[Bug 1201439] New: brand new laptop with just recently installes clean 15.4 FDE will not boot any more after todays updates
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 Bug ID: 1201439 Summary: brand new laptop with just recently installes clean 15.4 FDE will not boot any more after todays updates Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: x86-64 OS: openSUSE Leap 15.4 Status: NEW Severity: Critical Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs@suse.de Reporter: abittner@opensuse.org QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- brand new laptop with just recently installes clean 15.4 FDE will not boot any more after todays updates when looking at todays updates, I only see the mdadm stuff that might affect the bootloader config being rebuilt or something? <https://lists.opensuse.org/archives/list/updates@lists.opensuse.org/> I dont think it has applied some kernel update just yet? the boot config initually asked me for FDE key/password to be entered on the keyboard. it didnt complain, I entered the correct password there. then instead of coming up with the normal grub2 menu, it only shows a basic very default grub2 command prompt. I am at a loss for words, this is my production laptop, and I have had way too many boot issues in my linux life with opensuse over many years. that this very new laptop becomes killed and who knows if i will be able to access this machine again really makes me scared :( I have just some weeks ago installed a clean leap 15.4 with this hp probook, single nvme drive, with the opensuse installer selecting full disk encryption, very defaulty installation. btrfs or something. I am really no expert in what it did exactly during install partition wise. the grub menu shows when trying to enter the commmand "boot"
boot
(proc) (hd0) (hd0.gpt2) (hd0.gpt1) and it writes that I need to load a kernel first in boot.c:197..... what now? where can I order support even paid support for this situation. this is really scaring me :( thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c1 --- Comment #1 from andreas bittner <abittner@opensuse.org> --- i think the last two updates it just applied (zypper ref and zypper up) right before i rebooted the machine were the mdadm and the x11-org updates as also given on that mailing list overview. the kernel update seems only been released for 15.3 so far. so I dont know why it fails to reboot. I think I just rebooted this machine the other day some day ago or so when there was some rather larger plasma desktop patches or so. booted fine during the past few weeks ever since I installed it. FDE, I always had to prompts for the password, one at the very beginning right out of the UEFI stage, and then one after selecting the first entry in the grub2 menu to boot the normal 15.4 kernel. it asked my twice for a boot. then happily booted into the kde plasmal login screen. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c2 --- Comment #2 from andreas bittner <abittner@opensuse.org> --- just to make clear, I simply selected "enable disk encryption" or such option from the normal yast installer on the fresh 15.4 install just some weeks ago. <https://en.opensuse.org/SDB:Encrypted_root_file_system> I didnt go for this "enter the passphrase just once" stuff. only the very basic yast disk encrpytion stuff. left everything else as defaults. the nvme disk is a 2TB nvme. was completely empty factory empty. laptop is some current hp probook 455 G8, amd based. everything booted normally just until todays reboot. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 andreas bittner <abittner@opensuse.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|brand new laptop with just |brand new laptop with just |recently installes clean |recently installed clean |15.4 FDE will not boot any |15.4 FDE will not boot any |more after todays updates |more after todays updates -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c3 --- Comment #3 from andreas bittner <abittner@opensuse.org> --- just to make sure, what does it actually look like when you enter a different password for this grub2 disk encryption that is activated during first clean install from the opensuse 15.4 installer/setup? i see no difference when entering a wrong password deliberately? there is initially. this machine boots as follows: - power on - hp logo on screen visible - Weltome to GRUB! .... printed to the left upper corner attempting to decrypt master key.... enter passphrase for hd0.gpt2 (.... some hash(?) value seen here....) : I then need to enter my password that I set during the initial leap 15.4 install. until yesterday: when having entered the correct password there, the screen eventually got cleard, hp logo vanished and then a normal grub menu was being presented with three entries, first like to boot normal 15.4 kernel or so... two additional lines I dont even remember any more, like in the old days... opensuse safe settings or rescue or similar. So since yesterday, when I enter my password (or anything here at the fist prompt).... after a little while there