Notes on LUKS + EFISTUB

Running off of an encrypted root filesystem has been one of those things that never seemed to float to the top of the todo list. However, back in December (2018, this article lived in the drafts bin for quite some time), it finally made it to the top of the todo list. At the time, one was preparing the Dell XPS 15 9550 to replace the Ideapad s405 for travel. Encrypting everything seemed prudent for a travel laptop.

As of the writing of this article, LUKS is the standard way of encrypting a filesystem in Linux. Generally, a boot loader is used to kick off an initramfs which loads the basics (need LVM, dm-crypt, and LUKS) and prompts for the passphrase for decrypting the root filesystem. If you’re fine with running a boot loader, most guides will get you going with LUKS quite quickly.

However, running a full boot loader on UEFI systems feels archaic. There is just something about using the kernel’s built-in EFISTUB that feels more elegant. And, this is where things divert from the bog-standard path. Typically, when using the EFISTUB, one does not bother with an initramfs (compile the kernel for you known hardware set and you’re good to go). However, an initramfs is integral to having an encrypted root partition.

initramfs Woes

The first problem started with trying to get a working initramfs. Since one had not used an initramfs with EFISTUB previously, there were a few hurdles to overcome. Initially, one tried to use an external initramfs. However, the 9550 does not allow/pass UEFI parameters nicely, and using the built-in kernel command line to specify an external initrfamfs in the EFI boot partition did not work. So, the initramfs needs to be built into the kernel for the XPS15 9550. This lead to a second problem.

Initially, the initramfs that genkernel builds was tried. Unfortunately, it appears this is (as of late 2018) broken/not-suitable for situations where the initramfs needs to be bundled into the kernel. Luckily, betterinitramfs can be bundled into the kernel.

Naturally, there is one gotcha to keep in mind regarding betterinitramfs. As distributed, betterinitramfs does not populate /dev/disk/by-uuid et al. as it does not provide udev (or eudev). The end result is real root needs to be specified using /dev/BLOCKDEVICENAME rather than using PARTUUID.

Conclusion

While the setup of using EFISTUB with an LUKS encrypted root partition is a little esoteric, it is possible to get working. There are a bunch of UEFI related pitfalls waiting to snare you—different platforms will have a different mix of issues. Then again, all UEFI systems should be able to use the initramfs embedded in the kernel when using the EFISTUB boot loader. Regardless, this path is not advised for those learning about/using LUKS for the first time.

-John Havlik

U2F and Firefox on Funtoo

U2F is pretty neat. It can be used locally on a machine for authentication and for two factor authentication on websites. There are even plugins for using it on WordPress powered websites. At the time this article was written, Firefox does not enable U2F by default. Though, that looks to be changing with Firefox 68.

Enable U2F in Firefox

Enabling U2F in Firefox is fairly straightforward. In the URL bar enter: about:config. Then search for u2f. There should be an entry: security.webauth.u2f, set it to true.

Install pam_u2f

However, simply enabling U2F in Firefox is not enough for a U2F device to work. To get everything working, pam_u2f needs to be installed. On Funtoo, this is quite simple:

emerge -av pam_u2f

After installing pam_u2f, Firefox should now be able to query your U2F key.

Fix Linux Boot Halting on “Run /init as init process”

In the process of removing the remaining SandForce controller based SSDs from service, the opportunity to completely refresh the Funtoo install on the XPS 15 9530 was taken. Part of this was to try to figure out why recently sddm would not start until a bit of keyboard mashing occurred (literally pushing the enter key a dozen times in a row caused sddm to start, waiting was simply not enough).

The install was fairly painless—most problems tend to be involve getting the proper device drivers compiled into the kernel. Given there was already a known good kernel config, that was used for the building the kernel on the new install. However, on the first boot off of the new SSD, the boot process halted at:

[2.754164] Freeing unused kernel image memory: 1020K
[2.756196] Write protecting the kernel read-only data: 20480k
[2.758698] Freeing unused kernel image memory: 1980K
[2.760892] Freeing unused kernel image memory: 620K
[2.764980] Run /sbin/init as init process

The init system (OpenRC), for some reason, did not actually kick off. Plugging in a USB device confirmed that the kernel itself was still running. Thus, it was not something simple such as the root device being inaccessible (that causes a kernel panic). But, in this state, the system was not usable (no login prompt).

After a bit of sleuthing and stumbling, a solution was found. The following was added to the kernel config:

CONFIG_DEVTMPFS_MOUNT=y

After rebuilding the kernel and rebooting, the system finally booted completely. Still, this is a little unnerving. This machine never needed this setting before. Additionally, I have not needed this setting on any other machine.

Tagged: ,
Updated:

U2F and KDE/SDDM on Funtoo

U2F keys, such as the yubico YubiKey are relatively easy and inexpensive way to add two factor authentication to one’s workstation. Adding U2F authentication to local accounts on a linux machine is quite easy. In Gentoo/Funtoo, the pam_u2f ebuild will provide everything you need to get started.

Continue reading

Funtoo Plex Media Server Overlay

Both Gentoo and Funtoo provide Plex Media Server within their portage repositories via the plex-media-server ebuild. However, lately, Funtoo’s plex-media-server ebuild within media-kit has fallen behind Plex releases. The quick solution is to use Ghent’s funtoo-plex overlay. With Funtoo moving to kits, local overlays are quite easy to use.

Assuming an install setup per the Funtoo default kits instructions, start by creating a directory for your overlays. Then, clone Ghent’s funtoo-plex overlay:

mkdir /var/git/overlay
cd /var/git/overlay
git clone https://github.com/Ghent/funtoo-plex.git

At the time of writing, Ghent’s overlay is still configured for a pre-kits setup. Fortunately, migrating to a kits compatible setup is straight forward: open up /var/git/overlay/funtoo-plex/metadata/layout.conf and replace masters = gentoo with masters = core-kit.

The last step is to create /etc/portage/repos.conf/funtoo-plex.conf. Place the following into /etc/portage/repos.conf/funtoo-plex.conf:

[DEFAULT]
main-repo = core-kit

[funtoo-plex]
location = /var/git/overlay/funtoo-plex
auto-sync = no
priority = 10

Now, running emerge -av plex-media-server should grab the newer ebuilds from Ghent’s funtoo-plex overlay. Note that you will need to occasionally pull the latest master branch in the repo using git pull origin master from within /var/git/overlay/funtoo-plex/.

-John Havlik

[end of transmission, stay tuned]

Tagged: ,
Updated: