Dual boot for Linux Mint 20.X Full Disk Encryption with EFI STUB loader + Windows 10

linux22
  1 month ago
  3

Dual boot for Linux Mint 20.X(*) with EFI STUB loader + Windows 10

Linux configured with Full System Encryption (directory /boot included)

PC with UEFI firmware & HDD with GPT partitioning scheme

UEFI Boot Manager ‘systemd-boot’ equipped with Linux Extended Boot Partition (a.k.a. XBOOTLDR)

Author: Naldi Stefano (linux22 at Mint Forum)
First Release: October 2015

Last update: 15 November 2020

Version 3.0

(*) Works also with Ubuntu 20.04.X

 

Hits since 22/10/2016  free hit counter

 

 Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

 

 

Table of contents

GNU LICENSES
Disclaimer and acknowledgments
Useful links
Preface
INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, EFI STUB LOADER

Step 1 - Check your HDD and build a Linux Extended Boot Partition (a.k.a. XBOOTLDR)
Step 2 - Set up for Ubiquity configuration file '07crypto_check_mountpoints'
Step 3 - Set up of HDD and partitions
Step 4 - Set up of the Linux FDE installation
Step 5 - Configuring the EFI STUB loader for the Linux FDE installation
Step 6 - Installing and configuring the ‘systemd-boot’ boot manager

Appendix A - Emergency tools - How to access your encrypted partition with your Live Linux
Appendix B - Emergency tools - How to reinstall EFI STUB loader after …
Appendix C - Enabling Secure Boot for both Linux FDE and Windows 10

Method α - Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform
Method β - Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories
Secure Boot check

Appendix D - Dual boot Linux Mint 20.X FDE + Windows 10 without XBOOTLDR partition

 

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Dual boot for Linux Mint 20.X with EFI STUB loader + Windows 10
Linux Full System Encryption (directory /boot included)
PC with UEFI & HDD with GPT and ‘systemd-boot’ UEFI Boot Manager

Copyright (C)  2015  2016  2017   2018  2019  2020  Naldi Stefano.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
You should have received a copy of the "GNU Free Documentation License" along with this document.
If not, see < https://www.gnu.org/licenses/fdl.html >.

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Dual boot for Linux Mint 20.X with EFI STUB loader + Windows 10
Linux Full System Encryption (directory /boot included)
PC with UEFI & HDD with GPT and ‘systemd-boot’ UEFI Boot Manager

Copyright (C)  2015  2016  2017   2018  2019  2020  Naldi Stefano.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the "GNU General Public License" along with this program.
If not, see < https://www.gnu.org/licenses/gpl.html >.

 

 

Disclaimer and acknowledgments

I wrote this guide/tutorial with the hope that it will be useful for everyone who need a dual boot Linux FDE (Full Disk Encryption) + Windows 10 installation. The solution here reported is EXPERIMENTAL and need a good experience with Linux and its installation. At the moment I have successfully experimented this solution with Linux Mint 20.X Cinnamon and Mate and Ubuntu 20.04, all 64 bit version.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.
Prior of all I must thank Matthew Bentley (https://bentley.link/secureboot), because his publications show very well the whole process of building and configuring a reliable EFI STUB loader for Linux systems. You can see that his solution was published on 12 May 2016, more than 4 year ago.
Another thanks go to Michal Krenek (Mikos) for its 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation.
Altought these two software solutions seem both developed for ArchLinux distros we can find within them the rights commands and advices for almost every Linux distribution.

 

 

Useful links

    • https://bentley.link/secureboot
    • https://wiki.archlinux.org/index.php/EFISTUB
    • https://wiki.debian.org/EFIStub
    • https://kernel-team.pages.debian.net/kernel-handbook/ch-update-hooks.html
    • http://www.rodsbooks.com/efi-bootloaders/efistub.html
    • https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
    • https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles
    • https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
    • https://wiki.archlinux.org/index.php/Systemd-boot
    • https://bbs.archlinux.org/viewtopic.php?id=158003
    • http://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
    • https://systemd.io/BOOT_LOADER_SPECIFICATION/
    • https://systemd.io/BOOT_LOADER_INTERFACE/
    • https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/
    • https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/
    • https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot

 

 

 Preface

The 4 major difficulties dealing with Dual Boot Linux Full Disk Encryption + Windows 10 are:
- the correct configuration of the boot loader, normally GRUB, for stand alone Linux Full Disk Encryption, especially when also directory ‘/boot’ is encrypted

- the correct configuration of the GRUB Boot Loader for dual booting with Linux Full Disk Encryption + Windows 10, especially when also directory ‘/boot’ is encrypted

- the correct configuration of the GRUB Boot Loader when used on PCs with UEFI platform and Secure Boot enabled      

- the current GRUB package, used in most Linux Distro’s, DO NOT support LUKS2 on Linux Full Disk Encryption when also directory ‘/boot’ is encrypted. Recently the GRUB package has been updated for LUKS2 support and some Distro’s are working for updating their latest builds but the update is still problematic and the LUKS2 support is guaranteed only if the --pbkdf option (Password-Based Key Derivation Function algorithm) is set to pbkdf2.
      