is briefly something being printed to the sceeen (at the top?) but vanishes so quickly to land into tha grub very basic terminal prompt or so.... I fail to see any differences in behavior when using a false password or when using my supposedly correct password typing it very carefully. Any way to see any logs of whats happening in this basic grub stage? of seeing that briefly presented message after the password? to see any differences? so see whats going on? What can I do now? where to request for support or help? thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c4 --- Comment #4 from andreas bittner <abittner@opensuse.org> --- well yesterday another (related?) bug appeared on the list at: <https://bugzilla.suse.com/show_bug.cgi?id=1201399> was trying to find a bit out with the help of it, some brief ls (and path showing command) of grub I can always as well with the tab key on the keyboard and the "ls" or the "configfile" command kind of make the terminal display some existing path names? on (hd0,gpt2) i can browse through /efi/boot or /efi/opensuse or /efi/hp but I can 'see' always the same /efi/opensuse/grub.cfg file no matter what I type in as my master key (initial password asked by grub2), and this is kind of odd to me. I have not much idea about how this efi stuff gets populated and where all the contents are really coming from. I would have thought that there would be a difference when using a completely false password. maybe something else is amiss here. maybe that other bug boo#1201399 is related or maybe its not? appeared yesterday as well. thanks for helping me out. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c5 Dirk Weber <d_werner@gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |d_werner@gmx.net --- Comment #5 from Dirk Weber <d_werner@gmx.net> --- Just a suggestion from a wild guess, maybe it is helpful... in Leap 15.4 the keyboard layout for entering the passphrase is originally localized (e.g. "de"). Does your passphrase contain characters which are located at different keys for keyboard layout "de" and keyboard layout "en"? Some weeks ago (?) it happened in Tumbleweed that the localized keyboard was not setup correctly for grub to enter the passphrase. Maybe something similar happened now resulting in an invalid passphrase when you think you entered it correctly. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c6 --- Comment #6 from andreas bittner <abittner@opensuse.org> --- Thanks a lot for the reply. I am really kind of scared alone here in this situation... ;/ no no special or deviating keys between de and us/en keyboard I already thought about that. but then again I was trying to find out if I could actually see any visible difference in the state of this grub terminal when I enter wrong password in contrast to the proper password. Can I find out? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c7 --- Comment #7 from Dirk Weber <d_werner@gmx.net> --- Currently I do not know of a way to verify or check the keymapping in grub. But I also installed these updates on two machines with encrypted partitions yesterday. One is a virtual machine with BIOS, the other is a PC with UEFI. Both booted without problems after the update. Also no file under /boot got a new timestamp during the upgrade. Therefore I do not have an idea what else could be the problem. I think it looks like a specific problem on your machine. Are you using secure boot? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c8 --- Comment #8 from andreas bittner <abittner@opensuse.org> --- I didnt mean the keyboard. I mean how can I make sure I enter the correct password in the means how can I find out if the password was successfully used to decrypt some first stage of this boot process. where normally the second stage follows showing the normal grub2 menu with default kernel for 15.4, advanced settings for leap 15.4, uefi entry and another one I guess. I just checked on another uefi system with no encryption. there are four normal entries being presented in the normal colored grub2 menu with the suse log and so on. I want to make sure that its not me being foolish and having a password problem. the key mapping is fine at least in this very basic grub2 terminal i can try and type with the keyboard there and I can type my password or its characters fine without messing up the keyboard layout. any way to find out if the initial password gets used properly to decrypt anything? or to see that briefly flashing text that instantly vanishes? what next? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c9 --- Comment #9 from Dirk Weber <d_werner@gmx.net> --- I am afraid the grub menu is only accessible after decrypting the boot partition. I suggest: try to boot from a rescue system on pen drive/USB stick and try to mount the encrypted partition from the running rescue-system. There you can verify the keyboard layout and possibly there will be error messages which give further hints. