Linux Mint 19.X and 20.X (but also Ubuntu) with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

linux22
  1 month ago
  2

Linux Mint 19.X and 20.X with Full Disk Encryption, directory /boot included
PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader
Author: Naldi Stefano (linux22 at Mint Forum)
First Release: 30 January 2019
Version 1.3
Last update: 5 July 2020

Hits since 30/01/2019  website counter

 

_____________________________________

 

 

I have developed these new solutions for Linux Mint Full Disk Encryption (FDE) with PC UEFI & HDD GPT.

The first solution do not use LVM and handle the SWAP via file.

The second solution use LVM for implementing a separate SWAP partition, thus allowing the Hibernate funcion.

In these new projects I am abandoning the standard boot loader GRUB, replacing it with the EFI STUB loader.

This new solutions have the following PROS and CONS:

PROS:

  • VERY FAST BOOTING
  • VERY FAST SHUTDOWN
  • VERY SIMPLE
  • SUPPORT FOR TYPE 2 LUKS ENCRYPTED PARTITIONS (LUKS2)
  • FULL DISK ENCRYPTION (FDE) REQUESTING ONLY ONE PASSWORD AT BOOT-UP
  • NO LUKS UNLOCK KEYFILES REQUIRED
  • WITHOUT OR WITH LVM (FOR ENABLING HIBERNATE FUNCTION)
  • NO MORE HEADACHE FOR GRUB UPDATING AND/OR UPGRADING
  • WORKS (WITH MINOR CHANGES) ALSO ON LINUX 32-BIT SYSTEMS (TESTED ON VIRTUAL MACHINES ONLY)


CONS:

  • POINTLESS AND/OR POTENTIALLY DANGEROUS FOR FULL DISK ENCRYPTION (FDE) SYSTEMS IF SECURE BOOT IS DISABLED
  • POOR CONFIGURATION OPTIONS (COMPARED TO GRUB)
  • NOT COMMON / NOT STANDARD
  • NEED GREATER EFI PARTITION SIZE (MINIMUM RECOMMENDED SIZE 1GB)

 

_____________________________________

 

 

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

 


Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

LINUX MINT FDE INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, EFI STUB LOADER

 

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

Copyright (C)  2019  2020  Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see < https://www.gnu.org/licenses/fdl.html >.


GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

Copyright (C)  2019  2020  Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see < https://www.gnu.org/licenses/gpl.html >.

 

 

Linux Mint Full Disk Encryption (directory /boot included) installation - PC with UEFI and HDD with GPT, EFI STUB loader

I wrote this guide/tutorial with the hope that it will be useful for everyone who need a Linux installation with Full Disk Encryption. The solution here reported is EXPERIMENTAL and need a good experience with Linux and its installation. At the moment I have successfully experimented this solution with Linux Mint 19.X and 20.X Cinnamon and Mate, Ubuntu 17.10 and above, all 64 bit version.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

Prior of all I must thank Matthew Bentley (https://bentley.link/secureboot), because his publications show very well the whole process of building and configuring a reliable EFI STUB loader for Linux systems. You can see that his solution was published on 12 May 2016, more than 2 year ago.

Another thanks go to Michal Krenek (Mikos) for its 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation.

Altought these two software solutions seem both developed for ArchLinux we can find within them the rights commands and advices for almost every Linux distribution.


Other useful links are these:

 

 

The topic for this tutorial at the Mint Forum is:

https://forums.linuxmint.com/viewtopic.php?t=198077

 

You can download the last version of these two tutorial in pdf format from my cloud storage at the links below:

 

Linux Mint 19.X and 20.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - NO LVM - Boot with EFI STUB loader

Linux Mint 19.X and 20.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader

 

 

Comments
linux22 3 months ago


Hello ehsjoar67, I have read your message.

The new configurations for Linux Mint 20 and Ubuntu 19.10 and above are ready and available for download.

Thank you for your interest.

Regards.

linux22


linux22 3 months ago

Hello ismail783, I have read your message.

Step 3 is necessary to build a working EFI STUB loader. If you skip this step your new Linux Mint installation will not boot, because in Step 2 we had run Ubiquity skipping the installation of the boot loader.

Regards.

linux22


ismail783 3 months ago

I think "Step 3 - Configuring the EFI STUB loader for the Linux Mint FDE installation, require a lot of Terminal commands" is for kernel update stuff. If so, then is there any way we can do it after we login in to Linux Mint (With GUI). I mean can we just restart after step 2 and copy paste lines in `/etc/initramfs/post-update.d/objcopy_update_hook`? If so then please add the instructions in the new tutorial.


ehsjoar67 4 months ago

Thanks for a great tutorial!
I tried the "Linux Mint 19.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader" on Mint 20 (beta) and most everything worked (didn't try secure boot yet). 2 things that were different. First out the efibootmgr needs to be copied to /mnt/bin/ as it is not part of the default installation. Secondly, objcopy didn't work with paths like /vmlinuz and /initrd.img. It works if changing it to /boot/vmlinuz and /boot/initrd.img though.
Cheers,
// Jonas


DanielCouturier 6 months ago

Thanks for sharing, I couldn't do the manipulation on my viturel machine...


linux22 7 months ago

As I previously said almost all Linux distributions support grub bootloader and use it as their default boot loader. This means that the basic grub packages are installed by default. But if your PC run in UEFI mode it needs the package 'grub-efi' to work. If you search the package grub-efi with Synaptic you can see that this package has not been installed, because the command "012 #: sh -c 'ubiquity -b gtk_ui'&" in Step 2 run Ubiquity skipping the installation of the boot loader.
Anyway the grub basic packages installed by default do not hurt your EFI Stub loader and can not install a working grub bootloader on your system.

