从T450笔记本迁移archlinux操作系统之T460s笔记本,同时:
1。 使用cryptsetup做底层块加密。
2. 全新使用btrfs文件系统。
一,硬盘分区。 1T的SSD,使用UEFI启动。
parted /dev/nvme0n1 mkpart fat32 1MiB 512MiB mkpart linux-swap 513MiB 107530MiB mkpart xfs 107530MiB 100% set 1 boot on
name 1 PARTITION_BOOT
name 2 PARTITION_SWAP
name 3 PARTITION_SECURITY
二, 块加密
[cipher][archlinux][disk encryption][btrfs] 磁盘分区加密 + btrfs
cryptsetup luksFormat /dev/nvme0n1p3 cryptsetup open /dev/nvme0n1p3 crypto_disk mkfs.btrfs -L CRYPTO_DISK /dev/mapper/crypto_disk mount /dev/mapper/crypto_disk mnt btfs subvolume create mnt/_top btfs subvolume create mnt/_top/root btfs subvolume create mnt/_top/home mkdir mnt/snapshot mkdir mnt/snapshot/home mkdir mnt/snapshot/root btrfs subvolume set-default 257 ./
三,挂载
umount mnt/ mount -o compress=lzo,subvol=_top/root /dev/mapper/crypto_disk mnt mkdir mnt/home mkdir mnt/boot mount -o compress=lzo,subvol=_top/home /dev/mapper/crypto_disk mnt/home mount /dev/nvme0n1p1 mnt/boot swapon /dev/nvme0n1p2
四, rsync 从备份服务器做系统迁移
参考:[daily][archlinux][rsync] rsync
使用进行备份时同样的命令。
五,修改fstab,并安装EFISTUB
# genfstab -U /mnt >> /mnt/etc/fstab
https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
当前的配置 HOOKS="base systemd autodetect modconf block bcache sd-lvm2 filesystems keyboard fsck" 修改后的配置 HOOKS="base systemd autodetect modconf block sd-encrpt filesystems keyboard fsck" BINARES="/usr/bin/btrfs"
# mkinitcpio -p linux
https://wiki.archlinux.org/index.php/Arch_boot_process
https://wiki.archlinux.org/index.php/EFISTUB
参考:
[troubleshoot][archlinux][bcache] 修改linux文件系统 / 分区方案 / 做混合硬盘 / 系统转生大!手!术!(调整底层架构,不!重!装!)
以及:https://wiki.archlinux.org/index.php/EFISTUB#Using_UEFI_directly
中的第11,15小节,用如下命令:
#efibootmgr -d /dev/nvme0n1 -p 1 -c -L "T7" -l /vmlinuz-linux -u "cryptdevice=UUID=`cat uuid.txt`:crypto_data root=/dev/mapper/crypto_data
initrd=/initramfs-linux.img resume=/dev/nvme0n1p2"
因为我们是加密的,所以内容上有些特殊。
六:因为我们用的是SSD,需要支持TRIM
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29
6.1 fstab 增加discard选项
6.2 增加启动选项
#efibootmgr -d /dev/nvme0n1 -p 1 -c -L "T7" -l /vmlinuz-linux -u "cryptdevice=UUID=`cat uuid.txt`:crypto_data:allow_discards
root=/dev/mapper/crypto_data initrd=/initramfs-linux.img resume=/dev/nvme0n1p2 rd.luks.options=discard"
七: 重启
reboot
八: 启动失败
报错如下:
sed_opal:OPAL: Error on step function:0 with error -95: unknown Error
https://vxlabs.com/2015/02/11/use-the-hardware-based-full-disk-encryption-your-tcg-opal-ssd-with-msed/
http://resources.infosecinstitute.com/linux-tpm-encryption-initializing-and-using-the-tpm/
https://security.stackexchange.com/questions/54921/opal-hardware-encryption
https://www.pugetsystems.com/labs/articles/Introduction-to-Self-Encrypting-Drives-SED-557/
经过调查:
这个事叫做: SED(Self-Encrypting Drivers)https://wiki.archlinux.org/index.php/Self-Encrypting_Drives
T460s的硬盘是 NVME的ssd,
可是目前,他们不支持:
Note: NVMe disks are only partially supported: The sedutil-cli --scan command and the Linux PBA (pre-boot-authorisation) image currently
only see SATA disks. It is possible to enable self-encryption on an NVMe device by passing the name to sedutil-cli, but not possible to
boot from a locked NVMe disk (the PBA image does not see it). More details here.
如果想用,貌似不行要自己fork然后patch一段代码进去,用于启动时解密, 这就尴尬了。。。hhh
https://github.com/Drive-Trust-Alliance/sedutil/issues/120
yaourt -S sedutil
果然使用 sedutil-cli 无法看见我的硬盘。
只能放弃加密。
不对,我不是全盘加密啊。。。。 我只加密了根分区。要再调查一下。
也许是STUB启动出了问题。用grub再启动一次。
成功启动,555555555,只需要在/etc/default/grub 中增加一个参数
GRUB_CMDLINE_LINUX_DEFAULT="luks.uuid=652c137a-xxxx-xxxx-xxxxxxx quiet"
也就是说,之前写的内核参数是不对的,因为我们用了sd-crypt, 却给了crypto的参数。
sd-crypt参数详见:https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
根据以上内容,参照grub的内核参数,重新修改STUB的内核参数。
成功启动!
增加 intel-ucode 支持:
另外测试了,将两个img cat到一个文件里,也是好用的:
修改其他硬件相关的配置:
网卡重命名等。略。
指点杆力度设置:
https://wiki.archlinux.org/index.php/TrackPoint
KVM错误
/home/tong/VM/kingkong-centos6.3 [tong@T7] [11:04] > sudo qemu-system-x86_64 -enable-kvm Could not access KVM kernel module: No such file or directory failed to initialize KVM: No such file or directory
参考:https://bobcares.com/blog/how-to-fix-error-could-not-access-kvm-kernel-module/
原因有二: 1. CPU没有开启虚拟化。 2. kernel 没有加载KVM模块。
/home/tong/VM/kingkong-centos6.3 [tong@T7] [11:14] > lsmod |grep ^kvm kvm 528384 0
很显然,BIOS中没有开启。
完!
TODO:
https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface
https://wiki.archlinux.org/index.php/Secure_Boot