FS#51879 - [grub] fails with ext4 and encrypt feature in /boot
Attached to Project:
Arch Linux
Opened by Rodrigo Rivas Costa (rodrigorc) - Friday, 18 November 2016, 19:29 GMT
Last edited by Christian Hesse (eworm) - Friday, 08 September 2017, 10:11 GMT
Details
Description:
Grub does not recognize the "encrypt" feature in ext4 filesystems. That makes the system totally unbootable if /boot is in such a system. And since tune2fs cannot be used to remove that feature, only to insert it, you will have a bad time restoring the system.

I'm sure that the Grub people are working on it, but in the meantime, I have written a quick patch to be able to boot, attached.

Additional info:
* 1:2.02.beta3-4

Steps to reproduce:
* Enable the feature in your filesystem where /boot is: "tune2fs -O encrypt /dev/sdxx".
* Reboot the system, it will fail
* To restore the system, reboot with an ArchISO and do: "debugfs -w -R 'feature -encrypt' /dev/sdxx"
Closed by Christian Hesse (eworm)
Friday, 08 September 2017, 10:11 GMT
Reason for closing: Implemented
Additional comments about closing: grub 2:2.02-2
Probably we should wait for upstream to provide a proper solution.
My patch just accepts the filesystem feature and then ignores the encrypted directories content, so it is able to boot the system.
Of course, if the /boot directory itself is encrypted it will not work. For that you'd need to implement the decrypt functionality and add the password somewhere...
But I don't think that is the normal use case for this feature (and I'm not up to patching that). I think that it is intended to encrypt the `/home/user` or the `/home/user/secret` or something like that. Not `/` or `/boot`.
@Doug:
> Sounds more like an unimplemented feature than a bug.
From the Grub POV, sure. But from the Arch user POV, now I have this fancy new feature [1] that will make my system unbootable. I'd say that this is a distribution bug.
[1]: https://wiki.archlinux.org/index.php/Ext4#Using_ext4_file-based_encryption
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=734668238fcc0ef691a080839e04f33854fa133a
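A pre-reboot check for the condition described in this report, as an added example that is not part of the original task, the attached patch, or GRUB: it reads the ext superblock and reports whether the `encrypt` incompat flag is set on the filesystem holding /boot. The function names and the constructed sample image are assumptions made for illustration; the offsets and flag value follow the ext4 on-disk superblock layout.

```python
import struct
import sys

SUPERBLOCK_OFFSET = 1024    # primary superblock starts 1 KiB into the device
MAGIC_OFFSET = 0x38         # s_magic, little-endian 16 bit
INCOMPAT_OFFSET = 0x60      # s_feature_incompat, little-endian 32 bit
EXT_MAGIC = 0xEF53
INCOMPAT_ENCRYPT = 0x10000  # EXT4_FEATURE_INCOMPAT_ENCRYPT


def incompat_flags(image: bytes) -> int:
    """Return s_feature_incompat from the first 2 KiB of a device or image."""
    sb = image[SUPERBLOCK_OFFSET:]
    if len(sb) < INCOMPAT_OFFSET + 4:
        raise ValueError("too short to contain an ext superblock")
    (magic,) = struct.unpack_from("<H", sb, MAGIC_OFFSET)
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext2/3/4 filesystem (magic {magic:#06x})")
    (flags,) = struct.unpack_from("<I", sb, INCOMPAT_OFFSET)
    return flags


def has_encrypt(image: bytes) -> bool:
    """True when the 'encrypt' feature from this report is enabled."""
    return bool(incompat_flags(image) & INCOMPAT_ENCRYPT)


def sample_image(flags: int, magic: int = EXT_MAGIC) -> bytes:
    """Constructed 2 KiB image holding only the two fields read above."""
    img = bytearray(2048)
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + MAGIC_OFFSET, magic)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + INCOMPAT_OFFSET, flags)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. the partition holding /boot
        with open(sys.argv[1], "rb") as dev:
            data = dev.read(2048)
    else:                                   # constructed sample with the flag set
        data = sample_image(0x2C2 | INCOMPAT_ENCRYPT)
    if has_encrypt(data):
        print("encrypt is set: per this report, grub 1:2.02.beta3-4 cannot boot from it")
        sys.exit(1)
    print("encrypt is not set")
```

Run it as root with the block device that holds /boot as the only argument before rebooting; exit status 1 means the flag is set.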