Difference between pages "FLOP:Boot-Update Redesign" and "Rootfs over encrypted lvm"

From Funtoo
  
This page describes a proposed rewrite of boot-update.
  
The goals in rewriting boot-update are as follows:
  
# Refactor code
# Add UEFI support
# Simplify Kernel Layout
  
== Refactor Code ==
  
Boot-update could use some code simplification. This will be accomplished with a simpler design that uses templates for text generation, and by simplifying the kernel layout (described below).
  
== UEFI Support ==
  
Boot-update currently doesn't support UEFI booting directly, and must be manually configured via the [[UEFI Install Guide]]. Part of this proposal involves adding UEFI support to boot-update.
  
== Simplify Kernel Layout ==
  
Currently, all kernels and initramfs images are installed into <tt>/boot</tt> directly and typically have the names <tt>kernel-SUFFIX</tt> or <tt>bzImage-SUFFIX</tt> and <tt>initramfs-SUFFIX</tt>. Boot-update needs to find the kernel and initramfs images and associate them with each other, and then parse the filename for version information.
  
This is not an optimal way to organize kernels. A much cleaner approach would be to have a <tt>/boot/kernels/VERSION/</tt> directory that contains files <tt>initramfs.gz</tt>, <tt>bzImage</tt>, <tt>System.map</tt>, etc. without any suffix. boot-update would then scan <tt>/boot/kernels</tt> and make all directory names available as kernels that could be booted. This simplifies kernel management as everything related to a particular kernel is organized in its own sub-directory.
  
In addition, special text files could exist in the <tt>/boot/kernels/VERSION/</tt> directory, such as <tt>label</tt>, which could contain a regular text name for the kernel that appears in the menu. A <tt>/boot/kernels/VERSION/grub.cfg</tt> could allow users to manually specify a <tt>grub.cfg</tt> section that is used to boot this kernel, which boot-update would use if found. Touching <tt>/boot/kernels/VERSION/default</tt> would allow a user to set the default kernel for booting. These types of changes would reduce the complexity contained in the <tt>/etc/boot.conf</tt> file, as more configuration data would be stored on the filesystem itself.
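As an added example (not boot-update's own code and not part of the original page), the following Python script scans a constructed /boot/kernels tree laid out as proposed above, honours the label, default and grub.cfg files, and renders GRUB menu entries; the root parameters, the sample versions and the stripping of quote characters from labels are assumptions made here:

```python
import tempfile
from pathlib import Path

def scan_kernels(boot_dir):
    """List kernels under boot_dir/kernels in the one-directory-per-version layout.
    A directory counts only if it holds a bzImage; label/default/grub.cfg are optional."""
    kernels_dir = Path(boot_dir) / "kernels"
    found = []
    for entry in sorted(kernels_dir.iterdir()):
        if not entry.is_dir() or not (entry / "bzImage").is_file():
            continue
        label_file = entry / "label"
        # Menu label comes from the label file; strip double quotes so a stray
        # character in that file cannot break the generated grub.cfg syntax.
        label = label_file.read_text().strip().replace('"', "") if label_file.is_file() else entry.name
        cfg_file = entry / "grub.cfg"
        found.append({
            "version": entry.name,
            "label": label or entry.name,
            "initramfs": (entry / "initramfs.gz").is_file(),
            "default": (entry / "default").exists(),
            "custom_cfg": cfg_file.read_text() if cfg_file.is_file() else None,
        })
    return found

def render_grub_cfg(kernels, root_params):
    """Render grub.cfg entries: a per-kernel grub.cfg fragment is used verbatim, otherwise
    a stock entry for /kernels/VERSION/ is generated; a 'default' file picks the default."""
    default_index = next((i for i, k in enumerate(kernels) if k["default"]), 0)
    lines = [f"set default={default_index}"]
    for k in kernels:
        if k["custom_cfg"] is not None:
            lines.append(k["custom_cfg"].rstrip())
            continue
        lines.append(f'menuentry "{k["label"]}" {{')
        lines.append(f'  linux /kernels/{k["version"]}/bzImage {root_params}')
        if k["initramfs"]:
            lines.append(f'  initrd /kernels/{k["version"]}/initramfs.gz')
        lines.append("}")
    return "\n".join(lines) + "\n"

def build_demo_tree():
    """Constructed sample /boot tree (not a real system): one kernel with label,
    default marker and initramfs, one that supplies its own grub.cfg fragment."""
    boot = Path(tempfile.mkdtemp())
    a = boot / "kernels" / "3.10.7-gentoo"
    a.mkdir(parents=True)
    for name in ("bzImage", "initramfs.gz"):
        (a / name).write_bytes(b"")
    (a / "label").write_text('Funtoo "Linux" 3.10.7\n')
    (a / "default").touch()
    b = boot / "kernels" / "3.12.0-rc1"
    b.mkdir(parents=True)
    (b / "bzImage").write_bytes(b"")
    (b / "grub.cfg").write_text('menuentry "rc1 (custom)" {\n  linux /kernels/3.12.0-rc1/bzImage root=/dev/sda3\n}\n')
    return boot

if __name__ == "__main__":
    print(render_grub_cfg(scan_kernels(build_demo_tree()), "root=/dev/sda3 ro"))
```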
  
[[Category:FLOP]]

Revision as of 22:47, 6 December 2013

This howto describes how to set up LVM and the root filesystem on a dm-crypt/LUKS-encrypted drive.


Prepare the hard drive and partitions

This is an example partition scheme; you may want to choose differently. /dev/sda1 is used as /boot, and /dev/sda2 will be the encrypted device that holds the LVM volumes.

/dev/sda1
/dev/sda2
dd if=/dev/zero of=/dev/sda2 bs=100M
dd if=/dev/urandom of=/dev/sda2 bs=100M

The dd step is optional and is there only for security: it overwrites any lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.

Note that dd will report reaching the end of the device. That is intentional and desired here, since it lets the command work without knowing the size of your device.

Encrypting the drive

# cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 dmcrypt_root

You will be prompted to enter the passphrase for the encrypted drive; type your paranoid passphrase there.

Create logical volumes

pvcreate /dev/mapper/dmcrypt_root
vgcreate vg /dev/mapper/dmcrypt_root
lvcreate -L10G --name root vg
lvcreate -L2G --name swap vg
lvcreate -L5G --name portage vg
lvcreate -l 100%FREE -nhome vg

Feel free to specify your desired sizes by altering the numbers after the -L flag. For example, to make your portage volume 20GB, use -L20G instead of -L5G.

Create a filesystem on volumes

mkfs.ext2 /dev/sda1
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkreiserfs /dev/mapper/vg-portage
mkfs.xfs /dev/mapper/vg-home

Basic system setup

swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt/funtoo
mkdir /mnt/funtoo/boot
mount /dev/sda1 /mnt/funtoo/boot

Now perform all the steps required for a basic system install by following the Funtoo Linux Installation guide (http://docs.funtoo.org/wiki/Funtoo_Linux_Installation), and don't forget to emerge the following packages:

# emerge cryptsetup lvm2 grub foo-sources

Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag enabled.

Kernel options

Important: do not miss this part. Under General setup --->

[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support

Under Device Drivers --->

Generic Driver Options  --->
   [*] Maintain a devtmpfs filesystem to mount at /dev
[*] Multiple devices driver support  --->
   <*> Device Mapper Support
   <*> Crypt target support

Under Cryptographic API --->

-*- AES cipher algorithms

<*> XTS support (EXPERIMENTAL)
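As an added example (not from the page or the better-initramfs project), a Python checker that parses a kernel .config and reports any of the options listed above that is missing or built as a module instead of built in, which matters because the initramfs used in this howto cannot load modules; the mapping from menu text to CONFIG_ symbols is an assumption of this example, and the sample .config fragment is constructed:

```python
import re

# Options required by this howto, keyed by the .config symbol each one sets.
# The menu-text-to-symbol mapping is this example's assumption, not page content.
REQUIRED = {
    "CONFIG_BLK_DEV_INITRD": "Initial RAM filesystem and RAM disk (initramfs/initrd) support",
    "CONFIG_DEVTMPFS": "Maintain a devtmpfs filesystem to mount at /dev",
    "CONFIG_MD": "Multiple devices driver support",
    "CONFIG_BLK_DEV_DM": "Device Mapper Support",
    "CONFIG_DM_CRYPT": "Crypt target support",
    "CONFIG_CRYPTO_AES": "AES cipher algorithms",
    "CONFIG_CRYPTO_XTS": "XTS support",
}

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(\S+)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

def parse_config(text):
    """Parse .config text into {symbol: value}; '# X is not set' is recorded as 'n'."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            values[m.group(1)] = "n"
    return values

def check_config(text):
    """Return a list of problems. Every required symbol must be =y; =m is reported
    too, because an initramfs without module loading cannot use it at boot."""
    values = parse_config(text)
    problems = []
    for sym, menu_text in REQUIRED.items():
        val = values.get(sym, "n")
        if val == "y":
            continue
        reason = "built as a module" if val == "m" else "not enabled"
        problems.append(f"{sym} ({menu_text}) is {reason}")
    return problems

# Constructed sample .config fragment (not from a real build): one option is
# built as a module and one is not set, so both should be reported.
SAMPLE_CONFIG = """\
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
"""

if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG):
        print("PROBLEM:", p)
```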


Initramfs setup and configuration

Build your initramfs with the better-initramfs project (https://bitbucket.org/piotrkarbowski/better-initramfs).

Note: better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices.

# git clone git@bitbucket.org:piotrkarbowski/better-initramfs.git
# cd better-initramfs
# less README.rst
# bootstrap/bootstrap-all
# make prepare
# make image

Copy resulting initramfs.cpio.gz to /boot.

# cp output/initramfs.cpio.gz /boot

Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads

# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# tar xf release-x86_64-v0.7.2.tar.bz2
# cd release*
# gzip initramfs.cpio
# cp initramfs.cpio.gz /boot

Remember that the better-initramfs project is a work in progress, so you need to update it from time to time. This is easily done with git: go to the better-initramfs source directory and run:

# git pull
# less ChangeLog

Read the ChangeLog carefully and make any necessary updates to /etc/boot.conf (see the example config below). Back up your working initramfs.cpio.gz and /etc/boot.conf before updating the initramfs.

Genkernel approach

Funtoo's genkernel is capable of creating an initramfs for an encrypted drive. Compile and install the kernel and initramfs from your favorite kernel sources:

genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all

Configure the bootloader with the correct kernel and initramfs image names. An example for genkernel and grub2:

Code: /etc/boot.conf
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-2.6.39
  initrd initramfs-genkernel-x86_64-2.6.39
  params += crypt_root=/dev/sda2 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Grub2 configuration

An example of /etc/boot.conf for better-initramfs

Code: /etc/boot.conf
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel bzImage[-v]
  initrd /initramfs.cpio.gz
  params += enc_root=/dev/sda2 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Code: /etc/fstab
# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  reiserfs  noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         xfs       noatime,nodiratime,osyncisdsync 0 0

Lilo configuration

For old-school geeks, an example for the lilo bootloader. Emerge lilo with device-mapper support:

# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
# emerge lilo

Code: /etc/lilo.conf
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
boot=/dev/sda
compact
default=funtoo
lba32
prompt
read-only
timeout=50
image=/boot/kernel-genkernel-x86_64-2.6.39
initrd=/boot/initramfs-genkernel-x86_64-2.6.39
label=funtoo

Syslinux bootloader setup

Syslinux is another advanced bootloader, which you can find on all live CDs.

# emerge syslinux
# mkdir /boot/extlinux
# extlinux --install /boot/extlinux
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
- or, for a GPT partition table -
# sgdisk /dev/sda --attributes=1:set:2
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda

Code: /boot/extlinux/extlinux.conf
LABEL kernel1_bzImage-3.2.1
MENU LABEL Funtoo Linux bzImage-3.2.1
LINUX /bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root

Final steps

Unmount everything, close the encrypted drive, and reboot:

umount /mnt/funtoo/proc /mnt/funtoo/dev /mnt/funtoo/home /mnt/funtoo/usr/portage /mnt/funtoo/boot
umount /mnt/funtoo
swapoff /dev/mapper/vg-swap
vgchange -a n
cryptsetup luksClose dmcrypt_root

After reboot you will get the following:

>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reding all physical volumes. This make take awhile...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:

Type your passphrase.

>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
   
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %

Additional links

* Root filesystem over LVM2, DM-Crypt, and RAID (Gentoo wiki)
* System Encryption with LUKS for dm-crypt: http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt