Bookworm 6.6.y for the uConsole and DevTerm

Hi @Rex.

I spent a few days creating a custom image with my daily tools and games preloaded / preinstalled and properly configured, using your bookworm lite image.

It works great, thanks a lot for the work you have done!

However, I store a lot of personal data on my SD card and I want to adapt my previous procedure for Bullseye to encrypt my root partition with LUKS (Guide: encrypted root partition on uConsole).

In theory I cannot see why it would not be possible, but there are definitely some changes with bookworm, notably with initramfs…

I found some resources that helped me a bit:

My current procedure looks like this.

On the live OS on the uConsole, install the prerequisite packages:

sudo apt install busybox cryptsetup initramfs-tools cryptsetup-initramfs

Some of them are already installed by default now.

Next, create a hook script to ensure LUKS support is in the initramfs: /etc/initramfs-tools/hooks/luks_hooks. Some other binaries are apparently needed:

#!/bin/sh -e
# initramfs-tools hook: copy cryptsetup and the helpers needed to unlock
# (and later resize) the root filesystem into the initramfs
PREREQS=""
case $1 in
        prereqs) echo "${PREREQS}"; exit 0;;
esac

. /usr/share/initramfs-tools/hook-functions

# copy_exec also pulls in the shared libraries each binary links against
copy_exec /usr/lib/aarch64-linux-gnu/libgcc_s.so.1 /usr/lib/aarch64-linux-gnu
copy_exec /usr/lib/aarch64-linux-gnu/libpthread.so.0 /usr/lib/aarch64-linux-gnu
copy_exec /sbin/resize2fs /sbin
copy_exec /sbin/fdisk /sbin
copy_exec /sbin/cryptsetup /sbin

Making it executable:

sudo chmod +x /etc/initramfs-tools/hooks/luks_hooks

Add the following to /etc/initramfs-tools/modules:

algif_skcipher
xchacha20
adiantum
aes_arm
sha256
nhpoly1305
dm-crypt
aes_generic
chacha_generic
xts

And finally, rebuild the initramfs:

sudo update-initramfs -u

Modify /etc/fstab to expect an open LUKS container:

/dev/mapper/sdcard / ext4 defaults,noatime 0 1

Edit /etc/crypttab in the same way:

sdcard /dev/mmcblk0p2 none luks

The next stage would be to try to boot this initramfs image after altering /boot/firmware/cmdline.txt:

console=serial0,115200 console=tty1 root=/dev/mapper/sdcard rootfstype=ext4 cryptdevice=/dev/mmcblk0p2:sdcard fsck.repair=yes rootwait fbcon=rotate:1 psi=1

Next, I remove the SD card from the uConsole and plug it into my laptop using a USB dongle (recognized as /dev/sda).

I back up my data partition: sudo dd bs=4k if=/dev/sda2 of=./data.img status=progress

Format the soon-to-be LUKS-encrypted partition:

sudo cryptsetup --type luks2 --cipher xchacha20,aes-adiantum-plain64 --hash sha256 --iter-time 5000 --key-size 256 --pbkdf argon2i luksFormat /dev/sda2

I then use parted / gparted to expand the /dev/sda2 partition a bit (a few GB), to ensure my data will fit in.

Open the LUKS partition: sudo cryptsetup luksOpen /dev/sda2 sdcard

Copy back my data onto the LUKS partition: sudo dd bs=4k if=./data.img of=/dev/mapper/sdcard status=progress

Quick fsck: sudo e2fsck -f /dev/mapper/sdcard

And close the LUKS partition: sudo cryptsetup luksClose /dev/mapper/sdcard

At this stage, we should be able to attempt a boot, see it fail to open this partition (since nobody has typed a passphrase) and get dropped into an initramfs shell, where I would type cryptsetup luksOpen /dev/mmcblk0p2 sdcard, exit the shell, finish a proper boot into the OS and generate a final initramfs with sudo update-initramfs -u, thus ensuring that our initramfs is now properly loaded at boot.

I did not manage to get the built-in uConsole screen to print these early boot messages, but plugging in an external HDMI screen does the trick.

And that’s where I am stuck:

And it stays there indefinitely.

I don’t understand very well how the Debian / Raspberry Pi OS boot process works, but I think that something is wrong at an early stage, since I expected the boot process to fail and drop me to an initramfs shell at the very least.

I am not even sure that my new initramfs is loaded.

I tried to add auto_initramfs=1 in /boot/firmware/config.txt with no success.

I also tried to mount the boot partition on my laptop, manually copy the latest built initramfs (initrd.img-6.6.78-v8-16k+ as initramfs.gz or initramfs) to the /boot/ partition (/dev/sda1 / /dev/mmcblk0p1) and append initramfs initramfs.gz followkernel or initramfs initramfs followkernel to /boot/firmware/config.txt, but to no avail.

Also, from my understanding, the directory /boot/firmware is a mapping at OS run time of the /dev/mmcblk0p1 partition. Is this right?

For sure I am missing something. I know you have already done a lot, but if with your high Linux wisdom you could give me some pointers or a tip on where to look, I would greatly appreciate it 🙂

P.S.: I am on a CM4 with 8 GB RAM and no eMMC, not a CM5.
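As an added example (not part of the original post, and not the author's or Rex's code): a POSIX sh check that can be run before pulling the SD card, to confirm that crypttab, fstab and cmdline.txt agree on the mapper name and that the rebuilt initramfs actually contains cryptsetup and the cryptroot pieces Debian's initramfs-tools relies on. It assumes the lsinitramfs listing has been saved to a file; the sample files built by make_sample are constructed to mirror the post's configuration.

```shell
# Added example (not from the post): pre-reboot check for a LUKS root on Debian initramfs-tools.
# Usage: check_luks_boot LISTING CRYPTTAB FSTAB CMDLINE
#   LISTING is the saved output of: lsinitramfs "/boot/initrd.img-$(uname -r)"
#   the others are /etc/crypttab, /etc/fstab and /boot/firmware/cmdline.txt
# Prints one line per check; returns 0 only when every hard check passes.
check_luks_boot() {
    listing=$1 crypttab=$2 fstab=$3 cmdline=$4 rc=0
    # crypttab: first non-comment entry gives the mapper name (e.g. "sdcard")
    mapper=$(awk '$1 !~ /^#/ && NF >= 4 { print $1; exit }' "$crypttab")
    # fstab: the device mounted on / must be /dev/mapper/<mapper>
    root_dev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$fstab")
    if [ -n "$mapper" ] && [ "$root_dev" = "/dev/mapper/$mapper" ]; then
        echo "ok: fstab root $root_dev matches crypttab entry $mapper"
    else
        echo "FAIL: fstab root '$root_dev' != /dev/mapper/$mapper (from crypttab)"; rc=1
    fi
    # cmdline.txt: root= must name the same mapper device
    cmd_root=$(tr ' ' '\n' < "$cmdline" | sed -n 's/^root=//p' | head -n 1)
    if [ "$cmd_root" = "/dev/mapper/$mapper" ]; then
        echo "ok: cmdline root=$cmd_root"
    else
        echo "FAIL: cmdline root='$cmd_root', expected /dev/mapper/$mapper"; rc=1
    fi
    # initramfs: Debian's cryptroot script needs the cryptsetup binary and the crypttab copy that
    # cryptsetup-initramfs embeds; it reads the mapping from that copy (or cryptopts=), not cryptdevice=
    for needle in 'sbin/cryptsetup$' 'scripts/local-top/cryptroot$' 'cryptroot/crypttab$'; do
        if grep -q "$needle" "$listing"; then
            echo "ok: initramfs contains $needle"
        else
            echo "FAIL: initramfs lacks $needle (rebuild with cryptsetup-initramfs installed)"; rc=1
        fi
    done
    # modules from the post's list: a miss is only a warning, the module may be built into the kernel
    for mod in dm-crypt adiantum nhpoly1305 chacha_generic xts; do
        grep -q "/$mod\.ko" "$listing" && echo "ok: module $mod" || echo "warn: $mod.ko not in initramfs (built-in?)"
    done
    return "$rc"
}

# Constructed sample files mirroring the post's configuration, so the check runs offline.
make_sample() {
    d=$1
    printf 'sdcard /dev/mmcblk0p2 none luks\n' > "$d/crypttab"
    printf '/dev/mapper/sdcard / ext4 defaults,noatime 0 1\n' > "$d/fstab"
    printf 'console=tty1 root=/dev/mapper/sdcard rootfstype=ext4 rootwait\n' > "$d/cmdline"
    printf 'usr/sbin/cryptsetup\nscripts/local-top/cryptroot\ncryptroot/crypttab\n' > "$d/listing"
    printf 'usr/lib/modules/6.6.78-v8-16k+/kernel/drivers/md/dm-crypt.ko.xz\n' >> "$d/listing"
    echo "$d"
}
```

To try it offline: d=$(make_sample "$(mktemp -d)"); check_luks_boot "$d/listing" "$d/crypttab" "$d/fstab" "$d/cmdline". On the real uConsole, replace the constructed listing with the saved lsinitramfs output and point the other three arguments at the live files.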