
Install Debian on Libre Computer "Renegade" with encrypted filesystem

ISSUED: 2023-11-15
EDITED: 2023-12-07

> 📢 This gemlog is part of a series; use the link below to go to the main menu!


Make a StealthBox with Devuan and Libre Computer Renegade


Intro


This board, actually called ROC-RK3328-CC, is a single-board computer with the same form factor as the Pi; it ships with a Rockchip RK3328 SoC and is available with 1, 2 or 4 GB of RAM:


Official product features


Form Factor Compatible with Raspberry Pi® 2/3 Model B/B+

Quad 64-bit Low Power Cores

Quad Core 3D GPU with OpenGL ES 2.0

Rockchip Multimedia Processor

H.265

H.264

VP9

HDMI 2.0 with 4K HDR support

Up to 4GB DDR4

USB 3.0

Gigabit Ethernet MA


I read many reviews and all of them stated that it is a good board; for me the most compelling aspect was the pricing.


Another feature that isn't listed is that the Libre Computer folks customized U-Boot so that upstream Debian runs on their board. This is a ‼️hugeee‼️ benefit over derivatives like Armbian or DietPi.


My goal


I use these ARM boards like any other personal computer, so my goal was to encrypt the / (root) partition as I would on my laptop, since these boards are just as portable as a laptop.


This gemlog illustrates how I achieved this goal which, let me confess, wasn't a breeze at all.


Webography


The list of the most relevant sources I followed:


Debian GNU/Linux Installation Guide — D.3. Installing Debian GNU/Linux from a Unix/Linux System

Debian WiKi: GrubEFIReinstall

Debian 11 Bullseye and 12 Bookworm for Libre Computer Boards

Libre Computer Flash Tool


Before you start


To follow this walk-through you need, besides the board:

an SD card on which to install the Libre Computer Debian image;

the official Libre Computer eMMC module into which Debian will be bootstrapped.


For information on where to buy the module, please check the Libre Computer website:


Renegade ROC-RK3328-CC


> ⚠️ This walk-through assumes that you have already installed Debian on the SD card and that Debian is running fine; you haven't made any changes and you are logged in as "root".


Since SSH is disabled by default, to follow these instructions you need a monitor attached and a wired network connection.


Let's rock(chip)


The bootstrapping process is tedious, so find the time to do this in your best mood without pressure!


1. Flash the `bootloader`


I recommend flashing the bootloader first, since one of my several attempts ended up erasing a perfectly good bootstrap installation… PEBCAK! 😖


You need to install git as well!


apt install git

git clone https://github.com/libre-computer-project/libretech-flash-tool.git

cd libretech-flash-tool

./lft.sh bl-flash roc-rk3328-cc mmcblk0 verify

## You must follow the prompt! ##

cd ..

2. Partitioning


To partition the disk I used fdisk. Its usage is pretty intuitive: press [m] to get the menu and read the available options; changes aren't applied until you press [w](rite).


> ⚠️ Even though I am going to use UEFI, I did not select a GPT table but MBR. Selecting GPT — which should be the right choice — ends in a failed installation since, later on, GRUB tries to write to memory areas that are inaccessible even to root! Selecting MBR instead prevents this issue, since GRUB then assumes the "efi variables" are inaccessible and ignores them.


> 💡 /dev/mmcblk0 is the eMMC module


fdisk /dev/mmcblk0
      ## Below is a recap of the steps I made.
      1. [o] Create a MBR table
      2. [n] New partition: 1GB vfat
      3. [t] Mark the partition as EFI (ef)
      4. [n] New partition: 1GB Linux
      5. [n] New partition: [select all] Linux
      6. [w] write changes and exit

> 💡 TIP: use +1G or +1GB to assign the size you want when fdisk prompts for the last sector of the partition.


Once the partitions are ready, two of them (p1 and p2) must be formatted:


mkfs.vfat -F 16 -n EFI /dev/mmcblk0p1

mkfs.ext4 -L BOOT /dev/mmcblk0p2
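The fdisk session above can be scripted with sfdisk(8) so the layout is reproducible. The block below is an added example, not code from the gemlog or from Libre Computer: it emits the same MBR layout (1 GiB EFI partition of type ef, 1 GiB /boot, the rest for the LUKS container) and applies it only after checking that nothing on the device is mounted. The default device path and the script file name partition-renegade.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original gemlog: a non-interactive
# equivalent of the fdisk steps of step 2, using sfdisk(8).
# Assumes: sfdisk from util-linux; the target is the eMMC module, which
# the gemlog says is /dev/mmcblk0 (override by passing another device).

# Print the sfdisk script for the Renegade eMMC layout.
renegade_layout() {
    cat <<'EOF'
label: dos
size=1GiB, type=ef
size=1GiB, type=83
type=83
EOF
}

# Refuse to touch a device that has mounted partitions, then write the
# table and format p1/p2 exactly as the gemlog does (p3 is left for LUKS).
apply_layout() {
    dev="${1:-/dev/mmcblk0}"
    if [ -r /proc/mounts ] && grep -q "^${dev}" /proc/mounts; then
        echo "refusing: ${dev} has mounted partitions" >&2
        return 1
    fi
    renegade_layout | sfdisk --wipe always "${dev}" || return 1
    mkfs.vfat -F 16 -n EFI "${dev}p1" && mkfs.ext4 -L BOOT "${dev}p2"
}

# Only act when run as the script itself (assumed name), never when sourced.
case "$0" in
    */partition-renegade.sh) apply_layout "$@" ;;
esac
```

Review the output of `renegade_layout` before running `apply_layout`; sfdisk starts the first partition at 1 MiB by default, matching what fdisk proposes.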

3. Encryption setup


Encrypting the partition is quite simple!


> ⚠️ You may need to install cryptsetup & cryptsetup-initramfs first


cryptsetup luksFormat /dev/mmcblk0p3

cryptsetup open /dev/mmcblk0p3 crypt

> 💡 Note the name "crypt", it will be used later


4. LVM setup


Managing the Logical Volume is a little bit more complicated than the encryption.


This is the recap:

1. Create the volume group on the unlocked device in /dev/mapper

2. Create the first volume (4GB) for the SWAP

3. Use all the remaining space for system (no /home)

4. Scan for the changes

5. Activate the volume group

6. Format "ROOT" in EXT4

7. Format SWAP


> ❓ I stopped separating the '/home' partition many years ago; if you want one, you need to create a third volume and decide how much space to assign to each partition. Alternatively you may use BTRFS and its subvolumes to handle `/` and '/home'; either way I don't believe the benefits are worth the effort.


vgcreate lvm /dev/mapper/crypt

lvcreate -L 4G lvm -n emmc-swap

lvcreate -l 100%FREE lvm -n emmc-root

vgscan

vgchange -ay

mkfs.ext4 /dev/mapper/lvm-emmc--root

mkswap /dev/mapper/lvm-emmc--swap

5. DEBOOTSTRAP: Initialization


Bootstrapping is the part that requires the most preparation. To get the best possible setup I decided to reuse some of the settings from Libre Computer. For instance, it looks to me like they built the Lima GPU driver into their custom kernel, so I warmly recommend using their custom kernel.


Depending on your connection speed, bootstrapping Debian could take up to 10 minutes…


mkdir /mnt/emmc

mount /dev/mapper/lvm-emmc--root /mnt/emmc

debootstrap --arch arm64 bookworm /mnt/emmc http://deb.debian.org/debian

cp /etc/apt/sources.list /mnt/emmc/etc/apt/sources.list

cp /etc/apt/sources.list.d/[tab] /mnt/emmc/etc/apt/sources.list.d/

cp /etc/apt/preferences.d/[tab] /mnt/emmc/etc/apt/preferences.d/

cp /usr/share/keyrings/libre[tab]  /mnt/emmc/usr/share/keyrings/

> 💡 You can use Midnight Commander to copy those files, but you must first install it: apt install mc


5.1 DEBOOTSTRAP: FSTAB /mnt/emmc/etc/fstab


The UUID values differ on every disk, so you need to check which values were generated; you can do so with:


blkid

ROOT and SWAP, on the other hand, are addressed through '/dev/mapper/'; if your partition layout differs from this walk-through you need to modify the fstab accordingly.


## Manual Fstab
# /dev/mmcblk0p1
PARTUUID=ab551b44-01    /boot/efi       vfat    defaults        0 1
# /dev/mmcblk0p2
PARTUUID=ab551b44-02    /boot   ext4    defaults        0 2
# LVM Swap
/dev/mapper/lvm-emmc--swap	none      swap    sw      0       0
# LVM Root
/dev/mapper/lvm-emmc--root    /       ext4    defaults,noatime        0 1

> ⚠️ These values change based on your disk; use `blkid` or `lsblk -f` to get the UUIDs of your partitions


> 💡 Prepare this file before going inside the chroot so you can copy it with MC


5.2 DEBOOTSTRAP: CRYPTTAB: /mnt/emmc/etc/crypttab


This file too just needs to be copied, but it is important to check the UUID of the partition that must be unlocked.


> 💡 The whole procedure is designed to be performed manually!


# <target name> <source device>         <key file>   <options>
crypt   UUID=10be2758-e569-40d7-846c-8903a1a127a5    none    luks,discard

> 💡 "crypt" is the name I assigned to my luks partition, if you change it you must change this value accordingly; to get the right UUID for the `crypttab` file you can use this command `blkid | grep LUKS`


> 💡 Prepare this file before going inside the chroot so you can copy it with MC
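Instead of copying the UUIDs into fstab and crypttab by hand, both files can be generated from the `blkid` output and then cross-checked against it, which catches a pasted PARTUUID where a LUKS UUID was needed. The block below is an added example, not part of the gemlog, covering steps 5.1 and 5.2 together. It assumes the partition layout, the VG/LV names (lvm, emmc-root, emmc-swap) and the "crypt" mapping name used in this walk-through; in the constructed sample the PARTUUIDs and the LUKS UUID are the ones shown above, the other UUIDs are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original gemlog: build fstab and crypttab
# from `blkid` output (steps 5.1/5.2) and verify every reference resolves.

# Constructed sample `blkid` output. PARTUUIDs and the LUKS UUID are the
# values shown in the gemlog; the remaining UUIDs are made up.
SAMPLE_BLKID='/dev/mmcblk0p1: LABEL="EFI" UUID="4A1B-2C3D" TYPE="vfat" PARTUUID="ab551b44-01"
/dev/mmcblk0p2: LABEL="BOOT" UUID="6d2f1c8e-0000-4000-8000-000000000002" TYPE="ext4" PARTUUID="ab551b44-02"
/dev/mmcblk0p3: UUID="10be2758-e569-40d7-846c-8903a1a127a5" TYPE="crypto_LUKS" PARTUUID="ab551b44-03"
/dev/mapper/lvm-emmc--swap: UUID="6d2f1c8e-0000-4000-8000-000000000004" TYPE="swap"
/dev/mapper/lvm-emmc--root: UUID="6d2f1c8e-0000-4000-8000-000000000005" TYPE="ext4"'

# Value of KEY ($3) for device DEV ($2) in the blkid output passed as $1.
blkid_field() {
    printf '%s\n' "$1" | awk -v dev="$2:" -v key="$3" '
        $1 == dev { for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit } } }'
}

# The device holding the LUKS container (the one to unlock at boot).
luks_device() {
    printf '%s\n' "$1" | awk '/TYPE="crypto_LUKS"/ { sub(/:$/, "", $1); print $1; exit }'
}

# fstab for the layout of steps 2 and 4; $2 is the eMMC block device.
gen_fstab() {
    efi=$(blkid_field "$1" "${2}p1" PARTUUID)
    boot=$(blkid_field "$1" "${2}p2" PARTUUID)
    [ -n "$efi" ] && [ -n "$boot" ] || return 1
    printf '%s\n' \
        "PARTUUID=$efi  /boot/efi  vfat  defaults  0 1" \
        "PARTUUID=$boot  /boot  ext4  defaults  0 2" \
        "/dev/mapper/lvm-emmc--swap  none  swap  sw  0 0" \
        "/dev/mapper/lvm-emmc--root  /  ext4  defaults,noatime  0 1"
}

# crypttab line; $2 is the mapping name ("crypt" in the gemlog).
gen_crypttab() {
    dev=$(luks_device "$1")
    uuid=$(blkid_field "$1" "$dev" UUID)
    [ -n "$uuid" ] || return 1
    printf '%s  UUID=%s  none  luks,discard\n' "$2" "$uuid"
}

# Fail if any UUID=/PARTUUID= token in $2 is not present, under the same
# key, in the blkid output $1 (the leading space keeps UUID= from
# matching a PARTUUID= field).
check_refs() {
    for ref in $(printf '%s\n' "$2" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(PART)?UUID=/) print $i }'); do
        key=${ref%%=*}; val=${ref#*=}
        printf '%s\n' "$1" | grep -q " $key=\"$val\"" || return 1
    done
}

# Stand-alone run on the constructed sample: print both files only if
# every reference they contain resolves.
fstab=$(gen_fstab "$SAMPLE_BLKID" /dev/mmcblk0)
crypttab=$(gen_crypttab "$SAMPLE_BLKID" crypt)
if check_refs "$SAMPLE_BLKID" "$fstab" && check_refs "$SAMPLE_BLKID" "$crypttab"; then
    printf '# fstab\n%s\n\n# crypttab\n%s\n' "$fstab" "$crypttab"
fi
```

On the real board, replace `$SAMPLE_BLKID` with `"$(blkid)"` and redirect the two results into /mnt/emmc/etc/fstab and /mnt/emmc/etc/crypttab before chrooting.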


5.3 DEBOOTSTRAP: mounting system directories


Bootstrapping installs the necessary packages into the target directory; however, to finish the installation you need to chroot into that directory.


CHROOT(8)


> chroot - run command or interactive shell with special root directory


Basically, for those who don't know what chroot means, it is a way to CHange ROOT into an alternative system. However, before chrooting it is important to bind-mount the other directories that (more or less) represent the hardware in use…


for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt/emmc$i; done

6. CHROOT: initialization


Preps were made, ready to start!


LANG=C.UTF-8 chroot /mnt/emmc/ /bin/bash

mount /dev/mmcblk0p2 /boot/

mkdir -p /boot/efi

mount /dev/mmcblk0p1 /boot/efi

If no misstep was taken, the OS should be properly mounted; you can check the state of the partitions with:


lsblk -f

6.1 CHROOT: install more packages


Now you can install all the packages you believe you will need after the reboot; I selected the following ones, you may add more.


> ⚠️ DO NOT RUN: APT UPDATE !!!


As you may have noticed, I copied the Libre Computer key in order to download the customized kernel, but apt needs the `ca-certificates` package installed before you update the repositories.


apt install ca-certificates

Now you can proceed normally:


apt update

apt install aptitude bash-completion bootlogd chrony cryptsetup cryptsetup-initramfs distro-info-data dosfstools fake-hwclock firmware-bnx2 firmware-bnx2x firmware-linux git grub-efi-arm64 htop linux-image-6.1.54-10001-gd517e36a604d locales lsb-release lvm2 man-db manpages mc media-types micro mmc-utils net-tools pciutils psmisc read-edid realtek-firmware rsync spi-tools tmux tree u-boot-tools usb-modeswitch usb.ids usbutils wget wpasupplicant xz-utils

> 💡 You can prepare a file called pkg.txt with that block, copy it into /mnt/emmc/root and run: `xargs apt install < /root/pkg.txt`


6.2 CHROOT: update `root` password


Inside the chroot you are still root, but root has no password yet, so you wouldn't be able to log in after the reboot:


passwd root

6.3 CHROOT: update `hostname`


Set the hostname of your choice:


echo "RK3328" > /etc/hostname

6.4 CHROOT: Create `initramfs`


debootstrap does not create an initramfs to boot the OS; it must be created manually! Note that `$(uname -r)` expands to the kernel version of the SD card system you chrooted from, which only matches the kernel installed in the chroot if both are the same Libre Computer kernel; check `ls /lib/modules` inside the chroot if in doubt.


update-initramfs -c -k $(uname -r) -v

6.5 CHROOT: Grub operations


This is where I failed countless times until Libre Computer gave me some hints.


Apparently U-Boot has a weak UEFI implementation, so GRUB must be installed in the "extra removable path":


echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub

grub-install --force-extra-removable /dev/mmcblk0

dpkg-reconfigure grub-efi-arm64

You will be prompted with some questions; most can be left at their defaults, the ones you must care about are:

Install grub on the extra path

Install grub on the NVRAM


After that you can update grub:


update-grub

7. Exit CHROOT and reboot


exit

umount -flRv /mnt/emmc

reboot

If everything was done properly, at the next reboot you will see, in order:


u-boot

grub

and a prompt asking for the passphrase


Type the passphrase and enjoy your Renegade ROC-RK3328 & Debian in a secure manner! 👍
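Seeing the passphrase prompt shows that GRUB found the LUKS container, but not that the running system is actually using it. The block below is an added example, not part of the gemlog, that reads the machine-readable output of `lsblk -P` after the first boot and confirms the expected chain: a dm-crypt mapping with the name used in crypttab, / and swap on LVM volumes, and the EFI partition mounted. It assumes the mapping name "crypt" and the util-linux `lsblk` shipped with Debian bookworm; the sample output is constructed and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original gemlog: post-boot check that /
# really sits on LVM over LUKS, using `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT`.

# Constructed sample of that lsblk output for the layout of this walk-through.
SAMPLE_LSBLK='NAME="mmcblk0" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="mmcblk0p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="mmcblk0p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="mmcblk0p3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="lvm-emmc--swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="lvm-emmc--root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"'

# Parse the KEY="value" pairs line by line ($1) and print "ok" when the
# expected chain is present, otherwise the first problem found.
# $2 is the dm-crypt mapping name expected from crypttab.
check_layout() {
    printf '%s\n' "$1" | awk -v want="$2" '
    {
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); k = substr($i, 1, n - 1)
            v = substr($i, n + 1); gsub(/"/, "", v); f[k] = v
        }
        if (f["TYPE"] == "crypt" && f["NAME"] == want) luks = 1
        if (f["TYPE"] == "lvm" && f["MOUNTPOINT"] == "/" && f["FSTYPE"] == "ext4") root = 1
        if (f["TYPE"] == "lvm" && f["FSTYPE"] == "swap" && f["MOUNTPOINT"] == "[SWAP]") swap = 1
        if (f["FSTYPE"] == "vfat" && f["MOUNTPOINT"] == "/boot/efi") efi = 1
    }
    END {
        if (!luks) { print "no LUKS mapping named " want; exit }
        if (!root) { print "/ is not on an LVM volume"; exit }
        if (!swap) { print "swap LV is not active"; exit }
        if (!efi)  { print "/boot/efi is not mounted"; exit }
        print "ok"
    }'
}

# Stand-alone run on the constructed sample; on the board use:
#   check_layout "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)" crypt
check_layout "$SAMPLE_LSBLK" crypt
```

Any answer other than "ok" means the system booted from something other than the encrypted LVM root, for instance from the SD card that is still inserted, so check the boot order and fstab before trusting the installation.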


Wrapping this up


This gemlog cost me a month of hitting my head against an adamantine wall. Sometimes the PEBCAK path is full of frustration… 😩


Anyway, that has been achieved and I am ready for what comes next!


Should you find any typos or other mistakes, do not hesitate to contact me by email! 🙏


────────────


For comments or suggestions write me at:


freezr AT disroot DOT org