Regards.

linux22


ismail783 7 months ago

I copy pasted exactly what was in "Linux Mint 19.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader" including `sh -c 'ubiquity -b gtk_ui'&`. The commands are mentioned bellow:

Enable Internet

sudo parted -s /dev/sda mklabel gpt
sudo parted -s /dev/sda mkpart ESP fat32 2048s 1050624s
sudo mkfs.vfat -F32 /dev/sda1
sudo parted -s /dev/sda set 1 boot on
sudo parted -s /dev/sda mkpart primary 1052672s 488396799s

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks2 /dev/sda2

sudo cryptsetup luksOpen /dev/sda2 sda2_crypt

sudo pvcreate /dev/mapper/sda2_crypt
sudo vgcreate mint /dev/mapper/sda2_crypt
sudo lvcreate -L 4G mint -n swap
sudo lvcreate -l +100%FREE mint -n root
sh -c 'ubiquity -b gtk_ui'&

After This process is complete:

sudo mount /dev/mapper/mint-root /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc
sudo mount --bind /run /mnt/run
sudo mount /dev/sda1 /mnt/boot/efi
sudo chmod -R g-rwx,o-rwx /mnt/boot
echo "sda2_crypt UUID=`sudo blkid -s UUID -o value /dev/sda2` none luks" | sudo tee -a /mnt/etc/crypttab

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u

sudo chroot /mnt mkdir /boot/efistub
sudo chroot /mnt mkdir -p /boot/efi/EFI/Boot
sudo chroot /mnt mkdir -p /boot/efi/EFI/Mint
echo "root=/dev/mapper/mint-root ro quiet splash" | sudo tee -a /mnt/boot/efistub/cmdline.txt
sudo chroot /mnt objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Mint/kernel.efi
sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Boot/Bootx64.efi
sudo chroot /mnt efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"

sudo chroot /mnt mkdir -p /etc/initramfs/post-update.d
sudo chroot /mnt touch /etc/initramfs/post-update.d/objcopy_update_hook
sudo chroot /mnt chmod +x /etc/initramfs/post-update.d/objcopy_update_hook

/mnt/etc/initramfs/post-update.d/objcopy_update_hook # while install
/etc/initramfs/post-update.d/objcopy_update_hook # after restart
....
#! /bin/sh
objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
if [ -d /boot/efikeys ]
then
sbsign --key /boot/efikeys/db.key --cert /boot/efikeys/db.crt --output /boot/efistub/kernel.efi
/boot/efistub/kernel.efi
sync
sbverify --cert /boot/efikeys/db.crt /boot/efistub/kernel.efi
fi
knf="`sudo readlink /vmlinuz`"
knb="`sudo basename $knf`"
cp -f /boot/efistub/kernel.efi /boot/efistub/kernel.$knb.efi
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Mint/kernel.efi
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Boot/Bootx64.efi
....

sudo rm -r /mnt/boot/efi/EFI/ubuntu
sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt

After I reboot command:

$ apt list --installed | grep grub

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

grub-common/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub-gfxpayload-lists/bionic,now 0.7 amd64 [installed]
grub-pc/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub-pc-bin/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub2-common/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub2-theme-mint/tricia,tricia,now 1.2.2 all [installed]

I also crosschecked with Synaptic and yes grub* stuff are there.

Even in /boot there is a directory named "grub".


linux22 7 months ago

Hello ismail783, I have read your message.

My answers to your questions are:

1. I think there are no obstacles for enabling Secure Boot in your configuration. I have tested the first solution (NO LVM - WITHOUT HIBERNATE) with Secure Boot on virtual machine (QEMU) and at the moment it is also working on my personal NUC6 PC. I have tested the second solution (LVM FOR HIBERNATE, your choice) with Secure Boot on virtual machine (QEMU) but not on a real PC (I do not like the Hibernation function).

2. Almost all Linux distributions support grub bootloader and use it as their default boot loader. It does not hurt your EFIStub but if you want remove it you can simply run 'synaptic' and uninstall it. Remember that the package name is grub-efi. Anyway if you have installed your system following my tutorial grub should not be installed. The command "012 #: sh -c 'ubiquity -b gtk_ui'&" in Step 2 run Ubiquity skipping the installation of the boot loader.

3. You can simply add every EFIStub .efi file, with different names, in your /boot/efi/EFI/Mint directory and run efibootmgr for every one of them. They will be bootable from your PC EFI Boot Menu clicking the right function key at start-up (see you PC user manual). Another method can be installing 'systemd-boot' package and configuring it for booting all your EFIStub .efi files. It is a very basic but reliable boot manager (here the link for its configuration at Arch Linux Wiki - https://wiki.archlinux.org/index.php/Systemd-boot).

Regards.

linux22


ismail783 7 months ago

"Linux Mint 19.X with Full Disk Encryption, directory boot included - System UEFI & HDD GPT - LVM for Hibernate function - Boot with EFI STUB loader" is working flawlessly in my system.

I have few questions though.

1. Will https://community.linuxmint.com/tutorial/view/2360 work in this system or do I need any change?
2. EFIStub seems enough for me. Why grub2 is still there? How can i completely remove grub2 from this reference system?
3. How can i flip-flop between multiple kernels using EFIStub in this reference system?