
Author Topic:  UEFI plus dm-crypt  (Read 3279 times)

oneself
UEFI plus dm-crypt
« on: 2018/10/07, 05:04:12 »
Hi,


I'm trying to install Siduction on a laptop that seems to only support UEFI (Lenovo t480) using full disk encryption.  I've used full disk encryption in the past successfully with Siduction, but the added UEFI is throwing me for a loop.  I've done the following:
  • I've created a UEFI partition using parted (formatted as vfat32).
  • Created an encrypted partition on the rest of the disk.
  • Divided it up using lvm to include root, home, etc. partitions.
This is where I get into some trouble: when I use the latest installer that's available on the desktop (calamares, patience), it will not recognize the lvm partitions for some reason.  So, I can't tell it where my root, home, etc. partitions are.  I've also tried using cli-installer.  That works fine, however, it will not let me set a custom path for the UEFI partition.  So, I cannot mount it during the install and nothing gets installed there.


Is there a different installer I can try?  Am I using the default installer incorrectly?  Can I get the right files into the UEFI partition manually?


Thank you for any help.
There are 10 types of people, those who know binary and those who don't.

devil
Re: UEFI plus dm-crypt
« Reply #1 on: 2018/10/07, 07:56:10 »
There is and always will be the text-installer called cli-installer. That should work for you.

ReinerS
Re: UEFI plus dm-crypt
« Reply #2 on: 2018/10/07, 10:14:28 »
Hmm, I reinstalled my laptop not too long ago with LVM, luks/dm-crypt via calamares and it works.
regards
Reiner
slackware => SuSE => kanotix => sidux => aptosid  => siduction

melmarker
Re: UEFI plus dm-crypt
« Reply #3 on: 2018/10/07, 11:10:55 »
calamares is not ready for dm-crypt right now. This is intentional. And right now I veto activating crypt support - this will change if calamares is able to handle our preferred way to do encryption (LVM2+LUKS). We can talk about it again when cala fully supports this way of doing things. Second, this will depend on people who are able and willing to support it. Without that I'm not convinced that enabling crypt is a good idea.

Besides that: For supported hardware (UEFI, SSD) I just recommend transparent hardware encryption instead.

Finally: devil mentioned the cli-installer. cli-installer works just fine for this use case. There is a big but: With the upcoming release the cli-installer will not work anymore unless someone fixes it for usr-merged systems. usr-merge will be default with our upcoming release. We accept patches.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

oneself
Re: UEFI plus dm-crypt
« Reply #4 on: 2018/10/07, 16:29:54 »
I think I need a little more detail to understand what I'm doing wrong.

I don't think I need calamares to support encryption outright, I just need it to support lvm.  I've set up encryption manually myself behind the scenes, but when I start up the installer it does not see the lvm partitions.  It just shows me two partitions, the efi partition and one large partition which covers the entire rest of the drive (this is the one that has lvm on it).  Is this expected?  Am I doing something wrong?


As for cli-installer.  I've tried that as well.  The problem I am getting into is that I believe that the efi partition needs to be mounted under /boot/efi, but the cli-installer does not allow me to set a custom path for mounting.  Is this right?  Can I mount the efi partition somewhere else? or is there some other workaround?


Could someone that has gotten cli-installer to work tell me what steps they've taken?  Which partition did you mount on /boot and where did you mount your efi partition?  Where did you install the bootloader during the installation "MBR" or "partition"?  Did you run efibootmgr manually afterwards?  If so, what was the command?
« Last Edit: 2018/10/07, 22:39:24 by oneself »

oneself
Re: UEFI plus dm-crypt
« Reply #5 on: 2018/10/09, 16:05:22 »
Bumping this thread.  I'm really stuck here :(.


Is there any way to install the UEFI manually after the installation has completed?
Or maybe mount / and /boot/efi manually before the installer runs?


Any suggestion would be welcome.

GoinEasy9
Re: UEFI plus dm-crypt
« Reply #6 on: 2018/10/09, 20:29:02 »
I haven't done any UEFI installs for a while, but, if you want to look into it further, you might want to look into the man page for efibootmgr. While you can copy files into /boot/efi from the installation disk, you need to tell the UEFI bios what it's looking at. This might be different since I last played with it. My ASUS UEFI bios dates from 2011, and I believe it was 2014 when I last put siduction on that computer. Hopefully, it's easier to deal with now.  Heh, I've been hoping for a workable CoreBoot for a long time.
Linux Counter number 348347

oneself
Re: UEFI plus dm-crypt
« Reply #7 on: 2018/10/10, 16:00:10 »
Where would I get a working .efi file?  Do I need to use the one from the livecd or do I need to generate a new one somehow?

slaughterer
Re: UEFI plus dm-crypt
« Reply #8 on: 2018/10/12, 14:51:13 »
I will make a “silly” proposition: if not all laptops, most of them support backward compatibility.
Give it a try. You can still use UEFI.

oneself
Re: UEFI plus dm-crypt
« Reply #9 on: 2018/10/12, 16:13:02 »
I'm definitely not married to UEFI.  The only part I really need is the full disk encryption.


When I first installed Siduction on this new laptop (it's a Lenovo t480, btw) and it didn't boot up, the first thing I tried was to make the firmware use BIOS instead of UEFI.  I tried turning everything I could see to "legacy" mode, but could not get the laptop to boot.

tranquil
Re: UEFI plus dm-crypt
« Reply #10 on: 2018/10/15, 00:20:17 »
> Bumping this thread.  I'm really stuck here :( .
>
> Is there any way to install the UEFI manually after the installation has completed?
> Or maybe mount / and /boot/efi manually before the installer runs?
>
> Any suggestion would be welcome.

Maybe the following might be helpful:  Partitioning hard disk drives for BIOS-MBR, BIOS-GPT and UEFI-GPT in Linux

At the risk of getting flamed, why does anyone need to encrypt their whole disk?  Why not create a separate encrypted partition/container/file and use that to store your sensitive stuff?  I've never understood the need to encrypt the whole disk for personal use.
« Last Edit: 2018/10/15, 01:14:06 by tranquil »
Dual-booting Debian Stable and Unstable with Openbox window manager and Tint2 panel.

oneself
Re: UEFI plus dm-crypt
« Reply #11 on: 2018/10/15, 05:32:34 »
Thank you for the info.  I've managed to make some progress cobbling together some information from other posts.  I believe the problem I'm having is with properly registering the UEFI boot partition with the laptop firmware.  I believe I've found the right way to do this but the post you link to seems to go into that with more detail.  So, I'll give that a try.


Regarding full disk encryption, I'm using it on a work computer, and even though I admit it's a little paranoid (*he said while removing his tin foil hat*), I'm not 100% sure what the OS logs or saves to my unencrypted root partition and I would like to avoid taking any chances.  Furthermore, it used to be pretty straightforward to get this working when I first tried it.  Create an unencrypted boot partition and an encrypted partition.  Then create whatever structure you want using lvm.  Easy peasy.

tranquil
Re: UEFI plus dm-crypt
« Reply #12 on: 2018/10/16, 01:32:34 »
You're quite welcome.  I hope the info ends up being useful.  The post helped me with an ASUS laptop issue.  Seems the laptop has a funky UEFI implementation and eventually kernel/grub updates would render it unbootable.  I ended up having to format the hard drive as BIOS-MBR.  It has run flawlessly since.

oneself
[solved] Re: UEFI plus dm-crypt
« Reply #13 on: 2018/10/22, 21:37:53 »
I've tried a few different options and wasn't fully able to get it to work.  I think that the key is how to set up the partitions correctly.  My error was to create /boot in a separate partition instead of /boot/efi.  I finally got it to work the following way:

Code:
/dev/sda1 -> /boot/efi
/dev/sda2 -> /
/dev/sda3 -> /home
/dev/sda4 -> swap

I gave up on lvm and I have only 1 encrypted partition (/home) which I enabled through the graphical setup tool.  So, some compromises, but at least things work.  I could probably tweak this more but this is good enough for my purposes.
There are 10 types of people, those who know binary and those who don't.
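
An added example, not part of the thread and not siduction's own tooling: a check of which mount points have no dm-crypt layer beneath them, for comparing the layout from the last post with the LVM-on-LUKS layout from the first. The device names and both sample `lsblk -P` listings are constructed assumptions.

```shell
# Print mount points with no dm-crypt layer beneath them.
# Input on stdin: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
unencrypted_mounts() {
    awk '
    # Value of KEY="value"; the leading space keeps KNAME from matching in PKNAME.
    function field(line, key) {
        line = " " line
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        line = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", line); sub(/"$/, "", line)
        return line
    }
    {
        k = field($0, "KNAME"); order[++n] = k
        parent[k] = field($0, "PKNAME"); kind[k] = field($0, "TYPE")
        mnt[k] = field($0, "MOUNTPOINT")
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]; enc = 0
            # Walk towards the physical disk looking for a crypt mapping.
            for (d = k; d != ""; d = parent[d])
                if (kind[d] == "crypt") enc = 1
            if (mnt[k] != "" && !enc) print mnt[k]
        }
    }'
}

# Constructed sample: the layout from the last post (only /home on dm-crypt).
sample_final_layout() { cat <<'EOF'
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT="/home"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
EOF
}

# Constructed sample: EFI partition plus LVM on LUKS, as in the first post.
sample_lvm_on_luks() { cat <<'EOF'
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
EOF
}

sample_final_layout | unencrypted_mounts
```

The EFI system partition is listed for every layout, since the firmware has to read it unencrypted; for the layout from the last post the root filesystem and swap are listed as well.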