Page MenuHomePureOS Tracker

Encrypted bootloader has lost graphical UI
Open, HighPublic

Description

On initial installation of Pure OS on a new Librem 13, the hard drive was encrypted by default. Accidentally decrypted the hard drive on a subsequent install, then re-encrypted it on a third install, along with the boot partition. Now decryption password prompt comes without a splash screen, even though "splash" parameter is set in the "vmlinuz" line of the grub.cfg file.

Event Timeline

jonas.smedegaard reassigned this task from mladen to mak.Mar 4 2019, 02:57
jonas.smedegaard added a subscriber: mladen.

In the grub package in Debian there was a configuration change that PureOS inherited. That change is the addition of an enabled display of the encryption password prompt. Can you check to see if there is a "GRUB_ENABLE_CRYPTODISK=y" line in/etc/default/grub ?

If so, you can comment that out, then do a ‘sudo update-grub’, and then reboot. Grub should stop asking for a password then.

jeremiah.foster triaged this task as High priority.
jeremiah.foster added a subscriber: mak.

Found the comment in /etc/default/grub and commented it out, then updated grub. Rebooted, but still the same startup sequence. Double checked to make sure the grub default file was saved with the enable_cryptodisk statement commented out.

Did you run

$ sudo update-grub

?

Yes, I updated grub before reboot.

Can you paste a copy of you grub.cfg file? Either here or in a pastebin somewhere? That might help debugging the issue. You grub.cfg file likely won't have any secret info, just things like the command line to boot your system as well as the UUID of your disks.

eric.spivey added a comment.EditedMar 7 2019, 20:09
  1. grub.cfg #
  2. DO NOT EDIT THIS FILE #
  3. It is automatically generated by grub-mkconfig using templates
  4. from /etc/grub.d and settings from /etc/default/grub #

BEGIN /etc/grub.d/00_header

if [ -s $prefix/grubenv ]; then

set have_grubenv=true
load_env

fi
if [ "${next_entry}" ] ; then

set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true

else

set default="0"

fi

if [ x"${feature_menuentry_id}" = xy ]; then

menuentry_id_option="--id"

else

menuentry_id_option=""

fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then

set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true

fi

function savedefault {

if [ -z "${boot_once}" ]; then
  saved_entry="${chosen}"
  save_env saved_entry
fi

}
function recordfail {

set recordfail=1
if [ -n "${have_grubenv}" ]; then if [ -z "${boot_once}" ]; then save_env recordfail; fi; fi

}
function load_video {

if [ x$feature_all_video_module = xy ]; then
  insmod all_video
else
  insmod efi_gop
  insmod efi_uga
  insmod ieee1275_fb
  insmod vbe
  insmod vga
  insmod video_bochs
  insmod video_cirrus
fi

}

if loadfont unicode ; then

set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext

fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then

set timeout=30

else

if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=hidden
  set timeout=0
# Fallback hidden-timeout code in case the timeout_style feature is
# unavailable.
elif sleep --interruptible 0 ; then
  set timeout=0
fi

fi

END /etc/grub.d/00_header

BEGIN /etc/grub.d/05_debian_theme

insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
insmod png
if background_image /boot/grub/.background_cache.png; then

set color_normal=white/black
set color_highlight=black/white

else

set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue

fi

END /etc/grub.d/05_debian_theme

BEGIN /etc/grub.d/10_linux

function gfxmode {
set gfxpayload="${1}"
if [ "${1}" = "keep" ]; then

		set vt_handoff=vt.handoff=7

else

		set vt_handoff=

fi
}
if [ "${recordfail}" != 1 ]; then

if [ -e ${prefix}/gfxblacklist.txt ]; then
  if hwmatch ${prefix}/gfxblacklist.txt 3; then
    if [ ${match} = 0 ]; then
      set linux_gfx_mode=keep
    else
      set linux_gfx_mode=text
    fi
  else
    set linux_gfx_mode=text
  fi
else
  set linux_gfx_mode=keep
fi

else

set linux_gfx_mode=text

fi
export linux_gfx_mode
menuentry 'PureOS GNU/Linux' --class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-4ca57caa-c39a-48c5-933b-50a492704157' {
recordfail
load_video
gfxmode $linux_gfx_mode
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
linux /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42faa4:luks-04d3a273-4745-4e05-83b2-4c470b42faa4 root=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 resume=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 splash resume=UUID=bacff010-207b-4d50-b56c-7f93a5df5270 $vt_handoff
initrd /boot/initrd.img-4.19.0-2-amd64
}
submenu 'Advanced options for PureOS GNU/Linux' $menuentry_id_option 'gnulinux-advanced-4ca57caa-c39a-48c5-933b-50a492704157' {
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64' --class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-advanced-4ca57caa-c39a-48c5-933b-50a492704157' {

		recordfail
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157
		else
		  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157
		fi
		echo	'Loading Linux 4.19.0-2-amd64 ...'
		linux	/boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro  quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42faa4:luks-04d3a273-4745-4e05-83b2-4c470b42faa4 root=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 resume=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 splash resume=UUID=bacff010-207b-4d50-b56c-7f93a5df5270 $vt_handoff
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-4.19.0-2-amd64

