From 7827c73446279b6490a745f9fe17cf4d24fc23d7 Mon Sep 17 00:00:00 2001
From: John McQuah
Date: Sat, 6 Aug 2022 10:45:22 -0400
Subject: [PATCH] 3.7 Appendix: prefer a locally-hosted url for the full-disk-encryption instructions
---
 crux-wiki/CRUX-3.7-Encrypted.txt | 159 +++++++++++++++++++++++++++++++
 crux-wiki/Handbook3-7-Appendix | 2 +-
 2 files changed, 160 insertions(+), 1 deletion(-)
 create mode 100644 crux-wiki/CRUX-3.7-Encrypted.txt
diff --git a/crux-wiki/CRUX-3.7-Encrypted.txt b/crux-wiki/CRUX-3.7-Encrypted.txt
new file mode 100644
index 0000000..4c0151d
--- /dev/null
+++ b/crux-wiki/CRUX-3.7-Encrypted.txt
@@ -0,0 +1,159 @@
+# crux-3.7.iso needs a kernel with CONFIG_CRYTPO_USER_API_SKCIPHER set for serpent cipher
+# extra packages lz4 if you choose this compression mode for the kernel
+# dracut and lvm2 needed to access the logical volumes when booting
+
+parted -s -a optimal /dev/sda \
+ mklabel gpt \
+ mkpart primary fat32 0% 500MiB \
+ name 1 esp \
+ set 1 esp on \
+ mkpart primary 500MiB 4GiB \
+ name 2 swap \
+ mkpart primary 4GiB 100% \
+ name 3 ENCRYPTED
+
+mkfs.vfat /dev/sda1
+
+cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
+mkswap -f /dev/mapper/swap
+swapon /dev/mapper/swap
+
+##### For AES Encryption
+##### cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3
+
+cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3
+
+##### The device node is now set up, but it needs a mapping to be usable as disk space
+cryptsetup luksOpen /dev/sda3 ENCRYPTED
+pvcreate /dev/mapper/ENCRYPTED
+
+##### On the newly-mapped physical volume, create the desired logical volumes
+vgcreate ENCRYPTED /dev/mapper/ENCRYPTED
+
+lvcreate -L 30G ENCRYPTED -n root
+lvcreate -L 4G ENCRYPTED -n var
+lvcreate -L 50G ENCRYPTED -n usr
+lvcreate -L 3G ENCRYPTED -n opt
+lvcreate -l 100%FREE ENCRYPTED -n home
+
+##### Format each logical volume with the desired filesystem
+##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
+mkfs.f2fs /dev/mapper/ENCRYPTED-root
+mkfs.f2fs /dev/mapper/ENCRYPTED-var
+mkfs.f2fs /dev/mapper/ENCRYPTED-usr
+mkfs.f2fs /dev/mapper/ENCRYPTED-opt
+mkfs.f2fs /dev/mapper/ENCRYPTED-home
+
+##### Mount the root FS where the CRUX installer expects it
+mount /dev/mapper/ENCRYPTED-root /mnt
+
+##### Do the same for any partitions that will be written to during CRUX installation
+mkdir /mnt/{var,usr,opt,home,boot}
+
+mount /dev/mapper/ENCRYPTED-var /mnt/var
+mount /dev/mapper/ENCRYPTED-usr /mnt/usr
+mount /dev/mapper/ENCRYPTED-opt /mnt/opt
+mount /dev/mapper/ENCRYPTED-home /mnt/home
+mount /dev/sda1 /mnt/boot
+
+setup # --> Install these extra packages (cryptsetup lvm2 syslinux dracut lz4)
+
+setup-chroot
+passwd
+localedef -i en_US -f UTF-8 en_US.UTF-8
+
+cat < /etc/fstab
+
+ /dev/mapper/ENCRYPTED-root / f2fs defaults 0 0
+ #/dev/mapper/swap swap swap defaults 0 0
+ /dev/sda1 /boot vfat defaults 0 0
+ /dev/mapper/ENCRYPTED-var /var f2fs defaults 0 0
+ /dev/mapper/ENCRYPTED-usr /usr f2fs defaults 0 0
+ /dev/mapper/ENCRYPTED-opt /opt f2fs defaults 0 0
+ /dev/mapper/ENCRYPTED-home /home f2fs defaults 0 0
+EOF
+
+##### Now write a custom initscript to handle the encrypted swap partition,
+cat < /etc/rc.d/swap
+ #!/bin/sh
+
+ PROG="/usr/sbin/cryptsetup"
+ SWAP="swap"
+ CIPH="aes-cbc-essiv:sha256"
+ PART="/dev/sda2"
+
+ case $1 in
+ start)
+ if [ -e /dev/mapper/swap ] ; then
+ if swapon --show | grep -qs partition ; then
+ exit 0
+ else
+ swapon /dev/mapper/${SWAP}
+ exit 0
+ fi
+ else
+ ${PROG} -q -c ${CIPH} -d /dev/urandom create ${SWAP} ${PART}
+ mkswap -f /dev/mapper/${SWAP}
+ swapon /dev/mapper/${SWAP}
+ exit 0
+ fi
+ ;;
+ stop)
+ swapoff -a
+ sleep 1
+ ${PROG} close /dev/mapper/${SWAP}
+ ;;
+ status)
+ swapon --show
+ ;;
+ *)
+ echo "usage: $0 [start|stop|status]"
+ ;;
+ esac
+EOF
+
+##### Make the above initscript executable, and add it to the SERVICES array
+chmod +x /etc/rc.d/swap
+
+vi /etc/rc.conf
+
+ SERVICES=(swap lo net crond)
+
+##### Continue configuring the network and building the kernel
+vi /etc/rc.d/net
+
+vi /etc/dracut.conf.d/modules.conf
+
+ add_dracutmodules+=" crypt lvm "
+
+cd /usr/src/linux-5.15.55
+make menuconfig
+make all && make modules_install
+
+##### Install the kernel, syslinux bootloader, and initramfs
+mkdir -p /boot/efi/BOOT
+cp arch/x86/boot/bzImage /boot/efi/BOOT/vmlinuz-5.15.55
+cp System.map /boot/efi/BOOT/System.map-5.15.55
+cp .config /boot/efi/BOOT/config-5.15.55
+
+dracut --kver 5.15.55
+mv /boot/initramfs-5.15.55.img /boot/efi/BOOT/
+
+cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/BOOT/bootx64.efi
+cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/efi/BOOT
+
+vi /boot/efi/BOOT/syslinux.cfg
+
+ PROMPT 1
+ TIMEOUT 10
+ DEFAULT CRUX
+
+ LABEL CRUX
+ LINUX vmlinuz-5.15.55
+ APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
+ INITRD initramfs-5.15.55.img
+
+##### Display the EFI variables to verify that the boot order has an entry for the hard disk
+efibootmgr
+
+##### Reboot, and enjoy your new CRUX installation!
diff --git a/crux-wiki/Handbook3-7-Appendix b/crux-wiki/Handbook3-7-Appendix
index a029cf2..98ab453 100644
--- a/crux-wiki/Handbook3-7-Appendix
+++ b/crux-wiki/Handbook3-7-Appendix
@@ -249,7 +249,7 @@ full-disk encryption in CRUX. But preparation for this setup begins at the partitioning stage, when you need to call commands from the '''lvm2''' and '''cryptsetup''' packages before creating and mounting your filesystems. So this section of the appendix just points to a separate document, where an
-[[https://gitlab.com/SiFuh/Documentation/-/blob/master/CRUX-3.6-Encrypted.txt | outline for installing CRUX with full-disk encryption]]
+[[CRUX-3.7-Encrypted.txt | outline for installing CRUX with full-disk encryption]]
 is given from beginning to end. Even if full-disk encryption is not your desired endpoint and you just want to learn more about highly-modular kernel configs, the need for an initramfs is easier to motivate by considering a specific use
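Review bot: The swap initscript pins `PART="/dev/sda2"` and its start action runs `${PROG} -q -c ${CIPH} -d /dev/urandom create ${SWAP} ${PART}` followed by `mkswap -f`, neither of which prompts, so if device enumeration ever shifts (an extra disk or a USB stick present at boot) the script silently overwrites whatever now sits at /dev/sda2; since the parted step already labels that partition (`name 2 swap`), `PART="/dev/disk/by-partlabel/swap"` binds it by label instead, and the earlier one-off `cryptsetup ... create swap /dev/sda2` line should use the same path. The first comment misspells the kernel option as `CONFIG_CRYTPO_USER_API_SKCIPHER`; readers will grep their .config for it, so it should read `CONFIG_CRYPTO_USER_API_SKCIPHER`. `cat < /etc/fstab` and `cat < /etc/rc.d/swap` appear to have lost their here-document redirection somewhere in transit — as shown they read the target file and leave the `EOF` lines dangling — so presumably `cat <<EOF > /etc/fstab` was intended, and if the body stays indented the ` #!/bin/sh` line written into /etc/rc.d/swap is not a valid shebang (a `<<-EOF` heredoc with tab indentation, or unindented lines, avoids that). Also worth a caveat next to the syslinux install step, since nothing in the walkthrough signs or measures the boot chain: `##### NOTE: the ESP (/dev/sda1) is unencrypted, so the bootloader, kernel and initramfs are not protected against offline tampering; only the data on /dev/sda3 is`.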