Hi all,
I am trying to install Leap-16 with FDE (full disk encryption) without LVM and with the boot loader grub2-bls.
As far as I understand, that would mean the following actions need to be done with the help of YaST2: a) remove the partitions /boot/grub2/i386-pc and /boot/grub2/x86_64-efi and b) choose the boot loader grub2-bls.
As described in the article MicroOS/FDE to read here.
But, with Leap-16 we are now on Agama.
So I tried to adapt the instructions of the MicroOS/FDE article to Leap-16 Agama, but it didn’t work.
So my questions are:
a) Does the Agama installer support the same features as described in the MicroOS/FDE article when installing Leap-16 with FDE?
b) If yes, how? I could not remove the relevant /boot/grub2 partitions, nor choose the boot-loader…
c) If no, how do I change/migrate from a standard Agama installation with FDE to a grub2-bls installation with FDE? I already tried the instructions in the MicroOS/FDE article (see “Migrating from GRUB2-EFI”), but it didn’t work. But maybe that was my fault…?
Outside my experience (so forgive me if I miss detail or understanding), but did you first manage to install Leap-16 with FDE successfully? Are you using TPM2 as well?
If so, you should be able to migrate to BLS for boot entry management, post installation?
Hi,
thank you very much for your feedback.
Yes, I think I still seek an answer or a statement. I think there are 2 points here:
1.) The thing is that we have (had) a perfect installer (YaST) with which you could edit and do everything you want. Now we have Agama, and the question is whether I can do the same things as with YaST. Specifically, I would like to do an installation of Leap-16 with FDE without LVM and with grub2-bls. This was easy with YaST (see the article). And now with Agama? How do I do that? (And what exactly is the benefit of Agama?)
2.) If Agama is not delivering what I seek, then I have to do an unwanted installation and then need to switch to the desired version. So I do a standard Leap-16 Agama installation with FDE (which leads to LVM with grub2-efi, if TPM2 is used I don’t know) and then need to test your commands…
Thank you very much for that!
The test with systemd/grub.efi was nice, but I still have LVM. Also the encryption prompt (at start-up) is nice but not the same as with the grub2-bls prompts (see my older post). So I need some time to start all over…
I’m not sure (without firing up the Agama installer again) what options are catered for with respect to your requirements. I don’t use encryption or LVM.
I suggest that you sign up to the Cockpit project and raise a discussion there perhaps:
I now tested your provided commands on a fresh Leap-16 installation with LVM and FDE:
All steps:
sudo zypper in grub2-x86_64-efi-bls
sudo update-bootloader --show
sudo update-bootloader --loader grub2-bls
sudo update-bootloader
work without errors.
sudo update-bootloader --show
shows: grub2-bls
but it has no effect on the FDE boot prompt at start-up (see encryption-prompts) and it has no visual effect on anything else.
So I am not quite sure if it really worked…
My comments were solely about using grub2-bls, not FDE as such. (I tried this briefly with a Slowroll system, and I’ve reverted back to the “classic” grub2 now.)
My understanding is that the full-disk encryption prompt comes from dracut inside the initrd, not from GRUB, so you’ll see the same prompt whether you use grub2 or grub2-bls.
The default grub2 setup is to have /boot inside the (encrypted) root filesystem, so grub2 must unlock it before it can proceed. grub2-bls loads the kernel and the initrd from the ESP, which is never encrypted, and so it does not need to unlock anything.
So, no, you normally see a different prompt in each case.