Arch-Linux

GRUB 找不到加密的引導分區

  • May 17, 2022

Arch Linux 安裝(在加密的 LVM 上)並嘗試加密引導分區。

所謂「全盤加密」卻留著一個未加密的引導分區，這一點一直讓我很在意。這個問題主要是想弄清楚我的安裝哪裡出了錯，但也很希望聽聽關於「不使用未加密引導分區」的看法：未加密的引導分區真的是系統的弱點嗎？哪些部分仍然脆弱？加密引導分區是否真的能更好地保護系統？

說明這一點之後，我會盡量詳細列出安裝過程與系統的相關資訊，以便找出 GRUB 找不到引導分區的原因；如果還需要補充什麼細節，也請告訴我。我想要的只是關於可能的關鍵因素以及系統啟動流程如何運作的提示——我喜歡探索 Linux 系統、動手實驗並從中學習。

安裝後啟動時

Welcome to GRUB!

error: no such device: dbf12ef6-156f-43ac-980d-ee41a017b917
error: unknown filesystem.
Entering rescue mode...
grub rescue>

安裝

# connect to Wi-Fi from the live ISO (interactive iwd client)
root@archiso ~ # iwctl

# refresh the package database (-Syy already forces a refresh; the third y adds nothing)
root@archiso ~ # pacman -Syyy

# overwrite the whole disk with random data so that, once LUKS sits on top,
# unused space is indistinguishable from ciphertext. Appropriate for the
# spinning Hitachi disk shown in the fdisk output below; on an SSD prefer ATA
# Secure Erase or blkdiscard, since wear-levelling keeps old data outside the
# visible LBA range. Reading ~300 GiB from /dev/urandom is slow; writing zeros
# through a throwaway `cryptsetup open --type plain` mapping is the faster
# equivalent.
root@archiso ~ # dd if=/dev/urandom of=/dev/sda bs=4096 status=progress

# create a GPT label and three partitions (interactive fdisk session; the
# indented lines are the intended answers, not literal fdisk input).
# NOTE(review): the `fdisk -l` listing that follows reports sda3 as
# "EFI System", not "Linux LVM" (type alias 30), so the type change for
# partition 3 did not take effect as intended. The partition type does not
# affect LUKS/LVM themselves, but a second partition flagged as an ESP is
# misleading and can confuse firmware or tools that look for the ESP;
# re-check with `t` / `p` before writing with `w`.
root@archiso ~ # fdisk /dev/sda
   g (GPT Partition Table)
   /dev/sda1 EFI System (type alias 1) +500M
   /dev/sda2 Linux FileSystem (type alias 20) +500M
   /dev/sda3 Linux LVM (type alias 30) +100%FREE

# print the resulting partition table
root@archiso ~ # fdisk -l /dev/sda
# result
# NOTE(review): two things in this listing do not match the intent above:
#  - sda3 is typed "EFI System" rather than "Linux LVM".
#  - as printed, sda3 starts at sector 2050047, which is sda2's last sector and
#    is not aligned to the 4096-byte physical sector size reported below.
#    fdisk does not normally create overlapping partitions, so this is most
#    likely a transcription error; verify with `fdisk -l /dev/sda` on the disk.
Disk /dev/sda: 298.09 GiB, 320072933376 bytes, 625142448 sectors
Disk model: Hitachi HTS54503
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes /4096 bytes
Disklabel type: gpt
Disk identifier: A9C36FBB-D67F-5840-9BD9-28326588F6BA

Device       Start       End       Sectors      Size    Type
/dev/sda1     2048   1026047       1024000      500M    EFI System
/dev/sda2  1026048   2050047       1024000      500M    Linux filesystem
/dev/sda3  2050047 625142414     623092367    297.1G    EFI System

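# list block devices with their filesystem signatures.
# NOTE(review): this output must have been captured after the luksFormat steps
# further down (sda2 and sda3 already carry crypto_LUKS signatures); it is out
# of order in the transcript. FSVER 2 means LUKS2. GRUB 2.06, current when this
# was written, can only unlock LUKS2 keyslots that use PBKDF2, whereas
# cryptsetup's LUKS2 default key-derivation function is Argon2 — so the /boot
# container on sda2, formatted with a bare `luksFormat`, is one GRUB cannot
# open. Check with `cryptsetup luksDump /dev/sda2` (the "PBKDF:" field).
# (The archiso mount point was garbled as /rub/...; it is /run/archiso/...)
root@archiso ~ # lsblk -f

NAME    FSTYPE      FSVER    LABEL    UUID    FSAVAIL    FSUSE%    MOUNTPOINT
loop    squashfs    4.0                             0      100%    /run/archiso/sfs/airootfs
sda
-sda1   vfat        FAT32             7D44-F492
-sda2   crypto_LUKS 2                 60f94adc-1e6f-425d-a120-4888fa9bacd3
-sda3   crypto_LUKS 2                 5ab19132-685d-479b-8425-acaa133ed7a8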

# format the EFI System Partition (must be FAT; the firmware reads it unencrypted)
root@archiso ~ # mkfs.fat -F32 /dev/sda1

# create the LUKS container for /boot.
# NOTE(review): with no options cryptsetup writes a LUKS2 header (the lsblk
# output above shows FSVER 2) using its default key-derivation function,
# Argon2. GRUB 2.06 — current when this was written — can only unlock LUKS2
# keyslots that use PBKDF2, so the container created here is one GRUB cannot
# open, and the ext4 filesystem inside it then shows up to GRUB as
# "no such device: <ext4 UUID>", which is the error at the top of this page.
# For a GRUB-unlockable /boot use either
#   cryptsetup luksFormat --type luks1 /dev/sda2
# or
#   cryptsetup luksFormat --pbkdf pbkdf2 /dev/sda2
# and confirm with `cryptsetup luksDump /dev/sda2` (look at the "PBKDF:"
# field). See the GRUB section further down for why the PBKDF, rather than a
# missing GRUB_ENABLE_CRYPTODISK, is the prime suspect.
root@archiso ~ # cryptsetup luksFormat /dev/sda2

# map the /boot container as /dev/mapper/cryptboot
root@archiso ~ # cryptsetup open --type luks /dev/sda2 cryptboot

# put ext4 on the opened /boot container
root@archiso ~ # mkfs.ext4 /dev/mapper/cryptboot

# create the LUKS container that will hold the LVM physical volume. LUKS2 with
# Argon2 is fine here: this one is opened by the initramfs, not by GRUB.
root@archiso ~ # cryptsetup luksFormat /dev/sda3

# map it as /dev/mapper/cryptlvm
root@archiso ~ # cryptsetup open --type luks /dev/sda3 cryptlvm

# initialise the opened LUKS container as an LVM physical volume
root@archiso ~ # pvcreate /dev/mapper/cryptlvm

# volume group on top of it
root@archiso ~ # vgcreate volgroup0 /dev/mapper/cryptlvm

# a 50 GB root logical volume; the rest of the ~297 GiB VG is left free
# (no separate home/swap LV is created in this install — swap is a file later)
root@archiso ~ # lvcreate -L 50GB volgroup0 -n root

# ext4 on the root LV
root@archiso ~ # mkfs.ext4 /dev/volgroup0/root

# mount the future root filesystem at /mnt
root@archiso ~ # mount /dev/volgroup0/root /mnt

# mount point for the encrypted /boot
root@archiso ~ # mkdir /mnt/boot

# mount the opened /boot container. Everything grub-install and mkinitcpio
# write to /boot from here on ends up inside the LUKS container on sda2.
root@archiso ~ # mount /dev/mapper/cryptboot /mnt/boot

# /etc does not exist yet on the empty root filesystem; genfstab needs it
root@archiso ~ # mkdir /mnt/etc

# generate fstab from the current mounts, keyed by filesystem UUID (-U)
root@archiso ~ # genfstab -U -p /mnt >> /mnt/etc/fstab

# sanity check
root@archiso ~ # cat /mnt/etc/fstab

# /dev/mapper/volgroup0-root
UUID=71d35768-2e3b-4aad-bd88-313544742d72    /        ext4    rw,relatime             0 1

# /dev/mapper/cryptboot
# NOTE(review): this UUID belongs to the ext4 filesystem *inside* the LUKS
# container and only exists while /dev/mapper/cryptboot is open. Nothing in
# this transcript arranges for cryptboot to be opened on the installed system:
# the `cryptdevice=` kernel parameter set further down only unlocks sda3, and
# no /etc/crypttab entry is written for sda2. So even once GRUB can read
# /boot, this mount will fail at boot (systemd typically waits on the device
# and then times out) until an entry such as
#   cryptboot UUID=60f94adc-1e6f-425d-a120-4888fa9bacd3 none luks
# is added to /etc/crypttab — which means another passphrase prompt unless a
# keyfile is used; the Arch Wiki "Encrypted /boot" page covers the crypttab
# and keyfile setup. The `stripe=4` option was copied from the live-system
# mount by genfstab and is harmless.
UUID=dbf12ef6-156f-43ac-980d-ee41a017b917    /boot    ext4    rw,relatime,stripe=4    0 2

# install the base system into /mnt.
# (notes
#   linux is the default kernel, linux-lts the fallback; installing both gives
#   a second GRUB menu entry to boot from if one kernel breaks.
#   grub efibootmgr dosfstools os-prober mtools support a UEFI GRUB install.
#   base-devel, netctl, wireless_tools and dialog are not used by anything in
#   this transcript and could be dropped; -i asks for confirmation per group.
# )
root@archiso ~ # pacstrap -i /mnt base base-devel linux linux-lts linux-headers linux-lts-headers networkmanager wpa_supplicant wireless_tools netctl openssh dialog lvm2 grub efibootmgr dosfstools os-prober mtools vim

# enter the new system
root@archiso ~ # arch-chroot /mnt

# enable NetworkManager and sshd at boot.
# NOTE(review): this exposes an SSH server from the very first boot. Nothing
# in this transcript sets a root password (`passwd`) or creates an
# unprivileged user, so either do that before leaving the chroot or keep
# sshd disabled until the system is configured; consider
# `PasswordAuthentication no` in /etc/ssh/sshd_config as well.
[root@archiso /]# systemctl enable sshd NetworkManager

# edit /etc/mkinitcpio.conf so the initramfs can unlock LUKS and activate LVM.
# Intended line:
#   HOOKS=(base udev autodetect keyboard keymap consolefont modconf block lvm2 encrypt filesystems fsck)
# NOTE(review): hooks run in the order listed, and the volume group lives
# *inside* the LUKS container on sda3, so the documented order for LVM on LUKS
# is `... block encrypt lvm2 filesystems fsck` (encrypt before lvm2). Keeping
# `keyboard` and `keymap` ahead of `encrypt`, as here, makes the passphrase
# prompt use the configured layout.
[root@archiso /]# vim /etc/mkinitcpio.conf

# rebuild the initramfs for every installed kernel (`mkinitcpio -P` does all
# presets in one go)
[root@archiso /]# mkinitcpio -p linux
[root@archiso /]# mkinitcpio -p linux-lts

# time zone (Brazil/East is a legacy alias; America/Sao_Paulo is the canonical name)
[root@archiso /]# ln -sf /usr/share/zoneinfo/Brazil/East /etc/localtime

# set the hardware clock from the system clock and generate /etc/adjtime
[root@archiso /]# hwclock --systohc

# uncomment the wanted locale(s) in /etc/locale.gen
[root@archiso /]# vim /etc/locale.gen

# build them
[root@archiso /]# locale-gen

# LANG=... goes in /etc/locale.conf
[root@archiso /]# vim /etc/locale.conf

# console keymap (KEYMAP=...) goes in /etc/vconsole.conf (not vconsole.font).
# The `keymap` initramfs hook reads this file, so it also governs the layout
# used at the LUKS passphrase prompt.
[root@archiso /]# vim /etc/vconsole.conf

# configure GRUB (chosen for compatibility; e.g. Timeshift expects GRUB).
# Intended settings in /etc/default/grub:
#   GRUB_ENABLE_CRYPTODISK=y
#   GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/sda3:volgroup0:allow-discards quiet"
# NOTE(review):
#  - GRUB_ENABLE_CRYPTODISK=y takes effect at grub-install time: it makes
#    grub-install embed the cryptodisk/LUKS modules and a `cryptomount` step
#    into the EFI image. With /boot on a LUKS device, grub-install normally
#    refuses to run without it ("attempt to install to encrypted disk without
#    cryptodisk enabled"); since no error was reported below, the setting was
#    in effect, and the image should be trying to unlock sda2. That leaves the
#    LUKS2/Argon2 key derivation (see the luksFormat step above) as the most
#    likely reason GRUB cannot open the container and ends up with
#    "no such device: <ext4 UUID>".
#  - Prefer `cryptdevice=UUID=5ab19132-685d-479b-8425-acaa133ed7a8:volgroup0`
#    over `/dev/sda3`: kernel device names are not stable across disks/ports.
#  - `allow-discards` passes TRIM through dm-crypt and lets anyone who reads
#    the raw disk see which blocks are unused (hence the filesystem layout).
#    It buys nothing on the spinning disk used here.
#  - Encrypting /boot protects the kernel and initramfs from tampering only as
#    far as the GRUB EFI binary on the still-unencrypted ESP is trusted;
#    without UEFI Secure Boot (signed shim/GRUB) or measured boot, that
#    binary can be replaced just as an unencrypted kernel could.
[root@archiso /]# vim /etc/default/grub

# mount point for the EFI System Partition
[root@archiso /]# mkdir /boot/EFI

# mount the ESP
[root@archiso /]# mount /dev/sda1 /boot/EFI

# install GRUB as an EFI application. No --efi-directory was given; since
# grub-install reported no errors it evidently found the ESP at /boot/EFI by
# itself, but passing `--efi-directory=/boot/EFI` explicitly removes the guess.
[root@archiso /]# grub-install --target=x86_64-efi --bootloader-id=grub_uefi --recheck

# GRUB message catalogue for English (optional; silences a locale warning)
[root@archiso /]# mkdir /boot/grub/locale

[root@archiso /]# cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

# generate grub.cfg.
# NOTE(review): intel-ucode is installed only *after* this step (further
# down), so the generated config has no microcode initrd line; re-run
# grub-mkconfig once the microcode package is installed.
[root@archiso /]# grub-mkconfig -o /boot/grub/grub.cfg

# swap file instead of a swap partition: resizing is just delete + recreate,
# whereas resizing partitions is far riskier. Because the file lives on the
# root LV inside the LUKS container, swapped-out pages are encrypted too.
# fallocate is fine for ext4 (Btrfs needs a different procedure).
[root@archiso /]# fallocate -l 4G /swapfile

# only root may read it — it will hold memory pages, possibly including secrets
[root@archiso /]# chmod 600 /swapfile

# write the swap signature
[root@archiso /]# mkswap /swapfile

# keep a copy of fstab before appending to it
[root@archiso /]# cp /etc/fstab /etc/fstab.bak

# activate swap at boot. `sw` is a Debian-era placeholder; `defaults` is the
# usual value on Arch — either works.
[root@archiso /]# echo "/swapfile none swap sw 0 0" | tee -a /etc/fstab

# sanity check.
# NOTE(review): inside the chroot the file is /etc/fstab; /mnt/etc/fstab does
# not exist there, so the output below must have come from `cat /etc/fstab`.
[root@archiso /]# cat /mnt/etc/fstab

# /dev/mapper/volgroup0-root
UUID=71d35768-2e3b-4aad-bd88-313544742d72    /        ext4    rw,relatime             0 1

# /dev/mapper/cryptboot
UUID=dbf12ef6-156f-43ac-980d-ee41a017b917    /boot    ext4    rw,relatime,stripe=4    0 2

/swapfile none swap sw 0 0

# CPU microcode (amd-ucode for AMD, intel-ucode for Intel).
# NOTE(review): grub-mkconfig already ran above; it only adds the microcode
# initrd to grub.cfg when the package is present, so re-run
# `grub-mkconfig -o /boot/grub/grub.cfg` after this step.
[root@archiso /]# pacman -S intel-ucode

# X server for a desktop environment
[root@archiso /]# pacman -S xorg-server

# video driver: mesa for Intel/AMD, nvidia nvidia-lts nvidia-utils for NVIDIA
[root@archiso /]# pacman -S mesa

# leave the chroot.
# NOTE(review): no root password (`passwd`) and no user account were set in
# this chroot session, while sshd was enabled above; the Arch install guide
# lists `passwd` as a required step before rebooting.
[root@archiso /]# exit

# unmount everything. `umount -a` also tries the live medium's own mounts;
# `umount -R /mnt` unmounts just the installation tree.
root@archiso ~ # umount -a

# shut down
root@archiso ~ # poweroff

以上就是完整的安裝過程。在寫這個問題時，我注意到 GRUB 嘗試尋找的裝置 ID 是 dbf12ef6-156f-43ac-980d-ee41a017b917

error: no such device: dbf12ef6-156f-43ac-980d-ee41a017b917

這正好是 **/dev/mapper/cryptboot** 內 ext4 檔案系統的 UUID（記錄在 /mnt/etc/fstab，也就是安裝後系統的 /etc/fstab 中），安裝期間它被掛載在 /boot：

# /dev/mapper/cryptboot
UUID=dbf12ef6-156f-43ac-980d-ee41a017b917    /boot    ext4    rw,relatime,stripe=4    0 2

在我看來，這個對映裝置只有在執行 `root@archiso ~ # cryptsetup open --type luks /dev/sda2 cryptboot` 之後才存在。

這可能是問題嗎?關於可能是什麼問題,我哪裡出錯以及如何解決的任何提示?

非常感謝,任何缺少的資訊我都會提供更詳細的資訊。

正如 TelcomM 所建議的那樣,我在安裝之前徹底審查了 Arch Wiki 中的兩個連結,但我錯過了一個具體的說明:

注意:/boot 不需要單獨的分區;它也可能位於系統的根/目錄樹下。

雖然這並沒有回答「為什麼 GRUB 找不到加密的引導分區」，也沒有真正解決讓 GRUB 找到該分區的問題，但在我看來，在同一顆磁碟上分別加密兩個分區——一個放系統根目錄、另一個放引導檔案——本來就沒有多大意義。

只用一個加密分區、讓 /boot 直接留在系統根目錄之下，就能正常運作，系統也能正常啟動。

基於這一點，我認為這個做法也足以消除我對「留著未加密引導分區卻號稱全盤加密」的疑慮。因此 /boot 分區的問題對我來說算是解決了。

然而這個安裝仍然留著一個「礙眼」的未加密 EFI 系統分區（grub-install 寫入的 GRUB EFI 映像就放在上面），所以對我來說問題依舊：這個未加密的分區會不會成為系統可能的弱點？

我非常感謝討論中的任何觀點。

Arch Wiki 有配置引導分區和 grub 以相互兼容的具體說明: 加密 /boot 分區 - Arch Wiki

您是否有機會徹底審查並確保您在創建加密引導分區時已經完成了那裡列出的步驟?

還有這個Arch Wiki Guide on Full System Encryption

未加密的引導分區確實是系統上的一個漏洞點嗎?

我對 /boot 裡的內容了解不算深入，無法斷言，但我不認為那裡有什麼東西會讓攻擊者更容易破解其他分區的加密本身：/boot 放的是核心、initramfs 與 GRUB 設定，並不包含加密金鑰。真正的風險在於完整性而非機密性——能實際接觸機器的人可以替換未加密的核心或 initramfs，在你下次輸入密碼時把它記錄下來（所謂 evil maid 攻擊）。

攻擊者至少能得知你正在執行的核心版本以及 initramfs 的內容（hooks、裝置對映等），更重要的是能修改它們。把 /boot 加密只是把這個弱點移到仍未加密的 ESP 上的 GRUB EFI 映像；若沒有 UEFI Secure Boot（搭配經簽署的啟動載入程式）或以 TPM 為基礎的量測啟動來驗證它，攻擊者同樣可以替換該映像。

引用自:https://unix.stackexchange.com/questions/605971