Error creating Encrypted SSD / Migrating

Whoops, then you found a bug, sorry!

I’ll try to reproduce it. Is anybody else able to confirm this?

Here’s the full output of the full script from the start of reform-setup-encrypted-nvme:

root@io:~# reform-setup-encrypted-nvme 
This will ERASE ALL DATA from your NVMe SSD.

Are you sure you want to proceed? [y/N] y
WARNING: Device /dev/nvme0n1 already contains a 'crypto_LUKS' superblock signature.

WARNING!
========
This will overwrite data on /dev/nvme0n1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1: 
Verify passphrase: 
Enter passphrase for /dev/nvme0n1: 
  Physical volume "/dev/mapper/reform_crypt" successfully created.
  Volume group "reformvg" successfully created
  Logical volume "swap" created.
Setting up swapspace version 1, size = 8 GiB (8589930496 bytes)
no label, UUID=26d83868-8d83-46df-8f47-49d205f9d508
  Logical volume "root" created.
mke2fs 1.47.1 (20-May-2024)
Creating filesystem with 242088960 4k blocks and 60522496 inodes
Filesystem UUID: a8068977-2526-4c18-9a45-b4eeda318790
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
	102400000, 214990848

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done     


The encrypted NVMe is now set up. Do you want me to run reform-migrate now as well? [y/N] y
 12,006,040,764  87%   36.33MB/s    0:05:15 (xfr#331928, to-chk=0/431223)    
Your /boot partition will be on eMMC by default. Do you want it on the SD-Card instead? [y/N] N
This script selects your preferred boot medium. It writes your choice to the file /etc/fstab

/dev/mmcblk2p1 is still mounted somewhere, which means that it is
probably used by the currently running system and that replacing
its contents might make the currently running system unbootable.
Should this script run 'umount /dev/mmcblk2p1' for you? [y/N] y
I: Unmounting /dev/mmcblk2p1...
I: Unmounting /dev/mmcblk2p1 successful.
It seems that the current /boot partition is only booting a rescue
system on SD-Card.

Do you want to unmount it? [y/N] y
umount: /dev/mmcblk2p1: not mounted.
cleaning up /dev/reformvg/root
cleaning up /tmp/reform-boot-config.1UfOOo7TaD
reform-boot-config FAILED to run
reform-boot-config failed. To re-run it manually, perform the following steps:
    $ cryptsetup luksOpen "/dev/nvme0n1" reform_crypt
    $ vgchange -ay reformvg
    $ reform-boot-config --emmc /dev/reformvg/root >&2
    $ vgchange -an reformvg
    $ cryptsetup luksClose reform_crypt
  0 logical volume(s) in volume group "reformvg" now active
/usr/sbin/reform-setup-encrypted-nvme FAILED to run

I think I know what’s happening here: https://source.mnt.re/reform/reform-tools/-/blob/main/sbin/reform-boot-config?ref_type=heads#L203-232

if ! maybe_umount "/dev/$BOOTPART"; then
	echo "Please unmount before running this script" >&2
	exit 1
fi

leads to the prompt

/dev/mmcblk2p1 is still mounted somewhere, which means that it is probably used by the currently running system and that replacing its contents might make the currently running system unbootable. Should this script run 'umount /dev/mmcblk2p1' for you? [y/N]

which I answered with y. But then this happens after successful unmounting:

echo "It seems that the current /boot partition is only booting a rescue" >&2
echo "system on SD-Card.">&2
echo "" >&2
printf "Do you want to unmount it? [y/N] "

Which gives me false information (I do not have any SD card in my device) so it seems like something is wrong that needs to be corrected by unmounting whatever this supposed “SD card” is, but that fails because that /boot partition was already unmounted in the previous step.

So, I think if I answer N to the prompt about the SD card, it should work. But that sequence of interactions is very misleading for me as a user who doesn’t know all the intricacies of how the partitions are handled.

1 Like

Ok, I tried with choosing N at the “SD card” prompt and the script did finish that time, but after rebooting nothing has changed. The device still boots from eMMC and doesn’t mount the SSD at all.

Yeah I’m having the same issues.

I think the issue is the nvme portion, reform-boot-config --emmc nvme. I was playing around trying to move / to the nvme partition and managed to unset both /boot and / from the emmc. Booting just led to initramfs.

I made an SD card and set it up, then performed reform-boot-config --emmc emmc, and that got my emmc back to working. So I went back to booting off the SD card and tried reform-boot-config --emmc nvme. This completed but must not have been happy, because I ended up back at initramfs.

Anyway I’m able to boot from emmc and it’s bedtime, maybe I’ll figure something out tomorrow.

But that is not what reform-setup-encrypted-nvme executes. If you run reform-setup-encrypted-nvme --emmc nvme then that will be implicitly treated as reform-setup-encrypted-nvme --emmc /dev/nvme0n1p1 which is the first partition on your nvme. But that is incorrect when you set up an encrypted nvme (there are no partitions on nvme but instead LVM inside LUKS). So what reform-setup-encrypted-nvme instead calls is:

reform-boot-config --emmc /dev/reformvg/root

I had already tried reform-boot-config --emmc /dev/reformvg/root and it always failed. Finally I actually used my eyes, and the message basically said luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx not in /etc/crypttab.

I manually edited /etc/crypttab based off how it’s laid out on my big reform: reform_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx none luks,discard. Then I rebooted and ran reform-boot-config --emmc /dev/reformvg/root, which failed again but didn’t give a reason why this time. I ran it again and it completed normally. Now I’m booting from the encrypted nvme drive and /etc/fstab matches its layout on my big reform.

1 Like
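
One way to check for the missing crypttab entry described in the post above before rebooting, as an added example that is not part of the thread or of reform-tools. The function names and sample UUIDs are made up here; the mapping name reform_crypt and the device /dev/nvme0n1 are taken from the output earlier in the thread.

```sh
#!/bin/sh
# Added example: confirm /etc/crypttab references a LUKS container by UUID.

# crypttab_name_for_uuid UUID [CRYPTTAB]
# Prints the mapping name whose source device is UUID; returns 1 if no entry.
crypttab_name_for_uuid() {
    [ -n "$1" ] || return 2
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tab=${2:-/etc/crypttab}
    [ -r "$tab" ] || return 2
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            src = tolower($2)                   # field 2 is the source device
            gsub(/"/, "", src)
            sub(/^uuid=/, "", src)              # UUID=<uuid> form
            sub(/^\/dev\/disk\/by-uuid\//, "", src)
            if (src == want) { print $1; found = 1; exit }
        }
        END { exit !found }
    ' "$tab"
}

# check_crypttab UUID EXPECTED_NAME [CRYPTTAB]
# Returns 0 only when UUID is listed under EXPECTED_NAME; explains why otherwise.
check_crypttab() {
    uuid=$1 expect=$2 file=${3:-/etc/crypttab}
    if name=$(crypttab_name_for_uuid "$uuid" "$file"); then
        [ "$name" = "$expect" ] && return 0
        echo "UUID $uuid is mapped as '$name', expected '$expect'" >&2
        return 1
    fi
    echo "no entry for UUID $uuid in $file; expected a line like:" >&2
    # The entry quoted in the thread also sets "discard", which passes TRIM
    # through dm-crypt and so reveals which blocks are unused.
    echo "$expect UUID=$uuid none luks" >&2
    return 1
}

# Constructed sample file; the UUIDs are made up for this example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name>      <source device>                            <key file>  <options>
reform_crypt  UUID=0f3c1a2b-1111-2222-3333-444455556666  none        luks,discard
EOF
check_crypttab 0F3C1A2B-1111-2222-3333-444455556666 reform_crypt "$sample" && echo "entry present"
check_crypttab aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee reform_crypt "$sample" || echo "entry missing"
rm -f "$sample"
# On the real system: check_crypttab "$(cryptsetup luksUUID /dev/nvme0n1)" reform_crypt
```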

The issue you see here was introduced in this commit: sbin/reform-boot-config: allow interactive umount (46c5b1a9) · Commits · Reform / MNT Reform Tools · GitLab and should be fixed by this commit: Draft: reform-tools 1.46 (!75) · Merge requests · Reform / MNT Reform Tools · GitLab

1 Like

Do you have an error message?

Is there a way to see the logs on the emmc now that I am booting from the NVME? I can mount the EMMC and see reformemmcroot/var/log/journal but I’m not sure how to point journalctl there instead of local disk.

reform-tools 1.46 should be in the repos in about an hour and should fix this issue

4 Likes