Dual booting Linux Mint
Dual boot for Linux Mint 20.X(*) with EFI STUB loader + Windows 10
Linux configured with Full System Encryption (directory /boot included)
PC with UEFI firmware & HDD with GPT partitioning scheme
UEFI Boot Manager ‘systemd-boot’ equipped with Linux Extended Boot Partition (a.k.a. XBOOTLDR)
Author: Naldi Stefano (linux22 at Mint Forum)
First Release: October 2015
Last update: 15 November 2020
(*) Works also with Ubuntu 20.04.X
Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:
Table of contents
GNU LICENSES
Disclaimer and acknowledgments
Useful links
Preface
INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, EFI STUB LOADER
Step 1 — Check your HDD and build a Linux Extended Boot Partition (a.k.a. XBOOTLDR)
Step 2 — Set up for Ubiquity configuration file ’07crypto_check_mountpoints’
Step 3 — Set up of HDD and partitions
Step 4 — Set up of the Linux FDE installation
Step 5 — Configuring the EFI STUB loader for the Linux FDE installation
Step 6 — Installing and configuring the ‘systemd-boot’ boot manager
Appendix A — Emergency tools — How to access your encrypted partition with your Live Linux
Appendix B — Emergency tools — How to reinstall EFI STUB loader after …
Appendix C — Enabling Secure Boot for both Linux FDE and Windows 10
Method α — Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform
Method β — Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories
Secure Boot check
Appendix D — Dual boot Linux Mint 20.X FDE + Windows 10 without XBOOTLDR partition
GNU Free Documentation License
Version 1.3, 3 November 2008
Dual boot for Linux Mint 20.X with EFI STUB loader + Windows 10
Linux Full System Encryption (directory /boot included)
PC with UEFI & HDD with GPT and ‘systemd-boot’ UEFI Boot Manager
Copyright (C) 2015 2016 2017 2018 2019 2020 2021 Naldi Stefano.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
You should have received a copy of the «GNU Free Documentation License» along with this document.
If not, see < https://www.gnu.org/licenses/fdl.html >.
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Dual boot for Linux Mint 20.X with EFI STUB loader + Windows 10
Linux Full System Encryption (directory /boot included)
PC with UEFI & HDD with GPT and ‘systemd-boot’ UEFI Boot Manager
Copyright (C) 2015 2016 2017 2018 2019 2020 2021 Naldi Stefano.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the «GNU General Public License» along with this program.
If not, see < https://www.gnu.org/licenses/gpl.html >.
Disclaimer and acknowledgments
I wrote this guide/tutorial with the hope that it will be useful for everyone who needs a dual boot Linux FDE (Full Disk Encryption) + Windows 10 installation. The solution reported here is EXPERIMENTAL and needs good experience with Linux and its installation. At the moment I have successfully experimented with this solution on Linux Mint 20.X Cinnamon and Mate and Ubuntu 20.04, all 64-bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.
First of all I must thank Matthew Bentley (https://bentley.link/secureboot), because his publications show very well the whole process of building and configuring a reliable EFI STUB loader for Linux systems. You can see that his solution was published on 12 May 2016, more than 4 years ago.
Another thanks goes to Michal Krenek (Mikos) for his ‘cryptboot’ software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation.
Although these two software solutions both seem to have been developed for ArchLinux distros, we can find within them the right commands and advice for almost every Linux distribution.
Useful links
• https://bentley.link/secureboot
• https://wiki.archlinux.org/index.php/EFISTUB
• https://wiki.debian.org/EFIStub
• https://kernel-team.pages.debian.net/kernel-handbook/ch-update-hooks.html
• http://www.rodsbooks.com/efi-bootloaders/efistub.html
• https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
• https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles
• https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
• https://wiki.archlinux.org/index.php/Systemd-boot
• https://bbs.archlinux.org/viewtopic.php?id=158003
• http://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
• https://systemd.io/BOOT_LOADER_SPECIFICATION/
• https://systemd.io/BOOT_LOADER_INTERFACE/
• https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/
• https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/
• https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki’s_EFI_Install_Guide/Configuring_Secure_Boot
Preface
The 4 major difficulties in dealing with Dual Boot Linux Full Disk Encryption + Windows 10 are:
— the correct configuration of the boot loader, normally GRUB, for stand-alone Linux Full Disk Encryption, especially when directory ‘/boot’ is also encrypted
— the correct configuration of the GRUB Boot Loader for dual booting with Linux Full Disk Encryption + Windows 10, especially when directory ‘/boot’ is also encrypted
— the correct configuration of the GRUB Boot Loader when used on PCs with UEFI platform and Secure Boot enabled
— the current GRUB package, used in most Linux distros, does NOT support LUKS2 on Linux Full Disk Encryption when directory ‘/boot’ is also encrypted. Recently the GRUB package has been updated for LUKS2 support and some distros are working on updating their latest builds, but the update is still problematic and LUKS2 support is guaranteed only if the --pbkdf option (Password-Based Key Derivation Function algorithm) is set to pbkdf2.
My previous solutions were developed using the GRUB Boot Loader, but every time I got a Linux Kernel update, a GRUB update, an initrd update or the weirdest update I was forced to reinvent the wheel and search for a new correct configuration of GRUB, if possible.
Finally I have found 2 new tools, very spartan, very simple and very light that solved almost every major problem that I encountered dealing with GRUB and Dual Boot with Linux Full Disk Encryption + Windows 10.
The 2 tools are EFISTUB Boot Loader and ‘systemd-boot’ UEFI Boot Manager.
The first tool is EFISTUB Boot Loader, a very simple tool that turns a Linux kernel image into an EFI executable file which can be directly launched from the PC UEFI firmware. This tool, combined with the Linux command ‘objcopy’, can build a single composite EFI file containing the Linux kernel, a text file containing the Linux kernel’s command-line parameters and the initrd.img file.
This configuration can also manage and boot LUKS2-encrypted partitions, without any limitation.
This single EFI file can be rebuilt automatically every time we get a Linux Kernel update and/or an initrd update.
The major disadvantage of EFISTUB+objcopy EFI files is their size (almost 100 MB).
In dual boot systems with Linux Full Disk Encryption + Windows 10 this problem can be overcome by using a Linux Extended Boot Partition (a.k.a. XBOOTLDR) as a container for the composite EFI files produced by the EFISTUB+objcopy tools.
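The following is an added example, not part of the original tutorial, of how a composite EFI file of this kind can be assembled with objcopy. It assumes the systemd EFI stub at the path shown and the fixed section addresses commonly documented for it; every file path is a placeholder, and the size check refuses to build when a kernel or command line would run into the next section.

```sh
#!/bin/sh
# Added example (not from the tutorial): build one composite EFI file from an
# EFI stub, os-release, kernel command line, kernel and initrd.
# ASSUMPTIONS: the stub path, the section addresses and every input path.
STUB=${STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}
OSREL=${OSREL:-/etc/os-release}

# Fixed load addresses for the embedded sections; payloads must not overlap.
VMA_OSREL=0x20000 VMA_CMDLINE=0x30000 VMA_LINUX=0x40000 VMA_INITRD=0x3000000

fsize() { echo $(( $(wc -c < "$1") )); }    # file size in bytes

# Succeeds only if each payload fits in the gap before the next section.
uki_layout_ok() {    # args: osrel_bytes cmdline_bytes kernel_bytes
    [ "$1" -le $(($VMA_CMDLINE - $VMA_OSREL)) ] &&
    [ "$2" -le $(($VMA_LINUX - $VMA_CMDLINE)) ] &&
    [ "$3" -le $(($VMA_INITRD - $VMA_LINUX)) ]
}

# Build the image. Returns 2 on a missing input, 3 if sections would overlap.
uki_build() {    # args: cmdline_file kernel initrd output
    for f in "$OSREL" "$1" "$2" "$3" "$STUB"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done
    uki_layout_ok "$(fsize "$OSREL")" "$(fsize "$1")" "$(fsize "$2")" ||
        { echo "payload too large for the fixed section layout" >&2; return 3; }
    objcopy \
        --add-section ".osrel=$OSREL" --change-section-vma ".osrel=$VMA_OSREL" \
        --add-section ".cmdline=$1"   --change-section-vma ".cmdline=$VMA_CMDLINE" \
        --add-section ".linux=$2"     --change-section-vma ".linux=$VMA_LINUX" \
        --add-section ".initrd=$3"    --change-section-vma ".initrd=$VMA_INITRD" \
        "$STUB" "$4"
}

# Usage: sh build-uki.sh build <cmdline_file> <kernel> <initrd> <output.efi>
if [ "${1:-}" = build ]; then shift; uki_build "$@"; fi
```

Because the kernel command line is embedded in the image, the resulting file has to be rebuilt whenever the kernel, the initrd or the command line changes.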
The second tool is the ‘systemd-boot’ UEFI Boot Manager. This tool is also a spartan, simple and extremely light executable EFI file. Its configuration is done with simple text configuration files.
The major disadvantage of ‘systemd-boot’ UEFI Boot Manager is the lack of adequate documentation.
Lastly, we can also sign these EFI executable files with our own Custom Secure Boot keys and run them on PC UEFI platforms with Secure Boot enabled.
I have used these tools for a while and I have never got the annoying problems encountered using GRUB.
If instead it is possible to install Windows 10 with an ESP partition size ≥ 1GB, you can choose the much simpler solution depicted in Appendix D (tutorial not yet ready).
The topic for this tutorial at the Mint Forum is:
You can download the latest version of this tutorial from my cloud storage. The zip file contains the tutorial in pdf format and a text file with all the Terminal commands listed inside it (for more reliable ‘Copy and Paste’ operations). The link to the zip file is: