Hi all,
Here's how you install Ubuntu 14 with a LUKS-encrypted / and /boot partition when using Apple's "quirky and fun" EFI:
- Insert a USB stick, and boot the installer into "Try Ubuntu" mode (you need to be able to start an xterm before rebooting).
- Install Ubuntu. On the hard disk, you'll want to create a 64M empty partition, a 256M /boot (unencrypted), and a LUKS container with LVM for /. Format the USB stick as an EFI system partition and let the installer put files there.
- BEFORE rebooting the installer, change the HDD's empty 64M partition's type code (call it /dev/sda1) to Apple Boot (gdisk type code AB00) and format it HFS+.
- Mount the new / to /mnt, and the new /boot to /mnt/boot. (The installer might just leave these two filesystems mounted at the end of the installation; I don't remember.
- Mount the new Apple Boot partition (on the HDD). We'll say you mounted it to /mnt/boot/efi.
touch /mnt/boot/efi/mach_kernel
mkdir -p /mnt/boot/efi/EFI/ubuntu/ /mnt/boot/efi/System/Library/CoreServices/
cd /mnt/boot/efi/EFI/ubuntu/
ln -s ../../System
touch mach_kernel
chroot /mnt/ grub-install -v (in theory grub2 knows how to generate Mac-compatible files, though it puts them in the wrong location)
- Reboot to Mac OSX.
diskutil mount /dev/disk0s1
- Open Preferences, Startup Disk, select the Ubuntu install.
- Reboot the system to prove that Linux boots correctly.
apt-get purge grub-efi-amd64-signed (the signed grub image does not have LUKS/cryptodisk support)
- Copy the contents of /boot somewhere, and note the device (say /dev/sda2 for this example).
cryptsetup luksFormat /dev/sda2 -c aes-xts-plain64
DO NOT install LVM here; grub2 refuses to allow FS writes to LVM volumes, which is needed for recordfail.
- Create an entry in /etc/crypttab for the new LUKS container. We'll assume you called the device-mapper node "boot_crypt".
/etc/init.d/cryptdisks-early start (prove that crypttab works)
mkfs.ext4 /dev/mapper/boot_crypt -L boot (or whatever filesystem you want here)
- Edit /etc/fstab to point /boot to /dev/mapper/boot_crypt.
- Copy the saved files from step 17 into the new /boot.
echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub
grub-install -v (verify that grub-mkimage is called with luks/cryptodisk modules included)
update-grub
- Reboot to Mac OSX.
diskutil mount /dev/disk0s1
- Open Preferences, Startup Disk, select the Ubuntu install. Again.
- Reboot. Grub should now prompt to unlock the disk before showing the boot menu. For extra credit, set up LUKS keys for automount, since the only thing unencrypted on your HDD is grub, and (in theory) you could stash the rootfs LUKS keys in the initramfs. Macs don't support SecureBoot, at least not the 2012 models.
N.B. The Apple firmware will try to boot whatever the HFS+ startup file points to; using efibootmgr does no good here. If you rewrite the boot.efi file the safe way (write boot.efi.new, mv boot.efi.new boot.efi) you'll have to set the startup disk in OSX again, because the "startup file" is really an extent map in the HFS+ superblock. Quite possibly OSX simply copies the contents of boot.efi into the blocks pointed to by the startup file when a Startup Disk is set.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
