Hi sky42: thanks for the pointers; they are good ones, and I'm pretty sure they would have worked had I relied on a wired network, but I'm making it difficult for myself by trying to build this for my Raspberry Pi 3 boxes, which work over wifi.
My ultimate goal is to be able to disable every player in my network by turning off a single machine: not just stop them from playing content, but also prevent a third party from accessing any logs, history, or caches after physically removing a device. My previous setup was OSMC with an initrd that initialized the interface using wpa_supplicant, then asked the NAS for the disk decryption key and decrypted root; however, lately I cannot make initrd work with OSMC. The approach LibreELEC takes (read-only root) also works, as the root partition is static, so encrypting only /storage is sufficient.
With your build I almost succeeded; here are the issues I faced:
- the wlan driver will not work, as it requires loaded modules
- once you get the modules loaded, they still don't work due to missing firmware
I used a plugin in /flash/post-sysroot.sh and made it invoke a variant of /usr/sbin/kernel-overlays-setup, but was still unable to make the built-in wifi module work. That said, an external 802.11AC module did work, and I was looking to use it anyway, so that hurdle I did pass; but then, without wpa_supplicant, I had to use something else:
- connmanctl requires an interactive session to connect, and
- iwctl hangs, I think because it too requires an agent service running (the one spawned by systemd later)
For now I settled with just shrinking the /storage partition to make space for encrypted data and creating a systemd service which forces itself before kodi and mounts the encrypted partition over .kodi and all other non-dot directories.
If you are willing to have wpa_supplicant added to the build (which really serves no other purpose than my specific configuration), I could try again to make /storage fully encrypted using an air-supplied key. Not sure that is worth the effort, but I leave it up to you.
Thanks again for the build; it got me much further than before.
le3b, nice to see somebody else interested in encrypting user data.
Here is the place you can use:
https://github.com/sky42src/Libre…ripts/init#L604
The last line in your "mount-storage.sh" should be
mount_part "$disk" "/storage" "rw,noatime"
or something else that does the job.
For fast testing I use the kernel command line and an NFS backend (that is encrypted).
Add to your kernel command line "ip=dhcp disk=NFS=server:/kodi/21/client,vers=4 ipv6.disable=1", normally in /flash/syslinux.cfg.
That works with the official image too.
And I have already built LE12 Generic, but did not upload it or open a new thread for it. I have been testing it for 4 days now with my new Intel N100 box (not yet checked out the partition encryption).
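As an added example (not code from sky42's build, LibreELEC, or either poster), here is one way to put together the two approaches above: le3b's systemd unit that runs before kodi and mounts an encrypted partition over .kodi, and the "rw,noatime" mount options from sky42's mount_part line. The key is fetched from the NAS over the network at boot, so switching the NAS off leaves every box unable to open its Kodi data. The key URL, the pinned CA file /flash/nas-ca.pem, the partition /dev/mmcblk0p3, the digest file /flash/kodi-key.sha256, the unit path under /storage/.config/system.d, and the presence of cryptsetup in the build are all assumptions for illustration.

```shell
#!/bin/sh
# unlock-storage.sh: added example, not sky42's build and not LibreELEC's code.
# Runs before kodi.service, fetches the LUKS key from the NAS, opens the
# encrypted partition and mounts it over /storage/.kodi, so a box that is pulled
# off the LAN (or whose NAS is powered off) never exposes Kodi's logs or caches.
#
# Assumed (hypothetical) names: KEY_URL served by a NAS whose CA certificate is
# pinned in /flash/nas-ca.pem, encrypted partition /dev/mmcblk0p3, a sha256 of
# the key stored in /flash/kodi-key.sha256, and cryptsetup present in the build.
KEY_URL="${KEY_URL:-https://nas.lan:8443/kodi-key}"             # assumed
NAS_CA="${NAS_CA:-/flash/nas-ca.pem}"                           # assumed
LUKS_DEV="${LUKS_DEV:-/dev/mmcblk0p3}"                          # assumed
MAPPER="${MAPPER:-kodidata}"
MOUNT_POINT="${MOUNT_POINT:-/storage/.kodi}"
KEY_DIGEST_FILE="${KEY_DIGEST_FILE:-/flash/kodi-key.sha256}"    # assumed

# Mount options for the user-data partition: sky42's init uses "rw,noatime";
# nosuid,nodev are added because nothing under .kodi needs to be setuid or a device.
mount_opts() {
    printf 'rw,noatime,nosuid,nodev%s' "${1:+,$1}"
}

# Fetch the key into file $1 (on tmpfs, so it never touches flash).
# TLS with a pinned CA: over wifi anyone in range could otherwise read the key off the air.
fetch_key() {
    curl -fsS --max-time 5 --cacert "$NAS_CA" -o "$1" "$KEY_URL"
}

# Compare the sha256 of file $2 with the expected hex digest $1. A mismatch means a
# captive portal or spoofed NAS answered instead of the real key; keeping only the
# digest on /flash gives an attacker with the SD card nothing usable for a random key.
check_key_digest() {
    expected="$1"
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

unlock_storage() {
    keyfile=$(mktemp -p /run kodikey.XXXXXX) || return 1
    trap 'rm -f "$keyfile"' EXIT
    if ! fetch_key "$keyfile"; then
        echo "unlock-storage: NAS unreachable, refusing to start Kodi on plain storage" >&2
        return 1
    fi
    check_key_digest "$(cat "$KEY_DIGEST_FILE")" "$keyfile" || {
        echo "unlock-storage: key digest mismatch, refusing to unlock" >&2
        return 1
    }
    cryptsetup open --type luks --key-file "$keyfile" "$LUKS_DEV" "$MAPPER" || return 1
    mkdir -p "$MOUNT_POINT"
    mount -o "$(mount_opts)" "/dev/mapper/$MAPPER" "$MOUNT_POINT"
}

# systemd unit to drop into /storage/.config/system.d/ (path assumed): it orders the
# unlock before kodi.service and, via RequiredBy, keeps Kodi down when the key is absent.
unit_text() {
    cat <<'EOF'
[Unit]
Description=Unlock encrypted Kodi data with a network-supplied key
Before=kodi.service
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/storage/.config/unlock-storage.sh run
RemainAfterExit=yes

[Install]
RequiredBy=kodi.service
EOF
}

case "${1:-}" in
    run)  unlock_storage ;;
    unit) unit_text ;;
esac
```

Usage: `./unlock-storage.sh unit > /storage/.config/system.d/unlock-storage.service`, then `systemctl enable unlock-storage.service`. The single-switch property comes from the NAS: while it is off, no box can fetch the key, and the RequiredBy ordering stops kodi.service from coming up on an unmounted .kodi instead of silently writing history and caches to plain storage. The part sky42's kernel-command-line NFS backend solves differently (data never lands on the box at all) and the wpa_supplicant problem le3b describes are outside this script, which assumes the network is already up when network-online.target is reached.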