
Prepare a NVME SSD for moving an ArchLinux Installation

Readings

1. Secure erase the device

  1. pacman -S nvme-cli
  2. nvme id-ctrl -H /dev/nvme0 | grep -iP "format|erase" See details
  3. nvme format /dev/nvme0n1 --ses=1
  4. Optional: blkdiscard /dev/nvme0n1, an alternative to nvme format

I'm pretty sure the --ses option is ignored because it is not supported by my device.
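To find out whether the controller silently ignored the erase setting, check the Identify Controller fields before formatting and verify the result afterwards. This is an added example, not part of the original gist; the sample id-ctrl lines in the comments are constructed, and the device paths are the gist's own.

```shell
#!/bin/sh
# Added example, not from the original gist: before running "nvme format",
# read the Identify Controller fields nvme-cli prints to see which secure
# erase modes the controller really supports, and afterwards verify that the
# user-data region reads back blank.

# Print one numeric field (e.g. "fna", "oacs") from `nvme id-ctrl` output
# given on stdin; nvme-cli prints values as 0 or 0x<hex>, e.g. "fna : 0x4".
idctrl_field() {
  awk -v f="$1" '$1 == f && $2 == ":" { print $3; exit }'
}

# Report which erase mode the controller advertises, from id-ctrl text on stdin:
#   oacs bit 1 -> Format NVM command supported at all
#   fna  bit 2 -> cryptographic erase (--ses=2) supported
# Prints "none", "user-data" (only --ses=1 available) or "crypto".
erase_support() {
  out=$(cat)
  oacs=$(printf '%d' "$(printf '%s\n' "$out" | idctrl_field oacs)")
  fna=$(printf '%d' "$(printf '%s\n' "$out" | idctrl_field fna)")
  if [ $((oacs & 2)) -eq 0 ]; then
    echo none
  elif [ $((fna & 4)) -ne 0 ]; then
    echo crypto
  else
    echo user-data
  fi
}

# After a --ses=1 format, count non-zero bytes in the first N MiB of the
# device; a user-data erase typically reads back as zeros. Do not use this
# after a crypto erase, which may legitimately return random data.
nonzero_bytes_in_head() {
  head -c "$((${2:-1} * 1024 * 1024))" "$1" | tr -d '\0' | wc -c | tr -d ' '
}

# On the real machine (as root):
#   nvme id-ctrl -H /dev/nvme0 | erase_support
#   nonzero_bytes_in_head /dev/nvme0n1 16
```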

2. Create the partition table

  1. gdisk /dev/nvme0n1
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System
   2         1050624      1953525134   931.0 GiB   8309  Linux LUKS

3. Prepare UEFI boot partition

  1. mkfs.fat -F32 /dev/nvme0n1p1

4. Prepare LUKS volume

  1. cryptsetup luksFormat /dev/nvme0n1p2
  2. cryptsetup open /dev/nvme0n1p2 cryptlvm

5. Make a LVM and filesystems

  1. pvcreate /dev/mapper/cryptlvm
  2. vgcreate blackssd /dev/mapper/cryptlvm
  3. lvcreate -L 16G blackssd -n swap
  4. lvcreate -L 50G blackssd -n root
  5. lvcreate -L 8G blackssd -n tmp
  6. lvcreate -L 30G blackssd -n var
  7. lvcreate -L 340G blackssd -n home

6. Copy the filesystems from the old VG to the new one

Theoretically it would make much more sense to use pvmove, but I want to be able to boot the old system if my attempt to make the new one boot fails.

https://askubuntu.com/questions/90940/how-to-move-copy-logical-volume-lv-to-another-volume-group-vg#answer-931082

  1. pacman -S partclone
  2. Then:
lvcreate --snapshot --size 1G /dev/ssd/root --name root-backup && \
  partclone.ext4 --dev-to-dev --source /dev/ssd/root-backup --output /dev/blackssd/root && \
  lvremove --yes /dev/ssd/root-backup

lvcreate --snapshot --size 1G /dev/ssd/var --name var-backup && \
  partclone.ext4 --dev-to-dev --source /dev/ssd/var-backup --output /dev/blackssd/var && \
  lvremove --yes /dev/ssd/var-backup

lvcreate --snapshot --size 1G /dev/ssd/tmp --name tmp-backup && \
  partclone.ext4 --dev-to-dev --source /dev/ssd/tmp-backup --output /dev/blackssd/tmp && \
  lvremove --yes /dev/ssd/tmp-backup

lvcreate --snapshot --size 5G /dev/ssd/home --name home-backup && \
  partclone.ext4 --dev-to-dev --source /dev/ssd/home-backup --output /dev/blackssd/home && \
  lvremove --yes /dev/ssd/home-backup

Alternatively, you can follow the normal installation process here instead of copying the old system; see the next section.

7. Configure the installed OS for booting properly

Archlinux installation details

  1. Mount file-systems
mount /dev/blackssd/root /mnt/newsys
mount /dev/blackssd/var /mnt/newsys/var
mount /dev/blackssd/tmp /mnt/newsys/tmp
mount /dev/blackssd/home /mnt/newsys/home
mount /dev/nvme0n1p1 /mnt/newsys/boot

  2. Copy the old /boot to the new one: rsync -av /boot/ /mnt/newsys/boot/

  3. pacman -S arch-install-scripts

  4. Check the UUIDs with lsblk -f; in the new fstab you only need to change the UUID of the boot partition and the mapper names of all LVs. Alternatively, generate it with genfstab -L /mnt/newsys

  5. Make the swap: mkswap /dev/mapper/blackssd-swap

  6. Chroot into the new filesystem: arch-chroot /mnt/newsys

  7. Edit /etc/mkinitcpio.conf with HOOKS="base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck"

  8. Build the initramfs: mkinitcpio -p linux

  9. Add the boot entry: efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Black Install" --loader /vmlinuz-linux --unicode 'cryptdevice=UUID=ab7080d3-7ec1-454d-bf6e-3cdd4eeb0cbe:cryptlvm:allow-discards root=/dev/mapper/blackssd-root resume=/dev/mapper/blackssd-swap initrd=\intel-ucode.img initrd=\initramfs-linux.img' --verbose

  10. Unmount the filesystems: umount -R /mnt/newsys
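Two mistakes in the steps above leave the new system unbootable with no useful error: hooks in the wrong order (the initramfs must prompt for the passphrase and open LUKS before lvm2 can find the VG) and a cryptdevice UUID that does not match the LUKS header. The following checks, an added example rather than code from the gist, can be run inside the chroot before unmounting; the HOOKS line and cmdline are passed in as text so they can also be checked against copies of the files.

```shell
#!/bin/sh
# Added example, not part of the original gist: sanity checks for the
# mkinitcpio HOOKS order and the cryptdevice UUID in the kernel cmdline.

# Print the HOOKS value from mkinitcpio.conf text on stdin, one hook per
# line. Only the active "HOOKS=" line is read; commented examples are ignored.
# Both HOOKS="..." and the newer HOOKS=(...) syntax are accepted.
hooks_from_conf() {
  sed -n 's/^HOOKS=[("]*\([^")]*\).*/\1/p' | tr ' ' '\n' | sed '/^$/d'
}

# The initramfs must be able to take the passphrase (keyboard), open the LUKS
# container (encrypt), then activate LVM (lvm2) before mounting (filesystems).
# Returns 0 if all four hooks are present in that relative order, 1 otherwise.
hooks_order_ok() {
  seq=$(hooks_from_conf | grep -x -e keyboard -e encrypt -e lvm2 -e filesystems | tr '\n' ' ')
  [ "$seq" = "keyboard encrypt lvm2 filesystems " ]
}

# Extract the UUID from "cryptdevice=UUID=<uuid>:<name>[:opts]" in a cmdline
# string; prints nothing if the parameter is absent.
cmdline_crypt_uuid() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^cryptdevice=UUID=\([^:]*\):.*/\1/p'
}

# Compare the cmdline UUID with the LUKS header UUID of the partition.
# Needs root. Usage: crypt_uuid_matches /dev/nvme0n1p2 "$cmdline"
crypt_uuid_matches() {
  want=$(cryptsetup luksUUID "$1")
  [ -n "$want" ] && [ "$(cmdline_crypt_uuid "$2")" = "$want" ]
}

# Inside the chroot, with the cmdline from the efibootmgr entry:
#   hooks_order_ok < /etc/mkinitcpio.conf || echo "fix HOOKS order"
#   crypt_uuid_matches /dev/nvme0n1p2 "$CMDLINE" || echo "cryptdevice UUID mismatch"
```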

8. Enable FStrim

You can enable TRIM on a dm-crypt device, but beware that it can reveal what kind of filesystems and partitions you have inside; see the details about the dm-crypt discard feature. I'm not very concerned about this because the kernel and init image already reveal what kind of setup I use. You get better performance and a longer SSD lifespan by using it.

  1. Enable TRIM on the dm-crypt device by appending :allow-discards to the cryptdevice boot parameter (see the efibootmgr command in the previous section).
  2. Enable fstrim weekly timer systemctl enable fstrim.timer
  3. Do a manual trim systemctl start fstrim.service
  4. See the logs journalctl -u fstrim.service

9. Securing the boot partition aka SecureBoot

This step is purely optional, but it ensures that the bootloader, kernel and initramfs have not been modified by an attacker while the machine was powered off.

  1. Generate the PK, KEK and DB keys with this script in /etc/efi-keys
  2. Copy all PUBLIC keys to the ESP: cp /etc/efi-keys/*.{cer,esl,auth} /boot/efi-keys
  3. Install the sbupdate-git tools from the AUR: yaourt sbupdate-git
  4. Change CMDLINE_DEFAULT in /etc/sbupdate.conf, e.g. CMDLINE_DEFAULT="cryptdevice=UUID=ab7080d3-7ec1-454d-bf6e-3cdd4eeb0cbe:cryptlvm:allow-discards root=/dev/mapper/blackssd-root resume=/dev/mapper/blackssd-swap"
  5. Sign the kernel and the initramfs: sudo sbupdate
  6. Add the new boot entry: efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Black Arch" --loader /EFI/Arch/linux-signed.efi --verbose
  7. Register the keys in UEFI; it is better to do this directly within the UEFI firmware setup
  8. Add a UEFI password

In my case, I had to include the Microsoft Third Party Key in my DB, because the MSI UEFI firmware checks the VBIOS of my graphics card against the DB at boot, and the VBIOS is signed with the Microsoft Third Party Key. This makes Secure Boot pretty much pointless.

  1. Download Microsoft Third Party Cert wget https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
  2. Convert from DER to PEM: openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.crt.pem
  3. Craft a .esl file: cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.crt.pem MS_UEFI_db.esl
  4. Craft the signed .auth file: sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db MS_UEFI_db.esl add_MS_db.auth
  5. Copy esl and auth file to boot partition
  6. Append the esl or the auth file to your DB with your firmware utility
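Once the keys are enrolled and the password set, it is worth confirming that the firmware is really enforcing (user mode, not setup mode) and that the image sbupdate produced validates against your own DB certificate. This is an added example, not code from the gist or from sbupdate; the cert path /etc/efi-keys/DB.crt and the image path under /boot are assumptions following the gist's naming, and the variable GUID is the standard EFI global variable GUID.

```shell
#!/bin/sh
# Added example, not part of the original gist: report the Secure Boot
# enforcement state from efivarfs and verify the signed unified image.
EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Read the one-byte payload of a boolean EFI variable file. efivarfs stores
# 4 bytes of attributes first, so the value is the 5th byte.
# Prints "missing" if the variable is not readable (e.g. booted in legacy mode).
efivar_byte() {
  [ -r "$1" ] || { echo missing; return 0; }
  od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Prints "enforcing" (SecureBoot=1, SetupMode=0), "setup-mode" (keys not yet
# enrolled: the firmware accepts anything), "disabled", or "unknown".
# Optional arguments override the variable file paths, which is used by tests.
secureboot_state() {
  sb=$(efivar_byte "${1:-$EFIVARS/SecureBoot-$EFI_GLOBAL}")
  sm=$(efivar_byte "${2:-$EFIVARS/SetupMode-$EFI_GLOBAL}")
  case "$sb:$sm" in
    1:0) echo enforcing ;;
    *:1) echo setup-mode ;;
    0:*) echo disabled ;;
    *)   echo unknown ;;
  esac
}

# Check the signature on the image sbupdate produced against the DB
# certificate generated in step 1 (sbverify ships with sbsigntools).
# Returns sbverify's exit status: 0 only if the signature chains to DB.crt.
signed_image_ok() {
  sbverify --cert "${1:-/etc/efi-keys/DB.crt}" "${2:-/boot/EFI/Arch/linux-signed.efi}"
}

# On the real machine:
#   secureboot_state            # expect "enforcing" after enrolling the keys
#   signed_image_ok && echo "signed image verifies against DB"
```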

10. Erase my old SATA SSD

SSD clearing guide

  1. hdparm -I /dev/sdX | grep frozen
  2. hdparm --user-master u --security-set-pass PasSWorD /dev/sdX
  3. hdparm --user-master u --security-erase PasSWorD /dev/sdX
  4. blkdiscard /dev/sdX