terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Mon May 26, 2025 12:10 pm Post subject: Issue with boot partition and distro-kernel [Ongoing]
Hello, I'm relatively new to Gentoo (I already did an installation 2 years ago and wiped it since).
I've always been attracted to it since I started my journey with operating systems, and it's the distro I chose for my new installation.
My build is OpenRC, and on the go, I chose the distro-kernel, GRUB, a stub, a UKI, installkernel and an initramfs with dracut. I don't know if everything will work but I have an issue before that.
I have an SSD and an HDD on this machine and I moved over to my HDD a couple of partitions that will be rewritten/accessed intensively.
I have a multi LVM over LUKS partition scheme. I chose the same password in order to be able to chain the LUKS deciphering. Same thing, I will have to tinker, I don't know how to do it yet.
Here is the :
Code:
sda 8:0 0 931,5G 0 disk
├─sda1 8:1 0 1G 0 part /boot/efi
└─sda2 8:2 0 930,5G 0 part
└─luks_crypt_ssd 253:0 0 930,5G 0 crypt
├─vgssd-recovery 253:6 0 8G 0 lvm /recovery
└─vgssd-root 253:7 0 922,5G 0 lvm /
sdb 8:16 0 931,5G 0 disk
└─sdb1 8:17 0 931,5G 0 part
└─luks_crypt_hdd 253:1 0 931,5G 0 crypt
├─vghdd-var 253:2 0 50G 0 lvm /var
├─vghdd-tmp 253:3 0 50G 0 lvm /tmp
├─vghdd-swap 253:4 0 25G 0 lvm [SWAP]
└─vghdd-home 253:5 0 806,5G 0 lvm /home
The issue is that I did the installation first with the wrong mount points, /boot instead of /boot/efi that I wanted in order to have my /boot in my ciphered root partition.
I installed installkernel, the stub and the UKI with the wrong layout.
Then I rechrooted and corrected the thing, installed NetworkManager, and recompiled, and it recompiled the kernel and the compilation worked but not the copy apparently.
Code: emerge --ask --changed-use --deep @world
Here is the output. I am interested in any tips, things to do, best practices. Thanks in advance:
Code:
Running /usr/lib/kernel/postinst.d/95-efistub-uefi-mkconfig.install 6.12.28-gentoo-dist /efi/EFI/Gentoo/vmlinuz-6.12.28-gentoo-dist.efi...
Updating UEFI configuration...
Running uefi-mkconfig...
No efi kernel images found!
For more information please refer to https://github.com/Biosias/uefi-mkconfig
uefi-mkconfig failed
ERROR: Installing 6.12.28-gentoo-dist failed

The kernel was not deployed successfully. Inspect the failure
in the logs above and once you resolve the problems please
run the equivalent of the following command to try again:
emerge --config '=sys-kernel/gentoo-kernel-6.12.28:6.12.28'
ERROR: sys-kernel/gentoo-kernel-6.12.28::gentoo failed (postinst phase):
Kernel install failed, please fix the problems and run emerge --config
Call stack:
ebuild.sh, line 136: Called pkg_postinst
environment, line 2512: Called kernel-build_pkg_postinst
environment, line 1613: Called kernel-install_pkg_postinst
environment, line 2094: Called kernel-install_install_all '6.12.28-gentoo-dist'
environment, line 2080: Called dist-kernel_install_kernel '6.12.28-gentoo-dist' '/usr/src/linux-6.12.28-gentoo-dist/arch/x86/boot/bzImage' '/usr/src/linux-6.12.28-gentoo-dist/System.map'
environment, line 1161: Called die
The specific snippet of code:
die "Kernel install failed, please fix the problems and run emerge --config";
If you need support, post the output of emerge --info '=sys-kernel/gentoo-kernel-6.12.28::gentoo',
the complete build log and the output of emerge -pqv '=sys-kernel/gentoo-kernel-6.12.28::gentoo'.
The complete build log is located at '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/temp/build.log'.
The ebuild environment file is located at '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/temp/environment'.
Working directory: '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/empty'
S: '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/work/linux-6.12'
FAILED postinst: 1
Completed (1 of 3) sys-kernel/gentoo-kernel-6.12.28::gentoo
* Failed to install sys-kernel/gentoo-kernel-6.12.28, Log file:
*
* >>> '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/temp/build.log'
*
*
* Messages for package sys-kernel/gentoo-kernel-6.12.28:
*
*
* Your configuration for sys-kernel/gentoo-kernel-6.12.28 has been saved in
* "/etc/portage/savedconfig/sys-kernel/gentoo-kernel-6.12.28" for your editing pleasure.
* You can edit these files by hand and remerge this package with
* USE=savedconfig to customise the configuration.
* You can rename this file/directory to one of the following for
* its configuration to apply to multiple versions:
* ${PORTAGE_CONFIGROOT}/etc/portage/savedconfig/
* [${CTARGET}|${CHOST}|""]/${CATEGORY}/[${PF}|${P}|${PN}]
* FAILED postinst: 1
* /usr/src/linux points at another kernel, leaving it as-is.
* Please use 'eselect kernel' to update it when desired.
* The kernel was not deployed successfully. Inspect the failure
* in the logs above and once you resolve the problems please
* run the equivalent of the following command to try again:
* emerge --config '=sys-kernel/gentoo-kernel-6.12.28:6.12.28'
* ERROR: sys-kernel/gentoo-kernel-6.12.28::gentoo failed (postinst phase):
* Kernel install failed, please fix the problems and run emerge --config
sMueggli Guru

Joined: 03 Sep 2022 Posts: 597
Posted: Mon May 26, 2025 2:54 pm
Can you please show the USE flags of sys-kernel/installkernel?
Code: emerge --pretend --verbose sys-kernel/installkernel
If you want a fully-encrypted disk (including /boot) you will not be able to use UKI or the EFI stub (because they are normally loaded by the firmware which cannot unlock a LUKS container).
If you are using LUKS2 and Grub, please also make sure that the PBKDF is not using Argon (Grub cannot handle this).
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Mon May 26, 2025 5:33 pm
Thanks a lot for your response sMueggli!
I will try to revert what I have done for stub and UKI, I just followed the handbook a bit mindlessly without digging deeper into each topic...
That is very precious advice!
Here is the result of the command:
Code:
(chroot) livecd / # emerge --pretend --verbose sys-kernel/installkernel
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 22.69 s (backtrack: 0/20).
[ebuild R ~] sys-kernel/installkernel-59-r1::gentoo USE="dracut efistub grub -refind -systemd -systemd-boot -ugrd -uki -ukify" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
* IMPORTANT: 2 news items need reading for repository 'gentoo'.
* Use eselect news read to view new items.
(chroot) livecd / #
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 285
Posted: Mon May 26, 2025 9:32 pm
terramotu wrote:
Thanks a lot for your response sMueggli!
I will try to revert what I have done for stub and UKI, I just followed the handbook a bit mindlessly without digging deeper into each topic...
That is very precious advice!
Here is the result of the command:
Code:
(chroot) livecd / # emerge --pretend --verbose sys-kernel/installkernel
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 22.69 s (backtrack: 0/20).
[ebuild R ~] sys-kernel/installkernel-59-r1::gentoo USE="dracut efistub grub -refind -systemd -systemd-boot -ugrd -uki -ukify" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
* IMPORTANT: 2 news items need reading for repository 'gentoo'.
* Use eselect news read to view new items.
(chroot) livecd / #
The efistub use flag should be used if you want uefi-mkconfig to install an entry for your kernel/initramfs directly. Since you're using grub, you probably don't want that.
This page may help some:
https://wiki.gentoo.org/wiki/Rootfs_encryption
_________________
µgRD dev
Wiki writer
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Fri May 30, 2025 4:40 pm
Hello again everyone, I'm going further on the installation this weekend.
Thanks to zen_desu and its wiki, I have corrected my dracut config and my grub config with the correct parameters.
Then I saw that I had an /efi folder containing /efi/EFI and some kernel stuff.
Apparently, that thing was supposed to be in /boot/efi/EFI (so for the moment I copied the files...)
I didn't revert the fact that I have a stub and UKI as apparently, even if it's unusable and pointless, it will not be blocking.
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Fri May 30, 2025 4:43 pm
For the moment, I manually copied everything and we will see...
I'll keep you updated if I'm able to recompile the genkernel successfully or not...
Code:
bin boot dev etc home lib lib64 lost+found media mnt opt proc recovery root run sbin sys tmp usr var
(chroot) livecd / # tree /boot/
/boot/
├── efi
│ ├── amd-uc.img
│ ├── EFI
│ │ ├── amd-uc.img
│ │ ├── config-6.12.28-gentoo-dist
│ │ ├── config-6.12.28-gentoo-dist.old
│ │ ├── initramfs-6.12.28-gentoo-dist.img
│ │ ├── initramfs-6.12.28-gentoo-dist.img.old
│ │ ├── System.map-6.12.28-gentoo-dist
│ │ ├── System.map-6.12.28-gentoo-dist.old
│ │ ├── vmlinuz-6.12.28-gentoo-dist.efi
│ │ └── vmlinuz-6.12.28-gentoo-dist-old.efi
│ └── grub
│ └── grub.cfg
└── grub
└── grub.cfg
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Fri May 30, 2025 4:58 pm
I wanted to have some confirmation...
Apparently Gentoo now recommends using /efi as the FAT32 partition (ESP), it's better for Secure Boot and for having /boot encrypted (I also wanted that).
The only difference with the wiki is that I chose to mount my ESP on /boot/efi instead of /efi as described in the wiki...
So by the way
I changed in /etc/genkernel.conf:
Code:
(chroot) livecd / # cat /etc/genkernel.conf
# Set the boot directory, default is /boot
BOOTDIR="/boot/efi"
https://wiki.gentoo.org/wiki/Genkernel#Changing_the_boot_directory_to_.2Fefi
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 285
Posted: Fri May 30, 2025 8:16 pm
terramotu wrote:
I wanted to have some confirmation...
Apparently Gentoo now recommends using /efi as the FAT32 partition (ESP), it's better for Secure Boot and for having /boot encrypted (I also wanted that).
The only difference with the wiki is that I chose to mount my ESP on /boot/efi instead of /efi as described in the wiki...
So by the way
I changed in /etc/genkernel.conf:
Code:
(chroot) livecd / # cat /etc/genkernel.conf
# Set the boot directory, default is /boot
BOOTDIR="/boot/efi"
https://wiki.gentoo.org/wiki/Genkernel#Changing_the_boot_directory_to_.2Fefi
Are you using genkernel instead of dist-kernel now?
_________________
µgRD dev
Wiki writer
fspnet n00b


Joined: 07 Jul 2017 Posts: 18
Posted: Sat May 31, 2025 2:08 am Post subject: so your partition table is set up for XFS
OK, you're set up for XFS, I can see that... but your /boot and /boot/EFI, not /boot/efi, or I don't know if it's different,
like WINBOND / APPLE, maybe one needs /boot/efi and not /boot/EFI.
You need /boot EXT2 and /boot/EFI FAT32, then GRUB should detect the initrd and you have
to set all the LVMTAD stuff up yourself. I've done it before on a THINKPAD, Lenovo ThinkPad T61p... and R41???? My, I would
never trade a single thing for that laptop, that thing was like my prized possession.
fspnet n00b


Joined: 07 Jul 2017 Posts: 18
Posted: Sat May 31, 2025 2:22 am Post subject: if this works
OK, use ext2 for /boot and FAT32 for /boot/EFI and GRUB should detect it...
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Sat May 31, 2025 8:38 am
Hello zen_desu!
Yeah you're right, it's a mistake I made with the config file. I am still using the dist-kernel.
By the way, my setup is now able to compile it.
I went further on the installation and installed GRUB.
When I reboot I got the message for decrypting the disk, but with the wrong keyboard layout, and it's going into grub rescue after the first trial.
I'll chroot again and continue to tinker!
Thanks for the help everyone!
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 285
Posted: Sat May 31, 2025 5:32 pm
terramotu wrote:
Hello zen_desu!
Yeah you're right, it's a mistake I made with the config file. I am still using the dist-kernel.
By the way, my setup is now able to compile it.
I went further on the installation and installed GRUB.
When I reboot I got the message for decrypting the disk, but with the wrong keyboard layout, and it's going into grub rescue after the first trial.
I'll chroot again and continue to tinker!
Thanks for the help everyone!
Are you using LUKS1? Generally GRUB won't be able to handle LUKS2 unless you "downgrade" the KDF to pbkdf instead of argon2.
I'd take a moment to consider what security gains you'll get from an encrypted boot. I mean encryption is generally used for privacy, and things that go in your /boot partition are generally not private, especially because that is generally where bootable files are stored so the system must be able to read them. Generally, signing the files is better, as it will let you know if files are from a trusted source. You can do both, but IMO, if you've got things in boot files which are sensitive enough to need encryption, something is wrong. That stuff is most likely loaded into RAM eventually, and here, encryption helps keep data private while at rest specifically.
_________________
µgRD dev
Wiki writer
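A way to verify the GRUB/LUKS2 KDF point made above (and in sMueggli's earlier reply) before rebooting, added here as an example and not taken from the thread: a POSIX sh script that parses `cryptsetup luksDump` output, lists every keyslot whose PBKDF is Argon2 (which GRUB's LUKS2 support cannot unlock) and prints the `cryptsetup luksConvertKey` commands that would switch those slots to PBKDF2. The two header dumps embedded below are constructed samples and `/dev/sdX` is a placeholder; on a real system pipe `cryptsetup luksDump /dev/sda2` into `grub_incompatible_slots`.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `cryptsetup luksDump` text and
# reports keyslots GRUB cannot open. Device names below are placeholders.

# Constructed sample: LUKS2 header, slot 0 uses argon2id, slot 1 uses pbkdf2.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# Constructed sample: LUKS1 header. LUKS1 only ever uses PBKDF2, so GRUB can
# open it and the parser must report nothing for it.
SAMPLE_DUMP_LUKS1='LUKS header information for /dev/sdX
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
        Iterations:     1234567
Key Slot 1: DISABLED'

# Read luksDump text on stdin; print one slot number per line for each LUKS2
# keyslot whose PBKDF is argon2i or argon2id. Only the "Keyslots:" section is
# inspected, so the pbkdf2 lines under "Digests:" are never mistaken for slots.
grub_incompatible_slots() {
    awk '
        /^Keyslots:/                                   { in_ks = 1; next }
        /^(Tokens|Digests):/                           { in_ks = 0; next }
        in_ks && /^[[:space:]]*[0-9]+: luks2/          { slot = $1; sub(":", "", slot) }
        in_ks && /^[[:space:]]*PBKDF:/ && $2 ~ /^argon2/ { print slot }
    '
}

# One-word verdict for a header on stdin: "ok" if GRUB can unlock every slot,
# "argon2" if at least one slot would have to be converted first.
grub_verdict() {
    if [ -z "$(grub_incompatible_slots)" ]; then echo ok; else echo argon2; fi
}

# Turn slot numbers on stdin into the cryptsetup commands that convert each slot
# to PBKDF2 on DEVICE. Nothing is executed here; each conversion, when run,
# prompts for that slot's passphrase and rewrites only that keyslot.
pbkdf2_fix_commands() {
    device=$1
    while read -r slot; do
        [ -n "$slot" ] || continue
        printf 'cryptsetup luksConvertKey --key-slot %s --pbkdf pbkdf2 %s\n' "$slot" "$device"
    done
}

# Demo run on the constructed LUKS2 sample: prints one conversion command for slot 0.
printf '%s\n' "$SAMPLE_DUMP" | grub_incompatible_slots | pbkdf2_fix_commands /dev/sdX
```

After converting, re-run the dump through `grub_verdict` and expect `ok` before relying on GRUB to unlock the volume.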
sMueggli Guru

Joined: 03 Sep 2022 Posts: 597
Posted: Sun Jun 01, 2025 8:26 am
zen_desu wrote: I'd take a moment to consider what security gains you'll get from an encrypted boot. I mean encryption is generally used for privacy, and things that go in your /boot partition are generally not private, especially because that is generally where bootable files are stored so the system must be able to read them. Generally, signing the files is better, as it will let you know if files are from a trusted source. You can do both, but IMO, if you've got things in boot files which are sensitive enough to need encryption, something is wrong. That stuff is most likely loaded into RAM eventually, and here, encryption helps keep data private while at rest specifically.
The security goal of encryption is confidentiality, not privacy.
With encryption you can be relatively sure that no one replaced the kernel or initramfs with a malicious version or modified grub.cfg when the system is shut down.
You are right, signing is probably better. But it is way easier to encrypt /boot than to correctly set up Secure Boot.
An encrypted /boot allows you to embed a LUKS key in the initramfs.
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 285
Posted: Sun Jun 01, 2025 4:02 pm
sMueggli wrote:
zen_desu wrote: I'd take a moment to consider what security gains you'll get from an encrypted boot. I mean encryption is generally used for privacy, and things that go in your /boot partition are generally not private, especially because that is generally where bootable files are stored so the system must be able to read them. Generally, signing the files is better, as it will let you know if files are from a trusted source. You can do both, but IMO, if you've got things in boot files which are sensitive enough to need encryption, something is wrong. That stuff is most likely loaded into RAM eventually, and here, encryption helps keep data private while at rest specifically.
The security goal of encryption is confidentiality, not privacy.
With encryption you can be relatively sure that no one replaced the kernel or initramfs with a malicious version or modified grub.cfg when the system is shut down.
You are right, signing is probably better. But it is way easier to encrypt /boot than to correctly set up Secure Boot.
An encrypted /boot allows you to embed a LUKS key in the initramfs.
You're right about the confidentiality bit, I use "privacy" as a simpler way to describe that but it's technically incorrect. The point I'd like to make is confidentiality can make modifications harder, but it doesn't directly address data integrity (without data authentication).
As you said, you can be _relatively_ secure. If you keep your boot volume mounted, the encryption is basically pointless. That won't stop someone with root access from replacing your initramfs/kernel. Signatures, to a certain degree, will.
Embedding the key into the initramfs is a generally bad idea. Think of all of the places that key will "float" around, including various temp dirs in the build process etc. For every problem this solves, it essentially invents 3 more.
I embed some of my keys into my initramfs, but they are GPG encrypted themselves. I would hesitate to include "plain" keys anywhere, unless absolutely necessary. Plain keys existing in any form is a recipe for that key getting leaked.
_________________
µgRD dev
Wiki writer
sMueggli Guru

Joined: 03 Sep 2022 Posts: 597
Posted: Sun Jun 01, 2025 4:39 pm
zen_desu wrote: You're right about the confidentiality bit, I use "privacy" as a simpler way to describe that but it's technically incorrect. The point I'd like to make is confidentiality can make modifications harder, but it doesn't directly address data integrity (without data authentication).
Confidentiality and integrity are two different security goals. Some encryption algorithms also provide integrity support. But if you want to guarantee integrity then encryption is the wrong choice.
zen_desu wrote: As you said, you can be _relatively_ secure. If you keep your boot volume mounted, the encryption is basically pointless. That won't stop someone with root access from replacing your initramfs/kernel. Signatures, to a certain degree, will.
Encryption for storage is normally for data at rest. If someone has elevated access to the running system, you have already lost (and the attacker probably does not need to know the encryption passphrase anyway).
As long as the attacker cannot sign the malicious binaries, you will be able to detect tampered binaries. If the attacker can sign binaries, you will probably think/feel to be "secure". And there is also the possibility that the attacker lets you sign the malicious binary.
zen_desu wrote: Embedding the key into the initramfs is a generally bad idea. Think of all of the places that key will "float" around, including various temp dirs in the build process etc. For every problem this solves, it essentially invents 3 more.
As already written, if someone has access to the system, you have already lost. And don't you have the same problem with the corresponding private key when signing binaries?
zen_desu wrote: I embed some of my keys into my initramfs, but they are GPG encrypted themselves. I would hesitate to include "plain" keys anywhere, unless absolutely necessary. Plain keys existing in any form is a recipe for that key getting leaked.
I guess your GPG encrypted stuff does not use MFA, but is only protected by a password? Depending on the length of the password, it might indeed take some time to guess or break the password. But in my experience, people tend to use "simple" passwords. Especially if you do not have a password manager at hand.
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 285
Posted: Sun Jun 01, 2025 4:52 pm
sMueggli wrote: Confidentiality and integrity are two different security goals. Some encryption algorithms also provide integrity support. But if you want to guarantee integrity then encryption is the wrong choice.
Yup, AFAIK LUKS doesn't support authenticated encryption; I think BitLocker does, if you trust it.
sMueggli wrote: Encryption for storage is normally for data at rest. If someone has elevated access to the running system, you have already lost (and the attacker probably does not need to know the encryption passphrase anyway).
As long as the attacker cannot sign the malicious binaries, you will be able to detect tampered binaries. If the attacker can sign binaries, you will probably think/feel to be "secure". And there is also the possibility that the attacker lets you sign the malicious binary.
My solution for this is to use a removable volume for my boot partition (a USB flash drive). This means my system disk is truly fully encrypted, and even with root access, an attacker wouldn't be able to see/modify my kernel/initramfs. If they somehow did, it still wouldn't be signed. There is a small likelihood they could totally take over my running system and somehow inject malware into a future kernel build before I sign it, but I think things are over if someone is pulling off an attack that complex on me.
sMueggli wrote:
zen_desu wrote: Embedding the key into the initramfs is a generally bad idea. Think of all of the places that key will "float" around, including various temp dirs in the build process etc. For every problem this solves, it essentially invents 3 more.
As already written, if someone has access to the system, you have already lost. And don't you have the same problem with the corresponding private key when signing binaries?
They could have access to my system, but that doesn't mean they have my actual keys. They may be able to obtain an encrypted keyfile, but that's about it.
I'm not sure what you mean about signed binaries, like if they took over your system and were injecting malware into things before they were signed?
In any case, I use unique signing keys for different things. Most of them are protected with different smartcards, so it would be quite challenging for someone to use my keys without me knowing. It would technically be possible for things to be broken in a way where I'm unknowingly signing malware, but the point here is that someone can't craft up an exploit and drop it on my system and walk away.
sMueggli wrote:
zen_desu wrote: I embed some of my keys into my initramfs, but they are GPG encrypted themselves. I would hesitate to include "plain" keys anywhere, unless absolutely necessary. Plain keys existing in any form is a recipe for that key getting leaked.
I guess your GPG encrypted stuff does not use MFA, but is only protected by a password? Depending on the length of the password, it might indeed take some time to guess or break the password. But in my experience, people tend to use "simple" passwords. Especially if you do not have a password manager at hand.
I generally protect LUKS keys with the GPG module on a YubiKey. If anyone is using a simple password, that's their choice, and kinda a separate problem. Also if you're using an actual passphrase at any point, why not just use the LUKS header?
I mean if you have a big keyfile which is protected with a simple key, the only factor you're really adding is a "thing you must have" but it's something which can be copied. If you want that, you can just detach the header, and the header can be like your keyfile in a sense. Adding GPG mostly makes sense (IMO) if you want to use a YubiKey, because it can be your interface for talking to the smartcard. The security added by using an encrypted keyfile in addition to LUKS2 is pretty negligible, unless that keyfile can take advantage of dedicated cryptographic hardware.
Plainly including a plain keyfile in the initramfs is kinda a "shortcut" to a quickly booted system. I'd use that only for the case where I want a device that appears encrypted at a glance but must boot unattended and doesn't have a TPM.
---
Back on topic, I wonder if this is an issue with an encrypted boot being used, accidentally or on purpose (failure to mount /boot so it's written to the rootfs). I'm also not sure what chained deciphering means.
_________________
µgRD dev
Wiki writer
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Sun Jun 01, 2025 6:40 pm
Hello everyone!
You had a very interesting conversation!
And I came back with other troubles (sorry for the skill issues...)
Yes, I chose first to have my /boot encrypted to prevent anyone from doing anything in the /boot folder when my computer is at rest somewhere.
The idea of having the kernel on USB is very interesting. One of my best Gentoo tutorials was doing it https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide as well as having the LUKS headers.
But very unfortunately I came after and the guide was already no longer maintained.
To make things easier, I recently chose to change the layout with a new /boot partition. Here is the new layout:
Code:
sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 512M 0 part /boot
└─sda3 8:3 0 930.5G 0 part
└─luks_crypt_ssd 253:0 0 930.5G 0 crypt
├─vgssd-recovery 253:1 0 8G 0 lvm /recovery
└─vgssd-root 253:2 0 922.5G 0 lvm /
sdb 8:16 0 931.5G 0 disk
└─sdb1 8:17 0 931.5G 0 part
└─luks_crypt_hdd 253:3 0 931.5G 0 crypt
├─vghdd-var 253:4 0 50G 0 lvm /var
├─vghdd-tmp 253:5 0 50G 0 lvm /tmp
├─vghdd-swap 253:6 0 25G 0 lvm [SWAP]
└─vghdd-home 253:7 0 806.5G 0 lvm /home
I tried recompiling the dist-kernel and got this issue (I tried changing the kernel selected in eselect but don't know if I did it right):
Code:
* IMPORTANT: config file '/etc/default/grub' needs updating.
* See the CONFIGURATION FILES and CONFIGURATION FILES UPDATE TOOLS
* sections of the emerge man page to learn how to update config files.
(chroot) livecd / #
* Messages for package sys-kernel/gentoo-kernel-6.12.28:
* Your configuration for sys-kernel/gentoo-kernel-6.12.28 has been saved in
* "/etc/portage/savedconfig/sys-kernel/gentoo-kernel-6.12.28" for your editing pleasure.
* You can edit these files by hand and remerge this package with
* USE=savedconfig to customise the configuration.
* You can rename this file/directory to one of the following for
* its configuration to apply to multiple versions:
* ${PORTAGE_CONFIGROOT}/etc/portage/savedconfig/
* [${CTARGET}|${CHOST}|""]/${CATEGORY}/[${PF}|${P}|${PN}]
* FAILED postinst: 1
* /usr/src/linux points at another kernel, leaving it as-is.
* Please use 'eselect kernel' to update it when desired.
*
* The kernel was not deployed successfully. Inspect the failure
* in the logs above and once you resolve the problems please
* run the equivalent of the following command to try again:
*
* emerge --config '=sys-kernel/gentoo-kernel-6.12.28:6.12.28'
* ERROR: sys-kernel/gentoo-kernel-6.12.28::gentoo failed (postinst phase):
* Kernel install failed, please fix the problems and run emerge --config
*
* Call stack:
* ebuild.sh, line 136: Called pkg_postinst
* environment, line 2512: Called kernel-build_pkg_postinst
* environment, line 1613: Called kernel-install_pkg_postinst
* environment, line 2094: Called kernel-install_install_all '6.12.28-gentoo-dist'
* environment, line 2080: Called dist-kernel_install_kernel '6.12.28-gentoo-dist' '/usr/src/linux-6.12.28-gentoo-dist/arch/x86/boot/bzImage' '/usr/src/linux-6.12.28-gentoo-dist/System.map'
* environment, line 1161: Called die
* The specific snippet of code:
* die "Kernel install failed, please fix the problems and run emerge --config";
*
* If you need support, post the output of emerge --info '=sys-kernel/gentoo-kernel-6.12.28::gentoo',
* the complete build log and the output of emerge -pqv '=sys-kernel/gentoo-kernel-6.12.28::gentoo'.
* The complete build log is located at '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/temp/environment'.
* Working directory: '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/empty'
* S: '/var/tmp/portage/sys-kernel/gentoo-kernel-6.12.28/work/linux-6.12'
I also reinstalled and regenerated the configuration of my GRUB but GRUB is still not showing me any entries (probably normal since there is an issue I don't really understand with the kernel)...
My /boot looks like this (some of the files were manually copied from an old mountpoint so I don't know if I can clean some of the files there):
Code:
/boot/
├── efi
│ ├── EFI
│ │ ├── Gentoo
│ │ │ ├── System.map-6.12.28-gentoo-dist
│ │ │ ├── config-6.12.28-gentoo-dist
│ │ │ ├── grubx64.efi
│ │ │ ├── initramfs-6.12.28-gentoo-dist.img
│ │ │ ├── layouts
│ │ │ │ └── fr.gkb
│ │ │ └── vmlinuz-6.12.28-gentoo-dist.efi
│ │ ├── System.map-6.12.28-gentoo-dist
│ │ ├── System.map-6.12.28-gentoo-dist.old
│ │ ├── amd-uc.img
│ │ ├── config-6.12.28-gentoo-dist
│ │ ├── config-6.12.28-gentoo-dist.old
│ │ ├── initramfs-6.12.28-gentoo-dist.img
│ │ ├── initramfs-6.12.28-gentoo-dist.img.old
│ │ ├── vmlinuz-6.12.28-gentoo-dist-old.efi
│ │ └── vmlinuz-6.12.28-gentoo-dist.efi
│ ├── amd-uc.img
│ └── grub
│ └── grub.cfg
├── grub
│ ├── fonts
│ │ └── unicode.pf2
│ ├── grub.cfg
│ ├── grubenv
│ ├── locale
│ │ ├── ast.mo
│ │ ├── ca.mo
│ │ ├── da.mo
Quote:
Back on topic, I wonder if this is an issue with an encrypted boot being used, accidentally or on purpose (failure to mount /boot so it's written to the rootfs). I'm also not sure what chained deciphering means.
Yes, the issue with /boot should be solved as I chose to create a new partition.
By "chained deciphering" I wanted to express the fact that I have 2 separate LUKS containers on two drives and I wanted my initramfs to decrypt both at the same time. I chose the same password for both. But first I wanted my GRUB to work properly before trying to set this up.
When we succeed in doing the dist-kernel, I can retry to generate the GRUB config and if it fails provide you my /etc/default/grub...
Thanks a lot for your support, it's very precious to me. This build is a challenge for me!
zen_desu Apprentice

Joined: 25 Oct 2024 Posts: 285
Posted: Sun Jun 01, 2025 6:48 pm
That guide is rather outdated, I'd suggest following these for more up to date info:
https://wiki.gentoo.org/wiki/Rootfs_encryption
This one is similar but has more advanced info:
https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch
If you're concerned with the integrity of boot files, I would recommend using a UKI and signing it. That's a more hardened solution and is generally less trouble to set up.
If you have an encrypted boot, you'll have to enter keys twice unless the keys are included in plaintext somewhere (not advised).
Enabling UKI support should be as simple as adding the uki and/or ukify USE flags to installkernel.
Can you use wgetpaste to share the build log for gentoo-kernel? That should help figure out why it failed to install.
I would make a backup of your /boot and start fresh. At best, old clutter will be confusing/noise when trying to figure stuff out. You should more or less be able to clear it, run grub-install again, and then install the kernel package using portage.
Are the 2 LUKS containers for something like software RAID? If you want to keep things simple, I'd let the initramfs solely handle the rootfs, and then use keyfiles for the second volume on the rootfs. At the very least, it's not a great idea to use the same password on multiple volumes. It's a good thing LUKS2 lets you add/remove keys easily.
_________________
µgRD dev
Wiki writer
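The "keyfile for the second volume on the rootfs" approach suggested above, worked through for this thread's layout (OpenRC, luks_crypt_hdd on /dev/sdb1 holding the vghdd volumes) as an added example that is not from the thread or the wiki. Assumptions: the OpenRC dmcrypt service from sys-fs/cryptsetup reads /etc/conf.d/dmcrypt and runs before lvm activates vghdd; the UUID is a placeholder; `enroll_keyfile` is the only step that touches a real device and is not run by the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Gives the HDD container its own random
# keyfile kept on the already-unlocked encrypted root, so the initramfs only
# has to unlock the SSD and the two containers no longer share a passphrase.
# Placeholders: the UUID and /dev/sdb1 stand in for the real device.

KEY_BYTES=4096

# Create a keyfile of KEY_BYTES random bytes readable only by root (mode 0600).
# Because it lives under / (itself inside luks_crypt_ssd), the key is encrypted
# at rest; the 0600 mode keeps unprivileged users on the running system out.
# Returns non-zero if the file does not end up exactly KEY_BYTES long.
make_keyfile() {
    path=$1
    ( umask 077 && dd if=/dev/urandom of="$path" bs="$KEY_BYTES" count=1 2>/dev/null )
    chmod 0600 "$path"
    [ "$(wc -c < "$path" | tr -d ' ')" -eq "$KEY_BYTES" ]
}

# Print the /etc/conf.d/dmcrypt stanza that opens TARGET from SOURCE with KEYFILE
# at boot. Assumed to match the format documented in that file (target=, source=, key=).
dmcrypt_stanza() {
    target=$1; source_spec=$2; keyfile=$3
    printf "target=%s\nsource='%s'\nkey='%s'\n" "$target" "$source_spec" "$keyfile"
}

# Enroll the keyfile as an additional keyslot on DEVICE (prompts for an existing
# passphrase), then prove it unlocks without mapping anything. Needs root and the
# real device, so the demo below does not call it. Once it works, the shared
# passphrase can be dropped from this container with `cryptsetup luksRemoveKey`.
enroll_keyfile() {
    device=$1; keyfile=$2
    cryptsetup luksAddKey "$device" "$keyfile" &&
        cryptsetup open --test-passphrase --key-file "$keyfile" "$device"
}

# Demo: build a throwaway keyfile in a temp dir and print the stanza that would
# go into /etc/conf.d/dmcrypt (with /etc/keys/hdd.key as the final key path).
demo() {
    dir=$(mktemp -d)
    make_keyfile "$dir/hdd.key" || return 1
    dmcrypt_stanza luks_crypt_hdd 'UUID=PLACEHOLDER-HDD-UUID' /etc/keys/hdd.key
    rm -rf "$dir"
}
demo
```

With the stanza in place, `rc-update add dmcrypt boot` lets the service open the container before lvm and the fstab mounts of /var, /tmp and /home run.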
terramotu n00b

Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Sun Jun 01, 2025 7:45 pm
Yes, the guide I showed is severely outdated, even when I first took a look at it 2 years ago, but man, it's legendary, the guide was just a pleasure to read!
Yes, I read those guides rapidly and they are also great. Gentoo just has the best wiki!
I made a lot of cleaning in my /boot but if you confirm that I can more or less wipe everything and I'll just have to reconfigure/reinstall the dist-kernel and then GRUB, then I'll do it.
By the way, here are my logs (didn't know wgetpaste, it's a formidable tool):
https://0x0.st/8YmU.txt
zen_desu Apprentice
Joined: 25 Oct 2024 Posts: 285
Posted: Sun Jun 01, 2025 8:04 pm Post subject:
terramotu wrote: | Yes, the guide I showed is severely outdated, even when I first took a look at it 2 years ago, but man, it's legendary; the guide was just a pleasure to read!
Yes, I rapidly read those guides and they are also great. Gentoo just has the best wiki!
I did a lot of cleaning in my /boot, but if you confirm that I can more or less wipe everything and I'll just have to reconfigure/reinstall the dist-kernel and then grub, then I'll do it.
By the way, here are my logs (I didn't know wgetpaste; it's a formidable tool):
https://0x0.st/8YmU.txt |
_generally_ /boot is not the place to store things you only have one copy of, or which cannot be replaced.
If you are going to empty it, I'd confirm nothing "special" is in there. If you put your LUKS keys in there (generally not the best idea), you should back them up (they should already be backed up, or you should have backup keyslots).
If in doubt, you can archive your current /boot dir/partition.
Once it's clean, you should mostly need to install the bootloader again, then reinstall the kernel/initramfs.
At a glance, that looks fine. The main thing I'd consider if using dracut is that the cmdline args are set properly, and in the right place. Sometimes it's better to configure options on the bootloader level, if things aren't working.
_________________
µgRD dev
Wiki writer
terramotu n00b
Joined: 26 May 2025 Posts: 10 Location: Monaco
Posted: Sun Jun 01, 2025 9:08 pm Post subject:
Okay, so I cleaned up everything in my /boot and /boot/efi, my two mountpoints, and then reinstalled grub and reconfigured the kernel...
Unfortunately I still have the same issue, maybe I'm doing something wrong...
I'll just paste the commands I run:
Code: |
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=gentoo
grub-mkconfig -o /boot/grub/grub.cfg
emerge --ask --config sys-kernel/gentoo-kernel
|
I'm now clueless about why this isn't working.
Does anyone have something? Should I start thinking about workarounds?
Thanks for your help!
zen_desu Apprentice
Joined: 25 Oct 2024 Posts: 285
Posted: Sun Jun 01, 2025 9:18 pm Post subject:
terramotu wrote: | Okay, so I cleaned up everything in my /boot and /boot/efi, my two mountpoints, and then reinstalled grub and reconfigured the kernel...
Unfortunately I still have the same issue, maybe I'm doing something wrong...
I'll just paste the commands I run:
Code: |
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=gentoo
grub-mkconfig -o /boot/grub/grub.cfg
emerge --ask --config sys-kernel/gentoo-kernel
|
I'm now clueless about why this isn't working.
Does anyone have something? Should I start thinking about workarounds?
Thanks for your help! |
Can you try to simplify things and simply use one /boot partition, something like a 256MB+ FAT32 partition? You can grub-install there, and kernel/initramfs/etc. files will be installed there.
If you have the grub USE flag on installkernel, it'll run grub-mkconfig for you.
This is the easy way: https://wiki.gentoo.org/wiki/Rootfs_encryption#Simple_EFI_System_Partition_Layout (be sure to check the "important" note)
This is the harder way: https://wiki.gentoo.org/wiki/Rootfs_encryption#Split_EFI.2FBOOTx_Grub_layout
_________________
µgRD dev
Wiki writer
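Two things from the replies above put together as an added example, not code from the thread: the earlier advice to archive the current /boot before clearing it, and the single FAT32 /boot layout suggested here, where grub-install and the dist-kernel both write into the same directory. The checks assume the layout the post describes (bootloader id "gentoo", x86_64-efi target, installkernel naming the kernel vmlinuz-*, or a UKI under EFI/Linux when the uki USE flag is set); the directory argument lets them run against any path.

```shell
#!/bin/sh
# Added example, not from the thread: back up /boot, then after grub-install
# and `emerge --config sys-kernel/gentoo-kernel` check that the single ESP
# holds what the firmware and GRUB will look for. Assumed: bootloader id
# "gentoo", x86_64-efi, /boot mounted as vfat.
set -eu

# Tarball of a boot directory, timestamped, written outside that directory.
# Prints the archive path. -C keeps paths relative so it restores anywhere.
backup_boot() {
    bootdir=$1 dest=$2
    mkdir -p "$dest"
    out="$dest/boot-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$bootdir" .
    printf '%s\n' "$out"
}

# The kernel copy silently lands on the rootfs if /boot is not mounted
# (one reason a build can "work" while nothing shows up on the ESP).
boot_mounted_as_vfat() {
    fstype=$(findmnt -n -o FSTYPE "$1" 2>/dev/null) || return 1
    [ "$fstype" = "vfat" ]
}

# Check a boot directory for what GRUB + the dist-kernel leave behind.
# Prints each missing item; returns 1 if anything is absent, 0 if complete.
check_boot_layout() {
    bootdir=$1 id=${2:-gentoo}
    missing=0
    for f in "EFI/$id/grubx64.efi" "grub/grub.cfg"; do
        if [ ! -f "$bootdir/$f" ]; then
            printf 'missing: %s\n' "$f"
            missing=1
        fi
    done
    # installkernel writes vmlinuz-<ver>-gentoo-dist plus initramfs, or a
    # single UKI under EFI/Linux with the uki USE flag
    if ! ls "$bootdir"/vmlinuz-* >/dev/null 2>&1 && \
       ! ls "$bootdir"/EFI/Linux/*.efi >/dev/null 2>&1; then
        printf 'missing: kernel image (vmlinuz-* or EFI/Linux/*.efi)\n'
        missing=1
    fi
    # a grub.cfg that names no kernel means grub-mkconfig ran before the
    # kernel was installed; rerun it (or let the grub USE flag do so)
    if [ -f "$bootdir/grub/grub.cfg" ] && \
       ! grep -qE 'vmlinuz|\.efi' "$bootdir/grub/grub.cfg"; then
        printf 'stale: grub/grub.cfg references no kernel\n'
        missing=1
    fi
    return $missing
}

# Typical use (as root), before and after the reinstall:
#   backup_boot /boot /root/boot-backups
#   boot_mounted_as_vfat /boot || echo "/boot is not mounted"
#   grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=gentoo
#   emerge --config sys-kernel/gentoo-kernel
#   check_boot_layout /boot gentoo
```

Run the layout check after `emerge --config`; with the grub USE flag on installkernel the grub.cfg should already reference the new kernel, and a "stale" line means the config step ran before the kernel copy.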
pingtoo Veteran
Joined: 10 Sep 2021 Posts: 1681 Location: Richmond Hill, Canada
Posted: Sun Jun 01, 2025 9:55 pm Post subject:
|
terramotu wrote: | Okay so I cleaned up everything in my /boot and /boot/efi, my two mountpoints and then reinstalled grub and reconfig the kernel...
Unfortunatly I still have the same issue, maybe I'm doing something wrong...
I'll just paste the command I do:
Code: |
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=gentoo
grub-mkconfig -o /boot/grub/grub.cfg
emerge --ask --config sys-kernel/gentoo-kernel
|
I'm now clueless about why this isn't working.
Does anyone has something. Should I start thinking about workarouds ?
Thanks for your help ! | Can you define what is "same issue"? In another words, What is not working?
Also, I notice you have /dev/sda2 as /boot and /dev/sda1 as /boot/efi. Which mean (for the time of installation kernel/grub) /dev/sda2 must be mounted first, then mount /dev/sda1. Is this the case? A simple command sequence to illustrate what I mean Code: | # step 1
mount /dev/sda2 /boot
# step 2
mount /dev/sda1 /boot/efi |
sMueggli Guru
Joined: 03 Sep 2022 Posts: 597
Posted: Mon Jun 02, 2025 3:08 pm Post subject:
terramotu wrote: | Okay, so I cleaned up everything in my /boot and /boot/efi, my two mountpoints, and then reinstalled grub and reconfigured the kernel...
Unfortunately I still have the same issue, maybe I'm doing something wrong...
I'll just paste the commands I run:
Code: |
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=gentoo
grub-mkconfig -o /boot/grub/grub.cfg
emerge --ask --config sys-kernel/gentoo-kernel
|
|
If you delete everything in /boot you probably need to re-emerge GRUB.
zen_desu Apprentice
Joined: 25 Oct 2024 Posts: 285
Posted: Mon Jun 02, 2025 4:59 pm Post subject:
sMueggli wrote: | terramotu wrote: | Okay, so I cleaned up everything in my /boot and /boot/efi, my two mountpoints, and then reinstalled grub and reconfigured the kernel...
Unfortunately I still have the same issue, maybe I'm doing something wrong...
I'll just paste the commands I run:
Code: |
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=gentoo
grub-mkconfig -o /boot/grub/grub.cfg
emerge --ask --config sys-kernel/gentoo-kernel
|
|
If you delete everything in /boot you probably need to re-emerge GRUB. |
I don't think you'll need to re-emerge, just run grub-install again.
_________________
µgRD dev
Wiki writer