* [gentoo-user] Uefi + uki stuck while booting (/dev/gpt-auto-root)
From: Alexander Puchmayr @ 2024-06-16 8:04 UTC
To: gentoo-user
Hi there,
I just tried to prepare my new laptop for UEFI+secureboot by creating a single
unified kernel image including kernel,initrd,microcode,etc.
NB: The partition layout has a vfat/Efi partition and a luks encrypted lvm
container holding SYS(Root), Data(home) and swap.
I added uki and ukify use flags to installkernel and systemd, checked the
configuration again and configured the kernel by
emerge --config sys-kernel/gentoo-kernel.
Building the kernel image seems to work fine, the log messages say it's creating
an initrd using dracut, creating an efi file, signing it properly and even
installs it under /boot/efi/EFI/Linux.
When booting it, it loads the kernel and then seems to get stuck:
Timed out waiting for device /dev/gpt-auto-root
Dependency failed for File System Check in /dev/gpt-auto-root
Dependency failed for Root Partition
Dependency failed for Initrd Root File System
Dependency failed for Initrd Mountpoints Configured in the Real Root
Dependency failed for Initrd Root Device
Then it ends up in an emergency shell.
There's a log in /run/initramfs/rdsosreport.txt, which reveals that it does
not find my encrypted lvm partition (LUKS encrypted lvm container holding SYS,
DATA, SWAP, etc), which obviously needs to be setup first. Seems like some boot
parameter is missing.
Checking systemd's USE flags: Relevant flags lvm + cryptsetup + boot +
secureboot use flags are set
To me it looks as if it's missing information which partition to use for
decrypting/mounting, and which lvm volume to use as real-root.
Is this a dracut configuration? A systemd configuration? An installkernel
configuration? Something else?
Thanks
Alex
* Re: [gentoo-user] Uefi + uki stuck while booting (/dev/gpt-auto-root)
From: Michael @ 2024-06-16 10:59 UTC
To: gentoo-user
I'm not the right person to comment reliably on this, because I don't use
systemd and do not use LVM, but until someone else chimes in I'll give it a go
... :-)
On Sunday, 16 June 2024 09:04:26 BST Alexander Puchmayr wrote:
> Hi there,
>
> I just tried to prepare my new laptop for UEFI+secureboot by creating a
> single unified kernel image including kernel,initrd,microcode,etc.
> NB: The partition layout has a vfat/Efi partition and a luks encrypted lvm
> container holding SYS(Root), Data(home) and swap.
>
> I added uki and ukify use flags to installkernel and systemd, checked the
> configuration again and configured the kernel by
> emerge --config sys-kernel/gentoo-kernel.
>
> Building the kernel image seems to work fine, the log messages say it's
> creating an initrd using dracut, creating an efi file, signing it properly
> and even installs it under /boot/efi/EFI/Linux.
Why is the ESP mounted under /boot/efi, instead of /efi?
https://wiki.gentoo.org/wiki/EFI_System_Partition#Mount_point
> When booting it, it loads the kernel and then seems to get stuck:
>
> Timed out waiting for device /dev/gpt-auto-root
> Dependency failed for File System Check in /dev/gpt-auto-root
> Dependency failed for Root Partition
> Dependency failed for Initrd Root File System
> Dependency failed for Initrd Mountpoints Configured in the Real Root
> Dependency failed for Initrd Root Device
The gpt-auto-root is a script which tries to automatically detect and mount
the root fs. Did you create your partition(s) with GPT and did you select the
correct partition type "Linux Root (x86-64)" to make sure the partition GUID
code for LUKS is correct according to the Discoverable Partitions
Specification? If you used fdisk, you'll probably need to add the partition
type GUID code manually, as advised in the Handbook. Press -i in fdisk to
find out what it currently is set as.
> Then it ends up in an emergency shell.
>
> There's a log in /run/initramfs/rdsosreport.txt, which reveals that it does
> not find my encrypted lvm partition (LUKS encrypted lvm container holding
> SYS, DATA, SWAP, etc), which obviously needs to be setup first. Seems like
> some boot parameter is missing.
Did you configure dracut to include the necessary modules and to add the
corresponding LUKS and LVM UUIDs?
https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch#Initramfs_configuration
> Checking systemd's USE flags: Relevant flags lvm + cryptsetup + boot +
> secureboot use flags are set
>
> To me it looks as if it's missing information which partition to use for
> decrypting/mounting, and which lvm volume to use as real-root.
>
> Is this a dracut configuration? A systemd configuration? An installkernel
> configuration? Something else?
>
> Thanks
> Alex
I think this is a dracut configuration issue, because systemd's
'kernel-install' setup is relatively straightforward:
https://wiki.gentoo.org/wiki/Installkernel#Systemd_kernel-install_.28USE.3D.2Bsystemd.29
If the problem is with dracut as I suspect, you may find 'sys-kernel/ugrd'
easier than dracut for your type of installation, but dracut should work too
if correctly configured.
HTH.
* Re: [gentoo-user] [SOLVED] Uefi + uki stuck while booting (/dev/gpt-auto-root)
From: Alexander Puchmayr @ 2024-06-17 6:23 UTC
To: gentoo-user
On Sunday, 16 June 2024, 12:59:54 CEST Michael wrote:
> I'm not the right person to comment reliably on this, because I don't use
> systemd and do not use LVM, but until someone else chimes in I'll give it a
> go ... :-)
>
I found the solution for my specific setup (lvm+luks+secureboot):
installkernel: USE+=uki ukify
Systemd: USE += secureboot cryptsetup boot ukify
This implies that installkernel is using dracut for creating an initrd and
systemd's uki-generator for creating the efi file.
Systemd's uki generator is configured in /etc/kernel/uki.conf:
[UKI]
SecureBootSigningTool=sbsign
SecureBootPrivateKey="/usr/share/secureboot/keys/db/db.key"
SecureBootCertificate="/usr/share/secureboot/keys/db/db.pem"
Cmdline=dolvm rd.luks.uuid=luks-<partuuid> root=/dev/mapper/<lvmroot> rd.luks.options=discard
Where <partuuid> is the partition uuid of the encrypted lvm container and
<lvmroot> the real root inside the container (/dev/mapper/<something>). The
dolvm instructs initrd to trigger the lvm discovery, rd.luks.uuid being defined
tells it to use cryptsetup luksOpen on the specified device.
rd.luks.options=discard is optional and enables pass-through of ssd trim
commands through the lvm layer to the real nvme-ssd.
The relevant information I was looking for is the Cmdline argument in
uki.conf.
Best Regards
Alex
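
A check for the failure this thread ends on, as an added example that is not part of any poster's message: it parses a uki.conf and reports a missing root= or rd.luks.uuid=, unfilled <placeholders>, and a Cmdline whose tail was wrapped onto a second line. The sample files, the UUID, the volume name and the function name check_uki_conf are constructed for illustration.

```python
import configparser
import shlex

# Constructed samples (UUID and volume names are made up, not from the thread).
NO_CMDLINE = "[UKI]\nSecureBootSigningTool=sbsign\n"
WRAPPED = ("[UKI]\n"
           "Cmdline=dolvm rd.luks.uuid=luks-<partuuid> root=/dev/mapper/<lvmroot>\n"
           "rd.luks.options=discard\n")
GOOD = ("[UKI]\n"
        "SecureBootSigningTool=sbsign\n"
        "Cmdline=dolvm rd.luks.uuid=luks-0f3c9a52-7d1e-4c0b-9f0a-2b6d8e4a1c77 "
        "root=/dev/mapper/vg0-sys rd.luks.options=discard\n")


def check_uki_conf(text):
    """Return a list of (code, detail) findings for the [UKI] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key case; uki.conf keys are CamelCase
    cp.read_string(text)
    uki = dict(cp["UKI"]) if cp.has_section("UKI") else {}
    findings = []

    # Heuristic (assumption): a key that starts lowercase is the tail of a
    # Cmdline that was wrapped onto a new line, e.g. "rd.luks.options=discard".
    for key in uki:
        if not key[:1].isupper():
            findings.append(("wrapped-cmdline", key))

    cmdline = uki.get("Cmdline") or ""
    params = dict(p.partition("=")[::2] for p in shlex.split(cmdline))

    # Without root= the initrd waits for /dev/gpt-auto-root, as in the thread.
    if "root" not in params:
        findings.append(("missing-root", "no root= in Cmdline"))
    # The thread's fix relies on rd.luks.uuid= to open the LUKS container.
    if "rd.luks.uuid" not in params:
        findings.append(("missing-luks-uuid", "no rd.luks.uuid= in Cmdline"))
    for name, value in params.items():
        if "<" in value or ">" in value:
            findings.append(("placeholder", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("no cmdline", NO_CMDLINE), ("wrapped", WRAPPED), ("good", GOOD)):
        print(label, check_uki_conf(sample))
```

Run it against the text of /etc/kernel/uki.conf before rebuilding and signing the image, since the command line is fixed inside the UKI once it is built.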