Installing Ubuntu 18.04 with encrypted partitions on XPS 15 9550 with NVIDIA/CUDA/cuDNN/Tensorflow-GPU support

I recently had a lot of difficulties trying to get Ubuntu 18.04 on my XPS 15 laptop. After multiple partial successes and eventual broken installations, I’ve compiled a step-by-step guide on installing 18.04, with encrypted rootfs and home partitions, and with working NVIDIA+CUDA+CuDNN drivers, on a XPS 15 9550 machine.

Backup data & configuration files

This step is obvious, yet I still didn’t do a perfect job. You should consider backing up at least these locations:

  • $HOME/Desktop
  • $HOME/Downloads
  • public and private keys at$HOME/.ssh/id_*
  • hidden files in $HOME, e.g. .bashrc.gitconfig,.hgrc, etc.
  • manually installed software in/opt and elsewhere
  • /etc/fstab,/etc/hosts,…; heck, just zip /etc and back them all up!

Disable Secure Boot to support NVIDIA drivers

I found that Ubuntu 18.04 would not boot properly after installing the latest NVIDIA drivers. If using encrypted partitions, then the kernel stalls on:

 WARNING: Failed to connect to lvmetad. Falling back to device scanning.
 Volume group "vgroot" not found
 Cannot process volume group vgroot
 WARNING: Failed ot connect to lvmetad. Falling back to device scanning.
 Reading all physical volumes. This may take a while...
 Found volume group "vgroot" using metadata type lvm2
 WARNING: Failed ot connect to lvmetad. Falling back to device scanning.
 1 logical volume(s) in volume group "vgroot" now active
/dev/mapper/vgroot-lvroot: clean, ######/####### files, ######/####### blocks

Disabling lvmetad did not work, nor did removing the lvm=vgroot option in /etc/crypttab. I also tried installing the drivers without drive encryption, and the kernel gets stuck after repeatedly starting and stopping the NVIDIA Persistent Daemon. No dice either.

Here are multiple ways to disable Secure Boot, in decreasing order of my preferences:

  • Reboot your XPS 15 laptop, enter the BIOS (press F2 when the Dell logo appears), select Secure Boot > Secure Boot Enable > Disabled, then Apply and Exit

  • Insert an Ubuntu installation volume (e.g. Live USB), reboot, enter the Boot mode screen (press F12 when the Dell logo appears), then choose Change Boot Mode Settings, and go through the prompts to disable Secure Boot
  • If you have booted into Ubuntu, execute the following in a terminal: sudo mokutil --disable-verification, enter a passphrase, reboot, and go through the prompts to disable Secure Boot

Install Ubuntu 18.04 on XPS15 (with encrypted partitions)

If you just want a plain, non-encrypted installation of 18.04 on XPS 15, then simply go through the Ubuntu Installer process. In some situations, it is prudent to encrypt your OS installation and data to enforce security. The Ubuntu installer GUI has been offering full-drive encryption for a while now, which is great:

However, if you have a multi-boot setup (e.g. Windows and Ubuntu), or even if you wish to preserve laptop recovery partitions, then you cannot use the above method. The following steps cover how to configure encrypted partitions using LUKS before running the Ubuntu 18.04 installer. These steps were mostly copied from this post, with a few of my modifications:

Boot into Try Ubuntu with nomodeset

If I didn’t add the nomodeset boot option, then twice I found that the 18.04 installer crashed when formatting partitions. It might be related to installing into encrypted partitions, since others have not encountered this issue.

  • reboot
  • press F12 when the Dell logo appears
  • select the UEFI: ... option corresponding to your USB drive
  • after grub loads, move the cursor to Try Ubuntu
  • without pressing Enter, press e on the keyboard to edit boot options
  • navigate to the linux /boot/vmlinuz...line
  • add nomodesetat the end of the line
  • press F10 to load the kernel

Create boot/rootfs/home partitions

  • do not run the Install Ubuntu desktop option just yet if you want to configure encrypted partitions
  • open a terminal (Ctrl+Alt+t)
  • run $ sudo gparted
  • delete your existing Ubuntu and other outdated partitions
  • I’m assuming that your drive’s partition table uses EFI and not MBR, otherwise you might need to adjust steps below (especially about creating many primary partitions)
  • create a new primary partition with 500MB-1GB size, formatted to ext4, and labelled as boot; make note of its partition path (e.g. /dev/sda2 or /dev/nvme0n1p3), which I’ll hereby refer to as </dev/DEV_BOOT>
  • create another new primary partition, formatted to ext4, and labelled as rootfs. I’ll hereby refer its partition path as </dev/DEV_ROOTFS>
  • optionally, you may wish to preserve your home folder or personal data on a separate encrypted partition in case your Linux OS breaks; in this case, create a third new primary partition, formatted to ext4, and labelled as data; I’ll hereby refer its partition path as <dev/DEV_HOME>
  • I opted to have Ubuntu 18.04 create a swap file rather than a swap partition, for flexibility; if you wish to create a swap partition, then do so now (and you should probably encrypt it by adapting the steps below or from here)
  • execute the partition changes by clicking on the Checkmark icon, then close GParted once done

