December 3

Linux: Dual boot Windows/Ubuntu with secure LVM

The following is a very good tutorial it is not all inclusive, but very close:
  • Based on https://askubuntu.com/a/293029/286776
  • Installation date: 15-09-2018
  • Additional notes based on my own experience
  • The process describes a completely fresh installation with a complete repartitioning, however it should work fine when Windows is already installed (eg. brand new machine with Windows preinstalled).
  • The process was conducted on Dell’s XPS 15 9570 (2018) with specs:
    • CPU: i7-8750H
    • Screen: 4K with Touch
    • RAM: 16 GB (original) / 32 GB (manually upgraded)
    • Drive: 512 GB (SK Hynix PC401)
    • Windows 10 Pro license
    • BIOS version: 1.3.1
      • Suprisingly, Ubuntu’s update manager supports BIOS updates out of the box
  • My installation did not require to disable TPM nor Secure Boot
  • My installation did not force me to recover Bitlocker after Ubuntu’s installation
    • Some people report that it was needed in their case
    • See “Additional notes” for more info about GRUB & Booting into Windows

1. Preparation (using another computer with Ubuntu)

  1. Create Windows installation USB stick
    • Download .ISO file from Microsoft’s webpage
    • Create bootable USB using WoeUSB
      • Ubuntu has an option to “restore” ISO images using Disks utility, but it does not work correctly (Windows installer asks for additional drivers)
      • I also had to compile WoeUSB because of some weird bug in the default Ubuntu’s (PPA’s) supplied package that would not let me finish the installation process
  2. Create Ubuntu installation USB stick
    • Download .ISO file from Ubuntu’s webpage
    • Create bootable USB using “whatever”
  3. Go to BIOS (F2) and switch from SSD’s “RAID mode” to “AHCI mode”

2. Install Windows

  1. Insert newly created bootable USB and start the installation process
  2. Re-partition your drive
    • My partitioning scheme (devices might have be labeled differently!):
      1. Boot drive for Linux: 1GB
        • /dev/nvme0n1p1
      2. Windows OS drive: ~75GB
        • /dev/nvme0n1p5
        • Will automatically create additional drives before the actual OS drive as soon as you create the first “regular” partition
      3. Windows data drive: ~100GB
        • /dev/nvme0n1p6
      4. Ubuntu LUKS drive: ~300GB
        • /dev/nvme0n1p7
        • Can be created later
  3. Install Windows on the “Windows OS drive”
  4. Boot to Windows after installation, install all updates
  5. Enable BitLocker on “Windows data drive” (“Windows OS drive” was already encrypted)
  6. Create recovery data for both Bitlocker-protected drives and store them somewhere (eg. additional USB)

