[Bug 1670552] Re: Configuration generated for encrypted boot is not bootable

Nazar Mokrynskyi nazar at mokrynskyi.com
Tue Mar 7 11:22:39 UTC 2017 

** Description changed:

  I've being experimenting with completely encrypted system on virtual
  machine and got some problems with automatically generated configs.
  
  In my test setup:
  /dev/sda - ESP partition, mounted as /boot/efi
  /dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption
  
  /etc/fstab:
  /dev/mapper/system1 /         btrfs defaults,subvol=@     0 1
  UUID=6EF4-C0FE      /boot/efi vfat  umask=0077            0 1
  /dev/mapper/system1 /home     btrfs defaults,subvol=@home 0 2
  
  Except first column generated during initial installation.
  
  /etc/crypttab:
  system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh
  
  File /etc/cryptroot/system.64.sh, obviously, exists.
  
  /etc/default/grub contains:
  - `GRUB_ENABLE_CRYPTODISK=y`
  - and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)
  
  What goes wrong in this setup out of the box:
  1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
  2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)
  
  `ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
  cryptomount -u 6a01d12ff4c4481886502df0baca84bc
- search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc 
+ search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
  set prefix=($root)'/@/boot/grub'
  configfile $prefix/grub.cfg
  
- What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 3 lines added):
+ What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added):
  search.fs_uuid 6EF4-C0FE boot
  set prefix=($boot)
  insmod luks
  cryptomount -u 6a01d12ff4c4481886502df0baca84bc
- search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc 
+ search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
  set prefix=($root)'/@/boot/grub'
  configfile $prefix/grub.cfg
  
  Things are getting even worse when BTRFS is not on single
  partition/disk, but on few in RAID, since more manual configuration is
  needed.
  
  Would be nice to see additional modules added to `grubx64.efi` and fixed
  `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1670552

Title:
  Configuration generated for encrypted boot is not bootable

Status in grub2 package in Ubuntu:
  New

Bug description:
  I've being experimenting with completely encrypted system on virtual
  machine and got some problems with automatically generated configs.

  In my test setup:
  /dev/sda - ESP partition, mounted as /boot/efi
  /dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption

  /etc/fstab:
  /dev/mapper/system1 /         btrfs defaults,subvol=@     0 1
  UUID=6EF4-C0FE      /boot/efi vfat  umask=0077            0 1
  /dev/mapper/system1 /home     btrfs defaults,subvol=@home 0 2

  Except first column generated during initial installation.

  /etc/crypttab:
  system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh

  File /etc/cryptroot/system.64.sh, obviously, exists.

  /etc/default/grub contains:
  - `GRUB_ENABLE_CRYPTODISK=y`
  - and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)

  What goes wrong in this setup out of the box:
  1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk` and `procfs` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
  2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)

  `ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
  cryptomount -u 6a01d12ff4c4481886502df0baca84bc
  search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
  set prefix=($root)'/@/boot/grub'
  configfile $prefix/grub.cfg

  What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod` and `procfs.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added):
  search.fs_uuid 6EF4-C0FE boot
  set prefix=($boot)
  insmod luks
  cryptomount -u 6a01d12ff4c4481886502df0baca84bc
  search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
  set prefix=($root)'/@/boot/grub'
  configfile $prefix/grub.cfg

  Things are getting even worse when BTRFS is not on single
  partition/disk, but on few in RAID, since more manual configuration is
  needed.

  Would be nice to see additional modules added to `grubx64.efi` and
  fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1670552/+subscriptions

More information about the foundations-bugs mailing list