@huksley
Created September 23, 2019 15:59
Custom EFI entry to properly load encrypted partition
#!/bin/bash
BOOT=$HOSTNAME
DEVICE=/dev/nvme0n1
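# Encrypted partition, in GRUB device notation. Quoted so bash does not
# parse the parentheses as an array assignment and drop them.
GRUBROOT="(hd0,gpt4)"
if [ "$BOOT" == "ubuntu" ]; then
  # Don't call it ubuntu, as that entry already exists
  BOOT=ubuntu2
fi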
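# Delete old entry. Match on the entry label only, so that a hostname which
# happens to appear elsewhere in the efibootmgr output cannot delete other entries.
for N in $(efibootmgr | grep -E "^Boot[0-9A-Fa-f]{4}[* ] $BOOT([[:space:]]|\$)" | cut -c5-8); do
  echo "Deleting EFI boot $N" >&2
  efibootmgr -B -b "$N" >&2
done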
# Add new entry (the ESP is partition 1 of $DEVICE)
efibootmgr -c -L "$BOOT" -d "$DEVICE" -p 1 -l "/EFI/$BOOT/shimx64.efi" >&2
BOOTOUR=""
# Make it first on next boot
for N in $(efibootmgr | grep -E "^Boot[0-9A-Fa-f]{4}[* ] $BOOT([[:space:]]|\$)" | cut -c5-8); do
  BOOTOUR="$N"
done
BOOTALL="$BOOTOUR"
# Append every other existing entry after ours
for N in $(efibootmgr | grep -E '^Boot[0-9A-Fa-f]{4}[* ] ' | cut -c5-8); do
  if [ "$N" != "$BOOTOUR" ]; then
    BOOTALL="$BOOTALL,$N"
  fi
done
echo "Setting boot order $BOOTALL" >&2
efibootmgr --bootorder "$BOOTALL" >&2
# Copy original files
mkdir -p "/boot/efi/EFI/$BOOT"
cp -ar /boot/efi/EFI/ubuntu/. "/boot/efi/EFI/$BOOT"
# Decrypt: unlock the encrypted partition, then hand over to the
# real grub.cfg stored inside it
cat <<EOF >"/boot/efi/EFI/$BOOT/grub.cfg"
pager=1
default=0
timeout=5
menuentry "Linux" {
  cryptomount ${GRUBROOT}
  prefix=(crypto0)/boot/grub
  configfile (crypto0)/boot/grub/grub.cfg
}
EOF
# Write image with required modules.
# The luks module reads LUKS1 headers; a LUKS2 volume needs GRUB's luks2 module.
# With Secure Boot enforced, shim only loads a grubx64.efi signed by a key it
# trusts; the image written here is unsigned.
grub-mkstandalone --modules="minicmd normal search search_fs_file search_fs_uuid search_label ext2 echo cat ls disk part_gpt part_msdos crypto gcry_rijndael gcry_sha256 pbkdf2 cryptodisk luks" \
  -o "/boot/efi/EFI/$BOOT/grubx64.efi" \
  -O x86_64-efi --compress=xz \
  "/boot/grub/grub.cfg=/boot/efi/EFI/$BOOT/grub.cfg" >&2