On 07.01.24 18:07, David Wright wrote:
> I compared your new grub.cfg with mine (suitably decimated and edited)
> and the significant differences are very few; extra modules are loaded:
> cryptodisk, luks2, gcry_rijndael, gcry_rijndael and gcry_sha256.
> My set root='hd0,gpt5' is replaced by
> set root='cryptouuid/<root-partition-UUID>'
> and my
> --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5
> is replaced by
> hint='cryptouuid/<root-partition-UUID>'
> Unlike the first version of grub.cfg that you pasted earlier:
> cryptomount -u <LUKS1 partition's UUID>
> set root='cryptouuid/<LUKS1 partition's UUID>
> there's no cryptomount in your new one. I'm guessing that means that
> the LUKS2 partition has been decrypted by Grub before grub.cfg is
> commanded. Do you now get just the one prompt for the passphrase
> when you boot? (I'm not very familiar with how far encrypted
> /boot has progressed.)

There was always only one prompt for the passphrase when boot was
working on its own. Only if you had to manually decrypt all partitions,
you'd need to enter it for every encrypted partition there is — probably
because you don't necessarily need to have the same password for
everything. There might be an option to have it reuse the key, but I
have yet to find that.
Also, that the cryptomount lines are missing must be why Grub was still
a bit unreliable. I'll write my current grub.cfg in a separate message,
as they are back now after some experiments with rEFInd, systemd-boot
and trying to get resume from hibernation to work reliably.

> The other difference in the earlier, pasted grub.cfg is that its
> linux line was extremely long, and looked as though a large amount
> of text had been added from GRUB_CMDLINE_LINUX_DEFAULT and/or
> GRUB_CMDLINE_LINUX, perhaps set in /etc/default/grub?
> I commented previously on the multiple root= parameters, and have
> also noticed that the recovery mode lines had "single" duplicated.
> I presume all that configuration stuff has gone away now.

Well, that bunch of text is necessary, since grub has to communicate the
location of the root and the swap partitions to the kernel, so of course
they are automatically included in the default/grub. The last one there
is just a little fix for better handling of very old Synaptics touchpads in
Wayland.
In my current grub.cfg the multiple root= entries in one line seem to be
gone, but there are still multiple single in the recovery parts.

> I somehow doubt whether all this will be any help, as you're working
> well beyond my experience, and somewhere near the cutting edge of Grub.

Just shows how hopelessly outdated Grub is and that it sorely needs a
replacement — and a better experience in replacing it. Grub 2.12 was
just released in December. On the other hand, LUKS was originally
released in 2004, LUKS2 followed in 2018 and became the default with
cryptsetup 2.1.0 in early 2019 — though Debian seems to ignore that,
since the installer still by default creates LUKS1 volumes. Also, by
default, LUKS2 uses the Argon2 key derivation function — unsupported even by
Grub 2.12. All this in a time when smartphones have been encrypted for
years by default, so have MacBooks and even Windows is slowly making it
a default. Not to mention the fact that Linux distributions have been offering
encryption in their installers for many years now, with a few even
making it a default, like Pop.
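
The two grub.cfg symptoms discussed in this thread (a `cryptouuid/...` root with no `cryptomount -u` before it, and kernel parameters such as `root=` or `single` repeated on one `linux` line) can be checked mechanically. The following is an added example, not part of the original message; the sample config and its UUIDs are constructed, and `audit()` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample, not the grub.cfg from the thread; the UUIDs are made up.
SAMPLE = """\
insmod cryptodisk
insmod luks2
menuentry 'Debian GNU/Linux' {
    cryptomount -u 0123456789abcdef0123456789abcdef
    set root='cryptouuid/0123456789abcdef0123456789abcdef'
    linux /vmlinuz root=/dev/mapper/vg-root ro quiet
}
menuentry 'Debian GNU/Linux (recovery mode)' {
    set root='cryptouuid/0123456789abcdef0123456789abcdef'
    linux /vmlinuz root=/dev/mapper/vg-root ro single root=UUID=aaaa-bbbb single
}
"""

ROOT_RE = re.compile(r"set\s+root='?cryptouuid/([0-9A-Fa-f-]+)")

def norm(uuid):
    return uuid.replace("-", "").lower()

def audit(cfg):
    """Return (line_number, message) findings for a grub.cfg text."""
    findings, top, entry, in_entry = [], set(), set(), False
    for n, line in enumerate(cfg.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "menuentry":
            in_entry, entry = True, set(top)  # entries inherit top-level unlocks
        elif words == ["}"]:
            in_entry = False
        elif words[0] == "cryptomount" and "-u" in words[1:-1]:
            (entry if in_entry else top).add(norm(words[words.index("-u") + 1]))
        elif m := ROOT_RE.match(line.strip()):
            if norm(m.group(1)) not in (entry if in_entry else top):
                findings.append((n, "cryptouuid root without earlier cryptomount -u"))
        elif words[0] in ("linux", "linuxefi"):
            keys = Counter(w.split("=", 1)[0] for w in words[2:])
            for key, count in sorted(keys.items()):
                if count > 1:
                    findings.append((n, f"kernel parameter '{key}' given {count} times"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```

A missing-`cryptomount` finding is a prompt to check rather than a definite error, since the thread leaves open whether GRUB had already unlocked the volume before reading grub.cfg.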