Boot question? GRUB, LUKS, LVM

circ · November 8, 2019, 9:43pm

I’m struggling to get a setup described here : New drive partitioning advice?

Can anyone explain the mounting process for the following ?
/root lives on an LV in a PV, in a LUKS container

What is the best way to get a GRUB handoff for boot? It’s failing miserably through a manual crtypsetup open /dev/sd# / mounting / chroot /mnt / grub-install (grub install is fine, boot can’t find the volume).

I guess I’m looking for the UUID relationship between GRUB, LUKS, LVM, fstab, and crypttab. grub-install doesn’t seem to be finding things and setting them correctly.

bonus points for filesystem recommendation as well because maybe it all has to be mbr? Can I do this gpt?

ruff · November 8, 2019, 11:13pm

Ok, here’s my setup where I use full disk encryption, without LVM, and with /boot non-encrypted

# cryptsetup status encDisk
/dev/mapper/encDisk is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sda2
  sector size:  512
  offset:  32768 sectors
  size:    60776449 sectors
  mode:    read/write

# cryptsetup luksUUID /dev/sda2
1234d0eb-bb95-4789-9660-820f24d9f58a

# grep \^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub 
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=1234d0eb-bb95-4789-9660-820f24d9f58a:encDisk root=/dev/mapper/encDisk"

# mount | grep \^/
/dev/mapper/encDisk on / type btrfs (rw,relatime,space_cache,subvolid=5,subvol=/)
/dev/sda1 on /boot type ext4 (rw,relatime)

# grep \^HOOKS /etc/mkinitcpio.conf 
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt btrfs filesystems keyboard fsck)

circ · November 8, 2019, 11:33pm

Thanks, this helps, but I’m working towards LVM too -

Can you explain the syntax of this ?
in your GRUB_CMDLINE_LINUX_DEFAULT

I get that it lands you on your # mounted encDisk, but what are the parts telling the kernel?

ruff · November 9, 2019, 6:45am

It’s not for kernel, these params are just stored by kernel as bootparams and then used by init from initcpio:

$ grep cryptdevice /usr/lib/initcpio/hooks/encrypt
    if [ -n "${cryptdevice}" ]; then
$cryptdevice
        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."

and to encrypt hook it tells where to find our crypt device (UUID=…) and how to map it (root=/dev/mapper/…)
this all is required only to mount root (bootstrap) other disks could be initialized in normal way via unit files.

Now, this maps decrypted sda2 to dm/encDisk but before going to root=… you can put lvm2 hook, which will use dm/encDisk as pv and will map its lvs to other device - you then specify root to be your lv device node (/dev/vg-name/lv-name) rather than encDisk. The hook needs to be injected into mkinitcpio.conf HOOKS as sd-lvm2 and root= param in grub default cmdline. I’ve never tried it though as I’m not a big fan of lvm.

circ · November 10, 2019, 3:42am

thanks, I’m ready to give up on this idea entirely. initcpio is not present anywhere on my system.