[SOLVED]Using LVM + uEFI secure boot - a couple of questions

[johngalt]

Hi, all,

I'm building Gentoo on 2 laptops - Dell Inspiron 3521 and Lenovo ThinkPad Edge E545. Specs:

1. Inspiron
   
   Intel Celeron 1007U CPU w/ integrated Intel HD Graphics (Ivy Bridge)
   4 GM RAM
   Intel X25-M 9gen 2) 80 GB SSD SATA II
   
   
2. Lenovo
   
   AMD A6-5350M CPU w/ integrated Radeon HD 8450G
   8 GB RAM
   Intel Cherryville 520 series 180 GB SSD SATA 'III'
   

Both machines have optical drives, and I plan to obtain HD caddies to swap them out and add additional storage (SSDs) (ordered one for Lenovo already, still sourcing one for the Dell). As I do not have them yet, and as I have become rather versatile in installing Gentoo for a basic boot to CLI, Ive started looking at alternatives to just adding the disks in and making a new mount.

My understanding is that, from reading a whole slew of sources on it, LVM would be an optimal way for me to build the install now, and after I get SSD and caddy and install, I could extend the LVM onto the new drive and then extend my / partition to use the new space, or else add new partitions and move stuff around as I see fit.

Is this a valid assumption on my part?

Also, the vast majority of forum posts and other resources dealing with LVM also end up mentioning the use of LUKS for encryption - as these are machines that I am using solely at home and solely for the purpose of re-familiarizing myself with Gentoo, my gut tells me that I don't really need LUKS at the moment, and to keep my learning curve at a tolerable level I can just ignore using it now and worry about it later on. But, I've done a bit of searching, and I cannot really see an answer to this at all:

Does LUKS introduce any overhead when the system is in actual use, or is it only using CPU cycles at boot and shutdown / reboot?

My plan is to partition the drives on both machines with 1 ESP (vfat), keeping it 550 MB (just in case I get a wild hair up where the sun doesn't shine and I decide that I want to install a different OS on the additional SSDs that come in, so keeping it large enough for compatibility with a possible Windows dual boot later on) and the rest as the logical volume for each drive. So, both machines' drives end up looking like this:

[Hu]

[russK]

On this point:

[johngalt]

@Hu - Thanks for the answers. I don't live in a high crime area, and these are test-beds for me - I'm re-learning my way around Gentoo, and figured I'd dive straight into the deep end of the pool and tackle tougher projects like direct uEFI booting vs using a boot manager like Grub2 (and have decided to not use rEFInd since the Dell is no longer going to my father - I gave him a much newer Acer with Windows 10 on it, and h is happy). So, even if they were to be purloined from my house, no significant data on there for thieves, and the overall valuation of each laptop is significantly low due to age - even the SSDs in them are cheap these days.

As for doing it later, yeah, I knew it wasn't going to be an in-place upgrade of any type - If the need arises for me to learn how it works / I decided that it is a good time to tackle it as the next step in my learning process, I'll copy any files I need off the machine and wipe the drive and start over.

@russK - I ran genkernel over the weekend on both machines and neither produced a file that explicitly had vmlinuz in the name, so I either did something wrongly, or else I didn't realize that one of the files copied to /boot was, in fact, the correct file to use for efi boot.

Which file am I supposed to copy over to the ESP under /efi/boot/ in order to use efimanager to add it to the uEFI bootmanager?
_________________

[charles17]

[russK]

[johngalt]

@Charles17 - Yeah it does, but the interface limits the number of characters I can use for a path to the .efi files - mine looks almost exactly like an old Phoenix BIOS screen except that it is actually uEFI. And unless the path is exactly or shorter in length than /efi/boot/bootx64.efi I cannot use it.

But I already verified that I could interface with the Dell via efibootmgr because I used it (booted off SystemRescueCD) to remove entries from the uEFI list that I will never use, such as a portable floppy drive and add a test entry on the last install iteration on this machine, and sure enough, the next time I rebooted the machine and entered the uEFI interface, that fd entry was gone and the one I had created was now there.

So I am happy to use efibootmgr to set my items up - in fact, I'll probably set up at least one fallback, as well as a couple of test entries for testing new kernels and the like, and a basic kernel for CLI only with SSH so I can continue to work on it via SSH until I get my replacement screen put on.

As for the initramfs - https://wiki.gentoo.org/wiki/EFI_stub_kernel#Optional:_Initramfs says it can be done either way, so I was going to try that first, but seeing as how my uEFI looks even older than yours, it might just be that Dell uEFI prior to last year is just FUBAR and I'll have to embed it anyway as you did. But at least that will be easy enough.

Plus, this is all a learning experience for me, so the more things break the more I get to find answers, from all the resources available - including you guys here on the forums...

Can't count the number of times these past few weeks I've had a question, googled it and got pointed to a particular forum topic that answered what I was going to ask lol.

Thanks for your advice - I'll keep it all in mind as I plow forward.

