Will these be loaded in initramfs though or only when switching to the regular system? In the regular system, everything is already loaded, only in initramfs the module is missing. So I guess the config file is already correct and I only have to tell initramfs which modules to load or not?
Hmmh. Yeah I get what you are asking now. CoreELEC uses something called kernel module overlay which includes the modules early through systemd. It basically creates a symlink
I got a bit further with this, but stumbled upon something else entirely: does the N2 power off the microSD card on suspend (or maybe even in regular operation)? Is there a way to disable this behavior?
I unlocked my proprietary microSD in initramfs, but some time later it was locked again and kodi could not read anything anymore, which breaks all sorts of things of course.
That’s it, the system now boots into initramfs, unlocks the storage drive and then carries on with the regular boot and it works quite flawlessly. The way to obtain the actual password will probably differ for each user and it should obviously not be written in plaintext in the script.
I might add a more detailed write-up on how I obtain my passphrase and add a link to it here.
The remaining questions are:
Would CoreELEC by willing to add the kernel modules into the kernel by default (or automatically load the modules in initramfs if they should not be always included in the kernel)? This is very important to prevent having to maintain a special CoreELEC build?
Additionally, could we also add cryptsetup and its libs to initramfs? Otherwise one would have to add them to /flash as I did above. Nothing too cumbersome, but would be nice if those utilities were already part of initramfs then.
Then the stage would be set for all customizations one could think of and the resulting passphrase/keyfile can be used to unlock a drive without having to use a custom build of CoreELEC.
Although you did a nice job, I wonder what is the percentage of CE users who wants to use encryption. If it’s barely a handful this is not enough to include it in CE IMHO.
maybe there are no users, because it’s not so easy to actually get it working (see my steps above)
it does not really hurt to include it: the initramfs (and system image to include cryptsetup also on the running system) increases by 1.4mb, the kernel by 0.1mb
One million four hundred thousand bytes… sound bigger.
I started to programming computers in machine language and when only kilobytes of memory available then every byte counts. Fortunately those times are gone.
I’ll try to remove the need for the kernel config patch and load the required kernel modules from init instead, then we probably don’t even have to change anything in CE.
The only ‘problem’ then would be if the binaries and kernel modules in the /flash partition (which only get created once and not updated during a system update) would get incompatible with the kernel somehow. I suspect this to be very very rare, though.
So this means you got luks working? I am using CE on a Beelink GT king, and would be very much interested in using luks for external hdd-s as all my hdd-s are encrypted. (I use linux exclusively, but I have never compiled anything, and the steps you took are beyond my current knowledge level.)
Yes, I use LUKS now and everything works just fine. How do you want to unlock your encrypted drives? If you only want to unlock them after booting into CE, then you can simply install cryptsetup and its tools and don’t have to change anything else on your system.
I have vanilla 9.2.0 and installed cryptsetup via opkg but I get the following when mounting an encrypted USB drive:
cryptsetup open /dev/disk/by-id/ata-ST4000LM024 myseagate1
Enter passphrase for /dev/disk/by-id/ata-ST4000LM024:
Cannot initialize device-mapper. Is dm_mod kernel module loaded?
PROJECT=Amlogic ./scripts/clean linux
PROJECT=Amlogic ./scripts/build linux
It will ask you for some other options you missed. When it is done compare file linux.aarch64.conf and build.CoreELEC-Amlogic…/linux-…/.config and copy required stuff back from .config to linux.aarch64.conf. And then repeat clean/build step.