agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

Add support for PinePhone/Manjaro ARM #90

Closed harmtemolder closed 2 years ago

harmtemolder commented 2 years ago

I tried setting up ykfde on my PinePhone (running Manjaro ARM) the same way I did on my laptop, but it doesn't work:

  1. Set up an encrypted filesystem on the phone's SD card
  2. Then set up /etc/ykfde.conf
  3. Add ykfde hook to /etc/mkinitcpio.conf
  4. sudo mkinitcpio -P
  5. When I reboot, my drive does not appear under /dev/mapper

I am able to manually decrypt it using the YubiKey with ykfde-open, so it has something to do with the hook, probably. I tried moving the keyboard hook to the front, but that didn't help.

What else can I try to debug this?

harmtemolder commented 2 years ago

I noticed this during mkinitcpio:

  -> Running build hook: [ykfde]
==> ERROR: module not found: `dm_integrity'

Does that mean the dm_integrity module is not present in my kernel?

crispy-landslide commented 2 years ago

How did you encrypt the filesystem? I used the Arch Linux Arm FDE installer script. I was able to get the ykfde hook working correctly on my installation. From my understanding, FDE on the PinePhone is taken care of using the osk-sdl hook, which also draws a keyboard on the screen, meaning you don't need a physical keyboard. A current limitation of using the ykfde hook is that there is no virtual keyboard, so you'll have to have both the YubiKey and a physical keyboard plugged in to use 2FA. If you just want 1FA, it should work just fine.

I'm not sure why dm_integrity wouldn't be present. It may be a Manjaro problem. Do you have any luck adding dm_integrity to the MODULES array in /etc/mkinitcpio.conf?

Also, what are all the hooks you are calling in /etc/mkinitcpio.conf?

harmtemolder commented 2 years ago

So far I've only encrypted home, no FDE yet.

Step 1 is to recompile the kernel from here, changing line 1741 to

CONFIG_DM_INTEGRITY=y

Then run updpkgsums to recalculate the checksums, makepkg --syncdeps to build the kernel and makepkg --install to install. (Make sure to do all this on the PinePhone itself.)

My step 2 was to encrypt the SD card with cryptsetup luksFormat using both a backup password and a key file. As a proof-of-concept I moved that key file to /etc and set up /etc/crypttab and /etc/fstab to respectively decrypt and mount the SD card as /home. I then added the encrypt hook to /etc/mkinitcpio.conf and ran sudo mkinitcpio -P. These are my hooks:

HOOKS=(base udev keyboard autodetect modconf block encrypt filesystems fsck)

That works, so at least I know encrypting home is possible. My next step is to use a YubiKey instead of the key file, so at least 1FA (instead of my current 0FA).

I'm not sure about full disk encryption, because then you need to play around with the kernel parameters in /boot/boot.txt, and I'm not familiar with the U-Boot bootloader.

I did not know about osk-sdl. I'll have to dive into that, but it reads like a feasible method for 2FA.

crispy-landslide commented 2 years ago

Ok, so it sounds like you're no longer missing the dm_integrity module after recompiling the kernel.

Also, in my setup, I didn't need to mess with the kernel parameters in /boot/boot.txt. As long as YKFDE_DISK_UUID and YKFDE_LUKS_NAME are properly set in /etc/ykfde.conf, the ykfde hook should still work. You have the option of setting these parameters in /boot/boot.txt, but it's not necessary.

To be clear, I think osk-sdl only accepts passphrases at the moment with no YubiKey support. So the only options at the moment for FDE on the PinePhone are:

  1. ykfde - 1FA with YubiKey
  2. osk-sdl - 1FA with passphrase

2FA is possible with ykfde, but it requires:

  1. Physical keyboard with a dock or PinePhone keyboard add-on
  2. Remove the quiet kernel parameter from /boot/boot.txt so you can see the prompt

To make 2FA usable with yubikey-full-disk-encryption on the PinePhone, there would need to be some sort of virtual keyboard that displays when prompting for the challenge. I suppose a similar approach could be taken to how osk-sdl does it, but that would probably be a non-trivial amount of work.
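The two comments above describe three things that have to be right before the ykfde hook can work: the kernel must build dm_integrity (the CONFIG_DM_INTEGRITY=y edit), the HOOKS array must be ordered so a physical keyboard is available when ykfde prompts and ykfde runs before filesystems, and /etc/ykfde.conf must carry YKFDE_DISK_UUID and YKFDE_LUKS_NAME. The script below is an added preflight check written for this page; it is not code from yubikey-full-disk-encryption or from either commenter. It takes file paths as arguments so it can be run against copies of the real files, and it assumes the hook order keyboard, then ykfde, then filesystems (taken from this thread and from the mkinitcpio convention for the encrypt hook) and that YKFDE_DISK_UUID holds a standard 8-4-4-4-12 hex UUID.

```shell
#!/usr/bin/env bash
# ykfde_preflight.sh: added example, not code from yubikey-full-disk-encryption.
# Offline checks for the three things discussed in this thread:
#   1. CONFIG_DM_INTEGRITY must be built in (the "module not found: dm_integrity"
#      error from the ykfde build hook),
#   2. HOOKS in mkinitcpio.conf must list keyboard before ykfde (the challenge
#      password is typed on a physical keyboard) and ykfde before filesystems,
#   3. ykfde.conf must set YKFDE_DISK_UUID and YKFDE_LUKS_NAME.
# File paths are arguments so the functions can be run against copies of the
# real files; nothing here touches the running system. Hook order and the
# UUID format are assumptions, see the lead-in.

# Force a kconfig symbol to =y in a .config or config fragment. The symbol may
# currently be "=y", "=m" or "# SYM is not set"; if it is absent, append it.
set_kconfig_builtin() {
    local cfg="$1" sym="$2" tmp
    tmp=$(mktemp)
    if grep -q -E "^(# )?${sym}( is not set|=.*)$" "$cfg"; then
        sed -E "s/^(# )?${sym}( is not set|=.*)$/${sym}=y/" "$cfg" >"$tmp"
    else
        cat "$cfg" >"$tmp"
        printf '%s=y\n' "$sym" >>"$tmp"
    fi
    mv "$tmp" "$cfg"
    grep -q "^${sym}=y$" "$cfg"
}

# Print the contents of the (last) HOOKS=(...) array in a mkinitcpio.conf.
# The file is bash syntax, so a later assignment overrides an earlier one.
hooks_of() {
    sed -n -E 's/^[[:space:]]*HOOKS=\((.*)\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Succeed if hook $2 appears before hook $3 in word list $1; both must be present.
hook_before() {
    local list="$1" a="$2" b="$3" i=0 ia=0 ib=0 h
    for h in $list; do
        i=$((i + 1))
        [ "$h" = "$a" ] && ia=$i
        [ "$h" = "$b" ] && ib=$i
    done
    [ "$ia" -gt 0 ] && [ "$ib" -gt 0 ] && [ "$ia" -lt "$ib" ]
}

# Required order for ykfde with a physical keyboard: keyboard, ykfde, filesystems.
check_hooks() {
    local list
    list=$(hooks_of "$1")
    hook_before "$list" keyboard ykfde && hook_before "$list" ykfde filesystems
}

# ykfde.conf is sourced as shell; accept KEY="value" or KEY=value, last one wins.
check_ykfde_conf() {
    local conf="$1" uuid name
    uuid=$(sed -n -E 's/^YKFDE_DISK_UUID="?([^"]*)"?$/\1/p' "$conf" | tail -n 1)
    name=$(sed -n -E 's/^YKFDE_LUKS_NAME="?([^"]*)"?$/\1/p' "$conf" | tail -n 1)
    printf '%s' "$uuid" | grep -q -E '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' &&
        [ -n "$name" ]
}

# Usage: ykfde_preflight.sh <kernel .config> <mkinitcpio.conf> <ykfde.conf>
# Exits non-zero on the first failed check and names it.
if [ "$#" -eq 3 ]; then
    set_kconfig_builtin "$1" CONFIG_DM_INTEGRITY || { echo "could not set CONFIG_DM_INTEGRITY=y in $1" >&2; exit 1; }
    check_hooks "$2" || { echo "HOOKS in $2 must be ordered: keyboard ... ykfde ... filesystems" >&2; exit 1; }
    check_ykfde_conf "$3" || { echo "$3 needs YKFDE_DISK_UUID (a UUID) and YKFDE_LUKS_NAME" >&2; exit 1; }
    echo "preflight OK"
fi
```

Run it against copies (for example `cp /etc/mkinitcpio.conf /tmp/` first) before `mkinitcpio -P`; a failed check is much cheaper to fix than a black screen after the LED, since that recovery path in this thread was a full reflash.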

harmtemolder commented 2 years ago

@crispy-landslide Did you actually get the ykfde hook to work? Whenever I add it, my PinePhone won't boot anymore. Just the LED and then black. The only way to recover is to reflash the image and start over.

crispy-landslide commented 2 years ago

Yes, adding the ykfde hook works for me. I think you mentioned before that you did not have full-disk encryption set up on your PinePhone, but I think that is a prerequisite to getting this to work. Did you end up using FDE, or are you still just encrypting your home directory?

harmtemolder commented 2 years ago

You're right, it makes sense that ykfde only works for FDE. I'll take a look at the Arch Linux Arm FDE installer script you mentioned.

harmtemolder commented 2 years ago

I was trying to see if I could rewrite that script to use Manjaro ARM instead, but since that uses finished img files, that was going to be more complicated than I thought. I'll try with Arch first.

harmtemolder commented 2 years ago

I can confirm that ykfde works with Arch Linux ARM installed with the Arch Linux Arm FDE installer script. That means that ykfde is fine, and the work needs to be done on the Manjaro ARM side. I'll focus on this issue and close this one.