Linux Mint 22 and LMDE 6 Full Disk Encryption (directory /boot included) - Using dracut, luks2, SecureBoot and TPM 2.0+PIN

PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with Unified Kernel Image (UKI)
Secure Boot and LUKS2 Unlock via TPM 2.0 (Trusted Platform Module) + PIN
Author: Naldi Stefano (linux22 at Mint Forum)
First Release: 30 January 2019
Last update: 21 August 2024

_____________________________________

I have developed these new solutions for Linux Mint Full Disk Encryption (FDE) on PCs with UEFI firmware and GPT-partitioned disks.

These latest configurations set up Linux Mint 22 with Full Disk Encryption using dracut, luks2, Secure Boot and TPM 2.0 + PIN.

The boot process uses the systemd-boot manager and UKI .efi files.

These new solutions have the following PROS and CONS:

PROS:

  • VERY FAST BOOTING
  • VERY FAST SHUTDOWN
  • VERY SIMPLE
  • SUPPORT FOR TYPE 2 LUKS ENCRYPTED PARTITIONS (LUKS2)
  • FULL DISK ENCRYPTION (FDE) REQUESTING ONLY ONE PASSWORD AT BOOT-UP
  • NO LUKS UNLOCK KEYFILES REQUIRED
  • NO MORE HEADACHE FOR GRUB UPDATING AND/OR UPGRADING
  • WORKS (WITH MINOR CHANGES) ALSO ON LINUX 32-BIT SYSTEMS (TESTED ON VIRTUAL MACHINES ONLY)


CONS:

  • POINTLESS AND/OR POTENTIALLY DANGEROUS FOR FULL DISK ENCRYPTION (FDE) SYSTEMS IF SECURE BOOT IS DISABLED
  • POOR CONFIGURATION OPTIONS (COMPARED TO GRUB)
  • NOT COMMON / NOT STANDARD
  • NEED GREATER EFI PARTITION SIZE (MINIMUM RECOMMENDED SIZE 1GB)
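The setup described above stands or falls with the combination of Secure Boot, a TPM 2.0 token that also demands a PIN, and a recovery passphrase (the CON about Secure Boot being disabled is the main point). The following audit script is an added example of mine, not part of the tutorial or its attached text files: it reads the Secure Boot state from efivarfs and inspects the LUKS2 token metadata that `cryptsetup luksDump --dump-json-metadata` prints, flagging Secure Boot off, a systemd-tpm2 token without PIN, a policy not bound to PCR 7 (the Secure Boot policy register), and a header with no passphrase-only keyslot left for recovery. Token field names follow the systemd-cryptenroll documentation of the systemd-tpm2 token; the sample efivar bytes and the sample dump are constructed, not captured from a real machine.

```python
import json
import subprocess
import sys

# efivarfs exposes each UEFI variable as 4 bytes of attributes followed by its data.
# SecureBoot lives under the EFI global-variable GUID; its single data byte is 1 when enabled.
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Constructed sample inputs: attributes BS|RT (0x06) followed by value 1, and a LUKS2
# metadata dump shaped like `cryptsetup luksDump --dump-json-metadata` output with one
# systemd-tpm2 token (PCR 7, PIN required) on keyslot 1 plus a passphrase keyslot 0.
SAMPLE_EFIVAR_ENABLED = b"\x06\x00\x00\x00\x01"
SAMPLE_DUMP = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256", "tpm2-pin": True}},
})


def secure_boot_enabled(efivar_data: bytes) -> bool:
    """Interpret the raw efivarfs contents of the SecureBoot variable."""
    if len(efivar_data) < 5:
        raise ValueError("SecureBoot variable shorter than 4 attribute bytes + 1 data byte")
    return efivar_data[4] == 1


def audit_luks2_tpm2(luks_json: dict, required_pcrs=(7,)) -> list:
    """Findings about the systemd-tpm2 tokens in a LUKS2 header dump; [] means OK.
    Field names follow systemd-cryptenroll's documented token format (assumption)."""
    findings = []
    tokens = luks_json.get("tokens", {})
    keyslots = set(luks_json.get("keyslots", {}))
    tpm2_tokens = {tid: t for tid, t in tokens.items() if t.get("type") == "systemd-tpm2"}
    if not tpm2_tokens:
        findings.append("no systemd-tpm2 token: the volume is unlocked by passphrase only")
    token_slots = set()
    for tid, tok in tpm2_tokens.items():
        token_slots.update(tok.get("keyslots", []))
        missing = sorted(set(required_pcrs) - set(tok.get("tpm2-pcrs", [])))
        if missing:
            findings.append(f"token {tid}: TPM policy not bound to PCR(s) {missing}; "
                            "a change of Secure Boot state would not invalidate the sealed key")
        if not tok.get("tpm2-pin", False):
            findings.append(f"token {tid}: no PIN required, the TPM alone releases the key")
    # Every keyslot referenced by a token is TPM-bound; at least one other slot must remain.
    if not keyslots - token_slots:
        findings.append("no passphrase-only keyslot left: a TPM or firmware change would lock you out")
    return findings


def audit(efivar_data: bytes, luks_dump_json: str) -> list:
    """Firmware check plus header check; [] means the setup matches the tutorial's model."""
    findings = []
    if not secure_boot_enabled(efivar_data):
        findings.append("Secure Boot is disabled: unsigned kernels can be booted on this machine")
    findings.extend(audit_luks2_tpm2(json.loads(luks_dump_json)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit a real system (run as root; read-only)
        with open(SECUREBOOT_EFIVAR, "rb") as f:
            efivar = f.read()
        dump = subprocess.run(["cryptsetup", "luksDump", "--dump-json-metadata", sys.argv[1]],
                              check=True, capture_output=True, text=True).stdout
    else:                   # no device given: audit the constructed sample
        efivar, dump = SAMPLE_EFIVAR_ENABLED, SAMPLE_DUMP
    for line in audit(efivar, dump) or ["OK: Secure Boot on, TPM2+PIN token bound to PCR 7, recovery passphrase present"]:
        print(line)
```

Run it as root with the LUKS device as argument (for example the encrypted partition under /dev) to audit a real installation; without an argument it audits the constructed sample. It only reads metadata and changes nothing on the header.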

 

 

_____________________________________

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

LINUX MINT FDE INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, UNIFIED KERNEL IMAGE (UKI)

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with Unified Kernel Image (UKI)

Copyright (C) 2019, 2020, 2021, 2022, 2023, 2024 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see <https://www.gnu.org/licenses/fdl.html>.


GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with Unified Kernel Image (UKI)

Copyright (C) 2019, 2020, 2021, 2022, 2023, 2024 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see <https://www.gnu.org/licenses/gpl.html>.

Linux Mint Full Disk Encryption (directory /boot included) installation - PC with UEFI and HDD with GPT, Unified Kernel Image (UKI)

I wrote this guide/tutorial in the hope that it will be useful to everyone who needs a Linux installation with Full Disk Encryption. The solution reported here is EXPERIMENTAL and requires good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 22 Cinnamon and MATE and with Linux Mint Debian Edition LMDE 6, all 64-bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

The topic for this tutorial at the Mint Forum is:

https://forums.linuxmint.com/viewtopic.php?t=198077

You can download the latest version of these tutorials from my cloud storage. Every zip file contains the tutorial in PDF format and a few text files listing all the Terminal commands (for more reliable 'copy and paste' operations).

The latest tutorial for LMDE 6 has a PDF file which also embeds all the attached txt files.

The links to the zip files are:

Linux Mint 19.X and 20.X Cinnamon

Linux Mint 19.X and 20.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - NO LVM - Boot with EFI STUB loader

Linux Mint 19.X and 20.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM - Boot with EFI STUB loader

 

Linux Mint Debian Edition LMDE 6

Version for ext4 filesystems

Linux Mint Debian Edition LMDE 6 with Full Disk Encryption - UKI - Ext4 Version 1.1

Version for btrfs filesystems

Linux Mint Debian Edition LMDE 6 with Full Disk Encryption - UKI - Btrfs Version 1.1

 

Linux Mint 22 Cinnamon

Linux Mint 22 Full Disk Encryption, booting with UKI.pdf

 

Comments
linux22 4 years ago


Hello ehsjoar67, I have read your message.

The new configurations for Linux Mint 20 and Ubuntu 19.10 and above are ready and available for download.

Thank you for your interest.

Regards.

linux22


linux22 4 years ago

Hello ismail783, I have read your message.

Step 3 is necessary to build a working EFI STUB loader. If you skip this step your new Linux Mint installation will not boot, because in Step 2 we had run Ubiquity skipping the installation of the boot loader.

Regards.

linux22


ismail783 4 years ago

I think "Step 3 - Configuring the EFI STUB loader for the Linux Mint FDE installation, require a lot of Terminal commands" is for kernel update stuff. If so, then is there any way we can do it after we log in to Linux Mint (with the GUI)? I mean, can we just restart after Step 2 and copy-paste the lines into `/etc/initramfs/post-update.d/objcopy_update_hook`? If so, then please add the instructions to the new tutorial.


ehsjoar67 4 years ago

Thanks for a great tutorial!
I tried the "Linux Mint 19.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader" on Mint 20 (beta) and almost everything worked (didn't try Secure Boot yet). Two things were different. First, efibootmgr needs to be copied to /mnt/bin/ as it is not part of the default installation. Secondly, objcopy didn't work with paths like /vmlinuz and /initrd.img; it works if you change them to /boot/vmlinuz and /boot/initrd.img, though.
Cheers,
// Jonas


DanielCouturier 4 years ago

Thanks for sharing, I couldn't do the manipulation on my virtual machine...


linux22 4 years ago

As I previously said, almost all Linux distributions support the grub bootloader and use it as their default boot loader. This means that the basic grub packages are installed by default. But if your PC runs in UEFI mode it needs the package 'grub-efi' to work. If you search for the package grub-efi with Synaptic you can see that this package has not been installed, because the command "012 #: sh -c 'ubiquity -b gtk_ui'&" in Step 2 runs Ubiquity skipping the installation of the boot loader.
Anyway, the grub basic packages installed by default do not hurt your EFI Stub loader and cannot install a working grub bootloader on your system.

Regards.

linux22


ismail783 4 years ago

I copy-pasted exactly what was in "Linux Mint 19.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader" including `sh -c 'ubiquity -b gtk_ui'&`. The commands are mentioned below:

Enable Internet

sudo parted -s /dev/sda mklabel gpt
sudo parted -s /dev/sda mkpart ESP fat32 2048s 1050624s
sudo mkfs.vfat -F32 /dev/sda1
sudo parted -s /dev/sda set 1 boot on
sudo parted -s /dev/sda mkpart primary 1052672s 488396799s

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks2 /dev/sda2

sudo cryptsetup luksOpen /dev/sda2 sda2_crypt

sudo pvcreate /dev/mapper/sda2_crypt
sudo vgcreate mint /dev/mapper/sda2_crypt
sudo lvcreate -L 4G mint -n swap
sudo lvcreate -l +100%FREE mint -n root
sh -c 'ubiquity -b gtk_ui'&

After This process is complete:

sudo mount /dev/mapper/mint-root /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc
sudo mount --bind /run /mnt/run
sudo mount /dev/sda1 /mnt/boot/efi
sudo chmod -R g-rwx,o-rwx /mnt/boot
echo "sda2_crypt UUID=`sudo blkid -s UUID -o value /dev/sda2` none luks" | sudo tee -a /mnt/etc/crypttab

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u

sudo chroot /mnt mkdir /boot/efistub
sudo chroot /mnt mkdir -p /boot/efi/EFI/Boot
sudo chroot /mnt mkdir -p /boot/efi/EFI/Mint
echo "root=/dev/mapper/mint-root ro quiet splash" | sudo tee -a /mnt/boot/efistub/cmdline.txt
sudo chroot /mnt objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Mint/kernel.efi
sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Boot/Bootx64.efi
sudo chroot /mnt efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"

sudo chroot /mnt mkdir -p /etc/initramfs/post-update.d
sudo chroot /mnt touch /etc/initramfs/post-update.d/objcopy_update_hook
sudo chroot /mnt chmod +x /etc/initramfs/post-update.d/objcopy_update_hook

/mnt/etc/initramfs/post-update.d/objcopy_update_hook # while install
/etc/initramfs/post-update.d/objcopy_update_hook # after restart
....
#! /bin/sh
objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
if [ -d /boot/efikeys ]
then
sbsign --key /boot/efikeys/db.key --cert /boot/efikeys/db.crt --output /boot/efistub/kernel.efi /boot/efistub/kernel.efi
sync
sbverify --cert /boot/efikeys/db.crt /boot/efistub/kernel.efi
fi
knf="`sudo readlink /vmlinuz`"
knb="`sudo basename $knf`"
cp -f /boot/efistub/kernel.efi /boot/efistub/kernel.$knb.efi
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Mint/kernel.efi
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Boot/Bootx64.efi
....

sudo rm -r /mnt/boot/efi/EFI/ubuntu
sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt

After I rebooted, the command:

$ apt list --installed | grep grub

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

grub-common/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub-gfxpayload-lists/bionic,now 0.7 amd64 [installed]
grub-pc/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub-pc-bin/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub2-common/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub2-theme-mint/tricia,tricia,now 1.2.2 all [installed]

I also cross-checked with Synaptic and yes, the grub* stuff is there.

Even in /boot there is a directory named "grub".
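The objcopy command in the post above builds the UKI by placing .osrel, .cmdline, .linux and .initrd at fixed addresses (0x20000, 0x30000, 0x40000 and 0x3000000). The following Python example is mine, added here and not taken from the post or the tutorial: it builds a toy PE image with that same section layout and parses the section table back, so you can check which kernel command line a UKI on your ESP actually embeds and whether the fixed layout still fits the kernel. The toy builder omits the PE optional header; the parser skips a real one via its size field, so it also works on a real kernel.efi read from disk. The section payloads in the sample are constructed placeholders.

```python
import struct
import sys

PE_OFFSET_FIELD = 0x3C                           # e_lfanew: file offset of the "PE\0\0" signature
COFF_HEADER = struct.Struct("<HHIIIHH")          # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...

# Section addresses from the --change-section-vma arguments used in the post.
UKI_LAYOUT = {".osrel": 0x20000, ".cmdline": 0x30000, ".linux": 0x40000, ".initrd": 0x3000000}


def build_toy_pe(sections: dict) -> bytes:
    """Build a minimal PE image holding {name: (vma, payload)} sections.
    Toy only (no optional header, no stub code): it reproduces the section table
    that objcopy --add-section/--change-section-vma writes, for offline testing."""
    names = list(sections)
    first_raw = 0x40 + 4 + COFF_HEADER.size + SECTION_HEADER.size * len(names)
    dos_header = b"MZ" + b"\0" * (PE_OFFSET_FIELD - 2) + struct.pack("<I", 0x40)
    coff = COFF_HEADER.pack(0x8664, len(names), 0, 0, 0, 0, 0x0022)   # AMD64, executable image
    headers, body = b"", b""
    for name in names:
        vma, payload = sections[name]
        headers += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"), len(payload), vma,
                                       len(payload), first_raw + len(body), 0, 0, 0, 0, 0x40000040)
        body += payload
    return dos_header + b"PE\0\0" + coff + headers + body


def pe_sections(image: bytes) -> dict:
    """Parse the PE section table; returns {name: (vma, raw_bytes)}."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, PE_OFFSET_FIELD)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    _, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(image, pe_off + 4)
    table = pe_off + 4 + COFF_HEADER.size + opt_size      # optional header skipped if present
    out = {}
    for i in range(nsections):
        name, _, vma, raw_size, raw_ptr, _, _, _, _, _ = SECTION_HEADER.unpack_from(
            image, table + i * SECTION_HEADER.size)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = (vma, image[raw_ptr:raw_ptr + raw_size])
    return out


def uki_cmdline(image: bytes) -> str:
    """Kernel command line the UKI will boot with (its .cmdline section)."""
    sections = pe_sections(image)
    if ".cmdline" not in sections:
        raise ValueError("no .cmdline section: the stub will use its built-in default")
    return sections[".cmdline"][1].rstrip(b"\0\n").decode()


def layout_overlaps(sections: dict) -> list:
    """Pairs (a, b) where section a's bytes, placed at its VMA, run into section b's VMA."""
    ordered = sorted(sections.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (va, ra)), (b, (vb, _)) in zip(ordered, ordered[1:]) if va + len(ra) > vb]


def kernel_size_budget(layout=UKI_LAYOUT) -> int:
    """Largest vmlinuz the fixed layout can hold before .linux runs into .initrd."""
    return layout[".initrd"] - layout[".linux"]


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # inspect a real UKI, e.g. /boot/efistub/kernel.efi
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:                                      # constructed stand-in with dummy kernel/initrd bodies
        image = build_toy_pe({
            ".osrel": (UKI_LAYOUT[".osrel"], b'NAME="Linux Mint"\n'),
            ".cmdline": (UKI_LAYOUT[".cmdline"], b"root=/dev/mapper/mint-root ro quiet splash\n"),
            ".linux": (UKI_LAYOUT[".linux"], b"\0" * 64),
            ".initrd": (UKI_LAYOUT[".initrd"], b"\0" * 64),
        })
    found = pe_sections(image)
    for name, (vma, raw) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"{name:10s} vma=0x{vma:08x} size={len(raw)}")
    print("cmdline:", uki_cmdline(image))
    print("overlaps:", layout_overlaps(found) or "none")
    print("kernel size budget with this layout:", kernel_size_budget(), "bytes")
```

With the fixed addresses from the post, `kernel_size_budget()` is 0x3000000 - 0x40000 bytes (about 47.75 MiB); a vmlinuz larger than that would make .linux overlap .initrd, which `layout_overlaps` reports. Running the script against the signed kernel.efi on the ESP is a quick way to confirm that the embedded `root=` line is the one you wrote to cmdline.txt.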


linux22 4 years ago

Hello ismail783, I have read your message.

My answers to your questions are:

1. I think there are no obstacles to enabling Secure Boot in your configuration. I have tested the first solution (NO LVM - WITHOUT HIBERNATE) with Secure Boot on a virtual machine (QEMU) and at the moment it is also working on my personal NUC6 PC. I have tested the second solution (LVM FOR HIBERNATE, your choice) with Secure Boot on a virtual machine (QEMU) but not on a real PC (I do not like the Hibernation function).

2. Almost all Linux distributions support the grub bootloader and use it as their default boot loader. It does not hurt your EFIStub, but if you want to remove it you can simply run 'synaptic' and uninstall it. Remember that the package name is grub-efi. Anyway, if you have installed your system following my tutorial grub should not be installed. The command "012 #: sh -c 'ubiquity -b gtk_ui'&" in Step 2 runs Ubiquity skipping the installation of the boot loader.

3. You can simply add every EFIStub .efi file, with different names, to your /boot/efi/EFI/Mint directory and run efibootmgr for every one of them. They will be bootable from your PC's EFI Boot Menu by pressing the right function key at start-up (see your PC user manual). Another method can be installing the 'systemd-boot' package and configuring it to boot all your EFIStub .efi files. It is a very basic but reliable boot manager (here is the link to its configuration on the Arch Linux Wiki - https://wiki.archlinux.org/index.php/Systemd-boot).

Regards.

linux22


ismail783 4 years ago

"Linux Mint 19.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader" is working flawlessly in my system.

I have a few questions, though.

1. Will https://community.linuxmint.com/tutorial/view/2360 work on this system or do I need any changes?
2. EFIStub seems enough for me. Why is grub2 still there? How can I completely remove grub2 from this reference system?
3. How can I flip-flop between multiple kernels using EFIStub on this reference system?