FDE NOT prompting for password during boot after new EFI image

Hi,

After rebuilding the EFI image, the disk is decrypted and mounted without a prompt for the decryption password on my side.
Nothing else is changed by me on the default setup except the new EFI image I generated.

How is this automatic boot working, and how do I make the new EFI image prompt for a password?
I want to sign the EFI image so I can enable Secure Boot, but I noticed that this happened...

Commands to generate the new EFI image:

# Build a unified kernel image from the systemd-boot stub: each section holds
# one piece of the boot payload at a fixed virtual address.
objcopy \
    --add-section .osrel="/usr/lib/os-release"             --change-section-vma .osrel=0x20000 \
    --add-section .cmdline="/proc/cmdline"                 --change-section-vma .cmdline=0x30000 \
    --add-section .linux="/boot/vmlinuz-linux-zen"         --change-section-vma .linux=0x40000 \
    --add-section .initrd="/boot/initramfs-linux-zen.img"  --change-section-vma .initrd=0x3000000 \
    "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux.efi"

Added the EFI image as a boot entry using efibootmgr:

efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "GarudaTPM" --loader "\EFI\Linux.efi" --verbose

IDK, what do you use to find out about these security things?
Arch wiki?
Whoogle?


Don't even start this toxic attitude.
I've read all over the Arch wikis, Stack Exchange and so on; there is absolutely no information.

What is the idea behind "Garuda Team" members flipping people off by telling them to google it anyway? I didn't ask how to install a package using pacman because I was too lazy to man it, did I? Is this some way of saying that you have no idea, but still want to make yourself useful?

Chill dude. Calm down. Be patient.


:speaking_head: Don't even start that demanding attitude.
We still need to know what steps you took in order to give relevant (aka not redundant) information.

Tbh, for most of the questions people have, all I do is put the query into my search engine of choice and try to search for a solution :crazy_face: :grin:

In this case it's quite unclear where the code snippets came from, so I think it's a valid question as the topic is quite specific :thinking: Also, Secure Boot is not supported by default, as we advise turning it off in order for booting a live USB to succeed.

It's impossible to know everything, especially if the topic is something which most people won't ever touch. Still, it's useful to do some basic troubleshooting and get answers which might help someone who actually knows what's going on. This is also called teamwork :stuck_out_tongue:

In case you haven't read it before, I'm linking this article which might be helpful:
https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot


This doesn't have anything to do with Secure Boot. I haven't got there yet.
I only mentioned it to give some backstory on why I was doing what I was doing.

Let me clarify the situation.

  1. I did a clean install: no swap, FDE enabled, default partitions.
  2. I generated a new EFI image using the commands above. I don't know what you want me to say about it more than that; it's pretty much the standard Linux process for generating an EFI image...
  3. Added a boot entry using efibootmgr.

There isn't anything in between step 1 and step 2: no other changes to the system, nothing. crypttab is the same, everything is the same as a fresh install, with the exception of the above.

The issue:
On a fresh install with FDE, before I regenerate the EFI image I get prompted for the LUKS password due to FDE. After the new boot entry and image regeneration I boot without being asked for a password. By boot I mean a successful login screen, so the disk is decrypted and mapped successfully.

I want to know why this is happening and how to stop it from happening after a new EFI image.
So no, the question isn't valid at all; Secure Boot is not enabled. Just some person that flipped me off for asking a valid question, so excuse my frustration.

I agree, you cannot know everything, that is why I am asking.

btw, what I am aiming at in the end is FDE + Secure Boot + TPM.
This will greatly improve security on Garuda-installed laptops, and I am planning on writing a guide on it once done; don't hate before you know the full story.

EDIT: If someone knew what was going on, I wouldn't have been flamed like that for no reason at all :slight_smile:

Isn't the whole point of using TPM that you're not prompted for a password?


Yeah, but I haven't set that up yet, so this isn't the cause of the automatic boot without a key. As far as I am aware this feature is not coming to cryptsetup before 2.4, nor does the Garuda installer support this by default.

EDIT:
Just disabled the TPM chip in the UEFI setup; this is still the same. 100% not a feature of Garuda :smiley:

Consider it resolved.

Autobooting is due to "/crypto_keyfile.bin" being set in crypttab and mkinitcpio.conf.
When that key is removed, the screen goes into a loading loop without a password prompt; this is due to the plymouth hook in mkinitcpio.conf. After removing this hook and rebuilding the initial ramdisk all seems fine now, even the hook for TPM is working.

When finished with all the testing I'll post a guide or something in another thread.

Thanks for all of your help, it was really productive for me. :slight_smile:

Edit:
Guide: Garuda-fde_and_tpm-guide/README.md at main · SubXi/Garuda-fde_and_tpm-guide · GitHub

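The resolution above names the mechanism but not a way to check for it, so here is an added example (not from the thread, Garuda, or the linked guide) that audits a crypttab and mkinitcpio.conf pair for the keyfile path that makes the unlock silent. The mkinitcpio encrypt hook uses /crypto_keyfile.bin inside the initramfs by default (overridable with the cryptkey= kernel parameter), so once that file is listed in FILES=() the initramfs unlocks the LUKS volume on its own; on a stock Calamares FDE install the prompt typically comes from GRUB's cryptodisk support before that initramfs is ever loaded. The point a practitioner should take from the objcopy command earlier in the thread is that the .initrd section of /boot/efi/EFI/Linux.efi then carries the LUKS key onto the unencrypted ESP. The two config samples are constructed to mirror Garuda's defaults (an assumption); on a real system point the functions at the contents of /etc/crypttab and /etc/mkinitcpio.conf.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit an Arch/Garuda FDE setup for a
# passphrase-less unlock path. The sample config text is constructed to
# resemble Garuda's Calamares defaults (assumption) so the script runs offline.

# Constructed sample: crypttab that unlocks root via a keyfile.
SAMPLE_CRYPTTAB='# <name>       <device>                                      <password>           <options>
luks-11111111 UUID=11111111-2222-3333-4444-555555555555 /crypto_keyfile.bin luks
swap          /dev/nvme0n1p3                                /dev/urandom         swap,cipher=aes-xts-plain64'

# Constructed sample: mkinitcpio.conf that bakes the keyfile into the initramfs.
SAMPLE_MKCONF='MODULES=()
BINARIES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect modconf block keyboard keymap plymouth encrypt filesystems fsck)'

# Constructed sample: the same config after dropping the keyfile and plymouth,
# which is what the thread ended up doing.
FIXED_MKCONF='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt filesystems fsck)'

# Print "<name> <keyfile>" for each crypttab line whose password field is a
# real path rather than "none" or "-" (a prompt) or /dev/urandom (random swap key).
crypttab_keyfiles() {
  printf '%s\n' "$1" | awk '
    $1 !~ /^#/ && NF >= 3 && $3 != "none" && $3 != "-" && $3 != "/dev/urandom" { print $1, $3 }'
}

# Expand a bash-style NAME=( a b c ) line from mkinitcpio.conf to one item per line.
conf_array() {                # $1 = config text, $2 = array name (FILES or HOOKS)
  printf '%s\n' "$1" | sed -n "s/^$2=(\(.*\))/\1/p" | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if the initramfs will embed the given path (it appears in FILES=()).
initramfs_embeds() { conf_array "$1" FILES | grep -qx -- "$2"; }

# Exit 0 if the given hook is enabled in HOOKS=().
has_hook() { conf_array "$1" HOOKS | grep -qx -- "$2"; }

# The encrypt hook also looks for /crypto_keyfile.bin by default (cryptkey=),
# so flag that path even when crypttab does not reference it.
default_keyfile_embedded() { initramfs_embeds "$1" /crypto_keyfile.bin; }

# Verdict for the pair (crypttab text, mkinitcpio.conf text):
#   PASSWORDLESS <name> <keyfile>  keyfile referenced and embedded: the initramfs
#                                  (and any UKI built from it) unlocks silently
#   PROMPT                         no embedded keyfile: the encrypt hook will ask
fde_verdict() {
  local crypttab="$1" mkconf="$2" name key
  while read -r name key; do
    [ -n "$key" ] || continue
    if initramfs_embeds "$mkconf" "$key"; then
      printf 'PASSWORDLESS %s %s\n' "$name" "$key"
      return 0
    fi
  done <<EOF
$(crypttab_keyfiles "$crypttab")
EOF
  printf 'PROMPT\n'
}

main() {
  echo "default config: $(fde_verdict "$SAMPLE_CRYPTTAB" "$SAMPLE_MKCONF")"
  echo "fixed config:   $(fde_verdict "$SAMPLE_CRYPTTAB" "$FIXED_MKCONF")"
  if has_hook "$SAMPLE_MKCONF" plymouth; then
    echo "note: plymouth hook enabled; the thread reports a loading loop instead of a prompt once the keyfile is gone"
  fi
}

main "$@"
```

To confirm what an already-built image carries, `lsinitcpio -l /boot/initramfs-linux-zen.img` lists the archive contents; an entry for crypto_keyfile.bin there means the LUKS key is recoverable from any copy of that initramfs, including the .initrd section of a UKI on the ESP.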
