On 12.09.2012 04:34, Steve R wrote:
> Hi,
>
> Haven't heard back any suggestions on how to work my way around this
> problem. Hoping the changed subject line is more specific as to the
> problem I am running into and would attract some more eyeballs to help
> me figure this one out.
>
> To recap,
> I am trying to use Grub 2.00 (with Luks support enabled) to boot a
> Debian-live system from an encrypted LUKS partition. /boot is also
> located in the encrypted Partition. I am using grub.cfg like below, and
> things work fine (With Grub requesting a password for the encrypted file
> system and parsing grub.cfg, displaying the menu, etc.. The problem
> arises with the linux command to load the kernel. Loading the
> Debian-live based OS requires passing a reference to the file system
> hosting the file system, via the live-media kernel command-line
> parameter. I am passing this reference as
> /dev/disk/by-uuid/ . The UUID I am using is
> the one read by blkid when I mounted and decrypted this encrypted
> partition from another Linux host. However, this does not work and from
> the debugging output on the console, it appears to be because the path
> to the decrypted fs device is invalid. If I mount and decrypt the LUKS
> partition from a running Linux OS, this device is always created with
> the same UUID, so I expected this to happen when GRUB decrypts the LUKS
> partition. Turns out not to be the case.
>
> Could someone please point me in the right direction or examples showing
> grub.cfg for fully encrypted Debian-live based systems (including /boot) ?
>
> Thanks in advance, and apologies for any newbie questions. I am learning
> as I go.
>
> Regards,
> Steve.
>
> ------------------------------------------------------------------------
> From: survey.response@live.com
> To: arbiel.perlacremaz@laposte.net; grub-devel@gnu.org
> Subject: RE: RE : Full Disk Encryption (including
> Date: Sun, 9 Sep 2012 08:23:48 -0700
>
> Hi Arbiel,
>
> The isofile is set with the leading "/" . The problem appears to be
> caused by the fact that the system devices are not created at the time
> the kernel is loaded. The LUKS partition appears to be decrypted, since
> I can list the ISO folder under (crypt0), but there is no equivalent
> device under /dev that I can pass to the linux command.
>
> Thanks,
> Steve
>
>
> ------------------------------------------------------------------------
> Date: Sun, 9 Sep 2012 14:38:12 +0200
> Subject: RE : Full Disk Encryption (including
> From: arbiel.perlacremaz@laposte.net
> To: survey.response@live.com; grub-devel@gnu.org
>
> Hi
>
> Didn't you forget a "/" between the disk's UUID and the variable holding
> the file name in the linux command ?
>
> Arbiel
>
>
> Sent from Samsung Galaxy Note
>
> Survey Response wrote:
> Hi,
>
> On my USB drive, I have encrypted the entire disk as a single LUKS
> encrypted partition. I have the grub files on this partition with an ISO
> image for a Debian-live based distribution. I compiled Grub 2.00 with
> the necessary crypto modules and left a larger embedding zone before the
> first LUKS partition to accommodate the larger second-stage bootloader
> (my core.img is about 44K). When I boot off this USB drive, GRUB asks me
> the password initially for the encrypted drive and then gets to the
> point where it brings up the menu, but I couldn't get it to load the
> kernel since I need to pass the kernel the system device for the ISO
> image (the live-media and fromiso boot parameters below) and I notice
> that the devices are not available at the time of loading the kernel (or
> later, for that matter). Can somebody help me figure out what I am doing
> wrong?
> Would be much obliged, since I have been spending some time
> trying to figure this out.
>
> Here is my grub.cfg
>
> menuentry 'FDE Live' {
>
>     set isofile="/ISOs/linux.iso"
>
>     # The UUID for the encrypted LUKS partition as obtained by running blkid
>     set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"
>
>     # The UUID for the decrypted ext4 fs in the LUKS partition
>     set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"
>
>     insmod part_msdos
>     insmod loopback
>     insmod iso9660
>     insmod cryptodisk
>     insmod luks
>
>     echo 'Mounting encrypted disk ...'
>     cryptomount -u ${encryptedfs_uuid}
>
>     echo 'Searching for the root fs in the decrypted fs...'
>     set root=(cryptouuid/${encryptedfs_uuid})
>     search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}
>
>     echo 'Setting up a loopback device to the CD image'
>     loopback loop $root/$isofile
>     set root=loop
>
>     echo 'Loading Linux Kernel ...'
>     linux /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128
>
>     echo 'Loading initial ramdisk ...'
>     initrd /live/initrd.img
> }
>
> From the debugging output on the console, I see that
> /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the
> decryptedfs_uuid) does not exist at the time the linux kernel is being
> loaded. I can access this folder from the grub command line using the
> Grub drive (cryptouuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso,
> but I need to be able to reference this in a way the linux kernel would
> understand.
>
Linux simply doesn't have such a way. You need to get Linux guys to add it
first. Or to do something with initramfs
> Once again, thanks for any help. Pardon any newbie mistakes I may be
> making. It's a learning experience for me and I am hoping this would be
> a good exercise in understanding how it all works.
>
> Thanks,
> Steve
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
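
Added example, not part of the thread and not code from GRUB or live-boot: one shape the "do something with initramfs" route can take is a script inside the initramfs that opens the LUKS container itself, because the mapping GRUB created does not survive into Linux. The kernel parameter luks_uuid=, the mapping name livecrypt and all function names are hypothetical; cryptsetup is assumed to be present in the initramfs.

```shell
#!/bin/sh
# Added example. Hypothetical names: luks_uuid= (kernel parameter),
# livecrypt (mapping name). Only cryptsetup luksOpen is a real command.
MAPNAME=livecrypt

# Print the value of key=value found in a kernel command line string.
cmdline_get() {   # $1 = key, $2 = command line
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# The grub.cfg in the thread gives the LUKS UUID without dashes; udev names
# /dev/disk/by-uuid entries in the dashed 8-4-4-4-12 form. Accept either
# form, reject anything that is not 32 hex digits.
dashed_uuid() {   # $1 = UUID with or without dashes
    u=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    case "$u" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#u}" -eq 32 ] || return 1
    printf '%s\n' "$u" |
        sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
}

# Map the command line to the device node of the encrypted container.
luks_device() {   # $1 = command line
    raw=$(cmdline_get luks_uuid "$1") || return 1
    id=$(dashed_uuid "$raw") || return 1
    printf '/dev/disk/by-uuid/%s\n' "$id"
}

# Open the container (prompts for the passphrase a second time). Afterwards
# the inner filesystem is reachable as /dev/mapper/$MAPNAME.
unlock() {
    dev=$(luks_device "$(cat /proc/cmdline)") || return 1
    cryptsetup luksOpen "$dev" "$MAPNAME"
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = "unlock" ]; then unlock; fi
```

With the container opened this way before the live system looks for its medium, live-media= and fromiso= can refer to /dev/mapper/livecrypt rather than to a device that only existed inside GRUB.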