Debian sysadmin
Chrooting into an offline EFI-on-LVM-on-LUKS system
It’s the LVM part that I don’t seem to be able to memorise.
cryptsetup luksOpen /dev/sda2 sda2_crypt
vgscan
vgchange -ay /dev/vg-foo
mkdir /target
mount /dev/vg-foo/lv-bar /target
mount /dev/sda1 /target/boot/efi
for i in /sys /proc /dev /run; do mount --rbind $i /target$i; done
chroot /target /bin/bash
The chroot command may be prefixed with unshare --uts, so that hostname(1) can be used to set the chroot’s hostname independently of the host.
GRML is a decent live system. The PGP sigs for the releases are signed by a DD, so they can be verified against the Debian keyring.
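The chroot procedure above as a re-runnable script with a matching teardown, which goes beyond the commands on this page. It is an added example, not the author's own script; the --make-rslave step, the teardown order and the DRY_RUN switch are assumptions layered on the page's placeholder device and volume names.

```shell
#!/bin/sh
# Added example, not from the original page. Device and volume names default
# to the page's own placeholders; override them via the environment.
# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 runs it (needs root).
LUKS_DEV=${LUKS_DEV:-/dev/sda2}
LUKS_NAME=${LUKS_NAME:-sda2_crypt}
VG=${VG:-vg-foo}
LV=${LV:-lv-bar}
ESP_DEV=${ESP_DEV:-/dev/sda1}
TARGET=${TARGET:-/target}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Unlock, activate and mount everything the chroot needs.
setup_chroot() {
    run cryptsetup luksOpen "$LUKS_DEV" "$LUKS_NAME" &&
    run vgscan &&
    run vgchange -ay "$VG" &&
    run mkdir -p "$TARGET" &&
    run mount "/dev/$VG/$LV" "$TARGET" &&
    run mount "$ESP_DEV" "$TARGET/boot/efi" || return 1
    for i in /sys /proc /dev /run; do
        # Assumption: the host uses shared mount propagation (systemd default).
        # Marking each bind as a slave keeps the later recursive umount from
        # propagating back and unmounting the host's own submounts.
        run mount --rbind "$i" "$TARGET$i" &&
        run mount --make-rslave "$TARGET$i" || return 1
    done
}

# Separate UTS namespace, so hostname(1) inside does not rename the host.
enter_chroot() {
    run unshare --uts chroot "$TARGET" /bin/bash
}

# Undo setup_chroot in reverse order, leaving the LUKS volume locked again.
teardown_chroot() {
    run umount -R "$TARGET" &&
    run vgchange -an "$VG" &&
    run cryptsetup close "$LUKS_NAME"
}
```

Source the file and call setup_chroot, enter_chroot and teardown_chroot in that order; review the printed plan first, then repeat with DRY_RUN=0 as root.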
Restoring contents of /boot/efi
grub-install --target=x86_64-efi
Note that a removable drive may be mounted at /boot/efi when this command is run. It is not clear whether grub-install(1)’s --removable option can work with GRUB_ENABLE_CRYPTODISK, so I just mount the removable drive to /boot/efi when I want to restore the contents of its EFI partition.
Some machines, such as my ThinkPad x220, will only boot from the fallback bootloader location, /boot/efi/EFI/BOOT/BOOTX64.EFI. Passing --force-extra-removable to grub-install(1) is meant to copy the right files from /boot/efi/EFI/debian to /boot/efi/EFI/BOOT. You can manually create /boot/efi/EFI/BOOT and copy the file yourself, however, as a fallback:
mkdir -p /boot/efi/EFI/BOOT; cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
If the machine does not support UEFI Secure Boot, but grub-install installs the Secure Boot shim to /boot/efi/EFI/*/bootx64.efi, the machine may not boot. The proper solution is to apt-get purge shim-helpers-amd64-signed shim-signed shim-signed-common shim-unsigned, and then grub-install(1) should copy the right file to bootx64.efi. If it doesn’t, as a workaround to get the machine to boot, mkdir -p /boot/efi/EFI/BOOT; cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/BOOTX64.EFI should work.
Booting Debian from the GRUB 2 shell
grub> ls
grub> set root=(hd0,gpt2)
grub> linux /boot/vmlinuz-... root=/dev/...
grub> initrd /boot/initrd.img-...
grub> boot
Or, from the rescue shell,
grub rescue> ls
grub rescue> set prefix=(hd0,gpt2)/boot/grub
grub rescue> set root=(hd0,gpt2)
grub rescue> insmod normal
grub rescue> normal
grub rescue> insmod linux
grub rescue> linux /boot/vmlinuz-... root=/dev/...
grub rescue> initrd /boot/initrd.img-...
grub rescue> boot