Fresh Debian 10.1 install, GRUB does not load anything

Help with issues regarding installation of Debian

Fresh Debian 10.1 install, GRUB does not load anything

Postby HydraGene » 2019-11-04 21:39

Today I have installed Debian 10.1. I have had no obvious error messages.

I have set up my (dual boot windows 10) system as follows:
EFI boot partition
1 encrypted partition (os)
- lvm root
- lvm swap
1 encryped partition (data)
- lvm home

This gave no problem with Debian 9.

Now my laptop loads just a GRUB screen with "grub> _" flashing underscore. Nothing else happens, no error messages, etc.
I tried to reinstall (grub-install and update-grub) by rescue mode, but nothing chaged. I tried to add "GRUB_ENABLE_CRYPTODISK=y" to /etc/default/grub then run "update-grub" again but still nothing changed.

What could be wrong here?
HydraGene
 
Posts: 18
Joined: 2015-10-28 19:58

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby kedaha » 2019-11-04 23:12

have you tried any commands after the grub prompt?
For instance, what does the ls command return?
Code: Select all
grub> ls
Mate DE & OSSv4.
FreedomBox in Debian
ispmail
Debian Stable

Words, as is well known, are the great foes of reality. Joseph Conrad.
Kedaha's Conjecture
User avatar
kedaha
 
Posts: 3017
Joined: 2008-05-24 12:26

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-05 09:36

Is /boot in the encrypted root partition or in a separate unencrypted partition ?
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby HydraGene » 2019-11-05 16:47

kedaha wrote:have you tried any commands after the grub prompt?
For instance, what does the ls command return?
Code: Select all
grub> ls


I have no experience in grub commands, so I tried a few failed attepmts. But ls gives following output:
Code: Select all
grub> ls
(proc) (hd0) (hd0,msdos1) (hd1) (hd1,gpt5) (hd1,gpt4) (hd1,gpt3) (hd1,gpt2) (hd1,gpt1) (hd2) (hd3) (hd3,gpt4) (hd3,gpt3) (hd3,gpt2) (hd3,gpt1)


p.H wrote:Is /boot in the encrypted root partition or in a separate unencrypted partition ?


/boot is in the encrypted root partition. (I have no separate /boot partition.)
/boot/EFI however is installed at the EFI system partition which is unencrypted.
I had exactly the same setup with Debian 9, and it worked there.
HydraGene
 
Posts: 18
Joined: 2015-10-28 19:58

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-05 21:17

You may need to run grub-install again after adding GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub.
Make sure /boot/efi is mounted.
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby kedaha » 2019-11-05 21:57

HydraGene wrote:I have no experience in grub commands, so I tried a few failed attempts.

I don't think many of us here are very familiar with such commands; it's not so often one gets this unfriendly grub prompt; however, I've been able to solve it a few times in the past by searching for possible solutions. See for example how-rescue-non-booting-grub-2-linux/
HydraGene wrote:But ls gives following output:
Code: Select all
grub> ls
(proc) (hd0) (hd0,msdos1) (hd1) (hd1,gpt5) (hd1,gpt4) (hd1,gpt3) (hd1,gpt2) (hd1,gpt1) (hd2) (hd3) (hd3,gpt4) (hd3,gpt3) (hd3,gpt2) (hd3,gpt1)

Try a few commands till you get the hang of it, like:
Code: Select all
grub> ls (hd0,msdos1/
grub> set root=(hd0,msdos1)

and see what they do.
Mate DE & OSSv4.
FreedomBox in Debian
ispmail
Debian Stable

Words, as is well known, are the great foes of reality. Joseph Conrad.
Kedaha's Conjecture
User avatar
kedaha
 
Posts: 3017
Joined: 2008-05-24 12:26

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-06 19:05

This method is not appropriate with /boot in an encrypted device. You must open the encrypted device (see cryptomount in GRUB documentation).
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby HydraGene » 2019-11-06 19:39

p.H wrote:You may need to run grub-install again after adding GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub.
Make sure /boot/efi is mounted.