3. Install Ubuntu

  1. Insert newly created bootable USB and start the installation process
  2. Create LUKS container on “Ubuntu LUKS drive” and “wipe it”:
    • sudo cryptsetup luksFormat /dev/nvme0n1p7
    • sudo cryptsetup luksOpen /dev/nvme0n1p7 cryptdrive
    • sudo dd if=/dev/zero of=/dev/mapper/cryptdrive bs=16M
  3. Create LVM physical volume, a volume group & logical volumes:
    • Volumes are sized as follows:
      • OS drive: 60GB
      • Swap: 16GB
      • Home: rest
    • Commands:
      • sudo pvcreate /dev/mapper/cryptdrive
      • sudo vgcreate vglinux /dev/mapper/cryptdrive
      • sudo lvcreate -n root -L 60g vglinux
      • sudo lvcreate -n swap -L 16g vglinux
      • sudo lvcreate -n home -l 100%FREE vglinux
  4. Start the installation process using GUI:
    • Connect to WiFi network
    • Installation options:
      • Pick “minimal installation”
      • Pick “install updates during installation”
      • Pick “install 3rd party drivers” (no need to “reset Secure Boot password”)
    • Pick “custom installation process” (the one which lets you repartition stuff)
      • Pick /dev/mapper/vglinux-root as ext4 FS & mount it to /
      • Pick /dev/mapper/vglinux-home as ext4 FS & mount it to /home
      • Pick /dev/mapper/vglinux-swap as swap
      • Pick /dev/nvm0n1p1 as ext4 FS & mount it to /boot
        • Without doing this, installation will fail when configuring GRUB
      • Pick “boot drive” (the select list at the bottom) and assign it to /dev/nvm0n1p1
    • Proceed with the installation
  5. After GUI installation completes, stay within the Live USB environment
  6. Check the UUID of the LUKS drive:
    • sudo blkid /dev/nvme0n1p7
    • Example output:
      • /dev/nvme0n1p7: UUID="abcdefgh-1234-5678-9012-abcdefghijklm" TYPE="crypto_LUKS"
  7. Mount root & boot drives and chroot into the main mount:
    • sudo mount /dev/mapper/vglinux-root /mnt
    • sudo mount /dev/nvme0n1p1 /mnt/boot
    • sudo mount --bind /dev /mnt/dev
    • sudo chroot /mnt
    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  8. In chroot env, configure crypttab allowing to boot Ubuntu with Encryption unlocker
    • sudo nano /etc/crypttab:# <target name> <source device> <key file> <options> # options used: # luks - specifies that this is a LUKS encrypted device # tries=0 - allows to re-enter password unlimited number of times # discard - allows SSD TRIM command, WARNING: potential security risk (more: "man crypttab") # loud - display all warnings cryptdrive UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,tries=0,discard,loud
    • update-initramfs -k all -c
  9. Reboot into Ubuntu

4. Ubuntu Tweaks

  1. Run some of the dell-xps-9570-ubuntu-respin tweaks:
    • Main script is here: https://github.com/JackHack96/dell-xps-9570-ubuntu-respin/blob/master/xps-tweaks.sh
    • Modify the GRUB editting code to include splash option
    • Nvidia & WiFi card changes were not performed
    • Running this script yielded power consumption reduction from ~16W to ~7W (much closer to Windows) in Idle
  2. Additional packages (some might have been included in the Respin):
    • sudo apt-get install smbios-utils
  3. More Tips & Tricks related to Thermals:
    • Some useful tips and tricks: https://github.com/JackHack96/dell-xps-9570-ubuntu-respin/wiki/Some-useful-tips-and-tricks
    • Switch to Battery-Mode on AC for better Thermals:
      sudo tlp bat
  4. Enable right-mouse-click:
    • Follow these instructions: https://askubuntu.com/a/1029458/286776
  5. Enable Yaru-dark in GNOME Shell:
    • Follow these instructions: https://www.linuxuprising.com/2019/10/how-to-get-dark-gnome-shell-menus-and.html
  • Latest commit used: 7486bc9b3bbf3aca26bd8ab48b39788a7f9392aa
  • Nvidia Drivers used: 390

Additional notes

  • Switching between OSes:
    • Ubuntu (GRUB) is the default boot option
    • Windows can be accessed using F12’s boot option menu
      • It can also be accessed using GRUB’s menu, however, then it prompts me to use the BitLocker’s recovery key
      • Cancelling the recovery and using F12 -> Windows Boot Manager trick did not prompt to use recovery key again…
  • Both, when installing Ubuntu, and sometimes when rebooting installed Ubuntu, “poweroff” or “reboot” results in prolonged shutdown with locked up display.
    • Fixed with dell-xps-9570-ubuntu-respin tweak script
  • About BIOS upgrade:
    • An upgrade from 1.3.0 to 1.3.1 required to swap RAM sticks to the original ones again, because the machine would not boot with white & amber LED flashes (supposedly indicating “memory problem”). After booting just once with the original sticks, I’ve swapped to the 2x16GB sticks again without a problem.

Changelog

  • [2019.10.24]
    • Added link to an article related to enabling Yaru-dark in GNOME Shell (eg. notification center background adjustment, which by default is white).

By: M Dziekon


Copyright 2021. All rights reserved.

Posted December 3, 2021 by Timothy Conrad in category "Linux

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. Securely email me using - PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B