Create encrypted volumes using LUKS and LVM

We will now create LUKS containers cryptroot and crypthome on </dev/DEV_ROOTFS>  and</dev/DEV_HOME>, initialize LVM physical volumes lvroot and lvhome, and configure logical volumes vgroot and vghome. Run the following commands in a terminal:

  • $ sudo cryptsetup luksFormat </dev/DEV_ROOTFS>
  • $ sudo cryptsetup luksOpen </dev/DEV_ROOTFS> cryptroot
  • $ sudo cryptsetup luksFormat </dev/DEV_HOME>
  • $ sudo cryptsetup luksOpen </dev/DEV_HOME> crypthome

At this point, if you want to be really secure, overwrite the containers to erase existing content (which will take some time; I didn’t do this):

  • $ sudo dd if=/dev/zero of=/dev/mapper/cryptroot bs=16M status=progress
  • $ sudo dd if=/dev/zero of=/dev/mapper/crypthome bs=16M status=progress

Continuing:

  • $ sudo pvcreate /dev/mapper/cryptroot
  • $ sudo vgcreate vgroot /dev/mapper/cryptroot
  • $ sudo lvcreate -n lvroot -l 100%FREE vgroot
  • $ sudo pvcreate /dev/mapper/crypthome
  • $ sudo vgcreate vghome /dev/mapper/crypthome
  • $ sudo lvcreate -n lvhome -l 100%FREE vghome

After these steps, you will have the following mounted encrypted partitions: /dev/mapper/vgroot-lvroot and /dev/mapper/vghome-lvhome.

Sidenote: if you previously created these encrypted partitions but failed the installer, you only need to run the cryptsetup luksOpen ... commands to remount the existing partitions.

Go through the Ubuntu installer process

  • double-clicking the Install Ubuntu icon on the desktop
  • choose your language, keyboard layout, optionally configure WiFi settings, choose installation options (I chose Normal installation and checked boxes for Download updates ... and Install third-party software ...)
  • on the Installation type screen (refer to the first image of this post), select Something else

In the next screen, configure the following partitions by double-clicking on their paths:

  • </dev/DEV_BOOT>: use as ext4, format, mount as /boot
  • /dev/mapper/vgroot-lvroot: use as ext4, format, mount as /
  • /dev/mapper/vghome-lvhome: use as ext4, format, mount as /home
  • if you have a swap partition, use as swap
  • then, choose your entire drive as the target device for boot loader installation, e.g. choose /dev/nvme0n1 or /dev/sda, and not partitions like /dev/nvme0n1p6 or /dev/sda3

Here’s my installation setup for reference (I replaced vghome-lvhome with vgdata-lvdata):

The rest of the installer process should be straight-forward.

DO NOT REBOOT after the installer finishes, and instead click Continue testing.

Update kernel to load encrypted partitions

First, note down the UUIDs of your encrypted partitions by running the following commands in a terminal:

  • $ sudo blkid </dev/DEV_ROOTFS>
  • $ sudo blkid </dev/DEV_HOME>

Next, mount the installed OS on /mnt and chroot into it:

  • $ sudo mount /dev/mapper/vgroot-lvroot /mnt
  • $ sudo mount </dev/DEV_BOOT> /mnt/boot
  • $ sudo mount /dev/mapper/vghome-lvhome /mnt/home
  • $ sudo mount --bind /dev /mnt/dev
  • $ sudo chroot /mnt
  • $ > mount -t proc proc /proc
  • $ > mount -t sysfs sys /sys
  • $ > mount -t devpts devpts /dev/pts

Now, create a file named /etc/crypttab in the chrooted environment, e.g.

  • $ > sudo nano /etc/crypttab

and write the following lines, while replacing <UUID_ROOTFS> and <UUID_HOME>:

# <target name> <source device> <key file> <options>
cryptroot UUID=<UUID_ROOTFS> none luks,discard
crypthome UUID=<UUID_HOME> none luks,discard

Sidenote: I needed to modify the above content from the original instructions, otherwise sometimes upon reboot the kernel complains about lvmetad and vgroot volume not found.

Then, recreate the initramfs in the chrooted environment:

$ > update-initramfs -k all -c

Finally, reboot out of the Live environment and into your newly installed Ubuntu 18.04 OS!

Install Tensorflow 1.8 with GPU support

Below are instructions for installing Tensorflow 1.8 with GPU support, which requires CUDA Toolkit 9.0 and cuDNN 7.0 library.

Install NVIDIA 390 drivers

In the past, I preferred to install the latest drivers from nvidia.com. However, after failing multiple times during my encrypted 18.04 installation, I instead opted to install the NVIDIA drivers via apt:

  • open a terminal (Ctrl+Alt+t)
  • $ sudo apt-get update
  • $ sudo apt-get install nvidia-384

Note that nvidia-384 is a transitional package for nvidia-driver-390, so we are getting a pretty recent version of the driver this way.

