Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] EFI-stub+systemd+crypt-swap+crypt-root+crypt-home
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
NP_complete
Tux's lil' helper
Tux's lil' helper


Joined: 21 Mar 2009
Posts: 137

PostPosted: Sun Oct 06, 2024 6:41 am    Post subject: [SOLVED] EFI-stub+systemd+crypt-swap+crypt-root+crypt-home Reply with quote

(Previous title was: "EFI stub+disk encryption: is initramfs really needed?")

I am following this guide to set up disk encryption, and I would like to boot from an EFI stub.

1. My main question is whether initramfs is really necessary here? As I am thinking this through, I could, simply, put the kernel (with a name ending in .efi) into the ESP partition which will be mounted by the BIOS. The kernel would have all the requisites built in and can therefore decrypt the LUKS volume and mount the btrs root file system. After this, we are basically done. Is there a gap in my logic?

2. As a closely related question, do I need a separate /boot partition containing initramfs, as described in the linked article? Assuming that I do need such a partition, how would the boot sequence proceed? First, the kernel stub is read by the BIOS, then /boot is mounted and initramfs loaded into memory to give the kernel the ability to decrypt and mount the root file system. Do we need to go back and forth between the kernel and initramfs like that?

Many thanks.


Last edited by NP_complete on Mon Nov 11, 2024 12:12 pm; edited 4 times in total
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5121
Location: Bavaria

PostPosted: Sun Oct 06, 2024 9:37 am    Post subject: Reply with quote

Before answering your questions I would like to tell you a few things ... you maybe already know:

1. You can have an external initramfs (as a CPIO archive) or you can embedd it "into" the kernel image.
2. As soon as the kernel knows it has an initramfs, the kernel will no longer do the job of mounting the root partition, because now it is the job of the initramfs.
3. If the kernel has an initramfs the kernel will only start all statically configured modules itself and THEN switch to the intiramfs, BUT there is NO RETURN from the initramfs back to the kernel. This means: the initramfs has to do everything else what is necessary for a correct systemstart (at least: mounting the root partition and loading some kernel modules which has been configured as <M>odule and not statically).
4. The kernel would NOT be able to mount an encrypted root device ... for this you will need always (-> *) an initramfs.
5. UEFI (BIOS) is not able to start a program from an encrypted partition (because UEFI can only do SecureBoot=booting a signed image; but no decryption of an image). This means if you want start your kernel directly via UEFI (a good choice) this kernel must not be encrypted; it must reside inside the ESP and the name must have the suffix *.efi

Now to your questions:

1. Usually you will always need an initramfs when using an encrypted root partition ... (* ->) but it is not entirely true: There is a very rare solution where you need no intramfs for an encrypted root partition ... a complicated one:
https://forums.gentoo.org/viewtopic-t-1110764-highlight-.html
(I would never recommend this to a new user)

Keep in mind you have two choices to build an initramfs: You use an automated routine like dracut (or ugrd), or you create it by yourself. Maybe you want read: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Initramfs_Overview

2. No, you dont need a seperate /boot partition; you need an ESP (EfiSystemPartition) ... and you must mount this parition into your root directory to access it. Last year was a change of the mountpoint of this ESP: See more here:
https://forums.gentoo.org/viewtopic-t-1165115-highlight-.html

Maybe you want read this to get an idea of booting a (stub) kernel directly via UEFI:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Boot_kernel_via_UEFI

Now your boot process for an encrypted root partition would look like this:
1. UEFI gets the information from its own UEFI boot entries list which image.efi it must start. If this is a (stub) kernel THEN ->
2. Kernel starts and knows it has an initramfs. So after a little bit of initializing kernel handover to this initramfs.
3. The init script inside the initramfs does more work and starts at last /sbin/init from your root directory (this would do a kernel without an initramfs at last). Yes, this init will NOT return to the kernel.
4. /sbin/init is your initsystem (either OpenRC or systemd)

Keep in mind: IF you use a kernel with an external CPIO initramfs, THEN this initramfs MUST be ALSO in the ESP (best in the same directory as the kernel) AND you must have an UEFI boot entry of this kernel whith the parameter "initrd=..." (See more:https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Commandline_Parameter#Parameter:_initrd.3D )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5121
Location: Bavaria

PostPosted: Thu Oct 17, 2024 9:35 am    Post subject: Reply with quote

NP_complete,

do you need more informations?
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
NP_complete
Tux's lil' helper
Tux's lil' helper


Joined: 21 Mar 2009
Posts: 137

PostPosted: Thu Oct 17, 2024 11:47 am    Post subject: Reply with quote

@pietinger, thank you for the great explanation! I can't apologize ENOUGH for slow response. I did get the encrypted root partition working. The article I linked to in my original post is very confusing. It must have been tailored specifically to grub. I would not recommend following it outside that scenario.

