+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: Linux on Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=114)
+--- Thread: Install Void Linux with near-full-disk encryption (/showthread.php?tid=17046)
Install Void Linux with near-full-disk encryption - dumetrulo - 07-22-2022
EDIT: in /etc/default/extlinux.conf, changed CMDLINE to have quiet before loglevel
Hi folks! I managed to install Void Linux on my Pinebook Pro with working near-full-disk encryption. This means that everything is encrypted except /boot because extlinux doesn't know how to open a crypt volume to load the kernel from there.
It is possible to install GRUB, and have complete encryption of everything except the GRUB loader—I once had this setup with Manjaro—but I found it a bit flakey in that approximately one out of ten boots, it would not find the crypt volume, and I had to reboot. Also, decrypting the key takes GRUB about 4 minutes because the CPU frequency is set to minimum before boot. Therefore I chose to use an unencrypted /boot, and have the password prompted by the initramfs, which will open the crypt volume in reasonable time, and (so far) works every time.
I want to thank Rudis Muiznieks for figuring most of this out already; his guide can be found at https://rdsm.ca/3lwh2, and was my main source of inspiration.
Let's begin…
What do you need?
- A Pinebook Pro
- A free eMMC, SD card, or USB drive to perform the installation on
- A second SD card or USB drive with at least 4GB
- A second system (could be the same Pinebook Pro running another system, or a different PC/laptop) to prepare the second SD card
- An hour or so to follow this guide; further configuration will take more time
Prepare the Pinebook Pro
If you haven't installed it already, download and install Tow-Boot (https://github.com/Tow-Boot/Tow-Boot/releases) as it will make booting much easier (no more need to have U-Boot on every medium). You can do without but then you'll have to remember to flash U-Boot back to eMMC after deleting everything on it but before rebooting the first time. The steps are in the guide below, just in case.
Prepare the second SD card or USB drive
Download Cameron Nemo's unofficial Void Linux image (https://repo.nohom.org/void/images/void-pinebookpro-20220530.img.xz), and flash it to the SD card or USB drive. Assuming you are using an SD card, and download on the Pinebook Pro using a system that runs a Manjaro kernel, this can be done like this:
Code:
wget https://repo.nohom.org/void/images/void-pinebookpro-20220530.img.xz
blkdiscard -f /dev/mmcblk1
xzcat void-pinebookpro-20220530.img.xz|sudo dd of=/dev/mmcblk1 obs=4M status=progress;syncPlease double-check you have the correct device name; also, if you use a USB drive instead of an SD card, blkdiscard will probably not work; don't worry about it.
As the image comes tightly packed, you will have to extend the root partition, and its file system. To resize the partition, you have to delete and recreate it:
- Run sudo fdisk /dev/mmcblk1
- Press p and Enter to display the partitions; take note of the starting sector of partition 2, just in case
- Press d and Enter to delete partition 2
- Press n and three times Enter to create a new partition 2 which starts at the same sector as before, and uses the whole available space (please double-check the suggested values before pressing Enter; if it does not give you the same starting sector, enter it manually instead of just pressing Enter)
- Press n and Enter when fdisk asks whether to erase the file system signature
- Press p and Enter to display the partitions again; double-check that everything looks good
- Press w and Enter to write the partition table, and exit fdisk
Now the file system can be resized wth the following command:
Code:
sudo resize2fs /dev/mmcblk1p2Mount the file system, and copy the image onto it:
Code:
sudo mount -o rw,noatime /dev/mmcblk1p2 /mnt
sudo cp void-pinebookpro-20220530.img.xz /mnt/root
sudo umount /mntNow you are ready to boot from this SD card or USB drive.
Boot the Pinebook Pro from the just prepared SD card or USB drive
For the purpose of preparing ths guide, I used a small (8GB) SD card for this step, a USB card reader to plug it in for booting, and a bigger (64GB) SD card to install the final system on. If you are installing to eMMC, the steps will be the same but instead of performing them on /dev/mmcblk1 (the SD card in the PBP's internal reader), you wiill perform them on /dev/mmcblk2 (the PBP's eMMC). As always, please verify you are using the correct device name, and make sure you substitute as necessary in the below steps.
