Commit b509fca

add support for booting snapshots on LUKS encrypted disk (#333)
* add support for booting snapshots on LUKS encrypted disk
* documentation for booting from LUKS encrypted devices
* better detecting cryptdevice UUID
1 parent f682e17 commit b509fca

5 files changed

+47
-2
lines changed


41_snapshots-btrfs

Lines changed: 26 additions & 2 deletions
@@ -122,6 +122,25 @@ boot_uuid_subvolume=$(awk -F":" 'match($1, /(^[ \t]+UUID)/) {sub(/^[ \t]+/, "",
122122
boot_hs=$(${grub_probe} --device ${boot_device} --target="hints_string" 2>/dev/null) # hints string
123123
boot_fs=$(${grub_probe} --device ${boot_device} --target="fs" 2>/dev/null) # Type filesystem of boot device
124124

125+
# Enable LUKS encrypted devices support
126+
case "$(echo "$GRUB_BTRFS_ENABLE_CRYPTODISK" | tr '[:upper:]' '[:lower:]')" in
127+
true)
128+
list_insmods=()
129+
list_insmods+=("insmod gzio")
130+
list_insmods+=("insmod part_gpt")
131+
list_insmods+=("insmod cryptodisk")
132+
list_insmods+=("insmod luks")
133+
list_insmods+=("insmod gcry_rijndael")
134+
list_insmods+=("insmod gcry_rijndael")
135+
list_insmods+=("insmod gcry_sha256")
136+
list_insmods+=("insmod ${boot_fs}")
137+
list_insmods+=("cryptomount -u $(echo $GRUB_CMDLINE_LINUX_DEFAULT | grep -o -P '(?<=cryptdevice=UUID=).*(?=:cryptdev)')")
138+
;;
139+
*)
140+
list_insmods=("insmod ${boot_fs}")
141+
;;
142+
esac
143+
125144
## Parameters passed to the kernel
126145
kernel_parameters="$GRUB_CMDLINE_LINUX $GRUB_CMDLINE_LINUX_DEFAULT $GRUB_BTRFS_SNAPSHOT_KERNEL_PARAMETERS"
127146
## Mount point location
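Review bot: the `cryptomount -u` line at new line 137 is built without checking that the `grep -o -P` extraction matched anything, so when `GRUB_CMDLINE_LINUX_DEFAULT` has no `cryptdevice=UUID=...:cryptdev...` parameter every snapshot entry gets a bare `cryptomount -u` with no UUID. The lookahead `(?=:cryptdev)` also ties the match to a mapper name that starts with `cryptdev`, and only `GRUB_CMDLINE_LINUX_DEFAULT` is searched although `kernel_parameters` just below is also assembled from `GRUB_CMDLINE_LINUX`. Suggest extracting the UUID into a variable first, matching up to the next `:` rather than a fixed name, and appending the command only when the value is non-empty and has the shape of a UUID. Separately, `insmod gcry_rijndael` is appended twice (new lines 133 and 134); one of them can be dropped.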
@@ -218,8 +237,12 @@ make_menu_entries()
218237
if [ x\$feature_all_video_module = xy ]; then
219238
insmod all_video
220239
fi
221-
set gfxpayload=keep
222-
insmod ${boot_fs}
240+
set gfxpayload=keep"
241+
for j in "${insmods[@]}"; do
242+
entry "\
243+
${j}"
244+
done
245+
entry "\
223246
if [ x\$feature_platform_search_hint = xy ]; then
224247
search --no-floppy --fs-uuid --set=root ${boot_hs} ${boot_uuid}
225248
else
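Review bot: the loop at new lines 241-244 replaces the unconditional `insmod ${boot_fs}`, so `make_menu_entries` now depends on the caller having populated the global `insmods` array. Only the assignment in `boot_bounded()` is visible in this patch; if the function is reached with `insmods` unset, the entry is generated with no filesystem module loaded. Suggest passing the list as an argument or falling back to `insmod ${boot_fs}` when the array is empty. The name is also misleading now that the array carries a `cryptomount -u` command as well as `insmod` lines, and each element is written into the generated entry verbatim.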
@@ -541,6 +564,7 @@ boot_bounded()
541564
detect_rootflags
542565
title_format
543566
boot_dir_root_grub="$(make_system_path_relative_to_its_root "${boot_dir}")" # convert "boot_directory" to root of GRUB (e.g /boot become /)
567+
insmods=("${list_insmods[@]##*"/"}")
544568
make_menu_entries
545569
# show snapshot found during run "grub-mkconfig"
546570
if [ "${GRUB_BTRFS_SHOW_SNAPSHOTS_FOUND:-"true"}" = "true" ]; then
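Review bot: the `##*"/"` expansion at new line 567 is unexplained and strips everything up to the last `/` in each element, which would remove the `insmod` or `cryptomount -u` command word itself if an element ever contained a slash. None of the elements built in the first hunk contains one, so a plain copy `insmods=("${list_insmods[@]}")` looks sufficient; otherwise add a comment saying what the trimming is for.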

README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -274,6 +274,10 @@ After that, the daemon should be restarted with:
274274
sudo rc-service grub-btrfsd restart
275275
```
276276

277+
##### 🔒 Snapshots on LUKS encrypted devices
278+
By default, grub-btrfs generates entries that does not load modules for dealing with encrypted devices.
279+
Enable the `GRUB_BTRFS_ENABLE_CRYPTODISK` variable in `/etc/default/grub-btrfs/config` to load said modules and then execute the steps to mount encrypted root after selecting the snapshot.
280+
277281
- - -
278282
### Troubleshooting
279283
If you experience problems with grub-btrfs don't hesitate [to file an issue](https://github.com/Antynea/grub-btrfs/issues/new/choose).
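Review bot: the new README section at new lines 277-279 does not state what the option depends on. The script takes the UUID from a `cryptdevice=UUID=...:cryptdev...` parameter in `GRUB_CMDLINE_LINUX_DEFAULT`, so users whose kernel command line is laid out differently will get entries that cannot unlock the disk; suggest documenting that requirement here. Also, "entries that does not load" should read "entries that do not load", and "execute the steps to mount encrypted root" would be clearer if it said what is actually emitted (the crypto `insmod` lines and `cryptomount -u`).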

config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -158,3 +158,7 @@ GRUB_BTRFS_IGNORE_PREFIX_PATH=("var/lib/docker" "@var/lib/docker" "@/var/lib/doc
158158
# doesn't work if GRUB_BTRFS_PROTECTION_AUTHORIZED_USERS isn't empty
159159
# Default: "false"
160160
#GRUB_BTRFS_DISABLE_PROTECTION_SUBMENU="true"
161+
162+
# Enable booting from snapshots stored on LUKS encrypted devices
163+
# Default: "false"
164+
#GRUB_BTRFS_ENABLE_CRYPTODISK="true"

manpages/grub-btrfs.8.man

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,14 @@ Default: “false”
102102
.IP \(em 4
103103
Example: \fCGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION="true"\fP
104104

105+
.SS "\GRUB_BTRFS_ENABLE_CRYPTODISK\fP"
106+
.PP
107+
Enable booting from snapshots stored on LUKS encrypted devices
108+
.IP \(em 4
109+
Default: “false”
110+
.IP \(em 4
111+
Example: \GRUB_BTRFS_ENABLE_CRYPTODISK="true"\fP
112+
105113
.SS "CUSTOM KERNELS"
106114
.SS "\fCGRUB_BTRFS_NKERNEL\fP / \fCGRUB_BTRFS_NINIT\fP / \fCGRUB_BTRFS_CUSTOM_MICROCODE\fP"
107115
.PP
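Review bot: the font escapes at new lines 105 and 111 are malformed. `.SS "\GRUB_BTRFS_ENABLE_CRYPTODISK\fP"` and `Example: \GRUB_BTRFS_ENABLE_CRYPTODISK="true"\fP` open with `\G` where the neighbouring entries use `\fC...\fP`, so the `fC` after the backslash was lost and the closing `\fP` has no matching font change. Suggest `\fCGRUB_BTRFS_ENABLE_CRYPTODISK\fP` in both places.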

manpages/grub-btrfs.8.org

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,6 +73,11 @@ Change to "true" if your boot partition is not detected as separate.
7373
- Default: "false"
7474
- Example: ~GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION="true"~
7575

76+
*** ~GRUB_BTRFS_ENABLE_CRYPTODISK~
77+
Enable booting from snapshots stored on LUKS encrypted devices
78+
- Default: "false"
79+
- Example: ~GRUB_BTRFS_ENABLE_CRYPTODISK="true"~
80+
7681
** CUSTOM KERNELS
7782

7883
*** ~GRUB_BTRFS_NKERNEL~ / ~GRUB_BTRFS_NINIT~ / ~GRUB_BTRFS_CUSTOM_MICROCODE~
