Asahi Fedora Workstation with LUKS Encryption

Posted on Feb 27, 2023

#fedora #asahilinux #applesilicon

This process will install a minimal Fedora image on an Apple M1/M2 system, setup LUKS encryption (non-encrypted boot, encrypted root), and then upgrade to a more functional Fedora Workstation install. A similar process could be used at the end to setup Fedora Server, or any of the other various Fedora spins available via virtual package groups.

Presently this process is using prebuilt Asahi Fedora images from Leif Liddy. Similar should be possible using official Fedora Asahi Remix images being worked on by the Asahi SIG. Currently the SIG is targeting F38 for a first GA release.

What the process looks like at a high level:

Install prebuilt Asahi Fedora image.
Create a USB drive that will boot Fedora on Apple Silicon systems.
Boot from the Fedora USB recovery drive.
LUKS encrypt the root filesystem in-place.
Configure grub and rebuild initramfs to open LUKS device during startup.
Create an admin user and install the Fedora Workstation package group.

If this is your first time installing Asahi Linux or a related remix such as Asahi Fedora, it is strongly recommended to review the Asahi Fedora Builder README as well as the Asahi Linux FAQ before you begin.

Although Apple Silicon machines cannot be bricked, data loss may occur and they can be rendered unbootable if you break your System Recovery. Consider yourself warned!

See the partitioning cheatsheet for information on recovery processes and what to do in the event something goes wrong.

This process has been tested with Fedora 37 running kernel version 6.2.0-0.rc3.asahi7.1.fc37.aarch64.

Installing a Prebuilt Fedora Image

Install Asahi Fedora using using leifliddy/asahi-fedora-builder:
```
curl https://leifliddy.com/fedora.sh | sh
```
Reboot into Fedora following the prompts and instructions provided by the installer. On the first boot the asahi-firstboot.service will run, selinux will be set to enforcing and the system will reboot.
Login to user root using password fedora at the prompt.

Connect to a wireless network (if necessary):

nmcli dev wifi connect NETWORK_SSID password NETWORK_PASSWORD

Install CrackLib. This is used by the passwd command.
```
dnf install -y cracklib cracklib-dicts
```
Change the root password to something secure and only known to you.
```
passwd root
```
At this point, you should have a working Fedora installation.

Creating a Fedora USB Recovery Drive

Install dependencies for leifliddy/asahi-fedora-usb and clone the repo:

dnf install -y mkosi arch-install-scripts systemd-container gdisk rsync git
git clone https://github.com/leifliddy/asahi-fedora-usb.git

Build and install a minimal Asahi Fedora image to a USB drive. For details on this process, please see the Asahi Fedora USB README
```
cd asahi-fedora-usb/
./build.sh -d /dev/sda
```

Note: Substitute /dev/sda with the device id of your USB drive.

LUKS Setup (non-encrypted boot, encrypted root)

Warning: It is critical that you correctly identify device ids here. If a wrong device id is used at any point during this process, data loss may occur or you may render your machine unbootable.

Reboot from the USB drive. To do this, enter the following U-BOOT command during startup:
```
run bootcmd_usb0
```
Login to user root using password fedora at the prompt.

Connect to a wireless network (if necessary):

nmcli dev wifi connect NETWORK_SSID password NETWORK_PASSWORD

Install tooling required for LUKS encryption:

dnf install -y cryptsetup cracklib cracklib-dicts

Using lsblk -f /dev/nvme0n1 identify the partition used for the root filesystem. This should present as a btrfs file system with the label fedora_asahi. In the example below /dev/nvme0n1p6 is the Fedora root filesystem that will be encrypted in-place:

