
enter FDE password after grub menuentry

My system is a dual boot of Windows 10 (sdb) and Manjaro (sda) installed on separate hard drives. The Windows system drive is encrypted with BitLocker and Manjaro is encrypted via LVM over LUKS as follows (lsblk).

NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                8:0    0 931.5G  0 disk  
├─sda1             8:1    0   619M  0 part  /boot/efi
├─sda2             8:2    0 232.8G  0 part  
│ └─cryptroot    254:0    0 232.8G  0 crypt 
│   ├─vg0-swap   254:1    0    32G  0 lvm   [SWAP]
│   ├─vg0-system 254:2    0    20G  0 lvm   /
│   └─vg0-data   254:3    0 180.8G  0 lvm   /home
└─sda5             8:5    0 698.1G  0 part  
sdb                8:16   0 232.9G  0 disk  
├─sdb1             8:17   0   499M  0 part  
├─sdb2             8:18   0   100M  0 part  
├─sdb3             8:19   0    16M  0 part  
└─sdb4             8:20   0 232.3G  0 part

I set up grub2 as the default bootloader (installed on Manjaro) and it is able to ask me to choose whether I want to boot Windows or Manjaro via a menu. However, the problem is that it will ask for the (LUKS FDE) password before giving me that menu. As a result, because Windows is already encrypted with BitLocker, I will have to enter the Windows BitLocker password after the LUKS password, which is quite inconvenient. (If I want to boot to Manjaro, surprisingly, I don't need to enter the LUKS password twice.)

Because Windows and Manjaro are installed on different physical hard drives and the boot partition is not encrypted (as shown above), it shouldn't be necessary for grub to ask me for the LUKS password when I want to boot to Windows. It should first show the menu and ask me for the LUKS password only if I choose to boot to Manjaro. But I am not sure how to configure this, and I can't find much resource about it.

Here is my grub config file (at /etc/default/grub):

GRUB_DEFAULT=saved
GRUB_TIMEOUT=10
GRUB_TIMEOUT_STYLE=hidden
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet udev.log_priority=3"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid_is_hidden>:cryptroot"

# If you want to enable the save default function, uncomment the following
# line, and set GRUB_DEFAULT to saved.
GRUB_SAVEDEFAULT=true

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter 
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" 
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper 
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/usr/share/grub/background.png"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

OK, after a lot of research, I figured out a solution, but it might not be the best solution (see caveats below).

Notice the line below in lsblk:

├─sda1             8:1    0   619M  0 part  /boot/efi

The /boot partition is actually encrypted except for the efi partition /boot/efi . I remembered this is the recommended (and probably the default) setting when I installed Manjaro. Because grub will read the menu entries from /boot/grub/grub.cfg , it must first decrypt the LUKS volume ( /boot/grub is encrypted). Therefore, if we want grub to display menu entries before entering the password, we must make sure /boot/grub/grub.cfg is not encrypted.

One way to do this is to mount sda1 as /boot instead of /boot/efi . To do this, we first need to make a change in /etc/fstab to change the mount destination. Then, we need to copy all files from /boot to sda1 . You may want to reinstall grub and regenerate the initramfs in the process. The following commands are useful for this.

sudo mkinitcpio -P
sudo grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=manjaro --recheck
sudo grub-mkconfig -o /boot/grub/grub.cfg

In the end, you need to comment out the line GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub to disable decryption from grub. When everything is done, run the following command to update grub and write the change.

sudo update-grub

Several Caveats

  1. As I mentioned in the question, the original setup does not require entering the LUKS password again after entering it in grub. This is because a keyfile has been embedded into the initramfs so it does not need a password to unlock the LUKS volume, for details see here. Since /boot is not encrypted in the new setup, we must not include this keyfile in the initramfs . To do this, modify the config file for mkinitcpio (the default one should be /etc/mkinitcpio.conf ) to remove the keyfile (under FILES=(...) ), and regenerate the initramfs .
  2. From a security perspective, the default and recommended setting of mounting /boot/efi instead of /boot provides better security as the only unencrypted part is the EFI binary ( grubx64.efi ). In my setup, however, the initramfs and Linux kernel image ( vmlinuz.img ) are also unencrypted. An attacker can inject malicious code into these files that gets executed after you enter the password.

For the reason mentioned above, I don't think my solution is the best, and I am not sure whether there are other solutions for this problem without compromising too much security.

Useful links:

https://wiki.manjaro.org/index.php/GRUB/Restore_the_GRUB_Bootloader
https://wiki.archlinux.org/index.php/GRUB
https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation
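As an added example (not part of the original post), a small POSIX shell audit of the three files the answer touches, to run before rebooting: it checks that the keyfile is gone from mkinitcpio's FILES=(), that GRUB_ENABLE_CRYPTODISK=y is commented out, and that fstab mounts the unencrypted partition at /boot. The keyfile name /crypto_keyfile.bin is an assumption (Manjaro's installer default) and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three files the
# answer edits before rebooting with an unencrypted /boot. The keyfile name
# /crypto_keyfile.bin is an assumption (Manjaro's installer default); pass your
# own paths and keyfile name as arguments if they differ.

# Exit 0 if an active FILES=(...) line in mkinitcpio.conf still names the keyfile.
# With /boot unencrypted that would ship the LUKS key inside a readable initramfs.
mkinitcpio_embeds_keyfile() {
    grep -E '^[[:space:]]*FILES=\(' "$1" | grep -qF -- "${2:-/crypto_keyfile.bin}"
}

# Exit 0 if GRUB_ENABLE_CRYPTODISK=y is still active (not commented out), i.e.
# grub would still ask for the LUKS passphrase before showing the menu.
grub_cryptodisk_active() {
    grep -qE '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Exit 0 if fstab mounts a filesystem at /boot itself (not only /boot/efi), so
# grub.cfg, the kernel and the initramfs live on the unencrypted partition.
fstab_mounts_boot() {
    awk '$1 !~ /^#/ && $2 == "/boot" { f = 1 } END { exit !f }' "$1"
}

# Combined verdict, exit 0 only when all three files agree.
# Args: mkinitcpio.conf  default/grub  fstab  [keyfile]
audit_unencrypted_boot() {
    rc=0
    mkinitcpio_embeds_keyfile "$1" "$4" && { echo "FAIL: keyfile listed in FILES=() of $1"; rc=1; }
    grub_cryptodisk_active "$2" && { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y still active in $2"; rc=1; }
    fstab_mounts_boot "$3" || { echo "FAIL: no /boot mount in $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: consistent with an unencrypted /boot"
    return "$rc"
}

# Constructed sample files: the "before" state from the question and the
# "after" state the answer arrives at (UUID=X is a placeholder).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'FILES=(/crypto_keyfile.bin)\nHOOKS=(base udev)\n' > "$TMP/mkinitcpio.before"
printf 'FILES=()\nHOOKS=(base udev)\n' > "$TMP/mkinitcpio.after"
printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$TMP/grub.before"
printf '#GRUB_ENABLE_CRYPTODISK=y\n' > "$TMP/grub.after"
printf 'UUID=X /boot/efi vfat defaults 0 2\n' > "$TMP/fstab.before"
printf 'UUID=X /boot vfat defaults 0 2\n' > "$TMP/fstab.after"

audit_unencrypted_boot "$TMP/mkinitcpio.before" "$TMP/grub.before" "$TMP/fstab.before" || true  # three FAIL lines
audit_unencrypted_boot "$TMP/mkinitcpio.after" "$TMP/grub.after" "$TMP/fstab.after"           # OK
```

On a real system call audit_unencrypted_boot /etc/mkinitcpio.conf /etc/default/grub /etc/fstab and only run mkinitcpio -P and grub-mkconfig once it prints OK.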
