Installing Kali in steel for Macs with FDE - dual boot or encrypted USB

2013-10-30, 22:36
This walkthrough provides detailed steps for installing Kali in steel with FDE for EFI based Macs. You can use this method to either produce a dual boot system or to create a bootable encrypted USB install. Other walkthroughs on the internet provided the foundation for my post, but I have found the methods in these other sources to be somewhat unreliable and requiring significant tweaking. The major reference for my work is acknowledged in Note vi below, and kudos to 0xBADCA7 for doing the initial heavy lifting.

1. Prepare installation destination.
a. If doing a dual boot, decrypt OS X partition, shrink and then re-encrypt.
b. If using a USB stick, install to that dev.
2. Install Kali.
a. Set up following partitions:
i. /boot - ext2 - 10-100 MB - make sure the bootable flag is set.
ii. /sdx-crypt - logical volume for encryption.
b. Set up encrypted partition to be logical volume for LVM.
c. Set up LVM partition as ext4 - mount point /. Name it root to produce a volumeName-root LVM entry.
Note: If you have your heart set on a swap partition, harvest it from this LV.
d. Confirm changes and follow through installer to write the system files.
3. Install bootloader to /boot partition. It will fail, but has copied across the kernel etc. Finish the installation regardless.
4. Mount the /boot partition, copy all files from it, reformat in gparted to FAT32, copy back the files. Make sure boot flag is set.
5. Download the contents of the EFI folder at ftp://mirrors.kernel.org/fedora/releases/18/Fedora/x86_64/os/
6. Copy this folder to /boot.
7. Replace /boot/EFI/BOOT/grub.cfg with:

set default="0"

function load_video {
  insmod efi_gop
  insmod efi_uga
  insmod video_bochs
  insmod video_cirrus
  insmod all_video
}

insmod gzio
insmod part_gpt
insmod ext2
insmod part_msdos
# (hdX,gptY) must point at the /boot partition; see step 8.
set root='(hd1,gpt4)'
insmod png

set timeout=5
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Kali' --class debian --class gnu-linux --class gnu --class os {
  insmod gzio
  insmod part_msdos
  insmod ext2
  set root='(hd1,gpt4)'
  echo 'Loading kernel....'
  # root= names the LVM root volume inside the unlocked LUKS container.
  linuxefi /vmlinuz-3.7-trunk-amd64 root=/dev/mapper/volumeName-root
  echo 'Loading ramdisk...'
  initrdefi /initrd.img-3.7-trunk-amd64
}


8. Amend the roots above with the relevant (hdX,gptY) for the /boot partition, and ensure that volumeName-root reflects your volume name.
9. Type following commands:

umount /boot
cryptsetup luksOpen /dev/sdx volumeName
vgchange -ay
mkdir /newRoot
mount /dev/mapper/volumeName-root /newRoot
mount /dev/sdxn /newRoot/boot #sdxn should be your boot partition
cd /newRoot
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
chroot . #work inside the installed system from here on
10. Edit /etc/fstab to comment out the /dev/mapper/volumeName-root line, then change the UUID of the /boot partition to reflect the shorter UUID of the /boot partition after formatting as FAT32. You can get UUIDs by invoking blkid.
11. Edit /etc/crypttab and change sdX_crypt to volumeName-root. Leave the rest of the line intact.
12. Save changes and execute:

update-initramfs -u
13. You should get the required grub boot loader on reboot, and if you've done it right then you'll start the boot process. After a short time it will spawn an error and drop to an (initramfs) shell. At this stage, type:

cryptsetup luksOpen /dev/<id of encrypted partition> volumeName
vgchange -ay
14. The boot process will then continue, and you'll come to the login screen shortly.

i. You will have to type the commands in step 13 each time you boot. This is because the volumeName-root entry is commented out in /etc/fstab. If you uncomment this line, I have found that the system stalls when it tries to automatically mount the encrypted volumes and you're stuck without a bootable OS. You then have to mount the encrypted volume using another install of Kali, re-comment the line and rebuild the initial RAM disk. I suggest you accept this as a quirk of encrypted EFI booting.
ii. This method works for both dual boot and USB drive installs on Macs.
iii. It is possible that other errors will be thrown after manually mounting the encrypted disks on load. If this happens, just acknowledge/continue/exit out of them and the boot process should continue.
iv. If this method doesn't work for you, try it again from scratch. EFI booting is a tricky thing, and I have verified this walkthrough as valid for both dual boots and USB installs. If it isn't working for you, it may well be a PEBCAK problem.
v. rEFInd/rEFIt are not necessary if using OS X 10.9.
vi. Foundation information provided at http://securetty.standard.io/post/56600762295/kali-linux-macbook-usb-boot-full-disk-encryption.
vii. I usually hang out on #vulnhub if you have questions.

2014-01-20, 09:34
Further to the main post above, should you wish to update your installation to avoid manually unlocking volumes, follow these additional steps:

Ensure the crypttab entry references the UUID of the /dev/sdX partition which hosts the LVM encrypted partition.
Insert following line into /etc/fstab:

/dev/mapper/<crypted volume>-root / ext4 defaults 0 1
Run following command:

echo 'CRYPTOPTS=target=<crypted volume>,source=/dev/<sdXX>,lvm=<crypted volume>-root' > /etc/initramfs-tools/conf.d/cryptroot


update-initramfs -u -k all
update-grub
reboot

Make sure you replace all the required values above in <>, and note that this will now allow you to use luksNuke on Macs.
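Added example, not code from the thread: a small shell helper that checks the step 10 edit (the /boot UUID in /etc/fstab must match what blkid reports for the FAT32 partition) before update-initramfs is run, rewrites the line if it does not, and builds the CRYPTOPTS line from the follow-up post. The device names /dev/sdb1 and /dev/sdb2, the UUIDs and the volume name "kali" are constructed sample values, not from any real machine.

```shell
#!/bin/sh
# Constructed blkid output in the format `blkid` prints (sample values, not a real system).
SAMPLE_BLKID='/dev/sdb1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="11111111-2222-3333-4444-555555555555"
/dev/sdb2: UUID="6f0f5c7e-1d2e-4a3b-9c8d-7e6f5a4b3c2d" TYPE="crypto_LUKS" PARTUUID="66666666-7777-8888-9999-aaaaaaaaaaaa"
/dev/mapper/kali-root: UUID="9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b" TYPE="ext4"'

# Constructed /etc/fstab as the installer leaves it: the root line is commented out
# (step 10) and /boot still carries the long UUID of the old ext2 filesystem.
SAMPLE_FSTAB='# /dev/mapper/kali-root / ext4 errors=remount-ro 0 1
UUID=0b1c2d3e-4f50-6172-8394-a5b6c7d8e9f0 /boot ext2 defaults 0 2'

# Print the UUID blkid reports for device $1; blkid output is read from stdin.
uuid_of() {
  awk -v dev="$1:" '$1 == dev { for (i = 2; i <= NF; i++) if ($i ~ /^UUID=/) { gsub(/"/, "", $i); sub(/^UUID=/, "", $i); print $i } }'
}

# Print the UUID the fstab on stdin uses for mount point $1 (commented lines ignored).
fstab_uuid() {
  awk -v mp="$1" '$1 !~ /^#/ && $2 == mp && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }'
}

# Succeed only if the /boot line in fstab text $2 names the UUID blkid text $3 reports for device $1.
boot_uuid_matches() {
  want=$(printf '%s\n' "$3" | uuid_of "$1")
  have=$(printf '%s\n' "$2" | fstab_uuid /boot)
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Print fstab text $2 with the /boot line switched to the UUID blkid text $3 reports for device $1.
fix_boot_uuid() {
  want=$(printf '%s\n' "$3" | uuid_of "$1")
  printf '%s\n' "$2" | awk -v u="$want" '$1 !~ /^#/ && $2 == "/boot" { $1 = "UUID=" u } { print }'
}

# Build the CRYPTOPTS line from the follow-up post for volume name $1 and LUKS device $2.
cryptopts_line() {
  printf 'CRYPTOPTS=target=%s,source=%s,lvm=%s-root\n' "$1" "$2" "$1"
}

# Stand-alone run: report the mismatch, show the corrected fstab and the CRYPTOPTS line.
if boot_uuid_matches /dev/sdb1 "$SAMPLE_FSTAB" "$SAMPLE_BLKID"; then
  echo "/boot UUID already matches blkid"
else
  echo "/boot UUID in fstab does not match blkid; corrected fstab:"
  fix_boot_uuid /dev/sdb1 "$SAMPLE_FSTAB" "$SAMPLE_BLKID"
fi
cryptopts_line kali /dev/sdb2
```

On a real system the same functions are fed with `blkid` and `cat /etc/fstab` output inside the chroot of step 9.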