Boot from the newly prepared medium (in my case, from USB via a USB card reader), and log in as root with password voidlinux. If you have the ISO keyboard, and using a US layout by default bothers you, perform the following line of code, and reboot:
Code:
echo 'KEYMAP="uk"' >>/etc/rc.confSet up WiFi using the commands below, substituting YourSSID and YourPwd wth your WFi credentials:
Code:
cp -a /etc/wpa_supplicant/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
wpa-passphrase YourSSID YourPwd >>/etc/wpa_supplicant/wpa_supplicant-wlan0.conf
for i in dhcpcd wpa_supplicant;do ln -s /etc/sv/$i /var/service/;doneNow your WiFi should work (if not, double-check that you are using the correct credentials). Update xbps and install some necessary tools:
Code:
xbps-install -Syu xbps
xbps-install -y cryptsetup lvm2 nano xzPrepare your installation target, i.e. the eMMC or SD card
If your installation will be to the eMMC, use /dev/mmcblk2. In my case, I wll use an SD card, and therefore the steps wll use /dev/mmcblk1. Please adjust as necessary:
Code:
blkdscard -f /dev/mmcblk1
sfdisk /dev/mmcblk1 <<EOF
label: gpt
unit: sectors
first-lba: 64
7 : start= 64, size= 16320, type=8da63339-0007-60c0-c436-083ac8230908, name="mmc_idbloader", attrs="RequiredPartition"
8 : start= 16384, size= 8192, type=8da63339-0007-60c0-c436-083ac8230908, name="mmc_uboot", attrs="RequiredPartition"
9 : start= 24576, size= 8192, type=8da63339-0007-60c0-c436-083ac8230908, name="mmc_tfa", attrs="RequiredPartition"
1 : start= 32768, size= 753664, type=0fc63daf-8483-4772-8e79-3d69d8477de4, name="mmc_boot"
2 : start= 786432, size= 121348096, type=e6d6d379-f507-44c2-a23c-238f2a3df928, name="mmc_root"
EOFThe size of partition 2 is calculated to fit on the 64GB eMMC (it also fits on the SD card I was using). If your target medium has a different size, recalculate the size (I am using a number that divides by 8192 so that the end of the partition is on a 4MB boundary, but that's just me). Partitions 7, 8, and 9 are not strictly necessary but they provide some protection against accidentally deleting the boot loader.
Copy U-Boot from the boot medium to the target (please make sure you use the correct device names). This is not needed if you use Tow-Boot but absolutely don't forget this step if you are not using any U-Boot in SPI!
Code:
dd if=/dev/sda of=/dev/mmcblk1 bs=512 count=32704 skip=64 seek=64;syncCreate LUKS container, LVM partitions therein, and file systems as appropriate
Code:
dd if=/dev/random of=/dev/disk/by-partlabel/mmc_root bs=4M status=progress;sync
cryptsetup luksFormat -q --align-payload 8192 /dev/disk/by-partlabel/mmc_root
cryptsetup open /dev/disk/by-partlabel/mmc_root pbp0
pvcreate --dataalignment=4096k /dev/mapper/pbp0
vgcreate vgvoid /dev/mapper/pbp0
lvcreate -n swap -L 4G vgvoid
lvcreate -n root -l '100%FREE' vgvoid
mkswap -L void_swap /dev/vgvoid/swap
mkfs.btrfs -K -L void_root /dev/vgvoid/root
mkfs.ext4 -E stride=1024,stripe_width=1024 -L void_boot /dev/disk/by-partlabel/mmc_boot
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2 /dev/vgvoid/root /mnt
for i in '' .toplevel boot home opt snap tmp var var.tmp;do btrfs subv create /mnt/@$i;done
for i in .snapshots home opt tmp var;do mkdir /mnt/@/$i;done
mkdir /mnt/@var/tmp
chmod 1777 /mnt/@/tmp /mnt/@var/tmp /mnt/@tmp /mnt/@var.tmp
umount /mntMount the install target properly
Code:
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@ /dev/vgvoid/root /mnt
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=/ /dev/vgvoid/root /mnt/.toplevel
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@snap /dev/vgvoid/root /mnt/.snapshots
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@home /dev/vgvoid/root /mnt/home
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@opt /dev/vgvoid/root /mnt/opt
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@tmp /dev/vgvoid/root /mnt/tmp
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var /dev/vgvoid/root /mnt/var
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var.tmp /dev/vgvoid/root /mnt/var/tmp
mount -o rw,noatime,commit=120 /dev/disk/by-partlabel/mmc_boot /mnt/bootMount the source image
Code:
unxz void-pinebookpro-20220530.img.xz
losetup -v -P /dev/loop9 /root/void-pinebookpro-20220530.img
mkdir /tmp/img
mount -r /dev/loop9p2 /tmp/img
mount -r /dev/loop9p1 /tmp/img/bootCopy source to target
Code:
tar --posix --numeric-owner --xattrs --acls -cpSC /tmp/img .|\
tar --posix --numeric-owner --xattrs --acls -xpSC /mnt;syncClean up, and chroot into the new installation
Code:
cp -a /etc/wpa_supplicant/wpa_supplicant-wlan0.conf /mnt/etc/wpa_supplicant/
cp /etc/resolv.conf /mnt/etc/
for i in dev proc run sys tmp;do
mount --rbind /$i /mnt/$i
mount --make-rslave /mnt/$i
done
PS1='[chroot]# ' chroot /mntUpdate xbps, and install a few things
Code:
xbps-install -Syu xbps
xbps-install -y cryptsetup lvm2 nano socklog-void unzip zip xz zsh wget pv neofetch inxi
# Set keymap and RTC if needed:
nano /etc/rc.conf
echo YourHostName >/etc/hostname
# Link the correct timezone
ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
# Uncomment the locales you want
nano /etc/default/libc-locales
xbps-reconfigure -f glibc-locales
# Set root password
passwd
# Edit fstab
nano /etc/fstabYour /etc/fstab should look as follows:
Code:
#
# See fstab(5).
#
# <file system> <dir> <type> <options> <dump> <pass>
LABEL=void_swap none swap sw,noatime 0 0
LABEL=void_root / btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@ 0 1
LABEL=void_root /.toplevel btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=/ 0 1
LABEL=void_root /.snapshots btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@snap 0 1
LABEL=void_root /home btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@home 0 1
LABEL=void_root /opt btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@opt 0 1
LABEL=void_root /tmp btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@tmp 0 1
LABEL=void_root /var btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var 0 1
LABEL=void_root /var/tmp btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var.tmp 0 1
LABEL=void_boot /boot ext4 rw,noatime,nodev,nosuid,errors=remount-ro 0 2
tmpfs /tmp tmpfs rw,noatime,nodev,nosuid,size=75% 0 0Configure extlinux and rebuild initramfs so the system can boot
Code:
# Edit /etc/default/extlinux, and make sure the CMDLINE looks as follows:
# CMDLINE="panic=10 coherent_pool=1M console=ttyS2,1500000 console=tty0 quiet loglevel=3 ro rootwait root=LABEL=void_root rd.auto=1 cryptdevice=PARTLABEL=mmc_root:pbp0"
nano /etc/default/extlinux
echo 'hostonly="yes"' >/etc/dracut.conf.d/hostonly.conf
cat >/etc/kernel.d/post-install/99-zzzz-backup-boot <<EOF
PKGNAME="$1"
VERSION="$2"
usr/bin/tar --posix --numeric-owner --xattrs --acls -cpSC /boot .|usr/bin/bzip2 -9 >/boot-${VERSION}.tbz
exit 0
EOF
xbps-reconfigure -f pinebookpro-kernelFinish up with the following commands
Code:
exit
umount -R /mnt
haltRemove all unnecessary media, and boot from the just installed system
If you are prompted for the encryption password, you have successfully installed Void Linux! Let's log in as root using the password you set earlier, and run a few commands to finsh up the minimal configuration:
Code:
for i in socklog-unix nanoklogd wpa-supplicant dhcpcd;do ln -s /etc/sv/$i /var/service/;done
xbps-install -SyuBecause the above created script for backing up /boot is a crude hack, best to reboot now, and run the following commands:
Code:
vkpurge rm all
xbps-reconfigure -f pinebookpro-kernelNow you can create snapshots of ths new, clean, and working setup:
Code:
for i in '' home opt tmp var var.tmp;do btrfs subv snap -r /.toplevel/@$i /.snapshots/YYYYMMDD-justinstalled-@$i;doneReplace YYYYMMDD with the current date as appropriate. If you ever bork up your system, and need to restore from a snapshot, keep that small SD card or USB drive with the initial Void Linux image handy, as you can use it to restore the snapshots like so (check the device names):
Code:
cryptsetup open /dev/disk/by-partlabel/mmc_root pbp0
vgchange -a y
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=/ /dev/vgvoid/root /mnt
for i in '' home opt tmp var var.tmp;do
btrfs subv del /mnt/@$i
btrfs subv snap /mnt/@snap/YYYYMMDD-your-description-@$i /mnt/@$i
done
umount /mnt
haltCongratulations!
This concludes your installation of Void Linux with encrypted root. It is, of course, very bare-bones, has no user account, and no GUI. But from here on, you can employ any generic guide for Void Linux regarding the further configuration.
Install Void Linux with near-full-disk encryption - petersen77 - 09-04-2022
EDIT: It's the latest pinebookpro kernel (5.15.46)...
I'm using void on SD card and would like to install it to emmc. But I didn't manage to upgrade the kernel (5.15 is a little bit outdated). Do you know what I'm missing to upgrade to 5.19?
Gesendet von meinem RMX3085 mit Tapatalk
RE: Install Void Linux with near-full-disk encryption - dumetrulo - 09-05-2022
(09-04-2022, 04:33 AM)petersen77 Wrote: I'm using void on SD card and would like to install it to emmc. But I didn't manage to upgrade the kernel (5.15 is a little bit outdated). Do you know what I'm missing to upgrade to 5.19?
Gesendet von meinem RMX3085 mit Tapatalk
I haven't seen a Pinebook Pro-specific package for kernel 5.19 yet. You can (in principle) uninstall the Pinebook Pro kernel packages, and install the regular linux-* packages instead. But please note that I have not tried that, and therefore don't know whether/to what extent it works properly.
Install Void Linux with near-full-disk encryption - petersen77 - 09-05-2022
It didn't work, black screen & reboot after some seconds with regular 5.19 kernel.
Gesendet von meinem RMX3085 mit Tapatalk