I have just tried this, and it gives the same result.. This was indeed the solution to Debian 9 boot problems. But this time it is as if GRUB doesn't recognize the encrypted partition.

kedaha wrote:Try a few commands till you get the hang of it, like:
Code: Select all
grub> ls (hd0,msdos1/
grub> set root=(hd0,msdos1)

and see what they do.

Alright, I've followed your link, thanks. But it mainly explains commands using unencrypted partition.
I am 100% sure (hd1,gpt4) is my encrypted root partition and (hd3,gpt2) is my encrypted home partition. I know by the size and exclusion of other partitions.
Code: Select all
ls (hd1,gpt4)
      Partition hd1,gpt4: No known filesysteem detected - Partition start at 200901632KiB - Total size 48235520KiB
ls (hd1,gpt4)/
      error: unknown filesystem.

set root=xxxxx does nothing. Gives back empty line.

p.H wrote:This method is not appropriate with /boot in an encrypted device. You must open the encrypted device (see cryptomount in GRUB documentation).

The linked page contained a link to a GRUB manual and I found cryptomount too. But I think GRUB doesn't know that these partitions are encrypted. I've tried cryptomount (hd1,gpt4) and cryptomount -a, but again just a blank line. Still unknown filesystem when using ls..
HydraGene
 
Posts: 18
Joined: 2015-10-28 19:58

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-07 13:02

IME in EFI mode Debian installs a signed GRUB with shim for compatibility with UEFI secure boot. One difference with the standard unsigned grub is that it uses a static (because signed) core image instead of a dynamically built image. I have not checked whether this signed GRUB supports /boot encryption. You could try to install a non-signed image with
Code: Select all
grub-install --no-uefi-secure-boot
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby HydraGene » 2019-11-07 20:33

p.H wrote:IME in EFI mode Debian installs a signed GRUB with shim for compatibility with UEFI secure boot. One difference with the standard unsigned grub is that it uses a static (because signed) core image instead of a dynamically built image. I have not checked whether this signed GRUB supports /boot encryption. You could try to install a non-signed image with
Code: Select all
grub-install --no-uefi-secure-boot

Great idea. That was the problem!

(On a side note: While you've explained it, I understand that you can't sign a dynamically built image with standard keys. However, I wonder why the installation process doesn't generate its own keys. I read on the SB Debian page that you can have MOK's. Wouldn't this solve the issue with dynamically built images?)


But now I have a new error...
Code: Select all
error: disk `lvmid/......' not found.
Entering rescue mode...

I have rried possible solutions by adding UUID to fstab, but if I do that, I get parse error on the lines with the added UUID.. And update-grub and update-grub2, but it didn't solve anything.
Do you know more things I could try?

ls now gives just (hd0) to (hd3).. ls (hd0)/ gives error: unknown filesystem
HydraGene
 
Posts: 18
Joined: 2015-10-28 19:58

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-07 21:33

HydraGene wrote:I understand that you can't sign a dynamically built image with standard keys. However, I wonder why the installation process doesn't generate its own keys. I read on the SB Debian page that you can have MOK's. Wouldn't this solve the issue with dynamically built images?

I have not investigated into this, as I am not interested in secure boot at all. I guess that you could sign GRUB with your own keys, but you would have to add these keys to the UEFI firmware. Not sure that all firmwares allow this.

HydraGene wrote:Entering rescue mode...

So now GRUB enters rescue mode. This is not really a progress.
Does GRUB ask for a LUKS passphrase ?

HydraGene wrote:ls now gives just (hd0) to (hd3)

No partitions ? This is interesting. It means that the generated core image does not contain the partition table modules as it should.
What is the output of "lsmod" at the grub rescue prompt ?
Can you run
Code: Select all
grub-install --no-uefi-secure-boot -v > grub-install.txt 2>&1
grep mkimage grub-install.txt

and post the output ?

