[SOLVED] rEFInd + LVM on LUKS Installation

[salvor_hardin]

Hi everyone.
I'm new to the forum, so please excuse me if this post isn't perfect. I tried to search for an old topic addressing the issue, but couldn't find one so here I am.

First things first: i'm typing from a laptop running Slackware64-current in dual boot with Win10. I use rEFInd to select the bootimage and the kernel's own efi stub alongside an initrd to properly boot into my LVM on LUKS Slackware system. I've no "boot" partition, since everythig i need is in the ESP, and it's quite easy to setup during the installation process (on slackware at least) and even more easy to mantain.

So, here's the question: how can I achieve the same result using Mint?

I tried to install this distro in a VM, and it all goes great as long as i let the automatic process do it's thing. I can even make it run with custom partitions... but for the love of Knut, it just refuses to boot when i set it up "my way".
For the LVMonLUKS part, i followed a post on this very forum (can't seem to find the link right now) about custom encrypted setups.

I tried half a dozen times in said VM, and then gave it up... Now that i've a little more spare time, i'd like to tackle this problem yet again, with your help, and share the results with this nice community.

Thank you in advance,
Salvor Hardin

[mr_raider]

There is a refind dedicated thread where Rod Smith hangs out in the Chat subforum. Try posting there.

Direct stub loading via efi is a bit challenging with refind for non standard installs. I managed to get it to boot btrfs subvolumes directly to switch distros on the fly.

The principle is the same: install teh default OS. Boot the OS, and then install refind from the ppa. Then modify the refind configuration files to do what you want.

[salvor_hardin]

There is a refind dedicated thread where Rod Smith hangs out in the Chat subforum. Try posting there.

Thank you, i'll check it out.

Direct stub loading via efi is a bit challenging with refind for non standard installs. I managed to get it to boot btrfs subvolumes directly to switch distros on the fly.

Really? I've being doing it since day 1 and never had any issue. I really don't think rEFInd's my problem.

The principle is the same: install teh default OS. Boot the OS, and then install refind from the ppa. Then modify the refind configuration files to do what you want.

That's my issue. I don't want to install the default OS. I want to install Mint on LVM on LUKS, without any other unencrypted partition floating around beside the ESP and those created by win10. rEFInd is already installed and properly set up in my ESP, and i'd like to avoid installing GRUB2 altogether if possible. For what i can tell, the default installer really doesn't like using ESP as boot directory... for now, my money is on the installer creating a bad initrd or not creating one at all.

For clarity, this is my current partition scheme, and the one I'm aiming to preserve:

Code: Select all

N	Size			Code
1	512.0 MiB   	EF00  ESP 
2	128.0 MiB   	0C01  Microsoft reserved space
3	248.6 GiB   	0700  Basic data partition
4	817.0 MiB   	2700  Hidden windows partition
5	681.5 GiB   	8300  Slackware

Everything I need for booting my system is on the 1st partition, along with rEFInd binaries and other files. There is 1 directory named "Slackware" which contains the kernerl efi stub (vmlinuz-version.efi) the initrd needed for unlocking the encrypted partiotion (initrd-version.gz) and the configuration file "linux.conf" with some kernel parameters.
The 5th partition contains the whole system under LUKS.

Like I said, I know it can be done. I'm writing from that configuration right now. The only issue is: how to do it with Mint and its installer.

My original plan was as follow:
1_Use my own custom partition scheme with a LVM on LUKS installation;
2_Point ad the ESP as boot partition;
3_Avoid, if at all possible, installing GRUB2;
4_Install the system;
5_ chroot into the new isntallation and recompile the kernel with efi-stub support if needed. (I have a tarball for the kernel source and I know I may need to install a few things);
6_ create a new initrd, and copy it, alongside the kernel image, into the proper directory in the ESP;
7_ reboot, enjoy.

So far, no luck.

[mr_raider]

I know a.manual install to LVM is possible in mint with no /boot partition. You need to setup the LVM from the command line first and then run the installer.

However I don't know got to avoid installing grub.

I think you have to install grub, then setup refind and then remove grub.

Ubuntu kernels have EFI stub loader support by default.

[salvor_hardin]

uhm... then I may be missing something.
The LVM stuff is identical to slackware: first use the shell to set it up and activate the vulumes, then run the installer.
I'm ok with removing GRUB after the first boot, it's fine... ok, it may be something I did or the version of Mint I used, let me run another simulation in VM with a newer iso and i'll let you know the result.