With the encrypted root partition working, there is one remaining problem. I'd like to also have a separate /home and, possibly, swap partition present. btrfs seems to support quotas, but only at the expense of performance loss. Ideally, I would like to have everything inside a single LUKS container. Except this one thread, there isn't any relevant information available. Sadly, even this thread admits that the proposed solution does not work. And I wouldn't want to use LVM because I don't need all the power.

Does this leave me with the only option of having several LUKS containers, one for each partition? Not a perfect setup since my partition scheme will be exposed.

Many thanks.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5121
Location: Bavaria

PostPosted: Thu Oct 17, 2024 5:59 pm    Post subject: Reply with quote

NP_complete wrote:
@pietinger, thank you for the great explanation! I can't apologize ENOUGH for slow response.

That's really not a problem ... please don't worry ... that's why I asked. :D

NP_complete wrote:
Not a perfect setup since my partition scheme will be exposed.

Unfortunately I can't help with BTRFS (as I don't use it) and as far as I know you can only hide the partition schema with LVM. But frankly: Do you think someone can draw conclusions about your data with the information: ESP+SWAP+large partition+even larger partition+also large partition? If it is known that it is a Linux installation (you can see that from the UEFI entries; what UEFI starts), then everyone knows that there is still a SWAP, and /home is possibly an extra partition ... who cares? No matter what you use, I recommend to use the swap as an extra partition (dmcrypt can easily encrypt it: with a temporary key, which is chosen randomly at every system start; and after shutdown no longer exists; i.e. it is not stored anywhere).

I wrote a (german) guide for dmcrypt encrypting the swap (please dont use the other settings for /home; just read related parts for swap):
https://forums.gentoo.org/viewtopic-p-8457358.html#8457358
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22694

PostPosted: Thu Oct 17, 2024 7:09 pm    Post subject: Reply with quote

I am not a btrfs user, but my understanding is that it allows "subvolumes" so that one btrfs filesystem is logically subdivided and parts appear at different mount points. Personally, I would just take the hit of using LVM, but if you really want to avoid it, what about having 1 LUKS container that has within it 1 btrfs filesystem, and then have N btrfs subvolumes in that 1 filesystem, one subvolume for /, one for home, etc.?

I don't see hibernation (suspend-to-disk) discussed here, but it warrants at least a minor mention. If you want to use hibernation, you need a way for your swap device's encryption key to survive reboots (LUKS can do this). pietinger's suggestion of letting dmcrypt discard the key every time is great if you want to discard swap contents with every shutdown. If you need to keep the contents around, then you cannot let the key be discarded. On the positive side, this is something you can fix later. You could choose to use ephemeral swap and no hibernation today, then later decide you want to replace your ephemeral swap with a LUKS-encrypted persistent swap, so that you can begin using hibernation. Your change at that time is only to disable swap, create the LUKS container, and prepare its contents. No reinstall would be required, and your filesystems would be untouched.
Back to top
View user's profile Send private message
NP_complete
Tux's lil' helper
Tux's lil' helper


Joined: 21 Mar 2009
Posts: 137

PostPosted: Mon Oct 28, 2024 7:05 am    Post subject: Reply with quote

Thanks to both of you. @pietinger, I did follow the section of the guide you linked to:
Code:
# mkswap -L swap /dev/nvme0n1p2
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
LABEL=swap, UUID=5e5ea9ed-c00f-44ee-8836-5e0c820cdb77
# swapoff -a
# /etc/init.d/dmcrypt start
 * Setting up dm-crypt mappings ...
 *   crypt-swap using:  -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p2 ...
WARNING: Using default options for cipher (aes-cbc-plain, key size 256 bits) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash.
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
WARNING: Device /dev/nvme0n1p2 already contains a 'swap' superblock signature.

WARNING!
========
Detected device signature(s) on /dev/nvme0n1p2. Proceeding further may damage existing data.

