you instructed me right now, the encrypted LUKS block.

2f8b7779-3dff-4ff3-b153-77295d8e9c1c was the encrypted LUKS block all along, while in reality the decrypted root partition has the UUID 2da6b582-def4-4301-9d57-f8767fae7331.

However, I mistakenly thought that cryptdevice automatically set the just decrypted partition as the root, when I should've pointed to it right after cryptdevice. So I did:

     efibootmgr --create --disk /dev/sda --part 2 --label "Arch btw" --loader /vmlinuz-linux --unicode 'cryptdevice=UUID=2f8b7779-3dff-4ff3-b153-77295d8e9c1c:archcrypt root=UUID=2da6b582-def4-4301-9d57-f8767fae7331 rw initrd=\initramfs-linux.img'

And now it boots with no issues. I apologize for my own foolishness -- I probably should've picked up on such the moment it told me that it was trying to boot into a blank-named device.

Last edited by PuppyFromLosAndes (2025-08-28 22:32:27)
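
Added example, not part of the original thread: a small shell check that decodes the dotted argument string `efibootmgr -v` printed in post #3 and verifies that a command line for the `encrypt` hook carries both `cryptdevice=` and a separate `root=`. The function names are hypothetical, and the decoding assumes every character is followed by one filler dot, as in the posted output.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Argument string exactly as efibootmgr -v printed it in post #3: each
# character of the UTF-16 text is followed by a '.' (assumed from that output).
POSTED='c.r.y.p.t.d.e.v.i.c.e.=.U.U.I.D.=.2.f.8.b.7.7.7.9.-.3.d.f.f.-.4.f.f.3.-.b.1.5.3.-.7.7.2.9.5.d.8.e.9.c.1.c.:.a.r.c.h.c.r.y.p.t. .r.w. .i.n.i.t.r.d.=.\.i.n.i.t.r.a.m.f.s.-.l.i.n.u.x...i.m.g.'
# Command line from the working efibootmgr --create command in post #5.
FIXED='cryptdevice=UUID=2f8b7779-3dff-4ff3-b153-77295d8e9c1c:archcrypt root=UUID=2da6b582-def4-4301-9d57-f8767fae7331 rw initrd=\initramfs-linux.img'

# Drop the filler dot after each character ("x..." becomes "x.").
decode_efi_args() {
    printf '%s\n' "$1" | sed 's/\(.\)\./\1/g'
}

# Print the value of the first KEY=value word on a kernel command line.
cmdline_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Report what an 'encrypt' hook setup is missing; return 1 on any finding.
check_encrypt_cmdline() {
    crypt=$(cmdline_value cryptdevice "$1")
    root=$(cmdline_value root "$1")
    status=0
    if [ -z "$crypt" ]; then
        echo "no cryptdevice=: the LUKS container is never unlocked"
        status=1
    fi
    if [ -z "$root" ]; then
        echo "no root=: the initramfs tries to mount '' as the real root"
        status=1
    elif [ "$root" = "${crypt%%:*}" ]; then
        echo "root= names the LUKS container, not the filesystem inside it"
        status=1
    fi
    return "$status"
}

echo "posted entry: $(decode_efi_args "$POSTED")"
check_encrypt_cmdline "$(decode_efi_args "$POSTED")" || true
check_encrypt_cmdline "$FIXED" && echo "fixed entry: cryptdevice and root are both set"
```

Run against the posted entry it reports the missing `root=`, which matches the `Failed to mount '' on real root` message in post #1.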