[root@fedora ~]# lsblk -f /dev/nvme0n1
NAME        FSTYPE FSVER LABEL        UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 apfs                      4ccf344c-1842-4ed2-98f7-d34a509f5a88
├─nvme0n1p2 apfs                      dbb4789e-c51d-46bf-8332-90a43b4e4fa7
├─nvme0n1p3 apfs                      b98ec259-629b-4aee-9f26-02c5098abcee
├─nvme0n1p4 vfat   FAT32 EFI-FEDORA   B01E-2641                             419.8M    16% /run/.system-efi
├─nvme0n1p5 ext4   1.0   fedora_boot  5b094e58-d15f-4be2-85ff-147859c7b118
├─nvme0n1p6 btrfs        fedora_asahi dd08a2bf-ae63-44e1-881d-fbb8928af4fb
└─nvme0n1p7 apfs                      b465c845-eaef-4bcb-aac9-865c42260844

Shrink the btrfs filesystem to make room for the LUKS header. Recommended minimum is 32 MiB, twice the size of a default LUKS 2 header:
```
mount /dev/nvme0n1p6 /mnt
btrfs filesystem resize -32M /mnt
umount /dev/nvme0n1p6
```

LUKS encrypt the root filesystem partition in-place. This will destroy everything on the partition, please be careful!

cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6

Note: On a MacBook Pro (2021, M1 Max) for example, encrypting a partition a little under 1 TiB in size takes roughly 15 minutes:

[root@fedora ~]# time cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6

WARNING!
========
This will overwrite data on LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new:
Verify passphrase:
Finished, time 14m10s,  925 GiB written, speed   1.1 GiB/s

real    14m57.106s
user    9m46.741s
sys 0m38.739s

Open the LUKS encrypted partition:

cryptsetup open /dev/nvme0n1p6 fedora-root
cryptsetup status fedora-root

Mount everything necessary to use dracut within a chroot:

Mount root and home filesystems from the btrfs filesystem on the LUKS mapping device:

mount -o subvol=root /dev/mapper/fedora-root /mnt
mount -o subvol=home /dev/mapper/fedora-root /mnt/home

Mount boot filesystem (this should be the partition immediately preceding the one encrypted with LUKS):
```
mount /dev/nvme0n1p5 /mnt/boot
```

Bind-mount pseudo filesystems:

mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /run /mnt/run
mount --bind /sys /mnt/sys

Store the LUKS UUID in tmp file for later use

cryptsetup luksUUID /dev/nvme0n1p6 | tee /dev/stderr > /mnt/tmp/luksUUID

Enter chroot to update grub, initramfs, etc
```
chroot /mnt /bin/bash
```

Update crypttab

touch /etc/crypttab
chmod 0600 /etc/crypttab

LUKS_UUID=$(cat /tmp/luksUUID)
echo "fedora-root UUID=${LUKS_UUID} none" >> /etc/crypttab

cat /etc/crypttab

Update /etc/default/grub appending rd.luks.uuid=LUKS_UUID to the value for GRUB_CMDLINE_LINUX

perl -i -pe 's/(GRUB_CMDLINE_LINUX)="(.*)"/$1="$2 rd.luks.uuid='"${LUKS_UUID}"'"/' /etc/default/grub
cat /etc/default/grub

Rebuild initramfs:

grub2-mkconfig -o /boot/grub2/grub.cfg
dracut -f

Exit the chroot jail, then reboot.
Note the first decrypt prompt may be lost in the syslog output, making it appear that the boot process has hung. Either just start typing the decrypt password (you should see *** in place of typed characters) or press enter to re-print the LUKS decrypt prompt.
Once decrypted, the boot process should complete and you should land on the familiar linux console prompt.

Fedora Workstation Setup

Up until this point, everything we have done has been accomplished via the linux console. The following steps will upgrade from minimal Fedora to Fedora Workstation.

Add a non-root administrative user (gdm will not present a login splash screen when root is the only user present on the workstation)
```
useradd -G wheel USERNAME
passwd USERNAME
```
Ensure everything installed by the prebuilt minimal Fedora image is up-to-date
```
dnf update -y
```
Install Fedora Workstation package group. This step could take a few minutes as there are a little over 1,300 packages to download and install.
```
dnf group install -y 'Fedora Workstation'
```
Start gdm.service to verify GNOME works (you should see a login splash page)
```
systemctl start gdm.service
```
Reboot the system one last time. GNOME Display Manager (GDM) should start automatically.