# [FDE] how to fix encrypted boot double password prompt

## geek_str1k3

So what I am trying to do is to create a secured Gentoo Linux setup, but this must be a bit similar with other Linux distros.

The problem that I'm facing is closing the Evil Maid attack vector, in which a malicious bootloader or Linux kernel/initramfs gets replaced.

So far I've found 2 solutions: 

1) not to use any bootloader except the UEFI firmware to load a signed kernel with Secure Boot; my UEFI doesn't support passing arguments ("grub kernel parameters"), so I would need to include the initramfs and kernel parameters in the kernel, and updating the kernel also becomes so painful

2) boot with signed GRUB (Secure Boot again), encrypt my /boot partition and enable GRUB's LVM and LUKS support in the config file; I managed to successfully set up my system with OpenRC

!!! but when GRUB loads the kernel it does not pass the unencrypted storage to the kernel, so it asks for the password one more time; that's what I am trying to fix

and to fix that I need to include the encryption key in my initramfs, which I know is possible with such tools as dracut or genkernel-next, but it's unknown to me how I can configure those tools to do that

please let me know if there are other ways to close that attack vector or if there is a solution to the double password prompt

----------

## Kimitsune

Okay, so if I understand correctly you want the in-memory kernel to be able to unlock your encrypted partition. Here is how I did it: (a long time ago, so I don't know if genkernel natively supports this or not now)

- I made a folder holding the files I want to add to the genkernel initramfs: /usr/local/src/initramfs/fs_content_overlay
- This folder contains a LUKS keyfile and a custom linuxrc shell script (sh)
- There are two ways:
  * you can copy the default genkernel linuxrc and modify it to make it use the bundled keyfile.
  * you write your own custom linuxrc

I did the latter.

The linuxrc is the script run by the kernel from the initramfs right after it has finished booting (or more accurately, with genkernel, it runs the init script, which is a symlink to linuxrc).

I intended to write a detailed post on the forum as a HOWTO guide, but because I'm lazy I have not even started it yet.

Here is an example linuxrc:

(Because I KNOW someone is going to ask me to do it, I put a license explicitly, but I'm not even sure if I can, because I think some parts come from the wiki)

```
#!/bin/busybox sh

#Copyright (C) 2018  Kimitsune

#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.

#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.

#You should have received a copy of the GNU General Public License
#along with this program. If not, see <http://www.gnu.org/licenses/>.

# Drop to an interactive busybox shell so the boot can be debugged by hand.
rescue_shell() {
   echo "Something went wrong.  Here is a shell. Fix it."
   echo "$@" >&2
   /bin/busybox --install -s
   exec /bin/sh
}

# linuxrc only makes sense as PID 1; anything else means it was started by mistake.
if [ "$$" != '1' ]
then
   echo '/linuxrc has to be run as the init process as the one'
   echo 'with a PID of 1. Try adding init="/linuxrc" to the'
   echo 'kernel command line or running "exec /linuxrc".'
   rescue_shell "Not PID 1: Investigate."
fi

# Pseudo-filesystems needed by cryptsetup, e2fsck and mount
# (the kernel must be built with devtmpfs support).
mount -t devtmpfs none /dev
mount -t proc none /proc
mount -t sysfs none /sys

# Prevent superfluous printks from being printed to the console
echo 1 > /proc/sys/kernel/printk

# Set up symlinks
/bin/busybox --install -s || rescue_shell "Busybox failed"

# Parse the kernel command line for the few options this script honours.
mntopts="rw"
for x in $(cat /proc/cmdline); do
   case $x in
   ro)
      mntopts="ro"
      ;;
   rw)
      mntopts="rw"
      ;;
   skipfsck|fsck=n)
      skipfsck=y
      ;;
   shell=y|dropshell|shell)
      rescue_shell "Dropping to shell according to kernel command line"
      ;;
   esac
done

mkdir -p /mnt/root || rescue_shell "Cannot mkdir /mnt/root"

# Unlock the LUKS container with the keyfile bundled in the initramfs
# (a file placed in the overlay directory ends up at / inside the initramfs).
cryptsetup luksOpen /dev/XXXXX XXXXX --key-file /XXXXXX || rescue_shell "Unable to mount LUKS container with keyfile"

#YOU CAN PUT LVM SCAN STUFF HERE IF NEEDED

#support resume from disk
#EDIT HERE TOO, put your swap device
# Extract the "major:minor" pair of the swap device from the ls -l output.
# ("local" is only valid inside a function, so a plain assignment is used here.)
device=$(ls -lL "/dev/XXXXX" | sed 's/\  */ /g' | cut -d \  -f 5-6 | sed 's/,\ */:/')
echo "${device}" > /sys/power/resume
sleep 2

#If you want swap mounted before full userspace is ready, uncomment this line
#swapon /dev/XXXX || rescue_shell "Unable to mount swap"

if [ -z "${skipfsck+x}" ]; then #checking if skipfsck is unset
    echo "Checking filesystem"
    #EDIT HERE
    e2fsck -pv -C0 /dev/XXXXX || (echo "fsck failed on root." ; sleep 5)
else
    echo "Skipping filesystem checking according to command line"
fi

#EDIT THIS TOO
mount -o "${mntopts}" /dev/XXXXX  /mnt/root || rescue_shell "Unable to mount root"

echo "Moving special system mounts before entering switch_root"
mount --move /proc /mnt/root/proc || rescue_shell "Unable to move mounts"
mount --move /sys /mnt/root/sys || rescue_shell "Unable to move mounts"
mount --move /dev /mnt/root/dev || rescue_shell "Unable to move mounts"

exec switch_root /mnt/root /sbin/init

# Only reached if switch_root itself could not be executed.
echo "A fatal error has occured since /sbin/init did not"
echo "boot correctly. Trying to open a shell..."
exec /bin/bash
exec /bin/sh
exec /bin/ash
exec /bin/dash
exec sh
```

Read the script VERY carefully and edit the device names each time with your own.

It requires the kernel to be compiled with the devtmpfs option.

- Then to build the initramfs you use:

```
genkernel --initramfs-overlay=/usr/local/src/initramfs/fs_content_overlay/ --linuxrc=/usr/local/src/initramfs/fs_content_overlay/linuxrc --luks --busybox --e2fsprogs initramfs
```

(If you need more options feel free to add them; in my case btrfs and luks)

And voila. It works well for me.

----------
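As an added example that is not part of either post above: the keyfile Kimitsune bundles with `--initramfs-overlay` is only as secret as the file it is built from and the image it ends up in, so it is worth checking both before and after the genkernel step. The POSIX sh helpers below are my own, not code from the thread or from genkernel; the overlay path follows Kimitsune's layout and the keyfile name `rootkey` is an assumption. `stat -c` is assumed to be GNU coreutils or busybox stat.

```shell
#!/bin/sh
# Added example (not from the thread): create a root-only keyfile and audit
# the genkernel overlay directory and the built initramfs image.
# Assumptions: overlay at /usr/local/src/initramfs/fs_content_overlay,
# keyfile named "rootkey" inside it, GNU/busybox "stat -c" available.

# Create a fresh 64-byte random keyfile readable by root only.
# $1 = destination path (any existing file is replaced)
make_keyfile() {
    rm -f "$1"
    # umask 077 means the file is created 0600 before a single byte is written
    ( umask 077 && head -c 64 /dev/urandom > "$1" ) || return 1
    chmod 0400 "$1"
}

# Return 0 if the overlay is safe to bundle, 1 otherwise; reasons go to stderr.
# $1 = overlay directory, $2 = keyfile name inside it (default: rootkey)
audit_overlay() {
    overlay="$1"
    keyfile="${overlay}/${2:-rootkey}"
    rc=0

    # The keyfile must exist and must not be readable by anyone but root.
    if [ ! -f "$keyfile" ]; then
        echo "missing keyfile: $keyfile" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$keyfile")
    case "$mode" in
        400|600) ;;
        *) echo "keyfile mode is $mode, expected 400 or 600" >&2; rc=1 ;;
    esac

    # A keyfile shorter than 32 bytes defeats the point of using one.
    size=$(stat -c '%s' "$keyfile")
    if [ "$size" -lt 32 ]; then
        echo "keyfile is only $size bytes" >&2
        rc=1
    fi

    # An unedited linuxrc still carries the XXXXX placeholders from the
    # post and would fail at luksOpen on every boot.
    if [ -f "${overlay}/linuxrc" ] && grep -q 'XXXX' "${overlay}/linuxrc"; then
        echo "linuxrc still contains XXXX placeholders" >&2
        rc=1
    fi
    return $rc
}

# After genkernel has run the image contains the key in the clear, so it
# must not be world-readable once /boot is mounted on the running system.
# $1 = path to the built initramfs image
audit_image() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode; chmod 0600 it" >&2; return 1 ;;
    esac
}
```

Typical use is `make_keyfile /usr/local/src/initramfs/fs_content_overlay/rootkey`, register that file as its own key slot with `cryptsetup luksAddKey /dev/XXXXX <keyfile>` (so it can later be revoked with `luksRemoveKey` without touching the passphrase slot), run `audit_overlay` on the directory, then the genkernel command from the post, and finally `audit_image` on the image genkernel wrote to /boot. Keeping the image on the LUKS-encrypted /boot that GRUB unlocks is what makes the bundled key acceptable at all; on an unencrypted /boot the key would be readable by anyone with the disk.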

