full disk encryption with luks on manjaro xfce

[limxr]

This recipe is for a manjaro xfce pinebook pro image installed to an sdcard.  This recipe may work with other manjaro pinebook pro images.  
First I created a separate partition for /boot that remained unencrypted.  Second, I encrypted the existing root / installation using luks.
I used debian os installed to emmc of pinebook pro, any os that supports luks should work (the default os on pinebook pro does not support luks).  You may want to make sure to have a good backup first in case something goes wrong.

Code:

===================================
separate partitions for boot & root
===================================
boot to debian on emmc
create new partition layout using gparted
(boot will be on 1st partition & root on 2nd partition)
resize mmcblk1p1 partition to smallest size to create free space
(don't touch ~31m unallocated space at start of sdcard)
    copy mmcblk1p1 & paste into remaining free space
  format mmcblk1p1 ext4 to delete files
  resize mmclk1p1 to your desired size, for me ~800mb
    (don't touch ~31m unallocated space at start of sdcard)
  label mmcblk1p1 BOOT
resize/move mmcblk1p2 to fill all remaining free space
move files to /boot
sudo mkdir /mnt/boot; sudo mount /dev/mmcblk1p1 /mnt/boot
    sudo mkdir /mnt/root; sudo mount /dev/mmcblk1p2 /mnt/root
    cd /mnt/boot
    sudo mv /mnt/root/boot/* /mnt/boot
set automount for boot partition
    sudo nano /mnt/root/etc/fstab
        /dev/mmcblk1p1 /boot ext4 defaults 0 2
configure bootloader
    get PARTUUID, for me its 781b2cf9-02
        sudo blkid|grep mmcblk1p2
    add PARTUUID for root and remove /boot/ folder from 3 lines
        cd /mnt/boot/
        sudo nano boot.txt
            #setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=${uuid} rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60
            setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=781b2cf9-02 rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60

            #if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /boot/Image; then
            if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
               #if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /boot/dtbs/${fdtfile}; then
               if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then

                  #if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /boot/initramfs-linux.img; then
                  if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then

    sudo apt install u-boot-tools
    sudo ./mkscr
boot to manjaro on sdcard

============
encrypt root
============
boot to manjaro on sdcard
add modules & hooks to initram
(the order the modules and hooks are loaded is important)
    sudo nano /etc/mkinitcpio.conf
        MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid)
        BINARIES=()
        FILES=()
        HOOKS=(base udev keyboard autodetect keymap modconf block encrypt filesystems fsck)
        COMPRESSION="cat"        
    sudo mkinitcpio -P
boot to debian on emmc
encrypt existing partition in place with luks
    make sure mmcblk1p2 is not mounted
    sudo e2fsck -f /dev/mmcblk1p2
    sudo resize2fs -M /dev/mmcblk1p2
    sudo cryptsetup-reencrypt /dev/mmcblk1p2 --new --reduce-device-size 16M
    sudo cryptsetup open /dev/mmcblk1p2 cryptroot
    sudo resize2fs /dev/mapper/cryptroot
    sudo mount /dev/mapper/cryptroot /mnt/root
configure bootloader
    get UUID for mmcblk1p2
    sudo blkid|grep mmcblk1p2
        get UUID root, for me its 6d1c2895-f2c2-477f-8415-b04f7a4641da
    change kernel parameters for encrypted root including display to console & disable splash
        sudo mount /dev/mmcblk1p1 /mnt/boot
        cd /mnt/boot
        sudo nano boot.txt
            # setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=781b2cf9-02 rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60
            setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=0d739f2d-92af-40ec-bd8b-c8f241e6a2ce:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60

            #booti ${kernel_addr_r} - ${fdt_addr_r};
            booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};

        sudo ./mkscr
reboot to manjaro on sdcard

[JaceAlvejetti]

Followed the directions, in the end I reboot to a screen that does ask for my password but when I type its entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

after some time modules will start to time out not being able to find firmware so I don't think my text is being entered in the right space.

Any thoughts?

[limxr]

Followed the directions, in the end I reboot to a screen that does ask for my password but when I type its entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

after some time modules will start to time out not being able to find firmware so I don't think my text is being entered in the right space.

Any thoughts?

It sounds like the boot process did not wait for the password prompt but just continued.  Do you have rootwait set as a bootarg?  I've attached my boot.txt to see as example.