My previous solutions were developed using GRUB Boot Loader but every time I got a Linux Kernel update, a GRUB update, an initrd update or the most weird update I was forced to reinvent the wheel and search for a new correct configuration of GRUB, if possible.

Finally I have found 2 new tools, very spartan, very simple and very light that solved almost every major problem that I encountered dealing with GRUB and Dual Boot with Linux Full Disk Encryption + Windows 10.

The 2 tools are EFISTUB Boot Loader and ‘systemd-boot’ UEFI Boot Manager.

The first tool is EFISTUB Boot Loader, a very simple tool that turns a Linux kernel image into an EFI executable file which can be directly launched from the PC UEFI firmware. This tool, combined with the Linux command 'objcopy', can build a single composite EFI file containing the Linux kernel, a text file containing the Linux kernel’s command-line parameters and the initrd.img file.   
This configuration can manage and boot up also LUKS2 encrypted partition, without any limitation.
This single efi file can be re-built automatically every time we get a Linux Kernel update and/or a initrd update.
The major disadvantage of EFISTUB+objcopy efi files is its size (almost 100 MB).
In dual boot systems with Linux Full Disk Encryption + Windows 10 this problem can be overcomed using a Linux Extended Boot Partition (a.k.a. XBOOTLDR) as a container for the composite EFI files produced by EFISTUB+objcopy tools.

 

The second tool is the ‘systemd-boot’ UEFI Boot Manager. Also this tool is a spartan, simple and extremely light executable efi file. Its configuration is done with simple text configuration files.
The major disadvantage of ‘systemd-boot’ UEFI Boot Manager is the lack of adequate documentation.
Lastly we can also sign these efi executable files with our own Custom Secure Boot keys and run them on PCs UEFI platforms with Secure Boot enabled.  

I have used these tools for a while and I have never got the annoying problems encountered using GRUB.

The solution depicted in this tutorial, using XBOOTLDR partition, can be useful because the typical installation of Windows 10 create an ESP partition with size < 300MB. If reinstalling Windows 10 in your system with a greater ESP partition is contraindicated then putting the composite EFI file of almost 100 MB (produced by EFISTUB+objcopy tools) inside the ESP can be problematic. In this case the solution using XBOOTLDR partition can solve the problem.
For more details see: https://wiki.archlinux.org/index.php/Systemd-boot

If instead is possible installing Windows 10 with an ESP partition size ≥ 1GB  you can choose the very simpler solution depicted in Appendix D (tutorial not yet ready).

The topic for this tutorial at the Mint Forum is:

https://forums.linuxmint.com/viewtopic.php?t=198077

 

You can download the latest version of this tutorial from my cloud storage. The zip file contains the tutorial in pdf format and a text file with all the Terminal commands listed inside it (for more reliable 'Copy and Paste' operations). The link to the zip file is:

Dual boot Linux Mint 20 FDE + systemd-boot + Windows 10 - EFISTUB on XBOOTLDR - Version 3.0

 

 

Comments
linux22 4 years ago

Hello Newby, I have read your message.

Do not worry about the crash window at the end of Ubiquiry. Leave it aside.

Check if your system has the initctl.REAL file.
ONLY IF IT EXIST commit the terminal commands indicated in my tutorial:

- sudo mv /mnt/sbin/initctl /mnt/sbin/initctl.orig
- sudo mv /mnt/sbin/initctl.REAL /mnt/sbin/initctl

Check that your initctl file has the correct size (approximately 193 kB).

Now I have a few question for you:

- Is your computer UEFI firmware setting "Secure Boot" enabled or disabled ?
- Have you get any warning/error message during the installation of my Mint FDE solution ?
- Have you checked, after every Terminal command, that your system responded as indicated in my screenshots ?

If your computer have the Secure Boot enabled try and disable it.
DO NOT touch other UEFI settings !!!

Please keep me informed about your installation attempts.


Regards

linux22


MagicMint 5 years ago

Great work ! But I can’t help mentioning that it’s kinda ironic to make that tremendous labor just in order to have a fully protected Linux installation aside the worst spyware ever seen ;-)


Rebel450 5 years ago

I appreciate the work you made;
thank you for your efforts.