Summary: | Fresh Neon install can't boot if encryption is used (20240201-0717 iso) | ||
---|---|---|---|
Product: | [KDE Neon] neon | Reporter: | spiesant <metal450> |
Component: | Live/Install images | Assignee: | Neon Bugs <neon-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | carlosdemaine, chris, hello, hohenegger, jr, luke, neon-bugs, ricksanchez137c, sitter, ssnintf, yiannispana |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Neon | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Attachments: |
Here's some analysis that I did
This is the session log from the install into my VM |
Description
spiesant
2024-02-04 15:31:28 UTC
Addendum: it looks like others are experiencing the same - multiple posts about this on Reddit in the past 5 days: https://www.reddit.com/r/kdeneon/comments/1aenouy/kde_neon_wont_boot_after_fresh_install_cryptsetup/

Can confirm the bug. Tried today to install it on some new machines but after installation and successful password prompt, it failed to boot. We use the default setup with no custom configuration (we use the 'use full disk' option with the 'system encryption' enabled). The iso version was 'neon-user-20240208-0715' and we verified the signature before writing it to media. Can we at least get a link to the last good iso until the fix?

(In reply to Ioannis Panagiotopoulos from comment #2)
> Can confirm the bug. Tried today to install it on some new machines but
> after installation and successful password prompt, it failed to boot. We use
> the default setup with no custom configuration (we use the 'use full disk'
> option with the 'system encryption' enabled). The iso version was
> 'neon-user-20240208-0715' and we verified the signature before writing it to
> media. Can we at least get a link to the last good iso until the fix?

Same exact process and issue here. Confirmed on testing ISO from today.

More reports of this here: https://discuss.kde.org/t/disk-encryption-not-working-on-recent-neon-isos-but-is-working-on-older-images/9505

(In reply to spiesant from comment #1)
> Addendum: it looks like others are experiencing the same - multiple posts
> about this on Reddit in the past 5 days:
> https://www.reddit.com/r/kdeneon/comments/1aenouy/kde_neon_wont_boot_after_fresh_install_cryptsetup/

I can confirm this is happening when I install KDE neon using a recent ISO.

Most recent user iso is broken on boot when installing with encryption!!!

Created attachment 166669 [details]
Here's some analysis that I did
Created attachment 166670 [details]
This is the session log from the install into my VM
I can report that the Reddit workaround https://www.reddit.com/r/kdeneon/comments/1aenouy/kde_neon_wont_boot_after_fresh_install_cryptsetup/ works (where I replaced /dev/nvme0n1p2 with my root partition path inferred from, e.g., partitionmanager)

-------------------

On the running system, out of curiosity I re-added the keyfile to the key slots of my two encrypted partitions by calling this:

    sudo cryptsetup luksAddKey /dev/nvme0n1p2 /crypto_keyfile.bin

To my surprise, when checking

    sudo cryptsetup luksDump /dev/nvme0n1p2

before and after adding the keyfile, I found out that the new key slot data does not match any of the old slots. It looks like the keyfile was not added correctly to the slots before.

Also I put the /crypto_keyfile.bin back into the /etc/crypttab (replacing the none's) but did not add back the keyscript=/bin/cat. I read in the man page of crypttab that the third parameter is the keyfile. I didn't see the need to add the keyscript at all.

    sudo update-initramfs -c -k all

and reboot

------------

This can be done after booting the installed system as follows from an (initramfs) prompt https://discuss.kde.org/t/disk-encryption-not-working-on-recent-neon-isos-but-is-working-on-older-images/9505/4

-------------

    cryptsetup luksOpen /dev/disk/by-id/[deviceid] luks-<uuid>

and enter the password. Then run

    exec run-init /root /sbin/init /root/dev/console

-------------

Here's everything I've found so far:

## Stuff that is fine

- the `/etc/crypttab` looks fine
- the `/etc/fstab` looks fine
- the keyfile _is_ present and _can_ unlock the filesystems
- the swap partition appears to be good, but in mapper form (which makes sense since it's an encrypted partition)

## Stuff that doesn't appear to be fine

- the `initramfs.conf` seems to be missing from the ISO
- the `luksbootkeyfile.conf` seems to be missing from the ISO
- I still get error `Failed to enable swap for devices: ['/dev/sda3']`, but it may be a red herring

I'm continuing to dig, but even after I place the two config files above and re-run the installer, the system still won't boot.

This is now working. Neon's calamares-settings package had to be adjusted to use the calamares initramfscfg module. Tested in neon release. Will be snapshot(ted) to neon user very soon (TM) and a new iso spun up. |
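
Added example (not part of this bug report, and not Neon or Calamares code): a small Python check of the crypttab fields discussed in the comments above, run against a constructed crypttab. It reports whether each entry relies on a keyfile, a keyscript or a passphrase prompt, and flags a keyfile that is missing or readable beyond its owner; the sample entries, UUIDs and function names are assumptions.

```python
import os
import stat

# Constructed sample resembling the installs in this thread (UUIDs are made up).
SAMPLE_CRYPTTAB = """\
# <name> <device> <keyfile> <options>
luks-1111 UUID=1111 /crypto_keyfile.bin luks,keyscript=/bin/cat
luks-2222 UUID=2222 none luks
luks-3333 UUID=3333 /missing.bin luks
"""

def parse_crypttab(text):
    """Yield (name, device, keyfile, options) for each crypttab entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = fields[3].split(",") if len(fields) > 3 else []
        yield fields[0], fields[1], keyfile, opts

def audit(text, file_modes):
    """file_modes maps path -> st_mode for files on the installed root.
    Returns {name: [findings]}; an empty list means nothing to flag."""
    report = {}
    for name, _dev, keyfile, opts in parse_crypttab(text):
        notes = []
        if keyfile in ("none", "-"):
            notes.append("passphrase prompt at boot (no keyfile)")
        elif keyfile not in file_modes:
            notes.append(f"keyfile {keyfile} does not exist")
        elif file_modes[keyfile] & (stat.S_IRWXG | stat.S_IRWXO):
            notes.append(f"keyfile {keyfile} readable beyond owner")
        # Surface any keyscript so the reviewer sees how the key is read.
        notes += [f"uses {o}" for o in opts if o.startswith("keyscript=")]
        report[name] = notes
    return report

def modes_from_disk(paths):
    """Collect st_mode for the paths that exist (for use on a real system)."""
    return {p: os.stat(p).st_mode for p in paths if os.path.exists(p)}
```

On an installed system, pass the contents of /etc/crypttab and `modes_from_disk([...])` for the keyfile paths it names; whether a keyfile is actually enrolled in a LUKS key slot still has to be checked with cryptsetup itself.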