I’m a bit unclear about how the migration to an encrypted NVME works and what the consequences are and I’d like to know before proceeding.
As far as I understand it, the entire OS is moved over to the SSD so it must be unlocked during boot, correct?
I assume that means entering both the passphrase for the encryption and the password for a user to log in. Is there a way to log in a user automatically when the SSD is unlocked? Since there’s only ever going to be one account using the device via a graphical session, the extra login step doesn’t add much when the encryption is already unlocked.
What happens to the eMMC storage? I think the small partition that is mounted as /boot remains there. But the rest? Does that become unused? Does the migration script delete the files that were migrated or do I need to clean that up myself? And is it safe to delete the contents of the former root partition after booting from the NVME?
Yes. The initramfs contains the code that knows what to unlock and how to do the unlocking and how to ask the user for the passphrase.
Yes. The default Reform Debian installation uses greetd to do the login. You can configure greetd by editing /etc/greetd/config.toml. At the bottom of the manual page of greetd(5) you can read:
initial_session
This optional section describes the initial session, commonly referred to as "auto-login".
The initial session will only be executed during the first run of greetd since boot in
order to ensure signing out works properly and to prevent security issues whenever
greetd or the greeter exit. This is checked through the presence of the runfile.
command = command-line
The command-line that greetd will run to start the initial session, e.g. "sway". The
initial session will be started exactly once when greetd is initially launched.
The command-line is run by sh(1), and as such accepts standard POSIX shell syntax.
user = user
The user to use for running the initial session.
Further down is an example.
One can see it like that, yes. If somebody has physical access to your machine and knows the disk passphrase, then they will also be able to access your account.
At the end of reform-setup-encrypted-nvme there will be a prompt asking you whether to put /boot on the sd-card or emmc. You probably want to use the latter, yes.
Yes.
It does not delete anything in your old rootfs. You do not need to clean anything up unless you want to use the space on emmc for something else.
Yes, it is safe to remove those parts as they have been copied to nvme.
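A config.toml built from the manual page section quoted above, as an added example rather than the thread's or the Reform project's own file; the greeter, the compositor command and the user name are assumptions and need to be replaced with what is actually installed on your device:

```toml
# /etc/greetd/config.toml (added example; greeter, session command and user name are assumed)

[terminal]
# virtual terminal that greetd takes over
vt = 1

# Fallback session. greetd falls back to this on every later run (after a logout or
# after the greeter exits), so the box is never left with an unlocked desktop that
# nobody authenticated for after the first session ends.
[default_session]
command = "agreety --cmd sway"   # assumption: your installed greeter/compositor may differ
user = "greeter"                 # assumption: the greeter system user your package created

# Runs exactly once per boot, as soon as the LUKS passphrase has unlocked the root
# filesystem (tracked via greetd's runfile). Whoever can unlock the disk lands in this
# account with no second password, so only use it on a single-user, fully encrypted machine.
[initial_session]
command = "sway"     # assumption: replace with the command that starts your compositor
user = "reform"      # assumption: replace with the name of your one and only account
```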
I ran reform-setup-encrypted-nvme and everything transferred over but I never get prompted for a password and it boots from emmc still. On my big reform I remember the script changing the root partition over to the nvme drive as well. It’s been a while since I did that though, am I missing a step?
It seems like there is a bug in either reform-setup-encrypted-nvme or in one of the scripts it’s using on the pocket reform. If anybody could try tracking this down, that would be great. I cannot test this on my own reform as it’s my only computer. And my LS1028A is currently in repair. If it still boots from emmc, it might also be a bug in reform-boot-config. Maybe somebody could put a set -x in the relevant scripts and re-run them and post the output somewhere to track down what’s happening?
I connected a USB/UART cable to pins 4, 5, 6 on the motherboard to get access to the console. I connected via minicom -D /dev/ttyUSB0 and started a log capture. The process failed after doing the migrate. The full log is 14 megs. I uploaded it here:
Luckily, literally 99% of those are just rsync progress output and only 14kb of useful information remain after removing those. The issue is the following:
/dev/mmcblk2p1 is still mounted somewhere, which means that it is probably used by the currently running system and that replacing
its contents might make the currently running system unbootable.
Should this script run ‘umount /dev/mmcblk2p1’ for you? [y/N]
You did not answer “y” to this question and thus the reform-boot-config utility cannot set up your /boot to load your rootfs from nvme.