Fix Fedora UEFI Boot with encrypted partitions

I recently upgraded my laptop, a Lenovo X1 Carbon 4th gen, to Fedora 32, which is still in Beta, but with just two weeks until its scheduled release, I deemed it stable enough for my purposes.

The upgrade process went smoothly and everything worked fine. I really like the new lockscreen, it looks really clean.

As usual with beta releases, there are quite a lot of updates, and I usually run sudo dnf upgrade once a day. I also do not really pay attention to what is actually upgraded; it is simply too much.

One of these upgrades seems to have broken my startup system. After a restart, the Grub selection did not appear at all and instead Windows started immediately. This seemed odd, so I started investigating.

The first thing I did was to open the Boot selection menu of the laptop. It lists all the available boot options and still contains the Fedora entry. Selecting it resulted in nothing; instead, the very same selection screen reappeared immediately. Windows could be selected and booted up without issues, so I guess that the system automatically tries all entries in order until it finds one that actually works.

My task now was to fix the issue. This turned out to be a bit trickier due to UEFI and the fact that my Linux partitions are encrypted. Most forum entries and manual pages consider simpler cases, where either it is not a UEFI system or everything is unencrypted. Hence, I will list all steps to help anyone and to have a reference in case this happens again.

I started off by downloading the Fedora Media Writer and the Fedora 32 DVD ISO from the Fedora download page. It might have worked with the stable Fedora 31 release as well, but I didn’t want to take any chances. I then created a Live CD on a USB stick.

Next, I booted from the USB stick, started the Live version of Fedora, opened a terminal, made myself a superuser with the su command and listed all my disk partitions:

# fdisk -l
Festplatte /dev/nvme0n1: 476,96 GiB, 512110190592 Bytes, 1000215216 Sektoren
Festplattenmodell: SAMSUNG MZVKV512HAJH-000L1              
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes
Festplattenbezeichnungstyp: gpt
Festplattenbezeichner: 2C4E590F-0E6F-4950-9740-F8C04BCDCC5E

Gerät             Anfang       Ende  Sektoren  Größe Typ
/dev/nvme0n1p1      2048     534527    532480   260M EFI-System
/dev/nvme0n1p2    534528     567295     32768    16M Microsoft reserviert
/dev/nvme0n1p3    567296  362516479 361949184 172,6G Microsoft Basisdaten
/dev/nvme0n1p4 998166528 1000214527   2048000  1000M Windows-Wiederherstellungsumgebung
/dev/nvme0n1p5 362516480  364613631   2097152     1G Linux-Dateisystem
/dev/nvme0n1p6 364613632  998166527 633552896 302,1G Linux-Dateisystem

We can see that the EFI partition is /dev/nvme0n1p1, the Linux /boot partition can be determined by its size of 1 GB and is /dev/nvme0n1p5, and finally the main Linux partition with all encrypted partitions is /dev/nvme0n1p6.
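The fdisk type labels above are translated by the locale, and size is only a heuristic for finding /boot. As an added example (not part of the original post), this script classifies partitions by GPT type GUID and filesystem signature from lsblk -P output; the function names are hypothetical and the sample input is constructed to mirror the layout above, assuming /boot is ext4.

```shell
# Added example: classify partitions by GPT type GUID and filesystem signature.
# Live input: lsblk -P -p -o NAME,FSTYPE,PARTTYPE,SIZE /dev/nvme0n1
ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"    # EFI System Partition
LINUX_GUID="0fc63daf-8483-4772-8e79-3d69d8477de4"  # Linux filesystem data

# Reads lsblk -P lines on stdin; prints "<role> <device> <size>" per partition.
classify_partitions() {
    awk -v esp="$ESP_GUID" -v linux="$LINUX_GUID" '
    {
        name = ""; fstype = ""; parttype = ""; size = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "NAME") name = val
            else if (key == "FSTYPE") fstype = val
            else if (key == "PARTTYPE") parttype = tolower(val)
            else if (key == "SIZE") size = val
        }
        if (parttype == "") next               # whole disk, not a partition
        if (parttype == esp) role = "esp"
        else if (fstype == "crypto_LUKS") role = "luks"   # check before GPT type
        else if (parttype == linux) role = "linux"        # /boot candidate
        else role = "other"
        print role, name, size
    }'
}

# Reads lsblk -P lines on stdin; prints the device path(s) with the given role.
find_role() {
    classify_partitions | awk -v r="$1" '$1 == r { print $2 }'
}

# Constructed sample modelled on the layout above (not captured output).
sample_lsblk() {
    cat <<'EOF'
NAME="/dev/nvme0n1" FSTYPE="" PARTTYPE="" SIZE="477G"
NAME="/dev/nvme0n1p1" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" SIZE="260M"
NAME="/dev/nvme0n1p2" FSTYPE="" PARTTYPE="e3c9e316-0b5c-4db8-817d-f92df00215ae" SIZE="16M"
NAME="/dev/nvme0n1p3" FSTYPE="ntfs" PARTTYPE="ebd0a0a2-b9e5-4433-87c0-68b6b72699c7" SIZE="172.6G"
NAME="/dev/nvme0n1p4" FSTYPE="ntfs" PARTTYPE="de94bba4-06d1-4d40-a16a-bfd50179d6ac" SIZE="1000M"
NAME="/dev/nvme0n1p5" FSTYPE="ext4" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" SIZE="1G"
NAME="/dev/nvme0n1p6" FSTYPE="crypto_LUKS" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" SIZE="302.1G"
EOF
}

sample_lsblk | classify_partitions
```

On a live system, pipe the lsblk command from the header comment into classify_partitions instead of the sample. The LUKS check runs before the GPT type check because the encrypted partition carries the same "Linux filesystem" type GUID as /boot.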

Next, we need to unlock the encrypted partition:

# udisksctl unlock -b /dev/nvme0n1p6

This prompts us to enter our password for decrypting the partition and it provides all the logical volumes under /dev/mapper. In my case, the actual partitions can be accessed at /dev/mapper/fedora-root, /dev/mapper/fedora-home and /dev/mapper/fedora-swap, respectively.

Now we can start to mount our real Fedora installation into some directory in order to repair it. First, we need some main directory under which to mount everything:

# mkdir /mnt/root

and now we can mount all directories:

# mount /dev/mapper/fedora-root /mnt/root

# mount /dev/nvme0n1p5 /mnt/root/boot

# mount /dev/nvme0n1p1 /mnt/root/boot/efi

# mount -t proc proc /mnt/root/proc

Although this could already be sufficient, I needed to make the Wireless network from my live instance available in the environment which will be used for chroot:

# mv /mnt/root/etc/resolv.conf /mnt/root/etc/resolv.conf.backup

# cp /etc/resolv.conf /mnt/root/etc/resolv.conf

Finally I could change into my prepared environment

# chroot /mnt/root /bin/bash

… and actually repair the UEFI setup:

# dnf install grub2-efi shim

# dnf reinstall grub2-efi shim

After all of this, the system should be ready to be rebooted.

I hope these steps are helpful to someone else than just me 🙂

