View previous topic :: View next topic |
Author |
Message |
NP_complete Tux's lil' helper
Joined: 21 Mar 2009 Posts: 135
|
Posted: Sun Oct 06, 2024 6:41 am Post subject: EFI stub+disk encryption: is initramfs really needed? |
|
|
I am following this guide to set up disk encryption, and I would like to boot from an EFI stub.
1. My main question is whether initramfs is really necessary here? As I am thinking this through, I could, simply, put the kernel (with a name ending in .efi) into the ESP partition which will be mounted by the BIOS. The kernel would have all the requisites built in and can therefore decrypt the LUKS volume and mount the btrs root file system. After this, we are basically done. Is there a gap in my logic?
2. As a closely related question, do I need a separate /boot partition containing initramfs, as described in the linked article? Assuming that I do need such a partition, how would the boot sequence proceed? First, the kernel stub is read by the BIOS, then /boot is mounted and initramfs loaded into memory to give the kernel the ability to decrypt and mount the root file system. Do we need to go back and forth between the kernel and initramfs like that?
Many thanks. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5032 Location: Bavaria
|
Posted: Sun Oct 06, 2024 9:37 am Post subject: |
|
|
Before answering your questions I would like to tell you a few things ... you maybe already know:
1. You can have an external initramfs (as a CPIO archive) or you can embedd it "into" the kernel image.
2. As soon as the kernel knows it has an initramfs, the kernel will no longer do the job of mounting the root partition, because now it is the job of the initramfs.
3. If the kernel has an initramfs the kernel will only start all statically configured modules itself and THEN switch to the intiramfs, BUT there is NO RETURN from the initramfs back to the kernel. This means: the initramfs has to do everything else what is necessary for a correct systemstart (at least: mounting the root partition and loading some kernel modules which has been configured as <M>odule and not statically).
4. The kernel would NOT be able to mount an encrypted root device ... for this you will need always (-> *) an initramfs.
5. UEFI (BIOS) is not able to start a program from an encrypted partition (because UEFI can only do SecureBoot=booting a signed image; but no decryption of an image). This means if you want start your kernel directly via UEFI (a good choice) this kernel must not be encrypted; it must reside inside the ESP and the name must have the suffix *.efi
Now to your questions:
1. Usually you will always need an initramfs when using an encrypted root partition ... (* ->) but it is not entirely true: There is a very rare solution where you need no intramfs for an encrypted root partition ... a complicated one:
https://forums.gentoo.org/viewtopic-t-1110764-highlight-.html
(I would never recommend this to a new user)
Keep in mind you have two choices to build an initramfs: You use an automated routine like dracut (or ugrd), or you create it by yourself. Maybe you want read: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Initramfs_Overview
2. No, you dont need a seperate /boot partition; you need an ESP (EfiSystemPartition) ... and you must mount this parition into your root directory to access it. Last year was a change of the mountpoint of this ESP: See more here:
https://forums.gentoo.org/viewtopic-t-1165115-highlight-.html
Maybe you want read this to get an idea of booting a (stub) kernel directly via UEFI:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Boot_kernel_via_UEFI
Now your boot process for an encrypted root partition would look like this:
1. UEFI gets the information from its own UEFI boot entries list which image.efi it must start. If this is a (stub) kernel THEN ->
2. Kernel starts and knows it has an initramfs. So after a little bit of initializing kernel handover to this initramfs.
3. The init script inside the initramfs does more work and starts at last /sbin/init from your root directory (this would do a kernel without an initramfs at last). Yes, this init will NOT return to the kernel.
4. /sbin/init is your initsystem (either OpenRC or systemd)
Keep in mind: IF you use a kernel with an external CPIO initramfs, THEN this initramfs MUST be ALSO in the ESP (best in the same directory as the kernel) AND you must have an UEFI boot entry of this kernel whith the parameter "initrd=..." (See more:https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Commandline_Parameter#Parameter:_initrd.3D ) _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5032 Location: Bavaria
|
|
Back to top |
|
|
NP_complete Tux's lil' helper
Joined: 21 Mar 2009 Posts: 135
|
Posted: Thu Oct 17, 2024 11:47 am Post subject: |
|
|
@pietinger, thank you for the great explanation! I can't apologize ENOUGH for slow response. I did get the encrypted root partition working. The article I linked to in my original post is very confusing. It must have been tailored specifically to grub. I would not recommend following it outside that scenario.
With the encrypted root partition working, there is one remaining problem. I'd like to also have a separate /home and, possibly, swap partition present. btrfs seems to support quotas, but only at the expense of performance loss. Ideally, I would like to have everything inside a single LUKS container. Except this one thread, there isn't any relevant information available. Sadly, even this thread admits that the proposed solution does not work. And I wouldn't want to use LVM because I don't need all the power.
