Slackware ARM : Disk Encryption Guide

Target
Platform: AArch64/ARM64
Hardware Models: Solid-Run Honeycomb LX2K (lx2160Acex7) Workstation; Pine64 RockPro64 (rk3399) Desktop
Document Version: 1.0, Dec 2025
Author: Brenton Earl <el0226@slackware>

This guide outlines how to install Slackware ARM with full disk encryption. The process is slightly different on the supported hardware models. The focus will be on the Pine64 RockPro64 and the HoneyComb LX2K Workstation. Some recommendations:

  • Start from a fresh full installation of Slackware ARM
  • It is strongly suggested that you do not use an SD Card as the root disk
  • The SD Card stores the unencrypted boot partition
  • Use logical volumes (LVM) to store the encrypted partitions

A list of supported hardware models is here. This guide may require slightly different configuration to fit your hardware model.

Partitioning

A basic partition schema is used to simplify this guide. Partitioning is mostly already covered on other pages of this wiki. The goal is to provide an example that can be modified for other configurations.

Make sure to back up your data. The next steps will overwrite and encrypt your disk.

An NVMe solid state drive is the targeted root disk. A root partition named /dev/nvme0n1p1 will be created that fills the entire disk. Be aware that the disk could be identified differently on your system. Make sure you check the output of the “lsblk” command.

Commands preceded by a # symbol indicate the root user is required.

The general partition table layout on the NVMe drive:

# lsblk
NAME               MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
mtdblock0           31:0    0    16M  0 disk  
mmcblk1            179:0    0  14.8G  0 disk  
└─mmcblk1p1        179:1    0  14.8G  0 part  /boot
nvme0n1            259:0    0 232.9G  0 disk  
└─nvme0n1p1        259:1    0 232.9G  0 part  
  └─luksnvme0n1p1  252:0    0 232.9G  0 crypt 
    ├─cryptvg-swap 252:1    0     4G  0 lvm   [SWAP]
    └─cryptvg-root 252:2    0 228.9G  0 lvm   /

The swap and root partition are located within the LVM + LUKS schema.

Run the cryptsetup command to encrypt the partition:

# cryptsetup luksFormat /dev/nvme0n1p1

You will be asked for a password by cryptsetup. Keep this password in a safe place. Additionally, make sure it is a strong password. The next step requires the disk to be unlocked. Execute cryptsetup once more:

# cryptsetup luksOpen /dev/nvme0n1p1 luksnvme0n1p1

Initializing LUKS and LVM

The focus of this guide is on LUKS + LVM storage encryption. The following directions are adapted from the README_CRYPT.TXT found here.

The LVM physical volume will be named “luksnvme0n1p1”. The name can be whatever name you wish to use to identify your volume. Create the physical volume and volume group:

# pvcreate /dev/mapper/luksnvme0n1p1
# vgcreate cryptvg /dev/mapper/luksnvme0n1p1

Create a 4GB logical volume that will store the swap partition:

# lvcreate -L 4G -n swap cryptvg

Your swap partition can be of any size. Here a 4 Gigabyte swap is used.

Allocate the remaining space in the volume group to your root partition:

# lvcreate -l 100%FREE -n root cryptvg

Normally the Slackware installer will identify your swap partition. It will not find the swap partition in the encrypted volume on its own. Format your swap partition (/dev/cryptvg/swap) so it will be found by the installer. This is not a necessary step for the root partition.

You can now format your swap partition:

# mkswap /dev/cryptvg/swap

Installation

Launch the Slackware installer:

# setup

The full installation process is not covered here. If you require assistance with the installation process, see the installation documentation. Help is also available on the LinuxQuestions.org support forums.

Notes:

  • The Slackware installer handles formatting and mounting the storage devices.
  • Be certain you select the correct root disk (/dev/cryptvg/root) and swap partition (/dev/cryptvg/swap)
  • If your hardware model utilizes an SD Card, it will be mounted as /boot automatically by the installer

Do not power off or restart your system. Exit the installer and launch a shell. Some configuration is required before you can start using your system.

Post Installation

Your system will be unable to boot if you shut it down before updating the initial ram disk. Enter a chroot shell and specify the location and type of your encrypted root disk, LUKS block device, and root filesystem.

Enter a chroot:

# chroot /mnt /bin/bash

Set up a default Slackware environment in the chroot:

# source /etc/profile 

Take a look at the /boot/local/README.txt. See section 2 about the initrd configuration. Create the files in the /boot/local directory to configure it.

Create rootdev, rootfs, luksdev, and lukstrim:

# cd /boot/local
# touch rootdev rootfs luksdev lukstrim 

Add the name of your root partition that resides within the logical volume (LVM). Edit rootdev and add:

/dev/cryptvg/root

Add the filesystem type of your root partition (ext4, f2fs, xfs, btrfs). Edit rootfs and enter:

ext4

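Specify the encrypted block device that contains the LUKS LVM partition(s). This is the partition that was formatted with cryptsetup luksFormat, /dev/nvme0n1p1 in this guide's layout. Edit luksdev and add:

/dev/nvme0n1p1

Edit lukstrim and add this:

/dev/nvme0n1p1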

The luksdev and lukstrim can contain a list of multiple LUKS block devices.
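
A wrong entry in any of these four files leaves the system unable to unlock its root disk at boot, so it is worth checking them before rebuilding the initrd. The script below is an added example, not part of the original guide or of the Slackware ARM tooling; check_boot_local and its helpers are hypothetical names, and it assumes that list entries are separated by spaces or newlines and that lukstrim only names devices also listed in luksdev.

```shell
#!/bin/sh
# Added example, not part of the guide: sanity-check the initrd customisation
# files before running os-initrd-mgr. Usage: sh check.sh /boot/local
# Assumption: entries in luksdev/lukstrim are separated by spaces or newlines.

entries() { tr -s ' \t' '\n\n' < "$1" | sed '/^$/d'; }  # one entry per line
fail()    { echo "FAIL: $*" >&2; rc=1; }

check_boot_local() {
    dir=$1; rc=0
    for f in rootdev rootfs luksdev lukstrim; do
        [ -s "$dir/$f" ] || fail "$dir/$f is missing or empty"
    done
    [ "$rc" -eq 0 ] || return 1

    # rootdev: exactly one path, the logical volume that holds /.
    rootdev=$(entries "$dir/rootdev" | head -n 1)
    [ "$(entries "$dir/rootdev" | wc -l)" -eq 1 ] || fail "rootdev must hold one entry"
    case $rootdev in /dev/*) ;; *) fail "rootdev '$rootdev' is not a /dev path" ;; esac

    # rootfs: one of the filesystems the guide lists.
    rootfs=$(entries "$dir/rootfs" | head -n 1)
    case $rootfs in ext4|f2fs|xfs|btrfs) ;; *) fail "unexpected rootfs '$rootfs'" ;; esac

    # luksdev: in this guide's LVM-inside-LUKS layout it is the partition that
    # carries the LUKS header, never the opened mapping or the logical volume.
    for d in $(entries "$dir/luksdev"); do
        case $d in
            "$rootdev"|/dev/mapper/*) fail "luksdev '$d' is not the LUKS partition" ;;
            /dev/*) if [ -b "$d" ] && command -v cryptsetup >/dev/null 2>&1; then
                        cryptsetup isLuks "$d" || fail "$d has no LUKS header"
                    fi ;;
            *) fail "luksdev '$d' is not a /dev path" ;;
        esac
    done

    # lukstrim: assumed to name only devices that luksdev also lists.
    for d in $(entries "$dir/lukstrim"); do
        entries "$dir/luksdev" | grep -qxF -- "$d" || fail "lukstrim '$d' not in luksdev"
    done

    # When the device node is visible, compare rootfs with what is on disk.
    if [ -b "$rootdev" ] && command -v blkid >/dev/null 2>&1; then
        actual=$(blkid -o value -s TYPE "$rootdev" 2>/dev/null) || actual=unknown
        [ "$actual" = "$rootfs" ] || fail "rootfs is '$rootfs', $rootdev holds '$actual'"
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_boot_local "$1"; fi
```

The device-level checks (cryptsetup isLuks, blkid) only run when the device nodes are visible inside the chroot; otherwise the script checks the file contents alone.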

Grub Boot Loader

You can skip to “Finishing Up” if your Slackware ARM system does not use the Grub boot loader.

The HoneyComb LX2K uses the Grub boot loader instead of U-Boot. If you reference the installation guides you will notice that the partitioning is slightly different with disk encryption. This is so that the /boot partition is separate and exposes the kernel assets and initrd prior to decrypting the root partition. The system cannot boot otherwise.

This requires editing grub.cfg. In a standard installation the kernel is located at /boot/Image-armv8 and the initrd at /boot/initrd-armv8.

The line that sets the grub root as SLKroot should be changed to SLKboot:

search --no-floppy --set=root --label SLKboot

The line that sets the path to the kernel:

linux /Image-armv8 rootfstype=xfs root=LABEL=SLKroot irqpoll arm-smmu.disable_bypass=0 iommu.passthrough=1 amdgpu.pcie_gen_cap=0x4 amdgpu.noretry=0

The line that sets the path to the initial ram disk:

initrd /initrd-armv8

Finishing Up

Now you can generate a new initrd and include those files within it:

# os-initrd-mgr

The output should be similar to the following:

root@slackware:/boot/local# os-initrd-mgr 
Scanning for loaded firmware ... 
Searching for local customisations ... 
Found: /boot/local/rootdev
Found: /boot/local/rootfs
Found: /boot/local/luksdev
Found: /boot/local/lukstrim

Unpacking /boot/initrd-armv8 ...
Adding customisations ...
Repacking /boot/initrd-armv8 ...
Successfully rebuilt the OS InitRD.

Exit the chroot shell:

# exit

You can now begin using your Slackware ARM system.

# reboot 

Known Issues

  • None at this time
