Asahi Fedora Workstation with LUKS Encryption
This process installs a minimal Fedora image on an Apple M1/M2 system, sets up LUKS encryption (non-encrypted boot, encrypted root), and then upgrades to a more functional Fedora Workstation install. A similar process could be used at the end to set up Fedora Server, or any of the other Fedora spins available via virtual package groups.
Presently this process uses prebuilt Asahi Fedora images from Leif Liddy. The same should be possible using the official Fedora Asahi Remix images being worked on by the Asahi SIG; currently the SIG is targeting F38 for a first GA release.
What the process looks like at a high level:
- Install prebuilt Asahi Fedora image.
- Create a USB drive that will boot Fedora on Apple Silicon systems.
- Boot from the Fedora USB recovery drive.
- LUKS encrypt the root filesystem in-place.
- Configure grub and rebuild initramfs to open LUKS device during startup.
- Create an admin user and install the Fedora Workstation package group.
If this is your first time installing Asahi Linux or a related remix such as Asahi Fedora, it is strongly recommended to review the Asahi Fedora Builder README as well as the Asahi Linux FAQ before you begin.
Although Apple Silicon machines cannot be bricked, data loss may occur and they can be rendered unbootable if you break your System Recovery. Consider yourself warned!
See the partitioning cheatsheet for information on recovery processes and what to do in the event something goes wrong.
This process has been tested with Fedora 37 running kernel version 6.2.0-0.rc3.asahi7.1.fc37.aarch64.
Installing a Prebuilt Fedora Image
Install Asahi Fedora using leifliddy/asahi-fedora-builder:

```sh
curl https://leifliddy.com/fedora.sh | sh
```
Reboot into Fedora following the prompts and instructions provided by the installer. On the first boot `asahi-firstboot.service` will run, SELinux will be set to enforcing and the system will reboot.

Log in as user `root` using password `fedora` at the prompt.

Connect to a wireless network (if necessary):

```sh
nmcli dev wifi connect NETWORK_SSID password NETWORK_PASSWORD
```

Install CrackLib. This is used by the `passwd` command.

```sh
dnf install -y cracklib cracklib-dicts
```

Change the root password to something secure and known only to you.

```sh
passwd root
```
At this point, you should have a working Fedora installation.
Creating a Fedora USB Recovery Drive
Install dependencies for leifliddy/asahi-fedora-usb and clone the repo:

```sh
dnf install -y mkosi arch-install-scripts systemd-container gdisk rsync git
git clone https://github.com/leifliddy/asahi-fedora-usb.git
```

Build and install a minimal Asahi Fedora image to a USB drive. For details on this process, please see the Asahi Fedora USB README.

```sh
cd asahi-fedora-usb/
./build.sh -d /dev/sda
```

Note: Substitute `/dev/sda` with the device id of your USB drive.
LUKS Setup (non-encrypted boot, encrypted root)
Warning: It is critical that you correctly identify device ids here. If a wrong device id is used at any point during this process, data loss may occur or you may render your machine unbootable.
Reboot from the USB drive. To do this, enter the following U-Boot command during startup:

```
run bootcmd_usb0
```

Log in as user `root` using password `fedora` at the prompt.

Connect to a wireless network (if necessary):

```sh
nmcli dev wifi connect NETWORK_SSID password NETWORK_PASSWORD
```

Install tooling required for LUKS encryption:

```sh
dnf install -y cryptsetup cracklib cracklib-dicts
```
Using `lsblk -f /dev/nvme0n1`, identify the partition used for the root filesystem. This should present as a `btrfs` file system with the label `fedora_asahi`. In the example below `/dev/nvme0n1p6` is the Fedora root filesystem that will be encrypted in-place:

```
[root@fedora ~]# lsblk -f /dev/nvme0n1
NAME        FSTYPE FSVER LABEL        UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 apfs                      4ccf344c-1842-4ed2-98f7-d34a509f5a88
├─nvme0n1p2 apfs                      dbb4789e-c51d-46bf-8332-90a43b4e4fa7
├─nvme0n1p3 apfs                      b98ec259-629b-4aee-9f26-02c5098abcee
├─nvme0n1p4 vfat   FAT32 EFI-FEDORA   B01E-2641                             419.8M    16% /run/.system-efi
├─nvme0n1p5 ext4   1.0   fedora_boot  5b094e58-d15f-4be2-85ff-147859c7b118
├─nvme0n1p6 btrfs        fedora_asahi dd08a2bf-ae63-44e1-881d-fbb8928af4fb
└─nvme0n1p7 apfs                      b465c845-eaef-4bcb-aac9-865c42260844
```
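As an added example (not part of the original page), here is a small shell helper that applies the identification step and the device-id warning above mechanically: it picks the single btrfs partition labelled `fedora_asahi` from `lsblk -P` output, refuses to continue if that partition is mounted or if there is more than one candidate, and derives the preceding partition used for `/boot`. The `-P` key/value input format and the function names are my own choices, not anything from the page.

```sh
#!/bin/sh
# Added example: sanity-check the partition choice before any LUKS command runs.
# Input is the key="value" output of:
#   lsblk -P -o NAME,FSTYPE,LABEL,MOUNTPOINT /dev/nvme0n1
# Nothing here writes to a device.

# Print the one partition that is btrfs and labelled fedora_asahi.
# Fail if there is not exactly one, or if it is currently mounted.
find_asahi_root() {
    awk -F'"' '
        # with -F\" the fields are: 2=NAME 4=FSTYPE 6=LABEL 8=MOUNTPOINT
        $4 == "btrfs" && $6 == "fedora_asahi" {
            n++
            dev = "/dev/" $2
            if ($8 != "") mounted = dev
        }
        END {
            if (n != 1) {
                print "expected exactly one btrfs partition labelled fedora_asahi, found " (n + 0) > "/dev/stderr"
                exit 1
            }
            if (mounted != "") {
                print mounted " is mounted, unmount it before encrypting" > "/dev/stderr"
                exit 1
            }
            print dev
        }'
}

# Given the root partition, derive the /boot partition (the one immediately
# preceding it, as the page says), e.g. /dev/nvme0n1p6 -> /dev/nvme0n1p5.
boot_partition_for() {
    root=$1
    num=${root##*[!0-9]}           # trailing partition number
    prefix=${root%"$num"}          # everything before it
    if [ -z "$num" ] || [ "$num" -le 1 ]; then
        echo "cannot derive a boot partition from $root" >&2
        return 1
    fi
    printf '%s%s\n' "$prefix" $((num - 1))
}

# Typical use on the live system (not run here):
#   root=$(lsblk -P -o NAME,FSTYPE,LABEL,MOUNTPOINT /dev/nvme0n1 | find_asahi_root) || exit 1
#   boot=$(boot_partition_for "$root")
```

Always compare the printed device against the `lsblk -f` listing by eye before running `cryptsetup`; the script only narrows the choice, it does not replace the check.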
Shrink the btrfs filesystem to make room for the LUKS header. The recommended minimum is 32 MiB, twice the size of a default LUKS2 header:

```sh
mount /dev/nvme0n1p6 /mnt
btrfs filesystem resize -32M /mnt
umount /dev/nvme0n1p6
```
LUKS encrypt the root filesystem partition in-place. Be careful: this rewrites the whole partition, and a wrong device id or an interruption means data loss!

```sh
cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6
```

Note: On a MacBook Pro (2021, M1 Max) for example, encrypting a partition a little under 1 TiB in size takes roughly 15 minutes:

```
[root@fedora ~]# time cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6

WARNING!
========
This will overwrite data on LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new:
Verify passphrase:
Finished, time 14m10s,  925 GiB written, speed 1.1 GiB/s

real    14m57.106s
user    9m46.741s
sys     0m38.739s
```
Open the LUKS encrypted partition:

```sh
cryptsetup open /dev/nvme0n1p6 fedora-root
cryptsetup status fedora-root
```
Mount everything necessary to use `dracut` within a `chroot`. First mount the root and home subvolumes from the btrfs filesystem on the LUKS mapping device:

```sh
mount -o subvol=root /dev/mapper/fedora-root /mnt
mount -o subvol=home /dev/mapper/fedora-root /mnt/home
```
Mount the boot filesystem (this should be the partition immediately preceding the one encrypted with LUKS):

```sh
mount /dev/nvme0n1p5 /mnt/boot
```
Bind-mount pseudo filesystems:

```sh
mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /run /mnt/run
mount --bind /sys /mnt/sys
```
Store the LUKS UUID in a temporary file under the mounted root so it is available inside the chroot:

```sh
cryptsetup luksUUID /dev/nvme0n1p6 | tee /dev/stderr > /mnt/tmp/luksUUID
```
Enter the chroot to update grub, initramfs, etc.:

```sh
chroot /mnt /bin/bash
```
Update `crypttab`:

```sh
touch /etc/crypttab
chmod 0600 /etc/crypttab
LUKS_UUID=$(cat /tmp/luksUUID)
echo "fedora-root UUID=${LUKS_UUID} none" >> /etc/crypttab
cat /etc/crypttab
```
Update `/etc/default/grub`, appending `rd.luks.uuid=LUKS_UUID` to the value of `GRUB_CMDLINE_LINUX`:

```sh
perl -i -pe 's/(GRUB_CMDLINE_LINUX)="(.*)"/$1="$2 rd.luks.uuid='"${LUKS_UUID}"'"/' /etc/default/grub
cat /etc/default/grub
```
Regenerate the grub configuration and rebuild the initramfs:

```sh
grub2-mkconfig -o /boot/grub2/grub.cfg
dracut -f
```
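The two edits made inside the chroot above (the `crypttab` line and the `GRUB_CMDLINE_LINUX` change) as an added example, not from the original page: these functions validate the UUID before writing it, are safe to run a second time without duplicating entries, and handle an empty or missing `GRUB_CMDLINE_LINUX`. File paths are parameters so the functions can be tried on scratch copies first; the function names are my own.

```sh
#!/bin/sh
# Added example: idempotent versions of the crypttab and /etc/default/grub
# edits. Inside the chroot call them with /etc/crypttab and /etc/default/grub;
# here the paths are parameters so the functions can be tried on scratch files.

# A LUKS UUID as printed by `cryptsetup luksUUID` (lowercase hex, dashed).
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Append "<name> UUID=<uuid> none" unless a line for <name> already exists.
add_crypttab_entry() {
    crypttab=$1 name=$2 uuid=$3
    is_uuid "$uuid" || { echo "refusing malformed UUID: $uuid" >&2; return 1; }
    touch "$crypttab" && chmod 0600 "$crypttab"
    if grep -q "^$name[[:space:]]" "$crypttab"; then
        echo "$name is already listed in $crypttab, leaving it alone" >&2
        return 0
    fi
    printf '%s UUID=%s none\n' "$name" "$uuid" >> "$crypttab"
}

# Add rd.luks.uuid=<uuid> to GRUB_CMDLINE_LINUX exactly once; create the
# variable if the file has none, and avoid a leading space if it is empty.
add_grub_luks_uuid() {
    grubdef=$1 uuid=$2
    is_uuid "$uuid" || { echo "refusing malformed UUID: $uuid" >&2; return 1; }
    grep -qF "rd.luks.uuid=$uuid" "$grubdef" 2>/dev/null && return 0
    if grep -q '^GRUB_CMDLINE_LINUX=' "$grubdef" 2>/dev/null; then
        sed -e "s|^GRUB_CMDLINE_LINUX=\"\"|GRUB_CMDLINE_LINUX=\"rd.luks.uuid=$uuid\"|" \
            -e t \
            -e "s|^\(GRUB_CMDLINE_LINUX=\"[^\"]*\)\"|\1 rd.luks.uuid=$uuid\"|" \
            "$grubdef" > "$grubdef.tmp" && mv "$grubdef.tmp" "$grubdef"
    else
        printf 'GRUB_CMDLINE_LINUX="rd.luks.uuid=%s"\n' "$uuid" >> "$grubdef"
    fi
}

# Read back the value grub2-mkconfig will see, to verify the edit.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}
```

Run `grub2-mkconfig` and `dracut -f` afterwards exactly as above; these functions only prepare the two files.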
Exit the chroot jail, then reboot.

Note: the first decrypt prompt may be lost in the syslog output, making it appear that the boot process has hung. Either just start typing the decrypt password (you should see `***` in place of typed characters) or press Enter to re-print the LUKS decrypt prompt. Once decrypted, the boot process should complete and you should land on the familiar Linux console prompt.
Fedora Workstation Setup
Up until this point, everything we have done has been accomplished via the Linux console. The following steps will upgrade from minimal Fedora to Fedora Workstation.

Add a non-root administrative user (gdm will not present a login splash screen when root is the only user present on the workstation):

```sh
useradd -G wheel USERNAME
passwd USERNAME
```

Ensure everything installed by the prebuilt minimal Fedora image is up to date:

```sh
dnf update -y
```

Install the `Fedora Workstation` package group. This step could take a few minutes as there are a little over 1,300 packages to download and install.

```sh
dnf group install -y 'Fedora Workstation'
```

Start `gdm.service` to verify GNOME works (you should see a login splash page):

```sh
systemctl start gdm.service
```
Reboot the system one last time. GNOME Display Manager (GDM) should start automatically.