Are you sure? (Type 'yes' in capital letters): YES                                                                                                                                      [ ok ]
 *     pre_mount: mkswap /dev/mapper/crypt-swap ...
# /etc/init.d/dmcrypt stop
 * Removing dm-crypt mappings
 *   crypt-swap ...
The mkswap command was necessary. Otherwise, dmcrypt could not find the partition:
Code:
# /etc/init.d/dmcrypt start
 * Caching service dependencies ...                                                                                                                                                     [ ok ]
 * Setting up dm-crypt mappings ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * source "LABEL=swap" for  missing, skipping...
Your guide is 100% OpenRC-based, so I am wondering how things would work in a live environment under systemd. Who, for example, would execute the mkswap? Would dmcrypt under systemd still look into /etc/conf.d/ for its config file? Not sure why, all Google search results describe exclusively OpenRC-based setups. I have a feeling that I'm missing something obvious.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5121
Location: Bavaria

PostPosted: Mon Oct 28, 2024 12:38 pm    Post subject: Reply with quote

NP_complete wrote:
Thanks to both of you. @pietinger,

You are very Welcome! :D

NP_complete wrote:
Your guide is 100% OpenRC-based, so I am wondering how things would work in a live environment under systemd. Who, for example, would execute the mkswap? Would dmcrypt under systemd still look into /etc/conf.d/ for its config file? Not sure why, all Google search results describe exclusively OpenRC-based setups. I have a feeling that I'm missing something obvious.

Yes, I am using only OpenRC and I cannot help with systemd. Here you would need a systemd expert (maybe open a new thread?)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22694

PostPosted: Mon Oct 28, 2024 2:19 pm    Post subject: Reply with quote

I think your current configuration is wrong, and will cause you problems with every reboot.
NP_complete wrote:
The mkswap command was necessary. Otherwise, dmcrypt could not find the partition:

It was only necessary because your configuration is wrong. You told it to find LABEL=swap. A LABEL is part of a filesystem / swap device, as appropriate, so until you ran that mkswap, there was no LABEL to find. Since you overwrote that dummy swap device with a dm-crypt device, that LABEL is now gone. I expect that on reboot, your dm-crypt mapping will fail again. You should use a PARTLABEL instead of a LABEL. A PARTLABEL can be stored in the partition table, and will survive dm-crypt overwriting the swap device. Since PARTLABEL is stored separately, you will need to use a disk management tool (such as sgdisk) to set the PARTLABEL, then you can edit /etc/conf.d/dmcrypt to use PARTLABEL instead of LABEL.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5121
Location: Bavaria

PostPosted: Mon Oct 28, 2024 2:34 pm    Post subject: Reply with quote

Yes, @Hu is right (as always) ... before I used this/my dmcrypt solution I did:
Code:
# parted -a optimal /dev/sda
> mklabel gpt
> unit mib
> mkpart primary 1 256
> name 1 boot
> set 1 boot on
> mkpart primary 256 4096
> name 2 swap
> mkpart primary 4096 53248
> name 3 root
...
> name 4 home
> q

(it was before our switch from /boot to /efi as our mountpoint; today may first partition has the name "ESP" as PARTLABEL; but my swap partition has of course the name "swap" as PARTLABEL)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
zen_desu
n00b
n00b


Joined: 25 Oct 2024
Posts: 23

PostPosted: Mon Oct 28, 2024 2:48 pm    Post subject: Reply with quote

NP_complete wrote:
Thanks to both of you. @pietinger, I did follow the section of the guide you linked to:
Code:
# mkswap -L swap /dev/nvme0n1p2
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
LABEL=swap, UUID=5e5ea9ed-c00f-44ee-8836-5e0c820cdb77
# swapoff -a
# /etc/init.d/dmcrypt start
 * Setting up dm-crypt mappings ...
 *   crypt-swap using:  -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/nvme0n1p2 ...
WARNING: Using default options for cipher (aes-cbc-plain, key size 256 bits) that could be incompatible with older versions.
For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash.
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
WARNING: Device /dev/nvme0n1p2 already contains a 'swap' superblock signature.

WARNING!
========
Detected device signature(s) on /dev/nvme0n1p2. Proceeding further may damage existing data.

