Score:0

UEFI Grub fails to boot encrypted Ubuntu 21.04 system: can't find command `cryptomount'

mpb

I am manually (i.e. via custom scripts) installing an Ubuntu 21.04 system.

My GPT disk has two partitions. An EFI System Partition, and a LUKS (version 1) encrypted BTRFS partition.

On boot, grub flashes the following error messages, and then drops to a grub prompt.

error: file `/boot' not found.
error: no such device: /.disk/info.
error: no such device: /.disk/mini-info.
error: can't find command `cryptomount'.

My question is: how do I provide/activate the cryptomount command inside Grub?

(If I type help at the grub prompt, the command cryptomount is not listed.)

Interestingly, if I add a type ef02 BIOS boot partition, and install the BIOS version of Grub, and boot the system in BIOS mode, the boot will succeed. However, I want the disk to boot on a UEFI system.

Background information:

I have looked at the instructions at the below link, and I don't see anything else I need to do to enable the cryptomount command. I tried adding insmod cryptomount to /boot/efi/EFI/BOOT/grub.cfg, but that did not work.

https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Previously, I have manually installed Ubuntu with a plaintext /boot partition and an encrypted / partition, and everything worked. So the new element is that I am trying to put the /boot directory on the encrypted / partition. I have also installed Void Linux with /boot on an encrypted partition, and that worked as expected.

/boot/efi/EFI/BOOT/grub.cfg is:

cryptomount -u e5f6f8f5dc3944cbb6d8d99b1f17b343
search.fs_uuid 5e42bb87-3342-48b6-aff5-f2519063f9b9 root 
cryptouuid/e5f6f8f5dc3944cbb6d8d99b1f17b343 
set prefix=($root)'/@_2107_hirsute/boot/grub'
configfile $prefix/grub.cfg

I install grub by running the following:

opts=''
opts="$opts  --force"
opts="$opts  --no-floppy"
opts="$opts  --recheck"
opts="$opts  --removable"

opts="$opts  --target=x86_64-efi"
opts="$opts  --efi-directory=/boot/efi"
opts="$opts  --bootloader-id=Ubuntu"

chroot  /mnt  grub-install  $opts
ChanganAuto
Typically you need a /boot partition outside of the encrypted volume. There are ways to avoid it but it's very complex and IMHO not worth the time.
mpb
@ChanganAuto I believe my question stated that I was already fully familiar with the plaintext `/boot` approach. I disagree with your assessment that the solution is "very complex". The solution is actually very simple (albeit obscure and hard to find).
Score:0
mpb

It appears that running the following commands (as root), in the following order, inside the installation chroot environment, will generate Grub files in /boot/efi/EFI/BOOT/ that will allow Grub to read the kernel and the initrd.img file from the /boot directory on the encrypted / partition.

#  echo  'GRUB_ENABLE_CRYPTODISK=y'  >>  /etc/default/grub
#  apt-get  install  -y  --reinstall  grub-efi-amd64-signed
#  update-initramfs  -c  -k all
#  grub-install  /dev/vda
#  update-grub

Source: https://mutschler.eu/linux/install-guides/ubuntu-btrfs/#install-the-efi-bootloader

Previously, I was running most or all of the above commands, but in a different order.

Afterwards, the files look like this:

# ls -l /boot/efi/EFI/BOOT
total 1680
-rwx------ 1 root root 1718144 Jul 17 16:08 BOOTX64.EFI
-rwx------ 1 root root     224 Jul 17 06:13 grub.cfg

# cat /boot/efi/EFI/BOOT/grub.cfg 
cryptomount -u a771eeddca6942c0be0ac88852a9b45b
search.fs_uuid ae60b399-84bd-4a08-b0aa-7f33a847b873 root 
cryptouuid/a771eeddca6942c0be0ac88852a9b45b 
set prefix=($root)'/@_2107_hirsute/boot/grub'
configfile $prefix/grub.cfg

Your files may look different depending upon how you have partitioned and mounted your disks.

Prior to running the above commands in the above order, the BOOTX64.EFI file was 1.4M, whereas now it is 1.7M.

I don't know of any way (other than trying a reboot) to look inside the BOOTX64.EFI and verify that it actually contains the cryptodisk module.
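A static pre-reboot check for the setup described in the answer above, as an added example that is not part of the original post. It verifies that GRUB_ENABLE_CRYPTODISK=y is active, that the stub grub.cfg unlocks and references the same LUKS UUID, and, as a heuristic, that the EFI image contains the `cryptomount` command name; the function names are hypothetical, and the image check assumes the modules are embedded uncompressed in the EFI image.

```shell
#!/bin/sh
# Added example (not from the original post): static checks before rebooting.
# Usage: sh check.sh /etc/default/grub /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grub.cfg

# True if the last uncommented GRUB_ENABLE_CRYPTODISK assignment is "y".
cryptodisk_enabled() {
    val=$(sed -n 's/^[[:space:]]*GRUB_ENABLE_CRYPTODISK=//p' "$1" | tail -n 1 | tr -d "\"' ")
    [ "$val" = "y" ]
}

# Heuristic. ASSUMPTION: modules are embedded uncompressed in the EFI image, so
# the command name registered by the cryptodisk module is a plain byte string.
image_has_cryptomount() {
    LC_ALL=C grep -a -q 'cryptomount' "$1"
}

# Print the UUID given to "cryptomount -u" in the stub grub.cfg (empty if none).
stub_crypto_uuid() {
    sed -n 's/^[[:space:]]*cryptomount[[:space:]]\{1,\}-u[[:space:]]\{1,\}\([0-9A-Fa-f-]\{32,36\}\).*/\1/p' "$1" | head -n 1
}

# Run every check, print one line per failure, return the number of failures.
check_encrypted_boot() {
    defaults=$1; image=$2; stub=$3; fails=0
    if ! cryptodisk_enabled "$defaults"; then
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y is not active in $defaults"; fails=$((fails + 1))
    fi
    if ! image_has_cryptomount "$image"; then
        echo "FAIL: no 'cryptomount' string in $image"; fails=$((fails + 1))
    fi
    uuid=$(stub_crypto_uuid "$stub")
    if [ -z "$uuid" ]; then
        echo "FAIL: no 'cryptomount -u <uuid>' line in $stub"; fails=$((fails + 1))
    elif ! grep -q "cryptouuid/$uuid" "$stub"; then
        echo "FAIL: $stub unlocks $uuid but never references cryptouuid/$uuid"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Only run when called with the three paths, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then
    check_encrypted_boot "$@"
fi
```

A pass only shows that the pieces are present and consistent; it does not prove the image can unlock the volume at boot.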
