(address . bug-guix@gnu.org)
Hi,

I followed the manual to manually install Guix with full disk encryption
using LUKS2 and PBKDF2. However this leaves me with an unbootable system,
stuck at Grub’s rescue prompt, because `grub-install` apparently does
not know how to detect a LUKS2 target and therefore does not include
the modules required to open the encrypted volume in the EFI image. See
[1].

I managed to manually create a core.img with the help of ArchLinux’
Wiki[2] (see also [3]), boot into the system and reconfigure with a
modified bootloader:

---snip---
(define install-grub-efi-mkimage
  ;; Create a Grub EFI image with included cryptomount support for luks2,
  ;; which grub-install does not handle yet.
  #~(lambda (bootloader efi-dir mount-point)
      (when efi-dir
        (let ((grub-mkimage (string-append bootloader "/bin/grub-mkimage"))
              ;; Required modules, YMMV.
              (modules (list "luks2" "part_gpt" "cryptodisk" "gcry_rijndael"
                             "pbkdf2" "gcry_sha256" "ext2"))
              (prefix (string-append mount-point "/boot/grub"))
              ;; Different configuration required to set up a crypto
              ;; device. Change crypto_uuid to match your output of
              ;; `cryptsetup luksUUID /device`.
              ;; XXX: Maybe cryptomount -a could work?
              (config #$(plain-file "grub.cfg" "set crypto_uuid=755e547f78f44dc38dab58399e1780a6
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal"))
              (target-esp (if (file-exists? (string-append mount-point efi-dir))
                              (string-append mount-point efi-dir)
                              efi-dir)))
          (apply invoke (append
                         (list
                          grub-mkimage
                          "-p" prefix
                          "-O" "x86_64-efi"
                          "-c" config
                          "-o" (string-append target-esp "/EFI/Guix/grubx64.efi"))
                         modules))))))

(define grub-efi-bootloader-luks2
  (bootloader
   (inherit grub-efi-bootloader)
   (name 'grub-efi-luks2)
   (installer install-grub-efi-mkimage)))
---snap---

Supposedly there are also patches for grub-mkimage, but maybe we can
include a workaround like the above by default until then or remove the
section about LUKS2 entirely?

Cheers,
Lars
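
Added example, not part of the original report or of Guix: a pre-flight check for the workaround above. It reads `cryptsetup luksDump` text and reports whether the volume uses only what the report's module list covers (LUKS2, PBKDF2, SHA-256, AES), and converts the `cryptsetup luksUUID` output to the dash-less form used for `crypto_uuid`. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Print a LUKS UUID in the dash-less form used for crypto_uuid in the
# report's embedded grub.cfg.
grub_crypto_uuid() {
    printf '%s\n' "$1" | tr -d '-'
}

# Read `cryptsetup luksDump` output on stdin and compare it with the module
# list from the report (luks2, pbkdf2, gcry_sha256, gcry_rijndael).
#   prints "covered"          and returns 0 when everything matches
#   prints "uncovered: ..."   and returns 1 for a field the list does not cover
#   prints "not-luks2"        and returns 2 when the header is not LUKS2
luks_preflight() {
    awk '
        $1 == "Version:"                  { version = $2 }
        $1 == "PBKDF:"  && $2 != "pbkdf2" { issues = issues " pbkdf=" $2 }
        $1 == "Hash:"   && $2 != "sha256" { issues = issues " hash=" $2 }
        $1 == "Cipher:" && $2 !~ /^aes-/  { issues = issues " cipher=" $2 }
        END {
            if (version != 2) { print "not-luks2"; exit 2 }
            if (issues != "") { print "uncovered:" issues; exit 1 }
            print "covered"
        }
    '
}

# Constructed sample, shaped like `cryptsetup luksDump` output for a LUKS2
# volume; the UUID is the value from the report with dashes re-inserted.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           755e547f-78f4-4dc3-8dab-58399e1780a6
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
EOF
}

# Demo on the constructed sample; on a real system, pipe in
# `cryptsetup luksDump /device` instead.
sample_dump | luks_preflight
grub_crypto_uuid "755e547f-78f4-4dc3-8dab-58399e1780a6"
```

A keyslot reported as uncovered means the module list passed to `grub-mkimage` needs adjusting before the image can open the volume.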