Does this leave me with the only option of having several LUKS containers, one for each partition? Not a perfect setup since my partition scheme will be exposed.
Many thanks. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5032 Location: Bavaria
|
Posted: Thu Oct 17, 2024 5:59 pm Post subject: |
|
|
NP_complete wrote: | @pietinger, thank you for the great explanation! I can't apologize ENOUGH for slow response. |
That's really not a problem ... please don't worry ... that's why I asked.
NP_complete wrote: | Not a perfect setup since my partition scheme will be exposed. |
Unfortunately I can't help with BTRFS (as I don't use it) and as far as I know you can only hide the partition schema with LVM. But frankly: Do you think someone can draw conclusions about your data with the information: ESP+SWAP+large partition+even larger partition+also large partition? If it is known that it is a Linux installation (you can see that from the UEFI entries; what UEFI starts), then everyone knows that there is still a SWAP, and /home is possibly an extra partition ... who cares? No matter what you use, I recommend to use the swap as an extra partition (dmcrypt can easily encrypt it: with a temporary key, which is chosen randomly at every system start; and after shutdown no longer exists; i.e. it is not stored anywhere).
I wrote a (german) guide for dmcrypt encrypting the swap (please dont use the other settings for /home; just read related parts for swap):
https://forums.gentoo.org/viewtopic-p-8457358.html#8457358 _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22575
|
Posted: Thu Oct 17, 2024 7:09 pm Post subject: |
|
|
I am not a btrfs user, but my understanding is that it allows "subvolumes" so that one btrfs filesystem is logically subdivided and parts appear at different mount points. Personally, I would just take the hit of using LVM, but if you really want to avoid it, what about having 1 LUKS container that has within it 1 btrfs filesystem, and then have N btrfs subvolumes in that 1 filesystem, one subvolume for /, one for home, etc.?
I don't see hibernation (suspend-to-disk) discussed here, but it warrants at least a minor mention. If you want to use hibernation, you need a way for your swap device's encryption key to survive reboots (LUKS can do this). pietinger's suggestion of letting dmcrypt discard the key every time is great if you want to discard swap contents with every shutdown. If you need to keep the contents around, then you cannot let the key be discarded. On the positive side, this is something you can fix later. You could choose to use ephemeral swap and no hibernation today, then later decide you want to replace your ephemeral swap with a LUKS-encrypted persistent swap, so that you can begin using hibernation. Your change at that time is only to disable swap, create the LUKS container, and prepare its contents. No reinstall would be required, and your filesystems would be untouched. |
|
Back to top |
|
|
NP_complete Tux's lil' helper
Joined: 21 Mar 2009 Posts: 135
|
Posted: Mon Oct 28, 2024 7:05 am Post subject: |
|
|
Thanks to both of you. @pietinger, I did follow the section of the guide you linked to: Code: | # mkswap -L swap /dev/nvme0n1p2
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
LABEL=swap, UUID=5e5ea9ed-c00f-44ee-8836-5e0c820cdb77
# swapoff -a
# /etc/init.d/dmcrypt start
* Setting up dm-crypt mappings ...
* crypt-swap using: -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p2 ...
WARNING: Using default options for cipher (aes-cbc-plain, key size 256 bits) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash.
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
WARNING: Device /dev/nvme0n1p2 already contains a 'swap' superblock signature.
WARNING!
========
Detected device signature(s) on /dev/nvme0n1p2. Proceeding further may damage existing data.
Are you sure? (Type 'yes' in capital letters): YES [ ok ]
* pre_mount: mkswap /dev/mapper/crypt-swap ...
# /etc/init.d/dmcrypt stop
* Removing dm-crypt mappings
* crypt-swap ... | The mkswap command was necessary. Otherwise, dmcrypt could not find the partition: Code: | # /etc/init.d/dmcrypt start
* Caching service dependencies ... [ ok ]
* Setting up dm-crypt mappings ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* source "LABEL=swap" for missing, skipping... | Your guide is 100% OpenRC-based, so I am wondering how things would work in a live environment under systemd. Who, for example, would execute the mkswap? Would dmcrypt under systemd still look into /etc/conf.d/ for its config file? Not sure why, all Google search results describe exclusively OpenRC-based setups. I have a feeling that I'm missing something obvious. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5032 Location: Bavaria
|
Posted: Mon Oct 28, 2024 12:38 pm Post subject: |
|
|
NP_complete wrote: | Thanks to both of you. @pietinger, |
You are very Welcome!
