07-22-2022, 04:53 AM
(This post was last modified: 07-22-2022, 05:49 AM by dumetrulo. Edit Reason: In /etc/default/extlinux.conf, changed CMDLINE to have quiet before loglevel)
EDIT: in /etc/default/extlinux.conf, changed CMDLINE to have quiet before loglevel
Hi folks! I managed to install Void Linux on my Pinebook Pro with working near-full-disk encryption. This means that everything is encrypted except /boot because extlinux doesn't know how to open a crypt volume to load the kernel from there.
It is possible to install GRUB, and have complete encryption of everything except the GRUB loader—I once had this setup with Manjaro—but I found it a bit flakey in that approximately one out of ten boots, it would not find the crypt volume, and I had to reboot. Also, decrypting the key takes GRUB about 4 minutes because the CPU frequency is set to minimum before boot. Therefore I chose to use an unencrypted /boot, and have the password prompted by the initramfs, which will open the crypt volume in reasonable time, and (so far) works every time.
I want to thank Rudis Muiznieks for figuring most of this out already; his guide can be found at https://rdsm.ca/3lwh2, and was my main source of inspiration.
Let's begin…
What do you need?
- A Pinebook Pro
- A free eMMC, SD card, or USB drive to perform the installation on
- A second SD card or USB drive with at least 4GB
- A second system (could be the same Pinebook Pro running another system, or a different PC/laptop) to prepare the second SD card
- An hour or so to follow this guide; further configuration will take more time
Prepare the Pinebook Pro
If you haven't installed it already, download and install Tow-Boot (https://github.com/Tow-Boot/Tow-Boot/releases) as it will make booting much easier (no more need to have U-Boot on every medium). You can do without but then you'll have to remember to flash U-Boot back to eMMC after deleting everything on it but before rebooting the first time. The steps are in the guide below, just in case.
Prepare the second SD card or USB drive
Download Cameron Nemo's unofficial Void Linux image (https://repo.nohom.org/void/images/void-...530.img.xz), and flash it to the SD card or USB drive. Assuming you are using an SD card, and download on the Pinebook Pro using a system that runs a Manjaro kernel, this can be done like this:
Code:
wget https://repo.nohom.org/void/images/void-pinebookpro-20220530.img.xz
sudo blkdiscard -f /dev/mmcblk1
xzcat void-pinebookpro-20220530.img.xz|sudo dd of=/dev/mmcblk1 obs=4M status=progress;sync
Please double-check you have the correct device name; also, if you use a USB drive instead of an SD card, blkdiscard will probably not work; don't worry about it.
As the image comes tightly packed, you will have to extend the root partition, and its file system. To resize the partition, you have to delete and recreate it:
- Run sudo fdisk /dev/mmcblk1
- Press p and Enter to display the partitions; take note of the starting sector of partition 2, just in case
- Press d and Enter to delete partition 2
- Press n and three times Enter to create a new partition 2 which starts at the same sector as before, and uses the whole available space (please double-check the suggested values before pressing Enter; if it does not give you the same starting sector, enter it manually instead of just pressing Enter)
- Press n and Enter when fdisk asks whether to erase the file system signature
- Press p and Enter to display the partitions again; double-check that everything looks good
- Press w and Enter to write the partition table, and exit fdisk
Now the file system can be resized with the following command:
Code:
sudo resize2fs /dev/mmcblk1p2
Mount the file system, and copy the image onto it:
Code:
sudo mount -o rw,noatime /dev/mmcblk1p2 /mnt
sudo cp void-pinebookpro-20220530.img.xz /mnt/root
sudo umount /mnt
Now you are ready to boot from this SD card or USB drive.
Boot the Pinebook Pro from the just prepared SD card or USB drive
For the purpose of preparing this guide, I used a small (8GB) SD card for this step, a USB card reader to plug it in for booting, and a bigger (64GB) SD card to install the final system on. If you are installing to eMMC, the steps will be the same but instead of performing them on /dev/mmcblk1 (the SD card in the PBP's internal reader), you will perform them on /dev/mmcblk2 (the PBP's eMMC). As always, please verify you are using the correct device name, and make sure you substitute as necessary in the below steps.
Boot from the newly prepared medium (in my case, from USB via a USB card reader), and log in as root with password voidlinux. If you have the ISO keyboard, and using a US layout by default bothers you, perform the following line of code, and reboot:
Code:
echo 'KEYMAP="uk"' >>/etc/rc.conf
Set up WiFi using the commands below, substituting YourSSID and YourPwd with your WiFi credentials:
Code:
cp -a /etc/wpa_supplicant/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
wpa_passphrase YourSSID YourPwd >>/etc/wpa_supplicant/wpa_supplicant-wlan0.conf
for i in dhcpcd wpa_supplicant;do ln -s /etc/sv/$i /var/service/;done
Now your WiFi should work (if not, double-check that you are using the correct credentials). Update xbps and install some necessary tools:
Code:
xbps-install -Syu xbps
xbps-install -y cryptsetup lvm2 nano xz
Prepare your installation target, i.e. the eMMC or SD card
If your installation will be to the eMMC, use /dev/mmcblk2. In my case, I will use an SD card, and therefore the steps will use /dev/mmcblk1. Please adjust as necessary:
Code:
blkdiscard -f /dev/mmcblk1
sfdisk /dev/mmcblk1 <<EOF
label: gpt
unit: sectors
first-lba: 64
7 : start= 64, size= 16320, type=8da63339-0007-60c0-c436-083ac8230908, name="mmc_idbloader", attrs="RequiredPartition"
8 : start= 16384, size= 8192, type=8da63339-0007-60c0-c436-083ac8230908, name="mmc_uboot", attrs="RequiredPartition"
9 : start= 24576, size= 8192, type=8da63339-0007-60c0-c436-083ac8230908, name="mmc_tfa", attrs="RequiredPartition"
1 : start= 32768, size= 753664, type=0fc63daf-8483-4772-8e79-3d69d8477de4, name="mmc_boot"
2 : start= 786432, size= 121348096, type=e6d6d379-f507-44c2-a23c-238f2a3df928, name="mmc_root"
EOF
The size of partition 2 is calculated to fit on the 64GB eMMC (it also fits on the SD card I was using). If your target medium has a different size, recalculate the size (I am using a number that divides by 8192 so that the end of the partition is on a 4MB boundary, but that's just me). Partitions 7, 8, and 9 are not strictly necessary but they provide some protection against accidentally deleting the boot loader.
Copy U-Boot from the boot medium to the target (please make sure you use the correct device names). This is not needed if you use Tow-Boot but absolutely don't forget this step if you are not using any U-Boot in SPI!
Code:
dd if=/dev/sda of=/dev/mmcblk1 bs=512 count=32704 skip=64 seek=64;sync
Create LUKS container, LVM partitions therein, and file systems as appropriate
Code:
dd if=/dev/random of=/dev/disk/by-partlabel/mmc_root bs=4M status=progress;sync
cryptsetup luksFormat -q --align-payload 8192 /dev/disk/by-partlabel/mmc_root
cryptsetup open /dev/disk/by-partlabel/mmc_root pbp0
pvcreate --dataalignment=4096k /dev/mapper/pbp0
vgcreate vgvoid /dev/mapper/pbp0
lvcreate -n swap -L 4G vgvoid
lvcreate -n root -l '100%FREE' vgvoid
mkswap -L void_swap /dev/vgvoid/swap
mkfs.btrfs -K -L void_root /dev/vgvoid/root
mkfs.ext4 -E stride=1024,stripe_width=1024 -L void_boot /dev/disk/by-partlabel/mmc_boot
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2 /dev/vgvoid/root /mnt
for i in '' .toplevel boot home opt snap tmp var var.tmp;do btrfs subv create /mnt/@$i;done
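# .toplevel and boot are created too because they are used as mount points in the next step
for i in .snapshots .toplevel boot home opt tmp var;do mkdir /mnt/@/$i;done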
mkdir /mnt/@var/tmp
chmod 1777 /mnt/@/tmp /mnt/@var/tmp /mnt/@tmp /mnt/@var.tmp
umount /mnt
Mount the install target properly
Code:
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@ /dev/vgvoid/root /mnt
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=/ /dev/vgvoid/root /mnt/.toplevel
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@snap /dev/vgvoid/root /mnt/.snapshots
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@home /dev/vgvoid/root /mnt/home
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@opt /dev/vgvoid/root /mnt/opt
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@tmp /dev/vgvoid/root /mnt/tmp
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var /dev/vgvoid/root /mnt/var
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var.tmp /dev/vgvoid/root /mnt/var/tmp
mount -o rw,noatime,commit=120 /dev/disk/by-partlabel/mmc_boot /mnt/boot
Mount the source image
Code:
unxz void-pinebookpro-20220530.img.xz
losetup -v -P /dev/loop9 /root/void-pinebookpro-20220530.img
mkdir /tmp/img
mount -r /dev/loop9p2 /tmp/img
mount -r /dev/loop9p1 /tmp/img/boot
Copy source to target
Code:
tar --posix --numeric-owner --xattrs --acls -cpSC /tmp/img .|\
tar --posix --numeric-owner --xattrs --acls -xpSC /mnt;sync
Clean up, and chroot into the new installation
Code:
cp -a /etc/wpa_supplicant/wpa_supplicant-wlan0.conf /mnt/etc/wpa_supplicant/
cp /etc/resolv.conf /mnt/etc/
for i in dev proc run sys tmp;do
mount --rbind /$i /mnt/$i
mount --make-rslave /mnt/$i
done
PS1='[chroot]# ' chroot /mnt
Update xbps, and install a few things
Code:
xbps-install -Syu xbps
xbps-install -y cryptsetup lvm2 nano socklog-void unzip zip xz zsh wget pv neofetch inxi
# Set keymap and RTC if needed:
nano /etc/rc.conf
echo YourHostName >/etc/hostname
# Link the correct timezone
ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
# Uncomment the locales you want
nano /etc/default/libc-locales
xbps-reconfigure -f glibc-locales
# Set root password
passwd
# Edit fstab
nano /etc/fstab
Your /etc/fstab should look as follows:
Code:
#
# See fstab(5).
#
# <file system> <dir> <type> <options> <dump> <pass>
LABEL=void_swap none swap sw,noatime 0 0
LABEL=void_root / btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@ 0 1
LABEL=void_root /.toplevel btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=/ 0 1
LABEL=void_root /.snapshots btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@snap 0 1
LABEL=void_root /home btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@home 0 1
LABEL=void_root /opt btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@opt 0 1
LABEL=void_root /tmp btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@tmp 0 1
LABEL=void_root /var btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var 0 1
LABEL=void_root /var/tmp btrfs rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=@var.tmp 0 1
LABEL=void_boot /boot ext4 rw,noatime,nodev,nosuid,errors=remount-ro 0 2
tmpfs /tmp tmpfs rw,noatime,nodev,nosuid,size=75% 0 0
Configure extlinux and rebuild initramfs so the system can boot
Code:
# Edit /etc/default/extlinux, and make sure the CMDLINE looks as follows:
# CMDLINE="panic=10 coherent_pool=1M console=ttyS2,1500000 console=tty0 quiet loglevel=3 ro rootwait root=LABEL=void_root rd.auto=1 cryptdevice=PARTLABEL=mmc_root:pbp0"
nano /etc/default/extlinux
echo 'hostonly="yes"' >/etc/dracut.conf.d/hostonly.conf
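# The heredoc delimiter is quoted so that $1, $2 and ${VERSION} are written
# to the hook literally instead of being expanded (to nothing) right now
cat >/etc/kernel.d/post-install/99-zzzz-backup-boot <<'EOF'
#!/bin/sh
PKGNAME="$1"
VERSION="$2"
usr/bin/tar --posix --numeric-owner --xattrs --acls -cpSC /boot .|usr/bin/bzip2 -9 >/boot-${VERSION}.tbz
exit 0
EOF
# Make the hook executable
chmod 755 /etc/kernel.d/post-install/99-zzzz-backup-boot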
xbps-reconfigure -f pinebookpro-kernel
Finish up with the following commands
Code:
exit
umount -R /mnt
halt
Remove all unnecessary media, and boot from the just installed system
If you are prompted for the encryption password, you have successfully installed Void Linux! Let's log in as root using the password you set earlier, and run a few commands to finish up the minimal configuration:
Code:
for i in socklog-unix nanoklogd wpa_supplicant dhcpcd;do ln -s /etc/sv/$i /var/service/;done
xbps-install -Syu
Because the above created script for backing up /boot is a crude hack, best to reboot now, and run the following commands:
Code:
vkpurge rm all
xbps-reconfigure -f pinebookpro-kernel
Now you can create snapshots of this new, clean, and working setup:
Code:
for i in '' home opt tmp var var.tmp;do btrfs subv snap -r /.toplevel/@$i /.snapshots/YYYYMMDD-justinstalled-@$i;done
Replace YYYYMMDD with the current date as appropriate. If you ever bork up your system, and need to restore from a snapshot, keep that small SD card or USB drive with the initial Void Linux image handy, as you can use it to restore the snapshots like so (check the device names):
Code:
cryptsetup open /dev/disk/by-partlabel/mmc_root pbp0
vgchange -a y
mount -o rw,noatime,commit=120,compress-force=zstd,space_cache=v2,subvol=/ /dev/vgvoid/root /mnt
for i in '' home opt tmp var var.tmp;do
btrfs subv del /mnt/@$i
btrfs subv snap /mnt/@snap/YYYYMMDD-your-description-@$i /mnt/@$i
done
umount /mnt
halt
Congratulations!
This concludes your installation of Void Linux with encrypted root. It is, of course, very bare-bones, has no user account, and no GUI. But from here on, you can employ any generic guide for Void Linux regarding the further configuration.
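Because /boot stays unencrypted in this setup, the kernel and the initramfs that prompts for the passphrase are not protected by LUKS. The script below is an added example, not part of the original post: it records SHA-256 hashes of /boot in a manifest stored on the encrypted root and later reports any difference. The manifest path and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: detect changes to the
# unencrypted /boot using a SHA-256 manifest kept on the encrypted root.
BOOT_DIR="${BOOT_DIR:-/boot}"
# Hypothetical manifest location; anywhere on the encrypted root works.
MANIFEST="${MANIFEST:-/var/lib/boot-manifest.sha256}"

# Print "<sha256>  ./relative/path" for every regular file under $1,
# sorted by path so two runs over identical trees give identical output.
boot_manifest() {
    [ -d "$1" ] || return 2
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2
}

# Record the current state of $1 in manifest $2. Re-run after every kernel
# or initramfs update, once you trust the new contents of /boot.
boot_record() {
    boot_manifest "$1" >"$2.tmp" && mv "$2.tmp" "$2" && chmod 600 "$2"
}

# Compare $1 with manifest $2. Prints one line per difference
# (ADDED, CHANGED or MISSING plus the path) and returns 1 if there is any;
# returns 2 if the manifest or the directory cannot be read.
boot_verify() {
    [ -r "$2" ] || return 2
    cur=$(mktemp) || return 2
    boot_manifest "$1" >"$cur" || { rm -f "$cur"; return 2; }
    out=$(awk '
        # sha256sum prints 64 hex digits, two separator characters, the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old)) print "ADDED " path
          else if (old[path] != hash) print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Command-line use: "record" after a trusted update, "verify" after each boot.
case "${1:-}" in
    record) boot_record "$BOOT_DIR" "$MANIFEST" ;;
    verify) boot_verify "$BOOT_DIR" "$MANIFEST" ;;
esac
```

Any unexpected line means /boot changed since the last record. The check runs after the passphrase has already been typed, so it detects a modified /boot rather than preventing one.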