[Solved] Booting from LUKS root with efibootmgr

[Nocte]

Hi all,

I am quite new to Gentoo and looking forward to migrate my new laptop over. I was able to get my hands on one of the latest Alienware x14 with Intel Gen 12 (its a working machine ). explanation at the top and actual question in the end

for setting up the system I mostly stuck to the handbook but where I want to get a bit fancy is having the root partition LUKS encrypted and inside all lvm based the following partitions /, /home, /usr and /var. my issue is that on boot the LUKS partition does not get decrypted (no password prompt) and therefore my root lvm partition can not be found (VFS:_Crypt_open_root_device_"<uuid>"_or unkown-block(0.0): error -6). this point I have reached by building the sys-kernel/gentoo-sources with a somewhat minimal setup but made sure to follow all the wiki information about necessary kernel configs. also I am using latest 5.17.1 version. then I build an initramfs via dracut with the modules lvm, crypt, systemd. furthermore I would like to boot everything via UEFI itself using efibootmgr. I did find out that with dell machines there has been an issue (https://wiki.gentoo.org/wiki/Efibootmgr#cite_note-1) the past which supposedly is fixed by now.

given all of this I seem to be able to get the bootloader to start the kernel but I am not even sure if the initramfs properly is started. but most importantly I cant see any traces of an attempt to decrypt something. therefore I have tried to use genkernel and GRUP to get the system to boot up which worked neither. probably all of this simply is misconfiguration. But I got a bit lost in the possible configuration like crypt_root and rd.luks.uuid which apparently are the difference between initramfs create by genkernel and by dracut??? also I have not yet tinkered around with the /etc/crypttab (which potentially works differently when using systemd - which I am). from what I have seen so far I am thinking the config files are not needed since I am supplying the information via kernel command line parameter (where I am still not sure if they are even working).

to get to the point:
a) is there any tutorial using efi boot, LUKS encrypted partition, lvm inside of LUKS and systemd together with dracut initramfs (maybe even on a Dell machine) or
b) any hints what to look for to correctly configure my boot environment with the described quirks

any hints are welcome and thanks already just for reading this !

[CooSee]

hello,

and welcome to GenToo.

i don't know much about systemd or lvm or crypt install, but here's a good install guide:

https://mrlc.dev/posts/building-gentoo-system/

if you follow this guide, ignore Bootstrapping the system part - it's to much effort, imho.

just take your time with it and it's important that you understand what all the commands means.

good luck

[MrRoy3]

The problem is most likely an incorrect boot command in the efibootmgr.
I don't use LVM, but I have an encrypted root partition, use dracut and efibootmgr; this is the boot command that I use :

Code: Select all

efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Gentoo" --loader '\EFI\Gentoo\vmlinuz' --unicode 'root=UUID=<DECRYPTED DEVICE UUID> rd.luks.uuid=<ENCRYPTED DISK UUID> rd.luks.options=discard initrd=\EFI\Gentoo\initramfs.img'

Please post the efibootmgr/GRUB commands that you use, perhaps there is something wrong with them.

[Nocte]

Thanks @CooSee for the link. looked over it and its contents seams very interesting to me. but it is mostly about the parts of setting up toolchain and stuff for usage after the system boots

@MrRoy3 thanks a lot for your example. I now switched back to the dracut setup similar to yours.

Code: Select all

efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Gentoo" --loader '\EFI\Gentoo\vmlinuz' --unicode 'root=UUID=<UUID of ./dev/nvme0n1p3> rd.luks.uuid=<UUID of ./dev/nvme/root> rd.luks.allow-discards initrd=\EFI\Gentoo\initramfs.img'

but since i now waited a bit while the system tried to find the encrypted device while booting (apparently I was to quick to reboot the system before) I saw a timeout error saying it could not find <UUID OF ENCRYPTED DEVICE>. so it seams that my kernel / initramfs is missing support for nvme disks??? I do have NVM Express block device enabled as shown in https://wiki.gentoo.org/wiki/NVMe. Maybe I do need the other configs as well? or do I need to tell dracut about some additional modules? I have not found any nvme while looking through dracuts --list-modules.

tomorrow evening I will try a full setup with all nvme kernel features enabled and all dracut modules. thx for the input so far !

[MrRoy3]

Code: Select all

efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Gentoo" --loader '\EFI\Gentoo\vmlinuz' --unicode 'root=UUID=<UUID of ./dev/nvme0n1p3> rd.luks.uuid=<UUID of ./dev/nvme/root> rd.luks.allow-discards initrd=\EFI\Gentoo\initramfs.img'

The UUIDs in your command are reserved.
root= needs to be the UUID of /dev/mapper/unlockedPartition
and rd.luks.uuid= needs to be the UUID of the locked device (/dev/nvme0n1p3 in my case)

[Nocte]

Okay, fixed the UUIDs but this at first did not do anything for me...
I dug a bit deeper and got an emergency shell running when booting the initramfs. in there I could validate that indeed no nvme drives where found at /dev/. earlier I read something about AHCI/NVME configs. so in my BIOS I changed SATA/NVMe Operation from RAID on to AHCI/NVMe which made those nvme partitions appear at /dev/. with that the decryption process asked for a password and this part worked out for me as well. so progress was made !

but now something hangs when /usr/ needs to be mounted. if I then drop to the emergency shell I can see that the /usr is mounted correctly (by mount command) but something is still not working out. probably lvm configuration now. will look into it again tomorrow .
still any hints are still appreciated !

EDIT:
I had a closer look at all the output while booting and I found the following messages:

Code: Select all

[  OK  ] Mounted /sysroot
[Assert] Assertion failed for Initrd Root File System
[Depend] Dependency failed for Reload Configuration from the Real Root
[Assert] Assertion failed for Initrd File System

so far I could not figure out what the problem is. as far as I can tell the root is correctly mounted at /sysroot

anyone having any ideas?

[szatox]

I'm using refind and genkernel, but chances are you can still use it for reference.
You can save the parameters in mobo's memory instead, if you keep the names of kernel and initramfs constant/unversioned, and I suppose dracut's initrd won't be too different from genkernel's.

Here's my working setup:
Boot line as received by kernel

Code: Select all

# cat /proc/cmdline 
dolvm crypt_root=/dev/nvme0n1p2 root=/dev/vg_os/root ro net.ifnames=0 initrd=\initramfs-5.17.2-gentoo-x86_64.img

lsblk

Code: Select all

# lsblk 
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1               259:0    0 476,9G  0 disk  
├─nvme0n1p1           259:1    0   511M  0 part  /boot
└─nvme0n1p2           259:2    0 476,4G  0 part  
  └─root              254:0    0 476,4G  0 crypt 
    ├─vg_os-root      254:1    0    50G  0 lvm   /

refind's config files (active lines only)

Code: Select all

# cat /boot/EFI/refind/refind.conf | grep -vE '^#|^[[:blank:]]*$'
timeout 20

# cat /boot/refind_linux.conf 
"Boot with standard options"  "dolvm crypt_root=/dev/nvme0n1p2 root=/dev/vg_os/root ro net.ifnames=0"
"Boot to single-user mode"    "dolvm crypt_root=/dev/nvme0n1p2 root=/dev/vg_os/root ro net.ifnames=0 single"
"Boot with minimal options"   "ro root=/dev/mapper/vg_os-root"

Refind looks for my kernels and initrds and automagically creates boot entries with parameters from the config files; by default the newest kernel is chosen and combined with the first boot line specified.
20 seconds timeout is plenty of time for me to decide otherwise.
net.ifnames=0 is there because unpredictable interface names are annoying, take it or leave it. Not 100% sure if ro is necessary, but it doesn't hurt. The other params make it run.

Also, my /boot is a vfat partition tagged as EFI boot (partition type code EF00 - required by efi). For simplicity I didn't bother splitting it up into kernels and efi.
I don't recommend using UUIDs with LVM; snapshots make clashes possible.

[Nocte]

Hi again and thanks also to @szalox. I could validate that efi partition is formated the same for me. also thanks for the hint regarding uuids. I will change it in the future but for now it seams to be more promising...

I again spent the last few days understanding what the initramfs does. according to Bootup in the Initial RAM Disk (initrd) some filesystems are mounted and then a switch to the actual root fs will be executed. from what my screen output says the system is trying to mount my /usr, /var and /home but never succeeds. if I am using UUIDs in /etc/fstab (which dracut copies over to the initramfs and also will be read again in the actual root fs) then after 35s I encounter a timeout which I have provided via the efi stub load in rd.timeout. if this happens I get an emergency shell and can see that not all the lvm partitions have been activated (but /root and /usr have). this is confusing to me because that should be enough to get the system to boot but I seams to fail afterwards. if on the other hand side I use the /dev/mapper/nvme-xxx path in /etc/fstab (nvme being my lvm volume group) then the timeout is infinite which is why I dont get the emergency shell to look around and figure out what was happening. I am intending to try a bit more with the rd.lvm.vg argument. but at the moment I am not entirely sure how the efi command line arguments and the dracut ones relate to each other... while creating the initrfamfs I can see dracut "guessing" additional rd.lvm.lv in its output and probably appending those the the command line somehow. but setting all the information like root=UUID=xxx to --kernel-cmdline when executing dracut does result in a hanging boot process. if someone could explain to me how those two relate to each other that might be helpful.
also on a side node... my /home is a btrfs partition. I already made sure this is also included in the initramfs.