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c10 --- Comment #10 from andreas bittner <abittner@opensuse.org> --- How would I do that exactly? I have finally decided to go for a Laptop and Opensuse on it and now I am stuck :( btw, I have recorded the screen after I enter the credentials with a camera, and I can briefly see in the video that there are two error lines: error: ../../grub-core/disk/luks.c:311: access denied error: ../../grub-core/disk/cryptodisk.c:1132 no such cryptodisk found a third error appears error: ../../grub-core/commands/search.c:296 so such device: ... uuid(?) some sort of address Its very hard to record this stuff with the equipment I have available at the moment, but if I am not completely with a memory loss I am typing my password properly. Any hints on how to make this mounting of the full disk encryption from a rescue opensuse usb stick? so that I can try easily there and see all the messages? thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c11 --- Comment #11 from andreas bittner <abittner@opensuse.org> --- I have the 15.4 iso image here and created an simple bootable usb stick from it. it is able to boot the stick on this uefi system, this is the way i installed this laptop I guess. selecting rescue mode from the usb stick and setting the keyboard language, and then root shows me two partitions via lsblk the /dev/nvme0n1p1 is about 512M I can mount that and I find the /mnt/EFI/opensuse/grub.cfg file there and it has a few lines that make sense: cryptomount -u hashere..... which gets shown for entering passphrase to decrypt master key... and search --fs-uuid --set=root longuuid here from error lines.... which I have found briefly appearing with the help of my camera. two more lines set prefix..... source... look like default stuff to me. How would I mount the /dev/nvme0n1p2 partition now as it only writes me an error when I simply try to mount it, unknown filesystem type crypto_LUKS. I have never done this before. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c12 --- Comment #12 from Dirk Weber <d_werner@gmx.net> --- A rescue system is available here (this is the current Tumbleweed): https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-Rescue-CD-x... + signatures Here is some documentation how to put in on a USB stick: https://en.opensuse.org/SDB:Live_USB_stick BTW: if you originally installed from a USB stick and it still contains the installation system it could work with this one, too. The rescue system boots into a graphical desktop, and with the file manager of this desktop it should be possible to "just mount" the encrypted partition. I think the line "error: ../../grub-core/disk/luks.c:311: access denied" can mean that the decryption failed - possibly due to an invalid passphrase. But I am not sure this is the only case in which this error message comes. The next lines then mean that the expected cryptodisk and device which are in the container can not be found and are the consequence of the failed decryption. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c13 andreas bittner <abittner@opensuse.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WORKSFORME --- Comment #13 from andreas bittner <abittner@opensuse.org> --- okay update here, really MYBAD, I am so utterly sorry. I did have a brain malfunction. I am back inside my system now. It *was* a password problem. Sigh. Sorry sorry. Thanks for the help. I will look into this how to actually do a resuce on a LUKS encrypted root partition and all that. Once again. My fault :( sorry to cause all this traffic and noise. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c14 Dirk Weber <d_werner@gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|WORKSFORME |FIXED --- Comment #14 from Dirk Weber <d_werner@gmx.net> --- Probably better so :-) possibly useful hints: https://linuxwiki.de/cryptsetup -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1201439 http://bugzilla.opensuse.org/show_bug.cgi?id=1201439#c15 --- Comment #15 from andreas bittner <abittner@opensuse.org> --- one more remark though, maybe to make end users life easier, dont know if this would conflict with plausible deniability or similar reasoning if at all, that this initial password prompt with this LUKS and grub2 and all, should give the user a proper error message visible readable and observable if this makes sense? this bug also means to me that I never actually failed at entering my FDE LUKS password on this laptop ever before, only last night. it was totally unclear to me what was going on. When trying with the correct password, there is the normal grub2 menu being shown and then I select the first entry of it to boot the kernel. After selecting this step there is the second graphical mode password prompt and entering the wrong password there recreates this prompt and asks again, this would hint a simple user that the password was wrong and needs to be reentered. but failing the first step grub2 prompt only leads to rudimentary grub prompt and doesnt help the user? wouldnt this be a better service to the user when not leaving them in such low level technical situations? thanks. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com