Debian sysadmin

Chrooting into an offline EFI-on-LVM-on-LUKS system

It’s the LVM part that I don’t seem to be able to memorise.

  1. cryptsetup luksOpen /dev/sda2 sda2_crypt
  2. vgscan
  3. vgchange -ay /dev/vg-foo
  4. mkdir /target
  5. mount /dev/vg-foo/lv-bar /target
  6. mount /dev/sda1 /target/boot/efi
  7. for i in /sys /proc /dev /run; do mount --rbind $i /target$i; done
  8. chroot /target /bin/bash, maybe prefixed with unshare --uts so that hostname(1) can be used to set the chroot’s hostname independently of the host.

GRML is a decent live system. The PGP sigs for the releases are signed by a DD, so they can be verified against the Debian keyring.

Restoring contents of /boot/efi

grub-install --target=x86_64-efi

Note that a removable drive may be mounted at /boot/efi when this command is run. It is not clear whether grub-install(1)’s --removable option can work with GRUB_ENABLE_CRYPTODISK, so I just mount the removable drive at /boot/efi when I want to restore the contents of its EFI partition.

Some machines, such as my ThinkPad x220, will only boot from the fallback bootloader location, /boot/efi/EFI/BOOT/BOOTX64.EFI. Passing --force-extra-removable to grub-install(1) is meant to copy the right files from /boot/efi/EFI/debian to /boot/efi/EFI/BOOT. You can manually create /boot/efi/EFI/BOOT and copy the file yourself, however, as a fallback: mkdir -p /boot/efi/EFI/BOOT; cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/BOOTX64.EFI

If the machine does not support UEFI Secure Boot, but grub-install installs the Secure Boot shim to /boot/efi/EFI/*/bootx64.efi, the machine may not boot. The proper solution is to apt-get purge shim-helpers-amd64-signed shim-signed shim-signed-common shim-unsigned, and then grub-install(1) should copy the right file to bootx64.efi. If it doesn’t, as a workaround to get the machine to boot, mkdir -p /boot/efi/EFI/BOOT; cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/BOOTX64.EFI should work.
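
A check for the two situations above (fallback loader missing, or something other than GRUB's image sitting at the fallback path), as an added example that is not part of the original notes. The function names and the status words printed are made up here; it assumes the ESP is mounted and that a byte-for-byte copy of grubx64.efi is what should be at EFI/BOOT/BOOTX64.EFI.

```shell
#!/bin/sh
# Added example: report the state of the UEFI fallback loader on a mounted ESP.
# Usage: check_fallback [ESP_MOUNTPOINT]    (default: /boot/efi)
# Prints one word and sets the exit status:
#   grub     (0)  fallback loader is identical to EFI/debian/grubx64.efi
#   other    (1)  fallback loader exists but differs (e.g. the Secure Boot
#                 shim, or a stale copy from an older GRUB)
#   missing  (1)  no fallback loader at EFI/BOOT/BOOTX64.EFI
#   no-grub  (2)  EFI/debian/grubx64.efi itself is absent

# Resolve a path below $1 component by component, ignoring case.
# A vfat ESP is case-insensitive, but a copy or backup of it on another
# filesystem is not, so BOOT/BOOTX64.EFI and boot/bootx64.efi must both match.
find_ci() {
    dir=$1
    shift
    for part in "$@"; do
        dir=$(find "$dir" -mindepth 1 -maxdepth 1 -iname "$part" 2>/dev/null | head -n 1)
        [ -n "$dir" ] || return 1
    done
    printf '%s\n' "$dir"
}

check_fallback() {
    esp=${1:-/boot/efi}

    grub=$(find_ci "$esp" EFI debian grubx64.efi) || {
        echo no-grub
        return 2
    }
    fallback=$(find_ci "$esp" EFI BOOT BOOTX64.EFI) || {
        echo missing
        return 1
    }

    # cmp -s is silent and exits 0 only when the files are byte-identical.
    if cmp -s "$grub" "$fallback"; then
        echo grub
        return 0
    fi
    echo other
    return 1
}
```

Run check_fallback inside the chroot after grub-install; "missing" or "other" is the cue for the mkdir/cp workaround above.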

Booting Debian from the GRUB 2 shell

grub> ls
grub> set root=(hd0,gpt2)
grub> linux /boot/vmlinuz-... root=/dev/...
grub> initrd /boot/initrd.img-...
grub> boot

Or, from the rescue shell,

grub rescue> ls
grub rescue> set prefix=(hd0,gpt2)/boot/grub
grub rescue> set root=(hd0,gpt2)
grub rescue> insmod normal
grub rescue> normal
grub rescue> insmod linux
grub rescue> linux /boot/vmlinuz-... root=/dev/...
grub rescue> initrd /boot/initrd.img-...
grub rescue> boot