1 (edited by cynicfm 2020-06-09 23:44:05)

Topic: Encrypted installation - Libreboot grub configuration

edit: okay i manually changed /boot/grub/grub.cfg entry now everything is ok :-)


Yoo...

Today i decided to give encrypted installation a try so i did it, i am running lxdm with openbox now, managed to create users etc.
but i have to get into system manually by typing grub commands by pressing c in commandlind

But when i installed grub typed grub-install /dev/sda and grub-mkconfig -o /boot/grub/grub.cfg it says can't find certain volumes so hyperbola automatic libreboot boot isn't possible...
But it is if i manually type everything

So here is grub.cfg configuration

[root@libreboot fifi]# cat /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

set menu_color_normal=light-gray/black
set menu_color_highlight=black/white

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_serpent
insmod gcry_serpent
insmod gcry_whirlpool
insmod lvm
insmod ext2
cryptomount -u f6c6ce6d7780453eb182188f72e2bf83
set root='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'  01c206c2-5682-4b2e-ac0e-0500ac1464fd
else
  search --no-floppy --fs-uuid --set=root 01c206c2-5682-4b2e-ac0e-0500ac1464fd
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_GB
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Hyperbola GNU/Linux-libre, linux-libre-lts kernel' --class hyperbola --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-libre-lts-advanced-01c206c2-5682-4b2e-ac0e-0500ac1464fd' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_serpent
    insmod gcry_serpent
    insmod gcry_whirlpool
    insmod lvm
    insmod ext2
    cryptomount -u f6c6ce6d7780453eb182188f72e2bf83
    set root='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'  01c206c2-5682-4b2e-ac0e-0500ac1464fd
    else
      search --no-floppy --fs-uuid --set=root 01c206c2-5682-4b2e-ac0e-0500ac1464fd
    fi
    echo    'Loading linux-libre-lts kernel ...'
    linux    /boot/vmlinuz-linux-libre-lts root=/dev/mapper/matrix-rootvol rw  quiet
    echo    'Loading initial ramdisk ...'
    initrd    /boot/initramfs-linux-libre-lts.img
}
menuentry 'Hyperbola GNU/Linux-libre, linux-libre-lts kernel (fallback initramfs)' --class hyperbola --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-libre-lts-fallback-01c206c2-5682-4b2e-ac0e-0500ac1464fd' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_serpent
    insmod gcry_serpent
    insmod gcry_whirlpool
    insmod lvm
    insmod ext2
    cryptomount -u f6c6ce6d7780453eb182188f72e2bf83
    set root='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'  01c206c2-5682-4b2e-ac0e-0500ac1464fd
    else
      search --no-floppy --fs-uuid --set=root 01c206c2-5682-4b2e-ac0e-0500ac1464fd
    fi
    echo    'Loading linux-libre-lts kernel ...'
    linux    /boot/vmlinuz-linux-libre-lts root=/dev/mapper/matrix-rootvol rw  quiet
    echo    'Loading initial ramdisk ...'
    initrd    /boot/initramfs-linux-libre-lts-fallback.img
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

And here is boot/grub/default

[root@libreboot fifi]# cat /etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Hyperbola"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_XEN_DEFAULT="quiet"
GRUB_CMDLINE_XEN=""
GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_XEN_REPLACE=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="black/white"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to enable the GRUB environment block
# https://www.gnu.org/software/grub/manual/grub/grub.html#Environment-block
# Note: This is only useful if GRUB_DEFAULT=saved
#GRUB_SAVEDEFAULT=true

# Disable advanced submenu
GRUB_DISABLE_SUBMENU=y

# Uncomment to disable the external "os-prober" program
#GRUB_DISABLE_OS_PROBER=true

# Uncomment to use LUKS and LVM2
#GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y

Also i mind asking since i only run openbox wm now, is there something you recommend for suspending/hibernating laptop with just typing one command?? Any specific package?? smile

Cheers so how do i edit grub?? Is everything ok with .cfg??

2 (edited by zapper 2020-07-19 04:44:55)

Re: Encrypted installation - Libreboot grub configuration

cynicfm wrote:

edit: okay i manually changed /boot/grub/grub.cfg entry now everything is ok :-)


Yoo...

