Grub looks for the encrypted root UUID before the container is decrypted

My PC froze while I was cleaning Ubuntu 18.10 with bleachbit. On reboot, I got stuck at BusyBox (initramfs) after Grub. On exiting BusyBox, I got the following message:

ALERT! UUID=f6fc1852-25c6-47a6-9976-... does not exist. Dropping to a shell.

Recovery mode fails too.

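I rebooted with a Live CD and ran fsck -f on the disk, which detected and repaired minor errors, after which the output was fine, but the system still did not get past Grub on reboot.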

I have a fully encrypted LVM, with /boot on a separate plaintext partition:

$ sudo fdisk -l
Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 6B6C7A2C-478C-4999-ABD9-53A3BB5FE607

Device             Start        End   Sectors   Size Type
/dev/nvme0n1p1      2048     534527    532480   260M EFI System
/dev/nvme0n1p2    534528     567295     32768    16M Microsoft reserved
/dev/nvme0n1p3    567296  547442295 546875000 260.8G Microsoft basic data
/dev/nvme0n1p4 998166528 1000214527   2048000  1000M Windows recovery environment
/dev/nvme0n1p5 547442688  547969023    526336   257M Linux filesystem
/dev/nvme0n1p6 547969024  998166527 450197504 214.7G Linux filesystem

$ sudo blkid
/dev/nvme0n1p1: LABEL="SYSTEM" UUID="7AA1-7D80" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="8030af7e-64f9-4090-9457-fcd97de33216"
/dev/nvme0n1p3: LABEL="Windows" UUID="DA32A3D932A3B8C1" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="ccc54701-8855-4d06-a7af-b3c4ce9e3c11"
/dev/nvme0n1p4: LABEL="WinRE_DRV" UUID="B242A4E642A4B111" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="73272228-de36-4cb9-959e-53792c2dc104"
/dev/nvme0n1p5: UUID="8618de9e-f06e-46de-9717-38f6da7b1969" TYPE="ext4" PARTUUID="7cdfe2e1-103d-4cf1-9436-0008d34b5ed6"
/dev/nvme0n1: PTUUID="6b6c7a2c-478c-4999-abd9-53a3bb5fe607" PTTYPE="gpt"
/dev/nvme0n1p2: PARTLABEL="Microsoft reserved partition" PARTUUID="6d62624f-eba4-4fbb-838e-9ce6087d1135"
/dev/nvme0n1p6: UUID="69a32ddc-3092-487f-99b5-b0e757c5ddf1" TYPE="crypto_LUKS" PARTUUID="f7199882-ca6f-44a9-8730-92386d62ef50"

There is no UUID starting with f6fc here. I think it is the UUID of the encrypted LVM on the / partition once it has been decrypted with udisksctl unlock -b.

fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/nvme0n1p6_crypt /               ext4    errors=remount-ro 0       1
# /boot was on /dev/nvme0n1p5 during installation
UUID=8618de9e-f06e-46de-9717-38f6da7b1969 /boot           ext4    defaults        0       2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=7AA1-7D80  /boot/efi       vfat    umask=0077      0       1
# /windows was on /dev/nvme0n1p3 during installation
UUID=DA32A3D932A3B8C1 /windows        ntfs    defaults,umask=007,gid=46 0       0
/swapfile                                 none            swap    sw              0       0

So I tried to chroot into the system and reinstall Grub, decrypting the root using both udisksctl unlock -b and the following steps:

$ sudo cryptsetup luksOpen /dev/nvme0n1p6 crypt
Enter passphrase for /dev/nvme0n1p6: 
$ sudo vgchange -ay
$ sudo mount /dev/mapper/crypt /mnt
$ sudo mount /dev/nvme0n1p5 /mnt/boot/
$ sudo mount -t proc proc /mnt/proc
$ sudo mount -o bind /dev /mnt/dev
$ sudo mount -o bind /sys /mnt/sys
$ sudo chroot /mnt
root@ubuntu:/# update-initramfs -c -k all
update-initramfs: Generating /boot/initrd.img-4.18.0-12-generic
Warning: couldn't identify filesystem type for fsck hook, ignoring.
root@ubuntu:/# update-grub
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.18.0-12-generic
Found initrd image: /boot/initrd.img-4.18.0-12-generic
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Adding boot menu entry for EFI firmware configuration
done

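However, Grub does not detect Windows 10 here, and as you can guess, if I am posting here it is because it did not work. I am still stuck with this strange error about a UUID that is not in fstab. I also tried grub-install on the whole disk, with no change.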

Edit: unlocking the root with udisks2, I get:

$ sudo udisksctl unlock -b /dev/nvme0n1p6
Unlocked /dev/nvme0n1p6 as /dev/dm-0.
$ sudo udisksctl mount -b /dev/dm-0 
Mounted /dev/dm-0 at /media/root/f6fc1852-25c6-47a6-9776-4ed8b8d6b70e.

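Note the name of the media: it is the same as the UUID in the error. So I suspect Grub is looking for the UUID of the decrypted LVM before it is actually decrypted. The question is: where can I find that call?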

Edit 2: Meanwhile, I booted Windows 10 for the first time in three months, and the BIOS and SSD firmware were updated. Still no success with Grub.

Edit 3: I found that the faulty call is in /boot/grub/grub.cfg

menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-f6fc1852-25c6-47a6-9776-4ed8b8d6b70e' {
    recordfail
    load_video
    gfxmode $linux_gfx_mode
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_gpt
    insmod ext2
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root  8618de9e-f06e-46de-9717-38f6da7b1969
    else
      search --no-floppy --fs-uuid --set=root 8618de9e-f06e-46de-9717-38f6da7b1969
    fi
    linux   /vmlinuz-4.18.0-12-generic root=UUID=f6fc1852-25c6-47a6-9776-4ed8b8d6b70e ro  quiet splash elevator=noop $vt_handoff
    initrd  /initrd.img-4.18.0-12-generic
}

But here is /etc/default/grub

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash elevator=noop"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

So, how do I fix this?

Answer 1

If /etc/crypttab is empty, that is definitely a problem.

You need to put the root partition in there, like this:

nvme0n1p6_crypt UUID=f6fc1852-25c6-47a6-9776-4ed8b8d6b70e none luks

I assume you will enter the password at boot. If you want to use a key file, change the key file entry "none".

Then you need to run update-initramfs in a chroot. I am not sure, but this should fix the problem. You can also re-run update-grub to be sure.

# boot a live USB/CD and open a terminal
$ sudo cryptsetup luksOpen /dev/nvme0n1p6 crypt
Enter passphrase for /dev/nvme0n1p6: 
$ sudo mount /dev/mapper/crypt /mnt
# edit your /mnt/etc/crypttab to add the root partition as shown above
$ sudo mount /dev/nvme0n1p5 /mnt/boot/
$ sudo mount -o bind /proc /mnt/proc
$ sudo mount -o bind /dev /mnt/dev
$ sudo mount -o bind /sys /mnt/sys
$ sudo chroot /mnt
root@ubuntu:/# sudo update-initramfs -u -k all
root@ubuntu:/# sudo update-grub
root@ubuntu:/# exit
$ sudo umount /mnt/proc
$ sudo umount /mnt/sys
$ sudo umount /mnt/dev
$ sudo umount /mnt/boot
$ sudo umount /mnt
$ sudo reboot
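
The consistency check this thread circles around, as an added example that is not part of the original question or answer: given saved blkid output and a crypttab, it reports whether the root=UUID= filesystem sits inside a LUKS container that crypttab names as a source device. It assumes crypttab(5) semantics (the second field is the encrypted source device, by path or UUID=); the function names, the temporary file names and the /dev/mapper sample line are constructed for this example.

```sh
#!/bin/sh
# Added example: can the initramfs unlock the device behind root=UUID=... ?
# Works on text files, so it can be run from a live session against saved
# `blkid` output and /mnt/etc/crypttab.

# Print every LUKS container in blkid output as both a device path and UUID=...
luks_sources() {
    awk '/TYPE="crypto_LUKS"/ {
        dev = $1; sub(/:$/, "", dev); print dev
        for (i = 2; i <= NF; i++) if ($i ~ /^UUID="/) { gsub(/"/, "", $i); print $i }
    }' "$1"
}

# check_root_unlock ROOT_UUID BLKID_FILE CRYPTTAB_FILE
# Prints one of: plain | ok:<mapping name> | missing | mismatch
check_root_unlock() {
    root_uuid=$1; blkid_file=$2; crypttab=$3
    # Root filesystem sits directly on a partition: nothing has to be unlocked.
    if grep -Ev '^/dev/(mapper/|dm-)' "$blkid_file" | grep -q " UUID=\"$root_uuid\""; then
        echo plain; return 0
    fi
    # crypttab(5) fields: <target name> <source device> <key file> <options>
    entries=$(grep -Ev '^[[:space:]]*(#|$)' "$crypttab" 2>/dev/null | awk '{ print $1, $2 }')
    [ -n "$entries" ] || { echo missing; return 0; }
    sources=$(luks_sources "$blkid_file" | tr '\n' ' ')
    match=$(printf '%s\n' "$entries" | awk -v s="$sources" '
        BEGIN { n = split(s, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($2 in ok) { print $1; exit }')
    if [ -n "$match" ]; then echo "ok:$match"; else echo mismatch; fi
}

# Sample input: the p5/p6 lines are the blkid output quoted in the question; the
# /dev/mapper line is constructed from the udisksctl mount path shown there.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/blkid" <<'EOF'
/dev/nvme0n1p5: UUID="8618de9e-f06e-46de-9717-38f6da7b1969" TYPE="ext4" PARTUUID="7cdfe2e1-103d-4cf1-9436-0008d34b5ed6"
/dev/nvme0n1p6: UUID="69a32ddc-3092-487f-99b5-b0e757c5ddf1" TYPE="crypto_LUKS" PARTUUID="f7199882-ca6f-44a9-8730-92386d62ef50"
/dev/mapper/crypt: UUID="f6fc1852-25c6-47a6-9776-4ed8b8d6b70e" TYPE="ext4"
EOF
ROOT_UUID=f6fc1852-25c6-47a6-9776-4ed8b8d6b70e
: > "$tmp/crypttab.empty"      # constructed: empty crypttab
echo "nvme0n1p6_crypt UUID=69a32ddc-3092-487f-99b5-b0e757c5ddf1 none luks" > "$tmp/crypttab.luks"
echo "nvme0n1p6_crypt UUID=$ROOT_UUID none luks" > "$tmp/crypttab.inner"  # source = inner filesystem

for f in empty luks inner; do
    printf '%-6s -> %s\n' "$f" "$(check_root_unlock "$ROOT_UUID" "$tmp/blkid" "$tmp/crypttab.$f")"
done
```

A result of missing or mismatch means the initramfs has no crypttab entry that names the LUKS container, so the filesystem UUID passed as root= cannot appear at boot.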

Answer 2

Boot-Repair usually works

Boot from a Live USB and choose "Try Ubuntu without installing". Then open a new terminal and type the following commands (press Enter after each line):

sudo add-apt-repository ppa:yannubuntu/boot-repair
sudo apt-get update
sudo apt-get install -y boot-repair && boot-repair

Recommended repair

  1. Launch Boot-Repair either from the Dash (the Ubuntu logo at the top-left of the screen) or by typing "boot-repair" in a terminal.

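  2. Then click the "Recommended repair" button. When the repair is finished, write down on paper the URL that is displayed (paste.ubuntu.com/XXXXX), then reboot and check whether you have recovered access to your operating systems.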

  3. If the repair did not succeed, give the URL to the people helping you, by email or on a forum.

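Warning: the default settings are the ones used by "Recommended repair". Changing them may make your problem worse. Do not modify them before creating a BootInfo URL and asking for advice in the Ubuntu Forums Absolute Beginner section or in Installation and Upgrades.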
