Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing
From: Patrick Steinhardt
Subject: Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing Results
Date: Sun, 30 Aug 2020 21:03:30 +0200

On Sun, Aug 30, 2020 at 08:19:08PM +0200, Patrick Steinhardt wrote:
> On Sun, Aug 30, 2020 at 03:30:39PM +0000, HardenedArray via Grub-devel wrote:
> > Patrick, I've also noted Eli's further input, immediately below.
> >
> > Given that you now know exactly how I've encrypted / and how I unlock
> > my encrypted: /boot, swap and /, if you can indeed 'hack' a suitable
> > `grub-mkimage` command for me to test, I would be happy to test it.
>
> I currently don't have any available, sorry. I never did the custom
> config thing yet, even though it shouldn't be too hard. I hope to find
> some time in the next few days to give it a test and will report back.

Well, you nerd-sniped me, so here you go:

```
#!/bin/bash
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -a
set prefix=(lvm/system-gentoo)/boot/grub
set root=lvm/system-gentoo
insmod normal
normal
EOF
grub-mkimage \
-p '(lvm/system-gentoo)/boot/grub' \
-O x86_64-efi \
-c "$CONFIG" \
-o /tmp/image \
luks2 lvm gcry_rijndael gcry_sha256 gcry_sha512 part_gpt ext2 pbkdf2
rm "$CONFIG"
```

So what does this do? It creates a simple config that just directly
calls `cryptomount -a`, which would try to decrypt _all_ partitions. If
you have multiple encrypted disks, you can also use `cryptomount -u
$DISKUUID` instead. Afterwards, it sets up both prefix and root, which
in my case is the LVM volume "system/gentoo". Last, it does the
normal-dance.

We then use this configuration to build the EFI executable via
grub-mkimage. It again takes the prefix (it shouldn't be necessary here,
but it's a mandatory argument). It builds a 64 bit EFI executable with
our config and the set of modules we want it to include. These may again
need to be adjusted based on your system, e.g. if you use MSDOS instead
of GPT you'd need part_msdos instead of part_gpt. Same with filesystem
(ext2, which also handles ext3/ext4) and gcry modules.

Anyway, the resulting EFI executable is created at "/tmp/image". This is
the image you need to put into the typical "/boot/EFI/gentoo/grubx64.efi"
(paths obviously differ based on your system again).

Reboot and have fun. And thanks for finally fixing my own boot process
via your queries ;)

Patrick
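
Added example, not part of the message above and not GRUB project code: the message says the module list has to be adjusted to the system, so this sketch derives it from `cryptsetup luksDump` text plus the partition table and filesystem type. The function name `grub_modules` is hypothetical, `SAMPLE_DUMP` is constructed, and the mapping covers only the modules named in the message; anything else is reported as unmapped rather than guessed.

```shell
# Added example: derive the grub-mkimage module list from `cryptsetup luksDump`
# text. SAMPLE_DUMP is constructed, trimmed LUKS2 output, not from a real disk.
SAMPLE_DUMP='Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
Digests:
  0: pbkdf2
        Hash:       sha512'

# grub_modules PTTYPE FSTYPE, luksDump text on stdin. Prints the module list,
# or returns 1 and names the item this table has no mapping for.
grub_modules() {
    local mods="luks2 lvm" dump word   # assumes LVM inside LUKS2, as in the message
    dump=$(cat)
    case $1 in
        gpt)       mods="$mods part_gpt" ;;
        dos|msdos) mods="$mods part_msdos" ;;
        *) echo "unmapped partition table: $1" >&2; return 1 ;;
    esac
    case $2 in
        ext2|ext3|ext4) mods="$mods ext2" ;;   # ext2 also handles ext3/ext4
        *) echo "unmapped filesystem: $2" >&2; return 1 ;;
    esac
    # Cipher family is the text before the first "-" (aes-xts-plain64 -> aes).
    for word in $(printf '%s\n' "$dump" |
            awk 'tolower($1) == "cipher:" { split($2, a, "-"); print a[1] }' | sort -u); do
        case $word in
            aes) mods="$mods gcry_rijndael" ;;
            *) echo "unmapped cipher: $word" >&2; return 1 ;;
        esac
    done
    # "Hash:" and "AF hash:" lines end in the hash name.
    for word in $(printf '%s\n' "$dump" | awk '/[Hh]ash:/ { print $NF }' | sort -u); do
        case $word in
            sha256|sha512) mods="$mods gcry_$word" ;;
            *) echo "unmapped hash: $word" >&2; return 1 ;;
        esac
    done
    for word in $(printf '%s\n' "$dump" | awk '$1 == "PBKDF:" { print $2 }' | sort -u); do
        [ "$word" = pbkdf2 ] || { echo "unmapped PBKDF: $word" >&2; return 1; }
        mods="$mods pbkdf2"
    done
    echo "$mods"
}
printf '%s\n' "$SAMPLE_DUMP" | grub_modules gpt ext4
```

On a real system the input would come from `cryptsetup luksDump` on the encrypted partition, and a non-zero return means the image would lack a module needed to unlock it.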