LinuxQuestions.org

drgibbon 08-28-2015 10:37 AM

Slackware 14.1 install with LUKS/LVM/GRUB
 
I'm installing Slackware64 14.1 on my X200 with libreboot, and I'm following the Slackware README_CRYPT.TXT instructions for disk encryption using LUKS and LVM. The setup is:
Code:

/dev/sda1 100MB /boot  (unencrypted boot partition)
/dev/sda2 240GB /    (this is a big LUKS block with LVM swap and / partitions).

Everything is fine there, but libreboot actually has GRUB loaded onto the firmware, and it looks for /boot/grub/libreboot_grub.cfg as a way to boot the system. My question is how do I generate the appropriate libreboot_grub.cfg file with
Code:

grub-mkconfig -o /boot/grub/libreboot_grub.cfg

That is, how do I tell GRUB about the kernel, initrd, LVM, and whatever else GRUB needs to boot? I've only installed Slackware with LILO/ELILO and GRUB seems pretty complicated in comparison.

orbea 08-28-2015 10:50 AM

Here are some links that might help if you took some time to read them. :)

http://www.jveweb.net/en/archives/20...ypted-lvm.html
http://blog.darknedgy.net/technology/2014/07/27/1/
http://www.funtoo.org/Rootfs_over_encrypted_lvm
http://libreboot.org/docs/gnulinux/index.html

Especially check out all the articles listed on the last link.

drgibbon 08-28-2015 07:21 PM

Thanks, but the first and second links do not deal with GRUB; the Funtoo link has something but it looks Funtoo-specific (emerge grub2 with device-mapper support? better-initramfs/genkernel/boot-update?). I have read the last links already, but they deal with encrypting the entire OS and modifying the libreboot firmware, which I do not want to do at present (actually cannot do).

What I'm after is the right way to generate /boot/grub/libreboot_grub.cfg from inside the Slackware install environment (after installing everything and doing a chroot /mnt and making the initram). I suppose trial and error will get me there eventually, but I was hoping someone might know the method for doing it.

orbea 08-29-2015 01:14 AM

The first two links deal with encrypting in Slackware; try following them up to making an initrd.gz. The Funtoo link provides an additional explanation that helps elaborate on the concept, and the last links deal with libreboot and GRUB.

You can boot with something like:
Quote:

Booting your system

At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.

Do that:
grub> cryptomount -a
grub> set root='lvm/grubcrypt-trisquel'
grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
grub> initrd /initrd.img
grub> boot

http://libreboot.org/docs/gnulinux/e..._trisquel.html

You also don't have to flash the firmware:
Quote:

1st option: don't re-flash

By default, GRUB in libreboot is configured to scan all partitions on the main storage for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg (for systems where /boot is on a dedicated partition), and then use it automatically.

Simply create your custom GRUB configuration and save it to /boot/grub/libreboot_grub.cfg on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to this configuration file. This means that you do not have to re-flash, recompile or otherwise modify libreboot at all!

Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written specifically under the assumption that it will be read and used on a libreboot system that uses GRUB as a payload. If your distribution does not do this, then you can try to add that feature yourself or politely ask someone involved with or otherwise knowledgeable about the distribution to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in a partition on the main storage.

If you want to adapt a copy of the existing libreboot GRUB configuration and use that for the libreboot_grub.cfg file, then follow #tools, #rom and #extract_testconfig to get the grubtest.cfg. Rename grubtest.cfg to libreboot_grub.cfg and save it to /boot/grub/ on the running system where it is intended to be used. Modify the file at that location however you see fit, and then stop reading this guide (the rest of this page is irrelevant to you); in libreboot_grub.cfg on disk, if you are adapting it based on grub.cfg from CBFS, then remove the check for libreboot_grub.cfg, otherwise it will loop.

This is all well and good, but what should you actually put in your GRUB configuration file? Read grub_config.html for more information.
http://libreboot.org/docs/gnulinux/g...1_dont_reflash

drgibbon 08-29-2015 03:15 AM

Yep, I had done all those steps, and I can get into the Slack system that way. But my original question was how do I generate the appropriate /boot/grub/libreboot_grub.cfg file? That is the part that I cannot get working. The problem is that I cannot get to grips with Slackware+LUKS+LVM+GRUB. I've been reading but it just doesn't make sense to me.

drgibbon 08-29-2015 10:54 PM

After a lot of playing around, I found out that this is not that hard at all. If you follow the instructions under "Combining LUKS and LVM" in the Slack docs on encryption, then at the end after you do:
Code:

chroot /mnt
$( /usr/share/mkinitrd/mkinitrd_command_generator.sh -r )

you can ignore the LILO part and instead
Code:

mkdir /boot/grub
grub-mkconfig -o /boot/grub/libreboot_grub.cfg

then edit the /boot/grub/libreboot_grub.cfg file and then just after the first echo 'Loading Linux 3.10.17 ...' change
Code:

linux /vmlinuz-huge-3.10.17 root=/dev/mapper/cryptvg-root ro

to
Code:

linux /vmlinuz-generic-3.10.17 root=/dev/mapper/cryptvg-root ro

and it should work. I was actually forgetting to put the unencrypted /boot partition in fstab during setup, and I think that was the problem. I suppose if you are running libreboot you would carry on with the FreeSlack stuff.

Btw, if you can edit your libreboot firmware grub file then you can follow their docs and probably encrypt everything, including /boot, because grub can unlock LUKS and handle LVM too.
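
As an added example (not part of the original posts), the manual edit described in the post above can be scripted and checked: the sketch rewrites only the first `linux /vmlinuz-huge-*` line, then confirms that the first entry boots a generic kernel from a /dev/mapper root and still has an initrd line. The function names and the sample file are constructed for illustration; the kernel version and `cryptvg-root` come from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Kernel version and the cryptvg-root
# mapping are the ones quoted in the post; everything else is hypothetical.

# Constructed excerpt of a grub-mkconfig result (entry titles are made up).
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Slackware (constructed sample)' {
    echo 'Loading Linux 3.10.17 ...'
    linux /vmlinuz-huge-3.10.17 root=/dev/mapper/cryptvg-root ro
    initrd /initrd.gz
}
menuentry 'Slackware recovery (constructed sample)' {
    linux /vmlinuz-huge-3.10.17 root=/dev/mapper/cryptvg-root ro single
    initrd /initrd.gz
}
EOF
}

# Rewrite only the first "linux /vmlinuz-huge-*" line; later entries stay as generated.
use_generic_kernel() {
    tmp=$(mktemp) || return 1
    awk '!swapped && $1 == "linux" && $2 ~ /^\/vmlinuz-huge-/ {
             sub(/vmlinuz-huge-/, "vmlinuz-generic-"); swapped = 1 }
         { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Succeed only if the first menuentry boots a generic kernel, passes a
# /dev/mapper root and loads an initrd.
first_entry_ok() {
    awk '$1 == "menuentry" { n++ }
         n == 1 && $1 == "linux" {
             if ($2 ~ /^\/vmlinuz-generic-/) kernel = 1
             for (i = 3; i <= NF; i++) if ($i ~ /^root=\/dev\/mapper\//) root = 1
         }
         n == 1 && $1 == "initrd" { initrd = 1 }
         END { exit !(kernel && root && initrd) }' "$1"
}

# Demo on the constructed sample; on a real system pass /boot/grub/libreboot_grub.cfg.
demo=$(mktemp)
write_sample_cfg "$demo"
use_generic_kernel "$demo" && first_entry_ok "$demo" && echo "first entry: generic kernel + initrd"
rm -f "$demo"
```

Running `first_entry_ok` again after any later `grub-mkconfig` run shows whether the regenerated file has reverted the first entry to the huge kernel.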

bsd1101 04-27-2016 01:11 AM

Have you tried full disk encryption?
 
I updated the grub.cfg within the ROM and have a fully encrypted drive. My issue now is having to enter the LUKS password twice: once on the GRUB menu and a second time during kernel boot. According to the instructions at the end here https://libreboot.org/docs/gnulinux/..._parabola.html it is possible to use a keyfile, but unless I'm misunderstanding, it's not possible on Slackware because mkinitrd requires a separate FAT partition with the file, and not one that can be stored locally.

So for this line

mkinitrd -c -k 4.4.8-smp -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sdx2 -L -K LABEL=TRAVELSTICK:/keys/alien.luks

I can't do something like

mkinitrd -c -k 4.4.8-smp -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sdx2 -L -K LABEL=root:/etc/keyfile

