site  contact  subhomenews

rEFInd patch for ext4 fscrypt

July 08, 2020 — BarryK

rEFInd is a boot manager for computers with UEFI firmware, which usually means x86_64 PCs. The author, Roderick, has a home page for rEFInd, with detailed documentation:

And the project source code is hosted here:

Early in 2019, I discovered a problem with the ext4 driver in rEFInd, that severely limited it's usefulness with EasyOS:

...I did contact the author of the driver, but he declined to get involved with it again.

So, time went by, and I was hoping that someone would fix the ext4 driver. But no one did, so today decided to tackle it myself.

But I got help. I found this post by Grub developer Eric:

Which showed me how to do it. I have created a patch for rEFInd version 0.12.0, 'refind-ext4-fscrypt.patch':

diff -Naur refind-0.12.0ORIG/filesystems/fsw_ext4.c refind-0.12.0/filesystems/fsw_ext4.c
--- refind-0.12.0ORIG/filesystems/fsw_ext4.c 2017-05-26 21:19:44.000000000 +0800
+++ refind-0.12.0/filesystems/fsw_ext4.c 2020-07-08 08:50:16.213221072 +0800
@@ -141,7 +141,8 @@
if (vol->sb->s_rev_level == EXT4_DYNAMIC_REV &&

if (vol->sb->s_rev_level == EXT4_DYNAMIC_REV &&
diff -Naur refind-0.12.0ORIG/filesystems/fsw_ext4_disk.h refind-0.12.0/filesystems/fsw_ext4_disk.h
--- refind-0.12.0ORIG/filesystems/fsw_ext4_disk.h 2015-11-30 02:54:48.000000000 +0800
+++ refind-0.12.0/filesystems/fsw_ext4_disk.h 2020-07-08 08:47:29.526557586 +0800
@@ -400,6 +400,7 @@
#define EXT4_FEATURE_INCOMPAT_BG_USE_META_CSUM 0x2000 /* use crc32c for bg */
#define EXT4_FEATURE_INCOMPAT_LARGEDIR 0x4000 /* >2GB or 3-lvl htree */
#define EXT4_FEATURE_INCOMPAT_INLINEDATA 0x8000 /* data in inode */
+#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000 /* BK ext4 fscrypt encryption */


Simple, and it works!

OK, the practical significance of this fix...

If we want a working-partition with encrypted folders support, which is highly desirable, as if your drive with EasyOS on it is stolen, no one will be able to read the content. It does require entry of a password at bootup, but I reckon that is a small price to pay.

The problem was, if encryption is enabled in the ext4 filesystem, rEFInd did not recognise that partition. This meant that the boot-partition had to be in some other partition -- that would have the 'vmlinux', 'initrd' and 'easy.sfs' files.

Now, boot-partition and working-partition can be the same. For example, say that you have /dev/sda9, with ext4 f.s., and you have run 'tune2fs -O encrypt /dev/sda9' to enable encryption of folders. And run 'dumpe2fs /dev/sda9' to see if encryption is enabled ("encrypt" will be in "Filesystem features"). You want to install EasyOS to sda9, and have both boot-partition and working-partition in sda9.

Now if you create two folders 'boot' and 'easyos' in /mnt/sda9, and copy 'vmlinuz', 'initrd' and easy.sfs' into 'boot', then click on 'initrd' to setup 'BOOT_SPECS' file correctly, you are good-to-go, just need to edit /EFI/BOOT/refind.conf in the esp partition, like this:

menuentry "EasyOS Buster TEST (wkg-part sda9)" {
volume hdd96gb2
loader /boot/vmlinuz
initrd /boot/initrd
ostype Linux
options rw

Where the "volume" parameter is the filesystem label, reported by 'blkid':

# blkid /dev/sda9
/dev/sda9: LABEL="hdd96gb2" UUID="22b8fd34-d453-46c2-9ecf-d65b344a3be7" TYPE="ext4"

Fantastic! If you want to read more about how to install EasyOS:   

Tags: easy