Gentoo Forums
Setting Grub to unlock LVM on Luks
noqrax
n00b
Joined: 04 Oct 2016
Posts: 45

Posted: Mon Nov 06, 2017 7:27 pm    Post subject: Setting Grub to unlock LVM on Luks

Hello, I'm using the classic scheme with an encrypted root device and LVM in it. There are some explanations of how I should configure grub.cfg to be able to load the root partition.

The problem is that in fact there is no good and simple example: which "insmod" must be loaded in which order, where I need to put cryptdevice, and how to map root afterwards if it is on LVM.

Right now I get an error which says that it tries to use a not yet mapped device (I have not even entered the password).

I'd like to see a working config (my own config is almost what you have after grub-mkconfig) for proper system configuration.
Roman_Gruber
Advocate
Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

Posted: Mon Nov 06, 2017 11:11 pm    Post subject: Setting Grub to unlock LVM on Luks

Hi

I discussed this several times on this forum, and gave hints in this regard, partly with full configs.

--

It all boils down to how you have set up your box. When you are able to run your operating system, aka installation, from a live medium via chroot, you should be able to get your booting issue solved. There are several ways to set it up properly. You did not provide any data in this regard.

I redid my installation, because of my backup strategy, last Friday and it went well with the Gentoo amd64 handbook. The Logical Volume Manager and Linux Unified Key Setup are just additional layers which need to be dealt with. For a box which comes with an optical drive, I recommend the sysrescue cd. I recommend that you start from a binary distro, like Linux Mint. From that you do a setup of your discs and leave the bootloader from Linux Mint as is. You also move Linux Mint to the last 10 GB of your drive, and create a new partition which will be the rootfs for your Gentoo installation. When your box is a desktop computer with at least 8GB (GiB for geeks) of RAM, leave the swap partition out. Use openrc and eudev. emerge genkernel next and only build the initramfs with all needed use-flags. Then unpack this initramfs and adapt the boot stage, that is, verify that all commands are done in the right order with the right subsets, and remove unneeded lines. Then repack this initramfs, use it and never touch it again. Also bear in mind you will need certain kernel flags to boot a box, and certain built-in kernel modules. I also recommend using the Linux Mint bootloader as is and just editing the section for your Gentoo. You can later nuke Linux Mint and add those physical extents to your logical volume. Also read your drive manual to find out which sector size and erase size are in use. Align those sections properly.

WARNING: DO NOT USE GRUB from the gentoo overlay, or any AUTOUPDATE grub scripts! e.g. => grub-mkconfig. Those scripts have nuked the booting functionality from one of my boxes without a confirmation dialog for the user. Yes, backups may help, but when the box cannot boot anymore it is a different issue. Once you have installed your bootloader you will not need to alter it, except for the individual boot entries. Most of the time only the kernel file name needs to be changed!

DISCLAIMER: use it at your own risk. I have several SSDs with the same setup. Last Friday, I unpacked a fresh CRUCIAL SSD and redid all the necessary steps; this SSD booted instantly. No cloning software was used, only Sysrescue - CD, and an external USB 3.0 case.

--

edit

Quote:
I'd like to see working config


Nope. Gentoo is a do it yourself linux.

Encryption took me two weeks the first time I did it. Reading, reading, reading, then reading other guys' configs. It all boils down to how fast you can grasp basic principles. The redhat docs are quite decent in this regard.

When you want some lazy approach, use ARCH linux. I had a working ARCH linux with luks and lvm running in quite less time

--

OFF topic: Also luks / lvm is insecure on x86 because of e.g. UEFI, intel management engine, RAM data recovery to only name a few things!
noqrax
n00b
Joined: 04 Oct 2016
Posts: 45

Posted: Tue Nov 07, 2017 1:27 pm    Post subject: Setting Grub to unlock LVM on Luks

Just to save time, I'm posting here a link to Stack Overflow which simply repeats my question and has some additional info. You can answer me on either the forum or Stack Overflow.

https://stackoverflow.com/q/47146247/8896663
noqrax
n00b
Joined: 04 Oct 2016
Posts: 45

Posted: Tue Nov 07, 2017 4:15 pm    Post subject: Setting Grub to unlock LVM on Luks

I can unlock my root device but I'm unable to set the real root, because the LVM volumes are inactive. Is there a way to explicitly force loading the LVM partitions in Grub? E.g. there is the shell command
Code:
# vgchange -ay
which activates volumes if they are inactive. But which command does the same in grub.cfg?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 11449

Posted: Wed Nov 08, 2017 2:33 am    Post subject: Setting Grub to unlock LVM on Luks

Roman_Gruber wrote:
OFF topic: Also luks / lvm is insecure on x86 because of e.g. UEFI, intel management engine, RAM data recovery to only name a few things!
Could you provide a citation that quantifies this? Your passing reference to RAM data recovery suggests that affected platforms can never have secure encryption, since keys would always be vulnerable to that attack.
All times are GMT