Linux with full disk encryption
Hello ehsjoar67, I have read your message.
The new configurations for Linux Mint 20 and Ubuntu 19.10 and above are ready and available for download.
Thank you for your interest.
Hello ismail783, I have read your message.
Step 3 is necessary to build a working EFI STUB loader. If you skip this step your new Linux Mint installation will not boot, because in Step 2 we had run Ubiquity skipping the installation of the boot loader.
I think «Step 3 — Configuring the EFI STUB loader for the Linux Mint FDE installation, require a lot of Terminal commands» is for kernel update stuff. If so, then is there any way we can do it after we log in to Linux Mint (with the GUI)? I mean, can we just restart after Step 2 and copy-paste the lines into `/etc/initramfs/post-update.d/objcopy_update_hook`? If so, then please add the instructions to the new tutorial.
Thanks for a great tutorial!
I tried the «Linux Mint 19.X with Full Disk Encryption, directory boot included — System UEFI & HDD GPT — LVM for Hibernate function — Boot with EFI STUB loader» on Mint 20 (beta) and most everything worked (didn’t try Secure Boot yet). Two things were different. First off, efibootmgr needs to be copied to /mnt/bin/ as it is not part of the default installation. Secondly, objcopy didn’t work with paths like /vmlinuz and /initrd.img. It works if you change them to /boot/vmlinuz and /boot/initrd.img, though.
Cheers,
// Jonas
Thanks for sharing, I couldn’t do the manipulation on my virtual machine.
As I previously said, almost all Linux distributions support the grub bootloader and use it as their default boot loader. This means that the basic grub packages are installed by default. But if your PC runs in UEFI mode it needs the package ‘grub-efi’ to work. If you search for the package grub-efi with Synaptic you can see that this package has not been installed, because the command «012 #: sh -c 'ubiquity -b gtk_ui' &» in Step 2 runs Ubiquity, skipping the installation of the boot loader.
Anyway, the grub basic packages installed by default do not hurt your EFI STUB loader and cannot install a working grub bootloader on your system.
I copy-pasted exactly what was in «Linux Mint 19.X with Full Disk Encryption, directory boot included — System UEFI & HDD GPT — LVM for Hibernate function — Boot with EFI STUB loader», including `sh -c 'ubiquity -b gtk_ui' &`. The commands are listed below:
sudo parted -s /dev/sda mklabel gpt
sudo parted -s /dev/sda mkpart ESP fat32 2048s 1050624s
sudo mkfs.vfat -F32 /dev/sda1
sudo parted -s /dev/sda set 1 boot on
sudo parted -s /dev/sda mkpart primary 1052672s 488396799s
sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks2 /dev/sda2
sudo cryptsetup luksOpen /dev/sda2 sda2_crypt
sudo pvcreate /dev/mapper/sda2_crypt
sudo vgcreate mint /dev/mapper/sda2_crypt
sudo lvcreate -L 4G mint -n swap
sudo lvcreate -l +100%FREE mint -n root
sh -c 'ubiquity -b gtk_ui' &
After this process is complete:
sudo mount /dev/mapper/mint-root /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc
sudo mount --bind /run /mnt/run
sudo mount /dev/sda1 /mnt/boot/efi
sudo chmod -R g-rwx,o-rwx /mnt/boot
echo "sda2_crypt UUID=$(sudo blkid -s UUID -o value /dev/sda2) none luks" | sudo tee -a /mnt/etc/crypttab
sudo chroot /mnt locale-gen --purge --no-archive
sudo chroot /mnt update-initramfs -u
sudo chroot /mnt mkdir /boot/efistub
sudo chroot /mnt mkdir -p /boot/efi/EFI/Boot
sudo chroot /mnt mkdir -p /boot/efi/EFI/Mint
echo "root=/dev/mapper/mint-root ro quiet splash" | sudo tee -a /mnt/boot/efistub/cmdline.txt
sudo chroot /mnt objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Mint/kernel.efi
sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Boot/Bootx64.efi
sudo chroot /mnt efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"
sudo chroot /mnt mkdir -p /etc/initramfs/post-update.d
sudo chroot /mnt touch /etc/initramfs/post-update.d/objcopy_update_hook
sudo chroot /mnt chmod +x /etc/initramfs/post-update.d/objcopy_update_hook
/mnt/etc/initramfs/post-update.d/objcopy_update_hook # while install
/etc/initramfs/post-update.d/objcopy_update_hook # after restart
.
#! /bin/sh
# Rebuild the EFI STUB image with the current kernel and initrd
objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
# Sign the image in place when Secure Boot keys are present, then verify the signature
if [ -d /boot/efikeys ]
then
    sbsign --key /boot/efikeys/db.key --cert /boot/efikeys/db.crt --output /boot/efistub/kernel.efi /boot/efistub/kernel.efi
    sync
    sbverify --cert /boot/efikeys/db.crt /boot/efistub/kernel.efi
fi
# Keep a per-kernel-version copy and refresh the two copies on the ESP
knf="$(sudo readlink /vmlinuz)"
knb="$(sudo basename "$knf")"
cp -f /boot/efistub/kernel.efi "/boot/efistub/kernel.$knb.efi"
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Mint/kernel.efi
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Boot/Bootx64.efi
.
sudo rm -r /mnt/boot/efi/EFI/ubuntu
sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt
$ apt list --installed | grep grub
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
grub-common/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub-gfxpayload-lists/bionic,now 0.7 amd64 [installed]
grub-pc/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub-pc-bin/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub2-common/bionic-updates,now 2.02-2ubuntu8.14 amd64 [installed]
grub2-theme-mint/tricia,tricia,now 1.2.2 all [installed]
I also cross-checked with Synaptic and yes, the grub* stuff is there.
Even in /boot there is a directory named «grub».
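The hook above overwrites /boot/efistub/kernel.efi and then the ESP copies unconditionally, so an objcopy failure of the kind Jonas reported (the /vmlinuz symlink missing on Mint 20, only /boot/vmlinuz present) can leave the machine with a truncated or stale boot image. The following is an added example, not the tutorial author's hook and not Mint's own code: a defensive rewrite that tries both kernel locations, builds into a temporary file, checks with objdump that all four sections actually landed in the image, signs it when /boot/efikeys exists, and only then swaps it into place and onto the ESP. The ROOT prefix variable (empty on a real system) is an assumption added so the functions can be exercised against a scratch directory; the section names, VMAs and output paths are the tutorial's.

```shell
#!/bin/sh
# Added example: a defensive variant of objcopy_update_hook.
# ROOT is an assumed prefix (unset/empty on a real system) used only so the
# functions can be tested against a scratch directory tree.

# Mint 19 has /vmlinuz and /initrd.img symlinks; newer releases may only
# carry the files under /boot. Try both and fail loudly otherwise.
resolve_image() {  # $1 = vmlinuz | initrd.img ; prints the usable path
    for p in "${ROOT:-}/$1" "${ROOT:-}/boot/$1"; do
        if [ -r "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    echo "objcopy_update_hook: $1 not found" >&2
    return 1
}

build_uki() {  # $1 = output file; same sections and VMAs as the tutorial
    kernel=$(resolve_image vmlinuz) || return 1
    initrd=$(resolve_image initrd.img) || return 1
    objcopy \
        --add-section .osrel="${ROOT:-}/etc/os-release" --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="${ROOT:-}/boot/efistub/cmdline.txt" --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$kernel" --change-section-vma .linux=0x40000 \
        --add-section .initrd="$initrd" --change-section-vma .initrd=0x3000000 \
        -S "${ROOT:-}/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$1"
}

verify_uki() {  # $1 = image; refuse an image that is missing any section
    for s in .osrel .cmdline .linux .initrd; do
        objdump -h "$1" | grep -q " $s " \
            || { echo "objcopy_update_hook: $s missing in $1" >&2; return 1; }
    done
}

install_uki() {
    out="${ROOT:-}/boot/efistub/kernel.efi"
    tmp="$out.new"
    if ! { build_uki "$tmp" && verify_uki "$tmp"; }; then
        rm -f "$tmp"      # the old, bootable kernel.efi stays untouched
        return 1
    fi
    keys="${ROOT:-}/boot/efikeys"
    if [ -d "$keys" ]; then
        sbsign --key "$keys/db.key" --cert "$keys/db.crt" --output "$tmp" "$tmp" \
            && sbverify --cert "$keys/db.crt" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$out"   # swapped in only once it is known good
    sync
    knb=$(basename "$(readlink -f "$(resolve_image vmlinuz)")")
    esp="${ROOT:-}/boot/efi/EFI"
    mkdir -p "$esp/Mint" "$esp/Boot"
    cp -f "$out" "${out%.efi}.$knb.efi"   # per-kernel-version copy, as in the tutorial
    cp -f "$out" "$esp/Mint/kernel.efi"
    cp -f "$out" "$esp/Boot/Bootx64.efi"
}

# Do the work only when executed as the hook itself (update-initramfs runs it as root).
case "${0##*/}" in objcopy_update_hook) install_uki ;; esac
```

Install it as /etc/initramfs/post-update.d/objcopy_update_hook exactly as the tutorial does; with ROOT unset the paths are the real ones. Because the ESP copies are written last, a kernel update that fails halfway leaves the previous image in EFI/Mint/kernel.efi and EFI/Boot/Bootx64.efi, and the error is visible in the update-initramfs output instead of at the next boot.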
Hello ismail783, I have read your message.
My answers to your questions are:
1. I think there are no obstacles for enabling Secure Boot in your configuration. I have tested the first solution (NO LVM — WITHOUT HIBERNATE) with Secure Boot on virtual machine (QEMU) and at the moment it is also working on my personal NUC6 PC. I have tested the second solution (LVM FOR HIBERNATE, your choice) with Secure Boot on virtual machine (QEMU) but not on a real PC (I do not like the Hibernation function).
2. Almost all Linux distributions support the grub bootloader and use it as their default boot loader. It does not hurt your EFIStub, but if you want to remove it you can simply run ‘synaptic’ and uninstall it. Remember that the package name is grub-efi. Anyway, if you have installed your system following my tutorial, grub should not be installed. The command «012 #: sh -c 'ubiquity -b gtk_ui' &» in Step 2 runs Ubiquity, skipping the installation of the boot loader.
3. You can simply add every EFIStub .efi file, with different names, to your /boot/efi/EFI/Mint directory and run efibootmgr for every one of them. They will be bootable from your PC’s EFI Boot Menu by pressing the right function key at start-up (see your PC user manual). Another method can be installing the ‘systemd-boot’ package and configuring it to boot all your EFIStub .efi files. It is a very basic but reliable boot manager (here is the link to its configuration on the Arch Linux Wiki — https://wiki.archlinux.org/index.php/Systemd-boot).
«Linux Mint 19.X with Full Disk Encryption, directory boot included — System UEFI & HDD GPT — LVM for Hibernate function — Boot with EFI STUB loader» is working flawlessly in my system.
I have a few questions though.