Antynea / grub-btrfs

Include btrfs snapshots at boot options. (Grub menu)
GNU General Public License v3.0

Unable to boot into snapshots that are on LUKS encrypted disk #260

Open szszoke opened 1 year ago

szszoke commented 1 year ago

Hello!

I am having some trouble booting into my snapshots. I get the exact same error as the screenshot here: https://github.com/Antynea/grub-btrfs/issues/116

I am using Arch.

I have an unencrypted EFI partition that is mounted to /efi and I have a /boot folder with my kernel, microcode, etc.

Initially I had grub installed to /boot. With that setup I had to enter my encryption key before I could see the grub menus. If I then booted into a snapshot it worked.

I installed Arch on a different computer and there I followed a slightly different guide. I ended up with the same partition layout but grub was installed to the unencrypted /efi/grub folder instead.

This caused some changes. When I start that machine, I get the grub menu initially and I only have to enter the decryption key when I actually select an option that would boot into my Arch installation.

I prefer this setup because it doesn't force me to enter a decryption key even if I am not planning to boot into an OS that is on an encrypted disk.

This latter approach broke booting into my snapshots however.

I looked at my grub.cfg and grub-btrfs.cfg files and I think I know why I get the error.

Here is my main menu entry for Arch:

menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-5d034398-3c1d-4e1e-bb0a-0585959c5a6c' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod cryptodisk
    insmod luks
    insmod gcry_rijndael
    insmod gcry_rijndael
    insmod gcry_sha256
    insmod btrfs
    cryptomount -u 6f4f9d6d-94cf-4ce5-b3f6-2ab2bbc9420a
    set root='cryptouuid/6f4f9d6d94cf4ce5b3f62ab2bbc9420a'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='cryptouuid/6f4f9d6d94cf4ce5b3f62ab2bbc9420a'  5d034398-3c1d-4e1e-bb0a-0585959c5a6c
    else
      search --no-floppy --fs-uuid --set=root 5d034398-3c1d-4e1e-bb0a-0585959c5a6c
    fi
    echo    'Loading Linux linux ...'
    linux   /@/boot/vmlinuz-linux root=UUID=5d034398-3c1d-4e1e-bb0a-0585959c5a6c rw rootflags=subvol=@  loglevel=3 quiet cryptdevice=UUID=6f4f9d6d-94cf-4ce5-b3f6-2ab2bbc9420a:root rootflags=subvol=@ cryptkey=rootfs:/root_keyfile.bin
    echo    'Loading initial ramdisk ...'
    initrd  /@/boot/amd-ucode.img /@/boot/initramfs-linux.img
}

Here is the menu entry for my snapshot:

menuentry '  vmlinuz-linux & initramfs-linux-fallback.img & amd-ucode.img' --class snapshots --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-snapshots-5d034398-3c1d-4e1e-bb0a-0585959c5a6c' {
        if [ x$feature_all_video_module = xy ]; then
        insmod all_video
        fi
        set gfxpayload=keep
        insmod btrfs
        if [ x$feature_platform_search_hint = xy ]; then
            search --no-floppy --fs-uuid  --set=root --hint='cryptouuid/6f4f9d6d94cf4ce5b3f62ab2bbc9420a'  5d034398-3c1d-4e1e-bb0a-0585959c5a6c
        else
            search --no-floppy --fs-uuid  --set=root 5d034398-3c1d-4e1e-bb0a-0585959c5a6c
        fi
        echo 'Loading Snapshot: 2023-01-06 15:01:08 @snapshots/2/snapshot'
        echo 'Loading Kernel: vmlinuz-linux ...'
        linux "/@snapshots/2/snapshot/boot/vmlinuz-linux" root=UUID=5d034398-3c1d-4e1e-bb0a-0585959c5a6c  loglevel=3 quiet cryptdevice=UUID=6f4f9d6d-94cf-4ce5-b3f6-2ab2bbc9420a:root rootflags=subvol=@ cryptkey=rootfs:/root_keyfile.bin rootflags=rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvol="@snapshots/2/snapshot"
        echo 'Loading Microcode & Initramfs: amd-ucode.img initramfs-linux-fallback.img ...'
        initrd "/@snapshots/2/snapshot/boot/amd-ucode.img" "/@snapshots/2/snapshot/boot/initramfs-linux-fallback.img"
    }

Everything related to my encrypted disk seems to be missing. I never have to enter my decryption key and the encrypted disk is never unlocked and mounted.

I can go back to my previous setup where I have to unlock my encrypted disk first then choose a GRUB menu item but I would prefer this setup instead if it is possible.

szszoke commented 1 year ago

I suppose I could just update 41_snapshots-btrfs around line 220 to include the missing lines.

Edit: Just by replacing line 220 with the lines below I can boot into the snapshots again, but I would have to redo this on every update.

insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ${boot_fs}
cryptomount -u 6f4f9d6d-94cf-4ce5-b3f6-2ab2bbc9420a

Schievel1 commented 1 year ago

Hm, would it help if we created a config variable there to inject additional modules?

szszoke commented 1 year ago

I think that would be a start but I would still have to call cryptomount so just a list of modules that are then loaded via insmod is not enough.
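
The mismatch discussed in this thread can be checked mechanically. The script below is an added example, not code from the thread or from grub-btrfs: it lists every menu entry in a generated GRUB config that refers to a LUKS volume (a `cryptouuid/` hint or a `cryptdevice=` kernel argument) and reports whether the entry also runs `cryptomount`. The function names `audit_cfg` and `write_sample` are hypothetical, and the embedded sample config is constructed with placeholder UUIDs.

```shell
#!/bin/sh
# Added example (not grub-btrfs code): flag GRUB menu entries that refer to a
# LUKS volume (cryptouuid hint or cryptdevice= argument) without cryptomount.

# audit_cfg FILE: prints "OK<TAB>title" or "MISSING<TAB>title" per such entry.
audit_cfg() {
    awk -v q="'" '
        /^[ \t]*menuentry[ \t]/ {
            split($0, parts, q)      # title is the first single-quoted field
            title = parts[2]
            in_entry = 1; needs = 0; has = 0
            next
        }
        in_entry && /cryptouuid\/|cryptdevice=/ { needs = 1 }
        in_entry && /^[ \t]*cryptomount[ \t]/   { has = 1 }
        in_entry && /^[ \t]*[}][ \t]*$/ {       # closing brace ends the entry
            status = has ? "OK" : "MISSING"
            if (needs) print status "\t" title
            in_entry = 0
        }
    ' "$1"
}

# Constructed sample: shortened entries with placeholder UUIDs.
write_sample() {
    cat > "$1" <<'EOF'
menuentry 'Arch Linux' --class arch {
    insmod cryptodisk
    insmod luks
    cryptomount -u 00000000-0000-0000-0000-000000000000
    set root='cryptouuid/00000000000000000000000000000000'
    linux /@/boot/vmlinuz-linux cryptdevice=UUID=00000000-0000-0000-0000-000000000000:root
}
submenu 'Arch Linux snapshots' {
menuentry '  vmlinuz-linux & initramfs-linux.img' --class snapshots {
        insmod btrfs
        search --no-floppy --fs-uuid --set=root --hint='cryptouuid/00000000000000000000000000000000' 11111111-1111-1111-1111-111111111111
        linux "/@snapshots/2/snapshot/boot/vmlinuz-linux" cryptdevice=UUID=00000000-0000-0000-0000-000000000000:root
    }
}
menuentry 'UEFI Firmware Settings' {
    fwsetup
}
EOF
}

# Audit the file given as the first argument, if any.
if [ "${1:-}" ]; then audit_cfg "$1"; fi
```

Run it with the path of the generated config as the first argument; entries reported as `MISSING` will reach the kernel load step with the encrypted volume still locked.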