}
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64 (recovery mode)' --class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-recovery-4ca57caa-c39a-48c5-933b-50a492704157' {

		recordfail
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157
		else
		  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157
		fi
		echo	'Loading Linux 4.19.0-2-amd64 ...'
		linux	/boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro single 
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-4.19.0-2-amd64

}
}

END /etc/grub.d/10_linux

BEGIN /etc/grub.d/20_linux_xen

END /etc/grub.d/20_linux_xen

BEGIN /etc/grub.d/20_memtest86+

menuentry "Memory test (memtest86+)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
linux16 /boot/memtest86+.bin
}
menuentry "Memory test (memtest86+, serial console 115200)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
linux16 /boot/memtest86+.bin console=ttyS0,115200n8
}
menuentry "Memory test (memtest86+, experimental multiboot)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
multiboot /boot/memtest86+_multiboot.bin
}
menuentry "Memory test (memtest86+, serial console 115200, experimental multiboot)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
multiboot /boot/memtest86+_multiboot.bin console=ttyS0,115200n8
}

END /etc/grub.d/20_memtest86+

  1. BEGIN /etc/grub.d/30_os-prober ###
  2. END /etc/grub.d/30_os-prober ###
  1. BEGIN /etc/grub.d/30_uefi-firmware ###
  2. END /etc/grub.d/30_uefi-firmware ###
    1. BEGIN /etc/grub.d/40_custom ###
  1. This file provides an easy way to add custom menu entries. Simply type the
  2. menu entries you want to add after this comment. Be careful not to change
  3. the 'exec tail' line above.
    1. END /etc/grub.d/40_custom ###

BEGIN /etc/grub.d/41_custom

if [ -f ${config_directory}/custom.cfg ]; then

source ${config_directory}/custom.cfg

elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then

source $prefix/custom.cfg;

fi

  1. END /etc/grub.d/41_custom ###

What does

$ cat /etc/default/grub.cfg

produce? Can you paste that here?

"cat: /etc/default/grub.cfg: No such file or directory"

I went and confirmed that there is no grub.cfg file in the /etc/default directory.

jeremiah.foster added a comment.EditedMar 28 2019, 07:55

Can you paste a copy of /etc/default/grub here?

Here's a few lines from mine;

# Uncomment to disable generation of recovery mode menu entries                                                                                                                                                 
#GRUB_DISABLE_RECOVERY="true"                                                                                                                                                                                   

# Uncomment to get a beep at grub start                                                                                                                                                                         
#GRUB_INIT_TUNE="480 440 1"                                                                                                                                                                                     
GRUB_ENABLE_CRYPTODISK=y

You can see from my that the GRUB_ENABLE_CRYPTODISK=y is *uncommented*. Is that the case in your file?

Also, this will need to be uncommented;

# Uncomment to disable graphical terminal (grub-pc only)                                                                                                                                                        
GRUB_TERMINAL=console

If that is commented, uncomment GRUB_TERMINAL and issue a update-grub command as root and reboot. You should get a graphical prompt for the encryption disk.

Below is text from my /etc/default/grub -- both lines are commented out. I will try uncommenting, updating grub and rebooting, then report.

Uncomment to disable graphical terminal (grub-pc only)

#GRUB_TERMINAL=console

  1. The resolution used on graphical terminal
  2. note that you can use only modes which your graphic card supports via VBE
  3. you can see them in real GRUB with the command `vbeinfo'

#GRUB_GFXMODE=640x480

Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux

#GRUB_DISABLE_LINUX_UUID=true

Uncomment to disable generation of recovery mode menu entries

#GRUB_DISABLE_RECOVERY="true"

Uncomment to get a beep at grub start

#GRUB_INIT_TUNE="480 440 1"
#GRUB_ENABLE_CRYPTODISK=y

updated, rebooted, and still no GUI. Confirmed that the changes are still in the file.

jeremiah.foster added a comment.EditedApr 8 2019, 10:36

Can you re-paste your

/etc/default/grub

file? I don't see any mention of your encrypted disks for example. I worry your grub configuration may have become corrupted somehow.