NP_complete wrote: | Your guide is 100% OpenRC-based, so I am wondering how things would work in a live environment under systemd. Who, for example, would execute the mkswap? Would dmcrypt under systemd still look into /etc/conf.d/ for its config file? Not sure why, all Google search results describe exclusively OpenRC-based setups. I have a feeling that I'm missing something obvious. |
Yes, I am using only OpenRC and I cannot help with systemd. Here you would need a systemd expert (maybe open a new thread?) _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22575
|
Posted: Mon Oct 28, 2024 2:19 pm Post subject: |
|
|
I think your current configuration is wrong, and will cause you problems with every reboot.
NP_complete wrote: | The mkswap command was necessary. Otherwise, dmcrypt could not find the partition: |
It was only necessary because your configuration is wrong. You told it to find LABEL=swap. A LABEL is part of a filesystem / swap device, as appropriate, so until you ran that mkswap, there was no LABEL to find. Since you overwrote that dummy swap device with a dm-crypt device, that LABEL is now gone. I expect that on reboot, your dm-crypt mapping will fail again. You should use a PARTLABEL instead of a LABEL. A PARTLABEL can be stored in the partition table, and will survive dm-crypt overwriting the swap device. Since PARTLABEL is stored separately, you will need to use a disk management tool (such as sgdisk) to set the PARTLABEL, then you can edit /etc/conf.d/dmcrypt to use PARTLABEL instead of LABEL. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5032 Location: Bavaria
|
Posted: Mon Oct 28, 2024 2:34 pm Post subject: |
|
|
Yes, @Hu is right (as always) ... before I used this/my dmcrypt solution I did:
Code: | # parted -a optimal /dev/sda
> mklabel gpt
> unit mib
> mkpart primary 1 256
> name 1 boot
> set 1 boot on
> mkpart primary 256 4096
> name 2 swap
> mkpart primary 4096 53248
> name 3 root
...
> name 4 home
> q |
(it was before our switch from /boot to /efi as our mountpoint; today may first partition has the name "ESP" as PARTLABEL; but my swap partition has of course the name "swap" as PARTLABEL) _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
zen_desu n00b
Joined: 25 Oct 2024 Posts: 6
|
Posted: Mon Oct 28, 2024 2:48 pm Post subject: |
|
|
NP_complete wrote: | Thanks to both of you. @pietinger, I did follow the section of the guide you linked to: Code: | # mkswap -L swap /dev/nvme0n1p2
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
LABEL=swap, UUID=5e5ea9ed-c00f-44ee-8836-5e0c820cdb77
# swapoff -a
# /etc/init.d/dmcrypt start
* Setting up dm-crypt mappings ...
* crypt-swap using: -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p2 ...
WARNING: Using default options for cipher (aes-cbc-plain, key size 256 bits) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash.
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
WARNING: Device /dev/nvme0n1p2 already contains a 'swap' superblock signature.
WARNING!
========
Detected device signature(s) on /dev/nvme0n1p2. Proceeding further may damage existing data.
Are you sure? (Type 'yes' in capital letters): YES [ ok ]
* pre_mount: mkswap /dev/mapper/crypt-swap ...
# /etc/init.d/dmcrypt stop
* Removing dm-crypt mappings
* crypt-swap ... | The mkswap command was necessary. Otherwise, dmcrypt could not find the partition: Code: | # /etc/init.d/dmcrypt start
* Caching service dependencies ... [ ok ]
* Setting up dm-crypt mappings ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* waiting for source "LABEL=swap" for ...
* source "LABEL=swap" for missing, skipping... | Your guide is 100% OpenRC-based, so I am wondering how things would work in a live environment under systemd. Who, for example, would execute the mkswap? Would dmcrypt under systemd still look into /etc/conf.d/ for its config file? Not sure why, all Google search results describe exclusively OpenRC-based setups. I have a feeling that I'm missing something obvious. |
This may work, the arch wiki has info as well. With systemd you generally use crypttab to handle dm-crypt stuff.
https://wiki.gentoo.org/wiki/Swap#Activation_.28systemd.29
The FDE wiki page was mostly designed for openrc/grub usage but has some systemd info. I'd like to update it to show a plain ESP/efi stub layout, similar to the rootfs encryption page.
The rootfs encryption page has a bit more systemd info, especially concerning initramfs/bootloader considerations.
I added a section describing a simpler partitioning scheme: https://wiki.gentoo.org/wiki/Rootfs_encryption#Simple_EFI_System_Partition_Layout
If you want to use an efi stub, using "uefi-mkconfig" with the "efistub" option on installkernel may make this easier. One important aspect of setting the efistub flag on instalkernel is that it will make it install files to your ESP instead of to /boot like it would in "compat" layout mode.
If you're using dracut, systemd is a bit of a consideration because I believe it may support using your system crypttab in hostonly mode.
If you're using ugrd, systemd is also a consideration as ugrd does not use udev, so you must use the "ugrd.fs.fakeudev" module to simulate some udev actions so systemd based mounts function. _________________ µgRD dev
Wiki writer |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|