[How To] PoC dual-boot Manjaro LUKS / Windows BitLocker

Use rEFInd to dual-boot Manjaro LUKS / Windows BitLocker with Secure Boot

These notes have been made from scratch using a laptop with two separate disks.

Windows was installed first - then Manjaro LUKS

  • Disk 1 with Windows 10 using BitLocker
  • Disk 2 with encrypted Manjaro installation using luks1, grub and btrfs.

Disclaimer

The PoC is provided AS IS with no promise or any guarantee that it will work for you.

THE PROOF OF CONCEPT IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS DOCUMENT INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THIS PROOF OF CONCEPT.

Boot into Firmware

Ensure Secure Boot is in Setup Mode - see your system’s manual

Boot a live ISO

  • convert container to luks2 (the option is --type luks2; there is no --luks2 switch)

    cryptsetup convert --type luks2 /dev/<part>
    cryptsetup luksConvertKey --pbkdf argon2id /dev/<part>
    
  • set the GPT partition label cryptsystem on the LUKS partition (this is the PARTLABEL that /dev/disk/by-partlabel/cryptsystem resolves to; e2label only labels ext filesystems and cannot label the container)

    sgdisk --change-name=<partnum>:cryptsystem /dev/<disk>
    
  • mount btrfs subvolumes - see Basic Rescue and Recovery

  • set label on btrfs filesystem root mount point to system

    btrfs filesystem label /mnt system
    udevadm trigger
    
  • create mount point for EFI partition

    mkdir /mnt/efi
    
  • mount efi partition

    mount /dev/<efipart> /mnt/efi
    
  • enter chroot

    manjaro-chroot /mnt /bin/bash
    

System Configuration

  • edit: add FONT and FONT_MAP to /etc/vconsole.conf (example)

    KEYMAP=dk
    FONT=lat2-16
    FONT_MAP=8859-1
    
  • edit: remove or comment out the root directive in /etc/crypttab (sd-encrypt reads /etc/crypttab.initramfs instead)

  • edit: change the efi mount point in /etc/fstab to /efi (the directory created earlier)

  • edit: modify /etc/fstab so every btrfs subvolume is mounted by the system filesystem label

    LABEL=system  /  btrfs  subvol=/@,defaults,compress=zstd:1  0  0
    LABEL=system  /home  btrfs  subvol=/@home,defaults,compress=zstd:1  0  0
    LABEL=system  /var/log  btrfs  subvol=/@log,defaults,compress=zstd:1  0  0
    LABEL=system  /var/cache  btrfs  subvol=/@cache,defaults,compress=zstd:1  0  0
    
  • create: file /etc/crypttab.initramfs with content

    system /dev/disk/by-partlabel/cryptsystem none timeout=120
    
  • create: file /etc/kernel/cmdline with content (cat /proc/cmdline)

    fbcon=nodefer rd.luks.allow-discards bgrt_disable root=LABEL=system rootflags=subvol=@,rw quiet splash udevlog_priority=3 vt.global_cursor_default=0
    
  • edit: /etc/mkinitcpio.conf

    • FILES array - remove the keyfile
    • HOOKS array - add systemd, sd-vconsole and sd-encrypt

    FILES=()
    HOOKS=(base systemd microcode autodetect kms modconf block keyboard sd-vconsole sd-encrypt filesystems btrfs fsck)
    
  • configure plymouth to use spinfinity (or another theme providing a nice passphrase input)

    plymouth-set-default-theme spinfinity
    
  • generate initramfs

    mkinitcpio -P
    
  • setup sbctl

    $ sbctl bundle --help
    Bundle the needed files for an EFI stub image
    
    Usage:
      sbctl bundle [flags]
    
    Flags:
      -a, --amducode string     AMD microcode location
      -c, --cmdline string      Cmdline location (default "/etc/kernel/cmdline")
      -e, --efi-stub string     EFI Stub location (default "/usr/lib/systemd/boot/efi/linuxx64.efi.stub")
      -p, --esp string          ESP location (default "/boot/efi")
      -h, --help                help for bundle
      -f, --initramfs string    Initramfs location (default "/boot/initramfs-linux.img")
      -i, --intelucode string   Intel microcode location
      -k, --kernel-img string   Kernel image location (default "/boot/vmlinuz-linux")
      -o, --os-release string   OS Release file location (default "/usr/lib/os-release")
      -s, --save                save bundle to the database
      -l, --splash-img string   Boot splash image location
    
    Global Flags:
          --config string      Path to configuration file
          --debug              Enable verbose debug logging
          --disable-landlock   Disable landlock sandboxing
          --json               Output as json
          --quiet              Mute info from logging
    
    
  • create keys

    sbctl create-keys
    
  • create bundle (the output path is the positional argument; -s/--save takes no value and records the bundle so generate-bundles can rebuild it after kernel updates)

    sbctl bundle --save -c /etc/kernel/cmdline -p /efi -f /boot/<initramfs.img> -k /boot/<vmlinuz> /efi/EFI/Manjaro/main.efi
    
  • sign bundle (generate-bundles rebuilds every saved bundle and signs it)

    sbctl generate-bundles --sign
    
  • enroll keys into firmware (Secure Boot must be in Setup Mode) side-by-side with Microsoft's keys

    sbctl enroll-keys --microsoft
    
  • install refind

    pacman -Syu refind
    
  • install refind to EFI and set as primary loader

    refind-install
    
  • sign /efi/EFI/refind/refind_x64.efi (and save it to the sbctl database so it is re-signed on updates)

    sbctl sign -s /efi/EFI/refind/refind_x64.efi
    
  • remove grub efi stubs

    rm -r /efi/EFI/boot
    rm /efi/EFI/Manjaro/grubx64.efi
    
  • remove grub related packages and mkinitcpio-openswap

    pacman -Rns grub-theme-manjaro install-grub update-grub grub grub-btrfs mkinitcpio-openswap
    
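The chroot edits above are easy to get half-right, and a mistake (an `encrypt` instead of `sd-encrypt` hook, a leftover keyfile in `FILES`, a btrfs line still mounting by UUID) only shows up as an unbootable system after `mkinitcpio -P` and the bundle have been generated. The following pre-flight script is an added example and not part of the original post or of sbctl; it checks the edited files the way a reviewer would before generating the initramfs. The labels `system` and `cryptsystem` and the mount point `/efi` are the names chosen in this post; the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the chroot edits
# described above. Every check is a function returning 0 (pass) or 1 (fail), so the
# script can be run against the real /etc inside the chroot or against the constructed
# sample tree built by make_sample_etc. "system", "cryptsystem" and "/efi" are the
# labels and mount point chosen in the post.

# Pass if the active HOOKS=( ... ) array in a mkinitcpio.conf contains the given hook.
has_hook() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Pass if FILES=( ... ) is present and empty, i.e. no keyfile is embedded in the initramfs.
files_array_empty() {
    grep -q '^FILES=(' "$1" &&
    [ -z "$(sed -n 's/^FILES=(\(.*\))$/\1/p' "$1" | tr -d '[:space:]')" ]
}

# Print the non-comment entries of a crypttab (empty output means none are active).
crypttab_active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep '[^[:space:]]' || true
}

# Pass if every btrfs line in fstab mounts by LABEL=system.
fstab_btrfs_uses_label() {
    awk '$3 == "btrfs" && $1 != "LABEL=system" { bad = 1 } END { exit bad + 0 }' "$1"
}

# Pass if a vfat filesystem (the ESP) is mounted at the given mount point in fstab.
fstab_efi_at() {
    awk -v want="$2" '$2 == want && $3 == "vfat" { found = 1 } END { exit !found }' "$1"
}

# Pass if the kernel cmdline selects root=LABEL=system and the @ subvolume.
cmdline_root_ok() {
    tr ' ' '\n' < "$1" | grep -qx 'root=LABEL=system' &&
    tr ' ' '\n' < "$1" | grep -Eq '^rootflags=.*subvol=@(,|$)'
}

# Pass if crypttab.initramfs maps "system" from the cryptsystem partition label.
crypttab_initramfs_ok() {
    awk '$1 == "system" && $2 == "/dev/disk/by-partlabel/cryptsystem" { ok = 1 } END { exit !ok }' "$1"
}

# Build a constructed sample /etc tree reflecting the post's edits; print its path.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/kernel"
    printf 'FILES=()\nHOOKS=(base systemd microcode autodetect kms modconf block keyboard sd-vconsole sd-encrypt filesystems btrfs fsck)\n' > "$d/mkinitcpio.conf"
    printf '# root entry removed as instructed; sd-encrypt reads crypttab.initramfs\n' > "$d/crypttab"
    printf 'system /dev/disk/by-partlabel/cryptsystem none timeout=120\n' > "$d/crypttab.initramfs"
    printf 'fbcon=nodefer rd.luks.allow-discards root=LABEL=system rootflags=subvol=@,rw quiet splash\n' > "$d/kernel/cmdline"
    cat > "$d/fstab" <<'EOF'
UUID=EXAMPLE-ESP-UUID  /efi  vfat  umask=0077  0  2
LABEL=system  /  btrfs  subvol=/@,defaults,compress=zstd:1  0  0
LABEL=system  /home  btrfs  subvol=/@home,defaults,compress=zstd:1  0  0
LABEL=system  /var/log  btrfs  subvol=/@log,defaults,compress=zstd:1  0  0
LABEL=system  /var/cache  btrfs  subvol=/@cache,defaults,compress=zstd:1  0  0
EOF
    echo "$d"
}

# Run every check against an /etc directory; print one line per check, return 0 only if all pass.
preflight() {
    etc="$1"; rc=0
    for check in \
        "has_hook $etc/mkinitcpio.conf systemd" \
        "has_hook $etc/mkinitcpio.conf sd-vconsole" \
        "has_hook $etc/mkinitcpio.conf sd-encrypt" \
        "files_array_empty $etc/mkinitcpio.conf" \
        "fstab_btrfs_uses_label $etc/fstab" \
        "fstab_efi_at $etc/fstab /efi" \
        "cmdline_root_ok $etc/kernel/cmdline" \
        "crypttab_initramfs_ok $etc/crypttab.initramfs"; do
        if $check; then echo "ok    $check"; else echo "FAIL  $check"; rc=1; fi
    done
    active=$(crypttab_active_lines "$etc/crypttab")
    if [ -n "$active" ]; then
        echo "WARN  active entries remain in $etc/crypttab (the root entry must be removed):"
        printf '%s\n' "$active" | sed 's/^/      /'
    fi
    return $rc
}

# Stand-alone use: "sh preflight.sh /etc" inside the chroot; with no argument the
# constructed sample tree is checked and removed again.
if [ $# -ge 1 ]; then
    preflight "$1"
else
    sample=$(make_sample_etc)
    preflight "$sample"
    rm -rf "$sample"
fi
```

Run it inside the chroot before `mkinitcpio -P`: a FAIL on a hook or on FILES means the initramfs would still be built with the old encrypt hook or with a keyfile embedded in it, and a FAIL on fstab or cmdline means the root filesystem would not be found once the bundle replaces grub. The WARN on `/etc/crypttab` is deliberately a warning, since other entries (swap, data volumes) may legitimately stay.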

That’s all folks!

This is not a discussion topic.

If you have questions - create a new topic and link back.

https://forum.manjaro.org/t/180808