2

I'm trying to achieve LUKS-encrypted CentOS 7 install with separate /boot partition and lvm on EFI-friendly motherboard.

I've done partitioning fresh CentOS install from old CentOS(installed from GUI) and it looks like this:

sdb             8:16   0 745,2G  0 disk  
├─sdb1          8:17   0   200M  0 part  /home/user/target/boot/efi
├─sdb2          8:18   0     1G  0 part  /home/user/target/boot
├─sdb3          8:19   0   700G  0 part  
│ └─crypto    253:3    0   700G  0 crypt 
│   ├─lv-swap 253:4    0    16G  0 lvm   
│   ├─lv-root 253:5    0    50G  0 lvm   /home/user/target
│   └─lv-home 253:6    0   634G  0 lvm   /home/user/target/home

Bootstrapping also succeded in CentOS chroot (used this and this tutorials) and now ready to generate boot image.

The matter is that I've decided to use non-standart algorithm in cryptsetup:

cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash sha256 --iter-time 3000 --use-random luksFormat /dev/sdb3

and now I wonder how to to generate correct initrd with my parameters.

Tutorials tell me that the next step is:

mkinitcpio -p linux however there is no mkinitcpio command or /etc/mkinitcpio.conf to change HOOKS list in order to lvm and encrypt work correct.

However, there is only initrd that is unfamiliar to me due to lack of knowledge about rpm-based distros. Search of initrd examples for my case was out of luck.

Now there are several files/directories in /boot inside chroot:

bash-4.2# ls
config-3.10.0-514.16.1.el7.x86_64  grub2                                     symvers-3.10.0-514.16.1.el7.x86_64.gz
efi                                initramfs-3.10.0-514.16.1.el7.x86_64.img  System.map-3.10.0-514.16.1.el7.x86_64
grub                               lost+found                                vmlinuz-3.10.0-514.16.1.el7.x86_64

But I doubt that they are support serpent encryption or even luks as soon as these files were generated during bootstrap.

So, my question is how do I make correct boot toolchain with luks and serpent starting from kernel image generation?

Though maybe I should use initramfs instead of initrd, so any hints about this approach is also appreciated.

Improve this question

1 Answer 1

Reset to default
1

Finally I've finished set up and ready to share finite instruction set of how its done for CentOS 7.

I've skipped partitioning and manual bootstrapping - there are plenty complete manuals elsewhere.

So, start having this partitioning variant:

sdb             8:16   0 745,2G  0 disk  
├─sdb1          8:17   0   200M  0 part
├─sdb2          8:18   0     1G  0 part
└─sdb3          8:19   0   700G  0 part  
  └─crypto    253:3    0   700G  0 crypt 
    ├─lv-swap 253:4    0    16G  0 lvm   
    ├─lv-root 253:5    0    50G  0 lvm
    └─lv-home 253:6    0   634G  0 lvm

then, mount necessary drives, so it becomes:

sdb             8:16   0 745,2G  0 disk  
├─sdb1          8:17   0   200M  0 part  /home/user/target/boot/efi
├─sdb2          8:18   0     1G  0 part  /home/user/target/boot
└─sdb3          8:19   0   700G  0 part  
  └─crypto    253:3    0   700G  0 crypt 
    ├─lv-swap 253:4    0    16G  0 lvm   
    ├─lv-root 253:5    0    50G  0 lvm   /home/user/target
    └─lv-home 253:6    0   634G  0 lvm

Step 0. Prepare chroot script. Repeating mount's every reboot is tedious so I've end up with this elementary chroot script:

#!/bin/bash
sudo mount /dev/mapper/lv-root /home/user/target
sudo mount /dev/sdb2 /home/user/target/boot
sudo mount /dev/sdb1 /home/user/target/boot/efi
sudo mount --bind /proc /home/user/target/proc
sudo mount --bind /dev /home/user/target/dev
sudo mount --bind /sys /home/user/target/sys
sudo chroot /home/user/target /bin/bash -l

Step 1. Install missing EFI-specific modules (outside chroot):

sudo yum --installroot=/home/user/target install -y efibootmgr grub2-efi-modules

Step 2. Edit /etc/crypttab

crypto UUID=UUID_of_/dev/sdb3 none luks,discard

Reason for discard - I'm using ssd and neglecting a bit of security for better TRIM performance. Details.

Step 3. Edit /etc/dracut.conf

omit_dracutmodules+="systemd"
add_dracutmodules+="crypt lvm" #sequencing could matter
hostonly="yes" #optional
lvmconf="yes"

Step 4. Edit /etc/fstab

UUID=UUID_of_/dev/sdb1                      /boot/efi       vfat    umask=0077  0 0
UUID=UUID_of_/dev/sdb2                      /boot           ext2    defaults    0 0
UUID=UUID_of_/dev/mapper/lv-root            /               ext4    defaults    0 0
UUID=UUID_of_/dev/mapper/lv-home            /home           ext4    defaults    0 0
UUID=UUID_of_/dev/mapper/lv-swap            none            swap    sw          0 0

Step 5. Edit /etc/default/grub

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_CMDLINE_LINUX="rd.lvm.lv=lv/swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us rd.luks.options=discard rd.luks.uuid=UUID_of_/dev/sdb3 crashkernel=auto rd.lvm.lv=lv/root rd.lvm.lv=lv/home nomodeset"
GRUB_THEME="/boot/grub2/themes/system/theme.txt"

rd.luks.options=discard - may be redundant, correct me if it is.

nomodeset - to eliminate hw driver concurrency (noveaufb vs EFI VGA)

Step 6. Execute grub2-mkconfig -o /boot/grub2/grub.cfg

Step 7. Execute grub2-install --target=x86_64-efi --efi-directory=/boot/efi

Step 8. Execute dracut -fv

All above steps need to be done inside chroot unless otherwise stated.

Turned out that encryption algorithm chosen not influenced in any way - grub have all needed drivers loaded automatically.

Here are materials that helped me: 1, 2, 3, 4, 5

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.