[wless123]

Hey,
it can be difficult to get an initram up and running and switching between different tools which create it makes it even worse.

However you can read about every cmdline parameter for the initramfs in

Code: Select all

man genkernel
or
man dracut.cmdline

EDIT: if you try to boot the kernel (and initramfs) these cmdline parameter need to be set correctly to boot the system. The right place for them (for efi boot) is in the kernel in "CONFIG_CMDLINE"

I again spent the last few days understanding what the initramfs does. according to Bootup in the Initial RAM Disk (initrd) some filesystems are mounted and then a switch to the actual root fs

This is true and as simple as it sounds it can get quite complex with the requirements one has.


You need some solid information about what is going on and what prevents your system from booting. There are a few ways to do this:

1) stick with one tool to create the initramfs (dracut or genkernel)
2) activate debugging for the initramfs (esp. dracut has a nice feature - read in the man page above)
3) unpack a created initramfs and inspect the init script in the root directory.

Alternatively go for a custom initramfs https://wiki.gentoo.org/wiki/Custom_Ini ... ic_devices. This approach will take you probably longer to get it running, but afterward you will know what is going on in the initramfs.

So choice is yours. Welcome to gentoo .

[NeddySeagoon]

Nocte,

Your kernel loads as you get kernel messages.
unknown-block(0,0) means that the kernel cannot communicate with your storage device. You have something missing.

If the initrd is loaded and in use, you will be dropped to the busybox shell when root fails to mount so you can look around and get some diagnostic information.
If the initrd is not in use, the kernel will panic.

The initrd is a must for root in LUKS, or LVM at all.

Get into the rescue shell and try

Code: Select all

ls /dev

are your block devices listed?
If not can you modprobe the drivers and make then appear.

Code: Select all

lsmod 

will tell what kernel modules are loaded.

You mas spot errors in

Code: Select all

dmesg | more

I like my initrd to be kernel agnostic. That means it only contains userspace tools, so it does not get updated with every kernel update.
Its firmware, make it once for the life of the system.

[tbart]

I like my initrd to be kernel agnostic. That means it only contains userspace tools, so it does not get updated with every kernel update.
Its firmware, make it once for the life of the system.

That's pretty clever!
Never thought of it like this.

The OP (and me too, FWIW) like to boot from EFI directly (EFI stub). This should not prevent me from using this strategy, right? I mean, could the initrd also reside on the EFI partition?
I initially thought I'd have to have everything I need in the kernel directly, for EFI stub booting to work (with LUKS+LVM).

So I wrote a little script back then.
It uses mkinitramfs-ll as it seemed lightweight and good to understand for a bash guy like me

The layout is a little involved, as I compile the kernel, compile the initramfs and then compile the kernel again, putting the initramfs directly into it.
Maybe I overthought things back then, but it works since 5 years now without a hickup.

My production kernel 5.15.x on my thinkpad has 26M right now with this config (with quite a bit of pro-audio stuff in it). Not too bad I think.

One of these days I'll start to host all my Gentoo tools somewhere...

Till then: Here it is. make menuconfig your kernel and call kernel_build.sh afterwards.

Code: Select all

#!/bin/bash

# kernel_build.sh
# Builds an EFI-compatible kernel (no need for a bootloader)
# with integrated initramfs (possibly for LUKS encrypted root)

# Copyright 2018 tbart <gentoo.rockmusic@neverbox.org>
# Licence: Do whatever you see fit with it, but attribute me. Send improvements back to me.

# /etc/fstab should contain something along this line:
# 
# /dev/nvme0n1p1    /boot/efi   vfat    noatime,noauto  0 0

### USER CONFIGURABLE
EFI="/boot/efi"
### END USER CONFIGURABLE

distro="$(sed -n '/NAME/s#.*=\(.*\)#\L\1#p;q' /etc/os-release 2>/dev/null)"
[[ $distro ]] || die "Error getting distro name, /etc/os-release missing (or NAME= variable not contained)"

tools="efibootmgr sed lsblk findmnt mkinitramfs-ll.bash" 
for tool in $tools
do
    [[ -e $(which $tool 2>/dev/null) ]] || die "Necessary tool $tool not found. Please install."
done