Today i decided to give encrypted installation a try so i did it, i am running lxdm with openbox now, managed to create users etc.
but i have to get into system manually by typing grub commands by pressing c in commandlind

But when i installed grub typed grub-install /dev/sda and grub-mkconfig -o /boot/grub/grub.cfg it says can't find certain volumes so hyperbola automatic libreboot boot isn't possible...
But it is if i manually type everything

So here is grub.cfg configuration

[root@libreboot fifi]# cat /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

set menu_color_normal=light-gray/black
set menu_color_highlight=black/white

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_serpent
insmod gcry_serpent
insmod gcry_whirlpool
insmod lvm
insmod ext2
cryptomount -u f6c6ce6d7780453eb182188f72e2bf83
set root='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'  01c206c2-5682-4b2e-ac0e-0500ac1464fd
else
  search --no-floppy --fs-uuid --set=root 01c206c2-5682-4b2e-ac0e-0500ac1464fd
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_GB
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Hyperbola GNU/Linux-libre, linux-libre-lts kernel' --class hyperbola --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-libre-lts-advanced-01c206c2-5682-4b2e-ac0e-0500ac1464fd' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_serpent
    insmod gcry_serpent
    insmod gcry_whirlpool
    insmod lvm
    insmod ext2
    cryptomount -u f6c6ce6d7780453eb182188f72e2bf83
    set root='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'  01c206c2-5682-4b2e-ac0e-0500ac1464fd
    else
      search --no-floppy --fs-uuid --set=root 01c206c2-5682-4b2e-ac0e-0500ac1464fd
    fi
    echo    'Loading linux-libre-lts kernel ...'
    linux    /boot/vmlinuz-linux-libre-lts root=/dev/mapper/matrix-rootvol rw  quiet
    echo    'Loading initial ramdisk ...'
    initrd    /boot/initramfs-linux-libre-lts.img
}
menuentry 'Hyperbola GNU/Linux-libre, linux-libre-lts kernel (fallback initramfs)' --class hyperbola --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-libre-lts-fallback-01c206c2-5682-4b2e-ac0e-0500ac1464fd' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_serpent
    insmod gcry_serpent
    insmod gcry_whirlpool
    insmod lvm
    insmod ext2
    cryptomount -u f6c6ce6d7780453eb182188f72e2bf83
    set root='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='lvmid/tFCsHS-bdSI-Owiq-YZos-QybI-FlH8-Lo8z0m/T9azgr-oYjw-HcIw-pR6C-9L1f-qlh0-K6Akoh'  01c206c2-5682-4b2e-ac0e-0500ac1464fd
    else
      search --no-floppy --fs-uuid --set=root 01c206c2-5682-4b2e-ac0e-0500ac1464fd
    fi
    echo    'Loading linux-libre-lts kernel ...'
    linux    /boot/vmlinuz-linux-libre-lts root=/dev/mapper/matrix-rootvol rw  quiet
    echo    'Loading initial ramdisk ...'
    initrd    /boot/initramfs-linux-libre-lts-fallback.img
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

And here is boot/grub/default

[root@libreboot fifi]# cat /etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Hyperbola"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_XEN_DEFAULT="quiet"
GRUB_CMDLINE_XEN=""
GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_XEN_REPLACE=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="black/white"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to enable the GRUB environment block
# https://www.gnu.org/software/grub/manual/grub/grub.html#Environment-block
# Note: This is only useful if GRUB_DEFAULT=saved
#GRUB_SAVEDEFAULT=true

# Disable advanced submenu
GRUB_DISABLE_SUBMENU=y

# Uncomment to disable the external "os-prober" program
#GRUB_DISABLE_OS_PROBER=true

# Uncomment to use LUKS and LVM2
#GRUB_PRELOAD_MODULES=lvm
GRUB_ENABLE_CRYPTODISK=y

Also i mind asking since i only run openbox wm now, is there something you recommend for suspending/hibernating laptop with just typing one command?? Any specific package?? smile

Cheers so how do i edit grub?? Is everything ok with .cfg??

I did this one a while back,

is it full disk encryption you tried to do, or FDE - /boot

???


I mean if its FDE + boot
you have to type two passwords in to boot the system and one for your login. hmm

IF your okay with that, then no worries, but its unwise to have a passwordless login screen. Anywho, just letting you know that's how it is, although you probably know this all already.

So i guess I wasted my time. heh...

But yeah, I have done both so send a message if you still have issues.

Hyperbola:

The Stable Secure Libre Arch!