Pinebook Pro: Manjaro Linux for ARM with full-disk encryption on eMMC

This guide is a slightly updated version, adapted for Manjaro, of the one for Arch Linux. Kudos to Rudis Muiznieks for all the tinkering and sharing!

  1. Boot from an SD card (assuming Manjaro)
  2. Ensure that these tools are available:

    $ sudo pacman -S manjaro-tools gparted rsync f2fs-tools
    
    • fstabgen (formerly known as genfstab, part of manjaro-tools)
    • manjaro-chroot (formerly known as arch-chroot, part of manjaro-tools)
    • gparted (you can also use fdisk if you like)
    • rsync
    • f2fs-tools
  3. Ensure that the eMMC partitions are available

    $ lsblk
    

    If there is no mmcblk2, try to activate it (writing to /sys requires root, hence sudo tee):

    $ echo fe330000.sdhci | sudo tee /sys/bus/platform/drivers/sdhci-arasan/unbind
    $ echo fe330000.sdhci | sudo tee /sys/bus/platform/drivers/sdhci-arasan/bind
    $ lsblk
    NAME         MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    mmcblk1      179:0    0  59,5G  0 disk 
    ├─mmcblk1p1  179:1    0 213,6M  0 part /boot
    └─mmcblk1p2  179:2    0  59,2G  0 part /
    mmcblk2      179:32   0 116,5G  0 disk 
    ├─mmcblk2p1  179:33   0 213,6M  0 part 
    └─mmcblk2p2  179:34   0 116,2G  0 part 
    mmcblk2boot0 179:64   0     4M  1 disk 
    mmcblk2boot1 179:96   0     4M  1 disk 
    zram0        252:0    0   5,6G  0 disk [SWAP]
    
  4. Become root and create a backup directory on the SD card, e.g. in ~/backup

    $ sudo su
    # mkdir ~/backup
    
  5. Mount the partitions of mmcblk2:

    # mount /dev/mmcblk2p2 /mnt
    # mount /dev/mmcblk2p1 /mnt/boot
    # ls /mnt/boot
    dtbs  extlinux  idbloader.img  Image  Image.gz  initramfs-linux.img  u-boot.itb
    # ls /mnt/
    bin  boot  dev  etc  home  lib  lost+found  mnt  opt  overlay.txt  proc  root  run  sbin  srv  sys  tmp  usr  var
    
  6. rsync the content of mmcblk2 to the backup directory on the SD card (exclude patterns are anchored at the transfer root /mnt/, so they are written without the /mnt prefix):

    # rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/ ~/backup/
    
  7. Unmount the eMMC partitions:

    # umount /mnt/boot
    # umount /mnt
    
  8. Delete the unencrypted root partition of the eMMC:

    # fdisk /dev/mmcblk2
    p
    d 2
    n
    

    When creating the new partition, ensure that it begins after the boot partition mmcblk2p1. In my case there was a small amount of free space before the boot partition.

    p
    w
    
  9. Create an encrypted partition according to the guide in the ArchWiki, then mount it together with the boot partition so that the following steps also reach /boot:

    # cryptsetup -y -v luksFormat /dev/mmcblk2p2
    # cryptsetup open /dev/mmcblk2p2 ROOT_MNJRO
    # mkfs.f2fs /dev/mapper/ROOT_MNJRO
    # umount /mnt
    # cryptsetup close /dev/mapper/ROOT_MNJRO
    # cryptsetup open /dev/mmcblk2p2 ROOT_MNJRO
    # mount /dev/mapper/ROOT_MNJRO /mnt
    # mkdir -p /mnt/boot
    # mount /dev/mmcblk2p1 /mnt/boot
    
  10. Restore the backup to the mounted encrypted volume:

    # rsync -aAXv ~/backup/ /mnt/
    
  11. Generate the fstab and write it to /mnt/etc/fstab (fstabgen prints to standard output):

    # fstabgen -U /mnt > /mnt/etc/fstab
    
  12. chroot into the restored installation:

    # manjaro-chroot /mnt
    
  13. Edit /etc/mkinitcpio.conf and ensure that HOOKS and MODULES look like:

    HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
    MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid)
    
  14. Edit /boot/extlinux/extlinux.conf (only the APPEND line) according to "Configuring the boot loader" in the ArchWiki. To figure out the UUID of the LUKS volume, use:

    # blkid -s UUID | grep mmcblk2p2
    
  15. Ensure that the F2FS tools are available in the chroot environment:

    sh-5.0# pacman -S f2fs-tools
    
  16. Rebuild initramfs images from within the chroot environment:

    sh-5.0# mkinitcpio -P
    

    This process should run without errors.

  17. Leave the chroot environment with exit, unmount properly:

    sh-5.0# exit
    # umount /mnt/boot
    # umount /mnt
    
  18. Shut down the machine, remove the SD card and ... engage!
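
A check worth running inside the chroot before step 17 is sketched below as an added example; it is not part of the original guide. The function names `check_hooks` and `check_append` are hypothetical, the sample files and UUID are constructed, and it assumes the `cryptdevice=UUID=<uuid>:<name> root=/dev/mapper/<name>` kernel parameters that the ArchWiki describes for the encrypt hook.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-reboot check for steps 13 and 14.
# On the real system, run inside the chroot:
#   check_hooks /etc/mkinitcpio.conf
#   check_append /boot/extlinux/extlinux.conf "$(blkid -s UUID -o value /dev/mmcblk2p2)" ROOT_MNJRO

# Succeeds only if HOOKS lists "encrypt" ahead of "filesystems".
check_hooks() {
    ch_hooks=$(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$1" | tail -n 1)
    ch_seen=no
    for ch_h in $ch_hooks; do
        case $ch_h in
            encrypt) ch_seen=yes ;;
            filesystems)
                [ "$ch_seen" = yes ] && return 0
                echo "HOOKS: encrypt must come before filesystems" >&2
                return 1 ;;
        esac
    done
    echo "HOOKS: filesystems hook not found" >&2
    return 1
}

# Succeeds only if the APPEND line unlocks LUKS UUID $2 as mapper name $3
# and uses that mapped device as the root filesystem.
check_append() {
    ca_line=$(grep -i '^[[:space:]]*APPEND' "$1" | tr '\n\t' '  ')
    for ca_want in "cryptdevice=UUID=$2:$3" "root=/dev/mapper/$3"; do
        case " $ca_line " in
            *" $ca_want "*) ;;
            *) echo "APPEND: missing $ca_want" >&2; return 1 ;;
        esac
    done
}

# Constructed sample files; the UUID is a made-up placeholder.
demo() {
    d_dir=$(mktemp -d) && d_uuid=0a1b2c3d-1111-2222-3333-444455556666
    echo 'HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)' >"$d_dir/mkinitcpio.conf"
    printf 'LABEL Manjaro ARM\nKERNEL /Image\nAPPEND initrd=/initramfs-linux.img console=tty1 cryptdevice=UUID=%s:ROOT_MNJRO root=/dev/mapper/ROOT_MNJRO rw rootwait\n' "$d_uuid" >"$d_dir/extlinux.conf"
    check_hooks "$d_dir/mkinitcpio.conf" && check_append "$d_dir/extlinux.conf" "$d_uuid" ROOT_MNJRO
    d_rc=$?
    rm -rf "$d_dir"
    return $d_rc
}
demo && echo "boot configuration looks consistent"
```

A failed check names the missing parameter or the misplaced hook, which is easier to fix from the chroot than from the emergency console after a reboot.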

In general, that should be enough to boot properly and get a prompt to enter a passphrase. Unfortunately, there seems to be a timing issue or something else which every now and then causes the boot process to wait for the eMMC, run into a timeout and drop into an emergency console. I tried this advice: I replaced the uboot-pinebookpro package with uboot-pinebookpro-bsp and afterwards executed some dd instructions that were mentioned by the installer (compare below, but when in doubt follow the ones from the installer):

    # pacman -S uboot-pinebookpro-bsp
    # dd if=/boot/idbloader.img of=/dev/mmcblk2 seek=64 conv=notrunc
    # dd if=/boot/uboot.img of=/dev/mmcblk2 seek=16384 conv=notrunc
    # dd if=/boot/trust.img of=/dev/mmcblk2 seek=24576 conv=notrunc

Since then, my Pinebook Pro boots reliably and always asks for the passphrase.

Happy encrypted hacking! :)

Jan Beilicke
