Pinebook Pro: Manjaro Linux for ARM with full-disk encryption on eMMC
This guide, slightly updated and adapted for Manjaro, is based on the one for Arch Linux. Kudos to Rudis Muiznieks for all the tinkering and sharing!
- Boot from an SD (assuming Manjaro)
- Ensure that these tools are available:
    $ sudo pacman -S manjaro-tools gparted rsync f2fs-tools
  - fstabgen (formerly known as genfstab, part of manjaro-tools)
  - manjaro-chroot (fka arch-chroot, part of manjaro-tools)
  - gparted (you can also use fdisk if you like)
  - rsync
  - f2fs-tools
- Ensure that the eMMC partitions are available:
    $ lsblk
  If there is no mmcblk2, try to activate it (as root, because the sysfs bind/unbind files are writable by root only):
    # echo fe330000.sdhci >/sys/bus/platform/drivers/sdhci-arasan/unbind
    # echo fe330000.sdhci >/sys/bus/platform/drivers/sdhci-arasan/bind
    # lsblk
    NAME         MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    mmcblk1      179:0    0  59,5G  0 disk
    ├─mmcblk1p1  179:1    0 213,6M  0 part /boot
    └─mmcblk1p2  179:2    0  59,2G  0 part /
    mmcblk2      179:32   0 116,5G  0 disk
    ├─mmcblk2p1  179:33   0 213,6M  0 part
    └─mmcblk2p2  179:34   0 116,2G  0 part
    mmcblk2boot0 179:64   0     4M  1 disk
    mmcblk2boot1 179:96   0     4M  1 disk
    zram0        252:0    0   5,6G  0 disk [SWAP]
- Become root and create a backup directory on the SD card, e.g. in ~/backup:
    $ sudo su
    # mkdir ~/backup
- Mount the partitions of mmcblk2:
    # mount /dev/mmcblk2p2 /mnt
    # mount /dev/mmcblk2p1 /mnt/boot
    # ls /mnt/boot
    dtbs extlinux idbloader.img Image Image.gz initramfs-linux.img u-boot.itb
    # ls /mnt/
    bin boot dev etc home lib lost+found mnt opt overlay.txt proc root run sbin srv sys tmp usr var
- rsync the content of mmcblk2 to the backup directory on the SD card. Exclude patterns with a leading slash are anchored at the transfer root (/mnt/ here), so they are written without the /mnt prefix:
    # rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/ ~/backup/
- Unmount the eMMC partitions:
    # umount /mnt/boot
    # umount /mnt
- Delete the unencrypted root partition of the eMMC:
    # fdisk /dev/mmcblk2
    p
    d
    2
    n
  When creating the new partition, ensure that it begins after the boot partition mmcblk2p1; at least in my case, I had a small amount of free space before the boot partition.
    p
    w
- Create an encrypted partition according to the guide in the ArchWiki:
    # cryptsetup -y -v luksFormat /dev/mmcblk2p2
    # cryptsetup open /dev/mmcblk2p2 ROOT_MNJRO
    # mkfs.f2fs /dev/mapper/ROOT_MNJRO
    # umount /mnt
    # cryptsetup close /dev/mapper/ROOT_MNJRO
    # cryptsetup open /dev/mmcblk2p2 ROOT_MNJRO
    # mount /dev/mapper/ROOT_MNJRO /mnt
- Restore the backup to the mounted encrypted volume:
    # rsync -aAXv ~/backup/ /mnt/
- Generate the fstab in /mnt/etc/fstab:
    # fstabgen -U /mnt
- chroot into the restored installation:
    # manjaro-chroot /mnt
- Edit /etc/mkinitcpio.conf and ensure that HOOKS and MODULES look like:
    HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
    MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid)
- Edit /boot/extlinux/extlinux.conf (only the APPEND line) according to "Configuring the boot loader" in the ArchWiki. To figure out the UUID of the LUKS volume, use:
    # blkid -s UUID | grep mmcblk2p2
- Ensure that the F2FS tools are available in the chroot environment:
    sh-5.0# pacman -S f2fs-tools
- Rebuild initramfs images from within the chroot environment:
    sh-5.0# mkinitcpio -P
  This process should run without errors.
- Leave the chroot environment with exit and unmount properly:
    sh-5.0# exit
    # umount /mnt/boot
    # umount /mnt
- Shut down the machine, remove the SD card and ... engage!
In general that was supposed to be enough to boot properly and get a prompt to enter a passphrase. Unfortunately, there seems to be a timing issue or something else which every now and then causes the boot process to wait for the eMMC, run into a timeout and drop into an emergency console. I tried this advice, replaced the uboot-pinebookpro package with uboot-pinebookpro-bsp and afterwards executed some dd instructions that were mentioned by the installer (compare below, but when in doubt follow the ones from the installer):
# pacman -S uboot-pinebookpro-bsp
# dd if=/boot/idbloader.img of=/dev/mmcblk2 seek=64 conv=notrunc
# dd if=/boot/uboot.img of=/dev/mmcblk2 seek=16384 conv=notrunc
# dd if=/boot/trust.img of=/dev/mmcblk2 seek=24576 conv=notrunc
Since then, my Pinebook Pro boots reliably and always asks for the passphrase.
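Both edits made in the chroot (HOOKS in /etc/mkinitcpio.conf and the APPEND line in /boot/extlinux/extlinux.conf) can be checked before the reboot. The script below is an added example, not part of the original guide: hooks_ok and append_ok are hypothetical helper names, the cryptdevice=UUID=...:name and root=/dev/mapper/name parameters are assumed from the ArchWiki's encrypt-hook syntax, and the sample files and UUID are constructed.

```shell
# Added example: pre-reboot check of the two files edited in the chroot.
# hooks_ok FILE: keyboard and block must precede encrypt, which must
# precede filesystems, or the initramfs cannot prompt for and unlock root.
hooks_ok() {
    local line h pos=0 kb=0 blk=0 enc=0 fs=0
    line=$(grep -E '^[[:space:]]*HOOKS=\(' "$1" | tail -n 1)
    line=${line#*\(}; line=${line%%\)*}
    for h in $line; do
        pos=$((pos + 1))
        case $h in
            keyboard) kb=$pos ;; block) blk=$pos ;;
            encrypt) enc=$pos ;; filesystems) fs=$pos ;;
        esac
    done
    [ "$kb" -gt 0 ] && [ "$blk" -gt 0 ] && [ "$enc" -gt "$kb" ] &&
        [ "$enc" -gt "$blk" ] && [ "$fs" -gt "$enc" ]
}

# append_ok FILE UUID: every APPEND line needs cryptdevice=UUID=<UUID>:<name>
# and root=/dev/mapper/<name> with the same <name>.
append_ok() {
    local uuid=$2 line name seen=0
    while IFS= read -r line; do
        case $line in *APPEND*) seen=1 ;; *) continue ;; esac
        name=$(printf '%s\n' "$line" |
            sed -n "s/.*cryptdevice=UUID=$uuid:\([A-Za-z0-9_-]*\).*/\1/p")
        [ -n "$name" ] || return 1
        case " $line " in *" root=/dev/mapper/$name "*) ;; *) return 1 ;; esac
    done < "$1"
    [ "$seen" -eq 1 ]
}

# Constructed sample files (placeholder UUID, not from a real system).
demo=$(mktemp -d); uuid=11111111-2222-3333-4444-555555555555
cat > "$demo/mkinitcpio.conf" <<'EOF'
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
EOF
cat > "$demo/extlinux.conf" <<EOF
LABEL Manjaro ARM
KERNEL /Image
APPEND initrd=/initramfs-linux.img cryptdevice=UUID=$uuid:ROOT_MNJRO root=/dev/mapper/ROOT_MNJRO rw rootwait
EOF
# Same entry with root= not pointing at the mapper device: must be rejected.
sed 's|root=/dev/mapper/ROOT_MNJRO|root=LABEL=ROOT_MNJRO|' \
    "$demo/extlinux.conf" > "$demo/extlinux.bad"
for f in extlinux.conf extlinux.bad; do
    if hooks_ok "$demo/mkinitcpio.conf" && append_ok "$demo/$f" "$uuid"
    then echo "$f: ok"; else echo "$f: would not unlock or mount root"; fi
done
```

On the real system, call the two functions inside the chroot against /etc/mkinitcpio.conf and /boot/extlinux/extlinux.conf, passing the UUID that blkid reports for mmcblk2p2.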
Happy encrypted hacking! :)
About the author
Jan Beilicke is a long-time IT professional and full-time nerd. Open source enthusiast, advocating security and privacy. Sees the cloud as other people's computers. Find him on Mastodon.