Lenovo ideapad 530S - Debian
Hardware info on main page.
Links
Install Debian 12 with encrypted Root-on-ZFS, ZFSBootMenu, zfsbootmenu-sb,
Work log
2024-06-15: no, signing the FreeBSD loader wasn't enough, it starts to boot, then restarts (perhaps failing to load an unsigned kernel?).
2024-06-15: zroot - now, for fun, try to sign the FreeBSD loader too. First, copy it:
tingo@kg-pod530lin:~/work$ mkdir fbsd
tingo@kg-pod530lin:~/work$ cd fbsd
tingo@kg-pod530lin:~/work/fbsd$ cp -v /boot/efi/EFI/FreeBSD/BOOTx64.efi .
'/boot/efi/EFI/FreeBSD/BOOTx64.efi' -> './BOOTx64.efi'
check it
tingo@kg-pod530lin:~/work/fbsd$ sbverify --list BOOTx64.efi
warning: data remaining[86016 vs 393216]: gaps between PE/COFF sections?
No signature table present
change the name
tingo@kg-pod530lin:~/work/fbsd$ mv BOOTx64.efi BOOTx64.efi_org
sign
tingo@kg-pod530lin:~/work/fbsd$ sbsign --key ../pod530_local.key --cert ../pod530_local.crt --output BOOTx64.efi BOOTx64.efi_org
warning: data remaining[86016 vs 393216]: gaps between PE/COFF sections?
Signing Unsigned original image
verify
tingo@kg-pod530lin:~/work/fbsd$ sbverify --list BOOTx64.efi
warning: data remaining[87584 vs 394784]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen
copy it back.
tingo@kg-pod530lin:~/work/fbsd$ sudo cp -v BOOTx64.efi /boot/efi/EFI/FreeBSD/
'BOOTx64.efi' -> '/boot/efi/EFI/FreeBSD/BOOTx64.efi'
2024-06-15: zroot - reboot, enroll the new mok, reboot, enable Secure Boot, reboot, and check:
tingo@kg-pod530lin:~$ sudo dmesg | grep -i secure
[    0.000000] secureboot: Secure boot could not be determined (mode 0)
[    0.937566] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    0.937589] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[    0.952235] ima: secureboot mode enabled
[    0.953311] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot enabled
yes!
2024-06-15: zroot - interesting, there is a mok in /var/lib/dkms/
tingo@kg-pod530lin:~$ ls -l /var/lib/dkms/
total 18
-rw------- 1 root root 1704 Apr 28 18:03 mok.key
-rw-r--r-- 1 root root  811 Apr 28 18:03 mok.pub
drwxr-xr-x 3 root root    4 Apr 28 18:07 zfs
it just needs to be enrolled, and enabled in /etc/dkms/framework.conf
tingo@kg-pod530lin:~$ grep -i mok /etc/dkms/framework.conf
# mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
# mok_signing_key=/var/lib/dkms/mok.key
# mok_certificate=/var/lib/dkms/mok.pub
like this
tingo@kg-pod530lin:~$ file /var/lib/dkms/mok.*
/var/lib/dkms/mok.key: regular file, no read permission
/var/lib/dkms/mok.pub: Certificate, Version=3
tingo@kg-pod530lin:~$ sudo file /var/lib/dkms/mok.*
/var/lib/dkms/mok.key: ASCII text
/var/lib/dkms/mok.pub: Certificate, Version=3
check if the zfs module is signed
tingo@kg-pod530lin:~$ sudo modinfo zfs | grep sig
sig_id:         PKCS#7
signer:         DKMS module signing key
sig_key:        5B:8C:B6:02:F3:64:65:67:93:23:6D:DC:0E:D5:4A:69:B4:97:78:15
sig_hashalgo:   sha256
signature:      41:C8:A6:E8:A6:FE:22:63:47:52:C9:C0:EC:08:70:C6:E5:69:EF:76:
Indeed. Let's enroll this key, then.
tingo@kg-pod530lin:~$ sudo mokutil --import /var/lib/dkms/mok.pub
input password:
input password again:
verify
tingo@kg-pod530lin:~$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: 08:88:a0:fe:df:e9:af:16:50:31:d4:38:56:9b:9e:d7:d2:d6:0c:62
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:8c:b6:02:f3:64:65:67:93:23:6d:dc:0e:d5:4a:69:b4:97:78:15
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
        Validity
            Not Before: Apr 28 16:03:54 2024 GMT
            Not After : Apr  4 16:03:54 2124 GMT
        Subject: CN=DKMS module signing key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:0b:dc:71:c2:2f:08:8d:83:09:20:36:31:58:
                    a2:6a:3b:24:10:0b:1e:55:e8:9a:6b:30:ac:22:a0:
                    5b:dd:51:67:37:7a:62:f3:6b:f5:25:7e:90:d9:b9:
                    87:0b:75:e8:ab:e3:45:c3:94:60:52:e2:f7:70:a8:
                    db:8d:ad:f7:1b:c5:32:7d:bc:22:ec:38:65:0a:36:
                    22:e4:23:08:46:47:bc:51:be:54:66:40:d7:97:d7:
                    82:b3:cf:88:03:11:a4:70:41:aa:05:a6:b6:d6:12:
                    55:da:59:c6:b3:0c:4d:7b:87:a3:48:11:d2:59:0a:
                    ab:d2:c4:a0:27:47:01:66:ed:03:f1:b0:56:5c:c3:
                    de:8e:8d:3a:5f:43:ae:65:82:3c:da:7a:ef:fa:a4:
                    50:11:3b:3c:9c:a3:08:4e:ac:36:fd:d5:77:90:90:
                    02:d9:91:b2:28:6e:84:2d:0f:ee:22:f0:1c:10:98:
                    d9:b4:86:9f:d0:8f:45:20:bb:36:e3:29:78:c6:26:
                    21:91:a8:19:29:2a:2b:0b:8b:a1:63:63:58:1c:b2:
                    df:30:13:74:54:32:d3:96:89:e8:81:b5:0a:63:90:
                    5e:5b:cb:79:74:79:c2:6a:15:48:0b:33:26:ac:07:
                    da:a8:85:db:3d:a3:f8:2e:85:1f:ee:8b:59:fa:fc:
                    fc:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                23:7A:E1:BE:8A:F6:A3:C9:25:57:B3:2B:A3:A6:D4:00:B4:EA:2E:14
            X509v3 Authority Key Identifier:
                23:7A:E1:BE:8A:F6:A3:C9:25:57:B3:2B:A3:A6:D4:00:B4:EA:2E:14
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        43:76:51:b0:17:33:87:53:cf:fc:40:f2:c9:1c:45:c0:e2:48:
        d0:58:20:4a:93:68:d3:cf:3e:b7:7e:49:31:c3:aa:0f:46:76:
        c2:e9:db:54:a4:68:fa:22:f3:d3:6b:ea:9b:fd:28:30:d6:56:
        de:b8:6c:e3:26:c5:c4:3a:5c:db:01:c5:47:d9:8e:96:a7:dd:
        18:9d:64:53:32:ab:50:1b:4b:2b:bc:a5:77:46:a1:d8:3a:16:
        10:6b:df:b5:6b:0b:c6:81:f6:38:90:51:34:0f:8f:a9:eb:3b:
        86:56:e4:6a:42:a3:cc:27:4c:69:b2:27:f4:fa:c5:5f:f9:a6:
        dc:15:a9:b7:0f:6c:bd:83:ae:87:ac:6b:48:92:e0:8c:84:97:
        53:fd:4d:37:b0:ca:58:68:83:14:52:70:a7:45:10:3f:b3:53:
        f0:4c:61:a2:60:ab:f3:4a:ef:d5:c6:eb:9d:5a:38:c2:8d:08:
        f5:1d:21:cd:d2:7b:02:e1:3f:41:3d:6c:09:62:e4:75:1c:17:
        57:23:f5:b2:9c:0d:65:5a:0a:75:5b:e0:5c:da:7e:cd:f8:ef:
        c3:0b:ea:7e:3e:26:0b:ce:2b:2b:7f:44:9c:9e:98:8d:dd:5c:
        a7:bf:d3:9a:45:79:39:75:c9:7b:fc:88:3a:68:5b:af:77:70:
        65:65:a6:05
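The sig_key that modinfo prints for the zfs module is the serial number of the certificate that signed it, and the mokutil --list-new dump shows the serial of the certificate staged for enrollment; the two match here (5B:8C:B6:...:78:15). The Python check below is an added example, not something from this log or from the DKMS/mokutil projects: it parses both text outputs and tells you before rebooting whether the MOK you just staged is really the one the module was signed with. The sample inputs are constructed from the values on this page, and live_check() is a hypothetical helper that runs modinfo and mokutil itself (mokutil --list-new needs root, as seen above).

```python
"""Match a kernel module's signing certificate to a MOK staged for enrollment.

Added example: `modinfo <module>` reports `sig_key` as the serial number of
the X.509 certificate that signed the module; `mokutil --list-new` prints the
staged certificate in openssl text form. Comparing the two catches the case
where the key you enrolled is not the one DKMS signed with.
"""
import re
import subprocess
from typing import Optional

# Constructed sample inputs; the values are the ones shown in this log.
MODINFO_SAMPLE = """\
sig_id:         PKCS#7
signer:         DKMS module signing key
sig_key:        5B:8C:B6:02:F3:64:65:67:93:23:6D:DC:0E:D5:4A:69:B4:97:78:15
sig_hashalgo:   sha256
"""

MOKUTIL_SAMPLE = """\
[key 1]
SHA1 Fingerprint: 08:88:a0:fe:df:e9:af:16:50:31:d4:38:56:9b:9e:d7:d2:d6:0c:62
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:8c:b6:02:f3:64:65:67:93:23:6d:dc:0e:d5:4a:69:b4:97:78:15
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
[key 2]
SHA1 Fingerprint: d8:a8:6a:e5:b8:29:86:d0:b4:96:f3:85:f3:89:e7:72:f6:a4:28:ad
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: e0:c5:ec:74:0c:15:52:4e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Roderick W. Smith, rodsmith@rodsbooks.com
"""

# openssl prints a long serial as colon-separated hex on the next line, a short
# one on the same line, and a small one as decimal followed by "(0x...)".
SERIAL_RE = re.compile(
    r"Serial Number:[ \t]*\r?\n?[ \t]*"
    r"(?:(?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})+)|\d+ \(0x(?P<paren>[0-9a-f]+)\))",
    re.I,
)


def normalize(serial: str) -> str:
    """Lower-case hex without colons or leading zero bytes, for comparison."""
    return serial.replace(":", "").lower().lstrip("0") or "0"


def module_sig_key(modinfo_text: str) -> Optional[str]:
    """Return the normalized sig_key from `modinfo` output, or None if unsigned."""
    m = re.search(r"^sig_key:\s*(\S+)", modinfo_text, re.M)
    return normalize(m.group(1)) if m else None


def extract_serial(cert_text: str) -> Optional[str]:
    """Return the normalized serial from an openssl-style certificate dump."""
    m = SERIAL_RE.search(cert_text)
    if not m:
        return None
    return normalize(m.group("hex") or m.group("paren"))


def staged_certs(mokutil_text: str) -> list:
    """Parse `mokutil --list-new` output into [{'serial': ..., 'issuer': ...}]."""
    certs = []
    for chunk in re.split(r"^\[key \d+\]\s*$", mokutil_text, flags=re.M)[1:]:
        serial = extract_serial(chunk)
        issuer = re.search(r"^\s*Issuer:\s*(.+)$", chunk, re.M)
        if serial:
            certs.append({"serial": serial,
                          "issuer": issuer.group(1).strip() if issuer else "?"})
    return certs


def matching_cert(modinfo_text: str, mokutil_text: str) -> Optional[dict]:
    """The staged certificate whose serial equals the module's sig_key, if any."""
    key = module_sig_key(modinfo_text)
    if key is None:
        return None
    return next((c for c in staged_certs(mokutil_text) if c["serial"] == key), None)


def live_check(module: str = "zfs") -> Optional[dict]:
    """Hypothetical helper: run the real tools (run as root for mokutil)."""
    modinfo = subprocess.run(["modinfo", module], capture_output=True,
                             text=True, check=True).stdout
    staged = subprocess.run(["mokutil", "--list-new"], capture_output=True,
                            text=True).stdout
    return matching_cert(modinfo, staged)


if __name__ == "__main__":
    hit = matching_cert(MODINFO_SAMPLE, MOKUTIL_SAMPLE)
    print("sample: module signer is staged for enrollment:", hit)
```

If matching_cert() returns None the MOK you imported will not make the module loadable under Secure Boot; check which certificate /etc/dkms/framework.conf actually points at before rebooting into MokManager.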
2024-06-15: Secure Boot - with SB enabled, ZBM starts, but then
Failed to load ZFS modules. Manually load the modules and exit.
(initramfs)
Unfortunately I can't get the modules loaded. I've tried /sbin/modprobe zfs and many other things, but it doesn't help.
2024-06-15: zroot - EFI boot entries
tingo@kg-pod530lin:~/work/zbm$ efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device	RC
Boot2002* EFI DVD/CDROM	RC
Boot2003* EFI Network	RC
2024-06-15: zroot - copy the signed ZBM to the ESP. Verify that it is signed:
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-BACKUP.EFI
warning: data remaining[48316960 vs 48326376]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen
before
tingo@kg-pod530lin:~/work/zbm$ ls -l /boot/efi/EFI/ZBM
total 94400
-rwxr-xr-x 1 root root 48324804 Apr 28 18:21 VMLINUZ-BACKUP.EFI
-rwxr-xr-x 1 root root 48324804 Apr 28 18:20 VMLINUZ.EFI
copy
tingo@kg-pod530lin:~/work/zbm$ sudo cp -v VMLINUZ-BACKUP.EFI /boot/efi/EFI/ZBM/
'VMLINUZ-BACKUP.EFI' -> '/boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI'
after
tingo@kg-pod530lin:~/work/zbm$ ls -l /boot/efi/EFI/ZBM
total 94400
-rwxr-xr-x 1 root root 48326376 Jun 15 19:02 VMLINUZ-BACKUP.EFI
-rwxr-xr-x 1 root root 48324804 Apr 28 18:20 VMLINUZ.EFI
2024-06-15: zroot - copy the MOK to the ESP (why?)
tingo@kg-pod530lin:~/work$ sudo cp -v pod530_local.cer /boot/efi/EFI/refind/keys/
'pod530_local.cer' -> '/boot/efi/EFI/refind/keys/pod530_local.cer'
2024-06-15: zroot - sign the ZBM binaries with the MOK
tingo@kg-pod530lin:~/work/zbm$ sbsign --key ../pod530_local.key --cert ../pod530_local.crt --output VMLINUZ-signed.EFI VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
Signing Unsigned original image
the backup too
tingo@kg-pod530lin:~/work/zbm$ sbsign --key ../pod530_local.key --cert ../pod530_local.crt --output VMLINUZ-BACKUP-signed.EFI VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
Signing Unsigned original image
verify
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-signed.EFI
warning: data remaining[48316960 vs 48326376]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-BACKUP-signed.EFI
warning: data remaining[48316960 vs 48326376]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen
check the originals
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
they are not signed.
2024-06-15: zroot - import the new MOK with mokutil. Check the new list first:
tingo@kg-pod530lin:~/work$ sudo mokutil --list-new
import the key
tingo@kg-pod530lin:~/work$ sudo mokutil -i pod530_local.cer
input password:
input password again:
You need to create a password here. Verify:
tingo@kg-pod530lin:~/work$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: 3e:9b:b2:2d:bb:d6:dd:d7:54:f9:c9:0a:06:ee:5b:81:58:f4:4b:c0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:fb:f9:c4:33:dd:9a:fa:ea:26:80:0e:6c:b5:6e:e1:b5:4e:4d:b3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Torfinn Ingolfsen
        Validity
            Not Before: Jun 15 16:31:23 2024 GMT
            Not After : Jun 13 16:31:23 2034 GMT
        Subject: CN=Torfinn Ingolfsen
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:51:40:e9:af:ab:c5:39:33:ba:08:44:0c:ae:
                    e6:90:3a:e3:87:cf:3c:42:a5:0a:f2:c6:fc:ce:da:
                    b0:17:ac:55:39:b9:6b:d4:d9:98:bf:6d:1d:19:f7:
                    07:b2:7a:ed:7e:22:c6:7e:83:44:82:3f:7f:ce:26:
                    cd:fc:6a:95:53:db:a0:d3:48:d6:c3:62:71:c0:24:
                    10:63:b0:e5:ca:f7:c1:a7:dd:18:d0:65:f0:bb:a2:
                    bc:a3:ba:90:f2:18:7d:d6:b1:59:57:53:dc:73:35:
                    55:d9:84:4c:b1:a8:82:7d:58:85:77:19:4d:8e:09:
                    a9:81:42:78:d0:14:4c:51:69:82:9b:c9:b9:c1:77:
                    11:87:25:e7:e3:39:29:1b:c9:9a:12:7f:94:ec:d4:
                    cd:9c:39:98:5d:c6:40:a4:1e:22:e7:e5:75:f3:1c:
                    85:55:98:c8:80:4c:3e:bd:d0:b1:68:7c:ed:28:a6:
                    f7:06:df:94:89:f7:b4:e9:84:74:d0:08:4a:b5:6b:
                    03:8a:70:61:bb:56:89:1b:8f:e0:82:01:5d:b5:73:
                    44:66:1d:06:fb:7a:cf:3e:b2:9e:a6:21:1d:1e:be:
                    28:8a:f0:c6:9c:bd:e5:95:43:26:88:71:9c:13:32:
                    9e:83:bc:8d:3e:73:8e:20:98:a8:49:c6:c5:70:17:
                    44:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ED:21:85:6F:F4:B0:B0:4B:9C:0E:87:2C:FB:D2:1C:E3:69:6D:69:85
            X509v3 Authority Key Identifier:
                ED:21:85:6F:F4:B0:B0:4B:9C:0E:87:2C:FB:D2:1C:E3:69:6D:69:85
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        63:2e:9a:f7:d0:79:c6:3a:00:f1:00:a0:be:ef:22:0f:88:ea:
        7e:d8:fd:5d:cd:ec:40:07:e5:3d:71:79:ba:a6:93:fe:07:73:
        db:40:5d:b5:d1:7c:69:d4:19:53:8a:d6:06:93:69:b6:86:ad:
        e5:02:07:4f:52:b5:c1:63:5b:ec:8f:d5:fa:75:8d:f2:06:f9:
        2e:2f:c9:35:be:5e:c9:50:f9:c4:63:83:92:28:95:c3:90:25:
        47:78:c8:19:87:ba:fe:46:d1:2d:83:c0:a9:a7:98:a1:3e:d0:
        b1:d3:c7:02:22:2b:35:d1:4c:84:7f:21:6d:ed:68:71:28:e2:
        23:c7:7e:37:9f:20:75:10:a1:76:49:0d:40:5d:66:b9:c8:d1:
        41:65:d4:97:ca:83:0f:dd:20:d1:4a:a4:bf:44:f6:3f:c7:a1:
        14:fb:6b:41:54:f9:d7:92:9f:9d:54:3a:b6:a8:33:6e:7b:94:
        05:3d:c3:cf:3d:30:21:66:75:51:35:3e:d1:4b:f5:a9:ba:58:
        22:2a:ab:05:9d:75:e8:9d:e0:5c:65:4e:19:01:ac:31:ac:99:
        d3:57:1f:df:21:64:5a:75:97:a9:4e:0f:f0:0a:6b:b2:f0:9b:
        e8:ba:ff:82:71:9c:c4:b0:a8:ab:ce:14:df:5b:31:23:87:e9:
        af:05:8c:e4
it is there. And it lasts ten years.
2024-06-15: zroot - create a MOK with openssl
tingo@kg-pod530lin:~$ mkdir work
tingo@kg-pod530lin:~$ cd work
create
tingo@kg-pod530lin:~/work$ openssl req -new -x509 -newkey rsa:2048 -keyout pod530_local.key -out pod530_local.crt -nodes -days 3650 -subj "/CN=Torfinn Ingolfsen/"
.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+............+..+......+..........+...+......+..............+.+.........+..+....+...+.....+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+...+...........+....+..+...+.+........+......+.+..............+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+...+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+..+....+...+......+......+...+...+............+...........+................+........+......+.+.........+...............+.........+..+...+.+.....+.+...+...+.....+.......+..+.........+............+...+.+...+..+...+...+...+....+..+......+...+....+.....+.+...........+..........+......+..+......+.......+..................+......+........+.......+.....+......+...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
generate .cer file
tingo@kg-pod530lin:~/work$ openssl x509 -in pod530_local.crt -out pod530_local.cer -outform DER
verify
tingo@kg-pod530lin:~/work$ ls -l
total 14
-rw-r--r-- 1 tingo tingo  797 Jun 15 18:35 pod530_local.cer
-rw-r--r-- 1 tingo tingo 1135 Jun 15 18:31 pod530_local.crt
-rw------- 1 tingo tingo 1704 Jun 15 18:31 pod530_local.key
2024-05-09: zroot - SecureBoot - with it enabled, shim works and loads rEFInd, but ZFSBootMenu (and the FreeBSD loader) are not signed, so it fails to load them.
2024-05-09: zroot - shim - it seems that shim (from shim-signed) requires that the program to load is named 'grubx64.efi' or something else it knows. I copied refind_x64.efi to grubx64.efi and shim booted without complaint, and efibootmgr verifies
tingo@kg-pod530lin:~$ efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Secure Boot is still off:
tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot disabled
2024-05-09: zroot - efibootmgr - the created entry didn't stick around, after a reboot, I'm back to
tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device	RC
Boot2002* EFI DVD/CDROM	RC
Boot2003* EFI Network	RC
try again
tingo@kg-pod530lin:~$ sudo efibootmgr -c -d /dev/nvme0n1 -l /EFI/refind/shimx64s.efi -L "SB rEFInd" -u "shimx64s.efi refind_x64.efi"
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0000* SB rEFInd
verify
tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device	RC
Boot2002* EFI DVD/CDROM	RC
Boot2003* EFI Network	RC
looks better now.
2024-05-09: zroot - efibootmgr - set up a boot entry for the shim-enabled rEFInd
tingo@kg-pod530lin:~$ sudo efibootmgr -c -d /dev/nvme0n1 -l /boot/efi/EFI/refind/shimx64s.efi -L "SB rEFInd" -u "shimx64s.efi refind_x64.efi"
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0000* SB rEFInd
verify
tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\boot\efi\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device	RC
Boot2002* EFI DVD/CDROM	RC
Boot2003* EFI Network	RC
2024-05-09: zroot - copy the signed shim to the refind directory
tingo@kg-pod530lin:~$ sudo cp -pv /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/refind/shimx64s.efi
'/usr/lib/shim/shimx64.efi.signed' -> '/boot/efi/EFI/refind/shimx64s.efi'
2024-05-09: zroot - check the ZFSBootMenu binaries with sbverify too
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/ZBM/VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
not signed, I expected that.
2024-05-09: zroot - apt - install shim-signed
tingo@kg-pod530lin:~$ sudo apt install shim-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  gettext-base grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libfuse2 os-prober shim-helpers-amd64-signed shim-signed-common
Suggested packages:
  multiboot-doc grub-emu mtools xorriso
Recommended packages:
  secureboot-db
The following NEW packages will be installed:
  gettext-base grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libfuse2 os-prober shim-helpers-amd64-signed shim-signed shim-signed-common
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,105 kB of archives.
After this operation, 57.2 MB of additional disk space will be used.
[..]
Setting up shim-signed:amd64 (1.39+15.7-1) ...
Secure Boot not enabled on this system.
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u6) ...
files in shim-signed
tingo@kg-pod530lin:~$ dpkg-query -L shim-signed
/.
/usr
/usr/lib
/usr/lib/shim
/usr/lib/shim/shimx64.efi.signed
/usr/share
/usr/share/doc
/usr/share/doc/shim-signed
/usr/share/doc/shim-signed/changelog.gz
/usr/share/doc/shim-signed/copyright
check signature
tingo@kg-pod530lin:~$ sbverify --list /usr/lib/shim/shimx64.efi.signed
warning: data remaining[823184 vs 948768]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
2024-05-09: zroot - sbsigntool - see what's signed and not
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/refind_x64.efi
signature 1
image signature issuers:
 - /CN=Roderick W. Smith, rodsmith@rodsbooks.com
image signature certificates:
 - subject: /CN=Roderick W. Smith, rodsmith@rodsbooks.com
   issuer:  /CN=Roderick W. Smith, rodsmith@rodsbooks.com
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/shimx64.efi
warning: data remaining[813568 vs 939147]: gaps between PE/COFF sections?
warning: data remaining[813568 vs 939152]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/mmx64.efi
warning: data remaining[730112 vs 848137]: gaps between PE/COFF sections?
warning: data remaining[730112 vs 848144]: gaps between PE/COFF sections?
No signature table present
OK, so neither shim nor MokManager is signed.
tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sbverify --cert keys/refind.crt /boot/efi/EFI/refind/refind_x64.efi
Signature verification OK
And the signature on rEFInd checks out.
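What sbverify --list decides between "signature 1" and "No signature table present" is whether the PE optional header's Certificate Table data directory (index 4) points at one or more WIN_CERTIFICATE blobs appended to the image. The Python below is an added example, not code from this log or from sbsigntool: it parses that header directly, lists the certificate types it finds, and reports bytes that belong to neither a section nor the certificate table, which is a rough analogue of the "data remaining" warning above rather than the same arithmetic. build_test_image() constructs a minimal PE32+ image in memory so the check can be exercised without a real EFI binary; the signed variant carries a constructed placeholder blob, not a real PKCS#7 signature.

```python
"""Report whether a PE/COFF EFI binary carries an Authenticode signature table.

Added example. The Certificate Table entry of the optional header holds a
*file offset* (not an RVA) and a size covering one or more WIN_CERTIFICATE
structures; an image without that entry is what sbverify reports as
"No signature table present".
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def parse_pe(data: bytes) -> dict:
    """Return signature-table facts for an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                         # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                                       # PE32+ (x86_64 EFI binaries)
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Section headers (40 bytes each) follow the optional header; SizeOfRawData
    # and PointerToRawData sit at offsets 16 and 20 of each header.
    sec_hdr = opt + opt_size
    sections_end = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_hdr + 40 * i + 16)
        sections_end = max(sections_end, raw_ptr + raw_size)
    # Walk the WIN_CERTIFICATE entries: dwLength, wRevision, wCertificateType,
    # each entry padded to an 8-byte boundary.
    signatures = []
    pos, end = cert_off, cert_off + cert_size
    if cert_size and end > len(data):
        raise ValueError("certificate table points past end of file")
    while cert_size and pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8:
            raise ValueError("bad WIN_CERTIFICATE length")
        signatures.append(cert_type)
        pos += (length + 7) & ~7
    return {
        "signed": bool(signatures),
        "signatures": signatures,
        "sections_end": sections_end,
        # bytes in neither a section nor the certificate table (rough analogue
        # of sbverify's "data remaining" warning, not the same computation)
        "unmapped_bytes": len(data) - sections_end - cert_size,
    }


def build_test_image(signed: bool, trailing: int = 0) -> bytes:
    """Constructed minimal PE32+ image with one .text section, for offline tests."""
    align = 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew -> PE header
    opt = bytearray(112 + 16 * 8)                              # PE32+ header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x0022)
    sec = bytearray(40)
    sec[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, align, 0x1000, align, align)
    headers = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec))
    headers.extend(b"\0" * (align - len(headers)))
    image = headers + b"\x90" * align + b"\0" * trailing
    if signed:
        blob = b"constructed placeholder, not a real PKCS#7 SignedData"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)
        dir_off = len(dos) + 4 + len(coff) + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, dir_off, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for flag in (False, True):
            print("constructed image, signed=%s:" % flag, parse_pe(build_test_image(flag)))
    for path in paths:
        with open(path, "rb") as fh:
            info = parse_pe(fh.read())
        print(path, "signature table present" if info["signed"] else "No signature table present", info)
```

Run it with a path such as /boot/efi/EFI/refind/shimx64.efi to get the same present/absent verdict as sbverify --list; it deliberately does not validate the PKCS#7 blob, so a "signed" result only means a signature table exists, and sbverify --cert is still the tool that checks it against a trusted certificate.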
2024-05-09: zroot - apt - install sbsigntool
tingo@kg-pod530lin:~$ sudo apt install sbsigntool
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  sbsigntool
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.4 kB of archives.
After this operation, 429 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 sbsigntool amd64 0.9.4-3.1 [68.4 kB]
Fetched 68.4 kB in 0s (1,012 kB/s)
Selecting previously unselected package sbsigntool.
(Reading database ... 130478 files and directories currently installed.)
Preparing to unpack .../sbsigntool_0.9.4-3.1_amd64.deb ...
Unpacking sbsigntool (0.9.4-3.1) ...
Setting up sbsigntool (0.9.4-3.1) ...
Processing triggers for man-db (2.11.2-2) ...
files in package
tingo@kg-pod530lin:~$ dpkg-query -L sbsigntool
/.
/usr
/usr/bin
/usr/bin/sbattach
/usr/bin/sbkeysync
/usr/bin/sbsiglist
/usr/bin/sbsign
/usr/bin/sbvarsign
/usr/bin/sbverify
/usr/share
/usr/share/doc
/usr/share/doc/sbsigntool
/usr/share/doc/sbsigntool/NEWS.gz
/usr/share/doc/sbsigntool/README
/usr/share/doc/sbsigntool/changelog.Debian.gz
/usr/share/doc/sbsigntool/changelog.gz
/usr/share/doc/sbsigntool/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/sbattach.1.gz
/usr/share/man/man1/sbkeysync.1.gz
/usr/share/man/man1/sbsiglist.1.gz
/usr/share/man/man1/sbsign.1.gz
/usr/share/man/man1/sbvarsign.1.gz
/usr/share/man/man1/sbverify.1.gz
2024-05-09: zroot - current EFI boot entries
tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd	HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device	RC
Boot2002* EFI DVD/CDROM	RC
Boot2003* EFI Network	RC
2024-05-09: Secure boot - ok, booting with Secure Boot on still refuses to let rEFInd boot.
2024-05-09: zroot - use mokutil to import the refind key
tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ mokutil -i keys/refind.cer
Failed to accesss kernel trusted keyring: Required key not available
input password:
input password again:
Failed to enroll new keys
try with sudo
tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo mokutil -i keys/refind.cer
input password:
input password again:
check
tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: d8:a8:6a:e5:b8:29:86:d0:b4:96:f3:85:f3:89:e7:72:f6:a4:28:ad
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: e0:c5:ec:74:0c:15:52:4e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Roderick W. Smith, rodsmith@rodsbooks.com
        Validity
            Not Before: Dec  6 21:38:28 2012 GMT
            Not After : Dec  1 21:38:28 2032 GMT
        Subject: CN=Roderick W. Smith, rodsmith@rodsbooks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:4e:75:93:bd:f7:a6:1f:55:cf:e1:1a:a2:08:
                    84:e6:d5:9b:af:c2:29:75:f9:78:5c:71:8c:76:61:
                    0d:b7:21:4f:de:d4:3b:dd:9f:9c:6d:93:a4:24:d0:
                    84:1a:f2:96:06:f0:3a:d0:74:e4:09:90:8b:6f:dc:
                    f0:d8:b8:eb:b4:67:1f:dd:1d:59:bd:de:89:07:04:
                    04:b5:5f:62:49:72:c9:6c:c0:7b:ff:84:00:13:b3:
                    45:e7:bf:77:c9:b7:7d:26:27:48:da:f8:a0:db:48:
                    e6:77:57:43:07:fa:98:c1:91:cf:fa:3e:4e:f1:1e:
                    e3:a4:5b:08:c9:ea:23:f9:9d:e3:de:0f:ca:06:bd:
                    07:06:bb:06:5e:f5:78:62:2b:53:4a:6b:6d:e3:f5:
                    6c:d5:53:c8:65:d1:bb:a1:c9:ab:41:77:fc:40:4a:
                    cf:49:9d:4b:26:12:1b:06:76:a6:ac:76:65:a9:e9:
                    0a:93:be:3f:d0:c1:6a:09:77:b2:79:ce:65:34:93:
                    94:86:b7:92:34:90:a4:06:2a:8f:de:a4:25:3d:5d:
                    d0:1f:e7:3d:7d:f0:9d:03:e9:7c:8f:7c:dd:f2:d9:
                    96:13:3c:66:ff:d6:b3:0d:75:c7:90:5c:3c:61:97:
                    fa:6c:de:7e:00:fe:a2:0a:89:95:b7:2a:cf:1c:3a:
                    3f:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
            X509v3 Authority Key Identifier:
                D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        a8:f7:fb:e1:46:21:bd:a0:c1:1a:26:d8:a1:cb:8f:e9:61:3b:
        3d:12:22:82:43:a7:b0:cd:c6:d0:68:1c:fb:98:f5:de:73:b8:
        79:13:82:ee:c6:11:3b:46:5f:fe:d7:fc:6a:df:d5:fc:0f:b0:
        b4:99:b0:f2:37:40:eb:b7:73:af:7f:e8:61:cd:67:69:90:32:
        10:ff:b3:fa:49:d4:53:c4:05:c4:fb:fc:54:3a:3e:7b:8c:43:
        4f:5d:95:95:d2:30:ed:53:2d:4c:19:93:7d:20:a0:14:5d:f9:
        cf:7e:6b:fb:d8:56:0d:f5:7a:14:56:fd:dd:e7:2c:bd:c1:20:
        9c:ff:d0:25:18:7c:7c:94:60:c9:fe:9e:c3:25:25:c6:98:12:
        8e:05:05:7f:d5:8d:fd:18:2c:5a:49:67:72:ad:c8:e7:57:5b:
        30:50:12:ce:f6:d7:ac:7c:24:70:7e:8a:3f:ac:d8:7e:c2:02:
        bd:3f:e7:a6:2d:b8:7e:8d:24:cb:ff:35:bf:61:ed:4d:4b:45:
        57:0f:7a:56:4e:cc:00:ec:ce:d7:60:ec:ba:28:e3:76:bc:ab:
        a9:17:21:e1:0e:3d:cd:33:3b:29:ab:cf:e8:0d:01:cb:bd:4c:
        ea:d4:8f:33:f7:db:1d:8a:df:76:79:62:76:24:aa:07:ea:74:
        8a:0c:a5:ea
2024-05-09: zroot - refind - copy shim and MokManager to the refind directory
root@kg-pod530lin:/boot/efi/EFI# cp -pv /usr/lib/shim/shimx64.efi ./refind/
'/usr/lib/shim/shimx64.efi' -> './refind/shimx64.efi'
root@kg-pod530lin:/boot/efi/EFI# cp -pv /usr/lib/shim/mmx64.efi ./refind/
'/usr/lib/shim/mmx64.efi' -> './refind/mmx64.efi'
copy the refind key to the refind directory
tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo cp -v keys/refind.cer /boot/efi/EFI/refind/
'keys/refind.cer' -> '/boot/efi/EFI/refind/refind.cer'
2024-05-09: zroot - refind - I renamed the old refind directory
root@kg-pod530lin:/boot/efi/EFI# mv refind refind_0.12
then created an empty one
root@kg-pod530lin:/boot/efi/EFI# mkdir refind
then I installed rEFInd 0.14.2 from a zip file using the script
tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ ./refind-install
Not running as root; attempting to elevate privileges via sudo....
[sudo] password for tingo:
ShimSource is none
Installing rEFInd on Linux....
ESP was found at /boot/efi using vfat
Copied rEFInd binary files
Copying sample configuration file as refind.conf; edit this file to configure rEFInd.
Keeping existing NVRAM entry
rEFInd is set as the default boot manager.
Creating //boot/refind_linux.conf; edit it to adjust kernel options.
Installation has completed successfully.
now the refind directory has
root@kg-pod530lin:/boot/efi/EFI# ls -lF refind
total 336
-rwxr-xr-x 1 root root    140 May  9 17:01 BOOT.CSV*
drwxr-xr-x 3 root root   8192 May  9 17:01 icons/
drwxr-xr-x 2 root root   8192 May  9 17:01 keys/
-rwxr-xr-x 1 root root  36351 May  9 17:01 refind.conf*
-rwxr-xr-x 1 root root 278328 May  9 17:01 refind_x64.efi*
2024-05-09: zroot - check things with mokutil
tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot disabled
tingo@kg-pod530lin:~$ mokutil --list-enrolled
2024-05-09: zroot - apt - install mokutil
tingo@kg-pod530lin:~$ sudo apt install mokutil
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  mokutil
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.9 kB of archives.
After this operation, 81.9 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 mokutil amd64 0.6.0-2 [26.9 kB]
Fetched 26.9 kB in 0s (211 kB/s)
Selecting previously unselected package mokutil.
(Reading database ... 130472 files and directories currently installed.)
Preparing to unpack .../mokutil_0.6.0-2_amd64.deb ...
Unpacking mokutil (0.6.0-2) ...
Setting up mokutil (0.6.0-2) ...
Processing triggers for man-db (2.11.2-2) ...
files in the package
tingo@kg-pod530lin:~$ dpkg-query -L mokutil
/.
/usr
/usr/bin
/usr/bin/mokutil
/usr/share
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/mokutil
/usr/share/doc
/usr/share/doc/mokutil
/usr/share/doc/mokutil/changelog.Debian.gz
/usr/share/doc/mokutil/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/mokutil.1.gz
2024-05-09: zroot - apt - install shim-unsigned
tingo@kg-pod530lin:~$ sudo apt install shim-unsigned
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  shim-unsigned
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 436 kB of archives.
After this operation, 1,907 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 shim-unsigned amd64 15.7-1 [436 kB]
Fetched 436 kB in 0s (2,259 kB/s)
Selecting previously unselected package shim-unsigned.
(Reading database ... 130464 files and directories currently installed.)
Preparing to unpack .../shim-unsigned_15.7-1_amd64.deb ...
Unpacking shim-unsigned (15.7-1) ...
Setting up shim-unsigned (15.7-1) ...
files in package
tingo@kg-pod530lin:~$ dpkg-query -L shim-unsigned
/.
/usr
/usr/lib
/usr/lib/shim
/usr/lib/shim/BOOTX64.CSV
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi
/usr/share
/usr/share/doc
/usr/share/doc/shim-unsigned
/usr/share/doc/shim-unsigned/changelog.Debian.gz
/usr/share/doc/shim-unsigned/copyright
2024-05-09: Secure Boot - (pressed F2 to enter UEFI, switched on Secure Boot) with Secure Boot enabled, rEFInd can NOT boot, ZFSBootMenu can NOT boot.
2024-04-28: zroot - yes, that worked, but I ended up without networking. I had to connect a usb-to-ethernet adapter and run dhclient manually, so I could install missing pieces like firmware-atheros, a desktop environment and network-manager.
Status
tingo@kg-pod530lin:~$ date;acpi -t;/sbin/swapon --show;df -h;uptime
Sun Apr 28 07:28:47 PM CEST 2024
NAME      TYPE      SIZE USED PRIO
/dev/dm-0 partition   4G   0B   -2
Filesystem         Size  Used Avail Use% Mounted on
udev               1.7G     0  1.7G   0% /dev
tmpfs              346M  1.4M  345M   1% /run
zroot/ROOT/debian   55G  2.6G   52G   5% /
tmpfs              1.7G     0  1.7G   0% /dev/shm
tmpfs              5.0M   12K  5.0M   1% /run/lock
/dev/nvme0n1p1     200M   95M  105M  48% /boot/efi
tmpfs              1.7G  8.0K  1.7G   1% /tmp
zroot/home          52G  1.2M   52G   1% /home
tmpfs              346M   60K  346M   1% /run/user/1000
 19:28:47 up 7 min,  2 users,  load average: 0.04, 0.08, 0.05
lsblk info
tingo@kg-pod530lin:~$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 119.2G  0 disk
├─nvme0n1p1 259:1    0   200M  0 part  /boot/efi
├─nvme0n1p2 259:2    0     4G  0 part
├─nvme0n1p3 259:3    0    55G  0 part
├─nvme0n1p4 259:4    0     4G  0 part
│ └─swap    254:0    0     4G  0 crypt [SWAP]
└─nvme0n1p5 259:5    0    56G  0 part
blkid info
tingo@kg-pod530lin:~$ sudo blkid
/dev/nvme0n1p5: LABEL="zroot" UUID="17433648056724219961" UUID_SUB="15808678309036509384" BLOCK_SIZE="4096" TYPE="zfs_member" PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p3: UUID="5f2027ccb14aecab" BLOCK_SIZE="4096" TYPE="ufs" PARTUUID="182bde44-d0d6-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"
/dev/nvme0n1p2: PARTUUID="e1424b7a-d0d5-11ea-a01f-9ffdf410df40"
/dev/mapper/swap: LABEL="swap" UUID="fed42fad-b7f3-40a6-92b7-dc98a2a8dc31" TYPE="swap"
zpool status
tingo@kg-pod530lin:~$ zpool status zroot
  pool: zroot
 state: ONLINE
config:

        NAME                                    STATE     READ WRITE CKSUM
        zroot                                   ONLINE       0     0     0
          245b8887-fe70-468e-b937-746f73cfee83  ONLINE       0     0     0

errors: No known data errors
cryptsetup status
tingo@kg-pod530lin:~$ sudo cryptsetup status swap
/dev/mapper/swap is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p4
  sector size:  512
  offset:  2048 sectors
  size:    8386560 sectors
  mode:    read/write
zfs list
tingo@kg-pod530lin:~$ zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
zroot              2.59G  51.7G   192K  none
zroot/ROOT         2.59G  51.7G   192K  none
zroot/ROOT/debian  2.59G  51.7G  2.59G  /
zroot/home         1.11M  51.7G  1.11M  /home
encryption
tingo@kg-pod530lin:~$ zfs get encryption zroot
NAME   PROPERTY    VALUE        SOURCE
zroot  encryption  aes-256-gcm  -
key status
tingo@kg-pod530lin:~$ zfs get keystatus zroot
NAME   PROPERTY   VALUE      SOURCE
zroot  keystatus  available  -
2024-04-28: zfs - configure ZFSBootMenu properties on datasets
root@debian:/# zfs set org.zfsbootmenu:commandline="quiet loglevel=4" zroot/ROOT
root@debian:/# zfs set org.zfsbootmenu:keysource="zroot/ROOT/${ID}" zroot
key caching in ZFSBootMenu is handled by the keysource property just set (after the first passphrase prompt ZFSBootMenu reads and caches /etc/zfs/zroot.key from that dataset). Separately, set a pool cachefile so the installed system imports zroot from the cache (zfs-import-cache) instead of scanning devices; the cache file is copied into the initramfs too
root@debian:/# zpool set cachefile=/etc/zfs/zpool.cache zroot
fetch and install ZFSBootMenu. This downloads the prebuilt EFI image (curl -L follows the redirect from get.zfsbootmenu.org to the release file) and keeps a second copy as a fallback. Note that nothing here checks a checksum or signature of what was fetched, and the image is not signed for Secure Boot, which is why it does not boot once Secure Boot is switched on (2024-05-09 entry above).
root@debian:/# mkdir -p /boot/efi/EFI/ZBM
root@debian:/# curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 46.0M  100 46.0M    0     0  8572k      0  0:00:05  0:00:05 --:--:-- 30.6M
root@debian:/# cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
configure EFI boot entries
root@debian:/# mount -t efivarfs efivarfs /sys/firmware/efi/efivars
root@debian:/# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "ZFSBootMenu (Backup)" -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0002* FreeBSD
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0001* ZFSBootMenu (Backup)
root@debian:/# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "ZFSBootMenu" -l '\EFI\ZBM\VMLINUZ.EFI'
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0003,0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0003* ZFSBootMenu
check order
root@debian:/# efibootmgr
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0003,0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
fix it (efibootmgr -c puts each new entry at the front of BootOrder; the numbers given to -o are hex entry IDs, and rEFInd goes back first)
root@debian:/# efibootmgr -o 6,2,3,1,2001,2002,2003,0
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003,0000
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
clean up. exit chroot and unmount
root@debian:/# exit
exit
root@debian:~# umount -n -R /mnt
export the zfs pool
root@debian:~# zpool export zroot
then reboot.
2024-04-28: zfs - configure zfs apt - install required packages
root@debian:/# apt install linux-headers-amd64 linux-image-amd64 zfs-initramfs dosfstools Reading package lists... Done Building dependency tree... Done Reading state information... Done dosfstools is already the newest version (4.2-1). The following additional packages will be installed: apparmor binutils binutils-common binutils-x86-64-linux-gnu build-essential busybox bzip2 cpp cpp-12 dirmngr dkms dpkg-dev fakeroot file firmware-linux-free fontconfig-config fonts-dejavu-core g++ g++-12 gcc gcc-12 gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm initramfs-tools initramfs-tools-core klibc-utils libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libassuan0 libatomic1 libavif15 libbinutils libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot libfile-fcntllock-perl libfontconfig1 libfreetype6 libgav1-1 libgcc-12-dev libgd3 libgdbm-compat4 libgdbm6 libgomp1 libgprofng0 libheif1 libisl23 libitm1 libjbig0 libjpeg62-turbo libklibc libksba8 liblerc4 liblsan0 libmagic-mgc libmagic1 libmpc3 libmpfr6 libnpth0 libnsl-dev libnuma1 libnvpair3linux libperl5.36 libpng16-16 libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libquadmath0 librav1e0 libsqlite3-0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2 libubsan1 libuutil3linux libwebp7 libx265-199 libxpm4 libyuv0 libzfs4linux libzpool5linux linux-base linux-compiler-gcc-12-x86 linux-headers-6.1.0-20-amd64 linux-headers-6.1.0-20-common linux-image-6.1.0-20-amd64 linux-kbuild-6.1 linux-libc-dev lsb-release make manpages manpages-dev media-types patch perl perl-modules-5.36 pinentry-curses python3 python3-distutils python3-lib2to3 python3-minimal python3.11 python3.11-minimal rpcsvc-proto sudo xz-utils zfs-dkms zfs-zed zfsutils-linux zstd Suggested packages: apparmor-profiles-extra apparmor-utils binutils-doc bzip2-doc cpp-doc 
gcc-12-locales cpp-12-doc pinentry-gnome3 tor menu debian-keyring g++-multilib g++-12-multilib gcc-12-doc gcc-multilib autoconf automake libtool flex bison gdb gcc-doc gcc-12-multilib parcimonie xloadimage scdaemon bash-completion glibc-doc git bzr libgd-tools gdbm-l10n libstdc++-12-doc linux-doc-6.1 debian-kernel-handbook grub-pc | grub-efi-amd64 | extlinux make-doc man-browser ed diffutils-doc perl-doc libterm-readline-gnu-perl | libterm-readline-perl-perl libtap-harness-archive-perl pinentry-doc python3-doc python3-tk python3-venv python3.11-venv python3.11-doc binfmt-support debhelper nfs-kernel-server samba-common-bin The following NEW packages will be installed: apparmor binutils binutils-common binutils-x86-64-linux-gnu build-essential busybox bzip2 cpp cpp-12 dirmngr dkms dpkg-dev fakeroot file firmware-linux-free fontconfig-config fonts-dejavu-core g++ g++-12 gcc gcc-12 gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm initramfs-tools initramfs-tools-core klibc-utils libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libassuan0 libatomic1 libavif15 libbinutils libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot libfile-fcntllock-perl libfontconfig1 libfreetype6 libgav1-1 libgcc-12-dev libgd3 libgdbm-compat4 libgdbm6 libgomp1 libgprofng0 libheif1 libisl23 libitm1 libjbig0 libjpeg62-turbo libklibc libksba8 liblerc4 liblsan0 libmagic-mgc libmagic1 libmpc3 libmpfr6 libnpth0 libnsl-dev libnuma1 libnvpair3linux libperl5.36 libpng16-16 libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libquadmath0 librav1e0 libsqlite3-0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2 libubsan1 libuutil3linux libwebp7 libx265-199 libxpm4 libyuv0 libzfs4linux libzpool5linux linux-base linux-compiler-gcc-12-x86 linux-headers-6.1.0-20-amd64 linux-headers-6.1.0-20-common 
linux-headers-amd64 linux-image-6.1.0-20-amd64 linux-image-amd64 linux-kbuild-6.1 linux-libc-dev lsb-release make manpages manpages-dev media-types patch perl perl-modules-5.36 pinentry-curses python3 python3-distutils python3-lib2to3 python3-minimal python3.11 python3.11-minimal rpcsvc-proto sudo xz-utils zfs-dkms zfs-initramfs zfs-zed zfsutils-linux zstd 0 upgraded, 135 newly installed, 0 to remove and 10 not upgraded. Need to get 194 MB of archives. After this operation, 928 MB of additional disk space will be used. [..] update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64 Setting up zfs-initramfs (2.1.11-1) ... Setting up zfs-zed (2.1.11-1) ... Running in chroot, ignoring request. Created symlink /etc/systemd/system/zed.service → /lib/systemd/system/zfs-zed.service. Created symlink /etc/systemd/system/zfs.target.wants/zfs-zed.service → /lib/systemd/system/zfs-zed.service. Processing triggers for initramfs-tools (0.142) ... update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64
and tell dkms to regenerate the initramfs whenever it rebuilds the zfs module, so the initramfs never carries a stale module
echo "REMAKE_INITRD=yes" > /etc/dkms/zfs.conf
enable systemd zfs services
root@debian:/# systemctl enable zfs.target
root@debian:/# systemctl enable zfs-import-cache
root@debian:/# systemctl enable zfs-mount
Synchronizing state of zfs-mount.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable zfs-mount
root@debian:/# systemctl enable zfs-import.target
configure initramfs
root@debian:/# echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf
Because the encryption key is stored in the /etc/zfs directory, it will automatically be copied into the initramfs. That is the reason for the UMASK=0077 setting above: the generated /boot/initrd.img-* then contains the passphrase in clear and must not be readable by anyone but root. On this layout /boot is not a separate partition (only /boot/efi is), so the initramfs itself lives on the encrypted zroot/ROOT/debian dataset, which ZFSBootMenu unlocks before it loads the kernel and initramfs from there. rebuild initramfs
root@debian:/# update-initramfs -c -k all update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64
2024-04-28: create encrypted swap
root@debian:/# echo "swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512" >> /etc/crypttab
verify
root@debian:/# cat /etc/crypttab
# <target name> <source device>         <key file>      <options>
swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512
This will map /dev/disk/by-partlabel/swap to /dev/mapper/swap as a swap partition that can be added in /etc/fstab like a normal swap. A few things about that crypttab line are worth knowing: the key comes from /dev/urandom at every boot, so whatever was in swap is unrecoverable after a reboot and resume from hibernation is not possible; the swap option makes cryptsetup run mkswap on the fresh mapping each time; size=512 is the key size in bits (XTS splits it into two 256-bit AES keys, matching the keysize cryptsetup status reports above); offset=2048 leaves the first 1 MiB of the partition untouched. set up fstab (the EFI partition is still listed by kernel name here; UUID=8F86-1AF2 from the blkid output would be the stable form)
root@debian:/# cat /etc/fstab
/dev/nvme0n1p1 /boot/efi vfat defaults 0 0
/dev/mapper/swap none swap defaults 0 0
tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0
mount efi
root@debian:/# mkdir -p /boot/efi
root@debian:/# mount /boot/efi
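Added example, not from the work log and not a ZFSBootMenu or cryptsetup tool: a small lint for /etc/crypttab entries of the random-keyed kind used for swap above. It only reads text and touches no device, so it can be run from the chroot before the first reboot. The sample crypttab below is constructed; it contains the log's own swap line plus three entries written to trip the checks, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original work log: lint /etc/crypttab lines for
# the kind of random-keyed plain dm-crypt swap configured above. It reads text
# only and touches no device, so it is safe to run from the chroot.

# Constructed sample: the log's own swap entry plus three entries written to
# trip the checks (they are not from the log's system).
CRYPTTAB_SAMPLE='# <target name> <source device> <key file> <options>
swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512
scratch /dev/nvme0n1p4 /dev/urandom offset=2048,cipher=aes-xts-plain64,size=512
tmp /dev/disk/by-partlabel/tmp /dev/urandom tmp
data UUID=fed42fad-b7f3-40a6-92b7-dc98a2a8dc31 none luks'

# 0 when the comma separated option list $1 has an option matching glob $2.
has_opt() {
    case ",$1," in *,$2,*) return 0 ;; esac
    return 1
}

# Check one crypttab line: print ERR:/WARN: findings, return 1 on an error,
# 2 on warnings only, 0 when clean.
check_crypttab_line() {
    set -- $1
    [ $# -ge 3 ] || { echo "ERR: '$*': need target, source and key file"; return 1; }
    name=$1 src=$2 key=$3 opts=${4:-}
    err=0 warn=0
    case "$key" in
    /dev/urandom|/dev/random)
        # A fresh random key each boot: the contents are gone after a reboot
        # and resume from hibernation is impossible. Without swap or tmp,
        # cryptsetup never formats the mapping, so nothing could use it.
        if ! has_opt "$opts" swap && ! has_opt "$opts" tmp; then
            echo "ERR: $name: random key but neither swap nor tmp option"
            err=$((err + 1))
        fi
        # Plain mode has no header recording the cipher; left unset, the
        # mapping gets cryptsetup's compiled-in plain-mode default.
        if ! has_opt "$opts" 'cipher=*'; then
            echo "WARN: $name: no cipher= given, cryptsetup default will be used"
            warn=$((warn + 1))
        fi
        ;;
    esac
    case "$src" in
    /dev/disk/by-*|UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*) ;;
    /dev/*)
        # A plain mapping cannot recognise its own device: if the kernel name
        # moves after a hardware change, the next boot encrypts (and, with
        # swap, runs mkswap over) whatever partition now carries that name.
        echo "WARN: $name: $src is a kernel name, use /dev/disk/by-*, UUID= or PARTUUID="
        warn=$((warn + 1))
        ;;
    esac
    [ $err -eq 0 ] || return 1
    [ $warn -eq 0 ] || return 2
    return 0
}

# Check a whole crypttab passed as text. Prints the findings, then a summary
# line "errors=N warnings=M"; returns 1 on errors, 2 on warnings only, else 0.
check_crypttab() {
    findings=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        check_crypttab_line "$line" || true
    done)
    [ -z "$findings" ] || printf '%s\n' "$findings"
    errors=$(printf '%s\n' "$findings" | grep -c '^ERR:' || true)
    warnings=$(printf '%s\n' "$findings" | grep -c '^WARN:' || true)
    echo "errors=$errors warnings=$warnings"
    [ "$errors" -eq 0 ] || return 1
    [ "$warnings" -eq 0 ] || return 2
    return 0
}

# Lint the constructed sample, then the real file when there is one.
check_crypttab "$CRYPTTAB_SAMPLE" || :
[ -r /etc/crypttab ] && { check_crypttab "$(cat /etc/crypttab)" || :; }
```

On the sample the log's own swap line passes clean; the "scratch" entry is the one to watch for, since a random key without the swap option and a bare /dev/nvme0n1p4 are both mistakes that only show up after a reboot.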
2024-04-28: install Debian
root@debian:~# debootstrap bookworm /mnt
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id 4D64FEC119C2029067D6E791F8D2585B8783D481)
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://deb.debian.org/debian...
I: Retrieving adduser 3.134
[..]
I: Configuring libc-bin...
I: Base system installed successfully.
copy files into the new install
root@debian:~# cp /etc/hostid /mnt/etc/
root@debian:~# cp /etc/resolv.conf /mnt/etc/
root@debian:~# mkdir /mnt/etc/zfs
root@debian:~# cp /etc/zfs/zroot.key /mnt/etc/zfs/
chroot into new os
root@debian:~# mount -t proc proc /mnt/proc
root@debian:~# mount -t sysfs sys /mnt/sys
root@debian:~# mount -B /dev /mnt/dev
root@debian:~# mount -t devpts pts /mnt/dev/pts
root@debian:~# chroot /mnt /bin/bash
root@debian:/#
set hostname
root@debian:/# echo 'kg-pod530lin' > /etc/hostname
root@debian:/# echo -e '127.0.1.1\tkg-pod530lin' >> /etc/hosts
update /etc/apt/sources.list
root@debian:/# cat <<EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
EOF
and run apt update
root@debian:/# apt update
[..]
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
apt - install additional base packages
root@debian:/# apt install console-setup cryptsetup curl dosfstools efibootmgr keyboard-configuration Reading package lists... Done Building dependency tree... Done The following additional packages will be installed: ca-certificates console-setup-linux cryptsetup-bin kbd libbrotli1 libcurl4 libefiboot1 libefivar1 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl publicsuffix xkb-data Suggested packages: locales cryptsetup-initramfs keyutils libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql The following NEW packages will be installed: ca-certificates console-setup console-setup-linux cryptsetup cryptsetup-bin curl dosfstools efibootmgr kbd keyboard-configuration libbrotli1 libcurl4 libefiboot1 libefivar1 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl publicsuffix xkb-data 0 upgraded, 26 newly installed, 0 to remove and 12 not upgraded. Need to get 7857 kB of archives. After this operation, 25.3 MB of additional disk space will be used. [..] Setting up console-setup (1.221) ... locale: Cannot set LC_CTYPE to default locale: No such file or directory locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory locale: Cannot set LC_CTYPE to default locale: No such file or directory locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory locale: Cannot set LC_CTYPE to default locale: No such file or directory locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory Processing triggers for libc-bin (2.36-9+deb12u4) ... Processing triggers for ca-certificates (20230311) ... 
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
set timezone
root@debian:/# dpkg-reconfigure tzdata perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "en_US.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). locale: Cannot set LC_CTYPE to default locale: No such file or directory locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory /usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory /usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory /usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory Current default time zone: 'Europe/Oslo' Local time is now: Sun Apr 28 17:17:20 CEST 2024. Universal Time is now: Sun Apr 28 15:17:20 UTC 2024.
configure locales
root@debian:/# dpkg-reconfigure locales perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "en_US.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). locale: Cannot set LC_CTYPE to default locale: No such file or directory locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory dpkg-query: package 'locales' is not installed and no information is available Use dpkg --info (= dpkg-deb --info) to examine archive files. /usr/sbin/dpkg-reconfigure: locales is not installed
aha - apt - fix it
root@debian:/# apt install locales Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: libc-bin libc-l10n libc6 Suggested packages: glibc-doc libnss-nis libnss-nisplus Recommended packages: manpages The following NEW packages will be installed: libc-l10n locales The following packages will be upgraded: libc-bin libc6 2 upgraded, 2 newly installed, 0 to remove and 10 not upgraded. Need to get 7936 kB of archives. After this operation, 20.7 MB of additional disk space will be used. [..] Generating locales (this might take a while)... Generation complete.
retry
root@debian:/# dpkg-reconfigure locales perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "en_US.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). locale: Cannot set LC_CTYPE to default locale: No such file or directory locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory /usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory /usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory /usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory Generating locales (this might take a while)... en_US.UTF-8... done nb_NO.UTF-8... done Generation complete.
set console font
root@debian:/# dpkg-reconfigure console-setup
root@debian:/# setupcon
setupcon: We are not on the console, the console is left unconfigured.
keyboard setup
root@debian:/# dpkg-reconfigure keyboard-configuration
add a user
root@debian:/# adduser tingo
Adding user `tingo' ...
Adding new group `tingo' (1000) ...
Adding new user `tingo' (1000) with group `tingo (1000)' ...
Creating home directory `/home/tingo' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for tingo
Enter the new value, or press ENTER for the default
        Full Name []: Torfinn Ingolfsen
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
Adding new user `tingo' to supplemental / extra groups `users' ...
Adding user `tingo' to group `users' ...
I added it to some more groups
root@debian:/# groups tingo
tingo : tingo adm lp dialout cdrom floppy sudo audio dip video plugdev users netdev
apt - install openssh-server
root@debian:/# apt install openssh-server Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session libcbor0.8 libdbus-1-3 libexpat1 libfido2-1 libnsl2 libpam-systemd libwrap0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term openssh-client openssh-sftp-server runit-helper ucf xauth Suggested packages: keychain libpam-ssh monkeysphere ssh-askpass molly-guard ufw The following NEW packages will be installed: dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session libcbor0.8 libdbus-1-3 libexpat1 libfido2-1 libnsl2 libpam-systemd libwrap0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term openssh-client openssh-server openssh-sftp-server runit-helper ucf xauth 0 upgraded, 27 newly installed, 0 to remove and 10 not upgraded. Need to get 4,775 kB of archives. After this operation, 19.8 MB of additional disk space will be used. [..] Setting up openssh-server (1:9.2p1-2+deb12u2) ... Creating config file /etc/ssh/sshd_config with new version Creating SSH2 RSA key; this may take some time ... 3072 SHA256:UQ/h42Hqk/HUOoX8MLqfLVb25IOLjKx1ZVej1EV9YzM root@debian (RSA) Creating SSH2 ECDSA key; this may take some time ... 256 SHA256:8vjFesYkjt4H6kury2HzmeHB6K12rH4giBZMYBFJf2U root@debian (ECDSA) Creating SSH2 ED25519 key; this may take some time ... 256 SHA256:OU4+ArV+LJ9dMScoDXHXK97wKjV8ywCqruXUc/S5N9Q root@debian (ED25519) Running in chroot, ignoring request. Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service. Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service. Setting up dbus-user-session (1.14.10-1~deb12u1) ... Processing triggers for libc-bin (2.36-9+deb12u6) ...
2024-04-28: zfs - create filesystems first, set id
root@debian:~# source /etc/os-release
root@debian:~# export ID
root@debian:~# echo $ID
debian
then create filesystems
root@debian:~# zfs create -o mountpoint=none zroot/ROOT
root@debian:~# zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/${ID}
root@debian:~# zfs create -o mountpoint=/home zroot/home
set preferred boot file system
root@debian:~# zpool set bootfs=zroot/ROOT/${ID} zroot
export and re-import the pool
root@debian:~# zpool export zroot
root@debian:~# zpool import -N -R /mnt zroot
mount root and /home
root@debian:~# zfs load-key -L prompt zroot
Enter passphrase for 'zroot':
root@debian:~# zfs mount zroot/ROOT/${ID}
root@debian:~# zfs mount zroot/home
verify mount points
root@debian:~# mount -t zfs
zroot/ROOT/debian on /mnt type zfs (rw,relatime,xattr,posixacl)
zroot/home on /mnt/home type zfs (rw,relatime,xattr,posixacl)
update device symlinks
root@debian:~# udevadm trigger
2024-04-28: zfs - create the pool
root@debian:~# zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posixacl -O xattr=sa -O relatime=on -o autotrim=on -O encryption=aes-256-gcm -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -m none zroot "/dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83" cannot create 'zroot': Passphrase too short (min 8).
ok, fix that
root@debian:~# zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posixacl -O xattr=sa -O relatime=on -o autotrim=on -O encryption=aes-256-gcm -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -m none zroot "/dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83"
2024-04-28: set up a zfs passphrase to unlock the encrypted pool. The key file holds the passphrase in clear text, so chmod 000 keeps every non-root user away from it (root can still read it, which is all ZFS needs). ZFS insists on at least 8 characters, as the "Passphrase too short" error above shows. Writing the passphrase with echo on the command line can also leave it in the shell history of the live session, and the file is later copied into the new system and from there into its initramfs.
# echo 'SomeKeyphrase' > /etc/zfs/zroot.key
root@debian:~# chmod 000 /etc/zfs/zroot.key
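Added example, not from the work log and not part of ZFS or zfs-initramfs: the checks I would run on the key file (mode, owner, passphrase length) and on the initramfs images that zfs-initramfs copies it into, tying together the chmod 000 here, the "Passphrase too short (min 8)" error, and the UMASK=0077 initramfs setting. Function names are mine; the default paths are the ones used in the log (/etc/zfs/zroot.key and /boot), and the functions take a path so they can be tried on throwaway files first.

```shell
#!/bin/sh
# Added example, not from the original work log: checks on the ZFS key file and
# on the initramfs images that will carry a copy of it. Run as root on the
# installed system; the functions take paths so they can also be tried on
# throwaway files.

# 0 when a file grants nothing to group or other. stat prints "0" for a file
# that was chmod 000 (as in the log) and "400"/"600" for the other private
# modes; anything not ending in 00 lets group or other in.
no_group_other_access() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
    0|*00) return 0 ;;
    *) echo "too open: $f is mode $mode"; return 1 ;;
    esac
}

# Bytes in the passphrase: the first line of the key file without its newline,
# which is what a keyformat=passphrase key file is expected to hold. zpool
# create refuses anything shorter than 8 (the error shown in the log).
passphrase_length() {
    head -n 1 "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# The key file itself: private, root-owned and long enough for ZFS.
key_file_ok() {
    f=${1:-/etc/zfs/zroot.key}
    no_group_other_access "$f" || return 1
    [ "$(stat -c '%u' "$f")" -eq 0 ] || { echo "not owned by root: $f"; return 1; }
    n=$(passphrase_length "$f")
    [ "$n" -ge 8 ] || { echo "passphrase in $f is $n bytes, ZFS needs at least 8"; return 1; }
    return 0
}

# zfs-initramfs copies the key file into every initramfs it builds, so the
# images must be as private as the key. UMASK=0077 (as in the log) takes care
# of newly generated ones; this catches any older image left behind.
initramfs_private() {
    dir=${1:-/boot}
    bad=0
    for img in "$dir"/initrd.img-*; do
        [ -e "$img" ] || continue          # no match: the glob stays literal
        no_group_other_access "$img" || bad=1
    done
    return $bad
}

if key_file_ok && initramfs_private; then
    echo "key file and initramfs images are private to root"
fi
```

To see that the key really is inside an image, lsinitramfs /boot/initrd.img-6.1.0-20-amd64 (from initramfs-tools) lists its contents; etc/zfs/zroot.key appearing there is exactly why the image's mode matters as much as the key file's.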
2024-04-28: the zfs partition needs to be located by PARTUUID, to ensure that the zfs import doesn't fail: the PARTUUID is stored in the GPT with the partition and stays the same however the kernel enumerates the disk, while /dev/nvme0n1p5 is only a position in this boot's enumeration. Baby steps
root@debian:~# blkid
/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p3: UUID="5f2027ccb14aecab" BLOCK_SIZE="4096" TYPE="ufs" PARTUUID="182bde44-d0d6-11ea-a01f-9ffdf410df40"
/dev/sda1: BLOCK_SIZE="2048" UUID="2023-12-10-17-43-24-00" LABEL="d-live 12.4.0 xf amd64" TYPE="iso9660" PARTUUID="2d331e75-01"
/dev/loop0: TYPE="squashfs"
/dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"
/dev/nvme0n1p2: PARTUUID="e1424b7a-d0d5-11ea-a01f-9ffdf410df40"
/dev/sda2: SEC_TYPE="msdos" UUID="6575-F8BC" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="2d331e75-02"
get the pool partition
root@debian:~# blkid | grep /dev/nvme0n1p5 /dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
step
root@debian:~# blkid | grep /dev/nvme0n1p5 | cut -d ' ' -f 3 PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
by step
root@debian:~# blkid | grep /dev/nvme0n1p5 | cut -d ' ' -f 3 | cut -d '"' -f 2 245b8887-fe70-468e-b937-746f73cfee83
so the correct line is
root@debian:~# ls -l /dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83 lrwxrwxrwx 1 root root 15 Apr 28 14:01 /dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83 -> ../../nvme0n1p5
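Added example, not from the work log: the "cut -f 3" pipeline above happens to work because PARTUUID is the third field while the partition is still empty, but the blkid listing taken after the pool existed shows LABEL, UUID and UUID_SUB in front of it, so the same pipeline would then hand back the pool's UUID. This selects the tag by name instead, and on a live system lets blkid do it and checks that the by-partuuid symlink resolves to the intended device. The two sample listings are constructed from the log's own blkid output; function names are mine.

```shell
#!/bin/sh
# Added example, not from the original work log: find a partition's PARTUUID
# by key name rather than by field position. The "cut -f 3" pipeline in the log
# works only while PARTUUID happens to be the third field; once the pool exists
# blkid prints LABEL, UUID and UUID_SUB first for that partition.

# Constructed samples, copied from the two blkid listings in the log: before
# the pool was created, and afterwards.
BEFORE_POOL='/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"'
AFTER_POOL='/dev/nvme0n1p5: LABEL="zroot" UUID="17433648056724219961" UUID_SUB="15808678309036509384" BLOCK_SIZE="4096" TYPE="zfs_member" PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"'

# The log's method: the device's line, its third space-separated field, the
# value between the quotes. Correct only while PARTUUID is field three.
partuuid_by_position() {
    printf '%s\n' "$2" | grep "^$1:" | cut -d ' ' -f 3 | cut -d '"' -f 2
}

# Same input, but pick the KEY="value" pair by name, so field order no longer
# matters. (A value with blanks, like the live medium's LABEL, would be split
# into several fields by awk, but the PARTUUID field itself never has one.)
partuuid_by_key() {
    printf '%s\n' "$2" | awk -v dev="$1:" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if (index($i, "PARTUUID=\"") == 1) {
                    split($i, kv, "\"")   # kv[2] is the value between quotes
                    print kv[2]
                    exit
                }
        }'
}

# On a live system let blkid select the tag itself, then confirm that the
# /dev/disk/by-partuuid symlink really points back at the device. Needs root
# and real block devices, so it is not exercised offline.
verify_partuuid_link() {
    dev=$1
    id=$(blkid -s PARTUUID -o value "$dev") || return 1
    [ -n "$id" ] || { echo "no PARTUUID on $dev"; return 1; }
    [ "$(readlink -f "/dev/disk/by-partuuid/$id")" = "$(readlink -f "$dev")" ] \
        || { echo "/dev/disk/by-partuuid/$id does not resolve to $dev"; return 1; }
    echo "/dev/disk/by-partuuid/$id"
}

printf 'by position, before pool: %s\n' "$(partuuid_by_position /dev/nvme0n1p5 "$BEFORE_POOL")"
printf 'by position, after pool:  %s (wrong: that is the pool UUID)\n' "$(partuuid_by_position /dev/nvme0n1p5 "$AFTER_POOL")"
printf 'by key, after pool:       %s\n' "$(partuuid_by_key /dev/nvme0n1p5 "$AFTER_POOL")"
```

verify_partuuid_link /dev/nvme0n1p5 is the one-liner to run right before zpool create; it prints the by-partuuid path to paste into the command.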
2024-04-28: situation now
root@debian:~# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0   2.5G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
                                      /run/live/rootfs/filesystem.squashfs
sda           8:0    1   7.5G  0 disk
├─sda1        8:1    1     3G  0 part /usr/lib/live/mount/medium
│                                     /run/live/medium
└─sda2        8:2    1     5M  0 part
nvme0n1     259:0    0 119.2G  0 disk
├─nvme0n1p1 259:6    0   200M  0 part
├─nvme0n1p2 259:7    0     4G  0 part
├─nvme0n1p3 259:8    0    55G  0 part
├─nvme0n1p4 259:9    0     4G  0 part
└─nvme0n1p5 259:10   0    56G  0 part
so /dev/nvme0n1p5 is the pool partition.
2024-04-28: create a swap partition
root@debian:~# sgdisk -n "4:0:+4g" -t "4:8200" -c 0:swap "/dev/nvme0n1"
The operation has completed successfully.
verify
root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 117539437 sectors (56.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00
   2          409640         8798247   4.0 GiB     A502
   3         8798248       124141607   55.0 GiB    A503
   4       124141608       132530215   4.0 GiB     8200  swap
create a partition for the zfs pool
root@debian:~# sgdisk -n "5:0:-10m" -t "5:bf00" -c 0:pool "/dev/nvme0n1"
The operation has completed successfully.
verify
root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 20486 sectors (10.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00
   2          409640         8798247   4.0 GiB     A502
   3         8798248       124141607   55.0 GiB    A503
   4       124141608       132530215   4.0 GiB     8200  swap
   5       132530216       250049166   56.0 GiB    BF00  pool
2024-04-28: I booted Debian from a live usb stick, and intend to install Debian with root on zfs, and encrypted, and still have it dual boot with FreeBSD.
root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 125928045 sectors (60.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00
   2          409640         8798247   4.0 GiB     A502
   3         8798248       124141607   55.0 GiB    A503
running sgdisk to print out the existing partition table on the internal ssd, there is 60 GiB of free space. EF00 is the EFI system partition, A502 is FreeBSD swap, A503 is FreeBSD UFS.