How to manually overwrite existing GRUB image file with new one on BIOS-GPT system

Hello, dear Manjaro community! I have a complicated question about GRUB bootloader and I will be very grateful if you can help me figure it out.

If you are not interested in the numerous details of my configuration, and you understand without them what and why I want to do, then you can skip reading them and go directly to a specific question at the end of my post.

I have a laptop that doesn’t support UEFI mode at all, so I can use only BIOS legacy mode in my situation. I have Manjaro Linux installed on an HDD with a GPT partition table. My system is completely up-to-date with the latest GRUB 2.06 bootloader version. I want to use the new LUKS2 encryption not only for my “root” partition, but also for my “boot” partition. And now with GRUB 2.06 I can make it real.

My “/dev/sda” disk has the following partitions:

  1. sda1 - 1MiB “bios” partition without filesystem with “bios_grub” flag;
  2. sda2 - 512MiB “boot” partition, it is a separate LUKS2-PBKDF2-encrypted boot partition mounted at “/boot” with BTRFS filesystem;
  3. sda3 - 931GiB “root” partition, it is a LUKS2-argon2id-encrypted root partition mounted at “/” with BTRFS filesystem.

Here are my encryption settings for “boot” partition:

--type luks2 --cipher serpent-xts-plain64 --hash whirlpool --key-size 512 --pbkdf pbkdf2 --iter-time 10000 --use-random

Here are my encryption settings for “root” partition:

--type luks2 --cipher serpent-xts-plain64 --hash whirlpool --key-size 512 --pbkdf argon2id --iter-time 10000 --use-random

LUKS keyfiles for both “boot” and “root” partitions are configured correctly. All the necessary GRUB and mount settings have already been set by me. The system starts up correctly with little manual intervention.

I have installed GRUB bootloader with these commands:

  1. sudo grub-install --target=i386-pc /dev/sda --modules="luks2 part_gpt part_msdos cryptodisk gcry_serpent pbkdf2 gcry_whirlpool btrfs" --recheck

  2. sudo grub-mkconfig -o /boot/grub/grub.cfg

Although GRUB 2.06 fully supports a LUKS2-PBKDF2-encrypted “boot” partition, due to the existing problem described here and here, the system cannot start automatically without a little manual intervention.

For the reasons described above I have to use the following script to manually get a new preconfigured GRUB “core.img” file, whose settings should let me automatically turn on my computer without any problems and errors. If I understand correctly, this file is called “grubx64.efi” on UEFI systems.

#!/bin/bash
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u 24cf2eb3e4c64d8f89e822917f53b5d6
set prefix='(crypto0)/grub'
set root='(crypto0)'
insmod normal
normal
EOF
grub-mkimage \
    -p '(crypto0)/grub' \
    -O i386-pc \
    -c "$CONFIG" \
    -o /home/sexyowl/core.img \
    luks2 part_gpt part_msdos cryptodisk gcry_serpent pbkdf2 gcry_whirlpool btrfs
rm "$CONFIG"

Please tell me which command I need to use to overwrite my existing GRUB image file with the new one so that it works on my configuration (BIOS system without UEFI support or EFI partition, separate “boot” partition, GPT disk partition table, 1MiB bios_grub partition)?
Obviously I can’t just copy and paste this file due to the fact that the “bios_grub” disk partition doesn’t have any filesystem and can’t be mounted.

Thank you very much in advance!!!

P.S. Right now, I can start my system manually by executing the same commands in “grub rescue” as indicated in the script above, but I need to do it every time I want to turn on my computer, so I want to make it automatic.
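The “bios_grub” partition mentioned in the post above has no filesystem: it is a raw run of sectors that is recognisable only by its GPT type GUID. The following is an added example, not part of the original post, that finds that partition in a GPT and checks whether an image of a given size fits into it. It assumes 512-byte logical sectors and does not verify the GPT CRCs; the function names and the sample disk are constructed for illustration.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
# GPT type GUID of the BIOS boot partition (what parted shows as the "bios_grub" flag)
BIOS_BOOT_GUID = uuid.UUID("21686148-6449-6E6F-744E-656564454649")

def find_bios_boot(disk: bytes):
    """Return (first_lba, last_lba) of the BIOS boot partition, or None."""
    hdr = disk[SECTOR:SECTOR + 92]              # primary GPT header lives at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # offset 72: entry array LBA (u64), entry count (u32), entry size (u32)
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = disk[off:off + size]
        if len(entry) < 48:                     # ran past the data we were given
            break
        # type GUID is stored mixed-endian, hence bytes_le
        if uuid.UUID(bytes_le=entry[:16]) == BIOS_BOOT_GUID:
            return struct.unpack_from("<QQ", entry, 32)  # first LBA, last LBA
    return None

def core_fits(disk: bytes, core_size: int) -> bool:
    """True if an image of core_size bytes fits in the BIOS boot partition."""
    part = find_bios_boot(disk)
    if part is None:
        return False
    first, last = part
    return core_size <= (last - first + 1) * SECTOR

def build_sample_disk() -> bytes:
    """Constructed sample: GPT whose first entry is a 1 MiB BIOS boot partition."""
    disk = bytearray(SECTOR * 34)               # LBA 0..33: MBR, header, 128 entries
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)
    disk[SECTOR:SECTOR + 92] = hdr
    entry = BIOS_BOOT_GUID.bytes_le + bytes(16) + struct.pack("<QQ", 2048, 4095)
    disk[2 * SECTOR:2 * SECTOR + len(entry)] = entry
    return bytes(disk)
```

To inspect a real disk, pass in its first 34 sectors read from the device node, which needs read access to that device.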

Hello @hotcapy :slight_smile:

That is just a thought, but could be wrong.

If you grub-install with these modules:

Must it not be added to GRUB_PRELOAD_MODULES= also?

/etc/default/grub

GRUB_PRELOAD_MODULES="luks2 part_gpt part_msdos cryptodisk gcry_serpent pbkdf2 gcry_whirlpool btrfs"

I mean, grub-install creates the core.img, right? So when running grub-mkconfig it reads /etc/default/grub for creation of the menu.

Just an idea.


Hi, @megavolt =) Thank you very much for your answer!

I think you are right about GRUB preload modules, but I have already specified them in the /etc/grub/default configuration file and after that executed the command grub-mkconfig -o /boot/grub/grub.cfg:

GRUB_PRELOAD_MODULES="luks2 part_gpt part_msdos cryptodisk gcry_serpent pbkdf2 gcry_whirlpool btrfs"

My main problem is that when I turn on my computer, the GRUB bootloader displays an error “No such device found” and then I get “grub rescue” window. After that, I can manually start the bootloader with the following commands in “grub rescue” window:

cryptomount -u 24cf2eb3e4c64d8f89e822917f53b5d6
set prefix='(crypto0)/grub'
set root='(crypto0)'
insmod normal
normal

24cf2eb3e4c64d8f89e822917f53b5d6 is UUID of my separate LUKS2-encrypted “boot” partition and (crypto0) is the “name” of this partition given by GRUB after entering the password and decryption/mounting.

But every time I restart my computer, I get the same error, and again I have to manually write these commands in “grub rescue”.

This problem is definitely related to LUKS2, because when the “boot” partition is encrypted with LUKS1 everything is perfect and GRUB displays no errors. And, of course, after converting LUKS1 to LUKS2 I tried many times to reinstall GRUB and its config with all the necessary modules.

Maybe there is some other way to automatically execute these commands when I turn on the computer, for example, via some GRUB configuration files?.. :slightly_smiling_face:

Sorry, my knowledge and experience end here, no idea about this, but since the grub.cfg is similar to the bash shell, you should be able to run your script there and copy it:

cp /tmp/image /boot/path/to/core.img

https://www.gnu.org/software/grub/manual/grub/html_node/Shell_002dlike-scripting.html#Shell_002dlike-scripting

However… maybe it could be also a problem with different PBKDF:

argon2id seems not to be supported by grub.
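GRUB 2.06 can only derive LUKS2 keys with PBKDF2, so any keyslot on a partition GRUB itself must unlock has to use it. The following is an added example, not part of the original thread, that reads text shaped like `cryptsetup luksDump` output and lists the keyslots GRUB 2.06 could not open. The sample dump is constructed and abbreviated, and the function names are hypothetical.

```python
import re

GRUB_206_PBKDFS = {"pbkdf2"}  # GRUB 2.06 has no argon2i/argon2id support

# Constructed, abbreviated sample shaped like `cryptsetup luksDump` output (LUKS2).
SAMPLE_DUMP = """\
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     serpent-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        Cipher:     serpent-xts-plain64
        PBKDF:      pbkdf2
        Hash:       whirlpool
Tokens:
Digests:
  0: pbkdf2
        Hash:       whirlpool
"""

def keyslot_pbkdfs(dump: str) -> dict:
    """Map keyslot number -> PBKDF name, reading only the Keyslots section."""
    slots, section, current = {}, None, None
    for line in dump.splitlines():
        if line and not line[0].isspace():   # unindented: header field or new section
            section = line.split(":", 1)[0]
            current = None
            continue
        if section != "Keyslots":            # e.g. Digests also has "0: pbkdf2" lines
            continue
        m = re.match(r"\s+(\d+):\s+luks2\b", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s+PBKDF:\s+(\S+)", line)
        if m and current is not None:
            slots[current] = m.group(1)
    return slots

def slots_grub_cannot_open(dump: str) -> list:
    """Keyslots whose PBKDF is outside what GRUB 2.06 supports."""
    return sorted(n for n, kdf in keyslot_pbkdfs(dump).items()
                  if kdf not in GRUB_206_PBKDFS)
```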