fornellas / tcg_opal_rootfs

TCG OPAL Root Filesystem

setupLockingRange & setup initramfs-tools on an existing system? #3

Closed Demetrio92 closed 1 year ago

Demetrio92 commented 1 year ago

I don't quite understand why I can't simply do:

  1. sedutil-cli --setupLockingRange 1 $RANGE_START $RANGE_LENGTH $PASS $DEVICE
  2. set up initramfs-tools to ask for the password for the drive if it is locked on boot

My partition table is already pretty much the way it would be expected.

$ lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1       259:0    0   1.8T  0 disk  
├─nvme0n1p1   259:1    0  1022M  0 part  /boot/efi
├─nvme0n1p2   259:2    0     4G  0 part  /recovery
├─nvme0n1p3   259:3    0   1.8T  0 part  /
└─nvme0n1p4   259:4    0     4G  0 part  
  └─cryptswap 253:0    0     4G  0 crypt [SWAP]

fornellas commented 1 year ago

TBH, it may just work, assuming your partition scheme is fit; I just haven't tried that myself :-D If you figure out a working recipe, I'm happy to merge a PR updating the documentation with your working recipe.

Demetrio92 commented 1 year ago

I managed to encrypt without reinstalling, although I bricked my system twice in the process.

Whoever wants to repeat this journey:

  1. back up the full drive: sudo dd if=/dev/nvme0n1 status=progress bs=1M | gzip -c --best > /DIFFERENT_DRIVE/full_disk.img.gz

  2. learn how to chroot (guide for pop os, seems fairly generic though)
I can't verify if this will work from scratch, but definitely dd-ing into an already initialized drive worked. Most importantly, though, the order of operations should be swapped compared to the original guide, and you shouldn't be doing any of that from the booted system:

  1. enable tpm: sudo kernelstub -a "libata.allow_tpm=1" or any other way of setting kernel params

  2. boot into a live USB

  3. chroot

  4. set up boot hooks

    git clone https://github.com/fornellas/tcg_opal_rootfs
    cd tcg_opal_rootfs/
    git submodule init
    git submodule update
    make
    sudo make install

  5. exit chroot, umount your nvme

  6. encrypt

    sedutil-cli --initialsetup $PASS $DEVICE
    sedutil-cli --setMBREnable off $PASS $DEVICE
    sedutil-cli --setupLockingRange 1 $RANGE_START $RANGE_LENGTH $PASS $DEVICE
    sedutil-cli --enablelockingrange 1 $PASS $DEVICE

  7. reboot into the target system

I've spent most of my time troubleshooting various intricacies of sedutil-cli. PSA: take a picture of your NVMe. You might need that PSID code that's printed on it.

Everything was tested on pop os 22.04 with ubuntu 22.04 live for chroot.
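As an added example that is not code from the tcg_opal_rootfs project or from any comment in this thread: a small POSIX shell script that derives the START and LENGTH arguments for the `--setupLockingRange` step above from `sfdisk --dump` output, checks that the range fits inside the disk, and prints the command sequence for review rather than running it. The sample dump and its partition sizes are constructed, and the script assumes a GPT disk with 512-byte logical sectors.

```shell
#!/bin/sh
# Added example (not code from tcg_opal_rootfs or from anyone in this thread): derive the
# START and LENGTH that `sedutil-cli --setupLockingRange 1 START LENGTH ...` takes (LBAs)
# from `sfdisk --dump`, check the range fits the disk, and print the commands for review.
# Assumes a GPT disk with 512-byte logical sectors, so sfdisk's sector numbers are LBAs.
# setupLockingRange crypto-erases the range it covers: compare the plan with your backup.
# Constructed sample of `sudo sfdisk --dump /dev/nvme0n1`; all numbers are invented.
SAMPLE_DUMP='label: gpt
device: /dev/nvme0n1
unit: sectors
last-lba: 3907029134
sector-size: 512

/dev/nvme0n1p1 : start=        2048, size=     2093056, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/nvme0n1p2 : start=     2095104, size=     8388608, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
/dev/nvme0n1p3 : start=    10483712, size=  3888156672, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
/dev/nvme0n1p4 : start=  3898640384, size=     8388608, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4'

# locking_range_for PARTITION DUMP: prints "START LENGTH" in LBAs; fails if the
# partition is absent or its last sector lies beyond last-lba.
locking_range_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^last-lba:/ { last = $2 }
        $1 == p {
            gsub(/,/, "")                  # "start= 2048," -> "start= 2048"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^start=/) { s = substr($i, 7); if (s == "") s = $(i + 1) }
                if ($i ~ /^size=/)  { n = substr($i, 6); if (n == "") n = $(i + 1) }
            }
        }
        END {
            if (s == "" || n == "") { print "partition not in dump" > "/dev/stderr"; exit 1 }
            if (last != "" && s + n - 1 > last) { print "range passes last-lba" > "/dev/stderr"; exit 1 }
            print s, n
        }'
}

# plan_locking_range PARTITION DEVICE DUMP: prints the sequence Demetrio92 posted above
# with the derived range filled in; review it, then run it from a live system.
plan_locking_range() {
    range=$(locking_range_for "$1" "$3") || return 1
    start=${range% *}; length=${range#* }
    cat <<EOF
sedutil-cli --initialsetup \$PASS $2
sedutil-cli --setMBREnable off \$PASS $2
sedutil-cli --setupLockingRange 1 $start $length \$PASS $2
sedutil-cli --enablelockingrange 1 \$PASS $2
EOF
}
```

On a real system pass `"$(sudo sfdisk --dump /dev/nvme0n1)"` as the third argument and compare the printed range with the partition you intend to lock before running anything.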

adrian5 commented 1 year ago

Thanks for the feedback Demetrio!

fornellas commented 1 year ago

Thanks @Demetrio92, from the looks of it:

While I acknowledge that in some cases, with enough knowledge it is definitely possible to setup things non-destructively, it is very hard to generalise the solution.

I'm gonna close this issue, as it seems to be "impossible" to implement generically. If you feel differently, please cut a PR with your ideas.

The shared steps here can be a good reference for more "adventurous" people anyway :-D

fornellas commented 1 year ago

https://github.com/fornellas/tcg_opal_rootfs/commit/54be7e38d8b91ad72357940c30c523a3ce228401

I learned the hard way that altering the locking range essentially crypto-erases it, so it seems there's no clear path towards tweaking the locking range over a pre-existing system.

mjm987 commented 9 months ago

So if I correctly understand, it should be sufficient to save/restore only the EFI partition on the live system by 'dd' just before/after executing 'sedutil-cli --setupLockingRange ...' ? And this way you also could easily change the size of the EFI partition?

fornellas commented 9 months ago

I suppose that's theoretically possible, though it is super error prone; I'd not try anything like that without having full backups.