* RE : Full Disk Encryption (including
@ 2012-09-09 12:38 Arbiel
2012-09-09 15:23 ` Survey Response
0 siblings, 1 reply; 6+ messages in thread
From: Arbiel @ 2012-09-09 12:38 UTC (permalink / raw)
To: Survey Response, grub-devel
[-- Attachment #1: Type: text/plain, Size: 3096 bytes --]
Hi
Did'nt you forget a "/" between the disk's UUID and the variable holding the file name in the linux command ?
Arbiel
Envoyé depuis Samsung Galaxy NoteSurvey Response <survey.response@live.com> a écrit :Hi,
On my USB drive, I have encrypted the entire disk as a single LUKS encrypted partition. I have the grub files on this partition with an ISO image for a Debian-live based distribution. I compiled Grub 2.00 with the necessary crypto modules and left a larger embedding zone before the first LUKS partition to accommodate the larger second-stage bootloader (my core.img is about 44K). When I boot off this USB drive, GRUB asks me the password initially for the encrypted drive and then gets to the point where it brings up the menu, but I couldn't get it to load the kernel since I need to pass the kernel the system device for the ISO image (the live-media and fromiso boot parameters below) and I notice that the devices are not available at the time of loading the kernel (or later, for that matter). Can somebody help me figure out what I am doing wrong? Would be much obliged, since I have been spending some time trying to figure this out.
Here is my grub.cfg
menuentry 'FDE Live' {
set isofile="/ISOs/linux.iso"
# The UUID for the encrypted LUKS partition as obtained by running blkid
set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d"
# The UUID for the decrypted ext4 fs in the LUKS partition
set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008"
insmod part_msdos
insmod loopback
insmod iso9660
insmod cryptodisk
insmod luks
echo 'Mounting encrypted disk ...'
cryptomount -u ${encryptedfs_uuid}
echo 'Searching for the root fs in the decrypted fs...'
set root=(cryptouuid/${encryptedfs_uuid})
search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid}
echo 'Setting up a loopback device to the CD image'
loopback loop $root/$isofile
set root=loop
echo 'Loading Linux Kernel ...'
linux /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128
echo 'Loading initial ramdisk ...'
initrd /live/initrd.img
}
From the debugging output on the console, I see that /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the decryptedfs_uuid) does not exist at the time the linux kernel is being loaded. I can access this folder from the grub command line using the Grub drive (cyrptuuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso, but I need to be able to reference this in a way the linux kernel would understand.
Once again, thanks for any help. Pardon any newbie mistakes I may be making. It's a learning experience for me and I am hoping this would be a good exercise in understanding how it all works.
Thanks,
Steve
[-- Attachment #2: Type: text/html, Size: 4532 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread* RE: RE : Full Disk Encryption (including 2012-09-09 12:38 RE : Full Disk Encryption (including Arbiel @ 2012-09-09 15:23 ` Survey Response 2012-09-12 2:34 ` Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command Steve R 2012-10-28 6:33 ` RE : Full Disk Encryption (including James Courtier-Dutton 0 siblings, 2 replies; 6+ messages in thread From: Survey Response @ 2012-09-09 15:23 UTC (permalink / raw) To: arbiel.perlacremaz, grub-devel [-- Attachment #1: Type: text/plain, Size: 3555 bytes --] Hi Arbiel, The isofile is set with the leading "/" . The problem appears to be caused by the fact that the system devices are not created at the time the kernel is loaded. The LUKS partition appears to be decrypted, since I can list the ISO folder under (crypt0), but there is no equivalent device under /dev that I can pass to the linux command. Thanks,Steve Date: Sun, 9 Sep 2012 14:38:12 +0200 Subject: RE : Full Disk Encryption (including From: arbiel.perlacremaz@laposte.net To: survey.response@live.com; grub-devel@gnu.org Hi Did'nt you forget a "/" between the disk's UUID and the variable holding the file name in the linux command ? Arbiel Envoyé depuis Samsung Galaxy Note Survey Response <survey.response@live.com> a écrit : Hi, On my USB drive, I have encrypted the entire disk as a single LUKS encrypted partition. I have the grub files on this partition with an ISO image for a Debian-live based distribution. I compiled Grub 2.00 with the necessary crypto modules and left a larger embedding zone before the first LUKS partition to accommodate the larger second-stage bootloader (my core.img is about 44K). When I boot off this USB drive, GRUB asks me the password initially for the encrypted drive and then gets to the point where it brings up the menu, but I couldn't get it to load the kernel since I need to pass the kernel the system device for the ISO image (the live-media and fromiso boot parameters below) and I notice that the devices are not available at the time of loading the kernel (or later, for that matter). Can somebody help me figure out what I am doing wrong? Would be much obliged, since I have been spending some time trying to