[JaceAlvejetti]

Followed the directions, in the end I reboot to a screen that does ask for my password but when I type its entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

after some time modules will start to time out not being able to find firmware so I don't think my text is being entered in the right space.

Any thoughts?

It sounds like the boot process did not wait for the password prompt but just continued.  Do you have rootwait set as a bootarg?  I've attached my boot.txt to see as example.

I do at that and agree that is what it sounds like, heres mine:

setenv macaddr da 19 c8 7a 6d f4

part uuid ${devtype} ${devnum}:${bootpart} uuid
setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=bc3791fa-01e0-471d-9ace-a7cae5035c15:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60
setenv fdtfile rockchip/rk3399-pinebook-pro.dtb

if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then
    fdt addr ${fdt_addr_r}
    fdt resize
    fdt set /ethernet@fe300000 local-mac-address "[${macaddr}]"
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then
      # This upstream Uboot doesn't support compresses cpio initrd, use kernel option to
      # load initramfs
      setenv bootargs ${bootargs} initrd=${ramdisk_addr_r},20M ramdisk_size=10M
    fi;
    booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
  fi;
fi

[limxr]

Followed the directions, in the end I reboot to a screen that does ask for my password but when I type its entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

after some time modules will start to time out not being able to find firmware so I don't think my text is being entered in the right space.

Any thoughts?

It sounds like the boot process did not wait for the password prompt but just continued.  Do you have rootwait set as a bootarg?  I've attached my boot.txt to see as example.

I do at that and agree that is what it sounds like, heres mine:

setenv macaddr da 19 c8 7a 6d f4

part uuid ${devtype} ${devnum}:${bootpart} uuid
setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=bc3791fa-01e0-471d-9ace-a7cae5035c15:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60
setenv fdtfile rockchip/rk3399-pinebook-pro.dtb

if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then
    fdt addr ${fdt_addr_r}
    fdt resize
    fdt set /ethernet@fe300000 local-mac-address "[${macaddr}]"
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then
      # This upstream Uboot doesn't support compresses cpio initrd, use kernel option to
      # load initramfs
      setenv bootargs ${bootargs} initrd=${ramdisk_addr_r},20M ramdisk_size=10M
    fi;
    booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
  fi;
fi

That boot.txt looks fine.  I wonder if the initram was generated correctly with mkinitcpio -P when booted to manjaro sd before you encrypted the root partition?  From a linux os you could use cryptsetup to open the root partition on the sdcard, mount it, and check the etc/mkinitcpio.conf to make sure all the modules and hooks are loaded in order and the compression set to "cat". 

If you need to generate initram again you can probably do so from an arch/manjaro os just make sure the mkinitcpio -P command is using options to point to the sdcard and not the booted os. 

Another way you could do this is to decrypt the root partion on sdcard (cryptsetup-reencrypt /dev/mmcblk1p2 --decrypt) then change boot.txt back to non-luks configuration so you can boot into sdcard again.

[JaceAlvejetti]

I backed up prior to doing the encryption, So that's likely where I broke it and here comes my question.

I didn't match the order per the instructions just made sure the items were there guessing that matters from what you said, I am going to restore my backup and I'll do it again.

Thanks!

[limxr]

I backed up prior to doing the encryption, So that's likely where I broke it and here comes my question.

I didn't match the order per the instructions just made sure the items were there guessing that matters from what you said, I am going to restore my backup and I'll do it again.

Thanks!

Yes the order for the HOOKS in mkinitcpio.conf definitely matters, not sure about the MODULES but probably safest just to follow order in recipe.

[e-minguez]

Has anyone being able to do this but for the eMMC? Thanks

[as400]

@e-minguez I have luks + lvm on nvme drive. But I was never able to make it work with mkinitcpio generated initrd. I use dracut for creating initrd and extlinux.conf for booting on Manjaro.

[e-minguez]

@e-minguez I have luks + lvm on nvme drive. But I was never able to make it work with mkinitcpio generated initrd. I use dracut for creating initrd and extlinux.conf for booting on Manjaro.

I'm trying to make this work out of the box in the manjaro installer here https://gitlab.manjaro.org/manjaro-arm/a...-/issues/4 but even if I think it should work, it doesn't. 

Could you please take a look to see if I'm missing something?

Thanks.