Importantly, I found that you need to change from the nomodeset kernel boot option to nouveau.modeset=0 option instead. So, do the following before rebooting:

  • open /etc/default/grub in an editor (e.g. $ sudo nano /etc/default/grub)
  • change the line GRUB_CMDLINE_LINUX="nomodeset"  into GRUB_CMDLINE_LINUX="nouveau.modeset=0", then save the file
  • $ sudo update-grub
  • reboot

Install CUDA Toolkit 9.0

I found that it was better to install the .run versions of these drivers rather than .deb, or else cuDNN installation would fail (or, more precisely, I couldn’t find where to place the cuDNN files).

Since CUDA 9.0 was compiled against gcc/g++ 6, we need to install them and set them as default. To do so using update-alternatives, copy and run the following commands in a terminal:

  • sudo apt-get update
  • sudo apt-get install build-essential gcc-6 g++-6
  • sudo update-alternatives --remove-all gcc
  • sudo update-alternatives --remove-all g++
  • sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 10
  • sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-6 20
  • sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-7 10
  • sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-6 20
  • sudo update-alternatives --install /usr/bin/cc cc /usr/bin/gcc 30
  • sudo update-alternatives --set cc /usr/bin/gcc
  • sudo update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++ 30
  • sudo update-alternatives --set c++ /usr/bin/g++

Now download CUDA 9.0 and all patches, and install them sequentially, e.g.:

  • sudo sh cuda_9.0.176_384.81_linux.run
  • sudo sh cuda_9.0.176.1_linux.run
  • sudo sh cuda_9.0.176.2_linux.run
  • sudo sh cuda_9.0.176.3_linux.run

When running the base installer, do not install NVIDIA Accelerated Graphics Driver for Linux-x86_64 ... (answer no). Also, do accept to install a symbolic link at /usr/local/cuda.

Finally, you need to add the CUDA directories to your environmental paths. Either do this manually, or copy and execute the following in a terminal to have them added to your ~/.bashrc script:

  • echo 'export PATH=/usr/local/cuda/bin${PATH:+:${PATH}}' >> ~/.bashrc
  • echo 'export LD_LIBRARY_PATH=/usr/local/cuda/lib64:${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}' >> ~/.bashrc
  • source ~/.bashrc

Install cuDNN v7.0

Download the latest cuDNN v7.0 library (e.g. cuDNN v7.0.5 Library for Linux), then open a terminal, navigate to where you have downloaded the .tgz library file, and execute the following commands:

    • cudnn_tgz=$(ls cudnn*.tgz)
    • tar xvzf $cudnn_tgz --directory /tmp
    • sudo cp -P /tmp/cuda/include/cudnn.h /usr/local/cuda/include
    • sudo cp -P /tmp/cuda/lib64/libcudnn* /usr/local/cuda/lib64
    • sudo chmod a+r /usr/local/cuda/include/cudnn.h /usr/local/cuda/lib64/libcudnn*

Install Tensorflow-GPU

At this point, you can basically follow your most preferred instructions for installing Tensorflow with GPU support. This is what I did for installing Tensorflow v1.8 in Python 3:

  • $ sudo apt-get install libcupti-dev python-pip python3-pip
  • $ sudo -H pip3 install --upgrade tensorflow-gpu

You can test your tensorflow installation following these instructions.

Enjoy your new shiny encrypted OS and installation!

 

3 thoughts on “Installing Ubuntu 18.04 with encrypted partitions on XPS 15 9550 with NVIDIA/CUDA/cuDNN/Tensorflow-GPU support”

  1. Thanks a lot for this tutorial. It works really great. I tested it on a Dell precision m4800 without a separate home partition.

    At the end of the process, when creating the file with the UUID I first got an error saying that the UUID was invalid. It turns out that the double quotes caused the error even if the output of the blkid command had them.

    It may be related to this bug https://bugs.launchpad.net/ubuntu/maverick/+source/cryptsetup/+bug/332950/comments/19

    Thanks again!

  2. Thank you so much for this guide! It really saved my bacon! I was trying to get Elementary OS Juno Beta installed on my XPS15 and was having serious issues with the installation (restart option at the end of the installer is borked, unable to get past “decryption successful” screen).

    One thing that I did that deviated from your guide is that I had completely removed Windows from the system and wiped the drive. This meant that I did not have an efi boot partition, which I eventually realized was my issue when the installer failed on me at first. Just wanted to leave a comment in case anyone else runs into the same issue.

    TL;DR – If you completely wiped the drive, make sure to add a small, ~500MB FAT32 partition with the “boot” flag set, otherwise Ubiquity will fail when it tries to install grub.

  3. Great tutorial/How-to – Thank you! Used it with minor adaptations to install base os with encryption on my Thinkpad T440.

Leave a Reply to Eduardo Cancel reply

Your email address will not be published. Required fields are marked *