Closed harmtemolder closed 2 years ago
I noticed this during `mkinitcpio`:

```
-> Running build hook: [ykfde]
==> ERROR: module not found: `dm_integrity'
```

Does that mean the `dm_integrity` module is not present in my kernel?

How did you encrypt the filesystem? I used the Arch Linux Arm FDE installer script. I was able to get the `ykfde` hook working correctly on my installation. From my understanding, FDE on the PinePhone is taken care of using the `osk-sdl` hook, which also draws a keyboard on the screen, meaning you don't need a physical keyboard. A current limitation of using the `ykfde` hook is that there is no virtual keyboard, so you'll have to have both the YubiKey and a physical keyboard plugged in to use 2FA. If you just want 1FA, it should work just fine.

I'm not sure why `dm_integrity` wouldn't be present. It may be a Manjaro problem. Do you have any luck adding `dm_integrity` to the `MODULES` array in `/etc/mkinitcpio.conf`?

Also, what are all the hooks you are calling in `/etc/mkinitcpio.conf`?

So far I've only encrypted `home`, no FDE yet.

Step 1 is to recompile the kernel from here, changing line 1741 to

```
CONFIG_DM_INTEGRITY=y
```

Then run `updpkgsums` to recalculate the checksums, `makepkg --syncdeps` to build the kernel and `makepkg --install` to install. (Make sure to do all this on the PinePhone itself.)

My step 2 was to encrypt the SD card with `cryptsetup luksFormat` using both a backup password and a key file. As a proof-of-concept I moved that key file to `/etc` and set up `/etc/crypttab` and `/etc/fstab` to respectively decrypt and mount the SD card as `/home`. I then added the `encrypt` hook to `/etc/mkinitcpio.conf` and ran `sudo mkinitcpio -P`. These are my hooks:

```
HOOKS=(base udev keyboard autodetect modconf block encrypt filesystems fsck)
```

That works, so at least I know encrypting `home` is possible. My next step is to use a YubiKey instead of the key file, so at least 1FA (instead of my current 0FA).

I'm not sure about full disk encryption, because then you need to play around with the kernel parameters in `/boot/boot.txt`, and I'm not familiar with the U-Boot bootloader.

I did not know about `osk-sdl`. I'll have to dive into that, but it reads like a feasible method for 2FA.

Ok, so it sounds like you're no longer missing the `dm_integrity` module after recompiling the kernel.

Also, in my setup, I didn't need to mess with the kernel parameters in `/boot/boot.txt`. As long as `YKFDE_DISK_UUID` and `YKFDE_LUKS_NAME` are properly set in `/etc/ykfde.conf`, the `ykfde` hook should still work. You have the option of setting these parameters in `/boot/boot.txt`, but it's not necessary.

To be clear, I think `osk-sdl` only accepts passphrases at the moment with no YubiKey support. So the only options at the moment for FDE on the PinePhone are:

- `ykfde` - 1FA with YubiKey
- `osk-sdl` - 1FA with passphrase

2FA is possible with `ykfde`, but it requires:

- `quiet` kernel parameter from `/boot/boot.txt` so you can see the prompt

To make 2FA usable with yubikey-full-disk-encryption on the PinePhone, there would need to be some sort of virtual keyboard that displays when prompting for the challenge. I suppose a similar approach could be taken to how `osk-sdl` does it, but that would probably be a non-trivial amount of work.
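The checks the thread keeps circling back to (whether `CONFIG_DM_INTEGRITY` is built into the kernel, whether `dm_integrity` is listed in the `MODULES` array, which hooks are in `/etc/mkinitcpio.conf`, and whether `YKFDE_DISK_UUID` and `YKFDE_LUKS_NAME` are set in `/etc/ykfde.conf`), gathered into one pre-flight script to run before `mkinitcpio -P`. This is an added example, not code from the issue or from the ykfde project. All input files are constructed samples so it runs anywhere; the UUID and LUKS name are placeholders, and the rule that `block` and `keyboard` must accompany the crypt hook is taken from the working hook line posted above, not from project documentation.

```shell
#!/bin/sh
# Added example for this thread, not code from the issue or from the ykfde
# project: pre-flight checks before running `mkinitcpio -P`. Every input file
# below is a constructed sample; the UUID and LUKS name are placeholders.

# Reports whether CONFIG_DM_INTEGRITY is built in (y), a module (m) or absent.
dm_integrity_state() {
    state=$(sed -n 's/^CONFIG_DM_INTEGRITY=\(.\)$/\1/p' "$1" | tail -n 1)
    case "$state" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# Extracts the body of a NAME=(...) array from a mkinitcpio.conf.
array_of() {
    sed -n "s/^$2=(\(.*\))[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Prints the 1-based position of word $2 in the space-separated list $1, or 0.
list_index() {
    i=0
    for w in $1; do
        i=$((i + 1))
        if [ "$w" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# "yes" if dm_integrity is listed in MODULES=(...), as suggested in the thread.
modules_has_dm_integrity() {
    if [ "$(list_index "$(array_of "$1" MODULES)" dm_integrity)" -gt 0 ]; then
        echo yes
    else
        echo no
    fi
}

# Checks HOOKS=(...). Assumptions of this example: the crypt hook is `ykfde` or
# `encrypt`, and `block` and `keyboard` must be present. `keyboard` only adds
# modules at build time; placed after `autodetect` it includes only keyboard
# modules detected on the build machine, which matters when a USB keyboard is
# silent at the prompt.
check_hooks() {
    hooks=$(array_of "$1" HOOKS)
    if [ "$(list_index "$hooks" ykfde)" -eq 0 ] &&
       [ "$(list_index "$hooks" encrypt)" -eq 0 ]; then
        echo "missing crypt hook (encrypt or ykfde)"; return 1
    fi
    for dep in block keyboard; do
        if [ "$(list_index "$hooks" "$dep")" -eq 0 ]; then
            echo "missing $dep hook"; return 1
        fi
    done
    kb=$(list_index "$hooks" keyboard)
    ad=$(list_index "$hooks" autodetect)
    if [ "$ad" -gt 0 ] && [ "$kb" -gt "$ad" ]; then
        echo "ok (keyboard after autodetect: only detected keyboard modules included)"
    else
        echo ok
    fi
}

# Reads KEY=value (quotes optional) from a shell-style config file.
conf_value() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# YKFDE_DISK_UUID must be a UUID (not a /dev path); YKFDE_LUKS_NAME non-empty.
check_ykfde_conf() {
    uuid=$(conf_value "$1" YKFDE_DISK_UUID)
    name=$(conf_value "$1" YKFDE_LUKS_NAME)
    if ! echo "$uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "YKFDE_DISK_UUID is not a UUID: '$uuid'"; return 1
    fi
    if [ -z "$name" ]; then echo "YKFDE_LUKS_NAME is empty"; return 1; fi
    echo ok
}

# --- constructed samples (not real files from the thread) -------------------
SAMPLES=$(mktemp -d)
printf 'CONFIG_DM_CRYPT=y\nCONFIG_DM_INTEGRITY=y\n' > "$SAMPLES/config.builtin"
printf 'CONFIG_DM_CRYPT=y\n# CONFIG_DM_INTEGRITY is not set\n' > "$SAMPLES/config.absent"
# The hook line posted in the thread, plus the MODULES entry suggested above.
cat > "$SAMPLES/mkinitcpio.good" <<'EOF'
MODULES=(dm_integrity)
HOOKS=(base udev keyboard autodetect modconf block encrypt filesystems fsck)
EOF
# No keyboard hook at all: nothing to type the challenge password with.
printf 'HOOKS=(base udev autodetect modconf block ykfde encrypt filesystems fsck)\n' > "$SAMPLES/mkinitcpio.bad"
printf 'YKFDE_DISK_UUID="12345678-1234-1234-1234-123456789abc"\nYKFDE_LUKS_NAME="cryptroot"\n' > "$SAMPLES/ykfde.good"
printf 'YKFDE_DISK_UUID="/dev/mmcblk0p2"\nYKFDE_LUKS_NAME=""\n' > "$SAMPLES/ykfde.bad"

echo "dm_integrity: $(dm_integrity_state "$SAMPLES/config.builtin") / $(dm_integrity_state "$SAMPLES/config.absent")"
echo "hooks: $(check_hooks "$SAMPLES/mkinitcpio.good") / $(check_hooks "$SAMPLES/mkinitcpio.bad")"
echo "ykfde.conf: $(check_ykfde_conf "$SAMPLES/ykfde.good") / $(check_ykfde_conf "$SAMPLES/ykfde.bad")"
```

On a real system, point the functions at `/proc/config.gz` (after `zcat`), `/etc/mkinitcpio.conf` and `/etc/ykfde.conf` instead of the samples; a `module` result for `dm_integrity` means the `MODULES` entry is the fix, `absent` means the kernel rebuild step from the thread is needed.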

@crispy-landslide Did you actually get the `ykfde` hook to work? Whenever I add it, my PinePhone won't boot anymore. Just the LED and then black. The only way to recover is to reflash the image and start over.

Yes, adding the `ykfde` hook works for me. I think you mentioned before that you did not have full-disk encryption set up on your PinePhone, but I think that is a prerequisite to getting this to work. Did you end up using FDE, or are you still just encrypting your `home` directory?

You're right, it makes sense that `ykfde` only works for `fde`. I'll take a look at the Arch Linux Arm FDE installer script you mentioned.

I was trying to see if I could rewrite that script to use Manjaro ARM instead, but since that uses finished `img` files that was going to be more complicated than I thought. I'll try with Arch first.

I can confirm that `ykfde` works with Arch Linux ARM installed with the Arch Linux Arm FDE installer script. That means that `ykfde` is fine, and the work needs to be done on the Manjaro ARM side. I'll focus on this issue and close this one.

I tried setting up `ykfde` on my PinePhone (running Manjaro ARM) the same way I did on my laptop, but it doesn't work:

- `/etc/ykfde.conf`
- `ykfde` hook to `/etc/mkinitcpio.conf`
- `sudo mkinitcpio -P`
- `/dev/mapper`

I am able to manually decrypt it using the YubiKey with `ykfde-open`, so it has something to do with the hook, probably. I tried moving the `keyboard` hook to the front, but that didn't help. What else can I try to debug this?