Enabling Dual Boot on Dell Laptop

dual_boot_dell.md

Summary

• This is a collection of resources used when trying to setup Windows 10 + Ubuntu dual-boot system on Dell Inspiron 7501
• Windows 10 was pre-installed
• This was written in Dec 2020 (LUKS vs ecryptfs, LUKS1 vs LUKS2, Intel RST problems)
• First section list requirements/choices/problems faced in this process
• Middle sections give details of steps used to solve different problems
• The last section gives the actual steps used by me.

Considerations

• Basic requirements
  • Encrypted disk for both Windows 10 and Ubuntu
  • Ability to mount Windows partition on Ubuntu
  • Final system will boot by default into Ubuntu
  • Ability to reboot Ubuntu remotely (provide key over SSH)
• Does BIOS support legacy mode or UEFI only (newer DELL laptops are UEFI only)
  • If Legacy BIOS mode can be enabled, nothing special is needed.
• How much diskspace to allocate to Linux
• If Bitlocker is used for encryption, do you want access to Windows drive in Linux.
  • Based on whether you use (TPM + PIN) or Password for encryption in Bitlocker some steps in decryption on Linux change
• Disable Windows Fast Startup (to avoid un-safe mount error when mounting on Linux, might not be needed)
  • Probably gets disabled when you disable Intel RST (see below)
  • Maybe you can keep Intel RST and disable Fast Startup (not sure if this works)
• Do you want Linux drive to be encrypted.
  • Use full disk encryption or home folder only
    • ecryptfs for home folder encryption is not recommended as it is buggy/less maintained
  • If using full disk encryption, how do you reboot and login remotely, specifically over wifi ?
• Do you want hibernate/suspend in Linux - if yes, you will need to create swap space
• Is RAID enabled on your default disk and Intel RST is active
  • Ubuntu installations might throw error for some cases and this need to be disabled.
  • Maybe Disabling Windows Fast Startup can avoid this error (did not try this)
• Create another drive for sharing data across Windows/Linux instead of mounting OS drive

References

• Dell provided steps
• Disabling Intel RST
  • Additionally search 'rebuilding BCD' on Google in case of problems beyond that given in this link
• Accessing Bitlocker encrypted drive in Linux
  • https://github.com/Aorimn/dislocker
  • https://www.linuxuprising.com/2019/04/how-to-mount-bitlocker-encrypted.html
• Details for enabling full encryption on Ubuntu https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html
  • LUKS1 encryption for root partition. None for boot partition. (LUKS2 is WIP and has problems reported)
• Unlock via initramfs remotely
  • To enable network in initramfs https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/
  • To start wifi in initramfs: http://www.marcfargas.com/posts/enable-wireless-debian-initramfs/
  • You might need to copy firmware files from git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
    • Copy iwlwifi* /lib/firmware
  • Additional reference (not used): https://github.com/ceremcem/unlock-luks-partition

Dislocker to mount Windows drive

• Derived from: https://www.linuxuprising.com/2019/04/how-to-mount-bitlocker-encrypted.html
• Install dislocker
  • When working Ubuntu Installer Stick/Disk in Try Ubuntu mode
    • Edit /etc/apt/sources.list`
    • Add universe to the internet based mirrors
    • Not needed in full system

sudo apt-get update
sudo apt-get install dislocker ntfs-3g exfat-fuse

• If using dislocker from git (not needed for Ubuntu 20.04)

sudo apt-get install cmake git libfuse-dev libmbedtls-dev
git clone https://github.com/Aorimn/dislocker
cd dislocker ; mkdir build ; cd build ; cmake ../ ; make ; sudo make install
# Possibly some more steps needed for dislocker fuse driver to work.