You can force the GPT partition table module into the core image with "--modules=part_gpt" but other modules may be missing too.
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby HydraGene » 2019-11-08 19:16

p.H wrote:What is the output of "lsmod" at the grub rescue prompt ?

Code: Select all
grub rescue> lsmod
Unknown command `lsmod'.
grub rescue> ls mod
error: disk `lvmid/....' not found.

p.H wrote:Can you run
Code: Select all
grub-install --no-uefi-secure-boot -v > grub-install.txt 2>&1
grep mkimage grub-install.txt

and post the output ?

Code: Select all
grub-install: info: grub-mkimage --directory '/usr/lib/grub/x86_64-efi' --prefix '(lvmid/P9zCKE-3Ihw-gMRp-sxdY-7NMM-mcQM-OY0M5v/VfOE8s-niLe-r4Qi-NtYe-ULfp-iQXx-h6yjGu)/boot/grub' --output 'boot/grub/x86_64-efi/core.efi' --format 'x86_64-efi' --compression 'auto' 'ext2' 'lvm'
grub-install: info: grub-mkimage --directory '/usr/lib/grub/x86_64-efi' --prefix '' --output '/boot/grub/x86_64-efi/grub.efi' --format 'x86_64-efi' --compression 'auto' 'ext2' 'lvm'

After --prefix it is the string grub can't find.
HydraGene
 
Posts: 18
Joined: 2015-10-28 19:58

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-09 09:04

Sigh - even lsmod isn't available in grub rescue mode...

Crypto modules and the GPT module are missing in the grub-mkimage command. Is "GRUB_ENABLE_CRYPTODISK=y" present in /etc/default/grub and without typo ? I have not tested an encrypted /boot with Buster yet, so I do not know if it is supported yet.

You could add the missing modules to grub-install with the option --modules (GPT module is part_gpt, don't know crypto module names), but it may not be enough : grub-install must also set up the core image so that it unlocks the encrypted device.

You may have to revert to an unencrypted /boot/grub at least. If there is no available partition, you can make /boot/grub a symlink to some subdirectory in the EFI partition mounted on /boot/efi.
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby HydraGene » 2019-11-09 12:36

p.H wrote:Is "GRUB_ENABLE_CRYPTODISK=y" present in /etc/default/grub and without typo ? I have not tested an encrypted /boot with Buster yet, so I do not know if it is supported yet.

Yes, checked it and it is there.

p.H wrote:You could add the missing modules to grub-install with the option --modules (GPT module is part_gpt, don't know crypto module names), but it may not be enough : grub-install must also set up the core image so that it unlocks the encrypted device.

I tried:
Code: Select all
grub-install --no-uefi-secure-boot --modules part_gpt crypto

The partitions are now visible but still in rescue mode..

p.H wrote:You may have to revert to an unencrypted /boot/grub at least. If there is no available partition, you can make /boot/grub a symlink to some subdirectory in the EFI partition mounted on /boot/efi.

I am getting a little tired of trying too. I can make a 1GB partition besides the encrypted /root and encrypted /home, is this enough for the /boot partition? I see people write about 300-500MB and some 1GB.
HydraGene
 
Posts: 18
Joined: 2015-10-28 19:58

Re: Fresh Debian 10.1 install, GRUB does not load anything

Postby p.H » 2019-11-10 09:58

HydraGene wrote:The partitions are now visible but still in rescue mode

I'm afraid that unlocking a LUKS device requires many more modules than just "crypto".

HydraGene wrote:I can make a 1GB partition besides the encrypted /root and encrypted /home, is this enough for the /boot partition?

1 GB is more than enough. You can check the current size of /boot. But I repeat that you do not have to move the whole /boot, only /boot/grub should be enough if menu entries in /boot/grub/grub.cfg contain instructions to unlock the LUKS device.
p.H
 
Posts: 1159
Joined: 2017-09-17 07:12

Next

Return to Installation

Who is online

Users browsing this forum: No registered users and 11 guests

fashionable