Feature Request: full disk/ root encryption

[superkeyor]

Feature Description

Is it possible to support Luks encrypted full disk encryption? Like what Armbian did: armbian/build#947

[Aelliari]

I run ubuntu with root patrition on btrfs.
I think you can get what you want in the same way.

Is possible to do it manually, if /boot is not encrypted on separate partition
To do this you will have to put dtb/dtbo on /boot, and set the mount parameters in /etc/kernel/cmdline, set /etc/fstab, set new path to dtb/dtbo in /etc/default/u-boot.
And also need fix in /usr/sbin/u-boot-update
Personally, I removed the check for the dtb file in the specified path because it caused problems during this installation. Since the path in the mounted file system and the path at boot for U-boot were different. Since in the current form, with verification - extlinux.conf was generated without specifying dtb. After that I could not get a boot

P.S. Also, I personally made a simple systemd-script that updates dtb/dtbo in /boot after startup if they have changed and reboots sbc

[superkeyor]

@Aelliari did you encrypt after burning the image from this repo? I was thinking of an easy way: encryption will be achieved via burning itself. Would you mind sharing some scripts in your case?

[Aelliari]

Sorry, I partitioned the disk, deployed the image, and set the mount points completely manually. I can give you an example of what and how to fix in the configuration files, I can give you my systemd unit keeping dtb/dtbo up to date in case of an update, but I didn't prepare scripts for automated installation.

I guess I could try to make an automated script, but I'm not ready to do that today

[superkeyor]

Whenever you have some time, could you provide detailed steps for this? Your earlier explanation went a bit over my head. I'm okay with manual operations.

It seems you're the only person online who has managed to get LUKS working with this image! Something like this guide would be great: https://codeberg.org/keks24/raspberry-pi-luks/src/branch/debian_10_buster#encrypting-the-root-partition-manually

Thanks a lot!

[DiegoBM]

Also interested in this

[jsiddall]

I run ubuntu with root patrition on btrfs. I think you can get what you want in the same way.

Is possible to do it manually, if /boot is not encrypted on separate partition To do this you will have to put dtb/dtbo on /boot, and set the mount parameters in /etc/kernel/cmdline, set /etc/fstab, set new path to dtb/dtbo in /etc/default/u-boot. And also need fix in /usr/sbin/u-boot-update Personally, I removed the check for the dtb file in the specified path because it caused problems during this installation. Since the path in the mounted file system and the path at boot for U-boot were different. Since in the current form, with verification - extlinux.conf was generated without specifying dtb. After that I could not get a boot

P.S. Also, I personally made a simple systemd-script that updates dtb/dtbo in /boot after startup if they have changed and reboots sbc

I am trying to get a btrfs root like you said you have working. I got a working ext4 root on NVMe so I know u-boot is setup for SPI booting. I then replaced the ext4 root with a btrfs root, moved /boot to a separate ext4 partition, updated /etc/fstab on the btrfs filesystem to show btrfs root and ext4 /boot with correct UUIDs, then chrooted to the btrfs root and ran u-boot-update. I can see the UUID of extlinux.conf has the btrfs UUID so it definitely got updated. However, the OPI5 gets stuck in a boot loop (nothing on screen) when I try to boot.

@Aelliari Can you provide some tips on what else I need to do?

Thanks!

[Aelliari]

@jsiddall path to dtb/dtbo in extinux.conf set correctly?
I placed them in /boot, and specified the paths in /etc/default/u-boot. It is also worth considering that at the time of loading, the paths will differ from those in the loaded system, and I specified the path to dtb/dtbo as if my partition for /boot is the root of the fs.
P.S. I never did it right because I was too lazy, and this crutch is still with me

And also need fix in /usr/sbin/u-boot-update
Personally, I removed the check for the dtb file in the specified path because it caused problems during this installation

[jsiddall]

@jsiddall path to dtb/dtbo in extinux.conf set correctly? I placed them in /boot, and specified the paths in /etc/default/u-boot. It is also worth considering that at the time of loading, the paths will differ from those in the loaded system, and I specified the path to dtb/dtbo as if my partition for /boot is the root of the fs. P.S. I never did it right because I was too lazy, and this crutch is still with me

And also need fix in /usr/sbin/u-boot-update
Personally, I removed the check for the dtb file in the specified path because it caused problems during this installation

Thanks for the advice!