figure this out. Here is my grub.cfg menuentry 'FDE Live' { set isofile="/ISOs/linux.iso" # The UUID for the encrypted LUKS partition as obtained by running blkid set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d" # The UUID for the decrypted ext4 fs in the LUKS partition set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008" insmod part_msdos insmod loopback insmod iso9660 insmod cryptodisk insmod luks echo 'Mounting encrypted disk ...' cryptomount -u ${encryptedfs_uuid} echo 'Searching for the root fs in the decrypted fs...' set root=(cryptouuid/${encryptedfs_uuid}) search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid} echo 'Setting up a loopback device to the CD image' loopback loop $root/$isofile set root=loop echo 'Loading Linux Kernel ...' linux /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128 echo 'Loading initial ramdisk ...' initrd /live/initrd.img} From the debugging output on the console, I see that /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the decryptedfs_uuid) does not exist at the time the linux kernel is being loaded. I can access this folder from the grub command line using the Grub drive (cyrptuuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso, but I need to be able to reference this in a way the linux kernel would understand. Once again, thanks for any help. Pardon any newbie mistakes I may be making. It's a learning experience for me and I am hoping this would be a good exercise in understanding how it all works. Thanks,Steve [-- Attachment #2: Type: text/html, Size: 5339 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command 2012-09-09 15:23 ` Survey Response @ 2012-09-12 2:34 ` Steve R 2012-09-12 5:39 ` Vladimir 'φ-coder/phcoder' Serbinenko 2012-10-28 6:33 ` RE : Full Disk Encryption (including James Courtier-Dutton 1 sibling, 1 reply; 6+ messages in thread From: Steve R @ 2012-09-12 2:34 UTC (permalink / raw) To: grub-devel, help-grub [-- Attachment #1: Type: text/plain, Size: 5369 bytes --] Hi, Haven't heard back any suggestions on how to work my way around this problem. Hoping the changed subject line is more specific as to the problem I am running into and would attract some more eyeballs to help me figure this one out. To recap,I am trying to use Grub 2.00 (with Luks support enabled) to boot a Debian-live system from an encrypted LUKS partition. /boot is also located in the encrypted Partition. I am using grub.cfg like below, and things work fine (With Grub requesting a password for the encrypted file system and parsing grub.cfg, displaying the menu, etc.. The problem arises with the linux command to load the kernel. Loading the Debian-live based OS requires passing a reference to the file system hosting the file system, via the live-media kernel command-line parameter. I am passing this reference as /dev/disk/by-uuid/<uuid-of-the-decrypted-fs> . The UUID I am using is the one read by blkid when I mounted and decrypted this encrypted partition from another Linux host. However, this does not work and from the debugging output on the console, it appears to be because the path to the decrypted fs device is invalid. If I mount and decrypt the LUKS partition from a running Linux OS, this device is always created with the same UUID, so I expected this to happen when GRUB decrypts the LUKS partition. Turns out not to be the case. Could someone please point me in the right direction or examples showing grub.cfg for fully encrypted Debian-live based systems (including /boot) ? Thanks in advance, and apologies for any newbie questions. I am learning as I go. Regards,Steve. From: survey.response@live.com To: arbiel.perlacremaz@laposte.net; grub-devel@gnu.org Subject: RE: RE : Full Disk Encryption (including Date: Sun, 9 Sep 2012 08:23:48 -0700 Hi Arbiel, The isofile is set with the leading "/" . The problem appears to be caused by the fact that the system devices are not created at the time the kernel is loaded. The LUKS partition appears to be decrypted, since I can list the ISO folder under (crypt0), but there is no equivalent device under /dev that I can pass to the linux command. Thanks,Steve Date: Sun, 9 Sep 2012 14:38:12 +0200 Subject: RE : Full Disk Encryption (including From: arbiel.perlacremaz@laposte.net To: survey.response@live.com; grub-devel@gnu.org Hi Did'nt you forget a "/" between the disk's UUID and the variable holding the file name in the linux command ? Arbiel Envoyé depuis Samsung Galaxy Note Survey Response <survey.response@live.com> a écrit : Hi, On my USB drive, I have encrypted the entire disk as a single LUKS encrypted partition. I have the grub files on this partition with an ISO image for a Debian-live based distribution. I compiled Grub 2.00 with the necessary crypto modules and left a larger embedding zone before the first LUKS partition to accommodate the larger second-stage bootloader (my core.img is about 44K). When I boot off this USB drive, GRUB asks me the password initially for the encrypted drive and then gets to the point where it brings up the menu, but I couldn't get it to load the kernel since I need to pass the kernel the system device for the ISO image (the live-media and fromiso boot parameters below) and