Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2.0

linux22
Level 1
Posts: 45
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X, 19.X and 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello questionbot, if you have installed my FDE tutorial 2438 PC UEFI + HDD GPT + EFI STUB + tutorial 2496 (ex 2360, Secure Boot) you can do these tests:

1) Temporary disable Secure Boot and try to boot your system.

2) If your system boots normally with Secure Boot disabled, check that you have correctly installed the following file:
"/etc/initramfs/post-update.d/objcopy_update_hook".
The file should contain the commands listed in the example reported at the end of Step 3 of my tutorial 2438. Remember that the file content should be different if you have installed Linux Mint 20 or previous Linux Mint versions!

3) Check that your "/boot/efikeys" directory has been populated with all your Secure Boot own Custom keys.

4) PAY ATTENTION that the command "objcopy" inside file "/etc/initramfs/post-update.d/objcopy_update_hook" is correctly formatted (no LF inside the command)!!!

5) Launch this command: "sudo /etc/initramfs/post-update.d/objcopy_update_hook", then check that it ends without error. This command builds a new copy of your kernel.efi and bootx64.efi files (these files are built from your latest vmlinuz, initrd.img and boot/efistub/cmdline.txt files). When the command ends you should see a message like "Signature verification OK", or something like that.

6) Now try to reboot your PC. If it boots correctly, re-enable Secure Boot and try to reboot your PC again. If it boots correctly your system is OK.


Remember to check the correct update of your kernel.efi and bootx64.efi files at every kernel and/or initrd update/upgrade!!!


Please keep me informed about your progress.

Regards.

linux22
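The checks in steps 2), 3) and 4) above can be scripted so they are repeated after every kernel or initrd update. The script below is an added example, not the tutorial's own hook or any code from this thread: it only reads the hook and the key directory and reports problems. The hook path and /boot/efikeys/db.key, db.crt are the paths named in this thread; the requirement that the objcopy line carry .cmdline=, .linux= and .initrd= sections is an assumption about what a unified EFI STUB image needs, because the tutorial's exact objcopy command is not quoted here.

```shell
#!/bin/sh
# Added example, not part of tutorial 2438 or this thread. Read-only sanity check for:
#  - step 2)/4): the objcopy update hook exists, is executable, and holds exactly one
#    objcopy command written on a single line (an LF inside the argument list splits it);
#  - step 3): /boot/efikeys holds the db key pair used to sign kernel.efi and modules.
# The section names .cmdline= .linux= .initrd= are an assumption about the unified image.

HOOK=${HOOK:-/etc/initramfs/post-update.d/objcopy_update_hook}
EFIKEYS=${EFIKEYS:-/boot/efikeys}

# Return 0 when FILE contains one well-formed, single-line objcopy command.
check_objcopy_hook() {
    file=$1
    [ -f "$file" ] || { echo "missing hook: $file"; return 1; }
    [ -x "$file" ] || { echo "hook is not executable: $file"; return 1; }
    # grep -c prints 0 (and exits 1) when nothing matches, so keep the count either way
    count=$(grep -c '^[[:space:]]*objcopy' "$file" || true)
    [ "$count" -eq 1 ] || { echo "expected one objcopy command, found $count"; return 1; }
    line=$(grep '^[[:space:]]*objcopy' "$file")
    case $line in
        *\\) echo "objcopy command is continued on the next line"; return 1 ;;
    esac
    # if an LF split the command, the objcopy line will be missing some sections
    for sec in .cmdline= .linux= .initrd=; do
        case $line in
            *"$sec"*) ;;
            *) echo "objcopy line lacks --add-section $sec (command split by an LF?)"; return 1 ;;
        esac
    done
    echo "objcopy hook OK"
    return 0
}

# Return 0 when DIR holds a non-empty db.key and db.crt and the private key is not
# world-readable (the key that signs your boot image must stay private).
check_efikeys() {
    dir=$1
    for f in db.key db.crt; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; return 1; }
    done
    if find "$dir/db.key" -perm -o+r | grep -q .; then
        echo "db.key in $dir is world-readable"
        return 1
    fi
    echo "efikeys OK"
    return 0
}

# Usage: sudo sh check_efistub.sh --check   (HOOK= and EFIKEYS= override the paths)
if [ "$#" -gt 0 ] && [ "$1" = "--check" ]; then
    check_objcopy_hook "$HOOK"
    check_efikeys "$EFIKEYS"
fi
```

Run it with `--check` after step 5) and again after each kernel upgrade; a non-zero exit from either function is the cue to inspect the hook before rebooting with Secure Boot enabled.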
questionbot
Level 1
Posts: 5
Joined: Thu Aug 20, 2020 9:20 pm

Re: Mint 17.X, 18.X, 19.X and 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by questionbot »

Thanks... I was more just letting you know. I went back to Void Linux already. My Mint test was not positive.
dobp
Level 1
Posts: 11
Joined: Thu Sep 26, 2019 1:32 pm

Re: Mint 17.X, 18.X, 19.X and 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by dobp »

linux22 wrote:
Sun Aug 16, 2020 10:39 am
Hello dobp. I have read your message and, as you said in your EDIT note, the problems with GRUB are the most important reason why I have switched to EFI STUB. In my past tutorials concerning Linux FDE I was always dealing with GRUB with great difficulties. So when I switched to UEFI I found an alternative to bypass GRUB and boot Linux with a simple and reliable new method, EFI STUB. You can try this new method also on a PC with dual boot W10+Linux, but your PC UEFI Boot Manager must be able to deal with many boot .efi files. Most PCs with UEFI firmware have a Boot Manager that can be started by pressing an Fn key at start-up (typically F8, F10, F12 etc.). Once the Boot Manager Fn key is pressed at boot-up, the system loads a list of all bootable .efi images found in the EFI boot partition. You can then select Mint or W10 and press Enter to start the selected OS.

About the error you get after updating GRUB, I do not know how to solve your problem. If you have installed Linux Mint FDE using my old tutorial (Dual Boot) I have no clue about the error you get. Anyway you can try to sign your kernel image with your own Custom keys using the 'sbsign' command, and all your kernel modules using the 'scripts/sign-file' script, but I cannot say if that will work correctly.

UPDATE:

You can read more about signing Linux kernel & modules for Secure Boot at the following links:

- https://wiki.debian.org/SecureBoot

- https://ubuntu.com/blog/how-to-sign-thi ... ecure-boot

- https://wiki.gentoo.org/wiki/Signed_ker ... le_support


The first one is very interesting, especially the paragraph "Secure Boot limitations"!


Regards.

linux22
Hello linux22,

Thank you very much for your kind support as always. I have not addressed the issue yet, although I still plan to do it (try to fix the current error when SB is enabled). I will keep you posted here.

Regards,
dobp
linux22
Level 1
Posts: 45
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X, 19.X and 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello dobp, I have read your last post. At the moment I am working on a new solution for Dual Boot Windows 10 + Linux Mint FDE.

As explained in my tutorial at https://community.linuxmint.com/tutorial/view/2191 the new solution will be:

Dual boot for Windows 10 + Linux Mint 20.X with EFI STUB loader
Linux Full System Encryption (directory /boot included)
PC with UEFI & HDD with GPT and Boot Manager ‘systemd-boot’
Solution using the Linux Extended Boot Partition (a.k.a. XBOOTLDR)


Release by the end of November 2020

When using the EFISTUB+objcopy tools you get an .efi executable, containing kernel (with modules)+initrd+kernel's command-line parameters, that can be signed for Secure Boot in a single shot.

Regards.

linux22
linux22
Level 1
Posts: 45
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by linux22 »

Hi folks, the tutorials "Linux Mint with Full Disk Encryption, directory /boot included - PC UEFI & HDD GPT - Booting with EFI STUB loader" have been updated today. This release includes "Appendix F (Experimental) - How to enable LUKS AutoUnlock via TPM 2.0". This configuration works similarly to Windows BitLocker. Once correctly configured, the unlocking of your Linux FDE system is performed at boot-up by the TPM module of your PC, which releases the key for automatic unlock of the root LUKS partition, performed by the initramfs scripts.
See details at:
https://community.linuxmint.com/tutorial/view/2438
throwaway_5521
Level 1
Posts: 1
Joined: Tue Feb 23, 2021 12:52 am

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by throwaway_5521 »

Hey, sorry for bumping a slightly old thread.

I would like to thank the OP (linux22) for giving us instructions on how to do FDE and Secure Boot activation in Linux Mint.

However, is there a method to sign NVIDIA/Radeon drivers using the keys/certificates that I created when setting up Secure Boot on some laptops, without relying on shim/MOK? And if possible, could you include that in your own guide, linux22?

Once again, thanks for the guide.
linux22
Level 1
Posts: 45
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by linux22 »

Hello throwaway_5521, I have read your message. I cannot test the installation of NVIDIA drivers on my systems because I do not have any PC with an NVIDIA card installed.

Anyway I have done some searches and I have found some interesting NVIDIA documents concerning the installation of NVIDIA Linux drivers and how to sign them with your own custom keys.

Below I leave 2 links from nvidia.com named "Installing the NVIDIA Driver" and "Listing of Installed Components". Pay attention to the paragraph "Signing the NVIDIA Kernel Module" within the first document (see link 1 below), where you can find the correct procedure for signing NVIDIA kernel modules during the installation process.

1) https://download.nvidia.com/XFree86/Lin ... river.html
2) https://download.nvidia.com/XFree86/Lin ... nents.html

If that procedure does not work you can do a manual signing of your NVIDIA kernel modules (i.e. nvidia.ko and others) following the instructions listed in post 66 of this topic and the tips reported within the second document (see link 2 above).

The manual signing will be something like this:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /boot/efikeys/db.key /boot/efikeys/db.crt /lib/modules/$(uname -r)/pathtonvidiadrivers/nvidia.ko

where the correct 'pathtonvidiadrivers' is the directory where the NVIDIA kernel drivers of your Linux system are located!!!

Please keep me informed about your progress.

Regards.

linux22
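After running scripts/sign-file as shown in the post above, it is worth confirming that the module really carries an appended signature before rebooting with Secure Boot enabled. The script below is an added example, not code from this thread or from the NVIDIA documents linked above. It parses the trailer that sign-file appends to a module: the kernel's struct module_signature (12 bytes: algo, hash, id_type, signer_len, key_id_len, 3 padding bytes, a big-endian 32-bit sig_len) followed by the 28-byte marker "~Module signature appended~\n". It checks presence and shape only; whether the PKCS#7 signature actually chains to the db.crt you loaded is decided by the kernel when the module is loaded (or by the module loader refusing it under lockdown). The sample module used in the usage comment is the 'pathtonvidiadrivers' placeholder from the post, not a real path.

```shell
#!/bin/sh
# Added example, not from this thread or from NVIDIA: check whether a kernel module
# ends with the signature trailer written by scripts/sign-file.
#   ... | PKCS#7 blob (sig_len bytes) | struct module_signature (12 bytes) | marker (28 bytes)
# The marker and struct layout are the kernel's; id_type 2 is PKEY_ID_PKCS7.

MARKER='~Module signature appended~'

# Return 0 when FILE ends with the sign-file marker (28 bytes: 27 chars plus "\n").
module_is_signed() {
    [ "$(tail -c 28 "$1" | head -c 27)" = "$MARKER" ]
}

# Print "signed id_type=<n> sig_len=<bytes>" or "unsigned"; return 0 only when signed.
module_sig_info() {
    file=$1
    if ! module_is_signed "$file"; then
        echo "unsigned"
        return 1
    fi
    # struct module_signature occupies the 12 bytes just before the marker;
    # od -tu1 prints each byte as an unsigned decimal, which we load into $1..$12
    set -- $(tail -c 40 "$file" | head -c 12 | od -An -tu1 -v)
    id_type=$3
    # bytes 9..12 hold sig_len, big-endian
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    echo "signed id_type=$id_type sig_len=$sig_len"
    return 0
}

# Usage: sh modsig_check.sh /lib/modules/$(uname -r)/pathtonvidiadrivers/nvidia.ko
# (pathtonvidiadrivers is the placeholder from the post above, not a real directory)
for mod in "$@"; do
    printf '%s: ' "$mod"
    module_sig_info "$mod" || true
done
```

A module that reports "unsigned" after sign-file ran usually means the command was pointed at a copy (for example the one in /usr/src) rather than the file the kernel loads from /lib/modules; a module that reports id_type other than 2 was not signed with the in-tree sign-file flow. For the cryptographic check itself, `modinfo <module>` on a signed module prints the signer and key id fields, and the kernel log shows a verification failure at load time if the certificate is not in db or the kernel keyring.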