Just flashed my Amber Librem 5 to Byzantium with LUKS encryption.
Here is a summary of some points that it took me some time to gather together. None of this is really new information. I just thought it would be good to put it all in one post. Most of this has been covered in this thread or elsewhere on this forum already.
General points
- I found building uuu from source to be fairly painless using the instructions at https://developer.puri.sm/Librem5/Development_Environment/Boards/HowTo/Building_uuu.html. I skipped the part about creating udev rules, because the next set of instructions covers that. I used `export PATH=/path/to/where/my/freshly/built/uuu/binary/was:$PATH` to make sure the librem5-flash-image script could find uuu.
- I copied data I wanted to keep from the phone into an archive file on an SD card, so that I could restore it after reflashing.
- I flashed the phone by following the instructions at https://developer.puri.sm/Librem5/Development_Environment/Phone/Troubleshooting/Reflashing_the_Phone.html
- On my laptop, `sudo apt build-dep .` failed to work, so I manually identified and installed the Python dependencies by reading through the imports in the librem5-flash-image script and determining which were available but not already installed.
Flashing with LUKS encryption
- When flashing using the librem5-flash-image script, remember to specify `--variant luks` if you want LUKS encryption.
- It’s known that flashing the LUKS image results in an insecure cloned master key for the encryption. This is not the encryption passphrase. The passphrase can be easily changed (and indeed you can have more than one passphrase at a time), but the master key can’t be changed without re-writing all the encrypted data on disk, and you can’t do that while the encrypted filesystem is mounted, so it’s best done before flashing the image.
- I first ran the librem5-flash-image script with `--skip-cleanup` to obtain the image and a uuu script (.lst file).
- To re-encrypt with a new master key, I mapped the image as a loop device and ran `cryptsetup-reencrypt` on it. (References: 1, 2)
- The re-encrypted image can then be flashed by running `uuu` directly, giving uuu the path to the uuu script as its only argument.
- The encrypted image does not expand to fill the available space by default. I used `cfdisk` on the phone to delete /dev/mmcblk0p2 and to make a new partition filling the space. Then I deleted /etc/resize_rootfs-resized and rebooted the phone. This caused the partition to be resized to fill the available space. (References: 1, 2)
My first impression is that Byzantium seems more polished and complete than Amber. I now need to restore my data and selected configurations before trying it out properly.
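
The re-encryption step described in the post, written out as an added example (not part of the original post and not Purism's own script), with a check that the master-key digest in the LUKS header really changed. Assumptions: the LUKS container is partition 2 of the image, the image path is supplied by the caller, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root on the host PC.
# Assumptions: the LUKS container is partition 2 of the image (the post
# resizes /dev/mmcblk0p2); the image path is passed as the only argument.

# Print the master-key digest found in `cryptsetup luksDump` output on stdin.
# Handles the LUKS1 "MK digest:" line and the LUKS2 "Digest:" field, which
# may continue on following indented lines of hex bytes.
mk_digest() {
    awk '
        /^MK digest:/ || /^[ \t]+Digest:/ {
            grab = 1; sub(/^[^:]*:[ \t]*/, ""); out = out $0; next
        }
        grab && /^[ \t]+([0-9a-f][0-9a-f] ?)+[ \t]*$/ { out = out $0; next }
        { grab = 0 }
        END { gsub(/[ \t]+/, "", out); print out }
    '
}

# Name of partition N (default 2) on a loop device, e.g. /dev/loop0p2.
luks_part() { printf '%sp%s\n' "$1" "${2:-2}"; }

# Map the image, re-encrypt its LUKS partition, confirm the digest changed.
rekey_image() {
    loop=$(losetup --find --show --partscan "$1") || return 1
    part=$(luks_part "$loop")
    if ! cryptsetup isLuks "$part"; then
        losetup -d "$loop"; return 2      # not a LUKS container: do nothing
    fi
    before=$(cryptsetup luksDump "$part" | mk_digest)
    cryptsetup-reencrypt "$part"; rc=$?   # prompts for the passphrase
    after=$(cryptsetup luksDump "$part" | mk_digest)
    losetup -d "$loop"
    [ "$rc" -eq 0 ] || return 3
    # An unchanged digest means the cloned master key is still in place.
    [ -n "$after" ] && [ "$before" != "$after" ] || return 4
    echo "master key replaced: $before -> $after"
}

# Only act when given exactly one argument (the image file).
if [ $# -eq 1 ]; then rekey_image "$1"; fi
```

A non-zero return from `rekey_image` means the image should not be flashed as-is; return code 4 specifically means the header still carries the digest it had before.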