update linux guides based on lbmk changes
Signed-off-by: Leah Rowe <leah@libreboot.org>
master
parent e201621c94
commit 308b6c5237
|
@ -6,7 +6,7 @@ x-toc-enable: true
|
||||||
TODO: this guide should be reviewed and updated. Some info might be out of
|
TODO: this guide should be reviewed and updated. Some info might be out of
|
||||||
date.
|
date.
|
||||||
|
|
||||||
GNU GRUB already has excellent
|
GRUB already has excellent
|
||||||
documentation, but there are aspects of libreboot that deserve special
|
documentation, but there are aspects of libreboot that deserve special
|
||||||
treatment. libreboot provides the option to boot GRUB directly, running on
|
treatment. libreboot provides the option to boot GRUB directly, running on
|
||||||
bare metal (instead of using BIOS or UEFI services).
|
bare metal (instead of using BIOS or UEFI services).
|
||||||
|
|
|
@ -1,5 +1,26 @@
|
||||||
# Fully Encrypted Boot and Root Partitions with Libreboot
|
# Fully Encrypted Boot and Root Partitions with Libreboot
|
||||||
|
|
||||||
|
# THIS ARTICLE IS OBSOLETE
|
||||||
|
|
||||||
|
See news article: [Encrypted /boot/ on LUKSv2 now possible in Libreboot
|
||||||
|
GRUB (PHC argon2 imported)](../../news/argon2.html)
|
||||||
|
|
||||||
|
The article, written below, was merged *before* argon2 support became possible
|
||||||
|
in GRUB, within Libreboot. The Libreboot 20230625 release doesn't have it, but
|
||||||
|
it will be present in releases after Libreboot 20230625. For now, you can
|
||||||
|
[download lbmk.git](../../git.md) and [build from source](../build/) to get
|
||||||
|
the latest Libreboot, if you want argon2 support.
|
||||||
|
|
||||||
|
The guide below assumes that GRUB *cannot* handle argon2 key derivation, which
|
||||||
|
is most common now on LUKSv2 setups, so it has you using the older PBKDF2
|
||||||
|
algorithm in GRUB.
|
||||||
|
|
||||||
|
Encrypted LUKSv2 `/boot` is once again possible in Libreboot, but this page
|
||||||
|
has not yet been updated to contain guidance for that. You can most likely just
|
||||||
|
adapt the instructions below.
|
||||||
|
|
||||||
|
# Article, as-is:
|
||||||
|
|
||||||
The following guide will explain how to create:
|
The following guide will explain how to create:
|
||||||
|
|
||||||
+ A boot partition (/dev/sda1 in this example) that GRUB can decrypt with 'passphrase1'
|
+ A boot partition (/dev/sda1 in this example) that GRUB can decrypt with 'passphrase1'
|
||||||
|
|
|
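Review bot: the news link in the new obsolescence notice points at `../../news/argon2.html`, while the notes added to the Hardening GRUB and ZFSbootmenu guides in this same commit link `../../news/argon2.md`; use one form (the neighbouring `../../git.md` link suggests `.md`). The notice also labels the article obsolete and then says "You can most likely just adapt the instructions below" without naming what to adapt. Since the guide has the reader use PBKDF2 only because GRUB could not handle argon2, say that the key derivation choice is the part that changes.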
@ -78,6 +78,13 @@ the OpenBSD installer to it with `dd`. Here's an example:
|
||||||
That's it! You should now be able to boot the installer from your USB drive
|
That's it! You should now be able to boot the installer from your USB drive
|
||||||
(the instructions for doing so will be given later).
|
(the instructions for doing so will be given later).
|
||||||
|
|
||||||
|
## GRUB2 config on external media
|
||||||
|
|
||||||
|
Pick the menu option: *Search for GRUB2 configuration on external media*
|
||||||
|
|
||||||
|
If the distro installer image has a `grub.cfg` file inside, this menuentry is
|
||||||
|
scripted to find it. This works well for many distros.
|
||||||
|
|
||||||
## Debian or Devuan net install
|
## Debian or Devuan net install
|
||||||
Download the Debian or Devuan net installer. You can download the Debian ISO
|
Download the Debian or Devuan net installer. You can download the Debian ISO
|
||||||
from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from
|
from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from
|
||||||
|
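Review bot: the new "GRUB2 config on external media" section says "Pick the menu option" without saying which menu, and gives no fallback when the image has no `grub.cfg`. Name the Libreboot GRUB menu here, as the Debian section does later in this commit, and point to the ISOLINUX-related options as the alternative. Because this entry loads whatever `grub.cfg` is found on the inserted media, a sentence telling the reader to use it only with installer images they have verified would fit here.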
@ -86,21 +93,9 @@ from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from
|
||||||
Secondly, create a bootable USB drive using the commands in
|
Secondly, create a bootable USB drive using the commands in
|
||||||
[#prepare-the-usb-drive-in-linux](#prepare-the-usb-drive-in-linux).
|
[#prepare-the-usb-drive-in-linux](#prepare-the-usb-drive-in-linux).
|
||||||
|
|
||||||
Thirdly, boot the USB and enter these commands in the GRUB terminal
|
You can select the option, in the Libreboot GRUB menu, to load GRUB config
|
||||||
(for 64-bit Intel or AMD):
|
from external media, and that should work just fine. Alternatively, pick one
|
||||||
|
of the ISOLINUX-related menu options.
|
||||||
set root='usb0'
|
|
||||||
linux /install.amd/vmlinuz
|
|
||||||
initrd /install.amd/initrd.gz
|
|
||||||
boot
|
|
||||||
|
|
||||||
If you are on a 32-bit system (e.g. some Thinkpad X60's) then you will need to
|
|
||||||
use these commands (this is also true for 32-bit running on 64-bit machines):
|
|
||||||
|
|
||||||
set root='usb0'
|
|
||||||
linux /install.386/vmlinuz
|
|
||||||
initrd /install.386/initrd.gz
|
|
||||||
boot
|
|
||||||
|
|
||||||
## Booting ISOLINUX Images (Automatic Method)
|
## Booting ISOLINUX Images (Automatic Method)
|
||||||
Boot it in GRUB using the `Parse ISOLINUX config (USB)` option. A new menu
|
Boot it in GRUB using the `Parse ISOLINUX config (USB)` option. A new menu
|
||||||
|
|
|
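Review bot: removing the manual `linux /install.amd/vmlinuz` and `initrd /install.amd/initrd.gz` commands, together with the `install.386` variant, leaves the Debian section with no fallback if the automatic option fails, and the replacement text only says it "should work just fine". Consider keeping the manual commands as a fallback subsection. The preceding paragraph still begins "Secondly," but the "Thirdly" step it led into is gone, so the ordinal wording needs adjusting.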
@ -117,6 +117,28 @@ machine powered down) and read the contents of the boot flash.
|
||||||
Extract grub.cfg
|
Extract grub.cfg
|
||||||
================
|
================
|
||||||
|
|
||||||
|
Releases *after* Libreboot 20230625
|
||||||
|
-----------------------------------
|
||||||
|
|
||||||
|
Releases after Libreboot 20230625 contain `grub.cfg` inside the GRUB memdisk,
|
||||||
|
inaccessible directly from CBFS, but the memdisk is inside `grub.elf` which
|
||||||
|
gets put inside CBFS.
|
||||||
|
|
||||||
|
An override is possible, on these Libreboot revisions. If `grub.cfg` is present
|
||||||
|
in CBFS, Libreboot's GRUB will use *that* and not the memdisk one; it will not
|
||||||
|
auto-switch to `grubtest.cfg`, but the test config will be available in the
|
||||||
|
menu to switch to, if present.
|
||||||
|
|
||||||
|
You can find `grub.cfg` under lbmk (for this purpose, it's best to use the
|
||||||
|
lbmk one, not the release one - unless you're using a release after 20230625).
|
||||||
|
Find it at path: `resources/grub/config/grub.cfg`.
|
||||||
|
|
||||||
|
So, you can *add* `grubtest.cfg` as normal, test that, and
|
||||||
|
then *add* `grub.cfg` once you're happy, and it will override the default.
|
||||||
|
|
||||||
|
Libreboot 20230625 and below:
|
||||||
|
----------------------------
|
||||||
|
|
||||||
libreboot images that use the GRUB bootloader will have *two* configuration
|
libreboot images that use the GRUB bootloader will have *two* configuration
|
||||||
files in CBFS:
|
files in CBFS:
|
||||||
|
|
||||||
|
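Review bot: in the paragraph starting "You can find `grub.cfg` under lbmk", the parenthetical "it's best to use the lbmk one, not the release one - unless you're using a release after 20230625" sits under a heading that is already about releases after 20230625, so it is unclear which copy the reader should take. State plainly that the file at `resources/grub/config/grub.cfg` should come from the same revision as the image being modified. The section is titled "Extract grub.cfg", yet for these releases it describes no extraction step for the memdisk copy; say that explicitly. The second new heading ends in a colon ("Libreboot 20230625 and below:") while the first does not.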
@ -149,6 +171,11 @@ from your ROM image.
|
||||||
Insert new grub.cfg
|
Insert new grub.cfg
|
||||||
===================
|
===================
|
||||||
|
|
||||||
|
NOTE: As stated above, releases after Libreboot 20230625 only default to
|
||||||
|
the config in memdisk, and lack a CBFS config, so you can skip the *remove*
|
||||||
|
step below and just directly add the new `grub.cfg` - unless you already
|
||||||
|
added one before, in which case removal is required first.
|
||||||
|
|
||||||
Remove the old `grub.cfg` (substitute with `grubtest.cfg` as desired):
|
Remove the old `grub.cfg` (substitute with `grubtest.cfg` as desired):
|
||||||
|
|
||||||
cbfstool dump.bin remove -n grub.cfg
|
cbfstool dump.bin remove -n grub.cfg
|
||||||
|
|
|
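Review bot: the NOTE tells readers to skip the remove step "unless you already added one before" but gives no way to check that. Add a step that lists the image contents first, for example `cbfstool dump.bin print`, so the reader can see whether `grub.cfg` or `grubtest.cfg` is already present in CBFS before choosing between remove-then-add and add. The phrase "only default to the config in memdisk" would read more clearly as "default to the config in the memdisk".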
@ -3,6 +3,9 @@ title: Hardening GRUB
|
||||||
x-toc-enable: true
|
x-toc-enable: true
|
||||||
...
|
...
|
||||||
|
|
||||||
|
**NOTE: [Encrypted /boot with LUKS2 on argon2 key derivation is now
|
||||||
|
possible](../../news/argon2.md) but not yet documented by this guide.**
|
||||||
|
|
||||||
This article only applies to those people who use the GRUB bootloader as
|
This article only applies to those people who use the GRUB bootloader as
|
||||||
their default payload (options besides GRUB are also available in
|
their default payload (options besides GRUB are also available in
|
||||||
libreboot). Whenever this article refers to GRUB, or configuration files
|
libreboot). Whenever this article refers to GRUB, or configuration files
|
||||||
|
|
|
@ -3,6 +3,19 @@ title: ZFSbootmenu with Full Disk Encryption Guide
|
||||||
x-toc-enable: true
|
x-toc-enable: true
|
||||||
...
|
...
|
||||||
|
|
||||||
|
This article is obsolete!
|
||||||
|
=========================
|
||||||
|
|
||||||
|
**NOTE: [Encrypted /boot with LUKS2 on argon2 key derivation is now
|
||||||
|
possible](../../news/argon2.md) but not yet documented by this guide.**
|
||||||
|
|
||||||
|
zfsbootmenu is still nice, but no longer required. Use latest Libreboot and
|
||||||
|
boot encrypted /boot (with argon2) directly from GRUB if you want to. Guides
|
||||||
|
need to be written for this, and are not yet present on the Libreboot site.
|
||||||
|
|
||||||
|
Article
|
||||||
|
=======
|
||||||
|
|
||||||
As described in the [general encryption guide,](encryption.md) Libreboot allows for full disk encryption including the boot partition.
|
As described in the [general encryption guide,](encryption.md) Libreboot allows for full disk encryption including the boot partition.
|
||||||
Just as with the general guide, this explanation will demonstrate how to create a partition with moderate encryption for GRUB as well as a root partition with strong encryption.
|
Just as with the general guide, this explanation will demonstrate how to create a partition with moderate encryption for GRUB as well as a root partition with strong encryption.
|
||||||
The major differences between the encryption method described in the general guide and this guide are:
|
The major differences between the encryption method described in the general guide and this guide are:
|
||||||
|
|
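Review bot: the new heading "This article is obsolete!" conflicts with the body beneath it, which says "zfsbootmenu is still nice, but no longer required" and that replacement guides "are not yet present on the Libreboot site". Readers are left with an article marked obsolete and nothing to follow instead; a heading that says an alternative now exists would match the text better. The bold NOTE is a verbatim copy of the one added to the Hardening GRUB guide, so the two will need to be updated together once the argon2 guide exists.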