On Sunday, 16 June 2024, 12:59:54 CEST Michael wrote:
> I'm not the right person to comment reliably on this, because I don't use
> systemd and do not use LVM, but until someone else chimes in I'll give it a
> go ...  :-)
> 

I found the solution for my specific setup (lvm+luks+secureboot):

installkernel: USE+=uki ukify
Systemd: USE += secureboot cryptsetup boot ukify 

This implies that installkernel is using dracut for creating an initrd and 
systemd's uki-generator for creating the efi file.

Systemd's uki generator is configured in /etc/kernel/uki.conf:

[UKI]
SecureBootSigningTool=sbsign
SecureBootPrivateKey="/usr/share/secureboot/keys/db/db.key"
SecureBootCertificate="/usr/share/secureboot/keys/db/db.pem"
Cmdline=dolvm rd.luks.uuid=luks-<partuuid> root=/dev/mapper/<lvmroot> rd.luks.options=discard

Where <partuuid> is the partition uuid of the encrypted lvm container and 
<lvmroot> the real root inside the container (/dev/mapper/<something>). The 
dolvm option instructs the initrd to trigger the lvm discovery; rd.luks.uuid being 
defined tells it to use cryptsetup luksOpen on the specified device. 
rd.luks.options=discard is optional and enables pass-through of ssd trim 
commands through the lvm layer to the real nvme-ssd.

The relevant information I was looking for is the Cmdline argument in 
uki.conf.

Best Regards
        Alex



> On Sunday, 16 June 2024 09:04:26 BST Alexander Puchmayr wrote:
> > Hi there,
> > 
> > I just tried to prepare my new laptop for UEFI+secureboot by creating a
> > single unified kernel image including kernel,initrd,microcode,etc.
> > NB: The partition layout has a vfat/Efi partition and a luks encrypted lvm
> > container holding SYS(Root), Data(home) and swap.
> > 
> > I added uki and ukify use flags to installkernel and systemd, checked the
> > configuration again and configured the kernel by emerge --config
> > sys-kernel/gentoo-kernel.
> > 
> > Building the kernel image seems to work fine, the log messages say it's
> > creating an initrd using dracut, creating an EFI file, signing it properly
> > and even installs it under /boot/efi/EFI/Linux.
> 
> Why is the ESP mounted under /boot/efi, instead of /efi?
> 
> https://wiki.gentoo.org/wiki/EFI_System_Partition#Mount_point
> 
> > When booting it, it loads the kernel and then seems to get stuck:
> > 
> > Timed out waiting for device /dev/gpt-auto-root
> > Dependency failed for File System Check in /dev/gpt-auto-root
> > Dependency failed for Root Partition
> > Dependency failed for Initrd Root File System
> > Dependency failed for Initrd Mountpoints Configured in the Real Root
> > Dependency failed for Initrd Root Device
> 
> The gpt-auto-root is a script which tries to automatically detect and mount
> the root fs.  Did you create your partition(s) with GPT and did you select
> the correct partition type "Linux Root (x86-64)" to make sure the partition
> GUID code for LUKS is correct according to the Discoverable Partitions
> Specification?  If you used fdisk, you'll probably need to add the partition
> type GUID code manually, as advised in the Handbook.  Press -i in fdisk to
> find out what it currently is set as.
> 
> > Then it ends up in an emergency shell.
> > 
> > There's a log in /run/initramfs/rdsosreport.txt, which reveals that it
> > does
> > not find my encrypted lvm partition (LUKS encrypted lvm container holding
> > SYS, DATA, SWAP, etc), which obviously needs to be setup first. Seems like
> > some boot parameter is missing.
> 
> Did you configure dracut to include the necessary modules and to add the
> corresponding LUKS and LVM UUIDs?
> 
> https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch#Initramfs_configuration
> 
> > Checking systemd's USE flags: Relevant flags lvm + cryptsetup + boot +
> > secureboot use flags are set
> > 
> > To me it looks like as if its missing information which partition to use
> > for decrypting/mounting, and which lvm volume to use as real-root.
> > 
> > Is this a dracut configuration? A systemd configuration? An installkernel
> > configuration? Something else?
> > 
> > Thanks
> > 
> >     Alex
> 
> I think this is a dracut configuration issue, because systemd's
> 'kernel-install' setup is relatively straight forward:
> 
> https://wiki.gentoo.org/wiki/Installkernel#Systemd_kernel-install_.28USE.3D.2Bsystemd.29
> 
> If the problem is with dracut as I suspect, you may find 'sys-kernel/ugrd'
> easier than dracut for your type of installation, but dracut should work too
> if correctly configured.
> 
> HTH.
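As an added example for this thread (my own script, not code from Alex's or Michael's mail and not part of Gentoo or systemd), the following POSIX shell assembles the Cmdline= line that Alex ended up putting in /etc/kernel/uki.conf, renders the [UKI] section, and checks a built UKI on the ESP against it. It assumes the value after rd.luks.uuid= is the LUKS header UUID of the encrypted partition as printed by `blkid -s UUID -o value` or `cryptsetup luksUUID` (that is what dracut's rd.luks.uuid matches on), and that sbsigntools and binutils are installed for the check. The UUID, VG/LV names and paths used in comments and in the demo are made-up placeholders; the key and certificate paths are the ones from the mail.

```shell
#!/bin/sh
# Added example for this thread, not code from the mail or from Gentoo/systemd:
# derive the Cmdline= line for /etc/kernel/uki.conf from the LUKS UUID and the
# LVM root LV, render the [UKI] section, and check a built UKI against it.
# All UUIDs, device names and VG/LV names below are made-up placeholders.
set -eu

# Build the dracut command line for a LUKS-encrypted LVM root.
#   $1  LUKS header UUID of the encrypted partition, e.g. from
#       blkid -s UUID -o value /dev/nvme0n1p2   (or: cryptsetup luksUUID /dev/nvme0n1p2)
#   $2  volume group name,  $3  logical volume holding /
#   $4  optional: "discard" to pass TRIM through dm-crypt to the SSD
build_uki_cmdline() {
    luks_uuid="$1"; vg="$2"; lv="$3"; discard="${4:-}"
    # Refuse anything that is not a UUID: a typo here yields a validly signed
    # UKI that cannot find its root and drops to the emergency shell.
    if ! printf '%s' "$luks_uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "build_uki_cmdline: '$luks_uuid' is not a UUID" >&2
        return 1
    fi
    # device-mapper doubles '-' inside VG and LV names: my-vg/sys -> /dev/mapper/my--vg-sys
    dm_vg=$(printf '%s' "$vg" | sed 's/-/--/g')
    dm_lv=$(printf '%s' "$lv" | sed 's/-/--/g')
    cmd="dolvm rd.luks.uuid=luks-${luks_uuid} root=/dev/mapper/${dm_vg}-${dm_lv}"
    if [ "$discard" = "discard" ]; then
        cmd="$cmd rd.luks.options=discard"
    fi
    printf '%s\n' "$cmd"
}

# Render the [UKI] section of /etc/kernel/uki.conf.
#   $1  command line,  $2  db private key (PEM),  $3  db certificate (PEM)
render_uki_conf() {
    printf '[UKI]\nSecureBootSigningTool=sbsign\nSecureBootPrivateKey=%s\nSecureBootCertificate=%s\nCmdline=%s\n' \
        "$2" "$3" "$1"
}

# After `emerge --config sys-kernel/gentoo-kernel`, confirm that the UKI on the ESP
# really carries the expected command line and a signature that chains to db.
#   $1  path to the UKI,  $2  expected command line,  $3  db certificate (PEM)
check_built_uki() {
    image="$1"; expected="$2"; cert="$3"
    tmp=$(mktemp)
    # systemd-stub reads the kernel command line from the .cmdline PE section
    objcopy -O binary --only-section=.cmdline "$image" "$tmp"
    actual=$(tr -d '\0' < "$tmp")        # section is NUL-terminated/padded
    rm -f "$tmp"
    if [ "$actual" != "$expected" ]; then
        echo "check_built_uki: baked-in cmdline is '$actual', expected '$expected'" >&2
        return 1
    fi
    # non-zero exit if the image is not signed by a key matching the certificate
    sbverify --cert "$cert" "$image"
}

# Demo with placeholder values (the UUID is made up); run as: sh uki-cmdline.sh demo
if [ "${1:-}" = "demo" ]; then
    cmd=$(build_uki_cmdline 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d vg0 root discard)
    render_uki_conf "$cmd" /usr/share/secureboot/keys/db/db.key /usr/share/secureboot/keys/db/db.pem
    # on the real box, after installkernel has run (path is a placeholder):
    # check_built_uki /efi/EFI/Linux/gentoo-<version>.efi "$cmd" /usr/share/secureboot/keys/db/db.pem
fi
```

The point of check_built_uki is that the ESP is unencrypted: what keeps rd.luks.uuid= and root= out of an attacker's reach is that they live inside the signed image, and with Secure Boot enabled systemd-stub uses the .cmdline section rather than a command line handed over by the boot loader. Running the check after every kernel install confirms the signed image still carries the intended root. Since db.key is readable by whatever runs installkernel, keep it root-owned with mode 0600.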