Thank you for your help.

S. Hardin

[mr_raider]

Also Ubuntus grub expect to find initrd in the /boot folder. You will have to move the files to EFI.

[salvor_hardin]

Also Ubuntus grub expect to find initrd in the /boot folder. You will have to move the files to EFI.

So does rEFInd. Since my ESP is the only non encrypted partition, that goes without saying

[z31fanatic]

Not sure if it would help you but from what I remember when I triple booted my Macbook a while ago, I opened the boot folder of Mint with elevated privileges and deleted one of the boot files which got rid of grub and only had one boot option for Mint in the refind boot menu. When I chose Mint, it would just boot to Mint, grub no longer appeared. It made me happy to say the least
I dislike grub

[fabien85]

Looks beyond my paygrade, but I will try to be helpful anyway.
I have refind booting an install with encrypted home (and /data) and that works out of the box. I believe your problem is because of the full disk encryption without /boot you have to relocate the kernel etc and then a given layout of the partitions is expected from the system, layout that you do not comply with. Things should work better if you allow for an unencrypted /boot partition for Mint. That /boot partition would contain the same files that you are currently trying to put in the ESP, so there is no downside in my opinion (except the slightly increased complexity of a small extra partition, and refind needing an EFI ext2/3/4 driver). With that /boot made, installation should work out of the box with ubiquity, just call it from a terminal with ubiquity -b so that it doesnt try to install grub.
Without a /boot I'm lost how you can do it (even with grub).
I haven't seen Rod Smith post in this forum since February 2016, so wouldnt get my hopes up on getting an answer here. However posting on the ubuntu forums (or maybe sending an email) should work, he would probably be interested in the problem.

[salvor_hardin]

Ok... first things first: I'm not dead.
Sorry for the long delay, but I've been pretty busy with a new job last few months and had to suspend any "thinkering". Real life is complicated that way.

Now, to the problem at hands.
Still nothing has changed. I made another couple of tries in a VM, but it just would not boot.

I believe your problem is because of the full disk encryption without /boot you have to relocate the kernel etc and then a given layout of the partitions is expected from the system, layout that you do not comply with. Things should work better if you allow for an unencrypted /boot partition for Mint. That /boot partition would contain the same files that you are currently trying to put in the ESP, so there is no downside in my opinion (except the slightly increased complexity of a small extra partition, and refind needing an EFI ext2/3/4 driver). With that /boot made, installation should work out of the box with ubiquity, just call it from a terminal with ubiquity -b so that it doesnt try to install grub.

But I _do_ have a /boot partition: it's the ESP! Everything the kernel needs to know should be in the initrd and the refind configs... that's the sole reason I would even need an initrd. I know it would work having another /boot partition, but _why_ would i use another partition when everything I need is _already_ in the ESP? Just mount that under /boot and it should work... should.

Without a /boot I'm lost how you can do it (even with grub).

Why? That's what I'm trying to understand... while typing from my laptop whith a full disk encryprion and no separate /boot partition.
The point is: I know it can be done since I've been doing it for ages with slackware. It's just that Mint seems to disagree...
At this point, i need to know!

I am sorry if i sound rude, but I'm writing this at 1.39 AM, in a language which is not my own, after a _very_ long day.

Thank you all,
Salvor Hardin

[fabien85]

I agree it should work if the ESP is your /boot. However how to do it is beyond my experience.
I have only one suggestion :
- leave free space on your disk and let the installer do its normal magic for a full-encrypted install
- boot the system, move all the files in /boot to the ESP, edit the fstab to point there (also remove the mounting of the ESP at /boot/efi), unmount the old /boot and /boot/efi and remount everything with sudo mount -a[/a], delete the old /boot partition
- now the system is in the state you want, you may need to update the initramfs or something so that it still works when you reboot

If that's not enough, I suggest you first try to get this working with ubuntu, asking for help on the ubuntu forums, before trying to move to Mint.
Mint is based on ubuntu, and on the ubuntu forums you will probably get more people knowing the internals of ubuntu and how its different from slackware.

