summaryrefslogtreecommitdiffhomepage
path: root/tech/cheatsheet.mdwn
blob: af5c524021e30edaea9b10dbbf3ddda758fffa47 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[[!toc levels=2]]

# Debian sysadmin

## Chrooting into an offline EFI-on-LVM-on-LUKS system

It's the LVM part that I don't seem to be able to memorise.

1. `cryptsetup luksOpen /dev/sda2`
2. `vgscan`
3. `vgchange`
4. `mkdir /target`
5. `mount /dev/vg-foo/lv-bar /target`
6. `mount /dev/sda1 /target/boot/efi`
7. `for i in /sys /proc /dev /run; do mount --rbind $i /target$i; done`
8. `chroot /target /bin/bash`

## Restoring contents of /boot/efi

`grub-install --target=x86_64-efi`

Note that a removable drive may be mounted at `/boot/efi`.  It is not
clear whether grub-install(1)'s `--removable` option can work with
`GRUB_ENABLE_CRYPTODISK`, so just mount the removable drive to
`/boot/efi`.

Some machines, such as my ThinkPad x220, will only boot from the
fallback bootloader location, `/boot/efi/EFI/BOOT/BOOTX64.EFI`.
Passing `--force-extra-removable` to grub-install(1) is meant to copy
the right files from `/boot/efi/EFI/debian` to `/boot/efi/EFI/BOOT`.
You can manually create `/boot/efi/EFI/BOOT` and copy the file
yourself, however, as a fallback: `cp /boot/efi/EFI/debian/grubx64.efi
/boot/efi/EFI/BOOT/BOOTX64.EFI`

If the machine does not support UEFI Secure Boot, but grub-install
installs the Secure Boot shim to `/boot/efi/EFI/*/bootx64.efi`, the
machine may not boot.  The proper solution is to `apt-get purge
shim-helpers-amd64-signed shim-signed shim-signed-common
shim-unsigned`, and grub-install(1) (both with and without
`--force-extra-removable`) should copy the right file to
`bootx64.efi`.  If it doesn't, should be able to
`/boot/efi/EFI/debian/grubx64.efi` to `/boot/efi/EFI/BOOT/BOOTX64.EFI`
as a workaround to get the machine to boot.