• If Bitlocker is encrypted with TPM+PIN (Change -t ntfs-3g as needed)

sudo mkdir -p /media/bitlocker
sudo mkdir -p /media/bitlockermount
sudo dislocker <partition> -p<recovery_key> -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount -t ntfs-3g

• If Bitlocker is encrypted with plain password (Change -t ntfs-3g as needed)

sudo mkdir -p /media/bitlocker
sudo mkdir -p /media/bitlockermount
sudo dislocker <partition> -u<password> -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount -t ntfs-3g

• Add to /etc/fstab for auto mount with recovery-key (Change ntfs-3g if needed)

<partition> /media/bitlocker fuse.dislocker recovery-password=<recovery_key>,nofail 0 0
/media/bitlocker/dislocker-file /media/bitlockermount ntfs-3g nofail 0 0

• Add to /etc/fstab for auto mount with user-password (Change ntfs-3g if needed)

<partition> /media/bitlocker fuse.dislocker user-password=<password>,nofail 0 0
/media/bitlocker/dislocker-file /media/bitlockermount -t ntfs-3g nofail 0 0

Installing Encrypted Ubuntu

• Derived from: https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html
• Boot up into Try Ubuntu mode with Ubuntu Installer Disk/Stick
• Create partitions for /boot (eg: /dev/sda5) (512MB) and / (eg: /dev/sda6) (200GB)
• Setup LUKS1 encryption for / partition

# Setup encryption with passphrase for root partition
cryptsetup luksFormat --type=luks1 /dev/sda6
cryptsetup open /dev/sda6 sda6_crypt
# Verify drive unlocked
ls /dev/mapper/

• Setup LVM

pvcreate /dev/mapper/sda6_crypt
vgcreate ubuntu-vg /dev/mapper/sda6_crypt
# Optionally create swap
#lvcreate -L 8G -n swap_1 ubuntu-vg 
# Create root
lvcreate -l 100%FREE -n root ubuntu-vg

• Launch the Install Ubuntu shortcut and install Ubuntu
  • Select Something else mode for disk
  • For /boot use /dev/sda6
  • For /, use /dev/mapper/ubuntu--vg-root
  • You can use base device for bootloader (eg: /dev/sda or /dev/nvme0)
  • Continue installation as usual
  • Don't reboot after installation
• Setup /etc/crypttab in the newly installed Ubuntu
  • Chroot to the newly installed Ubuntu

# Get UUID of root partition
sudo blkid /dev/sda6
mkdir /target
sudo mount /dev/mapper/ubuntu--vg-root /target
sudo mount /dev/sda5 /target/boot
for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done 
chroot /target

• Setup crypttab

mount -a
echo 'sda6_crypt UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,discard' >> /etc/crypttab
update-initramfs -k all -c

Setting up LUKS decryption in initramfs using dropbear SSH

• Derived from: https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/

apt-get install -yy dropbear-initramfs cryptsetup-initramfs lvm2

echo 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"' > /etc/dropbear-initramfs/config

# Add your local SSH public keys to dropbear's authorized_keys file to allow password-less logins
echo '<YOUR_PUBLIC_KEY>' > /etc/dropbear-initramfs/authorized_keys

# Check if /etc/crypttab contains an entry like below;
# LUKS volume and device names vary depending on your configuration and hardware.
sda2_crypt /dev/sda2 none luks,initramfs

# Add network support to the initramfs; replace variables with your server's network configuration
# It's important to select the right network interface name.

# For static IP:
#echo 'IP="${ip_address}::${gw_ip}:${netmask}:${optional_fqdn}:${interface_name}:none"' >  /etc/initramfs-tools/conf.d/ip
#echo 'ip="${ip_address}::${gw_ip}:${netmask}:${optional_fqdn}:${interface_name}:none"' >> /etc/initramfs-tools/conf.d/ip

# For DHCP
echo 'ip=::::${optional_fqdn}:${device}:dhcp' >  /etc/initramfs-tools/conf.d/ip
echo 'IP=::::${optional_fqdn}:${device}:dhcp' >> /etc/initramfs-tools/conf.d/ip

update-initramfs -k all -u

• Disable dropbear for normal system

echo 'NO_START=1' >> /etc/default/dropbear

Enabling Wifi in initramfs

• Derived from: http://www.marcfargas.com/posts/enable-wireless-debian-initramfs/
• Create /etc/initramfs-tools/hooks/enable-wireless

# !/bin/sh
set -e
PREREQ=""
prereqs()
{
    echo "${PREREQ}"
}
case "${1}" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