[lostfarmer]

will try to post later, you do not need a /boot as you say EFI partition is good. I used grub-standalone so not sure just what modifications to the help-site will need changed. I combined 2 different how-to's to get all to work , one is in Mint fourm and one in Ubuntu fourm. I used it for both Mint and Debian. The guilds use a password file so you do not have to enter PW twice.

I have never use rEFind.

I think this is the one I used and worked for Mint but not Debian. I did not run the script, just read it and enterer needed commands manually in terminal.
https://community.linuxmint.com/tutorial/view/2231

[salvor_hardin]

lostfarmer, you may be into something...
linux-4.14.9.tar
I think I can adapt the guide at the link you provided. Steps 1-3 are pointing in the right direction (except I would not create a bios partition, but use my ESP instead).
Part 1 of Step 4 is fine, then I think i'll need to chroot into the system, mount the ESP under /boot/efi (and modify fstab), possibly update crypttab (although I never needed it under slackware, i guess the initramfs tool here uses it, move the kernel and initramfs in the correct position for rEFInd to find them... (possibly compile a custom kernel?)... and it _should_ work.... i hope.

Time to fire up the VM and run a test or two. I'll keep you all posted.

Thanks
Salvor Hardin

[lostfarmer]

should have posted https://community.linuxmint.com/tutorial/view/2061

How you write crypttab/password file will determine if you must enter the password 2 times or not (?). I installed LUKS just to mess around with it. Did notice if I coped the boot files (initrd/vmlinuz) for the luks install outside of the luks partition and made a grub entire for there new locations I could boot without password so watch out for that. Would say if you must copy initrd outside of the luks do not use a password file for crypttab. (I say this with only light testing and limited knowledge of luks ).

[salvor_hardin]

It worked!

I finally managed to boot Mint in a VM, and then tested it on my machine, and it worked: I have a FDE Mint installation, whithout GRUB (never even installed it), using rEFInd and the kernel's efi stub.

I had to modify the tutorial posted by lostfarmer in more than one point, but it gave me the informations I was missing. In particular, it made me realize that "update-initramfs" needs a line in crypttab to generate a useful ramdisk, while slackware's "mkinitrd" uses command line parameters and options. The rest is quite trivial stuff actually. Silly me.

I'm not using a keyfile right now, but it should be a no brainer. I still have some issues with KDE hanging on a black screen for too long at login, and minor stuff like that... but I was expecting those. If it boots, it can be fixed.

If someone is interested, i'm going to post a full guide here sometime soon.

N.B.:

How you write crypttab/password file will determine if you must enter the password 2 times or not (?).

No... if you are not using GRUB, you'll be prompted for the passphrase/keyfile only once: when the initramfs is ready to open the encrypted container.

I installed LUKS just to mess around with it. Did notice if I coped the boot files (initrd/vmlinuz) for the luks install outside of the luks partition and made a grub entire for there new locations I could boot without password so watch out for that. Would say if you must copy initrd outside of the luks do not use a password file for crypttab. (I say this with only light testing and limited knowledge of luks ).

That's a strange issue... never experienced it.. might be GRUB related? Are you sure you didn't copy the keyfile too?

Anyway, thank you very much!
Now I can begin to play around with this distro for real... first thing: modify all my scripts to work with it.

Salvor Hardin

EDIT:
typos.

[salvor_hardin]

Ok, so... this is a quick guide on how install Mint 18.3 without any unencrypted partition and using rEFInd in the ESP to boot your system.

Pros:
- Easier to mantain,
- All the pros of a FDE installation.
- rEFInd won't ask for Luks passphrase, so you will only need to insert it once, when the initramfs prompt you to. No need to create any auxiliary keyfile (unless you want to.
- It looks cooler.

Cons:
- Requires some tricks to set up,
- Slightly slower boot times,
- all the Cons of a FDE installation,
- people may think you are a bit paranoid.
-------------------------------------------------------------------

In order to simplify this how to, I will make the following assumptions (which you'll have to modify according to your needs)

Boot drive: sda
ESP partition : sda1
Luks container: sda2
Home and / will reside on 2 different logical volumes.

We are installing on a brand new machine with a clean drive, rEFInd is not yet installed and Linux is your only OS (although, dual booting works on my pc).

keep this in mind while reading, explecially while issuing commands.

Let's start!

