- Story
- Resolution: Won't Do
- Normal
- None
- rhel-9.3.0.z
- Normal
- sst_desktop_firmware_bootloaders
- ssg_desktop
- 3
- False
- Red Hat Enterprise Linux
- x86_64
What were you trying to do that didn't work?
The customer would like UEFI support added so that booting with an encrypted /boot partition is possible in Red Hat Enterprise Linux 9.
NOTE: This capability was previously added to Red Hat Enterprise Linux 8 in BZ:1873725
"UEFI: allow booting from luks encrypted /boot"
https://bugzilla.redhat.com/show_bug.cgi?id=1873725
Please provide the package NVR for which bug is seen:
grub2-efi-x64
How reproducible:
N/A
Steps to reproduce:
- mkdir /boot-backup
- umount -v /boot/efi
- rsync -avAXP /boot/ /boot-backup
- umount -v /boot
- cryptsetup luksFormat /dev/sda2 --type luks1
- uuid=$(lsblk -dno uuid /dev/sda2); echo "******* $uuid ********"   # UUID of the new LUKS container
- cryptsetup open /dev/sda2 luks-${uuid}
- orig_uuid=$(grep 'boot.*xfs' /etc/fstab | cut -d' ' -f1 | cut -d'=' -f2)   # UUID of the old, unencrypted /boot
- mkfs.xfs -m uuid=${orig_uuid} -L BOOT /dev/mapper/luks-${uuid}   # reuse the old UUID so the /etc/fstab entry still matches
- mount -v /dev/mapper/luks-${uuid} /boot
- rsync -avAXP /boot-backup/ /boot/
- mount -v /dev/sda1 /boot/efi/
- restorecon -RFv /boot
- rm -rvf /boot-backup/
- echo 'GRUB_PRELOAD_MODULES="luks cryptodisk"' >> /etc/default/grub
- echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
- echo "luks-${uuid} UUID=${uuid} none discard" >> /etc/crypttab
- grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
I've been asked for the password before GRUB2 starts but then I don't see any menu entry.
If I enter the following in GRUB command-line mode:
grub> cryptomount -u 2161ce0fb4fc4bd0a4010c21e8e79196
grub> search --no-floppy --fs-uuid --set=dev --hint='cryptouuid/2161ce0fb4fc4bd0a4010c21e8e79196' aa3f4dea-f05c-4bd6-9372-967f4b4d5e42
grub> set prefix=($dev)/grub2
grub> export prefix
grub> configfile $prefix/grub.cfg
where 2161ce0fb4fc4bd0a4010c21e8e79196 is the UUID of the encrypted /dev/sda2 and aa3f4dea-f05c-4bd6-9372-967f4b4d5e42 is the UUID of the unencrypted /boot.
NOTE: it then starts properly, but it gives a FIPS error (because the original system has FIPS enabled).
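The reproduction steps above and the manual GRUB commands show the one detail that is easy to get wrong when converting /boot: crypttab and lsblk use the dashed LUKS UUID, while GRUB's cryptomount -u takes the same UUID with the dashes removed. The following pre-reboot check is an added example, not code from the Jira issue or from the grub2 package; it assumes (not stated on the page) that grub2-mkconfig with GRUB_ENABLE_CRYPTODISK=y writes a "cryptomount -u <uuid-without-dashes>" line for the /boot container into the generated grub.cfg, and that the crypttab entry is named luks-<uuid> as in the steps above. File paths are passed in so it can be run against the live files or against the constructed sample it writes itself.

```shell
#!/bin/sh
# Added example, not part of the Jira issue: pre-reboot consistency checks for a
# LUKS-encrypted /boot on a UEFI GRUB2 system. The three file paths are passed in
# so the checks can run against the live files or against constructed copies.
# Assumptions (not stated on the page): grub2-mkconfig with GRUB_ENABLE_CRYPTODISK=y
# emits "cryptomount -u <uuid-without-dashes>" into grub.cfg, and the crypttab
# entry for the /boot container is named luks-<uuid>.

# GRUB's cryptomount -u wants the LUKS UUID without dashes; lsblk and crypttab
# use the dashed form. Convert one to the other.
grub_luks_uuid() {
    printf '%s' "$1" | tr -d '-'
}

# Print the UUID of the first crypttab entry named luks-* that uses UUID= syntax.
crypttab_luks_uuid() {
    awk '$1 ~ /^luks-/ && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$1"
}

# Succeed only if /etc/default/grub turns cryptodisk support on.
default_grub_has_cryptodisk() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1"
}

# Succeed only if grub.cfg unlocks the container with the given dashed UUID.
grubcfg_mounts_uuid() {
    grep -q "cryptomount -u $(grub_luks_uuid "$2")" "$1"
}

# Run every check, print each failure, and return the failure count as status.
check_encrypted_boot() {
    default_grub=$1 crypttab=$2 grubcfg=$3
    failures=0
    if ! default_grub_has_cryptodisk "$default_grub"; then
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing from $default_grub"
        failures=$((failures + 1))
    fi
    uuid=$(crypttab_luks_uuid "$crypttab")
    if [ -z "$uuid" ]; then
        echo "FAIL: no luks-* entry with UUID= in $crypttab"
        failures=$((failures + 1))
    elif ! grubcfg_mounts_uuid "$grubcfg" "$uuid"; then
        echo "FAIL: $grubcfg has no 'cryptomount -u $(grub_luks_uuid "$uuid")' line"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample files (hypothetical contents, reusing the container UUID from
# the report) so the checks can be exercised without touching a real system.
write_sample_config() {
    dir=$1
    printf 'GRUB_PRELOAD_MODULES="luks cryptodisk"\nGRUB_ENABLE_CRYPTODISK=y\n' > "$dir/grub"
    printf 'luks-%s UUID=%s none discard\n' \
        2161ce0f-b4fc-4bd0-a401-0c21e8e79196 2161ce0f-b4fc-4bd0-a401-0c21e8e79196 > "$dir/crypttab"
    printf 'insmod cryptodisk\ninsmod luks\ncryptomount -u 2161ce0fb4fc4bd0a4010c21e8e79196\n' > "$dir/grub.cfg"
}

sample=$(mktemp -d)
write_sample_config "$sample"
if check_encrypted_boot "$sample/grub" "$sample/crypttab" "$sample/grub.cfg"; then
    echo "OK: grub.cfg, crypttab and /etc/default/grub agree on the /boot container"
fi
rm -rf "$sample"
```

On a real system, call check_encrypted_boot /etc/default/grub /etc/crypttab /boot/efi/EFI/redhat/grub.cfg before rebooting; a non-zero status with a printed FAIL line means GRUB will either not attempt the unlock at all or will ask for the passphrase for a container that does not hold /boot.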