[Bug 1670552] Re: Configuration generated for encrypted boot is not bootable
*** This bug is a duplicate of bug 1062623 *** https://bugs.launchpad.net/bugs/1062623 Thank you so much for your detailed steps, I was encountering the same problem and was able to fix it based on your info. An encrypted boot partition seems like an important thing to have. Since grub supports such a thing, it only seems logical that grub would be able to detect an encrypted partition and automatically insert the correct configuration into the EFI grub.cfg file. Am I crazy? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1670552 Title: Configuration generated for encrypted boot is not bootable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1670552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1670552] Re: Configuration generated for encrypted boot is not bootable
*** This bug is a duplicate of bug 1062623 *** https://bugs.launchpad.net/bugs/1062623 Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1670552 Title: Configuration generated for encrypted boot is not bootable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1670552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1670552] Re: Configuration generated for encrypted boot is not bootable
*** This bug is a duplicate of bug 1062623 *** https://bugs.launchpad.net/bugs/1062623 ** This bug has been marked a duplicate of bug 1062623 enable grub-2.00 boot-from-luks support -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1670552 Title: Configuration generated for encrypted boot is not bootable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1670552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1670552] Re: Configuration generated for encrypted boot is not bootable
** Description changed: I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs. In my test setup: /dev/sda - ESP partition, mounted as /boot/efi /dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption /etc/fstab: /dev/mapper/system1 / btrfs defaults,subvol=@ 0 1 UUID=6EF4-C0FE /boot/efi vfat umask=00770 1 /dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2 Except first column generated during initial installation. /etc/crypttab: system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh File /etc/cryptroot/system.64.sh, obviously, exists. /etc/default/grub contains: - `GRUB_ENABLE_CRYPTODISK=y` - and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway) What goes wrong in this setup out of the box: - 1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950) + 1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk`, `procfs` and `gcry_*` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950) 2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse) `ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`: cryptomount -u 6a01d12ff4c4481886502df0baca84bc search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc set prefix=($root)'/@/boot/grub' configfile $prefix/grub.cfg - What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added): + What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod`, `procfs.mod` and relevant `gcry_*.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added): search.fs_uuid 6EF4-C0FE boot set prefix=($boot) insmod luks cryptomount -u 6a01d12ff4c4481886502df0baca84bc search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc set prefix=($root)'/@/boot/grub' configfile $prefix/grub.cfg Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed. Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1670552 Title: Configuration generated for encrypted boot is not bootable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1670552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1670552] Re: Configuration generated for encrypted boot is not bootable
** Description changed: I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs. In my test setup: /dev/sda - ESP partition, mounted as /boot/efi /dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption /etc/fstab: /dev/mapper/system1 / btrfs defaults,subvol=@ 0 1 UUID=6EF4-C0FE /boot/efi vfat umask=00770 1 /dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2 Except first column generated during initial installation. /etc/crypttab: system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh File /etc/cryptroot/system.64.sh, obviously, exists. /etc/default/grub contains: - `GRUB_ENABLE_CRYPTODISK=y` - and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway) What goes wrong in this setup out of the box: 1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950) 2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse) `ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`: cryptomount -u 6a01d12ff4c4481886502df0baca84bc - search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc + search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc set prefix=($root)'/@/boot/grub' configfile $prefix/grub.cfg - What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 3 lines added): + What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added): search.fs_uuid 6EF4-C0FE boot set prefix=($boot) insmod luks cryptomount -u 6a01d12ff4c4481886502df0baca84bc - search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc + search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc set prefix=($root)'/@/boot/grub' configfile $prefix/grub.cfg Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed. Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1670552 Title: Configuration generated for encrypted boot is not bootable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1670552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