1. Insert the Mint installation media of choice and boot into the Live enviroment.

2. Open a terminal emulator and issues the following commands to create the ESP and a GPT table on the drive:

Code: Select all

$ sudo bash 	// Yes, I'm lazy; Yes, I'm used to su. feel free to type sudo a million times...
# parted /dev/sda mklabel gpt
# parted /dev/sda mkpart ESP fat32 1MiB 513MiB
# mkfs.vfat -F32 /dev/sda1
# parted /dev/sda set 1 boot on
#exit

3. Now, we can create our encrypted container:

Code: Select all

$ sudo parted /dev/sda mkpart primary 513MiB 100%

3.5 For paranoid people only: let's secure wipe our container (this may take a really long time depending on how large the partition is):

Code: Select all

$ sudo bash
# cryptsetup open --type plain /dev/sda2 container --key-file /dev/random
# dd if=/dev/zero of=/dev/mapper/container status=progress
# cryptsetup close container
#exit

Please note that we are writing zeros on an encrypted partition, thus obtaining what seems to be random noise. It's much quicker than wiping the raw drive using /dev/urandom.

4. Let's create our true encrypted container:

Code: Select all

$ sudo cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random -y luksFormat /dev/sda2

5. Now that we have a luks encrypted container in place, it's time to use LVM and set up what logical volumes we need for installation:

Code: Select all

$ sudo bash
# cryptsetup luksOpen /dev/sda2 sda2_crypt	// you'll be asked for the luks passphrase, enter it and procede.
# pvcreate /dev/mapper/sda2_crypt
# vgcreate mintvg /dev/mapper/sda2_crypt
# lvcreate -L 8G mintvg -n swaplv
# lvcreate -L 50G mintvg -n rootlv
# lvcreate -l +100%FREE mintvg -n homelv
#exit

6. It's finally time to start ubiquity and install the system.

Code: Select all

$ sh "ubiquity -b gtk_ui" &

Choose "something else/manual install" and then select the newly created logical volumes as installation targets, mounting rootlv under /, homelv under /home and swaplv as swap. Then let ubiquity do its thing...

7. Do not reboot when asked at the end of the installation process, choose "continue testing" instead. We still have some work to do.

Let's configure our new system:

8. Preparing the chroot enviroment:

Code: Select all

$ sudo bash
# mount /dev/mapper/mintvg-rootlv /mnt
# mount /dev/mapper/mintvg-homelv /mnt/home
# mount --bind /dev /mnt/dev
# mount --bind /dev/pts /mnt /dev/pts
# mount --bind /sys /mnt/sys
# mount --bind /proc /mnt/proc
# mount --bind /run /mnt/run
# mkdir /mnt/boot/efi
# mount /dev/sda1 /mnt/boot/efi

9. Intalling rEFInd: download the .deb binary package from the original website using the live's firefox browser. Then

Code: Select all

 
 # cp Dowloads/refind_$VERSION_amd64.deb /mnt/root
 # chroot /mnt
 [mnt #] dpkg -i /root/refind_$VERSION_amd64.deb 
 [mnt #] exit
# mkdir /mnt/boot/efi/EFI/Mint	//this is where the kernel image and the initramfs will reside, as well as the refind_linux.conf file used to pass kernel parameters.

10. Update/create the crypttab file:

Code: Select all

$ echo "sda2_crypt UUID=`sudo blkid -s UUID -o value /dev/sda2` none luks" | sudo tee -a /mnt/etc/crypttab

11. Update the initramfs

Code: Select all

$ sudo chroot /mnt locale-gen --purge --no-archive
$ sudo chroot /mnt update initramfs -u

12. Prepare the rEFInd boot entry:

Code: Select all

$ sudo bash
# cp /mnt/boot/vmlinuz-$VER-$BLD_generic /mnt/efi/EFI/Mint/vmlinuz-$VER-$BLD_generic[b].efi[/b]
# cp /mnt/boot/initrd.img-$VER-$BLD_generic /mnt/efi/EFI/Mint/
# echo "quiet splash resume=/dev/mapper/mintvg-swaplv rootfstype=ext4 add-efi-memmap" | tee -a /mnt/boot/efi/EFI/Mint/refind_linux.conf
# exit
$ exit

13. Reboot, enjoy.
-----------------------------------------------------

Sources:
https://community.linuxmint.com/tutorial/view/2061
http://www.rodsbooks.com/refind/
------------------------------------------------------

Salvor Hardin.