diff --git a/site/docs/grub/index.md b/site/docs/grub/index.md index f2af59a..450d6fc 100644 --- a/site/docs/grub/index.md +++ b/site/docs/grub/index.md @@ -6,7 +6,7 @@ x-toc-enable: true TODO: this guide should be reviewed and updated. Some info might be out of date. -GNU GRUB already has excellent +GRUB already has excellent documentation, but there are aspects of libreboot that deserve special treatment. libreboot provides the option to boot GRUB directly, running on bare metal (instead of using BIOS or UEFI services). diff --git a/site/docs/linux/encryption.md b/site/docs/linux/encryption.md index 8b774bf..154d304 100644 --- a/site/docs/linux/encryption.md +++ b/site/docs/linux/encryption.md @@ -1,5 +1,26 @@ # Fully Encrypted Boot and Root Partitions with Libreboot +# THIS ARTICLE IS OBSOLETE + +See news article: [Encrypted /boot/ on LUKSv2 now possible in Libreboot +GRUB (PHC argon2 imported)](../../news/argon2.html) + +The article, written below, was merged *before* argon2 support became possible +in GRUB, within Libreboot. The Libreboot 20230625 release doesn't have it, but +it will be present in releases after Libreboot 20230625. For now, you can +[download lbmk.git](../../git.md) and [build from source](../build/) to get +the latest Libreboot, if you want argon2 support. + +The guide below assumes that GRUB *cannot* handle argon2 key derivation, which +is most common now on LUKSv2 setups, so it has you using the older PBKDF2 +algorithm in GRUB. + +Encrypted LUKSv2 `/boot` is once again possible in Libreboot, but this page +has not yet been updated to contain guidance for that. You can most likely just +adapt the instructions below. + +# Article, as-is: + The following guide will explain how to create: + A boot partition (/dev/sda1 in this example) that GRUB can decrypt with 'passphrase1' diff --git a/site/docs/linux/grub_boot_installer.md b/site/docs/linux/grub_boot_installer.md index f5b8ca8..4876ad1 100644 --- a/site/docs/linux/grub_boot_installer.md 
+++ b/site/docs/linux/grub_boot_installer.md @@ -78,6 +78,13 @@ the OpenBSD installer to it with `dd`. Here's an example: That's it! You should now be able to boot the installer from your USB drive (the instructions for doing so will be given later). +## GRUB2 config on external media + +Pick the menu option: *Search for GRUB2 configuration on external media* + +If the distro installer image has a `grub.cfg` file inside, this menuentry is +scripted to find it. This works well for many distros. + ## Debian or Devuan net install Download the Debian or Devuan net installer. You can download the Debian ISO from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from @@ -86,21 +93,9 @@ from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from Secondly, create a bootable USB drive using the commands in [#prepare-the-usb-drive-in-linux](#prepare-the-usb-drive-in-linux). -Thirdly, boot the USB and enter these commands in the GRUB terminal -(for 64-bit Intel or AMD): - - set root='usb0' - linux /install.amd/vmlinuz - initrd /install.amd/initrd.gz - boot - -If you are on a 32-bit system (e.g. some Thinkpad X60's) then you will need to -use these commands (this is also true for 32-bit running on 64-bit machines): - - set root='usb0' - linux /install.386/vmlinuz - initrd /install.386/initrd.gz - boot +You can select the option, in the Libreboot GRUB menu, to load GRUB config +from external media, and that should work just fine. Alternatively, pick one +of the ISOLINUX-related menu options. ## Booting ISOLINUX Images (Automatic Method) Boot it in GRUB using the `Parse ISOLINUX config (USB)` option. A new menu diff --git a/site/docs/linux/grub_cbfs.md b/site/docs/linux/grub_cbfs.md index 37be334..21f5158 100644 --- a/site/docs/linux/grub_cbfs.md +++ b/site/docs/linux/grub_cbfs.md 
@@ -117,6 +117,28 @@ machine powered down) and read the contents of the boot flash. Extract grub.cfg ================ +Releases *after* Libreboot 20230625 +----------------------------------- + +Releases after Libreboot 20230625 contain `grub.cfg` inside the GRUB memdisk, +inaccessible directly from CBFS, but the memdisk is inside `grub.elf` which +gets put inside CBFS. + +An override is possible, on these Libreboot revisions. If `grub.cfg` is present +in CBFS, Libreboot's GRUB will use *that* and not the memdisk one; it will not +auto-switch to `grubtest.cfg`, but the test config will be available in the +menu to switch to, if present. + +You can find `grub.cfg` under lbmk (for this purpose, it's best to use the +lbmk one, not the release one - unless you're using a release after 20230625). +Find it at path: `resources/grub/config/grub.cfg`. + +So, you can *add* `grubtest.cfg` as normal, test that, and +then *add* `grub.cfg` once you're happy, and it will override the default. + +Libreboot 20230625 and below: +---------------------------- + libreboot images that use the GRUB bootloader will have *two* configuration files in CBFS: @@ -149,6 +171,11 @@ from your ROM image. Insert new grub.cfg =================== +NOTE: As stated above, releases after Libreboot 20230625 only default to +the config in memdisk, and lack a CBFS config, so you can skip the *remove* +step below and just directly add the new `grub.cfg` - unless you already +added one before, in which case removal is required first. + Remove the old `grub.cfg` (substitute with `grubtest.cfg` as desired): cbfstool dump.bin remove -n grub.cfg diff --git a/site/docs/linux/grub_hardening.md b/site/docs/linux/grub_hardening.md index fae507e..6b970c0 100644 --- a/site/docs/linux/grub_hardening.md +++ b/site/docs/linux/grub_hardening.md 
@@ -3,6 +3,9 @@ title: Hardening GRUB x-toc-enable: true ... +**NOTE: [Encrypted /boot with LUKS2 on argon2 key derivation is now +possible](../../news/argon2.md) but not yet documented by this guide.** + This article only applies to those people who use the GRUB bootloader as their default payload (options besides GRUB are also available in libreboot). Whenever this article refers to GRUB, or configuration files diff --git a/site/docs/linux/zfsbootmenu.md b/site/docs/linux/zfsbootmenu.md index 6abb4f1..e853324 100644 --- a/site/docs/linux/zfsbootmenu.md +++ b/site/docs/linux/zfsbootmenu.md @@ -3,6 +3,19 @@ title: ZFSbootmenu with Full Disk Encryption Guide x-toc-enable: true ... +This article is obsolete! +========================= + +**NOTE: [Encrypted /boot with LUKS2 on argon2 key derivation is now +possible](../../news/argon2.md) but not yet documented by this guide.** + +zfsbootmenu is still nice, but no longer required. Use latest Libreboot and +boot encrypted /boot (with argon2) directly from GRUB if you want to. Guides +need to be written for this, and are not yet present on the Libreboot site. + +Article +======= + As described in the [general encryption guide,](encryption.md) Libreboot allows for full disk encryption including the boot partition. Just as with the general guide, this explanation will demonstrate how to create a partition with moderate encryption for GRUB as well as a root partition with strong encryption. The major differences between the encryption method described in the general guide and this guide are:
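Review bot: the argon2 news link in the obsolescence notice added to site/docs/linux/encryption.md points at `../../news/argon2.html`, while the same target is linked as `../../news/argon2.md` in the grub_hardening.md and zfsbootmenu.md hunks of this patch, and the `../../git.md` link a few lines further down in the same notice uses `.md`. Use one form throughout (`.md` matches the rest of the patch). The notice also adds two more top-level `#` headings below the existing title; demoting "THIS ARTICLE IS OBSOLETE" and "Article, as-is:" by one level would keep a single H1 on the page. In "which is most common now on LUKSv2 setups", it is not clear whether "which" refers to argon2 or to GRUB lacking it; naming argon2 explicitly would fix that.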
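Review bot: in the "Debian or Devuan net install" hunk of site/docs/linux/grub_boot_installer.md, the replacement paragraph refers to "the option ... to load GRUB config from external media" and "one of the ISOLINUX-related menu options" without giving the menu labels, although the other hunk in this file and the context line below already spell them out (*Search for GRUB2 configuration on external media*, `Parse ISOLINUX config (USB)`). Use the exact labels here too. Since the manual `set root='usb0'` / `linux` / `initrd` commands are removed entirely, "should work just fine" leaves the reader with no fallback when neither entry finds a config; consider keeping the commands as a short "if the menu entries fail" note.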
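Review bot: the parenthetical in the new "Releases *after* Libreboot 20230625" section of site/docs/linux/grub_cbfs.md ("it's best to use the lbmk one, not the release one - unless you're using a release after 20230625") is hard to follow, because the section is already scoped to releases after 20230625, so the exception applies to every reader of it. State directly which `grub.cfg` to start from for a release build and which for an lbmk build. The sibling heading "Libreboot 20230625 and below:" ends in a colon while the heading above it does not; dropping the colon keeps the two consistent.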
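Review bot: the NOTE added under "Insert new grub.cfg" in site/docs/linux/grub_cbfs.md makes the remove step depend on whether a `grub.cfg` was added to CBFS earlier, but gives the reader no way to tell which case applies to their `dump.bin`. Add a sentence saying how to check the image's CBFS contents for an existing `grub.cfg` before choosing between remove-then-add and add-only. The phrase "only default to the config in memdisk" would also read more clearly as "default to the config in memdisk only".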
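Review bot: the notice added to site/docs/linux/zfsbootmenu.md says "Use latest Libreboot and boot encrypted /boot (with argon2) directly from GRUB", but the encryption.md hunk in this same patch states that the Libreboot 20230625 release does not have argon2 support and that it currently requires building from lbmk.git. A reader on the latest release would follow this notice and find that GRUB cannot unlock an argon2 LUKS2 /boot. Repeat the release caveat here, or link to the build-from-source instructions as encryption.md does; the same applies to the "now possible" note in the grub_hardening.md hunk. The heading "This article is obsolete!" also sits oddly with "zfsbootmenu is still nice, but no longer required" in the body; a heading that says the approach is optional rather than obsolete would match the text.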