Old 07-26-2022, 03:12 PM   #1
LBuhler
Howto - Hybrid UEFI/Bios legacy Slackware 15.0 LVM - LUKS2 Full Disk Encryption (USB/minimal) installation


The following guide is a practical example on how to create a Hybrid UEFI/Bios legacy Slackware 15.0 LVM - LUKS2 Full Disk Encryption (USB drive) system using a bootstrap/network (minimal optional) installation.

That's a big mouthful, so what's available with this installation:

- A bootstrap installation from an active Linux installation onto a new (USB) drive
- It will use Full Disk Encryption using Luks 2 and Grub
- There is an optional section on a multi tiered minimal Slackware installation
- It will work out of the box on legacy bios and UEFI systems

This will not generate a system that's bootable in a secure boot manner. Set secure boot to "Disabled/Other OS" to make this system start up and if you want or need to, re-enable it afterwards.

Without further ado, let's get started!

Create a directory for the Slackware bootstrap:
mkdir slackware; cd slackware
Fetch and extract Slackware's latest initrd image to acquire the minimal system:
wget https://mirrors.slackware.com/slackw...nux/initrd.img -O - | xz -dc | cpio -idmv
Set up the destination device (/dev/sdc in this case, adjust accordingly) correctly for all further intents and purposes:
echo "export DUSB=/dev/sdc" > ./root/.bashrc; source ./root/.bashrc
Double check that you've entered the correct drive, because this drive will be completely formatted!

Make sure the destination drive is not mounted at all:
umount ${DUSB}*
If you want you can wipe your drive in full, this may be beneficial to prevent old remnants interfering with the new system
dd if=/dev/zero of=${DUSB} bs=4096 status=progress
Clear the destination drive. This can be omitted if you opted for the full wipe above. Be mindful and careful that you've entered the proper disk, don't wipe your system disk by mistake!:
sgdisk -Z $DUSB
Create the necessary partition table:
sgdisk --clear \
--new 1::+45M --typecode=1:0700 --change-name=1:'Multiboot' \
--new 2::+45M --typecode=2:ef00 --change-name=2:'EFI System' \
--new 3::+10M --typecode=3:ef02 --change-name=3:'BIOS boot partition' \
--new 4::-0 --typecode=4:8300 --change-name=4:'Slackware' \
$DUSB
Reload and check the disk's partition setup:
partprobe $DUSB
gdisk -l $DUSB
Format the Bios boot and EFI partition:
mkdosfs -n MULTIBOOT ${DUSB}1
mkfs.fat -F32 ${DUSB}2
Format and encrypt the main partition for LVM:
cryptsetup -s 512 luksFormat --type luks2 --pbkdf pbkdf2 ${DUSB}4

cryptsetup luksOpen ${DUSB}4 slackpv
Configuring the physical volume (adjust the swap size to your liking):
pvcreate /dev/mapper/slackpv
vgcreate slack /dev/mapper/slackpv
lvcreate -C y -L 4GB -n swap slack
lvcreate -C n -l 100%FREE -n root slack

vgscan --mknodes

vgchange -ay

lvscan

mkswap /dev/slack/swap
Prepare for chroot:
for d in dev sys proc; do mount --bind /$d ./$d; done
cp /etc/resolv.conf ./etc/resolv.conf
And chroot into the minimal Slackware system:
chroot ./ /bin/bash
source /etc/profile
Start the Slackware setup:
setup
- Pick /dev/slack/swap for your swap space
- Pick /dev/slack/root for your root fs
- Choose install from FTP/HTTP server

Pick your favorite local mirror, I used:

ftp://ftp.nluug.nl

Fill out the proper source directory (check the url to see if it matches first):

/pub/os/Linux/distr/slackware/slackware64-15.0/slackware64

Install Slackware as you see fit. Do make sure that Grub gets installed.

[Optional minimal Slackware installation]

Some users like to have their Linux installation be as mean and lean as possible. For Slackware it's much easier to just install the main categories in full and have a system that just works out of the box. As a little side project I've set up a quick and easy way to get a minimal installation that will give you the best of both worlds. If something isn't working down the line, run slackpkg file-search <missing file> to see what package is missing and subsequently install it. So, let's go Brandon, ehm, I meant, minimal install ;-):

Only select the package series A and choose "menu" or "expert" option after that. Select only the packages that have "REQUIRED" at the end of the description and start the installation.

Open a second root console and go to the slackware directory that you created in the beginning:
cd slackware/mnt
Create the following base installation file (feel free to add to these packages if you like):
echo "# base
a: bzip2 cpio cryptsetup dbus dialog dosfstools elogind exfatprogs file findutils floppy gawk gettext glibc-zoneinfo gpm gptfdisk grub hwdata infozip kernel-generic logrotate lzip lvm mkinitrd mlocate patch sdparm smartmontools sysklogd usb_modeswitch usbutils which
# necessary apps
ap: diffutils dmidecode groff man-db man-pages nano slackpkg
# development
d: perl m4
# libraries
l: ncurses libunistring
# networking
n: ca-certificates dhcp gnupg iproute2 libmnl iputils libtirpc net-tools network-scripts ntp openssh openssl wget-" > slackware-minimal.txt
Create this perl script to download the listed packages (adjust the mirror to suit your needs):
echo '#!/usr/bin/perl -w

# Enter your Slackware mirror of choice below
$mirror = "https://ftp.nluug.nl/os/Linux/distr/slackware/slackware64-15.0/slackware64/";
mkdir "smi";

($_ = qx|cat slackware-minimal.txt|) =~ s/^#.*\n//mg;
for (split(/\n/, $_)){
@fetch = split(/\ /, $_);
($cat = shift @fetch) =~ s/://;
system "wget -r -l1 -np -nd \"$mirror$cat/\" -A \"$_*.txz\" -P ./smi" for @fetch;
}' > smi.pl
Make this script executable:
chmod +x smi.pl
And start it up:
./smi.pl
Once the Slackware installer is done with its software and minimal configuration (do not exit it yet!), chroot into the newly installed system and let's supplement the installation with the downloaded packages (make sure you are still in the "slackware" directory):
cd ..
cp -L ./root/.bashrc ./mnt/root/
cp /etc/resolv.conf ./mnt/etc/resolv.conf
cp /etc/resolv.conf ./mnt/etc/resolv.conf2
chroot ./mnt /bin/bash
source /etc/profile
And install the packages:
installpkg ./smi/*.txz
Remove the files we just created/fetched:
rm -rf smi* slackware-minimal.txt
Return to the regular Slackware installation program and choose "CONFIGURE" to reconfigure your Linux system after those packages were installed.

It's possible to get slackpkg up and update the system to the latest packages right away:
cp /etc/resolv.conf2 /etc/resolv.conf
nano /etc/slackpkg/mirrors
Uncomment your favorite mirror, save and exit, run:
slackpkg update
Upgrade the packages to the latest iterations:
slackpkg upgrade-all
If you want Network Manager functional in one go, run:
slackpkg install NetworkManager nss libndp libgio glib2 icu4c nghttp2 sasl sqlite brotli
For more portability (Wi-Fi, full hardware support), this can be a USB drive installation after all, run:
slackpkg install wpa_supplicant wireless_tools libnl3 newt pcre2 kernel-huge
The NetworkManager applet in XFCE to connect to a wireless network will not prompt you for a password after clicking on the desired network with this basic installation. Right click on the applet and hit "edit connections", edit the Wi-Fi network you picked and after that fill out the password under the "Wi-Fi Security" tab.

For a minimal X installation with XFCE to top it off (qt, kde and plasma items can be deselected):
slackpkg install GConf Greybird ModemManager NetworkManager acl adwaita-icon-theme alsa-lib alsa-oss alsa-plugins at-spi2-atk at-spi2-core atk attr audiofile bash bin boost brotli bzip2 cairo coreutils cpio cups cups-filters cyrus-sasl dbus dbus-glib dbus-python dconf dconf-editor dcron dejavu-fonts-ttf desktop-file-utils devs dialog diffutils dmidecode dosfstools e2fsprogs egl-wayland elementary-xfce elogind etc eudev exfatprogs exo flac floppy font-alias font-misc-misc fontconfig freetype fribidi fuse fuse3 garcon gawk gcr gdk-pixbuf2 gdk-pixbuf2-xlib gegl gettext giflib glib glib-networking glib2 glibc glibc-i18n glibc-profile gnome-keyring gnome-themes-extra gnupg gnupg2 gnutls gptfdisk graphene graphite2 grep groff grub gsettings-desktop-schemas gtk+ gtk+2 gtk+3 gtk4 gtksourceview3 gtkspell gvfs gzip harfbuzz hicolor-icon-theme hostname hwdata iceauth icu4c infozip iproute2 iso-codes itstool jansson json-glib json-glib kernel-generic kernel-modules keybinder3 keyutils libICE libSM libX11 libXau libXaw libXcomposite libXcursor libXdamage libXdmcp libXext libXfixes libXfont2 libXft libXi libXinerama libXmu libXpm libXpresent libXrandr libXrender libXres libXt libXtst libXxf86vm libassuan libasyncns libdbusmenu libdbusmenu-qt libdrm libepoxy libevdev libexif libfontenc libgcrypt libglvnd libgnome-keyring libgpg-error libgphoto2 libinput libjpeg-turbo libmng libmnl libndp libnma libnotify libogg libpciaccess libpng libproxy librsvg libsecret libsndfile libsoup libtheora libtiff libtirpc libunistring libusb libusb-compat libvorbis libwacom libwebp libwnck libwnck3 libxcb libxfce4ui libxfce4util libxkbcommon libxkbfile libxklavier libxml2 libxshmfence libxslt libzip linuxdoc-tools lm_sensors logrotate lvm2 lz4 lzip m4 man-db man-pages mesa mkfontscale mlocate mousepad mozilla-nss mtdev nano nettle network-manager-applet network-scripts nghttp2 npth nss-pam-ldapd ntp openssh opus opus-tools orc p11-kit pam pango patch pavucontrol perl pixman pkgtools polkit polkit-gnome procps-ng pulseaudio rxvt-unicode sbc sdl sdparm sed setxkbmap shared-mime-info sharutils slackpkg smartmontools sound-theme-freedesktop speex speexdsp sqlite startup-notification sysvinit-scripts tango-icon-theme tango-icon-theme-extras tar texinfo upower utempter utf8proc util-linux vte wavpack wayland wayland-protocols x11-skel xauth xcb-util xcb-util-cursor xcb-util-errors xcb-util-image xcb-util-keysyms xcb-util-renderutil xcb-util-wm xf86-input-evdev xf86-input-libinput xfce xinit xkbcomp xkbevd xkeyboard-config xorg-server xorg-server-xephyr xorg-server-xnest xorg-server-xvfb xorg-server-xwayland xorgproto xrdb xtrans zlib
To get the audiomixer working in XFCE (pavucontrol) right off the bat, run:
slackpkg install gtkmm3 atkmm glibmm pangomm cairomm libsigc libcanberra
Reconfigure your system one last time (in the main installation console) after installing these packages and move resolv.conf2 over:
mv /etc/resolv.conf2 /etc/resolv.conf
[/Optional minimal Slackware installation]

Complete the setup without installing the (E)LILO bootloader. Upon exit select to *not* reboot and drop back to the root shell.

Exit the initial chroot environment and chroot into the new installation (skip this and jump to crypt key file creation if you opted for the optional minimal installation):
exit
cp /etc/resolv.conf ./mnt/etc/resolv.conf
cp -L ./root/.bashrc ./mnt/root/
chroot ./mnt /bin/bash
source /etc/profile
Set up and add a key file to cryptsetup for unlocking the drive during boot:
dd bs=512 count=4 if=/dev/urandom of=/rei.key
cryptsetup luksAddKey ${DUSB}4 /rei.key
chmod 000 /rei.key
Patch initrd to allow the key to become integrated into the initrd file:
mkdir /tmp/initrd-tree
tar xpzf /usr/share/mkinitrd/initrd-tree.tar.gz -C /tmp/initrd-tree
cd /tmp/initrd-tree
wget https://gitlab.com/slackernetuk/slac...d_by_grub.diff
patch init < key_file_in_the_initrd_and_drive_unlocked_by_grub.diff
mv /rei.key ./

tar cpzf /usr/share/mkinitrd/initrd-tree.tar.gz *

cd /
Create a new initrd, capable of unlocking the drive with the generated keyfile:
mkinitrd -c -k $(perl -e '(qx|ls /boot/vmlinuz-*|)[-1] =~/^.*-(\d\.\d+\.\d+).*$/; print $1;') -f ext4 -C "UUID=$(blkid -s UUID -o value ${DUSB}4)" -r /dev/slack/root -L -K /rei.key -h /dev/slack/swap -m usb-storage:xhci-hcd:xhci-pci:ohci-pci:ehci-pci:uhci-hcd:ehci-hcd:hid:usbhid:i2c-hid:hid_generic:hid-asus:hid-cherry:hid-logitech:hid-logitech-dj:hid-logitech-hidpp:hid-lenovo:hid-microsoft:hid_multitouch:jbd2:mbcache:crc32c_intel:crc32c_generic:ext4 -u -o /boot/initrd.gz
Add "-w 10" to the command above if you are installing this to a USB-drive

[Sidenote]

I find it convenient to have the command above in a file like initrd.sh and making it executable:
printf "mkinitrd -c -k $(perl -e '(qx|ls /boot/vmlinuz-*|)[-1] =~/^.*-(\d\.\d+\.\d+).*$/; print $1;') -f ext4 -C "UUID=$(blkid -s UUID -o value ${DUSB}4)" -r /dev/slack/root -L -K /rei.key -h /dev/slack/swap -m usb-storage:xhci-hcd:xhci-pci:ohci-pci:ehci-pci:uhci-hcd:ehci-hcd:hid:usbhid:i2c-hid:hid_generic:hid-asus:hid-cherry:hid-logitech:hid-logitech-dj:hid-logitech-hidpp:hid-lenovo:hid-microsoft:hid_multitouch:jbd2:mbcache:crc32c_intel:crc32c_generic:ext4 -u -o /boot/initrd.gz" > /root/initrd.sh

nano /root/initrd.sh
Change the kernel version back to the perl command to obtain the latest kernel version:

for instance "5.15.38" becomes "$(perl -e '(qx|ls /boot/vmlinuz-*|)[-1] =~/^.*-(\d\.\d+\.\d+).*$/; print $1;')"
chmod +x /root/initrd.sh
Run that command manually or through that file. You should have a properly set up initial ramdisk now.

After a kernel upgrade on the system you only have to run this command below. This is an example, don't run the grub command just yet!:
/root/initrd.sh; grub-mkconfig -o /boot/grub/grub.cfg
[/Sidenote]

Edit /etc/default/grub and make the following changes, cryptdevice UUID comes from ${DUSB}4 (run: 'blkid -s UUID -o value ${DUSB}4' to get it):

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx:slackpv root=/dev/slack/root cryptkey=/rei.key resume=/dev/slack/swap"
GRUB_ENABLE_CRYPTODISK=y

If you are installing to a USB-drive, add this line:

GRUB_DISABLE_OS_PROBER=true

Uncomment to disable graphical terminal (needed for legacy bios grub loading the OS' grub.cfg without messing up the screen/fonts)

GRUB_TERMINAL=console

Generate the grub config file to boot the Slackware system
grub-mkconfig -o /boot/grub/grub.cfg
The last bit of this installation is setting up grub for efi and legacy boot.

Let's start by mounting the multiboot partition:
mkdir /media/boot/
mount ${DUSB}1 /media/boot
Create the necessary subdirectories:
mkdir -p /media/boot/boot/grub
mkdir -p /media/boot/EFI/BOOT
Next let's mount the efi partition:
mkdir /boot/efi
mount ${DUSB}2 /boot/efi
Create the necessary subdirectories:
mkdir -p /boot/efi/EFI/BOOT
cd /boot/efi/EFI/BOOT
Add a simple grub.cfg config file that hooks onto the main grub.cfg file and create the grub efi image:
printf "cryptomount -u $(perl -e '$_ = qx|blkid -s UUID -o value \${DUSB}4|; s/-//g; print;')\nconfigfile (lvm/slack-root)/boot/grub/grub.cfg\n" > /media/boot/boot/grub/grub.cfg

/usr/bin/grub-mkimage --format=x86_64-efi -p /efi/boot -c /media/boot/boot/grub/grub.cfg --output=bootx64.efi --compression=xz part_gpt part_msdos fat f2fs ext2 hfs hfsplus iso9660 udf ufs1 ufs2 zfs chain linux boot appleldr configfile normal regexp minicmd reboot halt search search_fs_file search_fs_uuid search_label efi_gop efi_uga all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help ls png jpeg tga test at_keyboard usb_keyboard zstd luks luks2 cryptodisk lvm gcry_sha256 gcry_sha512 gcry_rijndael
Copy the grub image to the multiboot partition:
cp bootx64.efi /media/boot/EFI/BOOT
Installation for bios legacy boot:
grub-install --target=i386-pc \
--root-directory=/media/boot \
--boot-directory=/media/boot/boot \
--modules="part_gpt part_msdos fat f2fs ext2 hfs hfsplus iso9660 udf ufs1 ufs2 zfs chain linux boot configfile normal regexp minicmd reboot halt search search_fs_file search_fs_uuid search_label all_video gzio echo true probe loadenv bitmap_scale font cat help ls png jpeg tga test at_keyboard usb_keyboard zstd luks luks2 cryptodisk lvm gcry_sha256 gcry_sha512 gcry_rijndael" \
${DUSB}
We're pretty much done now:
cd /
umount /media/boot
umount /boot/efi
Exit the chroot and start cleaning up:
exit
umount ./dev ./mnt/dev ./sys ./mnt/sys ./proc ./mnt/proc
Reboot and give your new system a whirl!

Don't forget the cleanup afterwards (as root and after cd'ing to the proper directory), run:
rm -rf slackware
After all of this you should have a robust hybrid BIOS/Legacy and UEFI Slackware installation up and running on this (USB) drive. Reboot your system and enjoy.

This guide wouldn't have been possible without these amazing posts/guides:
- https://blog.heckel.io/2017/05/28/cr...e-linux-system
- https://gitlab.com/slackernetuk/slac.../luks-full.txt
- https://www.normalesup.org/~george/c...ub_hybrid.html

Further references:
- https://www.linuxquestions.org/quest...sb-4175663008/
- https://www.gnu.org/software/grub/ma...iguration.html
- https://bbs.archlinux.org/viewtopic.php?id=268460

Last edited by LBuhler; 07-27-2022 at 06:40 AM.
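
Added example, not part of the original post: the guide writes the LUKS UUID of ${DUSB}4 in two formats, dashed in GRUB_CMDLINE_LINUX (cryptdevice=UUID=...) and with the dashes removed in the stub grub.cfg (cryptomount -u ...), and a mismatch between them only shows up at boot. The sketch below cross-checks both against the blkid value; the function names and the sample UUID are constructed for illustration.

```sh
#!/bin/sh
# Cross-check the UUID written to /etc/default/grub and to the stub grub.cfg.
# Function names are hypothetical; the SAMPLE_* values are constructed.

SAMPLE_UUID='3f2a9c1e-5b7d-4e60-8a11-0c9d2e4f6b73'
SAMPLE_DEFAULT='GRUB_CMDLINE_LINUX="cryptdevice=UUID=3f2a9c1e-5b7d-4e60-8a11-0c9d2e4f6b73:slackpv root=/dev/slack/root cryptkey=/rei.key resume=/dev/slack/swap"
GRUB_ENABLE_CRYPTODISK=y'
SAMPLE_STUB='cryptomount -u 3f2a9c1e5b7d4e608a110c9d2e4f6b73
configfile (lvm/slack-root)/boot/grub/grub.cfg'

# Dashed UUID from the cryptdevice= argument of GRUB_CMDLINE_LINUX.
cmdline_uuid() {
    printf '%s\n' "$1" |
        sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=\([^: "]*\):.*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Undashed UUID from the "cryptomount -u" line of the stub grub.cfg.
stub_uuid() {
    printf '%s\n' "$1" |
        sed -n 's/^cryptomount -u[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# check_boot_config DEFAULT_GRUB_TEXT STUB_CFG_TEXT BLKID_UUID
# Prints one line per problem and returns the number of problems found.
check_boot_config() {
    problems=0
    dashed=$(cmdline_uuid "$1")
    plain=$(stub_uuid "$2")
    disk=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    want_plain=$(printf '%s' "$disk" | tr -d '-')
    if ! printf '%s\n' "$dashed" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "cryptdevice=UUID= is missing or still a placeholder: '$dashed'"
        problems=$((problems + 1))
    elif [ "$dashed" != "$disk" ]; then
        echo "cryptdevice UUID $dashed does not match blkid UUID $disk"
        problems=$((problems + 1))
    fi
    if [ "$plain" != "$want_plain" ]; then
        echo "cryptomount -u '$plain' is not the blkid UUID without dashes"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$1" | grep -q '^GRUB_ENABLE_CRYPTODISK=y'; then
        echo "GRUB_ENABLE_CRYPTODISK=y is not set"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on the constructed sample.
check_boot_config "$SAMPLE_DEFAULT" "$SAMPLE_STUB" "$SAMPLE_UUID" && echo "boot config consistent"
```

Inside the chroot, before unmounting the multiboot partition, the real inputs would be "$(cat /etc/default/grub)", "$(cat /media/boot/boot/grub/grub.cfg)" and "$(blkid -s UUID -o value ${DUSB}4)".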
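
Added example, not part of the original post: the guide formats the container with --pbkdf pbkdf2 but adds the key file with a plain luksAddKey. As background that the post does not state, GRUB 2.06 (the release in Slackware 15.0) can only unlock LUKS2 keyslots that use PBKDF2, so at least the passphrase slot has to stay pbkdf2. The sketch below reads `cryptsetup luksDump` text and reports the PBKDF per keyslot; the function names are hypothetical and the sample dump is constructed and trimmed.

```sh
#!/bin/sh
# Report the PBKDF of each LUKS2 keyslot from `cryptsetup luksDump` text.
# Function names are hypothetical; SAMPLE_DUMP is constructed and trimmed.

SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# keyslot_pbkdfs DUMP_TEXT -> one "<slot> <pbkdf>" line per keyslot.
# Only the "Keyslots:" section is read; "Digests:" also contains "0: pbkdf2".
keyslot_pbkdfs() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/        { in_slots = ($1 == "Keyslots:"); next }
        !in_slots        { next }
        $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:$/, "", slot); next }
        $1 == "PBKDF:"   { print slot, $2 }'
}

# grub_usable_slots DUMP_TEXT -> space-separated keyslots that use pbkdf2.
grub_usable_slots() {
    keyslot_pbkdfs "$1" |
        awk '$2 == "pbkdf2" { printf "%s%s", sep, $1; sep = " " }'
}

# audit_keyslots DUMP_TEXT -> 0 if at least one keyslot is pbkdf2, else 1.
audit_keyslots() {
    usable=$(grub_usable_slots "$1")
    keyslot_pbkdfs "$1" | while read -r slot kdf; do
        case $kdf in
            pbkdf2) echo "keyslot $slot: $kdf (GRUB can try this slot)" ;;
            *)      echo "keyslot $slot: $kdf (initrd/cryptsetup only)" ;;
        esac
    done
    [ -n "$usable" ]
}

# Demo on the constructed sample.
audit_keyslots "$SAMPLE_DUMP" || echo "no pbkdf2 keyslot: GRUB cannot unlock"
```

On the real device the input would be "$(cryptsetup luksDump ${DUSB}4)", run after the luksAddKey step.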
 
  

