The officially official Devuan Forum!


#1 2022-10-25 18:23:00

F5PPu6kGqj
Member
Registered: 2022-10-25
Posts: 4  

[SOLVED] Chimaera install, encrypted root

Chimaera desktop-live used.
Lenovo x230

Booted desktop-live and installed to /dev/sda2, chose encrypted root. No separate boot partition. /dev/sda1 is the EFI partition. Installed boot loader. No errors during the install. On reboot the boot failed. HD not recognised as a bootable device. Booted from the desktop-live USB again. Unencrypted /dev/sda2 and chroot'ed into the install and ran

    grub-install --uefi-secure-boot --target=x86_64-efi /dev/sda 
    Installing for x86_64-efi platform.
    Installation finished. No error reported.

Reboot:

  Attempting to decrypt master key...
  Enter passphrase for hd0,gpt2 (94454ab59343fd43c99):

I enter the sda2 crypt password and the screen changes to graphical options, and I pick:

 
  Booting 'Devuan GNU/Linux'
  Loading Linux 5.10.0-19-amd64 ...
  Loading initial ramdisk ...

But then it drops back to console:

  [   0.190978] x86/cpu: VDX (outside TXT) disabled by BIOS
  [   2.425227] integrity: Couldn't parse dbx signatures: -74
  Please unlock disk root_fs: _ 

If I enter the crypt password again, the boot continues and I can log in.

VDX (outside TXT) disabled by BIOS

I have these options turned off in the BIOS. Turning them on makes no difference to the boot. Adds a few more error messages if they are on. I don't know why I have them off atm.

Turning secure boot on/off in the BIOS doesn't matter

I think it's a configuration issue with grub? sda2 is decrypted by grub to show the menu, and to be able to start loading the ramdisk. After much troubleshooting and editing files, gave up. Ran the installer again.

Only option I picked from the installer was encrypted root. I also chose to install the bootloader. The install completed without problems. Reboot and the problem of two password prompts persists. I unlock grub, get the GUI boot option menu, select and ramdisk starts to load before dropping back to the console for password. After which the system boots.

How can I fix this so I don't need to enter the disk encryption password twice?

Here are the current files:

cat /etc/crypttab

  # <target name>	<source device>		<key file>	<options>
  root_fs		UUID=68355f0d-4b1f-428f-85e0-7bdc0fc63f2c		none	luks

cat /etc/fstab

  /dev/mapper/root_fs	/	ext4	defaults,noatime	0	1
  /swapfile	none	swap	sw	0	0
  UUID=10D7-FB08	/boot/efi	vfat	umask=0077	0	1

cat /etc/default/grub

  # If you change this file, run 'update-grub' afterwards to update
  # /boot/grub/grub.cfg.
  # For full documentation of the options in this file, see:
  #   info -f grub -n 'Simple configuration'
  
  GRUB_DEFAULT=0
  GRUB_TIMEOUT=5
  GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
  GRUB_CMDLINE_LINUX_DEFAULT="quiet"
  GRUB_CMDLINE_LINUX=""
   
  # Uncomment to enable BadRAM filtering, modify to suit your needs
  # This works with Linux (no patch required) and with any kernel that obtains
  # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
  #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
  
  # Uncomment to disable graphical terminal (grub-pc only)
  #GRUB_TERMINAL=console 
  
  # The resolution used on graphical terminal
  # note that you can use only modes which your graphic card supports via VBE
  # you can see them in real GRUB with the command `vbeinfo'
  #GRUB_GFXMODE=640x480 
  
  # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
  #GRUB_DISABLE_LINUX_UUID=true
  
  # Uncomment to disable generation of recovery mode menu entries
  #GRUB_DISABLE_RECOVERY="true" 
  
  # Uncomment to get a beep at grub start
  #GRUB_INIT_TUNE="480 440 1"
  
  GRUB_THEME=/usr/share/desktop-base/grub-themes/desktop-grub-theme/theme.txt
  
  GRUB_ENABLE_CRYPTODISK=y

sudo fdisk -l

  Disk /dev/sda: 119.24 GiB, 128035676160 bytes, 250069680 sectors
  Disk model: SAMSUNG MZ7PA128
  Units: sectors of 1 * 512 = 512 bytes
  Sector size (logical/physical): 512 bytes / 512 bytes
  I/O size (minimum/optimal): 512 bytes / 512 bytes
  Disklabel type: gpt
  Disk identifier: 65F1E106-FA8A-47F1-BB09-4CF534271C34
  
  Device      Start       End   Sectors   Size Type
  /dev/sda1    2048    616447    614400   300M EFI System
  /dev/sda2  616448 250068991 249452544 118.9G Linux filesystem

  Disk /dev/mapper/root_fs: 118.95 GiB, 127717605376 bytes, 249448448 sectors
  Units: sectors of 1 * 512 = 512 bytes
  Sector size (logical/physical): 512 bytes / 512 bytes
  I/O size (minimum/optimal): 512 bytes / 512 bytes

Last edited by F5PPu6kGqj (2022-10-26 17:52:31)

Offline

#2 2022-10-25 20:40:11

golinux
Administrator
Registered: 2016-11-25
Posts: 3,345  

Re: [SOLVED] Chimaera install, encrypted root

Welcome to the forum!

I just had a phone conversation with fsmithred who creates the live isos and he said that no one has gotten secure-boot to work. You can search for other posts on this forum. It should boot if you turn off secure-boot in the bios.

Suggestion . . . it would make your post easier to read if you used "code" tags. Thanks.

Offline

#3 2022-10-25 21:09:52

F5PPu6kGqj
Member
Registered: 2022-10-25
Posts: 4  

Re: [SOLVED] Chimaera install, encrypted root

Secure boot turned on or off makes no difference to this.
The system boots. I just need to enter the crypt password twice.
I want to stop that.

I used the code tags, but preview of the post didn't show any change. The help showed indenting at least 2 spaces was the alternative.
But, that doesn't help the readability either.

Edit: Looked into secure boot more. Secure boot is turned on in the BIOS, but secure boot is NOT being used.

mokutil --sb-state

  SecureBoot disabled
  Platform is in Setup Mode

Found https://wiki.debian.org/SecureBoot but decided not to test it.

Last edited by F5PPu6kGqj (2022-10-27 17:53:16)

Offline

#4 2022-10-25 21:41:16

golinux
Administrator
Registered: 2016-11-25
Posts: 3,345  

Re: [SOLVED] Chimaera install, encrypted root

F5PPu6kGqj wrote:

Secure boot turned on or off makes no difference to this.
The system boots. I just need to enter the crypt password twice.
I want to stop that.

Well, I have never used uefi so tried to explain something I don't understand that well so not surprising.

I used the code tags, but preview of the post didn't show any change.

There is a list of clickable tags on the "Post a reply" line. Just highlight and click the appropriate tag like this or

like this

Offline

#5 2022-10-25 22:10:51

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,501  

Re: [SOLVED] Chimaera install, encrypted root

I got back sooner than I expected. At some point when I have more time, I might want to look closer at what you did to see how you got secure boot to work.

To avoid entering the password twice, you have to create a keyfile. On my system with unencrypted /boot and separate root and home partitions that are encrypted (without lvm) I have a keyfile in the root partition to open the home partition.

With encrypted /boot, you have to put the key inside the initramfs.
On this page, scroll down to "Add keyfile to avoid extra passphrase prompt"
Most of what is above that section was already done for you by the live installer. You might need to modify the instructions because the author was also using lvm.

Edit: Oops! "this page" was supposed to refer to
this page --> https://www.dwarmstrong.org/fde-debian/
But the one OP found looks as good or better.

Offline

#6 2022-10-25 22:21:18

F5PPu6kGqj
Member
Registered: 2022-10-25
Posts: 4  

Re: [SOLVED] Chimaera install, encrypted root

face palm

It uses square brackets not < > . Thanks for that. How'd I miss the buttons!
Is there an option to make the forums more mobile friendly?

Secure boot: In the BIOS is an option to use it, or use legacy. Also an option to try different combinations.

I don't think it's the problem. As I get the boot is happening. I think some config setting that's not getting the right volume for root_fs.
Grub unlocks root_fs to load the kernel from. So it's unlocked initially.

Offline

#7 2022-10-26 08:42:23

F5PPu6kGqj
Member
Registered: 2022-10-25
Posts: 4  

Re: [SOLVED] Chimaera install, encrypted root

Yes!!!!  Success!!!  Thank you fsmithred!!

Your hint about keyfiles, I couldn't find an exact post. This one https://dev1galaxy.org/viewtopic.php?id=597 has an unencrypted boot, encrypted root. But searching, found https://cryptsetup-team.pages.debian.ne … -boot.html
Root at install is LUKS1 encrypted. So only section 4 is needed. Boot is already on the root partition. So I only needed to follow the steps in section

4 Avoiding the extra password prompt

Reboot and success!

golinux:  Found why the code buttons didn't work previously. Plugins. The posts today were on mobile without them. Added exception rules for the site.

Offline
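
A check for the keyfile setup that post #5 points to and post #7 confirms as the fix, as an added example that is not part of the thread: it audits the three places that decide whether the initramfs can unlock root_fs without a second prompt and whether the embedded key stays private. The file paths are the ones Debian's cryptsetup-initramfs uses; the function name, the ROOT prefix argument and any key location such as /etc/keys/root.key are assumptions.

```shell
#!/bin/sh
# Added example: audit the keyfile setup that removes the second prompt.
# Usage: audit_keyfile_setup ROOT TARGET
#   ROOT   filesystem prefix to inspect ("" = running system); assumption
#   TARGET crypttab target name, e.g. root_fs
# Prints one line per finding; return status is the number of findings.
audit_keyfile_setup() {
    root=$1; target=$2; findings=0
    hook="$root/etc/cryptsetup-initramfs/conf-hook"
    conf="$root/etc/initramfs-tools/initramfs.conf"

    # Third crypttab field is the key file; "none" means "ask at boot".
    keyfile=$(awk -v t="$target" '$1 == t { print $3 }' "$root/etc/crypttab")
    if [ -z "$keyfile" ] || [ "$keyfile" = none ]; then
        echo "crypttab: $target has no key file, the initramfs will prompt"
        keyfile=""; findings=$((findings + 1))
    elif [ ! -f "$root$keyfile" ]; then
        echo "keyfile: $keyfile is missing"
        findings=$((findings + 1))
    else
        # The key unlocks the disk: owner-only permissions expected.
        mode=$(stat -c %a "$root$keyfile")
        case $mode in
            400|600) ;;
            *) echo "keyfile: $keyfile has mode $mode, expected 600"
               findings=$((findings + 1)) ;;
        esac
    fi

    # cryptsetup-initramfs copies only keys matching KEYFILE_PATTERN.
    pattern=$(sed -n 's/^[[:space:]]*KEYFILE_PATTERN="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$hook" | tail -n 1)
    if [ -n "$keyfile" ]; then
        case $keyfile in
            $pattern) ;;
            *) echo "conf-hook: KEYFILE_PATTERN does not cover $keyfile"
               findings=$((findings + 1)) ;;
        esac
    fi

    # The initrd now carries key material: it must not be world-readable.
    if ! grep -Eq '^[[:space:]]*UMASK=0077' "$conf"; then
        echo "initramfs.conf: UMASK=0077 not set, initrd may be world-readable"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Source the file and run `audit_keyfile_setup "" root_fs` as root after editing the files and before `update-initramfs -u`; a return status of 0 means no findings.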

#8 2022-10-26 17:46:06

golinux
Administrator
Registered: 2016-11-25
Posts: 3,345  

Re: [SOLVED] Chimaera install, encrypted root

Happy to hear that you got everything sorted.  smile

Now that you've got the BB code straightened out, feel free to edit your first post for readability.

Offline
