
@h3po
Last active December 16, 2022 16:12
Debian bookworm secure-booting unified kernel from lvm on luks on md raid1

references

preparing live environment for debootstrap

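# Tools for the live environment: sshd for remote work, debootstrap, GPT/FAT
# tooling and the md/LVM userspace. cryptsetup is used below but not installed
# here, so it is assumed to be present on the live image already.
apt update
apt install --yes openssh-server debootstrap gdisk dosfstools mdadm lvm2
# sshd is started for convenience; the live image's root password is whatever
# the image ships with, so set one (passwd) or use key auth before exposing it.
systemctl start sshd

# Target disks (whole devices -- they are wiped below), hostname and mirror.
# apt verifies Release signatures, so plain http is acceptable for the mirror.
DISK1=/dev/vda
DISK2=/dev/vdb
HOSTNAME=bookworm-secureboot-test
MIRROR=http://deb.debian.org/debian
# Interface carrying the default route. head -n1 guards against more than one
# default route, which would otherwise leave NIC holding several lines and
# produce a broken interfaces.d file name later.
NIC=$(ip -o -4 route show to default | awk '{print $5}' | head -n1)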

disk formatting

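# Partition DISK1: p1 = 512M ESP (EF00), p2 = rest as "Linux RAID" (FD00), then
# clone the table onto DISK2. -R copies the disk and partition GUIDs too: that
# keeps a firmware boot entry (which names the ESP by partition GUID) valid for
# either disk, but anything keyed on PARTUUID now sees duplicates. Run
# `sgdisk -G "$DISK2"` here if unique GUIDs are preferred instead.
sgdisk -Z -n1:2048:+512M -t1:EF00 -n2:0:0 -t2:FD00 "$DISK1"
sgdisk -R "$DISK2" "$DISK1"

# ESP mirror with metadata 0.90: that superblock lives at the END of the member,
# so the firmware (which knows nothing about md) sees a plain FAT32 partition on
# either disk. It must only ever be written through /dev/md127; any write to a
# member directly would silently desynchronise the mirror. The root mirror uses
# the default 1.2 superblock. Chunk size is not a RAID1 parameter (mdadm only
# honours it for RAID0/4/5/6/10), so the original "optimize chunksize" todo
# does not apply here.
mdadm --create --verbose /dev/md127 --level=1 --raid-devices=2 --metadata=0.90 "${DISK1}1" "${DISK2}1"
mdadm --create --verbose /dev/md126 --level=1 --raid-devices=2 --metadata=1.2 "${DISK1}2" "${DISK2}2"

# Encrypt the root mirror. The passphrase entered here remains the recovery
# path; the TPM2 slot enrolled later is only an additional unlock method.
# systemd-cryptenroll needs LUKS2 (the bookworm default), pinned explicitly.
cryptsetup luksFormat --type luks2 /dev/md126
cryptsetup luksOpen /dev/md126 raid_crypt

# LVM on the decrypted device. The original listing had a stray
# `pvcreate pv_root ...` and `lvcreate lv_root vg_root` (both invalid argument
# orders that lvm rejects); pvcreate takes only devices and the LV is created
# once, with its size and name.
pvcreate /dev/mapper/raid_crypt
vgcreate vg_root /dev/mapper/raid_crypt
lvcreate -l100%free -n lv_root vg_root

# FAT32 on the ESP mirror, ext4 on the root LV.
mkdosfs -F 32 -s 1 -n EFI /dev/md127
#todo: optimize blocksize
mkfs -t ext4 -L root /dev/mapper/vg_root-lv_root

mount /dev/mapper/vg_root-lv_root /mnt
mkdir /mnt/efi
mount /dev/md127 /mnt/efi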

debootstrap the installation

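# debootstrap wants a writable /run (and /run/lock) inside the target.
mkdir /mnt/run
mount -t tmpfs tmpfs /mnt/run
mkdir /mnt/run/lock
debootstrap bookworm /mnt "$MIRROR"

# fstab lists only the ESP; the root filesystem is found via the kernel command
# line dracut embeds in the UKI (hostonly_cmdline=yes in the dracut config).
# The md array UUID is used so the mirror, not one member, gets mounted;
# `mdadm --detail` prints it as "UUID : a:b:c:d", i.e. the third field.
# umask=0077 (hardening, not needed for function) keeps the boot loader, UKIs
# and enrolled certificates readable by root only.
esp_md_uuid=$(mdadm --detail /dev/md127 | awk '/UUID/ {print $3}')
printf '%s\n' "/dev/disk/by-id/md-uuid-${esp_md_uuid} /efi vfat defaults,umask=0077 0 0" > /mnt/etc/fstab
printf '%s\n' "$HOSTNAME" > /mnt/etc/hostname
printf '127.0.1.1\t%s\n' "$HOSTNAME" >> /mnt/etc/hosts
printf 'auto %s\niface %s inet dhcp\n' "$NIC" "$NIC" > "/mnt/etc/network/interfaces.d/$NIC"
# Plain "bookworm main". The original passed [check-valid-until=false], which
# disables the Release-file expiry check and lets a stale or replayed mirror
# pass signature verification; that option is only warranted for
# snapshot.debian.org, not for deb.debian.org.
printf 'deb %s bookworm main\n' "$MIRROR" > /mnt/etc/apt/sources.list

# Bind the live system's /dev, /proc and /sys into the target and enter it.
# --make-private stops mounts made inside the chroot from propagating back.
mount --make-private --rbind /dev /mnt/dev
mount --make-private --rbind /proc /mnt/proc
mount --make-private --rbind /sys /mnt/sys
chroot /mnt bash --login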

finalize the configuration for first boot

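# Inside the chroot. Set the root password first so the target is never left
# bootable with an empty one.
passwd

ln -s /proc/self/mounts /etc/mtab
apt update
# dracut builds the UKI, systemd-boot(-efi) supplies the stub and boot manager,
# sbsigntool signs, efitools/mokutil/efibootmgr are for the firmware side and
# tpm2-tools is only for inspection: the TPM2 unlock itself is done by systemd.
# The initramfs built while the kernel installs is replaced below once the UKI
# config exists.
apt install --yes console-setup locales chrony dosfstools wget dracut efitools efibootmgr sbsigntool python3 tpm2-tools linux-image-amd64 linux-doc systemd-boot systemd-boot-efi mokutil gdisk
dpkg-reconfigure locales tzdata keyboard-configuration console-setup
# locale en_US.UTF8 + keyboard German + timezone Europe/Berlin + "Latin1 and Latin5" + Terminus + 8x16

# Secure Boot key hierarchy (PK, KEK, DB) from Rod Smith's helper script. The
# script is fetched over HTTPS with no integrity check, so read it before it is
# executed. The private keys live in /root on the encrypted root filesystem;
# DB.key signs every future UKI, so keep the directory and keys root-only.
# PK.key/KEK.key are only needed to change the key hierarchy and could be
# moved offline once the certificates are enrolled.
mkdir -m 0700 /root/secure-boot-keys
cd /root/secure-boot-keys
wget https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
less mkkeys.sh   # review before executing
chmod +x mkkeys.sh
sed -i 's/rsa:2048/rsa:4096/g' mkkeys.sh   # 4096-bit keys
sed -i 's/read NAME/NAME=$1/g' mkkeys.sh   # take the CN from argv instead of prompting
./mkkeys.sh "$(cat /etc/hostname)"
chmod 0600 ./*.key
# Public certificates go to the ESP so they can be enrolled as PK/KEK/DB from
# the firmware setup (KeyTool from efitools also works); that step is manual.
cp DB.cer PK.cer KEK.cer /efi/

# dracut: build a signed unified kernel image (stub + kernel + cmdline + initrd)
# for this host only. The tpm2-tss module is needed to unlock LUKS in the initrd.
cat > /etc/dracut.conf.d/99-uki.conf <<'EOF'
hostonly=yes
hostonly_cmdline=yes
reproducible=yes
uefi=yes
uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
uefi_secureboot_cert=/root/secure-boot-keys/DB.crt
uefi_secureboot_key=/root/secure-boot-keys/DB.key
add_dracutmodules+=" tpm2-tss "
early_microcode=yes
EOF

# Build the UKI for every installed kernel instead of hard-coding one version
# (`uname -r` inside the chroot reports the live kernel, not the target's).
dracut --regenerate-all --force

# TPM2 unlock for the root LUKS volume, bound to PCRs 0-5 and 7. The PCR values
# are read from the TPM of the *currently running* environment, i.e. the live
# image here, so this enrolment will not match the installed system: rerun both
# lines after the first boot with Secure Boot enabled and the keys enrolled.
# PCR 4 changes with every UKI/boot loader update and PCR 7 with any Secure
# Boot key change; the passphrase is the fallback until re-enrolment.
systemd-cryptenroll --wipe-slot=tpm2 /dev/md126
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7 /dev/md126

# /efi is an md device, so bootctl cannot verify the ESP partition type; relax
# that check. It may also be unable to create a firmware boot entry for an
# md-backed ESP, which is why the fallback path EFI/BOOT/bootx64.efi is signed
# as well. bootctl installs unsigned binaries, sign them in place with the DB
# key. Anything that runs `bootctl update` later (check whether
# systemd-boot-update.service is enabled) reinstalls unsigned binaries and
# needs this re-signing step again.
SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install
sbsign --key /root/secure-boot-keys/DB.key --cert /root/secure-boot-keys/DB.crt --output /efi/EFI/systemd/systemd-bootx64.efi /efi/EFI/systemd/systemd-bootx64.efi
sbsign --key /root/secure-boot-keys/DB.key --cert /root/secure-boot-keys/DB.crt --output /efi/EFI/BOOT/bootx64.efi /efi/EFI/BOOT/bootx64.efi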

booting with a missing/broken drive

Boot with one RAID member missing and wait for the boot to fail: the root device does not appear on the degraded mirror, dracut times out and drops into its emergency shell. From there the storage stack is brought up by hand:

# Assemble whatever members are present; with one disk gone the arrays start
# degraded (the message below was observed for md127).
mdadm --assemble --scan
# -> /dev/md127 has been started with 1 drive (out of 2)
# Unlock the root LUKS volume; expect a passphrase prompt, as the TPM2 slot may
# not match in this state. Then activate the LVM volume by hand.
systemctl start cryptsetup.target
lvm pvscan
lvm vgscan
lvm lvscan
lvm lvchange -ay vg_root/lv_root
# Hand the root filesystem to dracut at /sysroot and resume the normal boot.
mount -t ext4 /dev/mapper/vg_root-lv_root /sysroot
# ctrl+D to continue boot

replace a broken drive

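# /dev/vda: working drive, /dev/vdb: new drive
GOOD_DISK=/dev/vda
NEW_DISK=/dev/vdb
# Clone the partition table onto the new drive. Same caveat as at install time:
# -R also copies the disk and partition GUIDs (which keeps the firmware boot
# entry valid for the new disk); `sgdisk -G "$NEW_DISK"` would randomise them.
sgdisk -R "$NEW_DISK" "$GOOD_DISK"
# Shrink both mirrors to the one remaining member so the "removed" slot goes
# away, then add the new partitions and grow back to two members.
mdadm --grow /dev/md126 --raid-devices=1 --force
mdadm --grow /dev/md127 --raid-devices=1 --force
mdadm --manage /dev/md126 --add "${NEW_DISK}2"
mdadm --manage /dev/md127 --add "${NEW_DISK}1"
mdadm --grow /dev/md127 --raid-devices=2
mdadm --grow /dev/md126 --raid-devices=2
# Resync starts now; the mirrors are only redundant again once it completes.
cat /proc/mdstat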