armbian / build

Armbian Linux build framework generates custom Debian or Ubuntu image for x86, aarch64, riscv64 & armhf
https://www.armbian.com
GNU General Public License v2.0

Build broken with CRYPTROOT_ENABLE=yes #6280

Open doodlebro opened 9 months ago

doodlebro commented 9 months ago

What happened?

Building with CRYPTROOT_ENABLE=yes leads to an error with grub configuration. Built on docker with a Mac.

grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

How to reproduce?

./compile.sh build SHARE_LOG=yes BOARD=uefi-x86 BOOTSIZE=1024 BRANCH=current BUILD_DESKTOP=no BUILD_MINIMAL=no CRYPTROOT_ENABLE=yes CRYPTROOT_PASSPHRASE=PASSWORD CRYPTROOT_SSH_UNLOCK_PORT=22 INSTALL_HEADERS=yes KERNEL_CONFIGURE=prebuilt KERNEL_GIT=shallow RELEASE=bookworm ROOTFS_TYPE=btrfs BTRFS_COMPRESSION=zstd:5 COMPRESS_OUTPUTIMAGE=gz PROGRESS_DISPLAY=none;

Branch

main (main development branch)

On which host OS are you observing this problem?

Jammy

Relevant log URL

https://paste.armbian.com/fejaheneno


github-actions[bot] commented 9 months ago

Jira ticket: AR-2068

igorpecovnik commented 9 months ago

It passes compilation when added:

--- a/extensions/grub.sh
+++ b/extensions/grub.sh
@@ -276,6 +276,7 @@ configure_grub() {
                GRUB_DISABLE_OS_PROBER=false                             # Have to be explicit about enabling os-prober
                GRUB_FONT="/usr/share/grub/unicode.pf2"                  # Be explicit about the font to use so Ubuntu does not freak out and mess gfxterm
                GRUB_GFXPAYLOAD=keep
+                GRUB_ENABLE_CRYPTODISK=y
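
Review bot: The added GRUB_ENABLE_CRYPTODISK=y line in configure_grub() is unconditional, so every image built with this extension gets cryptodisk support turned on, including builds that never set CRYPTROOT_ENABLE=yes. Consider emitting the line only when CRYPTROOT_ENABLE is yes, and give it a trailing comment like the neighbouring GRUB_DISABLE_OS_PROBER and GRUB_FONT lines so the reason for the setting is recorded next to it.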

... but resulting image does not work properly. Grub prompts for password, it prompts for disk-unlock but then it doesn't mount /root ... so there is some other problem too. This needs deeper inspection.

doodlebro commented 9 months ago

Thanks for confirming, my last successful build was Jan 21st at 1:21 UTC. Hope it helps.

doodlebro commented 9 months ago

Adding a few notes as I found time to debug parts of this:

The main issue comes from forced encryption on the boot partition by grub, but I'm not sure when this started. Forcing encrypted /boot breaks remote access since the password must be entered at the grub menu.

Prior to Jan 21st, using the Armbian build flag "CRYPTROOT_ENABLE=yes" only encrypted the root partition, which allowed grub to boot into the initramfs so that I can remotely unlock the root partition. I would expect this to be preserved, or at least have a flag for the boot partition's inclusion.

I don't think we want "GRUB_ENABLE_CRYPTODISK=y" added to extensions/grub.sh for every build, or at all in my case. When I add this, images build and boot alright, so forced encryption of /boot by grub seems like the only thing to handle.
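
The distinction discussed above (only the root partition encrypted versus /boot also inside the encrypted volume) can be checked on a built image. The script below is an added example, not part of this thread or of Armbian's code: the device names, the `armbian-root` mapping name and the sample `lsblk` output are constructed, and it assumes a direct dm-crypt mapping with no LVM layer.

```shell
#!/bin/sh
# Added example: classify where GRUB's files live relative to the LUKS mapping.
# Constructed `lsblk -P -o NAME,TYPE,MOUNTPOINT` samples; device names are made up.
ROOT_ONLY='NAME="loop0p1" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="loop0p2" TYPE="part" MOUNTPOINT="/boot"
NAME="loop0p3" TYPE="part" MOUNTPOINT=""
NAME="armbian-root" TYPE="crypt" MOUNTPOINT="/"'
BOOT_INSIDE='NAME="loop0p1" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="loop0p2" TYPE="part" MOUNTPOINT=""
NAME="armbian-root" TYPE="crypt" MOUNTPOINT="/"'

# Print the lsblk TYPE of the device mounted exactly at $1 (stdin: lsblk -P text).
backing_type() {
  awk -v mp="$1" '{
    t = ""; m = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^TYPE=/)       { t = $i; gsub(/^TYPE=|"/, "", t) }
      if ($i ~ /^MOUNTPOINT=/) { m = $i; gsub(/^MOUNTPOINT=|"/, "", m) }
    }
    if (m == mp) { print t; exit }
  }'
}

# /boot/grub sits on the /boot filesystem if one is mounted, otherwise on /.
grub_dir_type() {
  t=$(printf '%s\n' "$1" | backing_type /boot)
  [ -n "$t" ] || t=$(printf '%s\n' "$1" | backing_type /)
  printf '%s\n' "$t"
}

# True when the grub defaults text ($1) sets GRUB_ENABLE_CRYPTODISK=y.
cryptodisk_enabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*(#.*)?$'
}

# $1 = lsblk -P text, $2 = contents of /etc/default/grub. Prints one verdict:
#   boot-plain/...      GRUB reads /boot unencrypted; unlocking happens in the initramfs
#   boot-encrypted/off  the grub-install error quoted in this issue
#   boot-encrypted/on   GRUB itself prompts for the passphrase before the initramfs
check_image() {
  if [ "$(grub_dir_type "$1")" = crypt ]; then where=boot-encrypted; else where=boot-plain; fi
  if cryptodisk_enabled "$2"; then echo "$where/on"; else echo "$where/off"; fi
}

check_image "$ROOT_ONLY" 'GRUB_GFXPAYLOAD=keep'
check_image "$BOOT_INSIDE" 'GRUB_GFXPAYLOAD=keep'
```

On a real system the two arguments would be `"$(lsblk -P -o NAME,TYPE,MOUNTPOINT)"` and `"$(cat /etc/default/grub)"`, run inside the mounted image or its chroot.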

superkeyor commented 1 month ago

Using branch=v24.08, I successfully compiled an arm64 distro, but encountered the same issue when compiling the x86 distro.