On Sun, Aug 30, 2020 at 08:19:08PM +0200, Patrick Steinhardt wrote:
> On Sun, Aug 30, 2020 at 03:30:39PM +0000, HardenedArray via Grub-devel wrote:
> > Patrick, I've also noted Eli's further input, immediately below.
> > 
> > Given that you now know exactly how I've encrypted / and how I unlock
> > my encrypted:  /boot, swap and /, if you can indeed 'hack' a suitable
> > `grub-mkimage` command for me to test, I would be happy to test it.
> 
> I currently don't have any available, sorry. I never did the custom
> config thing yet, even though it shouldn't be too hard. I hope to find
> some time in the next few days to give it a test and will report back.

Well, you nerd-sniped me, so here you go:

```bash
#!/bin/bash
set -euo pipefail

# Early config that gets embedded into the image: unlock the LUKS
# container(s), then point prefix/root at the LVM volume holding /boot/grub.
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
trap 'rm -f "$CONFIG"' EXIT   # remove the temp file even if grub-mkimage fails

cat >"$CONFIG" <<EOF
cryptomount -a

set prefix=(lvm/system-gentoo)/boot/grub
set root=lvm/system-gentoo

insmod normal
normal
EOF

# Build a 64-bit EFI image with the embedded config and the modules needed
# to reach the real grub.cfg: LUKS2, LVM, cipher/hash/KDF, GPT, ext*.
grub-mkimage \
    -p '(lvm/system-gentoo)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm gcry_rijndael gcry_sha256 gcry_sha512 part_gpt ext2 pbkdf2
```

So what does this do? It creates a simple config that just directly
calls `cryptomount -a`, which would try to decrypt _all_ partitions. If
you have multiple encrypted disks, you can also use `cryptomount -u
$DISKUUID` instead. Afterwards, it sets up both prefix and root, which
in my case is the LVM volume "system/gentoo". Last, it does the
normal-dance.

We then use this configuration to build the EFI executable via
grub-mkimage. It again takes the prefix (it shouldn't be necessary here,
but it's a mandatory argument). It builds a 64-bit EFI executable with
our config and the set of modules we want it to include. These may again
need to be adjusted based on your system, e.g. if you use MSDOS instead
of GPT you'd need part_msdos instead of part_gpt. Same with filesystem
(ext2, which also handles ext3/ext4) and gcry modules.

Anyway, the resulting EFI executable is created at "/tmp/image". This is
the image you need to put into the typical "/boot/EFI/gentoo/grubx64.efi"
(paths obviously differ based on your system again).

Reboot and have fun. And thanks for finally fixing my own boot process
via your queries ;)

Patrick


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

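The message above uses `cryptomount -a` and hard-codes the LVM volume and module list. The following script is an added example, not part of Patrick's post or of GRUB itself: it generates the same style of early config for one specific LUKS container selected by UUID (the `cryptomount -u` variant mentioned in the message), validates the UUID, and parameterises the partition-table and filesystem modules the message says need adjusting per system. The module names are the ones from the post; the `cryptsetup luksUUID` call, the `/dev/sda2` device and the `system-gentoo` LVM name in the usage comment are assumptions for illustration. The UUID is emitted without dashes because that is the form older GRUB releases match; the sample UUIDs used for checking are constructed.

```shell
#!/bin/sh
# Build a GRUB EFI image whose embedded early config unlocks one specific
# LUKS container by UUID instead of trying every partition (cryptomount -a).
set -eu

# Normalise a LUKS UUID to lowercase without dashes, the form GRUB's
# cryptomount has historically matched. Fails (exit 1) unless the input is
# exactly 32 hex digits, given with or without dashes.
normalize_luks_uuid() {
    raw=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    case $raw in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#raw}" -eq 32 ] || return 1
    printf '%s\n' "$raw"
}

# Print the early config. $1 = LUKS UUID, $2 = GRUB LVM device name (vg-lv),
# i.e. the "system-gentoo" in "(lvm/system-gentoo)".
render_early_config() {
    uuid=$(normalize_luks_uuid "$1") || { echo "bad LUKS UUID: $1" >&2; return 1; }
    vgdev=$2
    cat <<EOF
cryptomount -u $uuid

set prefix=(lvm/$vgdev)/boot/grub
set root=lvm/$vgdev

insmod normal
normal
EOF
}

# Module list for the image. $1 = gpt|msdos, $2 = filesystem module
# (ext2 also covers ext3/ext4). The crypto and LVM modules are fixed.
modules_for() {
    case $1 in
        gpt)   part=part_gpt ;;
        msdos) part=part_msdos ;;
        *) echo "unknown partition table type: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "luks2 lvm gcry_rijndael gcry_sha256 gcry_sha512 pbkdf2 $part $2"
}

# Build the EFI image. $1 uuid, $2 vg-lv, $3 gpt|msdos, $4 fs module, $5 output.
build_image() {
    cfg=$(mktemp /tmp/grub-config.XXXXXX)
    render_early_config "$1" "$2" >"$cfg"
    mods=$(modules_for "$3" "$4")
    rc=0
    # shellcheck disable=SC2086  # splitting $mods into module names is intended
    grub-mkimage -p "(lvm/$2)/boot/grub" -O x86_64-efi -c "$cfg" -o "$5" $mods || rc=$?
    rm -f "$cfg"
    return $rc
}

# Usage (assumed device and LVM name; not executed here):
# build_image "$(cryptsetup luksUUID /dev/sda2)" system-gentoo gpt ext2 /tmp/image
```

With a UUID pinned in the image, a second encrypted disk (or an attacker-supplied one plugged in at boot) is never prompted for, and a mistyped UUID fails at build time rather than at the boot prompt.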