I notice that the devices are not available at the time of loading the kernel (or later, for that matter). Can somebody help me figure out what I am doing wrong? Would be much obliged, since I have been spending some time trying to figure this out. Here is my grub.cfg menuentry 'FDE Live' { set isofile="/ISOs/linux.iso" # The UUID for the encrypted LUKS partition as obtained by running blkid set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d" # The UUID for the decrypted ext4 fs in the LUKS partition set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008" insmod part_msdos insmod loopback insmod iso9660 insmod cryptodisk insmod luks echo 'Mounting encrypted disk ...' cryptomount -u ${encryptedfs_uuid} echo 'Searching for the root fs in the decrypted fs...' set root=(cryptouuid/${encryptedfs_uuid}) search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid} echo 'Setting up a loopback device to the CD image' loopback loop $root/$isofile set root=loop echo 'Loading Linux Kernel ...' linux /live/vmlinuz boot=live live-media=/dev/disk/by-uuid/${decryptedfs_uuid} fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128 echo 'Loading initial ramdisk ...' initrd /live/initrd.img} From the debugging output on the console, I see that /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the decryptedfs_uuid) does not exist at the time the linux kernel is being loaded. I can access this folder from the grub command line using the Grub drive (cyrptuuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso, but I need to be able to reference this in a way the linux kernel would understand. Once again, thanks for any help. Pardon any newbie mistakes I may be making. It's a learning experience for me and I am hoping this would be a good exercise in understanding how it all works. Thanks,Steve [-- Attachment #2: Type: text/html, Size: 7557 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command 2012-09-12 2:34 ` Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command Steve R @ 2012-09-12 5:39 ` Vladimir 'φ-coder/phcoder' Serbinenko 2012-09-12 15:32 ` Chris Murphy 0 siblings, 1 reply; 6+ messages in thread From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2012-09-12 5:39 UTC (permalink / raw) To: The development of GNU GRUB [-- Attachment #1: Type: text/plain, Size: 6285 bytes --] On 12.09.2012 04:34, Steve R wrote: > Hi, > > Haven't heard back any suggestions on how to work my way around this > problem. Hoping the changed subject line is more specific as to the > problem I am running into and would attract some more eyeballs to help > me figure this one out. > > To recap, > I am trying to use Grub 2.00 (with Luks support enabled) to boot a > Debian-live system from an encrypted LUKS partition. /boot is also > located in the encrypted Partition. I am using grub.cfg like below, and > things work fine (With Grub requesting a password for the encrypted file > system and parsing grub.cfg, displaying the menu, etc.. The problem > arises with the linux command to load the kernel. Loading the > Debian-live based OS requires passing a reference to the file system > hosting the file system, via the live-media kernel command-line > parameter. I am passing this reference as > /dev/disk/by-uuid/<uuid-of-the-decrypted-fs> . The UUID I am using is > the one read by blkid when I mounted and decrypted this encrypted > partition from another Linux host. However, this does not work and from > the debugging output on the console, it appears to be because the path > to the decrypted fs device is invalid. If I mount and decrypt the LUKS > partition from a running Linux OS, this device is always created with > the same UUID, so I expected this to happen when GRUB decrypts the LUKS > partition. Turns out not to be the case. > > Could someone please point me in the right direction or examples showing > grub.cfg for fully encrypted Debian-live based systems (including /boot) ? > > Thanks in advance, and apologies for any newbie questions. I am learning > as I go. > > Regards, > Steve. > > ------------------------------------------------------------------------ > From: survey.response@live.com > To: arbiel.perlacremaz@laposte.net; grub-devel@gnu.org > Subject: RE: RE : Full Disk Encryption (including > Date: Sun, 9 Sep 2012 08:23:48 -0700 > > Hi Arbiel, > > The isofile is set with the leading "/" . The problem appears to be > caused by the fact that the system devices are not created at the time > the kernel is loaded. The LUKS partition appears to be decrypted, since > I can list the ISO folder under (crypt0), but there is no equivalent > device under /dev that I can pass to the linux command. > > Thanks, > Steve > > > ------------------------------------------------------------------------ > Date: Sun, 9 Sep 2012 14:38:12 +0200 > Subject: RE : Full Disk Encryption (including > From: arbiel.perlacremaz@laposte.net > To: survey.response@live.com; grub-devel@gnu.org > > Hi > > Did'nt you forget a "/" between the disk's UUID and the variable holding > the file name in the linux command ? > > Arbiel > > > > > Envoyé depuis Samsung Galaxy Note > > Survey Response <survey.response@live.com> a écrit : > Hi, > > On my USB drive, I have