Add LUKS2 support to GRUB bootloader UEFI image

Add LUKS2 support to GRUB bootloader UEFI image.md

Add LUKS2 support to GRUB bootloader UEFI image

• Assuming a Linux live or rescue system is booted and the new soon-to-be root encrypted partition is accessible on an NVMe drive, 2nd partiton (/dev/nvme0n1p2).
• The EFI partition is the first on the device (/dev/nvme0n1p1).
• There is no extra /boot partition since it should be encrypted as well and is included in the partition mounted as root / later.
• The following requires root privileges, a preceeding sudo -i is assumed.

Inspired by: https://askubuntu.com/questions/1397826/default-embedded-modules-in-bootx64-efi-grubx64-efi-and-mmx64-efi/1466507#1466507

1. Get chroot

mkdir -p /target
cryptsetup luksOpen /dev/nvme0n1p2 cryptdata
mount /dev/mapper/cryptdata /target/ -osubvol=@,ssd,noatime,commit=120,compress=zstd
mount /dev/mapper/cryptdata /target/home/ -osubvol=@home,ssd,noatime,commit=120,compress=zstd
mount /dev/nvme0n1p1 /target/boot/efi
for i in /dev /proc /dev/pts /sys /run /sys/firmware/efi/efivars; do
  mount --bind $i /target/$i;
done
chroot /target

2. Get list of included modules:

strings /boot/efi/EFI/ubuntu/grubx64.efi | grep -A10 --no-group-separator LICENSE= | grep -v LICENSE= | egrep -v '^grub_|^_|^\.|[A-Z]|\b\s\b' | sort -u > ~/grub-mods

3. Check if modules exist and create a list:

for mod in $(cat ~/grub-mods); do
  if [ -f "/usr/lib/grub/x86_64-efi/$mod.mod" ]; then
    echo $mod;
  fi;
done > ~/grub-mods.verified
# append the luks2 module to the list
echo luks2 >> ~/grub-mods.verified

4. Move the old grubx64.efi aside:

cd /boot/efi/EFI/ubuntu/ && mv -i grubx64.efi grubx64.efi.old

5. Build a new grubx64.efi including the luks2 module

grub-mkimage -o /boot/efi/EFI/ubuntu/grubx64.efi -O x86_64-efi -p grub/ $(cat ~/grub-mods.verified) luks2

Or just include all modules:

grub-mkimage -o /boot/efi/EFI/ubuntu/grubx64.efi -O x86_64-efi -p grub/ $(cd /usr/lib/grub/x86_64-efi && ls *.mod)