PINE64
full disk encryption with luks on manjaro xfce - Printable Version


RE: full disk encryption with luks on manjaro xfce - FutureBucket - 05-13-2020

(05-13-2020, 09:54 AM)e-minguez Wrote:
(05-13-2020, 03:49 AM)as400 Wrote: Here is how I'm generating initcpio with dracut. I have bootfs unencrypted and rootfs encrypted. I use nvme drive. Everything works just fine.



Code:
dracut -H --force -a "crypt lvm drm" -o "kernel-network-modules kernel-modules-extra kernel-modules mdraid qemu qemu-net \
lunmask resume dmraid btrfs modsign i18n" --drivers="rockchipdrm drm drm_kms_helper analogix_dp panel-simple pwm_bl" \
/boot/initramfs-dracut.img

I've used a slightly modified version (removed the -H and used the same name that mkinitcpio uses for the initrd file) because the manjaro-arm-installer is using a chroot. No luck either :( same blinking cursor.


I don't have any suggestions because when I tried, I was stuck at the same point you are.

I just wanted to say thank you for your work on this! I'm watching your progress and I'm hopeful you get it. I'll give it a try this weekend again and see how far I get. I'll post if I get anywhere. I'm not using my PBP because I can't get FDE working.


RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-13-2020

(05-13-2020, 12:20 PM)FutureBucket Wrote:
I don't have any suggestions because when I tried, I was stuck at the same point you are.

I just wanted to say thank you for your work on this! I'm watching your progress and I'm hopeful you get it. I'll give it a try this weekend again and see how far I get. I'll post if I get anywhere. I'm not using my PBP because I can't get FDE working.

Thanks! To me FDE is a must. I've used the Debian installer approach successfully and I'm starting to think if I should move back to Debian...



RE: full disk encryption with luks on manjaro xfce - as400 - 05-14-2020

(05-13-2020, 09:54 AM)e-minguez Wrote: I've used a slightly modified version (removed the -H and used the same name that mkinitcpio uses for the initrd file) because the manjaro-arm-installer is using a chroot. No luck either :( same blinking cursor.


It's crazy. Do you have console=tty1 in your extlinux.conf ?


RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-14-2020

(05-14-2020, 02:01 AM)as400 Wrote:
(05-13-2020, 09:54 AM)e-minguez Wrote: I've used a slightly modified version (removed the -H and used the same name that mkinitcpio uses for the initrd file) because the manjaro-arm-installer is using a chroot. No luck either :( same blinking cursor.


It's crazy. Do you have console=tty1 in your extlinux.conf ?


The extlinux.conf is generated and it looks like:
Code:
LABEL Manjaro ARM
KERNEL /Image
FDT /dtbs/rockchip/rk3399-pinebook-pro.dtb
APPEND initrd=/initramfs-linux.img console=tty1 console=ttyS2,1500000 cryptdevice=UUID=a5c23c7b-807f-41ed-94a4-385f028ce2c2 root=/dev/mapper/ROOT_MNJRO rw rootwait video=eDP-1:1920x1080@60 video=HDMI-A-1:1920x1080@60 bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash

Dracut is executed (in a chroot with systemd-nspawn) as:
Code:
dracut --force -a "crypt lvm drm" \
        -o "kernel-network-modules kernel-modules-extra kernel-modules mdraid qemu qemu-net \
           lunmask resume dmraid btrfs modsign i18n" --drivers="rockchipdrm drm drm_kms_helper analogix_dp panel-simple pwm_bl" \
        /boot/initramfs-linux.img "${KERNELVERSION}"



RE: full disk encryption with luks on manjaro xfce - as400 - 05-14-2020

OK, I would try to remove this "bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash" and this "console=ttyS2,1500000" and then try.


RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-14-2020

(05-14-2020, 05:33 AM)as400 Wrote: OK, I would try to remove this "bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash" and this "console=ttyS2,1500000" and then try.

Done and now I can finally see things! I'm going to go back to mkinitcpio route without the bootsplash stuff. See attached for the dracut status now (stopped at 'Starting dracut initqueue hook...')


RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-14-2020

I got it working with mkinitcpio after removing both the bootsplash and the console=ttyS2 stuff \o/

I'm going to try to clean up the code a bit, try to just modify the HOOKS in mkinitcpio.conf (to be able to be 'generic' and to work for other devices) and then I will submit a PR to the manjaro repo.

Thanks @as400 for your help!

Edit: No luck with just modifying the HOOKS section (black screen), so I guess that for every device, a list of modules needs to be provided.

Edit2: The patch is available here https://gist.github.com/e-minguez/5287bc266df29d418d8b2b21248b8405 let's see if they merge it, meanwhile, I'm happy to have it working on my pbp \o/


RE: full disk encryption with luks on manjaro xfce - as400 - 05-15-2020

@e-minguez great news.
It would be fantastic if they merge your patch. Even on x86 installer you can't get encryption easily with Manjaro.

Now it's time for you to write a proper HOWTO :)

Edit: I would also try to restore "console=ttyS2,1500000" and see if everything still works. It should in my opinion.


RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-15-2020

(05-15-2020, 12:05 AM)as400 Wrote: @e-minguez great news.
It would be fantastic if they merge your patch. Even on x86 installer you can't get encryption easily with Manjaro.

Now it's time for you to write a proper HOWTO :)

Edit: I would also try to restore "console=ttyS2,1500000" and see if everything still works. It should in my opinion.

The howto is very simple, you just need:
* a manjaro x86_64 VM with X (see https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer/-/issues/10 for the reason behind the X requirement) with an extra disk (in my case, I've used an 8gb qcow2 empty file mapped as sata, so it is /dev/sda in the VM)
* ssh into it
* clone the https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer repo
* install the required packages (dialog and manjaro-arm-qemu-static in my case)
* apply the patch (`git apply`)
* run `export CRYPT=y`, then the installer. It will ask you user/pass/software selection/keyboard/etc. then the luks password twice (first one to create the device, the second one to mount it)

Then, power off the manjaro VM, plug a microsd into your computer and convert the qcow2 image into a raw one, then flash it to your microsd (or do it at once as `qemu-img convert -f qcow2 -O raw manjaro-usb.qcow2 /dev/mmcblkX`)

Plug it into your pbp and profit!

In order to resize the luks partition:

* `parted /dev/mmcblkX`, then `resizepart NUMBER END` (in my case, partition = 2, end = 125GB)
* `cryptsetup resize /dev/mapper/ROOT_MNJRO`
* `resize2fs /dev/mapper/ROOT_MNJRO`

HTH!

Edit: I've tested with the console parameter as suggested and it doesn't work, so I'll keep it that way.


RE: full disk encryption with luks on manjaro xfce - Der Geist der Maschine - 05-15-2020

(05-15-2020, 12:42 AM)e-minguez Wrote: Plug it into your pbp and profit!

I just wonder if you will continue profiting beyond kernel updates? What if a manjaro kernel update comes with a new version of extlinux.conf overwriting your custom one?
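
Added example, not part of any post in this thread: a small check that can be run after a kernel or bootloader package update to see whether a regenerated extlinux.conf still carries the encrypted-root parameters and has not regained the two parameters that were removed above (`console=ttyS2,...` and `bootsplash.bootfile=...`). The function name, the placeholder UUID and the sample file are constructed for illustration; the `device:name` comparison assumes the mkinitcpio `encrypt` hook form of `cryptdevice=`.

```shell
#!/bin/sh
# Added example, not from the thread. check_extlinux FILE prints one line per
# finding and returns the number of findings (0 = APPEND line looks intact).
check_extlinux() {
    cx_file=$1; cx_crypt=""; cx_root=""; cx_n=0
    cx_append=$(grep -E '^[[:space:]]*APPEND[[:space:]]' "$cx_file" | head -n 1)
    if [ -z "$cx_append" ]; then
        echo "no APPEND line in $cx_file"; return 1
    fi
    set -f    # split the line into words without glob expansion
    for cx_tok in $cx_append; do
        case $cx_tok in
            cryptdevice=*) cx_crypt=${cx_tok#cryptdevice=} ;;
            root=*)        cx_root=${cx_tok#root=} ;;
            console=ttyS2*|bootsplash.bootfile=*)
                # The two parameters removed in the thread to get a visible prompt.
                echo "parameter removed in the thread is back: $cx_tok"
                cx_n=$((cx_n + 1)) ;;
        esac
    done
    set +f
    if [ -z "$cx_crypt" ]; then
        echo "cryptdevice= is missing"; cx_n=$((cx_n + 1))
    fi
    case $cx_root in
        /dev/mapper/*) ;;
        *) echo "root= is not a /dev/mapper device: '$cx_root'"; cx_n=$((cx_n + 1)) ;;
    esac
    # Assumption: when cryptdevice= uses the device:name form, the name must be
    # the mapper device that root= points at.
    case $cx_crypt in
        *:*) cx_name=${cx_crypt#*:}; cx_name=${cx_name%%:*}
             if [ "/dev/mapper/$cx_name" != "$cx_root" ]; then
                 echo "cryptdevice name '$cx_name' does not match root=$cx_root"
                 cx_n=$((cx_n + 1))
             fi ;;
    esac
    return "$cx_n"
}

# Constructed sample: the thread's APPEND line with a placeholder UUID.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LABEL Manjaro ARM
KERNEL /Image
APPEND initrd=/initramfs-linux.img console=tty1 console=ttyS2,1500000 cryptdevice=UUID=00000000-0000-0000-0000-000000000000 root=/dev/mapper/ROOT_MNJRO rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash
EOF
check_extlinux "$sample" || echo "findings: $?"
rm -f "$sample"
```

Pointing it at `/boot/extlinux/extlinux.conf` (path assumed; adjust to where your image keeps the file) before rebooting after an update shows whether the custom APPEND line survived.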