This board, whose actual name is ROC-RK3328-CC, is a single-board computer with the same form factor as the Raspberry Pi. It ships with a Rockchip RK3328 SoC and is available in 1, 2 or 4GB versions:
Official product features
Form Factor Compatible with Raspberry Pi® 2/3 Model B/B+
Quad 64-bit Low Power Cores
Quad Core 3D GPU with OpenGL ES 2.0
Rockchip Multimedia Processor
H.265
H.264
VP9
HDMI 2.0 with 4K HDR support
Up to 4GB DDR4
USB 3.0
Gigabit Ethernet MA
I read many reviews and all of them stated that it is a good board; for me the most compelling aspect was the pricing.
Another feature that isn't listed is that the Libre Computer folks customized U-Boot to let upstream Debian run on their board. This is a ‼️hugeee‼️ benefit over other derivatives like Armbian or DietPi.
My goal
I use these ARM boards like any other personal computer, so my goal was to encrypt the / (root) partition as I would on my personal laptop, since these boards are just as portable as laptops.
This gemlog aims to illustrate how I achieved this goal, which, let me confess, wasn't a breeze at all.
⚠️ This walk-through assumes that you have already installed Debian on the mini SD Card and that Debian is running fine; you haven't made any changes and you are logged in as "root".
Since SSH is disabled by default, to follow these instructions you need to be connected to a monitor and to a wired network.
Let's rock(chip)
The bootstrapping process is tedious, so find the time to do this in your best mood without pressure!
1. Flash the `bootloader`
I recommend flashing the boot-loader at the beginning since one of my several attempts ended up erasing a well performed bootstrap installation… PEBCAK! 😖
You need to install git as well!
apt install git
git clone https://github.com/libre-computer-project/libretech-flash-tool.git
cd libretech-flash-tool
./lft.sh bl-flash roc-rk3328-cc mmcblk0 verify
## You must follow the prompt! ##
cd ..
2. Partitioning
To partition the disk I used fdisk. Its usage is pretty intuitive: press [m] to get the menu and read the available options; changes aren't applied until you press [w](rite).
⚠️ Even though I am going to use "uefi" I did not select a GPT table but MBR. Selecting GPT (which should be the right choice) ends in a failed installation since, later on, GRUB will try to write to some memory areas that are inaccessible even to ROOT! Selecting MBR instead prevents this issue, since GRUB will assume some "efi variables" are inaccessible and will therefore ignore them.
💡 /dev/mmcblk0 is the eMMC module
fdisk /dev/mmcblk0
## Below is a recap of the steps I made.
1. [o] Create a MBR table
2. [n] New partition: 1GB vfat
3. [t] Mark the partition as EFI (ef)
4. [n] New partition: 1GB Linux
5. [n] New partition: [select all] Linux
6. [w] write changes and exit
💡 TIP: use +1G or +1GB to set the size you want when fdisk prompts for where to end the partition.
Once the partitions are ready, some of them (p1 and p2) must be formatted:
⚠️ You may need to install cryptsetup & cryptsetup-initramfs first
cryptsetup luksFormat /dev/mmcblk0p3
cryptsetup open /dev/mmcblk0p3 crypt
💡 Take note of "crypt": it will be used later
4. LVM setup
Managing the Logical Volume is a little bit more complicated than the encryption.
This is the recap:
1. Create logical volume group in /dev/mapper
2. Create the first volume (4GB) for the SWAP
3. Use all the remaining space for system (no /home)
4. Scan for the changes
5. Apply the changes
6. Format "ROOT" in EXT4
7. Format SWAP
❓ I stopped separating the '/home' partition many years ago. If you would like to have one, you need to create a third volume and decide how much space to assign to each partition. Alternatively you may use BTRFS and its subvolumes to handle `/` and '/home'; either way I don't believe the benefits are worth the effort.
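The recap above written out as commands, as an added example that is not part of the original gemlog. The volume group name "vg0" and the volume names "swap" and "root" are assumptions; only the mapping name "crypt" comes from the walk-through. It prints the plan by default and only touches the disk when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: LVM layout on top of the opened LUKS mapping "crypt".
# ASSUMPTIONS (not from the original page): volume group "vg0",
# logical volumes "swap" and "root".
MAPPER=/dev/mapper/crypt   # created by "cryptsetup open /dev/mmcblk0p3 crypt"
VG=vg0                     # hypothetical volume group name

# Print the commands in the order of the recap:
# PV + VG, 4GB swap, remaining space for root, scan, activate, format.
lvm_plan() {
    cat <<EOF
pvcreate $MAPPER
vgcreate $VG $MAPPER
lvcreate -L 4G -n swap $VG
lvcreate -l 100%FREE -n root $VG
vgscan
vgchange -ay $VG
mkfs.ext4 /dev/mapper/$VG-root
mkswap /dev/mapper/$VG-swap
EOF
}

# Dry run by default; APPLY=1 executes each command and stops at the
# first failure so a half-built layout is never formatted.
lvm_setup() {
    lvm_plan | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $cmd"
            $cmd || exit 1
        else
            echo "would run: $cmd"
        fi
    done
}

lvm_setup
```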
Bootstrapping is the part that requires the most preparation. To get the best possible setup I decided to reuse some of the settings from Libre Computer. For instance, it looks to me like they loaded the GPU LIMA driver into their custom kernel, so I warmly recommend using their custom kernel.
Depending on your connection speed, bootstrapping Debian could take up to 10 minutes…
💡 You can use Midnight Commander to copy those files, but you must first install it: apt install mc
5.1 DEBOOTSTRAP: FSTAB /mnt/emmc/etc/fstab
The UUID values change, so you need to check which values were generated; you can do so with:
blkid
ROOT and SWAP are mounted via '/dev/mapper/'; if your partition layout differs from this walk-through, you need to modify the FSTAB accordingly.
💡 "crypt" is the name I assigned to my LUKS partition; if you change it, you must change this value accordingly. To get the right UUID for the `crypttab` file you can use this command: `blkid | grep LUKS`
💡 Prepare this file before going inside the chroot so you can copy it with MC
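One way to derive the `crypttab` and `fstab` entries from `blkid` output, as an added example that is not the author's own files. The UUIDs are constructed sample values, and the volume group "vg0", its volumes "root" and "swap", ext4 on p2 and the mount options are assumptions.

```shell
#!/bin/sh
# Added example: derive crypttab and fstab entries from blkid output.
# ASSUMPTIONS (not from the page): VG "vg0" with LVs "root"/"swap",
# ext4 on p2, mount options, and the constructed UUIDs below.

# Constructed sample of `blkid` output for the layout in this walk-through.
sample_blkid() {
    cat <<'EOF'
/dev/mmcblk0p1: UUID="1A2B-3C4D" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="0a1b2c3d-01"
/dev/mmcblk0p2: UUID="11111111-2222-4333-8444-555555555555" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="0a1b2c3d-02"
/dev/mmcblk0p3: UUID="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee" TYPE="crypto_LUKS" PARTUUID="0a1b2c3d-03"
EOF
}

# uuid_of DEVICE: read blkid output on stdin, print the UUID of DEVICE.
# The leading space in ' UUID=' keeps PARTUUID from matching.
uuid_of() {
    grep "^$1:" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# gen_crypttab NAME DEVICE: emit "<name> UUID=<uuid> none luks".
# Fails instead of writing an entry for a device that is not LUKS.
gen_crypttab() {
    line=$(grep "^$2:") || return 1
    case $line in *'TYPE="crypto_LUKS"'*) ;; *) return 1 ;; esac
    printf '%s UUID=%s none luks\n' "$1" "$(printf '%s\n' "$line" | uuid_of "$2")"
}

# gen_fstab: /boot and /boot/efi by UUID, root and swap via /dev/mapper.
gen_fstab() {
    blk=$(cat)
    printf '/dev/mapper/vg0-root / ext4 errors=remount-ro 0 1\n'
    printf 'UUID=%s /boot ext4 defaults 0 2\n' "$(printf '%s\n' "$blk" | uuid_of /dev/mmcblk0p2)"
    printf 'UUID=%s /boot/efi vfat umask=0077 0 1\n' "$(printf '%s\n' "$blk" | uuid_of /dev/mmcblk0p1)"
    printf '/dev/mapper/vg0-swap none swap sw 0 0\n'
}

sample_blkid | gen_crypttab crypt /dev/mmcblk0p3
sample_blkid | gen_fstab
```

On the real system, replace `sample_blkid` with `blkid` and redirect the output to /mnt/emmc/etc/crypttab and /mnt/emmc/etc/fstab once the lines look right.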
5.3 DEBOOTSTRAP: mounting system directories
Bootstrapping installs the necessary packages in the target directory; however, to finish the installation you need to CHROOT into the target directory.
chroot - run command or interactive shell with special root directory
Basically, for those who don't know what CHROOT means, it is a way to CHange ROOT and mount an alternative system. However, before you CHROOT it is important to mount other directories that are (more or less) the representation of the hardware in use…
for i in /dev /dev/pts /proc /sys /run; do mount -B "$i" "/mnt/emmc$i"; done
6 CHROOT: initialization
Preps were made, ready to start!
LANG=C.UTF-8 chroot /mnt/emmc/ /bin/bash
## From here on you are inside the chroot: paths are relative to the new root ##
mount /dev/mmcblk0p2 /boot/
mkdir -p /boot/efi
mount /dev/mmcblk0p1 /boot/efi
If no misstep was taken, the OS should be properly mounted; you can check the state of the partitions with:
lsblk -f
6.1 CHROOT: install more packages
Now you can install all the packages you believe you will need for the reboot; I selected the following ones, and you may add more.
⚠️ DO NOT RUN: APT UPDATE !!!
As you may have noticed, I copied the Libre Computer key in order to download the customized kernel; but to validate the key it is important to have the `ca-certificates` package installed before updating the repositories.