summaryrefslogtreecommitdiffhomepage
path: root/tech/cheatsheet.mdwn
blob: 33accd3b8022af963df0984eb101136fa832b8f1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
[[!toc levels=2]]

# Debian sysadmin

## Chrooting into an offline EFI-on-LVM-on-LUKS system

It's the LVM part that I don't seem to be able to memorise.

1. `cryptsetup luksOpen /dev/sda2`
2. `vgscan`
3. `vgchange`
4. `mkdir /target`
5. `mount /dev/vg-foo/lv-bar /target`
6. `mount /dev/sda1 /target/boot/efi`
7. `for i in /sys /proc /dev /run; do mount --rbind $i /target$i; done`
8. `chroot /target /bin/bash`

## Restoring contents of /boot/efi

`grub-install --target=x86_64-efi`

Note that a removable drive may be mounted at `/boot/efi`.  It is not
clear whether grub-install(1)'s `--removable` option can work with
`GRUB_ENABLE_CRYPTODISK`, so just mount the removable drive to
`/boot/efi`.

Some machines, such as my ThinkPad x220, will only boot from the
fallback bootloader location, `/boot/efi/EFI/BOOT/BOOTX64.EFI`.
Passing `--force-extra-removable` to grub-install(1) is meant to copy
`/boot/efi/EFI/debian/grubx64.efi` to
`/boot/efi/EFI/BOOT/BOOTX64.EFI`.  You can manually create
`/boot/efi/EFI/BOOT` and copy the file yourself, however, as a
fallback.

If the machine does not support UEFI Secure Boot, but grub-install
installs the Secure Boot shim to `/boot/efi/EFI/*/bootx64.efi`, the
machine may not boot.  The proper solution is to `apt-get purge
shim-helpers-amd64-signed shim-signed shim-signed-common
shim-unsigned`, and then `--force-extra-removable` should copy the
right file to `bootx64.efi`.  If it doesn't, should be able to
`/boot/efi/EFI/debian/grubx64.efi` to `/boot/efi/EFI/BOOT/BOOTX64.EFI`
as a workaround to get the machine to boot.