I am moving to a ThinkPad P50 from my W530 and decided to document the steps of preparing an 18.04 box which complies with our corporate policies. The first step is to enter firmware setup and go through the settings, then boot into an 18.04 LiveUSB and erase the preinstalled closed-source OS. What follows is the custom LUKS/LVM disk setup done before running the installer, then running the installer itself, and finally a few extra steps which are simple in themselves but will cause head-scratching if skipped...
LUKS/LVM setup from the terminal
The terminal history should be self-explanatory for those who have followed the earlier posts, so rather than explaining each and every command in detail, I decided to just dump the exact commands, and their output, that were used to prepare the disk before running the installer.
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
ubuntu@ubuntu:~$ sudo gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.3
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Command (? for help): p
Disk /dev/sda: 1000215216 sectors, 476.9 GiB
Model: SAMSUNG MZNLN512
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 126AD2BA-4B0A-45B8-97D0-845A43DDD3C7
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 1000215182
Partitions will be aligned on 2048-sector boundaries
Total free space is 2669 sectors (1.3 MiB)
Number Start (sector) End (sector) Size Code Name
1 2048 264191 128.0 MiB EF00 EFI system partition
2 264192 2099199 896.0 MiB 8300 BOOT
3 2099200 1000214527 475.9 GiB 8300 SYSTEM
Command (? for help): q
ubuntu@ubuntu:~$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 1466539 iterations per second for 256-bit key
PBKDF2-sha256 1688528 iterations per second for 256-bit key
PBKDF2-sha512 1322290 iterations per second for 256-bit key
PBKDF2-ripemd160 1052787 iterations per second for 256-bit key
PBKDF2-whirlpool 771011 iterations per second for 256-bit key
argon2i 6 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id 6 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1033.7 MiB/s 3213.1 MiB/s
serpent-cbc 128b 86.0 MiB/s 660.5 MiB/s
twofish-cbc 128b 191.6 MiB/s 359.0 MiB/s
aes-cbc 256b 801.6 MiB/s 2593.6 MiB/s
serpent-cbc 256b 87.3 MiB/s 659.5 MiB/s
twofish-cbc 256b 193.8 MiB/s 359.4 MiB/s
aes-xts 256b 1959.5 MiB/s 1959.9 MiB/s
serpent-xts 256b 635.3 MiB/s 651.2 MiB/s
twofish-xts 256b 352.8 MiB/s 354.6 MiB/s
aes-xts 512b 1819.2 MiB/s 1823.0 MiB/s
serpent-xts 512b 638.8 MiB/s 650.9 MiB/s
twofish-xts 512b 353.7 MiB/s 355.1 MiB/s
ubuntu@ubuntu:~$ sudo cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/sda3
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda3:
Verify passphrase:
ubuntu@ubuntu:~$ sudo cryptsetup luksOpen /dev/sda3 sda3_crypt
Enter passphrase for /dev/sda3:
ubuntu@ubuntu:~$ ll /dev/mapper
total 0
drwxr-xr-x 2 root root 80 Apr 26 18:02 ./
drwxr-xr-x 21 root root 4520 Apr 26 18:02 ../
crw------- 1 root root 10, 236 Apr 26 17:44 control
lrwxrwxrwx 1 root root 7 Apr 26 18:02 sda3_crypt -> ../dm-0
ubuntu@ubuntu:~$ sudo pvcreate /dev/mapper/sda3_crypt
Physical volume "/dev/mapper/sda3_crypt" successfully created.
ubuntu@ubuntu:~$ sudo vg
vgcfgbackup vgconvert vgextend vgmknodes vgs
vgcfgrestore vgcreate vgimport vgreduce vgscan
vgchange vgdisplay vgimportclone vgremove vgsplit
vgck vgexport vgmerge vgrename
ubuntu@ubuntu:~$ sudo vgcreate system /dev/mapper/sda3_crypt
Volume group "system" successfully created
ubuntu@ubuntu:~$ sudo lvcreate -n root -L 32G system
Logical volume "root" created.
ubuntu@ubuntu:~$ ll /dev/mapper
total 0
drwxr-xr-x 2 root root 100 Apr 26 18:16 ./
drwxr-xr-x 22 root root 4560 Apr 26 18:16 ../
crw------- 1 root root 10, 236 Apr 26 17:44 control
lrwxrwxrwx 1 root root 7 Apr 26 18:16 sda3_crypt -> ../dm-0
lrwxrwxrwx 1 root root 7 Apr 26 18:16 system-root -> ../dm-1
ubuntu@ubuntu:~$ sudo lvcreate -n home -l 100%FREE system
Logical volume "home" created.
ubuntu@ubuntu:~$ ll /dev/mapper
total 0
drwxr-xr-x 2 root root 120 Apr 26 18:16 ./
drwxr-xr-x 22 root root 4580 Apr 26 18:16 ../
crw------- 1 root root 10, 236 Apr 26 17:44 control
lrwxrwxrwx 1 root root 7 Apr 26 18:16 sda3_crypt -> ../dm-0
lrwxrwxrwx 1 root root 7 Apr 26 18:16 system-home -> ../dm-2
lrwxrwxrwx 1 root root 7 Apr 26 18:16 system-root -> ../dm-1
Running the installer
Once the steps above are done, run the installer and select the partitioning option "Something else". Just map BOOT, ROOT and HOME to the appropriate partition and logical volumes (/dev/sda2, /dev/mapper/system-root and /dev/mapper/system-home). Once the installer has run to completion, do not reboot, but return to the terminal.
Post installation steps
Unfortunately, installing Ubuntu this way would leave you with an unbootable system. The kernel itself and the initial ramdisk are located in the unencrypted BOOT partition. The initial ramdisk needs to be rebuilt so that it is able to open the encrypted LUKS volume and mount the logical volumes within it; the installer currently does not do that for us. The missing steps are editing one line in each of two files, then running one command. The list of commands below puts these steps into context, starting with mounting the required file systems and entering a chroot from within which the few steps have to be carried out.
ubuntu@ubuntu:~$ sudo mount /dev/mapper/system-root /mnt
ubuntu@ubuntu:~$ sudo mount /dev/sda2 /mnt/boot
ubuntu@ubuntu:~$ sudo mount --bind /dev /mnt/dev
ubuntu@ubuntu:~$ sudo chroot /mnt
root@ubuntu:/# mount -t proc proc /proc
root@ubuntu:/# mount -t sysfs sys /sys
root@ubuntu:/# mount -t devpts devtps /dev/pts
root@ubuntu:/# blkid /dev/sda3
/dev/sda3: UUID="01c3aa4e-5ed1-4ed7-9394-9c2ef3d85922" TYPE="crypto_LUKS" PARTLABEL="SYSTEM" PARTUUID="8b5f0ba1-c0e3-4072-91c3-b9c79ec4d8a8"
root@ubuntu:/# nano /etc/crypttab
root@ubuntu:/# cat /etc/crypttab
sda3_crypt UUID=01c3aa4e-5ed1-4ed7-9394-9c2ef3d85922 none luks,discard
root@ubuntu:/# nano /etc/cryptsetup-initramfs/conf-hook # set CRYPTSETUP=Y
root@ubuntu:/# grep ^CRYPTSETUP= /etc/cryptsetup-initramfs/conf-hook
CRYPTSETUP=y
root@ubuntu:/# update-initramfs -c -k all
update-initramfs: Generating /boot/initrd.img-4.18.0-18-generic
W: Possible missing firmware /lib/firmware/nvidia/gv100/sec2/sig.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/sec2/image.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/sec2/desc.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/nvdec/scrubber.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_method_init.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_bundle_init.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_nonctx.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_ctx.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_sig.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_data.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_inst.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_bl.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_sig.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_data.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_inst.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_bl.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/ucode_unload.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/ucode_load.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/unload_bl.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/bl.bin for module nouveau
update-initramfs: Generating /boot/initrd.img-4.18.0-15-generic
W: Possible missing firmware /lib/firmware/nvidia/gv100/sec2/sig.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/sec2/image.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/sec2/desc.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/nvdec/scrubber.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_method_init.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_bundle_init.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_nonctx.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/sw_ctx.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_sig.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_data.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_inst.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/gpccs_bl.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_sig.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_data.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_inst.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/gr/fecs_bl.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/ucode_unload.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/ucode_load.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/unload_bl.bin for module nouveau
W: Possible missing firmware /lib/firmware/nvidia/gv100/acr/bl.bin for module nouveau
root@ubuntu:/# # ignore the warnings above
root@ubuntu:/# exit
exit
ubuntu@ubuntu:~$ # done
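Before rebooting, it is worth checking that the two edits and the initramfs rebuild actually produced what the boot needs: a crypttab entry that names the UUID blkid reports for /dev/sda3, CRYPTSETUP=y in conf-hook, and an initrd that contains cryptsetup and the copied crypttab. The script below is an added example, not part of the original post; it assumes the blkid and crypttab line formats shown above and that lsinitramfs (from initramfs-tools) is available inside the chroot, and the sample values it runs on are copied from the session above rather than read from a disk.

```shell
#!/bin/sh
# Pre-reboot sanity check for the chroot steps in this post (added example, not from the post).
# Assumed formats: blkid and crypttab lines as shown above; lsinitramfs from initramfs-tools.

# Pull the UUID out of a blkid line such as:
#   /dev/sda3: UUID="01c3aa4e-..." TYPE="crypto_LUKS" ...
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# UUID referenced by the named mapping (e.g. sda3_crypt) in a crypttab file; empty if absent.
crypttab_uuid() {  # $1 = crypttab path, $2 = mapping name
    awk -v name="$2" '$1 == name && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$1"
}

# Succeeds only if the crypttab entry points at the UUID blkid reports for the LUKS partition.
crypttab_matches_blkid() {  # $1 = crypttab path, $2 = mapping name, $3 = blkid line
    ct=$(crypttab_uuid "$1" "$2")
    [ -n "$ct" ] && [ "$ct" = "$(blkid_uuid "$3")" ]
}

# Succeeds if conf-hook enables cryptsetup in the initramfs, exactly as the grep above showed.
conf_hook_enabled() {  # $1 = conf-hook path
    grep -q '^CRYPTSETUP=y$' "$1"
}

# Succeeds if a generated initrd really carries cryptsetup and the crypttab the hook copied in
# (cryptroot/crypttab with the cryptsetup 2.x hook, conf/conf.d/cryptroot with older hooks).
initrd_has_cryptsetup() {  # $1 = initrd image path, e.g. /boot/initrd.img-4.18.0-18-generic
    listing=$(lsinitramfs "$1") || return 1
    printf '%s\n' "$listing" | grep -qE '(^|/)sbin/cryptsetup$' &&
        printf '%s\n' "$listing" | grep -qE '(^|/)(cryptroot/crypttab|conf/conf\.d/cryptroot)$'
}

# Demo on constructed input: values copied from the session above, not read from a real disk.
demo_blkid='/dev/sda3: UUID="01c3aa4e-5ed1-4ed7-9394-9c2ef3d85922" TYPE="crypto_LUKS" PARTLABEL="SYSTEM"'
demo_dir=$(mktemp -d)
printf '%s\n' 'sda3_crypt UUID=01c3aa4e-5ed1-4ed7-9394-9c2ef3d85922 none luks,discard' > "$demo_dir/crypttab"
printf '%s\n' 'CRYPTSETUP=y' > "$demo_dir/conf-hook"
if crypttab_matches_blkid "$demo_dir/crypttab" sda3_crypt "$demo_blkid" &&
        conf_hook_enabled "$demo_dir/conf-hook"; then
    echo "crypttab and conf-hook are consistent; on the real box also run initrd_has_cryptsetup"
else
    echo "mismatch: fix /etc/crypttab or conf-hook and rerun update-initramfs before rebooting" >&2
fi
rm -rf "$demo_dir"
```

On the installed system, point the same functions at /etc/crypttab, /etc/cryptsetup-initramfs/conf-hook, the live output of blkid /dev/sda3 and each /boot/initrd.img-* before leaving the chroot.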
Once done, the system can be rebooted and the first steps of configuring the freshly installed Ubuntu 18.04 can be carried out. These will be covered in upcoming posts.