Build broken with CRYPTROOT_ENABLE=yes #6280

Open
doodlebro opened this issue Feb 16, 2024 · 4 comments
Labels
Bug Something isn't working well

Comments

@doodlebro

What happened?

Building with CRYPTROOT_ENABLE=yes leads to an error with grub configuration. Built on docker with a Mac.

grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

How to reproduce?

./compile.sh build SHARE_LOG=yes BOARD=uefi-x86 BOOTSIZE=1024 BRANCH=current BUILD_DESKTOP=no BUILD_MINIMAL=no CRYPTROOT_ENABLE=yes CRYPTROOT_PASSPHRASE=PASSWORD CRYPTROOT_SSH_UNLOCK_PORT=22 INSTALL_HEADERS=yes KERNEL_CONFIGURE=prebuilt KERNEL_GIT=shallow RELEASE=bookworm ROOTFS_TYPE=btrfs BTRFS_COMPRESSION=zstd:5 COMPRESS_OUTPUTIMAGE=gz PROGRESS_DISPLAY=none;

Branch

main (main development branch)

On which host OS are you observing this problem?

Jammy

Relevant log URL

https://paste.armbian.com/fejaheneno


Jira ticket: AR-2068

@igorpecovnik
Member

It passes compilation when added:

--- a/extensions/grub.sh
+++ b/extensions/grub.sh
@@ -276,6 +276,7 @@ configure_grub() {
                GRUB_DISABLE_OS_PROBER=false                             # Have to be explicit about enabling os-prober
                GRUB_FONT="/usr/share/grub/unicode.pf2"                  # Be explicit about the font to use so Ubuntu does not freak out and mess gfxterm
                GRUB_GFXPAYLOAD=keep
+                GRUB_ENABLE_CRYPTODISK=y
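
Review bot: the added GRUB_ENABLE_CRYPTODISK=y line in configure_grub() joins the same unconditional list as GRUB_GFXPAYLOAD=keep, so as far as the visible context shows it would be set for every image built with this extension, not only for builds with CRYPTROOT_ENABLE=yes. Consider emitting it only when CRYPTROOT_ENABLE=yes (or behind a separate switch), and give it a trailing comment like the GRUB_DISABLE_OS_PROBER and GRUB_FONT entries above it so the reason for the setting is recorded.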

... but the resulting image does not work properly. Grub prompts for password, it prompts for disk-unlock but then it doesn't mount /root ... so there is some other problem too. This needs deeper inspection.

igorpecovnik added the Bug (Something isn't working well) label on Feb 17, 2024

@doodlebro
Author

Thanks for confirming, my last successful build was Jan 21st at 1:21 UTC. Hope it helps.

@doodlebro
Author

Adding a few notes as I found time to debug parts of this:

The main issue comes from forced encryption on the boot partition by grub, but I'm not sure when this started. Forcing encrypted /boot breaks remote access since the password must be entered at the grub menu.

Prior to Jan 21st, using the Armbian build flag "CRYPTROOT_ENABLE=yes" only encrypted the root partition, which allowed grub to boot into the initramfs so that I can remotely unlock the root partition. I would expect this to be preserved, or at least have a flag for the boot partition's inclusion.

I don't think we want "GRUB_ENABLE_CRYPTODISK=y" added to extensions/grub.sh for every build, or at all in my case. When I add this, images build and boot alright, so forced encryption of /boot by grub seems like the only thing to handle.
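
A check that tells the two layouts discussed in this thread apart on a built image: whether the filesystem holding /boot sits on a dm-crypt mapping (GRUB must unlock it) or only the root filesystem does (the initramfs unlocks it). This is an added example, not code from Armbian or from the commenters; it assumes input in the form produced by `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT`, and the device names in the samples are constructed.

```shell
#!/usr/bin/env bash
# Added example (not Armbian code).
# Input on stdin: output of `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT`.
# Prints "yes" if /boot is backed by a TYPE="crypt" device, "no" if not,
# "unknown" if neither /boot nor / appears in the input.
boot_on_crypt() {
  awk '
    {
      k = t = p = m = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "="); gsub(/"/, "", kv[2])
        if (kv[1] == "KNAME") k = kv[2]
        else if (kv[1] == "TYPE") t = kv[2]
        else if (kv[1] == "PKNAME") p = kv[2]
        else if (kv[1] == "MOUNTPOINT") m = kv[2]
      }
      dtype[k] = t; parent[k] = p
      if (m == "/boot") boot = k
      if (m == "/") root = k
    }
    END {
      # No separate /boot mount means /boot lives in the root filesystem.
      dev = (boot != "") ? boot : root
      if (dev == "") { print "unknown"; exit }
      # Walk toward the physical disk, looking for a dm-crypt layer.
      for (n = 0; dev != "" && n < 16; n++) {
        if (dtype[dev] == "crypt") { print "yes"; exit }
        dev = parent[dev]
      }
      print "no"
    }'
}

# Constructed sample: plaintext /boot partition, encrypted root.
sample_root_only() { cat <<'EOF'
KNAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot/efi"
KNAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
KNAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-0" TYPE="crypt" PKNAME="sda3" MOUNTPOINT="/"
EOF
}

# Constructed sample: no /boot partition, so /boot is inside the encrypted root.
sample_boot_inside() { sample_root_only | grep -v 'MOUNTPOINT="/boot"'; }

echo "separate /boot -> $(sample_root_only | boot_on_crypt)"
echo "/boot in root  -> $(sample_boot_inside | boot_on_crypt)"
```

A "yes" result is the layout in which grub-install refuses to proceed without GRUB_ENABLE_CRYPTODISK=y and the passphrase is requested at the GRUB stage; "no" is the layout in which the root partition can still be unlocked from the initramfs.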