I did try putting rk3588s-orangepi-5.dtb in the U_BOOT_FDT line in the /etc/default/u-boot file, and also in the root of the /boot filesystem, but nothing showed up in the extlinux.conf when I ran the u-boot-update. So I manually put an entry in the extlinux,conf file but, of course, that didn't work. Hmmm...

I might just follow the path of least resistance and keep a small root on ext4 and add a btrfs on another partition to hold all the useful stuff.

[Aelliari]

@jsiddall maybe this help you

My fstree:

├── bin -> usr/bin
├── bin.usr-is-merged
├── boot
│   ├── config-6.1.0-1023-rockchip
│   ├── config-6.1.0-1025-rockchip
│   ├── DTB
│   │   ├── rk3588-orangepi-5-plus.dtb
│   │   └── rk3588-pwm14-m2.dtbo
│   ├── extlinux
│   │   └── extlinux.conf
│   ├── extlinux.bak
│   ├── initrd.img -> initrd.img-6.1.0-1025-rockchip
│   ├── initrd.img-6.1.0-1023-rockchip
│   ├── initrd.img-6.1.0-1025-rockchip
│   ├── initrd.img.old -> initrd.img-6.1.0-1023-rockchip
│   ├── lost+found
│   ├── System.map-6.1.0-1023-rockchip
│   ├── System.map-6.1.0-1025-rockchip
│   ├── vmlinuz -> vmlinuz-6.1.0-1025-rockchip
│   ├── vmlinuz-6.1.0-1023-rockchip
│   ├── vmlinuz-6.1.0-1025-rockchip
│   └── vmlinuz.old -> vmlinuz-6.1.0-1023-rockchip
├── dev
├── etc
├── home
├── lib -> usr/lib
├── lib.usr-is-merged
├── lost+found
├── media
├── mnt
├── opt
├── proc
├── root
├── run
├── sbin -> usr/sbin
├── sbin.usr-is-merged
├── srv
├── swap
├── sys
├── tmp
├── usr
├── var

/etc/default/u-boot

#U_BOOT_ALTERNATIVES="default recovery"
#U_BOOT_DEFAULT="l0"
#U_BOOT_PROMPT="1"
#U_BOOT_ENTRIES="all"
#U_BOOT_MENU_LABEL="Debian GNU/Linux"
#U_BOOT_PARAMETERS="ro earlycon"
#U_BOOT_ROOT=""
#U_BOOT_TIMEOUT="50"
U_BOOT_FDT="/DTB/rk3588-orangepi-5-plus.dtb"
#U_BOOT_FDT_DIR="/firmware/$(uname -r)/device-tree/"
U_BOOT_FDT_OVERLAYS="DTB/rk3588-pwm14-m2.dtbo"
#U_BOOT_FDT_OVERLAYS_DIR="/lib/firmware/"
#U_BOOT_SYNC_DTBS="true"

/usr/sbin/u-boot-update

--        if [ -e "${U_BOOT_FDT}" ] && [ -n "${U_BOOT_FDT}" ] && [ "/" = $(echo "${U_BOOT_FDT}" | head -c1) ]
++        if [ -n "${U_BOOT_FDT}" ] && [ "/" = $(echo "${U_BOOT_FDT}" | head -c1) ]

P.S. /boot is a separate EFI partition. I leave it as ext4

[jsiddall]

Thanks for the details, very helpful. I was missing the overlay (I thought that was optional?) but I need to figure out what that should be for a Pi 5. I also didn't have the patch on u-boot update. This should get me further.

[Aelliari]

I was missing the overlay (I thought that was optional?

Yep, overlay it’s optional, I use it for FAN control. if you don't use overlays you don't need it
P.S. if you ever want to use overlays in the future, the missing "/" in overlay line "/etc/default/u-boot" is not a typo. It's been three months and I still haven't gotten around to doing it right. I was too lazy to do this

[jsiddall]

Got it, thanks for the clarification!