encrypted the entire disk as a single LUKS > encrypted partition. I have the grub files on this partition with an ISO > image for a Debian-live based distribution. I compiled Grub 2.00 with > the necessary crypto modules and left a larger embedding zone before the > first LUKS partition to accommodate the larger second-stage bootloader > (my core.img is about 44K). When I boot off this USB drive, GRUB asks me > the password initially for the encrypted drive and then gets to the > point where it brings up the menu, but I couldn't get it to load the > kernel since I need to pass the kernel the system device for the ISO > image (the live-media and fromiso boot parameters below) and I notice > that the devices are not available at the time of loading the kernel (or > later, for that matter). Can somebody help me figure out what I am doing > wrong? Would be much obliged, since I have been spending some time > trying to figure this out. > > Here is my grub.cfg > > menuentry 'FDE Live' { > > set isofile="/ISOs/linux.iso" > > # The UUID for the encrypted LUKS partition as obtained by > running blkid > set encryptedfs_uuid="377da6816e9a4c7092ae9016a719d04d" > > # The UUID for the decrypted ext4 fs in the LUKS partition > set decryptedfs_uuid="a8604976-269b-4ab1-8ecc-63960f60f008" > > insmod part_msdos > insmod loopback > insmod iso9660 > insmod cryptodisk > insmod luks > > echo 'Mounting encrypted disk ...' > cryptomount -u ${encryptedfs_uuid} > > echo 'Searching for the root fs in the decrypted fs...' > set root=(cryptouuid/${encryptedfs_uuid}) > search --no-floppy --fs-uuid --set=root ${decryptedfs_uuid} > > echo 'Setting up a loopback device to the CD image' > loopback loop $root/$isofile > set root=loop > > echo 'Loading Linux Kernel ...' > linux /live/vmlinuz boot=live > live-media=/dev/disk/by-uuid/${decryptedfs_uuid} > fromiso=/dev/disk/by-uuid/${decryptedfs_uuid}$isofile > initrd=/live/initrd.img config debug video=640x480 fbcon=scrollback:128 > > echo 'Loading initial ramdisk ...' > initrd /live/initrd.img > } > > From the debugging output on the console, I see that > /dev/disk/by-uuid/a8604976-269b-4ab1-8ecc-63960f60f008 (the > decryptedfs_uuid) does not exist at the time the linux kernel is being > loaded. I can access this folder from the grub command line using the > Grub drive (cyrptuuid/377da6816e9a4c7092ae9016a719d04d)/ISOs/linux.iso, > but I need to be able to reference this in a way the linux kernel would > understand. > Linux simply doesn't have such a way. You need to get Linux guys to add it first. Or to do something with initramfs > Once again, thanks for any help. Pardon any newbie mistakes I may be > making. It's a learning experience for me and I am hoping this would be > a good exercise in understanding how it all works. > > Thanks, > Steve > > > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel -- Regards Vladimir 'φ-coder/phcoder' Serbinenko [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 294 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command 2012-09-12 5:39 ` Vladimir 'φ-coder/phcoder' Serbinenko @ 2012-09-12 15:32 ` Chris Murphy 0 siblings, 0 replies; 6+ messages in thread From: Chris Murphy @ 2012-09-12 15:32 UTC (permalink / raw) To: The development of GNU GRUB On Sep 11, 2012, at 11:39 PM, Vladimir 'φ-coder/phcoder' Serbinenko wrote: > Linux simply doesn't have such a way. You need to get Linux guys to add > it first. Or to do something with initramfs. There may be some confusion between encrypted /boot and "secure boot" and "trusted boot". There isn't anything particularly private or secret about the contents of /boot so encryption doesn't seem to be indicated. But there's some legitimacy to concerns about whether the code being booted is valid (from the user's perspective). Chris Murphy ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: RE : Full Disk Encryption (including 2012-09-09 15:23 ` Survey Response 2012-09-12 2:34 ` Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command Steve R @ 2012-10-28 6:33 ` James Courtier-Dutton 1 sibling, 0 replies; 6+ messages in thread From: James Courtier-Dutton @ 2012-10-28 6:33 UTC (permalink / raw) To: The development of GNU GRUB [-- Attachment #1: Type: text/plain, Size: 365 bytes --] > > Once again, thanks for any help. Pardon any newbie mistakes I may be making. It's a learning experience for me and I am hoping this would be a good exercise in understanding how it all works. > my guess is this is one of two things: 1) the initramfs does not have the correct usb drivers to see the device at boot time. 2) the device id you are using is wrong. [-- Attachment #2: Type: text/html, Size: 415 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-10-28 6:33 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-09-09 12:38 RE : Full Disk Encryption (including Arbiel 2012-09-09 15:23 ` Survey Response 2012-09-12 2:34 ` Grub with LUKS support: Passing a reference to the decrypted filesystem to the "linux" command Steve R 2012-09-12 5:39 ` Vladimir 'φ-coder/phcoder' Serbinenko 2012-09-12 15:32 ` Chris Murphy 2012-10-28 6:33 ` RE : Full Disk Encryption (including James Courtier-Dutton
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.