Are you sure? (Type 'yes' in capital letters): YES                                                                                                                                      [ ok ]
 *     pre_mount: mkswap /dev/mapper/crypt-swap ...
# /etc/init.d/dmcrypt stop
 * Removing dm-crypt mappings
 *   crypt-swap ...
The mkswap command was necessary. Otherwise, dmcrypt could not find the partition:
Code:
# /etc/init.d/dmcrypt start
 * Caching service dependencies ...                                                                                                                                                     [ ok ]
 * Setting up dm-crypt mappings ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * waiting for source "LABEL=swap" for ...
 * source "LABEL=swap" for  missing, skipping...
Your guide is 100% OpenRC-based, so I am wondering how things would work in a live environment under systemd. Who, for example, would execute the mkswap? Would dmcrypt under systemd still look into /etc/conf.d/ for its config file? Not sure why, all Google search results describe exclusively OpenRC-based setups. I have a feeling that I'm missing something obvious.


This may work, the arch wiki has info as well. With systemd you generally use crypttab to handle dm-crypt stuff.
https://wiki.gentoo.org/wiki/Swap#Activation_.28systemd.29

The FDE wiki page was mostly designed for openrc/grub usage but has some systemd info. I'd like to update it to show a plain ESP/efi stub layout, similar to the rootfs encryption page.
The rootfs encryption page has a bit more systemd info, especially concerning initramfs/bootloader considerations.
I added a section describing a simpler partitioning scheme: https://wiki.gentoo.org/wiki/Rootfs_encryption#Simple_EFI_System_Partition_Layout


If you want to use an efi stub, using "uefi-mkconfig" with the "efistub" option on installkernel may make this easier. One important aspect of setting the efistub flag on instalkernel is that it will make it install files to your ESP instead of to /boot like it would in "compat" layout mode.

If you're using dracut, systemd is a bit of a consideration because I believe it may support using your system crypttab in hostonly mode.
If you're using ugrd, systemd is also a consideration as ugrd does not use udev, so you must use the "ugrd.fs.fakeudev" module to simulate some udev actions so systemd based mounts function.
_________________
µgRD dev
Wiki writer
Back to top
View user's profile Send private message
NP_complete
Tux's lil' helper
Tux's lil' helper


Joined: 21 Mar 2009
Posts: 137

PostPosted: Tue Nov 05, 2024 2:10 pm    Post subject: Reply with quote

Thank you, folks, for the replies. They helped a lot. IT WORKS NOW! Pls. tell me if anything looks odd. Otherwise, someone in the future may find this useful:

Partition scheme, via parted:
Code:
Number  Start   End     Size    File system  Name  Flags
 1      1049kB  1075MB  1074MB  fat32              boot, esp
 2      1075MB  35.4GB  34.4GB               swap  swap
 3      35.4GB  89.1GB  53.7GB
 4      89.1GB  1024GB  935GB                home
Code:
# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 953.9G  0 disk 
├─nvme0n1p1 259:1    0     1G  0 part 
├─nvme0n1p2 259:2    0    32G  0 part 
│ └─swap    254:1    0    32G  0 crypt [SWAP]
├─nvme0n1p3 259:3    0    50G  0 part 
│ └─root    254:0    0    50G  0 crypt /
└─nvme0n1p4 259:4    0 870.9G  0 part 
  └─home    254:2    0 870.9G  0 crypt /home
Code:
# cat /proc/swaps
Filename            Type      Size      Used      Priority
/dev/dm-1
Code:
# cat /etc/crypttab
swap   PARTLABEL=swap   /dev/urandom   swap,cipher=aes-xts-plain64
home   PARTLABEL=home   /PATH/2/KEY-FILE-IN-ROOT-PARTITION luks
During boot, /home will be unlocked automatically IF the root partition has been unlocked.
Code:
cat /etc/fstab
# <fs>               <mountpoint>   <type>   <opts>             <dump/pass>
UUID=<...>         /efi      vfat   noauto,noatime   0 1
/dev/mapper/swap         none   swap   sw         0 0
LABEL=rootfs            /      ext4   defaults         0 1
/dev/mapper/home         /home   ext4   defaults,noatime   0 1
@zen_desu, I am using ugrd. This YouTube video of yours was helpful.

EDIT (Nov. 7):
Code:
# dmsetup -C info
Name          Maj Min Stat Open Targ Event  UUID                                             
home          254   2 L--w    1    1      0 CRYPT-LUKS2-[...]-home
root          254   0 L--w    1    1      0 CRYPT-LUKS2-[...]-root
swap          254   1 L--w    1    1      0 CRYPT-PLAIN-swap
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum