LUKS password prompt invisible, prompts twice

Hardware: ThinkPad X200

Firmware: Libreboot 2016

OS: Guix System

Expected behavior:

Password prompt. Enter LUKS passphrase. Log into computer.

Actual behavior:

Password prompt. Enter LUKS passphrase. Select boot option from GRUB menu. Hangs, no password prompt. Enter passphrase (again) anyway: Boots normally.

Steps to reproduce:

1. Turn on laptop.

2. Select SeaBIOS payload (default boot option doesn't work).

3. Respond to LUKS prompt.

4. Select boot option.

5. Stare at gray screen with no password prompt.

--

Caleb

I can reproduce this on kernels 6.1.58, 6.5.7. Rolling back to a generation with kernel 6.1.57 fixes it, though, this is a correlation and I do not know if the kernel necessarily is what caused it.

As far as I know, the double prompt is expected behaviour (65002 seems to have a fix for that), as /boot is encrypted. What happens for me is that my custom GRUB background seems to cover the Linux framebuffer until I enter my password. After entering my LUKS password, everything works fine and I see output from Shepherd and Xorg starts as expected.

Hardware: Lenovo Thinkpad T460s

Hi Caleb,

Caleb Herbert <csh@bluehome.net> writes:

I think this is a combination of two things: first, we currently need to

unlock the drive once for GRUB, and then once when Linux boots, hence

the two password prompts. This is a known limitation, but the usual

workaround of adding a keyfile to the initrd wouldn't work in our case

for security reasons: the keyfile would end up in the store and be

world-readable, a disaster.

Regarding the second prompt being invisible, I think it might be related

to the framebuffer initialization for Libreboot since there have been

lots of reports about this. I don't know anything myself, but maybe

someone else could chime in?

Best,

--

Josselin Poiret

I believe a patch[1] enabling this is waiting for a review.

[1]: https://issues.guix.gnu.org/65002

With regards to the invisible LUKs prompt; my laptop does not run libreboot, but is still affected. Seems more like the Thinkpad framebuffer driver has a bug on the Linux or Grub side to me.

Hi

I’m also getting this bug (the second decrypt screen not showing up) with

Linux kernel versions 6.5.8 and 6.5.9 (the latest version as of writing);

6.5.7 does not have the bug for me.

The bug behaviour is the same on 2/2 of my Guix System machines. And it is

the same for both Linux and linux-libre kernels of the same version.

Thanks

Jake

Oh, this might be interesting… At least it's something.

Could you diff a working 6.5.7 and broken 6.5.8 configuration? The

configuration is stored as /gnu/store/…-linux-libre-6.5.x/.config;

there's no need to boot the kernel just to load the config.gz module.

If you use Coreboot or a derivative: do your broken kernels include

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6d7e181ba18d11c92409a93936025fb46b9c8171?

And if they do, have you tried booting with

(initrd-modules (cons "framebuffer-coreboot" %base-initrd-modules))

by any chance?

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

Hi everyone,

I've been hit by this bug as well on my desktop (AMD GPU, default UEFI).

Reading through this thread, and especially checking commit

6d7e181ba18d11c92409a93936025fb46b9c8171, what fixed the invisible LUKS

password prompt for me was adding simplefb to the list of initrd-modules

in my system config.

Hope this helps,

James Smith

Hi Tobias

The initrd-modules snippet did not fix it.

Below is the diff of the .configs for 6.5.9 (not 6.5.8 sorry) and 6.5.7.

Thanks

Jake

3c3

< # Linux/x86_64 6.5.9-gnu Kernel Configuration

---

2354c2354

< CONFIG_SYSFB_SIMPLEFB=y

---

2356,2363c2356

< CONFIG_GOOGLE_FIRMWARE=y

< # CONFIG_GOOGLE_SMI is not set

< # CONFIG_GOOGLE_CBMEM is not set

< CONFIG_GOOGLE_COREBOOT_TABLE=m

< # CONFIG_GOOGLE_MEMCONSOLE_X86_LEGACY is not set

< CONFIG_GOOGLE_FRAMEBUFFER_COREBOOT=m

< # CONFIG_GOOGLE_MEMCONSOLE_COREBOOT is not set

< # CONFIG_GOOGLE_VPD is not set

---

6956c6949

< CONFIG_DRM_SIMPLEDRM=m

---

7085c7078

< CONFIG_FB_SIMPLE=m

---

On Sun, Oct 29, 2023 at 11:49?AM Tobias Geerinckx-Rice via Bug reports for

GNU Guix <bug-guix@gnu.org> wrote:

Hi Tobias

The initrd-modules snippet did not fix it.

Below is the diff of the .configs for 6.5.9 (not 6.5.8 sorry) and 6.5.7.

Thanks

Jake

3c3

< # Linux/x86_64 6.5.9-gnu Kernel Configuration

---

2354c2354

< CONFIG_SYSFB_SIMPLEFB=y

---

2356,2363c2356

< CONFIG_GOOGLE_FIRMWARE=y

< # CONFIG_GOOGLE_SMI is not set

< # CONFIG_GOOGLE_CBMEM is not set

< CONFIG_GOOGLE_COREBOOT_TABLE=m

< # CONFIG_GOOGLE_MEMCONSOLE_X86_LEGACY is not set

< CONFIG_GOOGLE_FRAMEBUFFER_COREBOOT=m

< # CONFIG_GOOGLE_MEMCONSOLE_COREBOOT is not set

< # CONFIG_GOOGLE_VPD is not set

---

6956c6949

< CONFIG_DRM_SIMPLEDRM=m

---

7085c7078

< CONFIG_FB_SIMPLE=m

---

Also affected, stock thinkpad. Can confirm that

(initrd-modules (cons "simplefb" %base-initrd-modules))

does fix the issue for me. Reverting

6d7e181ba18d11c92409a93936025fb46b9c8171 also fixes the issue.

T.

--

Tomas P4l4cl][n Volf

-- "There are only 10 types of people in the world: Those who

understand binary, and those who don't."

close 66746

quit

Fixed in e49fdc231b0be00490fe1321888eb5c2acc480ac (by revert).

A guix pull and reconfigure just now fixed it for me. I didn’t need to add

simplefb to os declaration.

Thanks

Jake

On Wed, 1 Nov 2023 at 1:06 am, X <volf.tomas@gmail.com> wrote: