From: Lars-Dominik Braun <lars@6xq.net>
To: 55723@debbugs.gnu.org
Subject: bug#55723: Full disk encryption with grub-efi and LUKS2
Date: Mon, 30 May 2022 12:07:47 +0200
Message-ID: <YpSXc6binZlmdwdd@noor.fritz.box>
Hi,
I followed the manual to manually install Guix with full disk encryption
using LUKS2 and PBKDF2. However, this leaves me with an unbootable system,
stuck at Grub’s rescue prompt, because `grub-install` apparently does
not know how to detect a LUKS2 target and therefore does not include
the modules required to open the encrypted volume in the EFI image. See
[1].
I managed to manually create a core.img with the help of ArchLinux’
Wiki[2] (see also [3]), boot into the system and reconfigure with a
modified bootloader:
---snip---
(define install-grub-efi-mkimage
  "Create a Grub EFI image with included cryptomount support for luks2,
which grub-install does not handle yet."
  #~(lambda (bootloader efi-dir mount-point)
      (when efi-dir
        ;; Call grub-mkimage directly so the crypto modules and an early
        ;; config are baked into the EFI image instead of being loaded
        ;; from the (still encrypted) /boot/grub prefix.
        (let ((grub-mkimage (string-append bootloader "/bin/grub-mkimage"))
              ;; Required modules, YMMV.
              (modules (list "luks2" "part_gpt" "cryptodisk" "gcry_rijndael"
                             "pbkdf2" "gcry_sha256" "ext2"))
              (prefix (string-append mount-point "/boot/grub"))
              ;; Different configuration required to set up a crypto
              ;; device. Change crypto_uuid to match your output of
              ;; `cryptsetup luksUUID /device`.
              ;; XXX: Maybe cryptomount -a could work?
              (config #$(plain-file "grub.cfg" "set crypto_uuid=755e547f78f44dc38dab58399e1780a6
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal"))
              ;; Prefer the ESP below the target mount point (installer
              ;; case); fall back to the live path otherwise.
              (target-esp (if (file-exists? (string-append mount-point efi-dir))
                              (string-append mount-point efi-dir)
                              efi-dir)))
          (apply invoke (append
                         (list
                          grub-mkimage
                          "-p" prefix
                          "-O" "x86_64-efi"
                          "-c" config
                          "-o" (string-append target-esp "/EFI/Guix/grubx64.efi"))
                         modules))))))

(define grub-efi-bootloader-luks2
  (bootloader
   (inherit grub-efi-bootloader)
   (name 'grub-efi-luks2)
   (installer install-grub-efi-mkimage)))
---snap---
Supposedly there are also patches for grub-mkimage, but maybe we can
include a workaround like the above by default until then or remove the
section about LUKS2 entirely?
Cheers,
Lars
[1] https://logs.guix.gnu.org/guix/2022-05-27.log#111808
[2] https://wiki.archlinux.org/title/GRUB#LUKS2
[3] https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Manual_configuration_of_core_image_for_early_boot
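A pre-reboot check that the bug above makes worth having, added here as an example and not taken from the report or from Guix: it parses the LUKS2 on-disk header (binary part plus JSON area), derives the dash-less UUID that the embedded grub.cfg sets, and reports whether any keyslot uses PBKDF2, which the luks2 module of GRUB 2.06 (current when the report was written) requires. The header fixture is constructed inside the block and reuses the UUID from the message; everything else in it is made up.

```python
import json
import struct

# Layout of the LUKS2 binary header (struct luks2_hdr_disk), all big-endian:
# magic, version, hdr_size, seqid, label, csum_alg, salt, uuid, subsystem,
# hdr_offset, padding, csum.  The JSON metadata area follows at byte 4096.
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s"
HDR_SIZE = 4096
LUKS_MAGIC = b"LUKS\xba\xbe"

def parse_luks2_header(data: bytes) -> dict:
    """Return version, UUID and a {keyslot: kdf type} map from a raw header."""
    fields = struct.unpack_from(HDR_FMT, data, 0)
    magic, version, hdr_size, _seqid, _label, _csum_alg, _salt, uuid = fields[:8]
    if magic != LUKS_MAGIC or version != 2:
        raise ValueError("not a LUKS2 header (magic=%r, version=%d)" % (magic, version))
    meta = json.loads(data[HDR_SIZE:hdr_size].rstrip(b"\0"))
    kdfs = {slot: ks["kdf"]["type"] for slot, ks in meta["keyslots"].items()}
    return {"version": version, "uuid": uuid.rstrip(b"\0").decode(), "kdfs": kdfs}

def grub_uuid(uuid: str) -> str:
    """Dash-less UUID, the form the report's grub.cfg passes to cryptomount -u."""
    return uuid.replace("-", "")

def grub_can_unlock(info: dict) -> bool:
    """GRUB 2.06's luks2 module derives keys with PBKDF2 only, so at least one
    keyslot must use it; an Argon2-only container stays locked at the rescue prompt."""
    return any(kdf == "pbkdf2" for kdf in info["kdfs"].values())

def build_header(uuid: str, kdfs: dict, hdr_size: int = 16384) -> bytes:
    """Constructed fixture (no real key material): a minimal LUKS2 header whose
    keyslots use the given KDF types, enough for the checks above."""
    meta = {"keyslots": {s: {"type": "luks2", "kdf": {"type": k}} for s, k in kdfs.items()}}
    binary = struct.pack(HDR_FMT, LUKS_MAGIC, 2, hdr_size, 1, b"", b"sha256",
                         b"\0" * 64, uuid.encode(), b"", 0, b"", b"\0" * 64)
    json_area = json.dumps(meta).encode().ljust(hdr_size - HDR_SIZE, b"\0")
    return binary.ljust(HDR_SIZE, b"\0") + json_area

if __name__ == "__main__":
    # UUID taken from the report's grub.cfg; the keyslot layout is made up.
    hdr = build_header("755e547f-78f4-4dc3-8dab-58399e1780a6", {"0": "pbkdf2", "1": "argon2id"})
    info = parse_luks2_header(hdr)
    print("set crypto_uuid=%s" % grub_uuid(info["uuid"]), "unlockable:", grub_can_unlock(info))
```

On a real system, pass the first few MiB of the LUKS block device (read as root) to `parse_luks2_header`; the check only reads metadata and never touches the key material.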
Thread overview: 5+ messages
2022-05-30 10:07 Lars-Dominik Braun [this message]
2022-05-31 10:44 ` bug#55723: Full disk encryption with grub-efi and LUKS2 Josselin Poiret via Bug reports for GNU Guix
2022-05-31 14:36 ` bug#55723: [PATCH] doc: Warn about LUKS2-encrypted boot not working with GRUB Josselin Poiret via Bug reports for GNU Guix
2022-06-05 10:38 ` Lars-Dominik Braun
2022-06-02 13:44 ` bug#55723: Full disk encryption with grub-efi and LUKS2 Giovanni Biscuolo