Hi all,
I recently ordered an ODROID N2 and set up CoreELEC with it. I’m quite impressed, I only used Kodi on an FTV Stick before and it was always a bit slow etc, great job guys.
For years, I have had the habit of using full disk encryption (via dm-crypt and luks) on all the devices I use, so I wanted to bring this to CoreELEC. There are various ideas floating around my head how to actually do this (including authentication servers, smart cards, etc.), but I want to start with the simplest: prompt me for a password on bootup to unlock the SD card (or a second partition) - obviously this is not really user friendly, but should get me going with the boot procedure etc.
In the end, as much of the system as possible should be encrypted, with only the necessary parts for booting staying in clear text. I plan to actually unlock the boot through ssh or from my phone in the end, but this is still a bit unclear.
Where can I find information about how CoreELEC (especially on the ODROID N2) boots and how the startup can be modified? Which git repos are used to build the complete image including uboot?
I imagine the boot process of the N2 to be something like this:
- first stage bootloader from ROM: search uboot in emmc / microsd / usb -> run uboot
- uboot: do some stuff (what exactly?), mount rootfs -> run kernel
- regular system startup
Is there something like initramfs in CoreELEC (this is where luks is usually integrated in regular systems) or does everything happen in uboot and then boot directly into the system? If the latter, then everything related to decryption of the rootfs must be done in uboot directly.
As you see, I’m a bit lost here, but maybe you guys can give me a few pointers in the right direction and point me to the relevant github repos. @Ray I’m pinging you here since you were quite active in the N2 nightlies thread and I assume you know how this might be achieved most easily.
EDIT: another idea, that’s probably way easier to achieve, is to leave /flash and /storage/.config unencrypted and put the decryption script into a systemd service that starts before kodi.service. Then all userdata could be mounted before kodi starts and be symlinked into /storage/.kodi etc. The raw system would then be readable but should only reveal the contents of /flash and /storage/.config, which should not contain any privacy related data I guess.