cleanup() { #{{{ #Cleanup in case of interruption
    status ok "Cleaning up."
    umount $EFI 2>/dev/null
    mount -o remount,ro efivarfs 2>/dev/null
    exit 0
} #}}}

trap cleanup SIGINT SIGKILL SIGTERM

status() { #{{{ #Output colored status messages
    case $1 in
        error)
            shift
            echo -e "\e[01;31m$@\e[0m"        
            ;;
        ok)
            shift
            echo -e "\e[01;32m$@\e[0m"        
            ;;
        warn)
            shift
            echo -e "\e[01;33m$@\e[0m"        
            ;;
        *)
            die "status function used incorrectly"
            ;;
    esac
    echo
} #}}}

die() { #{{{ #Echo message and exit unsuccessfully
    echo
    status error "$0: $@"
    cleanup
    echo "Exiting."
    echo
    exit -1
} #}}}

enabled() { #{{{ #Check whether kernel config option is enabled; accepts y, m, y|m
    egrep -iq "$1=($2)" .config
} #}}}

checkkernelconfig() { #{{{ # Check existance of necessary kernel config values
    # Options needed for booting have to be built in
    for opt in CONFIG_EFI CONFIG_EFI_STUB CONFIG_FW_LOADER
    do
        enabled "$opt" "y" || die "Kernel config $opt needs to be set to Y (builtin)"
    done

    enabled CONFIG_EXTRA_FIRMWARE "\".+\"" || die "Kernel config CONFIG_EXTRA_FIRMWARE needs to contain the latest ucode for your CPU (e.g. intel-ucode/06-8e-09; use iucode_tool -S -l /lib/firmware/intel-ucode/* for finding the correct package for your CPU! emerge sys-firmware/intel-microcode sys-apps/iucode_tool or respective packages for your vendor!)"
    enabled CONFIG_EXTRA_FIRMWARE_DIR "\".+\"" || die "Kernel config CONFIG_EXTRA_FIRMWARE_DIR needs to be set (to /lib/firmware, most likely)"
    # Options for handling installation of a new kernel may be modular
    for opt in CONFIG_EFIVAR_FS CONFIG_EFI_PARTITION
    do
        enabled "$opt" "y|m" || die "Kernel config $opt needs to set to Y (builtin) or M (module)"
    done
    # Options that improve the user experience are recommended
    for opt in CONFIG_FB_EFI CONFIG_EARLY_PRINTK_EFI
    do
        enabled "$opt" "y|m" || { echo "Kernel config $opt is recommended as Y (builtin) or M (module), but not strictly necessary.";
            echo "Ctrl-C to abort. Will continue in 3 seconds.";
            sleep 3; }
    done
} #}}}

efientry() { #{{{ #Adds/modifies EFI bootmgr entry
    [[ -d "$EFI/EFI/$distro" ]] || mkdir "$EFI/EFI/$distro" || die "Error creating directory $EFI/EFI/$distro"
    entry="/EFI/$distro/kernel-$KV.efi"
    # The efibootmgr executable with all necessary parameters
    efiexec="efibootmgr -d $(lsblk -pno pkname $(findmnt -no source $EFI)) -p $(tail -c2 <<< $EFIDEV)"
    # Find existing boot number ..
    existingbootnum="$($efiexec -v | sed -n "/${entry////\\\\}/{s#^Boot\(....\).*#\1#;p}")" # XXX: probably catch errors of efiexec as well
    if [[ $existingbootnum ]] # .. and if it exists
    then
        [[ ! $setasfirst ]] && return # .. but should not be set as first, don't touch it
        # .. otherwise, it is easiest to just delete the existing one and add it anew
        $efiexec -b $existingbootnum -B || die "Could not delete existing boot entry."
    fi
    # .. there's no entry there (anymore), add it
    $efiexec -c -l "$entry" -L "$distro kernel $KV" || die "Could not add new EFI boot entry."
} #}}}

[[ $PWD == "/usr/src/linux" ]] || die "PWD is not /usr/src/linux ! Check the symlink is correctly set and cd to /usr/src/linux"

checkkernelconfig

grep -q $EFI /etc/mtab || mount $EFI 2>/dev/null || die "$EFI could not be mounted! It seems the fstab entry is missing."

