42.1 LVM Encrypted issues during boot

I am trying to set up 42.1 with LVM Encrypted SWAP and ROOT along with secure boot.
After the installation for the first boot it fails into Grub prompt.

I was reading on the forums that we have an issue if we use the system name for the group, I did change that to MAIN and I still have the issue.
I tried to record the messages before the prompt because it was too fast, the messages are:

Failed to set MokListRT: Not found
System BootOrder not found. Initializing defaults
Failed to set MokListRT: Not Found
Welcome to GRUB!

error: can't find command `cryptmount'.
error: failure reading sector 0x0 from hd1.
error: failure reading sector 0x0 from hd1.

Some more context, this installation is happening on a MacBook Pro onto an external disk. I was able to perform a successful installation without an encrypted LVM.
Please advise.

Need to make a separate /boot partition not in the LVM

I think you can fix that.

1: Disable secure-boot in your BIOS.

2: You should have two UEFI boot entries known to your BIOS, one named “opensuse” and the other named “opensuse-secureboot”. Use the first of those, even though it is not the default.

3: If that gets you booted (it should), then run updates.

4: After your system is fully up-to-date, see if you can now use the “opensuse-secureboot” UEFI entry. If that works, then turn secure-boot back on and all should be good.

NOTE: You will have to enter your encryption key twice – once when requested by grub2, and a second time during boot when requested by the booting kernel (via Plymouth).

Using a separate /boot stops the need to enter two passwords.

/boot only contains the kernel and some of the boot code so it does no harm not to have it encrypted.

I already have the EFI Boot partition that is outside of the LVM Group. Is there something else you are referring to?

Just to clarify when you mean disable secure-boot in your BIOS are you referring to removing the secure boot option in the grub installation section? Let me check to see what options I find in the grub menu next time I load, it just disappears so fast without giving me time to react.

Hi
Yes, user gogalthorp is referring to something like this (dual boot openSUSE Leap 42.1 and Windows 8.1);


lsblk

NAME                                         MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                            8:0    0 298.1G  0 disk
├─sda1                                         8:1    0   260M  0 part  /boot/efi
├─sda2                                         8:2    0   128M  0 part
├─sda3                                         8:3    0   500M  0 part  /boot
├─sda4                                         8:4    0   200G  0 part
│ └─cr_ata-TOSHIBA_MK3275GSX_91Q7B2OZB-part4 254:0    0   200G  0 crypt
│   ├─secure-swap                            254:1    0     8G  0 lvm   [SWAP]
│   ├─secure-leap                            254:2    0    40G  0 lvm   /
│   └─secure-data                            254:3    0   100G  0 lvm   /data
└─sda5                                         8:5    0  97.2G  0 part

Thanks for the clarification. Let me try that.

Hi
See this thread for steps I took;
https://forums.opensuse.org/showthread.php/513011-Problem-to-Install-Windows-after-Installing-Leap?p=2750726#post2750726

No, I am referring to the BIOS. I assume that you can turn off secure-boot there.

Unfortunately, there were some UEFI problems with the 42.1 install media. And you have installed in a way that hits all of them. But, as far as I know, they are all fixed. So the question is of how to get far enough to be able to update your system.

If you boot the install media to rescue mode, and login as root, you should be able to do:

# efibootmgr -v

That should tell you the UEFI boot options. There should be one named “opensuse” and one named “opensuse-secureboot”. Your system is set up to use the second. You need to instead use the first. You can change the BIOS boot order with something like:

# efibootmgr -o 0001,0003,0002

(you don’t actually need the leading zeros). But if your BIOS is enforcing secure-boot, then it won’t work to use the plain “opensuse” entry.

So disable secure-boot in BIOS settings. Set the boot order so that plain “opensuse” comes first. You should then be able to update your system. And, once fully updated, you can go back to using secure-boot.
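
The lookup and reordering described in the post above, as an added example that is not part of the original thread: it finds the entry labelled exactly "opensuse" in `efibootmgr -v` output and builds the `-o` argument that puts it first. The sample output, the entry numbers and the helper names (`entry_num`, `promote`, `plan_order`) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `efibootmgr -v` output (not taken from the thread).
# Assumption: label and device path are tab-separated, as efibootmgr prints them.
SAMPLE=$(
  printf 'BootCurrent: 0002\nBootOrder: 0002,0003,0001\n'
  printf 'Boot0001* opensuse\tHD(1,GPT)/File(\\EFI\\opensuse\\grubx64.efi)\n'
  printf 'Boot0002* opensuse-secureboot\tHD(1,GPT)/File(\\EFI\\opensuse\\shim.efi)\n'
  printf 'Boot0003* Other OS\tHD(2,GPT)/File(\\EFI\\other\\boot.efi)\n'
)

# Print the number of the entry whose label is exactly $1 (reads stdin).
# An exact match matters: "opensuse" is a prefix of "opensuse-secureboot".
entry_num() {
  awk -F'\t' -v want="$1" '
    $1 ~ /^Boot[0-9A-Fa-f]+[* ] / {
      if (substr($1, 11) == want) { print substr($1, 5, 4); exit }
    }'
}

# Print the new BootOrder: entry $1 first, then the rest of current order $2.
promote() {
  printf '%s' "$1"
  printf '%s\n' "$2" | tr ',' '\n' | while read -r n; do
    [ -z "$n" ] || [ "$n" = "$1" ] || printf ',%s' "$n"
  done
  echo
}

# $1 = efibootmgr -v output, $2 = label to boot first (hypothetical helper).
plan_order() {
  num=$(printf '%s\n' "$1" | entry_num "$2")
  [ -n "$num" ] || { echo "no UEFI entry labelled '$2'" >&2; return 1; }
  cur=$(printf '%s\n' "$1" | sed -n 's/^BootOrder: //p')
  promote "$num" "$cur"
}

# Print the command instead of running it, so the order can be reviewed first.
echo "efibootmgr -o $(plan_order "$SAMPLE" opensuse)"
```

On the rescue system, pass `"$(efibootmgr -v)"` in place of `"$SAMPLE"` and check the printed order before running it as root.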

I’ll add:

My own 42.1 system is set up similarly to what malcolmlewis is suggesting – with a separate “/boot” outside the LVM. That way, I only have to enter the encryption key once.

I do have Tumbleweed set up the way that you are using it. And, when I first tried that, I ran into the problems that you describe (or worse). But I reported a bug, and worked with the opensuse team to fix that bug in Tumbleweed, which now works as it should. But they forgot to put that bug fix into the released 42.1.

This worked like a charm, thank you so much.

I have never tried getting into BIOS on a mac, let me see if I find something about that.

I am able to boot now with the other option of having boot outside of LVM, so I will update now and then check.

I do not think Mac supports secure boot at all.

Thanks for your help and clarification. I would also like to try Tumbleweed and am happy to hear that most likely I might not hit this issue there.