[SOLVED] A20 OlinuXino dm-crypt and u-boot


Postby nezhac » Sun Jul 16, 2017 7:20 am

Hi to all, and a pre-emptive thanks for having a read through this.

I've got archlinux ARM working wonderfully on the A20 OlinuXino LIME2, burned the image to a microSD card and set up everything from there. However, I'm a little lost finding instructions on setting up an encrypted microSD card with dm-crypt and the simplest partition layout with LUKS. I've been following the arch wiki info at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Simple_partition_layout_with_LUKS

I've done this before with a raspberry pi 2, and the part I can't find is telling the bootloader where to look for the encrypted partition. In the wiki, this is under the section on configuring the bootloader, where you need to specify a cryptdevice by UUID and a root location somewhere in /dev/mapper/.
On the raspberry 2 this would be set in /boot/cmdline.txt. With the A20 the closest equivalent I've found is the /boot/boot.txt file. There is some info available on https://linux-sunxi.org/U-Boot/Configuration but my boot.txt file looks like:
Code:
# After modifying, run ./mkscr

if test -n ${distro_bootpart}; then setenv bootpart ${distro_bootpart}; else setenv bootpart 1; fi
part uuid ${devtype} ${devnum}:${bootpart} uuid

setenv bootargs console=${console} root=PARTUUID=${uuid} rw rootwait

if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /boot/zImage; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /boot/dtbs/${fdtfile}; then
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /boot/initramfs-linux.img; then
      bootz ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
    else
      bootz ${kernel_addr_r} - ${fdt_addr_r};
    fi;
  fi;
fi

The syntax is very different from what was on the RPi2 or on the linux-sunxi page.
I'm honestly at a loss for where to specify the cryptdevice and root options, and I haven't gotten lucky with previous search efforts.
Any insight is greatly appreciated!

Kind regards,
Nezhac
Last edited by nezhac on Sun Aug 06, 2017 2:18 pm, edited 1 time in total.

Re: A20 OlinuXino dm-crypt and u-boot

Postby nezhac » Sun Aug 06, 2017 2:17 pm

I've managed to figure it out after some trial and error.
For anyone that wants to do the same thing and was a little lost, here's a rough outline:

You need a 2 partition layout: the first partition is going to be the unencrypted boot partition and the second the LUKS encrypted partition. Here's some good info on the Arch wiki: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Simple_partition_layout_with_LUKS
I did these two partitions the raspberry way, the first being FAT32 and 100M, and the next an ext4 taking up the rest of the space. I think u-boot can also handle reading ext4, as this is how the 'stock' arch linux install is set up, but I haven't tried it.

Next you can install u-boot the normal way:
Code:
wget http://os.archlinuxarm.org/os/sunxi/boot/a20-olinuxino-lime2/u-boot-sunxi-with-spl.bin
dd if=u-boot-sunxi-with-spl.bin of=/dev/sdX bs=1024 seek=8

Transfer all the files from the boot folder of the standard arch image to the first unencrypted boot partition. My boot.txt looks like:
Code:
# After modifying, run ./mkscr

if test -n ${distro_bootpart}; then setenv bootpart ${distro_bootpart}; else setenv bootpart 1; fi
part uuid ${devtype} ${devnum}:${bootpart} uuid

setenv bootargs cryptdevice=/dev/mmcblk0p2:cryptarch root=/dev/mapper/cryptarch rw rootwait console=ttyAMA0,115200 console=tty1

if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /zImage; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /dtbs/${fdtfile}; then
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /initramfs-linux.img; then
      bootz ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
    else
      bootz ${kernel_addr_r} - ${fdt_addr_r};
    fi;
  fi;
fi

The part with 'console=...,115200 console=...' is important for displaying the appropriate output so you are able to enter your password during unlocking of the LUKS partition.

This is good for testing, but once functional it's better to replace the /dev/mmc part with UUIDs; in case new devices are plugged in or out before rebooting, this will avoid failing when trying to unlock a different root partition:

Code:
cryptdevice=UUID=#fill in the blkid of the second encrypted partition here#:cryptarch

Generate a new initramfs with:

Code:
mkinitcpio -k $(uname -r) -g /boot/initramfs-linux.img -c /etc/mkinitcpio.conf

Make sure you are reading the correct .conf file and that the output (-g) is going in to the correct unencrypted boot partition.

Be sure to run mkscr to generate a new boot.scr with the right settings.

There, this doesn't cover the entire process of setting up an encrypted root with u-boot, but only the lime2 (and probably others too) specifics. Nico Hood wrote a really good guide for the raspberry pi with btrfs: https://github.com/NicoHood/NicoHood.github.io/wiki/Raspberry-Pi-Encrypted-Btrfs-Root
There is even a mention for u-boot users about modifying boot.txt and running mkscr. If, like me, you don't want btrfs, you can ignore all the parts with btrfs subvolumes, adding btrfs binaries to mkinitcpio.conf and the rootflag=subvol part. Using -i 3000 for luksFormat is also more reasonable than the 30000 in the guide.

Happy encrypting!
Don't hesitate to ask if you'd like some help setting this up.
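As an added example (not code from nezhac's post or from Arch Linux ARM), the script below automates the "replace /dev/mmcblk0p2 with UUID=" step from the answer above: it reads the LUKS container's UUID out of blkid output, refuses a partition that is not crypto_LUKS (the filesystem inside the container gets its own UUID once opened, and that one would not boot), rewrites the setenv bootargs line in boot.txt, and rebuilds boot.scr with the same mkimage invocation mkscr uses. The mapper name cryptarch and console arguments are taken from the post; the sample blkid lines and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the forum post. Builds cryptdevice=UUID=... for boot.txt.

# Print the UUID of device $1 from blkid output on stdin, only if blkid reports
# it as a crypto_LUKS container (u-boot's cryptdevice= needs the outer container).
luks_uuid() {
    dev="$1"
    while IFS= read -r line; do
        case "$line" in
            "$dev: "*)
                case "$line" in
                    *'TYPE="crypto_LUKS"'*) ;;
                    *) return 1 ;;            # wrong partition, e.g. the vfat boot one
                esac
                rest="${line#* UUID=\"}"      # leading space skips PARTUUID="..."
                printf '%s\n' "${rest%%\"*}"
                return 0
                ;;
        esac
    done
    return 1                                  # device not present in blkid output
}

# Compose the bootargs line: $1 = LUKS UUID, $2 = mapper name, $3 = console args.
bootargs_line() {
    printf 'setenv bootargs cryptdevice=UUID=%s:%s root=/dev/mapper/%s rw rootwait %s\n' \
        "$1" "$2" "$2" "${3:-console=ttyAMA0,115200 console=tty1}"
}

# Replace the "setenv bootargs" line in boot.txt ($1) with $2, keep everything
# else verbatim, then regenerate boot.scr next to it as mkscr does (u-boot-tools).
update_boot_txt() {
    txt="$1"; newline="$2"; tmp="$txt.tmp"
    awk -v repl="$newline" '/^setenv bootargs/ { print repl; next } { print }' "$txt" > "$tmp" \
        && mv "$tmp" "$txt"
    if command -v mkimage >/dev/null 2>&1; then
        mkimage -A arm -O linux -T script -C none -n "U-Boot boot script" \
            -d "$txt" "$(dirname "$txt")/boot.scr"
    fi
}

# Constructed sample blkid output (real use: blkid | luks_uuid /dev/mmcblk0p2).
SAMPLE_BLKID='/dev/mmcblk0p1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="0001"
/dev/mmcblk0p2: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="0002"'

demo_bootargs() {
    u=$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid /dev/mmcblk0p2) || return 1
    bootargs_line "$u" cryptarch
}
```

After editing boot.txt with update_boot_txt, regenerate the initramfs as described in the post so the encrypt hook can prompt for the passphrase.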