EFIDEV="$(findmnt -no source $EFI)"
KV=$(readlink -f . | sed 's#.*linux-\(.*\)#\1#') #Kernel version to build
[[ $KV =~ [0-9]-rt[0-9] ]] && KV="${KV/-rt/-rt-rt}" # XXX: This is strange, why do -rt kernels have -rt-rt47 as a version?
JOBS=$(($(grep -c processor /proc/cpuinfo)+1)) #Number of parallel build jobs

# If commandline parameters are needed, they can also be specified in the kernel
# config (look for CMDLINE)

# Kernel build, first round, needed for getting modules for the initramfs
# XXX: Can we just make modules without building the whole kernel in this step?

status ok "Compiling kernel, iteration 1."
make -j$JOBS \
    || die "Error building kernel (iteration 1)."
status ok "Compiling kernel modules."
make -j$JOBS modules \
	|| die "Error building modules."
status ok "Installing kernel modules."
make modules_install \
	|| die "Error installing modules."
# Build initramfs with the modules just built
status ok "Building initramfs."
mkinitramfs-ll.bash -c none -k $KV \
	|| die "Error creating initramfs."
# Include the resulting initramfs in the kernel, so we don't need an initrd parameter
# normally passed by the boot loader
status ok "Modifying kernel config to include built initramfs."
sed -i "/CONFIG_INITRAMFS_SOURCE=/s#\".*\"#\"/boot/initramfs-$KV.cpio\"#" .config \
	|| die "Error adapting kernel config for initramfs."
# probably add the missing config for UID and GID, but it gets prompted anyway..
# This just adapts it, does not add it: /CONFIG_INITRAMFS_ROOT_[UG]ID/s#.*\(CONFIG_[^ ]*\).*#\1=\"0\"#
status ok "Compiling kernel, iteration 2 (including initramfs)."
make -j$JOBS \
	|| die "Error building kernel (iteration 2) with included initramfs."
# Copy kernel to EFI partition
status ok "Copying kernel to EFI partition."
cp arch/$(uname -m)/boot/bzImage $EFI/EFI/$distro/kernel-$KV.efi \
	|| die "Error copying kernel image to EFI partition ($EFI/EFI/$distro/kernel-$KV.efi)."
status ok "Mounting efivarfs read/write."
mount -o remount,rw efivarfs \
	|| die "Could not mount efivarsfs rw (missing kernel support in running kernel? Look for EFIVAR_FS)."
status ok "Updating EFI boot order/entries."
efientry \
    || die "Error adding/modifying EFI boot entry."
status ok "Rebuilding kernel modules."
emerge @module-rebuild \
    || die "Error rebuilding kernel modules."
status ok "All necessary operations finished successfully! Some EFI implementations are buggy.
If the boot order has not changed as expected, do so via the EFI firmware during boot.
Make sure you include all necessary firmware and microcode blobs into the kernel or the initramfs
when needed early on."

cleanup

It should be pretty straight forward to change the tool for building the initramfs to something else.

mkinitramfs-ll however is really easy to setup.
This is everything I need in /etc/mkinitramfs-ll.conf (getting discards/cryptsetup_args to work was a little more involved - it's part of the official mkinitramfs-ll distribution now, however; the config below plus "luks,discard" in /etc/crypttab is enough now; you want to be able to fstrim your NVMe)

Code: Select all

opts[-module-boot]+=:kms:
opts[-module-kms]+=:i915:
opts[-firmware]=:iwlwifi-8265:i915/:
opts[-module-group]+=:boot:kms:swsusp
opts[-bin]+=:blkid:
opts[-font]+=:ter-v32n
opts[-keymap]+=:de-latin1-nodeadkeys:
opts[-lvm]=:
opts[-luks]=:
opts[-compressor]=none
opts[-kernel-version]=$(uname -r)
env=(
	${MIR_EXTRA_ENV}
	# Disable applets/binaries checking
	'CHECK_ENV=false'
	# cmdline needed for EFI boot
	'root=vg00-root'
	'lvm=vg00-nvme0n1p5'
	'rootflags=user_xattr'
	'luks=pwd'
	'cryptsetup_args=--allow-discards'
)

[Nocte]

Hi again and thanks for all that input

I did manage to get my system to boot. and in the end it has simply been missconfiguration on my side. while going through all of my issues at some time I set dracuts --fstab option which messed up the initramfs. this I likely did because earlier I had mounting issues where I suspected my fstab to be wrong. but this part must have been fixed by adding btrfs or nvme compatibility to the initramfs. this was probably due to not exactly understanding what I did at first. but reading up on the initramfs concepts and in my case the documentation of the systemd services run inside the initramfs helped a lot. in the end it came down to going into the emergency shell and look around. there i noticed that the lvm volumes did exist but where not mount under the /sysroot/ but at the /. after noticing that and fixing my dracut command actually everything worked as intended

thanks again for all the hints. I will now go back to @CooSee post to really start my gentoo experience