grub-btrfs

add support for booting snapshots on LUKS encrypted disk

Open cip91sk opened this issue 1 year ago • 3 comments

Fixes #260

cip91sk avatar Jun 04 '24 16:06 cip91sk

Thank you very much. Can you also add some description on the setting in the man pages and the readme?

Schievel1 avatar Jun 06 '24 13:06 Schievel1

Sure! I will hopefully do it in a couple days

cip91sk avatar Jun 07 '24 08:06 cip91sk

Done, let me know if I need to change anything!

cip91sk avatar Jun 08 '24 11:06 cip91sk

As a fellow user with an encrypted /boot I hope this gets merged.

gabrielb1804 avatar Jan 02 '25 05:01 gabrielb1804

@cip91sk not sure if I'm doing something wrong, but I'm testing this and maybe I don't need this configured with how I have my setup configured. I want to configure this so that I can rollback /boot if something were to fail.

I'm still doing this install in a VM for now on Debian Sid. Anyway, I have UEFI and a BTRFS volume configured and boot is on the root filesystem. Everything is working and booting as intended.

image

You can see the steps here.

I have GRUB_ENABLE_CRYPTODISK=y enabled in /etc/default/grub.

You can see my modules loaded in the default Debian grub.cfg.

image

In addition, I have /boot on the main btrfs root partition and have a key in the initramfs to avoid having to enter the password twice, which was documented in the document above in Step 4.

See my luks config below. It is still luks2, just with a lower pbkdf by using: cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/vda.

image

If I enable GRUB_BTRFS_ENABLE_CRYPTODISK="true" in the grub-btrfs config, it no longer writes the snapshots to the bootloader.

I CAN boot the read-only snapshots when the GRUB_BTRFS_ENABLE_CRYPTODISK config is commented out and it seems to write the snapshots when it's disabled, but when it's enabled, it's not working correctly. As you can see in the screenshot below, it now writes the snapshots out when I disable it.

image image

Newly written grub-btrfs.cfg with no luks or crypt entries for the modules.

image

So in summary, two main issues:

  1. Not sure if I need to enable GRUB_BTRFS_ENABLE_CRYPTODISK
  2. snapper rollback doesn't seem to be working, but I'm not sure if I need to do any additional configuration because /boot is on the root partition.

Not sure where to proceed and if there is anything I need to do, or if I'm misunderstanding how this works with the key in the initramfs and it handling unlocking the root partition. I want to make sure this is configured properly as well before I roll this out to my new hardware coming in soon as well. Let me know. Thank you.

dasunsrule32 avatar May 12 '25 22:05 dasunsrule32

@Antynea any thoughts? Should I open a separate thread? Thanks. :)

dasunsrule32 avatar May 13 '25 04:05 dasunsrule32

I was able to get 2. working properly now; it was a misunderstanding of how snapper rollback works.

I'm not sure if I need GRUB_BTRFS_ENABLE_CRYPTODISK still. Thanks.

dasunsrule32 avatar May 13 '25 15:05 dasunsrule32

@dasunsrule32 If you can boot snapshots fine without enabling cryptodisk support I assume that you don't need it and I think - from my limited knowledge - that you should leave it disabled.

cip91sk avatar May 24 '25 17:05 cip91sk

Yeah, it fails miserably with it enabled. Thank you!

dasunsrule32 avatar May 24 '25 17:05 dasunsrule32