update linux guides based on lbmk changes

Signed-off-by: Leah Rowe <leah@libreboot.org>
master
Leah Rowe 2023-09-03 16:07:34 +01:00
parent e201621c94
commit 308b6c5237
6 changed files with 75 additions and 16 deletions

View File

@ -6,7 +6,7 @@ x-toc-enable: true
TODO: this guide should be reviewed and updated. Some info might be out of TODO: this guide should be reviewed and updated. Some info might be out of
date. date.
GNU GRUB already has excellent GRUB already has excellent
documentation, but there are aspects of libreboot that deserve special documentation, but there are aspects of libreboot that deserve special
treatment. libreboot provides the option to boot GRUB directly, running on treatment. libreboot provides the option to boot GRUB directly, running on
bare metal (instead of using BIOS or UEFI services). bare metal (instead of using BIOS or UEFI services).

View File

@ -1,5 +1,26 @@
# Fully Encrypted Boot and Root Partitions with Libreboot # Fully Encrypted Boot and Root Partitions with Libreboot
# THIS ARTICLE IS OBSOLETE
See news article: [Encrypted /boot/ on LUKSv2 now possible in Libreboot
GRUB (PHC argon2 imported)](../../news/argon2.html)
The article, written below, was merged *before* argon2 support became possible
in GRUB, within Libreboot. The Libreboot 20230625 release doesn't have it, but
it will be present in releases after Libreboot 20230625. For now, you can
[download lbmk.git](../../git.md) and [build from source](../build/) to get
the latest Libreboot, if you want argon2 support.
The guide below assumes that GRUB *cannot* handle argon2 key derivation, which
is most common now on LUKSv2 setups, so it has you using the older PBKDF2
algorithm in GRUB.
Encrypted LUKSv2 `/boot` is once again possible in Libreboot, but this page
has not yet been updated to contain guidance for that. You can most likely just
adapt the instructions below.
# Article, as-is:
The following guide will explain how to create: The following guide will explain how to create:
+ A boot partition (/dev/sda1 in this example) that GRUB can decrypt with 'passphrase1' + A boot partition (/dev/sda1 in this example) that GRUB can decrypt with 'passphrase1'
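
Review bot: The added heading "# THIS ARTICLE IS OBSOLETE" contradicts the last paragraph of the same notice, which says "You can most likely just adapt the instructions below", and it puts two further top-level `#` headings under the page title. Suggest a lower-level heading or a bold note instead, and say which part of the guide changes: the notice itself states that the guide has the reader use PBKDF2 because GRUB could not handle argon2, so name that as the step to revisit on builds newer than Libreboot 20230625.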

View File

@ -78,6 +78,13 @@ the OpenBSD installer to it with `dd`. Here's an example:
That's it! You should now be able to boot the installer from your USB drive That's it! You should now be able to boot the installer from your USB drive
(the instructions for doing so will be given later). (the instructions for doing so will be given later).
## GRUB2 config on external media
Pick the menu option: *Search for GRUB2 configuration on external media*
If the distro installer image has a `grub.cfg` file inside, this menuentry is
scripted to find it. This works well for many distros.
## Debian or Devuan net install ## Debian or Devuan net install
Download the Debian or Devuan net installer. You can download the Debian ISO Download the Debian or Devuan net installer. You can download the Debian ISO
from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from
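
Review bot: In the new "GRUB2 config on external media" section, the sentence naming the menu option has no full stop, and "This works well for many distros" leaves the reader without a next step when no `grub.cfg` is found on the installer image. Suggest ending the sentence properly and pointing at the ISOLINUX section further down the page as the fallback.
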
@ -86,21 +93,9 @@ from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from
Secondly, create a bootable USB drive using the commands in Secondly, create a bootable USB drive using the commands in
[#prepare-the-usb-drive-in-linux](#prepare-the-usb-drive-in-linux). [#prepare-the-usb-drive-in-linux](#prepare-the-usb-drive-in-linux).
Thirdly, boot the USB and enter these commands in the GRUB terminal You can select the option, in the Libreboot GRUB menu, to load GRUB config
(for 64-bit Intel or AMD): from external media, and that should work just fine. Alternatively, pick one
of the ISOLINUX-related menu options.
set root='usb0'
linux /install.amd/vmlinuz
initrd /install.amd/initrd.gz
boot
If you are on a 32-bit system (e.g. some Thinkpad X60's) then you will need to
use these commands (this is also true for 32-bit running on 64-bit machines):
set root='usb0'
linux /install.386/vmlinuz
initrd /install.386/initrd.gz
boot
## Booting ISOLINUX Images (Automatic Method) ## Booting ISOLINUX Images (Automatic Method)
Boot it in GRUB using the `Parse ISOLINUX config (USB)` option. A new menu Boot it in GRUB using the `Parse ISOLINUX config (USB)` option. A new menu
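
Review bot: The replacement paragraph under "Debian or Devuan net install" drops the 32-bit guidance. The removed text distinguished `/install.amd/` from `/install.386/` paths, and nothing in the new text says whether the external-media option covers 32-bit installers. "Should work just fine" also gives no recovery path, so consider keeping the manual `linux` / `initrd` / `boot` commands as a documented fallback for when the menu option does not find a config. The step wording now stops at "Secondly" with the "Thirdly" sentence gone, which is worth smoothing.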

View File

@ -117,6 +117,28 @@ machine powered down) and read the contents of the boot flash.
Extract grub.cfg Extract grub.cfg
================ ================
Releases *after* Libreboot 20230625
-----------------------------------
Releases after Libreboot 20230625 contain `grub.cfg` inside the GRUB memdisk,
inaccessible directly from CBFS, but the memdisk is inside `grub.elf` which
gets put inside CBFS.
An override is possible, on these Libreboot revisions. If `grub.cfg` is present
in CBFS, Libreboot's GRUB will use *that* and not the memdisk one; it will not
auto-switch to `grubtest.cfg`, but the test config will be available in the
menu to switch to, if present.
You can find `grub.cfg` under lbmk (for this purpose, it's best to use the
lbmk one, not the release one - unless you're using a release after 20230625).
Find it at path: `resources/grub/config/grub.cfg`.
So, you can *add* `grubtest.cfg` as normal, test that, and
then *add* `grub.cfg` once you're happy, and it will override the default.
Libreboot 20230625 and below:
----------------------------
libreboot images that use the GRUB bootloader will have *two* configuration libreboot images that use the GRUB bootloader will have *two* configuration
files in CBFS: files in CBFS:
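
Review bot: The parenthetical in the paragraph starting "You can find `grub.cfg` under lbmk" is circular: this subsection is already scoped to releases after Libreboot 20230625, yet it says to prefer the lbmk copy "unless you're using a release after 20230625". State plainly which source of `grub.cfg` matches which image, so a reader does not insert a config taken from a different revision than the ROM being modified. The heading "Libreboot 20230625 and below:" also carries a trailing colon that its sibling heading does not.
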
@ -149,6 +171,11 @@ from your ROM image.
Insert new grub.cfg Insert new grub.cfg
=================== ===================
NOTE: As stated above, releases after Libreboot 20230625 only default to
the config in memdisk, and lack a CBFS config, so you can skip the *remove*
step below and just directly add the new `grub.cfg` - unless you already
added one before, in which case removal is required first.
Remove the old `grub.cfg` (substitute with `grubtest.cfg` as desired): Remove the old `grub.cfg` (substitute with `grubtest.cfg` as desired):
cbfstool dump.bin remove -n grub.cfg cbfstool dump.bin remove -n grub.cfg
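
Review bot: The NOTE makes the remove step conditional on whether a `grub.cfg` was already added to CBFS, but gives the reader no way to tell. Suggest one more sentence telling the reader to list the image contents first (for example with `cbfstool dump.bin print`) and to run `remove -n grub.cfg` only when the file is listed. "only default to the config in memdisk" would read more clearly as "default to the config in memdisk only".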

View File

@ -3,6 +3,9 @@ title: Hardening GRUB
x-toc-enable: true x-toc-enable: true
... ...
**NOTE: [Encrypted /boot with LUKS2 on argon2 key derivation is now
possible](../../news/argon2.md) but not yet documented by this guide.**
This article only applies to those people who use the GRUB bootloader as This article only applies to those people who use the GRUB bootloader as
their default payload (options besides GRUB are also available in their default payload (options besides GRUB are also available in
libreboot). Whenever this article refers to GRUB, or configuration files libreboot). Whenever this article refers to GRUB, or configuration files
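
Review bot: The link in the added NOTE targets `../../news/argon2.md`, while the notice added to the encryption guide in this same commit links `../../news/argon2.html`. Use one form in all three guides so the links resolve the same way after the site is built.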

View File

@ -3,6 +3,19 @@ title: ZFSbootmenu with Full Disk Encryption Guide
x-toc-enable: true x-toc-enable: true
... ...
This article is obsolete!
=========================
**NOTE: [Encrypted /boot with LUKS2 on argon2 key derivation is now
possible](../../news/argon2.md) but not yet documented by this guide.**
zfsbootmenu is still nice, but no longer required. Use latest Libreboot and
boot encrypted /boot (with argon2) directly from GRUB if you want to. Guides
need to be written for this, and are not yet present on the Libreboot site.
Article
=======
As described in the [general encryption guide,](encryption.md) Libreboot allows for full disk encryption including the boot partition. As described in the [general encryption guide,](encryption.md) Libreboot allows for full disk encryption including the boot partition.
Just as with the general guide, this explanation will demonstrate how to create a partition with moderate encryption for GRUB as well as a root partition with strong encryption. Just as with the general guide, this explanation will demonstrate how to create a partition with moderate encryption for GRUB as well as a root partition with strong encryption.
The major differences between the encryption method described in the general guide and this guide are: The major differences between the encryption method described in the general guide and this guide are:
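
Review bot: The heading "This article is obsolete!" is followed by "zfsbootmenu is still nice, but no longer required", so the heading overstates what the text says; wording along the lines of "no longer required" would match. "Use latest Libreboot" should also agree with the encryption guide's notice in this commit, which says argon2 is absent from the Libreboot 20230625 release and present only in later releases or in a build from lbmk.git.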