Mint 17.X, 18.X, 19.X and 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello questionbot, if you have installed my FDE tutorial 2438 PC UEFI + HDD GPT + EFI STUB + tutorial 2496 (ex 2360, Secure Boot), you can do these tests:

1) Temporarily disable Secure Boot and try to boot your system.

2) If your system boots normally with Secure Boot disabled, check that you have correctly installed the following file:
"/etc/initramfs/post-update.d/objcopy_update_hook".
The file should contain the commands listed in the example given at the end of Step 3 of my tutorial 2438. Remember that the file content differs depending on whether you have installed Linux Mint 20 or a previous Linux Mint version!

3) Check that your "/boot/efikeys" directory has been populated with all your own custom Secure Boot keys.

4) PAY ATTENTION that the command "objcopy" inside the file "/etc/initramfs/post-update.d/objcopy_update_hook" is correctly formatted (no LF inside the command)!!!

5) Launch this command: "sudo /etc/initramfs/post-update.d/objcopy_update_hook", then check that it ends without error. This command builds a new copy of your kernel.efi and bootx64.efi files (these files are built from your last vmlinuz, initrd.img and boot/efistub/cmdline.txt files). When the command ends you should see a message like "Signature verification OK", or something like that.

6) Now try to reboot your PC. If it boots correctly, re-enable Secure Boot and try to reboot your PC again. If it boots correctly, your system is OK.


Remember to check the correct update of your kernel.efi and bootx64.efi files at every kernel and/or initrd update/upgrade!!!


Please keep me informed about your progress.

Regards.

linux22
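
The checks in steps 2 to 5 above, plus the reminder to re-check after every kernel or initrd update, as an added shell example that is not part of linux22's post or tutorial. The function names and all paths are assumptions supplied by the caller, and the line-break check is a heuristic because the hook's content is not shown in this thread.

```shell
#!/bin/sh
# Added example (not from the tutorial): post-update audit of a signed EFI stub image.
# Every path is supplied by the caller; the names in the usage comment are placeholders.

# hook_split_lines HOOK: flag lines that begin with an option ("--...") although the
# previous line did not end in a backslash, i.e. a command broken by a stray LF.
hook_split_lines() {
    awk '/^[ \t]*--/ && !cont { printf "%s:%d: stray line break before: %s\n", FILENAME, NR, $0; bad = 1 }
         { cont = ($0 ~ /\\$/) }
         END { exit bad + 0 }' "$1"
}

# image_is_fresh IMAGE INPUT...: succeed only if IMAGE exists and no INPUT is newer.
image_is_fresh() {
    image=$1; shift
    [ -f "$image" ] || { echo "missing image: $image"; return 1; }
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then echo "missing input: $f"; rc=1
        elif [ "$f" -nt "$image" ]; then echo "stale: $f is newer than $image"; rc=1
        fi
    done
    return "$rc"
}

# keys_present DIR: succeed if DIR exists and contains at least one entry.
keys_present() { [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]; }

# audit HOOK KEYDIR CERT IMAGE INPUT...: run all checks, return non-zero on any failure.
audit() {
    hook=$1 keydir=$2 cert=$3 img=$4; shift 4
    fail=0
    [ -x "$hook" ] || { echo "hook missing or not executable: $hook"; fail=1; }
    [ -f "$hook" ] && { hook_split_lines "$hook" || fail=1; }
    keys_present "$keydir" || { echo "no keys in $keydir"; fail=1; }
    image_is_fresh "$img" "$@" || fail=1
    if command -v sbverify >/dev/null 2>&1; then
        # sbverify (sbsigntool) prints "Signature verification OK" on success
        sbverify --cert "$cert" "$img" || fail=1
    else
        echo "sbverify not installed; signature not checked"
    fi
    return "$fail"
}
# Usage (placeholder names): audit HOOK KEYDIR DB_CERT KERNEL_EFI VMLINUZ INITRD CMDLINE
```

Run `audit` once per image (kernel.efi and bootx64.efi) after each kernel or initrd upgrade; a "stale" line means the hook did not rebuild the image from the current inputs.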

Post by questionbot »

Thanks... I was more just letting you know. I went back to Void Linux already. My mint test was not positive.

Post by dobp »

linux22 wrote:
Sun Aug 16, 2020 10:39 am
Hello dobp. I have read your message and, as you said in your EDIT note, the problems with GRUB are the most important reason why I have switched to EFI STUB. In my past tutorials concerning Linux FDE I was always dealing with GRUB with great difficulty. So when I switched to UEFI I found an alternative to bypass GRUB and boot Linux with a simple and reliable new method, EFI STUB. You can try this new method also on a PC with dual boot W10+Linux, but your PC's UEFI Boot Manager must be able to deal with many boot .efi files. Most PCs with UEFI firmware have a Boot Manager that can be started by pressing a Fn key at start-up (typically F8, F10, F12 etc.). Once the Boot Manager Fn key is pressed at boot-up, the system loads a list of all bootable .efi images found in the EFI boot partition. You can then select Mint or W10 and press Enter to start the selected OS.

About the error you get after updating GRUB, I do not know how to solve your problem. If you have installed Linux Mint FDE using my old tutorial (Dual Boot), I have no clue about the error you get. Anyway, you can try to sign your kernel image with your own custom keys using the 'sbsign' command, and all your kernel modules using the 'scripts/sign-file' script, but I cannot say if that will work correctly.

UPDATE:

You can read more about signing Linux kernel & modules for Secure Boot at the following links:

- https://wiki.debian.org/SecureBoot

- https://ubuntu.com/blog/how-to-sign-thi ... ecure-boot

- https://wiki.gentoo.org/wiki/Signed_ker ... le_support


The first one is very interesting, especially the paragraph "Secure Boot limitations"!


Regards.

linux22
Hello linux22,

Thank you very much for your kind support as always. I did not address the issue yet although I still plan to do it (try and fix the current error when SB is enabled). I will keep you posted here.

Regards,
dobp

Post by linux22 »

Hello dobp, I have read your last post. At the moment I am working on a new solution for Dual Boot Windows 10 + Linux Mint FDE.

As explained in my tutorial at https://community.linuxmint.com/tutorial/view/2191 the new solution will be:

Dual boot for Windows 10 + Linux Mint 20.X with EFI STUB loader
Linux Full System Encryption (directory /boot included)
PC with UEFI & HDD with GPT and Boot Manager ‘systemd-boot’
Solution using the Linux Extended Boot Partition (a.k.a. XBOOTLDR)


Release by the end of October 2020

When using the EFISTUB+objcopy tools you get an .efi executable, containing kernel (with modules) + initrd + kernel's command-line parameters, that can be signed for Secure Boot in a single shot.

Regards.

linux22