Install Slackware Linux with Full Disk Encryption on a UEFI system

In a previous post, I installed Slackware Linux on a ThinkPad T460s. This was my first time back on Slackware in a long time and, after reading and experimenting, it seems to me that there is a better / smarter / simpler way to install Slackware using FDE on a UEFI system.

There seems to be a sharp dividing line over whether the /boot partition needs to be encrypted. Long story short, keeping /boot unencrypted leaves your computer open to various attacks. I looked at how various distributions configure FDE, and this point seems to be half religious and half a software issue, mostly around what Grub can or can't do. Distributions like Fedora or Linux Mint configure FDE while keeping /boot unencrypted. Arch Linux documents three or four ways to achieve FDE, some with and some without an encrypted /boot. Pop!_OS and Manjaro offer a completely encrypted system, although using different bootloaders.

The Slackware documentation concentrates on using LILO on MBR systems. Booting a UEFI system requires either ELILO or Grub. The latter not being the best-documented choice, for my taste, I went with ELILO and encrypting as much of the filesystem as possible. So the big picture goes like this:

You may run the Slackware installation via SSH. I find this very convenient as it allows commands to be copy-pasted easily. All the commands below can be copy-pasted as is into a shell. BE SURE TO REVIEW THE COMMANDS BEFORE EXECUTING THEM. I shall not be held responsible if you screw up your computer ;-)

Set up variables to describe the disk device, partition ids and sizes.

DISK=nvme0n1
PART_EFI=nvme0n1p1
PART_LUKS=nvme0n1p2

LV_SWAP=24G
LV_ROOT=120G
LV_HOME=100%FREE

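# Overwrite the whole disk with random data. This destroys everything on /dev/$DISK.
# dd stops with "No space left on device" once the disk is full.
dd if=/dev/urandom of=/dev/$DISK bs=10M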

Create the EFI and Linux partitions. Format the EFI one.

# Create GPT disklabel
echo -e "g\nw\nq" | fdisk /dev/$DISK
sleep 2
# Create EFI System partition
echo -e "n\n1\n\n+64M\nt\n1\nw\nq" | fdisk /dev/$DISK
sleep 2
# Create LUKS/LVM partition
echo -e "n\n2\n\n\nt\n2\n30\nw\nq\n" | fdisk /dev/$DISK

mkfs.vfat /dev/$PART_EFI

The sleep commands may not be required. They only proved necessary when testing in VirtualBox instances.

Create the LUKS encrypted partition and open it.

cryptsetup -y luksFormat /dev/$PART_LUKS
cryptsetup luksOpen /dev/$PART_LUKS tatooine

Create the LVM volume group and logical volumes.

vgcreate slacker /dev/mapper/tatooine
lvcreate -L ${LV_SWAP} -n swap slacker
lvcreate -L ${LV_ROOT} -n root slacker
lvcreate -l ${LV_HOME} -n home slacker

My personal choice is to separate the system from the home directory. I also include /boot in /. Using ELILO, we don’t really use it to boot.

Prepare the swap partition and run the installer.

mkswap /dev/slacker/swap

setup

Nothing special here except the trick to correct EFI when installing Slackware from a USB stick. See here.

Once the installation is finished, choose to Exit Slackware Linux Setup. Further changes are required, so DO NOT (R)eboot; exit to the (S)hell instead.

Copy the EFI files from USB to /boot/efi/... and apply changes to /mnt/etc/fstab, if required.

Switch to the installed system using chroot.

chroot /mnt

Build a proper / custom initrd image. My usage includes a French keyboard layout, hibernation on encrypted swap and USB keyboard support.

$(/usr/share/mkinitrd/mkinitrd_command_generator.sh -r \
  -a "-l fr -h /dev/slacker/swap" -m "uhci-hcd:usbhid")
(...)
/boot/initrd.gz created.
Be sure to run lilo again if you use it.

ELILO should already be installed. If it was not, you may run elilo now. On kernel upgrades, you will have to run the mkinitrd command again, specifying the new kernel version. Then, copy both the kernel and initrd files to the EFI partition. Something like this:

$(/usr/share/mkinitrd/mkinitrd_command_generator.sh -r -k 5.15.80 \
  -a "-l fr -h /dev/slacker/swap" -m "uhci-hcd:usbhid")

cp -pHv /boot/{initrd.gz,vmlinuz} /boot/efi/EFI/Slackware/

As stated in the documentation, elilo.conf should be amended to allow hibernation on swap. Mine looks like this:

# cat /boot/efi/EFI/Slackware/elilo.conf
chooser=simple
delay=1
timeout=1
#
image=vmlinuz
	label=vmlinuz
	initrd=initrd.gz
	read-only
	append="root=/dev/slacker/root vga=normal ro resume=/dev/slacker/swap"
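
As an added example (not part of the original post), the check below can be run before rebooting or after a kernel upgrade: it confirms that the kernel and initrd named in elilo.conf are byte-identical on the EFI partition and in /boot, and that the append line carries root= and resume=. The function names and the sample tree built by make_sample are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: verify the ESP before rebooting.

# conf_value KEY FILE: print the value of the first "KEY=..." line, quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | head -n 1 | tr -d '"'
}

# check_esp BOOT_DIR ESP_DIR: return 0 if the ESP copies match BOOT_DIR and
# elilo.conf passes root= and resume= to the kernel; print each problem found.
check_esp() {
    boot=$1; esp=$2; conf=$esp/elilo.conf; rc=0
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    for key in image initrd; do
        name=$(conf_value "$key" "$conf")
        if [ -z "$name" ] || [ ! -f "$esp/$name" ]; then
            echo "$key: '$name' not present in $esp"; rc=1
        elif ! cmp -s "$boot/$name" "$esp/$name"; then
            # Typical after a kernel upgrade when the cp step was skipped.
            echo "$key: $esp/$name differs from $boot/$name"; rc=1
        fi
    done
    append=$(conf_value append "$conf")
    for arg in root= resume=; do
        case " $append" in
            *" $arg"*) ;;
            *) echo "append: no $arg argument"; rc=1 ;;
        esac
    done
    return "$rc"
}

# make_sample DIR: build a constructed /boot + ESP tree (placeholder contents,
# elilo.conf modelled on the one shown above) to try the check offline.
make_sample() {
    mkdir -p "$1/boot" "$1/esp"
    echo "constructed kernel 1" > "$1/boot/vmlinuz"
    echo "constructed initrd 1" > "$1/boot/initrd.gz"
    cp "$1/boot/vmlinuz" "$1/boot/initrd.gz" "$1/esp/"
    printf 'image=vmlinuz\n\tinitrd=initrd.gz\n\tappend="%s"\n' \
        "root=/dev/slacker/root vga=normal ro resume=/dev/slacker/swap" \
        > "$1/esp/elilo.conf"
}

# On the installed system: sh check_esp.sh /boot /boot/efi/EFI/Slackware
if [ "$#" -eq 2 ]; then check_esp "$1" "$2"; fi
```

Because ELILO loads vmlinuz and initrd.gz from the FAT-formatted EFI partition, those two copies are the part of this setup that stays unencrypted.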

You can now reboot.

exit
reboot

ELILO will boot straight away. The booting process will ask for the encryption passphrase and continue to the Linux | Xorg console.

Now is time to get some slack.