@russK - OK, thanks. I've gone through a few genkernel pages, the handbook, (which is not geared directly toward uEFI booting but touches on it briefly) and several threads in the forum, but only found one reference to copying a bZimage file - which was not at the location that the page said it should be at. But I'm well aware that it very well was PEBKAC

Anyhoo, since I am doing both laptops at the same time (and the neat thing is that even with the Dell screen not working, after booting from SRCD on the Lenovo and only changing root pw and enabling a titled screen, I started doing everything else from my desktop via ssh into the Lenovo. So, without being able to see anything, I also booted SRCD on the Dell and waited a good while to ensure it had completely booted, did the exact same there, and am able to also SSH into it. Of course, it helps that I use static IPs on the DHCP server in my Mesh kit for all my devices....) I'm currently manually configuring the kernel on the Lenovo only, configuring the parts of the kernel that are going to be the same on both machines, e.g. the required items for LVM support and use, filesystem support, etc.

Then I'll save the .config, SCP to the Dell, so I only have to finish the config specific to each machine.
_________________

[johngalt]

I'm marking this solved as all of my original questions have been answered, but please, if anyone wants to contribute to the thread, feel free to enlighten me - I'm more rusty at this, which I haven't touched in 13 years, than I am at playing tennis, which I recently took back up - and it has been almost 20 years for that
_________________

[russK]

[johngalt]

No, your script told me that I was, in fact, not really reading carefully enough. The script, in and of itself, told me exactly what needed to go where - and if I still had those compiled files around I would have use it as a template to copy those files as needed.

In first starting all of this new learning experience, I decided that the Dell, the first machine I tackled, would be a rEFInd machine. But tracking back and forth between various different pages as I attempted to get the base system working left me a little FUBARd because, doing things the rEFInd way, I was supposed to mount /boot/efi to the ESP, whereas every other resource (including the Gentoo rEFInd wiki itself @ https://wiki.gentoo.org/wiki/Refind ) uses /boot as the mount point. But Rob says in the rEFInd pages that you can use /boot as the mount point with no issues, just adjust his instructions accordingly. In making the transitions between several pages trying to get everytihing installed, I managed to goof it up - multiple times.

As this was as much for a learning experience for me as it was for getting the laptop ready to deliver, I kept at it - over and over (3 attempts). Finally, when the screen gave way, I started working on the Lenovo, which, thogh also uEFI based, was a completley different machine - all AMD based versu the Dell being all Intel based.

That got me to thinknig on how I could refine my current work process, and so I started noticing where files could be used across machines - for example, my make.conf - the only thing that changes between the machines (for now) is that I have differing hardware, so CPUflags, video, and MAKEOPTS (and between the two laptops, MAKEOPTS is the same as both are dual core CPUs with no virtual cores). I tried using CPU specific -march and it broke tingson my Dell when emerging stuff, so I went back to the default native, which I am using everywhere until I can test on working, booting systems if going CPU specific gives me any advantage at all (without brekaing anything lol).

As I was configuring the kernel on the Lenovo, I realized that if I configured everything else that I wanted / needed in terms of system setup, like filesystems, etc. and leave off the hardware specific entries, I could easily also copy that .config ove rto hte Dell and save myself a lot of time. If you will, it's like a mini-pappy-seed, only for my strict personal use. Shortened my workload again - a lot of stuff I don't have to configure on the Dell, because I already have.

Then, after only a single failed install attempt on the Lenovo, I realized that I can streamliine it even more - instead of having to refer to so many different pages, if I add a bit of uniformity to my installs, I can make my own 'document' to perform installs, following all the required steps in order but also making sure that I add in the correct steps from other pages as needed for my install, with all the extra caveats that I might need (for example, writing down the altered mount steps needed if booting from an ubuntu live disc versus a gentoo-based distro like srcd or a direct gentoo live disc). Now that I have that document partially completeled (all the way through kernel config), it's made it even easier - I have my flow and in less than an hour (or a couple of hours if I perform the optional first emerge --deep @world after profile change) I'm on to configuring bootloaders.

At any rate, your script did help me out a lot, and that is why I said I realized it was a PEBKAC moment - I had the files, but because more than one reference said to copy the vmlinuz-named file as an .efi file, I got lost. With rEFInd, it has its own .efi file, and then is able to boot whichever kernel you point it to - which was the initial reason I opted to use it - but my frustration at the getting the actual local boot process to work led me to abandon it, especially when I read further about how efibootmgr works, and after verifying that efibootmgr was able to successfully interact with both uEFI systems on the laptops.

At any rate, though, I'm now also tackling my desktop, having made a full backup of he partitions that Windows was installed to, so I'm probably going to tackle each machine slightly differently - the desktop is BIOS based, so obviously, no efibootmgr / rEFInd. the Dell is by far the slowest machine of the group, so it will probably get genkerneled and I'll call it a day, as rEFInd on a mchine that has no worknig scren is a bit .. pretentious. lol.

The Lenovo - not 100% sure yet. I think I'm going to go the efibootmgr route on it as well, and boot kernels directly, as the kernel compile time on it is 1/4 that of the ell. But I haven't ruled out rEFInd, as it would be the only machine I currently have that I can actually use rEFInd on.

Regardless, though, I do sincerely thank you for your insight and your notes - they helped me a lot.
_________________