Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

dobp
Level 1
Posts: 27
Joined: Thu Sep 26, 2019 1:32 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by dobp »

Hi lofi,
lofi wrote: Wed Nov 16, 2022 1:12 pm
It is very easy to set up a home partition
OK, I remember repeating here what I heard elsewhere, that it was hard. Of course it depends on our level. That sentence was probably addressed to a beginner; of course here we are in the Chad thread! Can't be that hard!
Indeed setting up a home partition is more advanced compared to the standard install process, but still relatively easy considering you were able to follow linux22's tutorial.
It all boils down to creating 2 partitions (say mint-root and mint-home) out of your sda2_encrypt partition and adding adequate mountpoints to your system's /etc/fstab file.
  • If you are only willing to modify an existing install, it would involve performing the operations from a Live USB system (after making sure to have up-to-date backups just in case, since an error with partitioning can cause data loss and messing with fstab might prevent your system from rebooting, though that issue can always be fixed by restoring or correcting the fstab file from a Live USB system...).
  • If you perform a clean install, that would be even easier, just create the partition layout (I did it using LVM and you can find for inspiration the commands I used and a note of warning in the two first points of this post) and then in Ubiquity you will be able to add the /home mountpoint via the GUI (cf. first screenshot of p.11 of linux22 FDE tutorial v1.4 - it would be one more step similar to that one for root mountpoint).
Good luck with your upgrade!
lofi
Level 2
Posts: 65
Joined: Sun Mar 10, 2019 3:10 pm
Location: France

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by lofi »

Hi dobp,

As you guessed, I haven't updated yet! I want to do it soon to benefit from the effect of your encouragement and useful tips. I'm also listing everything that will be better after upgrading (for example I've had to do a backport of Midnight Commander, because of a bug fixed 4 years ago...)
Yes, I'll try a separate /home install with FDE, thanks a lot for the LVM (lvcreate) commands. I think I'll do a fresh install. But if I can separate my home folder from the rest from Live USB, it would be already done, and safer.

>mfw the paranoid thread is full of good people

thanks a lot dobp
lofi
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by linux22 »

Hello dobp, sorry, I know I am still late but now I can answer the questions from your post of Fri Oct 21, 2022 3:08 pm.

Points 1, 2 and 3: I am very happy about your explorations of the Linux FDE world and the new tips and tricks you discovered for resolving many issues.
Nevertheless I think that a tutorial must be ESSENTIAL !!!
So I put in my tutorials only the stuff I think is indispensable for a minimal setup of a working Linux FDE system.
That is an ugly truth I learned from my first tutorial https://community.linuxmint.com/tutorial/view/2026 published in June 2015.
Indeed much feedback from the readers of my tutorials says that they are too long or too dispersive (for a striking example see the comments at the bottom of my tutorial https://community.linuxmint.com/tutorial/view/2496). Therefore, right or wrong, I chose to keep my tutorials very essential and provide a link to this topic on the Mint Forum for the discussions, questions and answers concerning peculiar issues.
So I appreciate your efforts explained at points 1, 2 and 3 of your post.

Point 4: My tutorial for the configuration of "Dual boot for Linux Mint 20.X Full Disk Encryption with EFI STUB loader + Windows 10" was made after long experimentation. I tried to implement the system the way it was described in the following documents, listed in section "USEFUL LINKS", like https://systemd.io/BOOT_LOADER_SPECIFICATION/, https://systemd.io/BOOT_LOADER_INTERFACE/, https://www.freedesktop.org/wiki/Softwa ... temd-boot/, https://www.freedesktop.org/wiki/Specif ... oaderSpec/, but the facts were different !!!
The configuration of my tutorial was the only one that I got working. That is also due to the different implementation of the ESP and XBOOTLDR directories in different distros like ArchLinux, Fedora, etc. In Debian/Ubuntu/Mint distros that was the only scheme that worked for me.

Point 5: Part A - See my previous post of Sun Oct 30, 2022 8:29 pm, and YES, I think an encrypted system protected with TPM with PCR registers + PIN is much more secure than one with Secure Boot only.
Part B - See my previous post of Sun Oct 30, 2022 8:29 pm.

Point 6: I think that the real protection of a Linux FDE solution is linked to: a good full disk encryption scheme, a working Secure Boot with your own custom keys and a TPM with PCR registers + PIN. At the moment my TPM solution is not satisfactory. In my opinion the locking of GRUB or other bootloaders is not so fundamental.

PS: I will answer the following posts in the next weeks.

Regards.

linux22
dobp
Level 1
Posts: 27
Joined: Thu Sep 26, 2019 1:32 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by dobp »

Hello linux22,
Thank you for the follow-up!
linux22 wrote: Tue Dec 06, 2022 8:06 am Indeed much feedback from the readers of my tutorials says that they are too long or too dispersive (for a striking example see the comments at the bottom of my tutorial https://community.linuxmint.com/tutorial/view/2496). Therefore, right or wrong, I chose to keep my tutorials very essential and provide a link to this topic on the Mint Forum for the discussions, questions and answers concerning peculiar issues.
So I appreciate your efforts explained at points 1, 2 and 3 of your post.
Well, I don't know if there is one or really many pieces of feedback such as the comment on your tutorial you point out as an example, but in my opinion that one is most inappropriate and unappreciative of the work done. Your tutorials are long because the topic is rather complex and because you intend to be quite thorough, which I personally much appreciate - it actually contributed the first time to giving me confidence in your solution (only commands without explanation would have made things much more difficult, especially considering the adaptations a user might want to make to suit their system). That comment might be referring to an older tutorial I didn't read, but from the tutorials you wrote that I have read so far, I don't see what could be negatively referred to as "self-promotion".
So yes, getting to grips with your FDE tutorials takes quite some time (especially if, like me, you had not dived into anything like that before), but that is what I feel is the minimum focus required not to mess up one's system and to understand a bit what one is doing... Also I find them well structured, with one main section and other optional sections which help solve specific issues or go further on specific points. The only thing I can see to make it go faster would be a script, which is additional work and has the drawback that - unless writing an alternative to Ubiquity (an interactive script), which is even more work - it could not foresee all possible cases and people using it might be less attentive. As far as I am concerned I am no command-line maniac, but I believe that in this specific process I was happy to go the "manual" way (also I was not performing the installation on an empty hard drive).
Eventually the only real improvement to this continuous work of yours I could see is what you said somewhere you were planning to do - combining all your FDE-related tutorials into a single one. It would prove more convenient to update along the way, and for the readers all the info would be centralised in one place rather than having to spot the updates in various tutorials as I did, and as long as it is well structured, I don't really see the problem of it being even longer. But I do realise that all this is a lot of additional work. By the way, if you want help with the tutorials' combination work now that they are still relatively fresh in my mind, let me know.
As for points 1, 2 & 3, those were indeed my 2 cents for the FAQ section, whether in the tutorial or on the forum, never mind.
Point 4: My tutorial for the configuration of "Dual boot for Linux Mint 20.X Full Disk Encryption with EFI STUB loader + Windows 10" was made after long experimentation. I tried to implement the system the way it was described in the following documents, listed in section "USEFUL LINKS", like https://systemd.io/BOOT_LOADER_SPECIFICATION/, https://systemd.io/BOOT_LOADER_INTERFACE/, https://www.freedesktop.org/wiki/Softwa ... temd-boot/, https://www.freedesktop.org/wiki/Specif ... oaderSpec/, but the facts were different !!!
The configuration of my tutorial was the only one that I got working. That is also due to the different implementation of the ESP and XBOOTLDR directories in different distros like ArchLinux, Fedora, etc. In Debian/Ubuntu/Mint distros that was the only scheme that worked for me.
Would you be able to let me know which version of Linux Mint you last tried with the configuration recommended by one of systemd's developers quoted in my "Point 4" (and the approximate date at which you did it, maybe), in order to understand whether it could be useful trying it again with a newer version of systemd?

Best,
dobp
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by linux22 »

Hello folks, I am happy to announce my first success in unlocking my Linux FDE Mint 21.1 (Secure Boot On) with systemd v. 249, using systemd-cryptenroll tools.

At the moment it works like 'clevis', without the PIN option introduced in systemd v. 251.

Anyway this is the first time I get it working !
lofi
Level 2
Posts: 65
Joined: Sun Mar 10, 2019 3:10 pm
Location: France

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by lofi »

Thanks for your pioneering work, linux22. I may use this in the future.
dobp
Level 1
Posts: 27
Joined: Thu Sep 26, 2019 1:32 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by dobp »

linux22 wrote: Fri Dec 30, 2022 6:57 pm I am happy to announce my first success in unlocking my Linux FDE Mint 21.1 (Secure Boot On) with systemd v. 249, using systemd-cryptenroll tools.
Late congrats! I'll be happy to learn more on how you made it work if you ever find time to write about that.
Cheers
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM

Post by linux22 »

Hello folks and dobp, I am very sorry because I know I am late in answering your latest posts !!!

But as I previously said I am still in trouble with my work, my family, my house etc. :? :( :oops:

Anyway if you are interested in unlocking Linux FDE Mint 21.1 (Secure Boot On) with systemd v. 249, using systemd-cryptenroll tools, you only need to take a look at the script from W. McElderry at this link: https://github.com/wmcelderry/systemd_with_tpm2

Remember that the script only works for distros derived from Ubuntu 22.04.

I experimented with it on my latest Linux Mint 21.1 and it worked flawlessly.

As you know systemd-cryptenroll in systemd v. 249 does not ask for a PIN, so it works like the other package 'clevis', starting the PC at power on without asking for any PIN or password. This solution, in my opinion, is not the best, because it is still vulnerable to cold boot attacks.
Last edited by linux22 on Sat Jan 13, 2024 7:38 am, edited 1 time in total.
SMG
Level 25
Posts: 31313
Joined: Sun Jul 26, 2020 6:15 pm
Location: USA

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2

Post by SMG »

Moderator note: lofi's posts about "Conference about linux and UKI (unified kernel image) focused on new things and the future" have been moved to Chat about Linux.

Please do not post conference announcements in Tutorial topics.
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 20.X (but also Ubuntu) Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM

Post by linux22 »

Last update: 12 October 2023

Hi folks, I am happy to announce my success in unlocking my Linux Mint Debian Edition LMDE 6 'Faye' with systemd v. 252, enrolling the LUKS2 key and a PIN inside the TPM 2.0 using systemd-cryptenroll.

I think I will release the tutorial explaining the hardware & software configuration by the end of October 2023.
Last edited by linux22 on Sat Jan 13, 2024 7:37 am, edited 1 time in total.
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

Post by linux22 »

Hi folks, I am finally ready to publish my tutorial for LMDE 6 Full Disk Encryption with LUKS2+SECURE-BOOT+TPM2.0+PIN.

This solution is quite weird and I do not like it so much but it is the only one working, at the moment.

You know that almost all Debian based distros available today have systemd installed but their support for LUKS, SECURE BOOT and TPM 2.0 is quite poor.

At the moment, October 2023, none of the Debian based distros I know can deal with LUKS and/or SECURE BOOT and/or TPM 2.0 in a reasonable manner.

Have you ever experienced the following ‘crypttab’ related error trying to activate the LUKS automatic unlock via TPM 2.0?:

cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

This error is due to the lack of updates for the “initramfs-tools” package modules concerning the TPM 2.0.

So I thought I had to switch forward to a solution that has already implemented some working and useful tools for LUKS, SECURE BOOT and TPM 2.0+PIN.

SO WHY NOT SWITCH FROM ‘initramfs-tools’ TO ‘dracut’ ?

This way I have finally got rid of systemd-cryptenroll and initramfs, managing to get a functioning unlocking of a Linux Full Disk Encryption system using a LUKS+SECURE BOOT+TPM 2.0+PIN chain, at least until we have a working ‘initramfs-tools’ package !!!

This outcome has been possible thanks to the new Linux LMDE 6 with kernel version 6.1, systemd version 252 and ‘dracut’ initramfs tools.

You can get the tutorial downloading the zip file linked to my Linux Mint Community web page at:

https://community.linuxmint.com/tutorial/view/2438

The file is linked at the bottom of the page and is named:

LMDE 6 with Full Disk Encryption - UKI - Version 1.0.zip

The tutorial pdf file embeds 7 txt files, containing the list of all required Terminal commands.
Click on the pin at the top left corner of the pdf file pages 8, 15, 18, 20, 21, 23, 30 to open the txt files.
For more details read page 7 of the tutorial.

The installation process consists of:

Step 1
Step 2
Step 3
Step 4
Step 5
Appendix C
Appendix D

Appendix A and B are for emergency/rescue cases only.

Please send me your evaluations and tell me if this solution works on your workstations.

Cheers.

linux22
Last edited by linux22 on Sat Jan 13, 2024 7:37 am, edited 1 time in total.
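Added example (not code from this thread or from linux22's tutorial): a small Python linter that parses crypttab entries and reports the options a given initramfs builder would silently drop, which is the situation behind the "ignoring unknown option 'tpm2-device'" warning quoted above. The option tables are abridged from the crypttab(5) pages of Debian's cryptsetup-initramfs hook and of systemd-cryptsetup (the parser inside a dracut/systemd initramfs) and are an assumption to verify against the versions actually installed; the sample crypttab and its UUID placeholder are constructed.

```python
"""Lint crypttab options against the initramfs builder that will consume them.

Added example, not code from this thread or from linux22's tutorial.  The option
tables are abridged from the crypttab(5) pages of Debian's cryptsetup-initramfs
hook and of systemd-cryptsetup (used inside a dracut/systemd initramfs); treat
them as an assumption to check against your installed versions."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Options that take a value are listed with a trailing '='.
KNOWN_OPTIONS: Dict[str, Set[str]] = {
    "initramfs-tools": {
        "luks", "plain", "tcrypt", "veracrypt", "swap", "tmp", "noauto", "nofail",
        "discard", "readonly", "read-only", "initramfs", "same-cpu-crypt",
        "submit-from-crypt-cpus", "cipher=", "size=", "hash=", "offset=", "skip=",
        "keyscript=", "keyslot=", "header=", "tries=", "check=", "checkargs=",
        "sector-size=",
    },
    "dracut": {
        "luks", "plain", "tcrypt", "swap", "tmp", "noauto", "nofail", "discard",
        "readonly", "read-only", "cipher=", "size=", "hash=", "offset=", "skip=",
        "header=", "tries=", "timeout=", "keyfile-size=", "keyfile-offset=",
        "headless=", "x-initrd.attach",
        # token options that only systemd-cryptsetup understands
        "tpm2-device=", "tpm2-pcrs=", "tpm2-pin=", "fido2-device=", "pkcs11-uri=",
    },
}


@dataclass
class CryptEntry:
    lineno: int
    target: str        # mapper name, e.g. sda3_crypt
    source: str        # block device or UUID=...
    keyfile: str       # 'none' means prompt (or token) at boot
    options: List[str]


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Parse crypttab text: up to four whitespace-separated fields, '#' comments."""
    entries: List[CryptEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least target and source")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = [o for o in fields[3].split(",") if o] if len(fields) > 3 else []
        entries.append(CryptEntry(lineno, fields[0], fields[1], keyfile, options))
    return entries


def lint_crypttab(text: str, builder: str) -> List[str]:
    """Return one warning per option the given builder would ignore, phrased
    like the boot-time cryptsetup message quoted in the thread."""
    if builder not in KNOWN_OPTIONS:
        raise ValueError(f"unknown initramfs builder: {builder}")
    known = KNOWN_OPTIONS[builder]
    warnings: List[str] = []
    for entry in parse_crypttab(text):
        for opt in entry.options:
            name, has_value = opt.split("=", 1)[0], "=" in opt
            if (name + "=" if has_value else name) not in known:
                warnings.append(
                    f"line {entry.lineno}: {entry.target}: ignoring unknown option "
                    f"'{name}' ({builder})"
                )
    return warnings


# Constructed sample: a root mapping with TPM2 unlock added, plus a random-key swap.
SAMPLE_CRYPTTAB = """\
# <target name> <source device>              <key file>   <options>
sda3_crypt      UUID=PLACEHOLDER-ROOT-UUID   none         luks,discard,tpm2-device=auto
cryptswap       /dev/sda4                    /dev/urandom swap,cipher=aes-xts-plain64,size=256
"""

if __name__ == "__main__":
    for name in KNOWN_OPTIONS:
        print(f"== {name}")
        for warning in lint_crypttab(SAMPLE_CRYPTTAB, name) or ["no unknown options"]:
            print("  ", warning)
```

Run it against the real file (`lint_crypttab(open("/etc/crypttab").read(), "initramfs-tools")`) before rebuilding the initramfs: an option the builder does not know is dropped without failing the build, and the system then prompts for a passphrase or fails to unlock at the next boot instead.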
lofi
Level 2
Posts: 65
Joined: Sun Mar 10, 2019 3:10 pm
Location: France

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2.0+PIN

Post by lofi »

Hi linux22, dobp and folks,

Congrats, Naldi, for managing to do LUKS unlocking with TPM2 + PIN, with LMDE + `dracut` ! I actually stumbled upon `dracut` a couple months ago, that looked exciting (solving many problems), but I understood somehow that it was not available to us. Your explanations about late Debian implementation of TPM management are interesting (they're probably not lazy, there are probably complex struggles behind this. Debian is the most democratic distro). It's nice to see that now the PIN solution can work with LMDE. Have you heard about the upcoming ukify command, by systemd? It will make a UKI with one command, apparently.

I recently understood a basic thing. A year ago I asked here for confirmation that `/boot/efi` was or wasn't encrypted. Dobp replied first, with interesting points about security, but what I still did not understand (I thought there was a contradiction because your tutorials say "with /boot encrypted", and I saw that the partition that boots the OS is not encrypted...). Now I get it. I found our (I say "our" because I followed your tutorials) Secure Boot keys in /boot, and I thought holy sh... if `/boot` is not encrypted, then for 3 years, anyone could have stolen my EFI keys! But then I understood that while yes, `/boot/efi` is not encrypted, `/boot` *IS* indeed encrypted. It doesn't show on `lsblk` because `/boot` is just a subfolder of `/`, but it is encrypted. /boot/efi on the other hand is not encrypted, but as dobp explained, only signed binaries can be run from it (and I add : our keys are not inside it).

When I followed your tutorial in 2019, I just wanted Secure Boot. Only much later did I understand the difference between "simple" Secure Boot, and UKI, Unified Kernel Image UEFI apps.
I stumbled upon old posts, where you said (or maybe in a "preface" of your tutorials) why you chose UKI in the first place (a long, long time ago). Because all your other successful attempts at Mint secure boot were ruined at the first kernel update. So that happened by chance!

So, years later I understood that I happened to be one of the happy few who had their `initrd` protected from tampering. Not just a simple Secure Boot, but a premium secure boot!
I hadn't reached that level of understanding when I made my last post ITT, that was moved to another section of the forums (of course nobody replied, it would have needed lots of rephrasing and contextualisation to be interesting as a separate thread).
In the Kroah-Hartman article I posted
, he precisely explains how UKI is better than simple secure boot, and is the future. But of course that is still vulnerable, until (he says) we have (like Windows??) a fully measured boot, meaning that when a secure stage is completed in the boot process, a cryptographic key is computed, stored in a TPM register, then when the second stage is done, another key is computed with the 1st one, in a chain a bit like the blockchain principle, making the boot process cryptographically secure.
I see that you are now also using these unused TPM registers, but I'd have to dig deeper, I don't know if it's the same thing as what I read.

I haven't checked this thread here in a long time, so I just saw your post about https://github.com/wmcelderry/systemd_with_tpm2. Well, he says it's not a UKI ! And now I want a UKI ! But he says,
NB2: Apparently the Linux kernel now measures its own initrd, so if the systemd-cryptenroll is called with the correct registers, then that may be covered off
but it is not quite satisfying. (but he has another repo with UKI, which I will check.)

Anyway, I learnt lots of interesting things about encryption and security, it wouldn't have happened without your tutorials!
As for me, I disabled TPM, I think I will do your 2019 tutorial again, I'm exhausted, I don't want to think anymore. (but I've had to, because I'm doing something a little but custom) (I also dived into LibreBoot for a moment, fertig! (enough! (for me)))
Lots of congrats again for bringing more security to Mint and Debian based distros!
t42
Level 11
Posts: 3708
Joined: Mon Jan 20, 2014 6:48 pm

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2.0+PIN

Post by t42 »

I appreciate the substantive value of this highly educational thread. But I think it remains to be explained how it is relevant to such a desktop-oriented OS as Linux Mint. Why is a single user typing the passphrase on a keyboard in front of their monitor not enough for a standard desktop system? Such additional measures as FIDO2 and whatever else are trying to change the focus from encryption to authentication. In fact the user gives away their encryption power to various authentication authorities such as Microsoft, the motherboard vendor, the TPM vendor, Google two-factor authentication, the network administrator, the OS vendor and the systemd developer.
-=t42=-
t42
Level 11
Posts: 3708
Joined: Mon Jan 20, 2014 6:48 pm

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS, SecureBoot & TPM 2.0+PIN

Post by t42 »

lofi wrote: Sun Nov 12, 2023 10:12 pm In the Kroah-Hartman article I posted
https://0pointer.net/blog/brave-new-tru ... world.html
Please don't settle Kroah-Hartman into this, the article belongs to Lennart Poettering.
-=t42=-
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

Post by linux22 »

Hello lofi, I have read your post. Again, thank you for your interest in my work.

Ukify is a new tool from systemd ver. 253 and above. It is not yet available in LMDE 6 because it ships with systemd ver. 252.
It seems an interesting tool but quite complex and still EXPERIMENTAL.

As you can see in my tutorial for LMDE 6, 'dracut' performs similarly to 'ukify' when building the UKI images.
You can see that by setting up a custom dracut conf file in the '/etc/dracut.d' directory you can get automatic building of UKI .efi files for every kernel version installed on the system. Furthermore, when it detects 'systemd-boot' installed it puts them all in the '/boot/efi/EFI/Linux' directory, populating the systemd-boot menu also.

I must admit that 'dracut' is VERY cool but I still do not like it. It is too 'low level' for me.
It does its job using binary executables that you cannot analyze step by step, unless you go and read its source files.

I prefer initramfs builders like 'update-initramfs' or 'mkinitcpio' with their structure built on bash scripts, where you can read what happens step by step.

About '/boot' encryption you know how it works. The directory is part of the whole encrypted filesystem but the ESP directory is NOT encrypted and it is mounted on the '/boot/efi' directory. Consequently this branch of the filesystem remains unencrypted, but we provide protection for our .efi booting files by signing them for Secure Boot and now also by configuring the unlock of the LUKS partition with TPM2.0+PIN. This way, configuring TPM2.0 with an adequate set of PCRs (0, 1, 2, 3, 4, 5, 7, 8, 9 etc.), we can detect further threats at boot-up (long story !!!).

At the moment I have not yet experimented with protections using fido2 keys ...

Anyway my last tutorial is ready. It is tailored for the BTRFS filesystem, but also deals with a new 'dracut' configuration that automatically builds all UKI .efi files and also signs them for Secure Boot. It will be ready for publication within a few days.

But I must admit that I understand when you say "I'm exhausted ...".

I think that this race for 'Linux FDE' is over also for me, now.

I also do not see a great interest from the "Linux World" for the topic of 'Full Disk Encryption'.

I think that going any further is pointless, at least until new security solutions emerge.

Regards.

linux22
Last edited by linux22 on Sat Jan 13, 2024 7:36 am, edited 1 time in total.
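Added example serving two passages above: lofi's description of measured boot as a chain of values computed into TPM registers, and linux22's remark that the LUKS unlock must be bound to an adequate set of PCRs. This is not code from the thread, from systemd or from any TPM library; it simulates the PCR extend operation and a simplified PCR-bound unseal policy in Python so the properties can be checked offline. The boot events are constructed stand-ins, and the PCR index assignments (0 firmware code, 4 EFI application, 7 Secure Boot policy, 9 initrd measured by the kernel's EFI stub) follow the usual PC-client convention.

```python
"""Simulate the PCR extend chain behind measured boot and a PCR-bound unseal.

Added example, not code from this thread, from systemd or from a TPM library.
The boot events are constructed; the PCR indices follow the PC-client convention."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

PCR_SIZE = 32                    # one SHA-256 bank; PCRs reset to all zeros
Event = Tuple[int, str, bytes]   # (pcr index, description, measured data)


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: new = H(old || H(data)).
    PCRs can only be extended, never set, so the final value commits to every
    measurement and to the order in which they happened."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_boot(events: Iterable[Event]) -> Dict[int, bytes]:
    """Replay a boot log and return the resulting PCR values."""
    pcrs: Dict[int, bytes] = {}
    for index, _description, data in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), data)
    return pcrs


def pcr_policy_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Simplified TPM2_PolicyPCR: digest over the selected PCRs in index order.
    A LUKS key sealed to this digest is released only when the live PCRs
    reproduce it.  (A real policy also hashes in command codes and, with a
    PIN, adds a PolicyAuthValue step; that is left out here.)"""
    chosen = sorted(set(selection))
    return hashlib.sha256(b"".join(pcrs.get(i, bytes(PCR_SIZE)) for i in chosen)).digest()


def can_unseal(sealed_policy: bytes, live_pcrs: Dict[int, bytes],
               selection: Iterable[int]) -> bool:
    """Would the TPM release the key for these live PCRs?"""
    return hmac.compare_digest(sealed_policy, pcr_policy_digest(live_pcrs, selection))


def with_replaced_event(events: List[Event], pcr_index: int, new_data: bytes) -> List[Event]:
    """Boot log in which the first component measured into pcr_index differs
    (e.g. a kernel.efi that was rebuilt or altered), to show what is detected."""
    out: List[Event] = []
    replaced = False
    for index, description, data in events:
        if index == pcr_index and not replaced:
            out.append((index, description, new_data))
            replaced = True
        else:
            out.append((index, description, data))
    return out


# Constructed boot log; the byte strings stand in for real firmware and binaries.
GOOD_BOOT: List[Event] = [
    (0, "platform firmware code", b"UEFI firmware image v1.0"),
    (7, "Secure Boot state", b"SecureBoot=1"),
    (7, "db certificate that verified the loader", b"db: owner certificate"),
    (4, "EFI application run by the boot manager", b"kernel.efi (UKI) bytes"),
    (9, "initrd measured by the kernel EFI stub", b"initrd bytes"),
]

if __name__ == "__main__":
    good = measure_boot(GOOD_BOOT)
    sealed = pcr_policy_digest(good, [0, 4, 7])
    changed_loader = measure_boot(with_replaced_event(GOOD_BOOT, 4, b"other kernel.efi"))
    changed_initrd = measure_boot(with_replaced_event(GOOD_BOOT, 9, b"other initrd"))
    print("normal boot unseals:           ", can_unseal(sealed, good, [0, 4, 7]))
    print("changed loader (PCR 4):        ", can_unseal(sealed, changed_loader, [0, 4, 7]))
    print("changed initrd, PCR 9 not bound:", can_unseal(sealed, changed_initrd, [0, 4, 7]))
```

The last line of the demonstration is the point of linux22's PCR list: a component that is only measured into a PCR outside the sealing selection can change without affecting the unlock, so the selection has to cover every stage you want the unlock to depend on. The flip side is that a legitimate change to one of those stages (a firmware update for PCR 0, a new kernel.efi for PCR 4) also stops the unlock until the key is re-enrolled, which is why the PIN and a recovery passphrase slot still matter.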
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

Post by linux22 »

Hi folks, release Ver. 1.1 of the tutorials for LMDE 6 Full Disk Encryption with LUKS2+SECURE BOOT+TPM2.0+PIN for EXT4 and BTRFS filesystems is now available for download.

You can get the tutorials from my Linux Mint Community web page at:

https://community.linuxmint.com/tutorial/view/2438

The zip files are linked at the bottom of the page and are named:

Linux Mint Debian Edition LMDE 6 with Full Disk Encryption - UKI - ext4 Version 1.1.zip

Linux Mint Debian Edition LMDE 6 with Full Disk Encryption - UKI - btrfs Version 1.1.zip

Cheers.

linux22
mortenpj
Level 1
Posts: 20
Joined: Thu Sep 02, 2021 5:03 am

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

Post by mortenpj »

Hi
First time following this guide and even encrypting a disk in Linux, so far so good.
However I have encountered an issue with one of the commands; it gives me an error. It's in the step of setting up the EFI stub loader.
The following command:


sudo chroot /mnt efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"
Gives me the error "EFI variables are not supported on this system."

I'm following this guide with version 21.3 Cinnamon (Edge)

Anyone who has any idea what I can do to solve this issue?

Thanks in advance

After some more searching

FIXED.
After some more searching and googling, and in my case at least this command fixed my issue, just in case anyone else runs in to the same issue as me


sudo mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

Post by linux22 »

Hello mortenpj, I have read your post. You are right. With the latest versions of efibootmgr you cannot run it in chroot mode.

But you can simply remove chroot and run instead:

sudo efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"

You can run efibootmgr from the root console without chroot, because it seems it does not check for the existence of the target file (i.e. -l "\EFI\Mint\kernel.efi").

Regards.

linux22
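Added example (not code from linux22's tutorial or from efibootmgr) covering both mortenpj's "EFI variables are not supported" error and linux22's note that efibootmgr does not verify the loader path: a Python preflight that, given a /proc/self/mounts-style table, checks that efivarfs is visible at the chroot's /sys/firmware/efi/efivars, that a vfat ESP is mounted where expected, and that the file named in `-l` actually exists on it. The mount tables are constructed; the chroot at /mnt, the ESP at /mnt/boot/efi and the loader path come from the commands quoted in the thread.

```python
"""Preflight for running efibootmgr against a system mounted under a chroot.

Added example, not code from linux22's tutorial or from efibootmgr.  The sample
mount tables below are constructed."""
import os
from typing import Callable, List, Tuple

Mount = Tuple[str, str, str]   # (source, mountpoint, fstype)
EFIVARS = "sys/firmware/efi/efivars"


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/self/mounts-style lines; spaces in paths are escaped as octal 040 there."""
    rows: List[Mount] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            rows.append((parts[0], parts[1].replace("\\040", " "), parts[2]))
    return rows


def efivars_visible(mounts: List[Mount], chroot: str = "/") -> bool:
    """efibootmgr needs efivarfs at /sys/firmware/efi/efivars *as seen from the chroot*."""
    want = os.path.normpath(os.path.join(chroot, EFIVARS))
    return any(mp == want and fstype == "efivarfs" for _, mp, fstype in mounts)


def esp_mounted(mounts: List[Mount], esp_mount: str) -> bool:
    want = os.path.normpath(esp_mount)
    return any(mp == want and fstype == "vfat" for _, mp, fstype in mounts)


def loader_path_on_esp(esp_mount: str, efi_loader: str) -> str:
    """Map an efibootmgr -l value (backslash-separated, ESP-relative) to the
    host path where the ESP is currently mounted."""
    relative = efi_loader.replace("\\", "/").lstrip("/")
    return os.path.join(esp_mount, relative)


def preflight(mounts: List[Mount], chroot: str, esp_mount: str, efi_loader: str,
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of problems; empty means the efibootmgr call should work
    and point at a file that really is on the ESP."""
    problems: List[str] = []
    efivars_path = os.path.normpath(os.path.join(chroot, EFIVARS))
    if not efivars_visible(mounts, chroot):
        problems.append(f"efivarfs is not mounted at {efivars_path}; "
                        f"run: sudo mount --bind /{EFIVARS} {efivars_path}")
    if not esp_mounted(mounts, esp_mount):
        problems.append(f"no vfat filesystem mounted at {esp_mount}")
    target = loader_path_on_esp(esp_mount, efi_loader)
    if not exists(target):
        problems.append(f"loader {efi_loader} not found on the ESP ({target}); "
                        "efibootmgr would still create the entry")
    return problems


# Constructed mount tables: a live session with the target system under /mnt,
# before and after the bind mount mortenpj used.
MOUNTS_BEFORE = """\
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/mint--vg-root /mnt ext4 rw,relatime 0 0
/dev/sda1 /mnt/boot/efi vfat rw,relatime 0 0
sysfs /mnt/sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""
MOUNTS_AFTER = MOUNTS_BEFORE + (
    "efivarfs /mnt/sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0\n"
)
LOADER = r"\EFI\Mint\kernel.efi"

if __name__ == "__main__":
    on_esp = {"/mnt/boot/efi/EFI/Mint/kernel.efi"}   # stand-in for the ESP contents
    for label, table in (("before bind mount", MOUNTS_BEFORE), ("after bind mount", MOUNTS_AFTER)):
        print(label, preflight(parse_mounts(table), "/mnt", "/mnt/boot/efi", LOADER,
                               exists=on_esp.__contains__))
```

On a real machine call `preflight(parse_mounts(open("/proc/self/mounts").read()), "/mnt", "/mnt/boot/efi", LOADER)` with the default `exists`; the `exists` parameter is injectable only so the check can be exercised without an ESP present. Running efibootmgr outside the chroot avoids the efivarfs problem, as linux22 says, but the loader-path check is worth keeping either way, since a typo in `-l` produces a boot entry the firmware cannot start.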