Also, do you have this line in your grub file;

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

That last may be the problem. I hadn't noticed before, but that line is truncated because it is so long, and didn't copy correctly when I looked at grub before.

The entire line that is currently in my grub file is:
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42faa4:luks-04d3a273-4745-4e05-83b2-4c470b42faa4 root=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 resume=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 splash resume=UUID=bacff010-207b-4d50-b56c-7f93a5df5270"

The whole /etc/default/grub (with truncated version of above) follows:

  1. If you change this file, run 'update-grub' afterwards to update
  2. /boot/grub/grub.cfg.
  3. For full documentation of the options in this file, see:
  4. info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR='PureOS'
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42$
GRUB_CMDLINE_LINUX=""

  1. Uncomment to enable BadRAM filtering, modify to suit your needs
  2. This works with Linux (no patch required) and with any kernel that obtains
  3. the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)

#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

Uncomment to disable graphical terminal (grub-pc only)

GRUB_TERMINAL=console

  1. The resolution used on graphical terminal
  2. note that you can use only modes which your graphic card supports via VBE
  3. you can see them in real GRUB with the command `vbeinfo'

#GRUB_GFXMODE=640x480

Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux

#GRUB_DISABLE_LINUX_UUID=true

Uncomment to disable generation of recovery mode menu entries

#GRUB_DISABLE_RECOVERY="true"

Uncomment to get a beep at grub start

#GRUB_INIT_TUNE="480 440 1"
GRUB_ENABLE_CRYPTODISK=y

Here's the actual file{F254246}

  1. You have two "resume=" targets. The UUIDs differ too. You may want to compare the two resume target disk UUIDs with what you have in /etc/fstab to make sure that the last resume= is even needed. You can use the 'disks' tool to do this.

Another thing you may want to do is to use "nosplash" instead of splash and "noresume" instead of the last resume=.

can I just change the current line to
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
What is the implication of having two "resume=" targets?
The device after "cryptdevice=" is not a UUID listed in fstab or any of the partitions/filesystem shown in the disks app, but may be an alias for the main filesystem? The first "resume=" and the "root=" are followed by what is in the "Device" field of the main filesystem in disks, while the second "resume=" (after "splash") is followed by the UUID of the swap partition.
I find this all a bit hard to follow, sorry. Here are screenshots of the partitions...

It is complex, I agree. The screenshots help alot. I don't think that your swap partition is in fact encrypted. One way to find out for sure is to issue this command;

ls -l /dev/mapper/

I will research the two resume targets, I'm not sure if in fact this is a problem, it looks like it is not the cause of slow booting in your case. I think that changing the current GRUB_CMDLINE_LINUX_DEFAULT="quite" will help, can you test?

I changed the line to GRUB_CMDLINE_LINUX_DEFAULT="quiet" and then ran "sudo update-grub" This seems to have sped things up, boot does not seem to be hanging, but I unfortunately can't quantify this. I still don't see the splash screen for disk encryption, and decided to go back and double check my grub.cfg file. Strangely, the "splash" parameter has disappeared from the "vmlinuz" lines of the file, so that may be why. I have three "vmlinuz" lines in my grub.cfg file, under separate/nested "menuentry" commands. It looks like this:

menuentry 'PureOS GNU/Linux'--class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-4ca57caa-c39a-48c5-933b-50a492704157' {
...
linux /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro quiet
...
}
submenu 'Advanced options for PureOS GNU/Linux' $menuentry_id_option 'gnulinux-advanced-4ca57caa-c39a-48c5-933b-50a492704157' {
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64'...{

		...
		linux   /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro  quiet
		...

}
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64 (recovery mode)' ... {

		...
		linux   /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro single
		...

}
}

Should I just add "splash" to the end of one or more of these lines to get back the splash screen? Which one(s)?

Thanks,
Eric

Hi, any advice on getting the splash screen back by editing my grub.cfg file? It's not a huge priority at this point, but I would feel better if I could resolve this.

May I ask that you try commenting out

# GRUB_ENABLE_CRYPTODISK=y

in the /etc/default/grub file then run;

sudo update-grub.

This didn't change anything, but I did finally get an image of my screen after entering my decryption password, there are some statements about failed loading of firmware before PureOS boots. The least benign-sounding is:
[ 1.402310] i915 0000:0:02.0: firmware: failed to load i915/kbl_dmc_ver1_04. bin (-2)
Which I take it has something to do with the kabylake graphics processor, but may be completely normal for all I know? There's also a statement about failed Bluetooth firmware which I assume is normal.