
Encrypted bootloader has lost graphical UI
Closed, ResolvedPublic

Description

On initial installation of PureOS on a new Librem 13, the hard drive was encrypted by default. I accidentally decrypted the hard drive on a subsequent install, then re-encrypted it on a third install, along with the boot partition. Now the decryption password prompt appears without a splash screen, even though the "splash" parameter is set in the "vmlinuz" line of the grub.cfg file.

Event Timeline

jonas.smedegaard reassigned this task from mladen to mak.Mar 4 2019, 02:57
jonas.smedegaard added a subscriber: mladen.

In the grub package in Debian there was a configuration change that PureOS inherited. That change enables the display of an encryption password prompt by GRUB. Can you check to see if there is a "GRUB_ENABLE_CRYPTODISK=y" line in /etc/default/grub ?

If so, you can comment that out, then do a ‘sudo update-grub’, and then reboot. Grub should stop asking for a password then.

jeremiah.foster triaged this task as High priority.
jeremiah.foster added a subscriber: mak.

Found the comment in /etc/default/grub and commented it out, then updated grub. Rebooted, but still the same startup sequence. Double checked to make sure the grub default file was saved with the enable_cryptodisk statement commented out.

Did you run

$ sudo update-grub

?

Yes, I updated grub before reboot.

Can you paste a copy of your grub.cfg file? Either here or in a pastebin somewhere? That might help debugging the issue. Your grub.cfg file likely won't have any secret info, just things like the command line to boot your system as well as the UUID of your disks. (If you have set a GRUB menu password, remove any "password" or "password_pbkdf2" lines before pasting.)

eric.spivey added a comment.EditedMar 7 2019, 20:09
# grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###

# Restore variables saved in the GRUB environment block, but only when
# $prefix/grubenv exists and is non-empty; have_grubenv records that it did.
if [ -s $prefix/grubenv ]; then

set have_grubenv=true
load_env

fi
# One-shot selection: when next_entry is set, use it as the default for this
# boot only, then clear it and write the cleared value back to grubenv.
# boot_once tells savedefault not to persist the entry chosen on this boot.
if [ "${next_entry}" ] ; then

set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true

else

# No one-shot entry requested: boot the first menu entry.
set default="0"

fi

# Pass "--id" to menuentry only when this GRUB build advertises the
# menuentry_id feature; otherwise the option is left empty.
if [ x"${feature_menuentry_id}" = xy ]; then

menuentry_id_option="--id"

else

menuentry_id_option=""

fi

export menuentry_id_option

# Move a previously saved entry back into saved_entry and clear
# prev_saved_entry, persisting both changes; this boot also counts as one-shot.
if [ "${prev_saved_entry}" ]; then

set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true

fi

# savedefault: remember the entry the user picked (${chosen}) as saved_entry
# in the environment block. Skipped when boot_once is set, so a one-shot boot
# does not overwrite the stored default.
function savedefault {

if [ -z "${boot_once}" ]; then
  saved_entry="${chosen}"
  save_env saved_entry
fi

}
# recordfail: set recordfail=1 and, when an environment block was loaded
# (have_grubenv) and this is not a one-shot boot, persist it with save_env.
# Nothing in this file clears the flag again.
# NOTE(review): presumably the booted system resets it after a successful
# start -- confirm.
function recordfail {

set recordfail=1
if [ -n "${have_grubenv}" ]; then if [ -z "${boot_once}" ]; then save_env recordfail; fi; fi

}
# load_video: load GRUB's video drivers. Uses the single all_video module
# when the build advertises it, otherwise loads each listed driver in turn.
function load_video {

if [ x$feature_all_video_module = xy ]; then
  insmod all_video
else
  insmod efi_gop
  insmod efi_uga
  insmod ieee1275_fb
  insmod vbe
  insmod vga
  insmod video_bochs
  insmod video_cirrus
fi

}

# Graphical terminal setup: only when the unicode font loads are the video
# drivers, gfxterm and the en_US message catalogue (gettext) set up.
if loadfont unicode ; then

set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext

fi
# GRUB's own output is sent to gfxterm unconditionally, even if the font
# load above failed.
terminal_output gfxterm
# Menu timeout: 30 seconds after a recorded failed boot, otherwise a hidden
# menu with a zero timeout.
if [ "${recordfail}" = 1 ] ; then

set timeout=30

else

if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=hidden
  set timeout=0
# Fallback hidden-timeout code in case the timeout_style feature is
# unavailable.
elif sleep --interruptible 0 ; then
  set timeout=0
fi

fi

### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###

# Modules needed to reach the theme files: MS-DOS partition table, the
# cryptodisk/LUKS layer with its AES (gcry_rijndael) and SHA-256 modules,
# and the ext2-family filesystem driver.
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
# root is first pointed at the LUKS container by its UUID (written without
# dashes), then replaced by whichever device carries filesystem UUID
# 4ca57caa-... once search finds it.
# No cryptomount command appears in this section.
# NOTE(review): the container is presumably unlocked before this file is
# read, since the file itself is said to live on the encrypted boot
# partition -- confirm.
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
insmod png
# Menu colours depend on whether the cached background image loads from
# the root device selected above.
if background_image /boot/grub/.background_cache.png; then

set color_normal=white/black
set color_highlight=black/white

else

set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue

fi

### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###

# gfxmode MODE: set gfxpayload to MODE. When MODE is "keep", vt_handoff is
# set to the kernel argument vt.handoff=7; for any other MODE it is emptied.
# The menu entries append $vt_handoff to the kernel command line.
function gfxmode {
set gfxpayload="${1}"
if [ "${1}" = "keep" ]; then

		set vt_handoff=vt.handoff=7

else

		set vt_handoff=

fi
}
# Choose the video mode handed to Linux. After a recorded failed boot the
# mode is always text. Otherwise it is "keep", unless ${prefix}/gfxblacklist.txt
# exists and the hwmatch check against it fails or leaves match non-zero,
# in which case text is used.
if [ "${recordfail}" != 1 ]; then

if [ -e ${prefix}/gfxblacklist.txt ]; then
  if hwmatch ${prefix}/gfxblacklist.txt 3; then
    if [ ${match} = 0 ]; then
      set linux_gfx_mode=keep
    else
      set linux_gfx_mode=text
    fi
  else
    set linux_gfx_mode=text
  fi
else
  set linux_gfx_mode=keep
fi

else

set linux_gfx_mode=text

fi
export linux_gfx_mode
# Default boot entry: loads kernel 4.19.0-2-amd64 and its initrd from /boot
# on the filesystem with UUID 4ca57caa-..., reached through the LUKS
# container 04d3a273-....
menuentry 'PureOS GNU/Linux' --class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-4ca57caa-c39a-48c5-933b-50a492704157' {
# Flag this boot attempt, load video drivers, apply the chosen video mode.
recordfail
load_video
gfxmode $linux_gfx_mode
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
# Partition table, cryptodisk/LUKS, AES, SHA-256 and ext2 modules.
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
# Start from the LUKS container, then locate the filesystem by UUID.
# There is no cryptomount line in this entry.
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
# Kernel command line: "quiet" and "splash" are both present. root= appears
# twice (filesystem UUID, then the /dev/mapper name) and resume= appears
# twice (the /dev/mapper name, then UUID bacff010-...).
# NOTE(review): which of the duplicated values takes effect is not visible
# in this file -- confirm against the initramfs configuration.
linux /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42faa4:luks-04d3a273-4745-4e05-83b2-4c470b42faa4 root=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 resume=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 splash resume=UUID=bacff010-207b-4d50-b56c-7f93a5df5270 $vt_handoff
initrd /boot/initrd.img-4.19.0-2-amd64
}
# "Advanced options" submenu: the same kernel offered twice, once with the
# normal command line and once as a recovery-mode entry.
submenu 'Advanced options for PureOS GNU/Linux' $menuentry_id_option 'gnulinux-advanced-4ca57caa-c39a-48c5-933b-50a492704157' {
# Normal entry: same kernel arguments as the default entry, plus progress
# messages printed with echo.
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64' --class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-advanced-4ca57caa-c39a-48c5-933b-50a492704157' {

		recordfail
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157
		else
		  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157
		fi
		echo	'Loading Linux 4.19.0-2-amd64 ...'
		# root= and resume= each appear twice here, as in the default entry.
		linux	/boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro  quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42faa4:luks-04d3a273-4745-4e05-83b2-4c470b42faa4 root=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 resume=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 splash resume=UUID=bacff010-207b-4d50-b56c-7f93a5df5270 $vt_handoff
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-4.19.0-2-amd64

}
# Recovery entry: boots with "single" and carries none of the quiet, splash,
# cryptdevice= or resume= arguments used by the normal entries.
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64 (recovery mode)' --class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-recovery-4ca57caa-c39a-48c5-933b-50a492704157' {

		recordfail
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157
		else
		  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157
		fi
		echo	'Loading Linux 4.19.0-2-amd64 ...'
		linux	/boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro single 
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-4.19.0-2-amd64

}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_memtest86+ ###

# Memory test entry: loads /boot/memtest86+.bin with linux16 from the same
# LUKS-backed filesystem as the kernel; no console argument is passed.
menuentry "Memory test (memtest86+)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
# Start from the LUKS container, then locate the filesystem by UUID.
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
linux16 /boot/memtest86+.bin
}
# Memory test entry with serial output: same image as the plain memtest
# entry, with console=ttyS0,115200n8 passed to it.
menuentry "Memory test (memtest86+, serial console 115200)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
# Start from the LUKS container, then locate the filesystem by UUID.
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
linux16 /boot/memtest86+.bin console=ttyS0,115200n8
}
# Memory test entry using the multiboot image: loads
# /boot/memtest86+_multiboot.bin with the multiboot command.
menuentry "Memory test (memtest86+, experimental multiboot)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
# Start from the LUKS container, then locate the filesystem by UUID.
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
multiboot /boot/memtest86+_multiboot.bin
}
# Memory test entry using the multiboot image with serial output:
# console=ttyS0,115200n8 is passed to /boot/memtest86+_multiboot.bin.
menuentry "Memory test (memtest86+, serial console 115200, experimental multiboot)" {
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
# Start from the LUKS container, then locate the filesystem by UUID.
set root='cryptouuid/04d3a27347454e0583b24c470b42faa4'
if [ x$feature_platform_search_hint = xy ]; then

	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/04d3a27347454e0583b24c470b42faa4'  4ca57caa-c39a-48c5-933b-50a492704157

else

	  search --no-floppy --fs-uuid --set=root 4ca57caa-c39a-48c5-933b-50a492704157

fi
multiboot /boot/memtest86+_multiboot.bin console=ttyS0,115200n8
}

### END /etc/grub.d/20_memtest86+ ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###

# Optional local additions: if custom.cfg exists in ${config_directory} it
# is sourced; failing that, when config_directory is empty, $prefix/custom.cfg
# is sourced instead. Whatever that file contains is executed as GRUB
# configuration on every boot, so it deserves the same write protection as
# grub.cfg itself.
if [ -f ${config_directory}/custom.cfg ]; then

source ${config_directory}/custom.cfg

elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then

source $prefix/custom.cfg;

fi

### END /etc/grub.d/41_custom ###

What does

$ cat /etc/default/grub.cfg

produce? Can you paste that here?

"cat: /etc/default/grub.cfg: No such file or directory"

I went and confirmed that there is no grub.cfg file in the /etc/default directory.

jeremiah.foster added a comment.EditedMar 28 2019, 07:55

Can you paste a copy of /etc/default/grub here?

Here's a few lines from mine;

# Uncomment to disable generation of recovery mode menu entries                                                                                                                                                 
#GRUB_DISABLE_RECOVERY="true"                                                                                                                                                                                   

# Uncomment to get a beep at grub start                                                                                                                                                                         
#GRUB_INIT_TUNE="480 440 1"                                                                                                                                                                                     
GRUB_ENABLE_CRYPTODISK=y

You can see from mine that the GRUB_ENABLE_CRYPTODISK=y line is *uncommented*. Is that the case in your file?

Also, this will need to be uncommented;

# Uncomment to disable graphical terminal (grub-pc only)                                                                                                                                                        
GRUB_TERMINAL=console

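If that is commented, uncomment GRUB_TERMINAL, issue an update-grub command as root, and reboot. You should get a graphical prompt for the encryption disk. (Note that the comment above this setting describes it as disabling the graphical terminal, so check the result after rebooting.)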

Below is text from my /etc/default/grub -- both lines are commented out. I will try uncommenting, updating grub and rebooting, then report.

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
#GRUB_ENABLE_CRYPTODISK=y

updated, rebooted, and still no GUI. Confirmed that the changes are still in the file.

jeremiah.foster added a comment.EditedApr 8 2019, 10:36

Can you re-paste your

/etc/default/grub

file? I don't see any mention of your encrypted disks for example. I worry your grub configuration may have become corrupted somehow.

Also, do you have this line in your grub file;

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

That last may be the problem. I hadn't noticed before, but that line is truncated because it is so long, and didn't copy correctly when I looked at grub before.

The entire line that is currently in my grub file is:
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42faa4:luks-04d3a273-4745-4e05-83b2-4c470b42faa4 root=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 resume=/dev/mapper/luks-04d3a273-4745-4e05-83b2-4c470b42faa4 splash resume=UUID=bacff010-207b-4d50-b56c-7f93a5df5270"

The whole /etc/default/grub (with truncated version of above) follows:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR='PureOS'
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=04d3a273-4745-4e05-83b2-4c470b42$
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
GRUB_ENABLE_CRYPTODISK=y

Here's the actual file{F254246}

  1. You have two "resume=" targets. The UUIDs differ too. You may want to compare the two resume target disk UUIDs with what you have in /etc/fstab to make sure that the last resume= is even needed. You can use the 'disks' tool to do this.

Another thing you may want to do is to use "nosplash" instead of splash and "noresume" instead of the last resume=.

can I just change the current line to
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
What is the implication of having two "resume=" targets?
The device after "cryptdevice=" is not a UUID listed in fstab or any of the partitions/filesystem shown in the disks app, but may be an alias for the main filesystem? The first "resume=" and the "root=" are followed by what is in the "Device" field of the main filesystem in disks, while the second "resume=" (after "splash") is followed by the UUID of the swap partition.
I find this all a bit hard to follow, sorry. Here are screenshots of the partitions...

It is complex, I agree. The screenshots help a lot. I don't think that your swap partition is in fact encrypted. One way to find out for sure is to issue this command;

ls -l /dev/mapper/

I will research the two resume targets. I'm not sure if this is in fact a problem; it looks like it is not the cause of slow booting in your case. I think that changing the current line to GRUB_CMDLINE_LINUX_DEFAULT="quiet" will help, can you test?

I changed the line to GRUB_CMDLINE_LINUX_DEFAULT="quiet" and then ran "sudo update-grub". This seems to have sped things up; boot does not seem to be hanging, but I unfortunately can't quantify this. I still don't see the splash screen for disk encryption, and decided to go back and double check my grub.cfg file. Strangely, the "splash" parameter has disappeared from the "vmlinuz" lines of the file, so that may be why. I have three "vmlinuz" lines in my grub.cfg file, under separate/nested "menuentry" commands. It looks like this:

menuentry 'PureOS GNU/Linux'--class pureos --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-4ca57caa-c39a-48c5-933b-50a492704157' {
...
linux /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro quiet
...
}
submenu 'Advanced options for PureOS GNU/Linux' $menuentry_id_option 'gnulinux-advanced-4ca57caa-c39a-48c5-933b-50a492704157' {
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64'...{

		...
		linux   /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro  quiet
		...

}
menuentry 'PureOS GNU/Linux, with Linux 4.19.0-2-amd64 (recovery mode)' ... {

		...
		linux   /boot/vmlinuz-4.19.0-2-amd64 root=UUID=4ca57caa-c39a-48c5-933b-50a492704157 ro single
		...

}
}

Should I just add "splash" to the end of one or more of these lines to get back the splash screen? Which one(s)?

Thanks,
Eric

Hi, any advice on getting the splash screen back by editing my grub.cfg file? It's not a huge priority at this point, but I would feel better if I could resolve this.

May I ask that you try commenting out

# GRUB_ENABLE_CRYPTODISK=y

in the /etc/default/grub file then run;

sudo update-grub.

This didn't change anything, but I did finally get an image of my screen after entering my decryption password, there are some statements about failed loading of firmware before PureOS boots. The least benign-sounding is:
[ 1.402310] i915 0000:0:02.0: firmware: failed to load i915/kbl_dmc_ver1_04. bin (-2)
Which I take it has something to do with the kabylake graphics processor, but may be completely normal for all I know? There's also a statement about failed Bluetooth firmware which I assume is normal.

Both those mentions in the logs at boot time are "normal".

jeremiah.foster closed this task as Resolved.May 11 2020, 09:45