On Sat, Mar 09, 2019 at 11:43:12PM +0100, Joerg Jaspert wrote: > I'm unsure about the severity, so feel free to adjust it. But it did > make my system unbootable twice already, and as its a setup one can > get directly from within debian-installer, it would be nice if it can be > fixed before buster.
(Not by guided partitioning though, as I believe that always gives you a separate unencrypted /boot right now, and you have to arrange for GRUB_ENABLE_CRYPTODISK=y to be set.) > Setup: A new buster install with a fully (except for the EFI partition) > encrypted disk. That includes /boot as encrypted, as /boot is just part > of / here. In that setup, grub-install writes a > /boot/efi/EFI/debian/grub.cfg that contains something like > > --8<---------------cut here---------------start------------->8--- > cryptomount -u e37941013b6c4997bfcdff6145ee0918 > search.fs_uuid a6cd673c-de1d-474f-8808-2ae4fdc7e755 root > lvmid/0l70u1-APaW-hXej-Sn6a-Nnsb-ue1X-0cFW3Y/APpMrR-2yO8-7EOl-V1pi-DH3a-eNby-lwWX3K > set prefix=($root)'/boot/grub' > configfile $prefix/grub.cfg > --8<---------------cut here---------------end--------------->8--- > > Which tries to be clever to not duplicate the actual information in > grub.cfg by loading it from the usual /boot/grub/grub.cfg place. > > Unfortunately the cryptomount line above appears to *not* be enough to > enable grub to decrypt /, so it can not load the real config and you end > up in a rather unusable tiny grub shell. Ugh. > > A cp /boot/grub/grub.cfg /boot/efi/EFI/debian/grub.cfg fixes it and > makes it nicely bootable. No idea which of the many extra commands in > the full grub.cfg are doing the magic, but they do. I tried reproducing this today and couldn't. Now, I was doing it by setting up a matching stretch installation (somewhat by accident) and then upgrading, but still ... Could you tell me exactly which GRUB packages you have installed? In particular it may matter whether you have grub-efi-amd64-signed and shim-signed installed or not (since the -signed image is monolithic rather than relying on "insmod" commands). And it would be helpful to get the full output of "grub-install --debug". Thanks, -- Colin Watson [cjwat...@debian.org]