# CHANGE HERE for your correct modules.
manual_add_modules iwlwifi iwlmvm
copy_exec /sbin/wpa_supplicant
copy_exec /sbin/wpa_cli
copy_file config /etc/initramfs-tools/wpa_supplicant.conf /etc/wpa_supplicant.conf

• Create /etc/initramfs-tools/wpa_supplicant.conf

# Sample /etc/initramfs-tools/wpa_supplicant.conf
# note that this is independent of the system /etc/wpa_supplicant.conf (if any)
# only add the network you need at boot time. **And keep the ctrl_interface** !!
ctrl_interface=/tmp/wpa_supplicant

network={
    ssid="MyNetwork"
    psk="network passphrase"
}

• Copy latest wifi firmware

git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
cd linux-firmware
sudo cp iwlwifi-* /lib/firmware/

• Create /etc/initramfs-tools/scripts/init-premount/a_enable_wireless (Change interface name here)

#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /scripts/functions

AUTH_LIMIT=30
INTERFACE="wlp5s0"
alias WPACLI="/sbin/wpa_cli -p/tmp/wpa_supplicant -i$INTERFACE "

log_begin_msg "Starting WLAN connection"
/sbin/wpa_supplicant  -i$INTERFACE -c/etc/wpa_supplicant.conf -P/run/initram-wpa_supplicant.pid -B -f /tmp/wpa_supplicant.log

# Wait for AUTH_LIMIT seconds, then check the status
limit=${AUTH_LIMIT}

echo -n "Waiting for connection (max ${AUTH_LIMIT} seconds)"
while [ $limit -ge 0 -a `WPACLI status | grep wpa_state` != "wpa_state=COMPLETED" ]
do
    sleep 1
    echo -n "."
    limit=`expr $limit - 1`
done
echo ""

if [ `WPACLI status | grep wpa_state` != "wpa_state=COMPLETED" ]; then
  ONLINE=0
  log_failure_msg "WLAN offline after timeout"
  panic
else
  ONLINE=1
  log_success_msg "WLAN online"
fi

configure_networking

• Create /etc/initramfs-tools/scripts/local-bottom/kill_wireless

#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

echo "Killing wpa_supplicant so the system takes over later."
kill `cat /run/initram-wpa_supplicant.pid`

• Final touches

chmod +x /etc/initramfs-tools/scripts/local-bottom/kill_wireless
chmod +x /etc/initramfs-tools/scripts/init-premount/a_enable_wireless
chmod +x /etc/initramfs-tools/hooks/enable-wireless

update-initramfs -k all -u
update-grub

Actual order of events when setting up

• Take a backup of bitlocker recovery key in Windows 10
• Shrink Windows partition and create ~200GB space for Linux
• Create Ubuntu Installer USB with https://rufus.ie/
  • Use GPT partition mode for UEFI
• Try installing Ubuntu with the USB disk (dryrun)
  • This threw an conflict error with Intel RST
    • Maybe disabling "Windows Fast Startup" can remove this
    • I did not try this - worth a try to see if this avoids the RST conflict error
• Disable Intel RST
  • Follow steps from: https://discourse.ubuntu.com/t/ubuntu-installation-on-computers-with-intel-r-rst-enabled/15347
  • The EFI paths are slightly different than given in the link above
  • Creating boot record using bcdboot did not work for me.
  • I had to rebuild BCD using bootrec /rebuildbcd
• Follow steps in Installing Encrypted Ubuntu
• Enable LUKS decryption with Dropbear SSH in initramfs
• Enable WiFi in initramfs
• Debugging initramfs
  • Add break to linux line in grub to enter initramfs without running any of the scripts
  • Add break=bottom to linux line in grub to enter initramfs after all scripts have run
• Debugging wpa_supplicant: https://wiki.archlinux.org/index.php/wpa_supplicant
  • To get the correct version of wpa_supplicant.conf for initramfs use following in normal system:

  ctrl_interface=/run/wpa_supplicant
  update_config=1
  

• Setup Dislocker to mount Windows drive