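# crux-3.7.iso needs a kernel with CONFIG_CRYPTO_USER_API_SKCIPHER set for serpent cipher
# extra packages lz4 if you choose this compression mode for the kernel
# dracut and lvm2 needed to access the logical volumes when booting
#
# Everything below runs as root from the CRUX install ISO and is destructive to
# /dev/sda: confirm the target disk before starting and adjust the device name
# if the install disk is not /dev/sda.

##### Partition the disk: ESP (1), swap (2), LUKS container for LVM (3).
##### Partition names set here are visible later as /dev/disk/by-partlabel/<name>.
parted -s -a optimal /dev/sda \
  mklabel gpt \
  mkpart primary fat32 0% 500MiB \
  name 1 esp \
  set 1 esp on \
  mkpart primary 500MiB 4GiB \
  name 2 swap \
  mkpart primary 4GiB 100% \
  name 3 ENCRYPTED

##### The ESP must be FAT32 for UEFI firmware; force it instead of relying on
##### mkfs.vfat's size-based auto-selection for a 500MiB partition.
mkfs.vfat -F 32 /dev/sda1

##### Swap is a plain dm-crypt mapping keyed from /dev/urandom: the key is never
##### stored, so swap contents are unrecoverable after every reboot (and
##### hibernate/resume cannot work with this setup). If disk enumeration is not
##### stable on this machine, use /dev/disk/by-partlabel/swap instead of /dev/sda2
##### so the random key is never written over the wrong device.
cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
mkswap -f /dev/mapper/swap
swapon /dev/mapper/swap

##### For AES Encryption
##### cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3

##### Serpent in XTS mode; -s 512 is the combined XTS key (two 256-bit halves).
##### luksFormat asks for confirmation and for the passphrase twice — choose a
##### long passphrase, it is the only thing protecting the data at rest.
cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3

##### The device node is now set up, but it needs a mapping to be usable as disk space
cryptsetup luksOpen /dev/sda3 ENCRYPTED
pvcreate /dev/mapper/ENCRYPTED

##### On the newly-mapped physical volume, create the desired logical volumes
vgcreate ENCRYPTED /dev/mapper/ENCRYPTED

lvcreate -L 30G ENCRYPTED -n root
lvcreate -L 4G ENCRYPTED -n var
lvcreate -L 50G ENCRYPTED -n usr
lvcreate -L 3G ENCRYPTED -n opt
lvcreate -l 100%FREE ENCRYPTED -n home

##### Format each logical volume with the desired filesystem
##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
mkfs.f2fs /dev/mapper/ENCRYPTED-root
mkfs.f2fs /dev/mapper/ENCRYPTED-var
mkfs.f2fs /dev/mapper/ENCRYPTED-usr
mkfs.f2fs /dev/mapper/ENCRYPTED-opt
mkfs.f2fs /dev/mapper/ENCRYPTED-home

##### Mount the root FS where the CRUX installer expects it
mount /dev/mapper/ENCRYPTED-root /mnt

##### Do the same for any partitions that will be written to during CRUX installation
mkdir /mnt/{var,usr,opt,home,boot}

mount /dev/mapper/ENCRYPTED-var /mnt/var
mount /dev/mapper/ENCRYPTED-usr /mnt/usr
mount /dev/mapper/ENCRYPTED-opt /mnt/opt
mount /dev/mapper/ENCRYPTED-home /mnt/home
##### Note: /boot lives on the unencrypted ESP, so the kernel and initramfs are
##### neither confidentiality- nor integrity-protected by the LUKS setup below.
mount /dev/sda1 /mnt/boot

setup # --> Install these extra packages (cryptsetup lvm2 syslinux dracut lz4)

setup-chroot
passwd
localedef -i en_US -f UTF-8 en_US.UTF-8

##### Quoted delimiter: nothing inside the here-document is expanded by this shell.
cat <<'EOF' > /etc/fstab

/dev/mapper/ENCRYPTED-root / f2fs defaults 0 0
#/dev/mapper/swap swap swap defaults 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/ENCRYPTED-var /var f2fs defaults 0 0
/dev/mapper/ENCRYPTED-usr /usr f2fs defaults 0 0
/dev/mapper/ENCRYPTED-opt /opt f2fs defaults 0 0
/dev/mapper/ENCRYPTED-home /home f2fs defaults 0 0
EOF

##### Now write a custom initscript to handle the encrypted swap partition.
##### The delimiter MUST be quoted ('EOF'): with a bare EOF this shell would
##### expand $1, $0, ${PROG}, ${CIPH}, ${SWAP} and ${PART} while writing the
##### file (all unset here), leaving an initscript with empty command lines.
cat <<'EOF' > /etc/rc.d/swap
#!/bin/sh
#
# /etc/rc.d/swap: set up swap on a dm-crypt mapping with a fresh random key.
# The key comes from /dev/urandom on every start, so swap is wiped on reboot.

PROG="/usr/sbin/cryptsetup"
SWAP="swap"
CIPH="aes-cbc-essiv:sha256"
PART="/dev/sda2"

case "$1" in
start)
  if [ -e "/dev/mapper/${SWAP}" ] ; then
    # Mapping already exists: only activate it if no swap partition is on yet.
    if swapon --show | grep -qs partition ; then
      exit 0
    else
      swapon "/dev/mapper/${SWAP}"
      exit 0
    fi
  else
    "${PROG}" -q -c "${CIPH}" -d /dev/urandom create "${SWAP}" "${PART}"
    mkswap -f "/dev/mapper/${SWAP}"
    swapon "/dev/mapper/${SWAP}"
    exit 0
  fi
  ;;
stop)
  swapoff -a
  sleep 1
  "${PROG}" close "/dev/mapper/${SWAP}"
  ;;
status)
  swapon --show
  ;;
*)
  echo "usage: $0 [start|stop|status]"
  ;;
esac
EOF

##### Make the above initscript executable, and add it to the SERVICES array
chmod +x /etc/rc.d/swap

vi /etc/rc.conf
# --> set the SERVICES line in /etc/rc.conf to:
# SERVICES=(swap lo net crond)

##### Continue configuring the network and building the kernel
vi /etc/rc.d/net

vi /etc/dracut.conf.d/modules.conf
# --> add this line so the initramfs can unlock LUKS and activate LVM:
# add_dracutmodules+=" crypt lvm "

##### Remember CONFIG_CRYPTO_USER_API_SKCIPHER (see top) when configuring the kernel.
cd /usr/src/linux-5.15.55
make menuconfig
make all && make modules_install

##### Install the kernel, syslinux bootloader, and initramfs
mkdir -p /boot/efi/BOOT
cp arch/x86/boot/bzImage /boot/efi/BOOT/vmlinuz-5.15.55
cp System.map /boot/efi/BOOT/System.map-5.15.55
cp .config /boot/efi/BOOT/config-5.15.55

dracut --kver 5.15.55
mv /boot/initramfs-5.15.55.img /boot/efi/BOOT/

cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/BOOT/bootx64.efi
cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/efi/BOOT

##### Bootloader config. rd.auto=1 lets dracut auto-assemble the LUKS and LVM
##### devices it finds at boot and prompt for the passphrase.
cat <<'EOF' > /boot/efi/BOOT/syslinux.cfg
PROMPT 1
TIMEOUT 10
DEFAULT CRUX

LABEL CRUX
LINUX vmlinuz-5.15.55
APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
INITRD initramfs-5.15.55.img
EOF

##### Display the EFI variables to verify that the boot order has an entry for the hard disk
efibootmgr

##### Reboot, and enjoy your new CRUX installation!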