Hello, dear Manjaro community! I have a complicated question about the GRUB bootloader and I will be very grateful if you can help me figure it out.
If you are not interested in the numerous details of my configuration, and you understand without them what and why I want to do, then you can skip reading them and go directly to a specific question at the end of my post.
I have a laptop that doesn’t support UEFI mode at all, so I can use only BIOS legacy mode in my situation. I have Manjaro Linux installed on an HDD with a GPT partition table. My system is completely up-to-date with the latest GRUB 2.06 bootloader version. I want to use the new LUKS2 encryption not only for my “root” partition, but also for my “boot” partition. And now with GRUB 2.06 I can make it real.
My “/dev/sda” disk has the following partitions:
- sda1 - 1MiB “bios” partition without filesystem with “bios_grub” flag;
- sda2 - 512MiB “boot” partition, it is a separate LUKS2-PBKDF2-encrypted boot partition mounted at “/boot” with BTRFS filesystem;
- sda3 - 931GiB “root” partition, it is a LUKS2-argon2id-encrypted root partition mounted at “/” with BTRFS filesystem.
Here are my encryption settings for “boot” partition:
--type luks2 --cipher serpent-xts-plain64 --hash whirlpool --key-size 512 --pbkdf pbkdf2 --iter-time 10000 --use-random
Here are my encryption settings for “root” partition:
--type luks2 --cipher serpent-xts-plain64 --hash whirlpool --key-size 512 --pbkdf argon2id --iter-time 10000 --use-random
LUKS keyfiles for both “boot” and “root” partitions are configured correctly. All the necessary GRUB and mount settings have already been set by me. The system starts up correctly with little manual intervention.
I have installed GRUB bootloader with these commands:
- sudo grub-install --target=i386-pc /dev/sda --modules="luks2 part_gpt part_msdos cryptodisk gcry_serpent pbkdf2 gcry_whirlpool btrfs" --recheck
- sudo grub-mkconfig -o /boot/grub/grub.cfg
Although GRUB 2.06 fully supports a LUKS2-PBKDF2-encrypted “boot” partition, due to the existing problem described here and here, the system cannot start automatically without a little manual intervention.
For the reasons described above I have to use the following script to manually get a new preconfigured GRUB “core.img” file, whose settings should let me automatically turn on my computer without any problems and errors. If I understand correctly, this file is called “grubx64.efi” on UEFI systems.
#!/bin/bash
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u 24cf2eb3e4c64d8f89e822917f53b5d6
set prefix='(crypto0)/grub'
set root='(crypto0)'
insmod normal
normal
EOF
grub-mkimage \
-p '(crypto0)/grub' \
-O i386-pc \
-c "$CONFIG" \
-o /home/sexyowl/core.img \
luks2 part_gpt part_msdos cryptodisk gcry_serpent pbkdf2 gcry_whirlpool btrfs
rm "$CONFIG"
Please tell me which command I need to use to overwrite my existing GRUB image file with new one so that it works on my configuration (BIOS system without UEFI support or EFI partition, separate “boot” partition, GPT disk partition table, 1MiB bios_grub partition)?
Obviously I can’t just copy and paste this file due to the fact that “bios_grub” disk partition doesn’t have any filesystem and can’t be mounted.
Thank you very much in advance!!!
P.S. Right now, I can start my system manually by executing the same commands in the “grub rescue” as indicated in the script above, but I need to do it every time when I want to turn on my computer, so I want to make it automatically.
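
A pre-flight check for the setup described in the post, as an added example that is not part of the original post: it reads the text of `cryptsetup luksDump` for the boot partition and confirms that the UUID in the embedded `cryptomount -u` line matches the header (in the dashless form the post uses) and that every keyslot uses PBKDF2, the only LUKS2 key derivation GRUB 2.06 can unlock. The function names and the trimmed sample dump are constructed for illustration.

```bash
#!/bin/bash
# Added example: pre-flight check before embedding a cryptomount line in core.img.
# Input is the text printed by `cryptsetup luksDump <device>`.

# Constructed sample dump (trimmed); the UUID is the post's value in dashed form.
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           24cf2eb3-e4c6-4d8f-89e8-22917f53b5d6
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       whirlpool
Digests:
  0: pbkdf2
        Hash:       whirlpool'
SAMPLE_CFG="cryptomount -u 24cf2eb3e4c64d8f89e822917f53b5d6"

# Header UUID, lower-cased, dashes removed (the form used in the post).
luks_uuid_nodash() {
    printf '%s\n' "$1" |
        awk '$1 == "UUID:" { gsub(/-/, "", $2); print tolower($2); exit }'
}

# List "slot:kdf" for every keyslot whose PBKDF is not pbkdf2.
non_pbkdf2_slots() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { section = $0 }
        section == "Keyslots:" && $1 ~ /^[0-9]+:$/ { slot = $1 }
        section == "Keyslots:" && $1 == "PBKDF:" && $2 != "pbkdf2" { print slot $2 }'
}

# check_boot_luks DUMP CFG: prints "ok" and returns 0, or a reason and returns 1.
check_boot_luks() {
    local uuid want bad
    uuid=$(luks_uuid_nodash "$1")
    want=$(printf '%s\n' "$2" |
        awk '$1 == "cryptomount" && $2 == "-u" { print tolower($3); exit }')
    bad=$(non_pbkdf2_slots "$1")
    if [ -z "$uuid" ] || [ "$uuid" != "$want" ]; then
        echo "uuid-mismatch"; return 1
    fi
    if [ -n "$bad" ]; then
        echo "unsupported-pbkdf $bad"; return 1
    fi
    echo "ok"
}

check_boot_luks "$SAMPLE_DUMP" "$SAMPLE_CFG"
```

On a real system the first argument would be the output of `sudo cryptsetup luksDump /dev/sda2` and the second the contents of the config file passed to `grub-mkimage -c`.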