Merge branch 'zfsboot' of shmalebx9/lbwww into master

hslick-master
Leah Rowe 2023-03-25 18:32:14 +00:00 committed by Gogs
commit a96b7a0cc5
3 changed files with 217 additions and 19 deletions

View File

@ -0,0 +1,102 @@
# Fully Encrypted Boot and Root Partitions with Libreboot
The following guide will explain how to create:
+ A boot partition (/dev/sda1 in this example) that GRUB can decrypt with 'passphrase1'
+ A root partition (/dev/sda2) with stronger encryption using 'passphrase2'
This guide assumes you are working from a live disk of your preffered distro.
# Creating Encrypted Boot Partition
Grub2 currently (Oct 2021) supports luks2 encryption, which is great, but only the (not very strong) PBKDF2 algorithm.
Start by creating a boot partition of around 1GB, you don't have to format it to anything as LUKS will overwrite it anyway.
**Step 1:**
Create a LUKS2 formatted device with the PBKDF2 algorithm.
You can play around with the iteration count.
A higher iteration is more secure but will take GRUB a **very** long time to decrypt.
The [debian encrypted boot guide](https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html) recommends a count of 500,000 which will still take GRUB a very long time (around 25 seconds) but is faster than the default 1000,000.
Use whatever count makes you feel comfortable.
I'll use and arbitrarily low count.
You'll also want to use a different password than you intend to use for your root partition.
We don't want someone to be able to get our root key by brute-forcing our less secure boot key.
`sudo cryptsetup luksFormat /dev/sda1 --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 200000`
**Step 2:**
Format and mount the new LUKS2 device.
```
sudo cryptsetup luksOpen /dev/sda1 boot
sudo mkfs.ext4 -L boot /dev/mapper/boot
sudo mount /dev/mapper/boot /boot
```
**Note:**
If you wish to change the passphrase for the boot partition in the future then you'll need to pass the same arguments to cryptsetup as when you created it.
If you don't pass any special arguments, the key will be changed to the distro's default encryption and grub won't be able to decrypt it.
The command to use is:
`cryptsetup luksChangeKey /dev/sda1 --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 200000`
# Root Partition
Setting up the root partion is generally simple.
Use the same command without the given parametres used to make the device decryptable by GRUB.
`cryptsetup luksFormat /dev/sda2 root`
# Set Up Grub and Install
You will need to pass the correct kernel parametres to your kernel on boot to allow you to use your encryption passphrase to decrypt the root partition.
These parametres can be passed via a grub config in the boot partition by editing `/etc/default/grub.`
Add the necessary parametres to the line `GRUB_CMDLINE_LINUX_DEFAULT` as follows:
`GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.auto=1 cryptdevice=/dev/sda2:root"`
*rd.auto=1* tells linux that you want to decrypt all disks.
*cryptdevice* tells linux the block device and mapped name you want to use for the root partition.
Note that the mapped name **must** match what you have it `/etc/fstab.`
From here, you can generally follow the install guide from your distro's docs.
Make sure that the generated `/boot/grub/grub.cfg` file indeed contains the necessary kernel parametres and that the `/etc/default/grub` file on the disk has the same modifications described above.
# Set up Fstab
> The device holding the kernel (and the initramfs image) is unlocked by GRUB, but the root device needs to be unlocked again at initramfs stage, regardless whether its the same device. This is because GRUB boots with the given vmlinuz and initramfs images, but there is currently no way to securely pass cryptographic material (or Device Mapper information) to the kernel. Hence the Device Mapper table is initially empty at initramfs stage; in other words, all devices are locked, and the root device needs to be unlocked again.
>
> \- [Debian Guide](https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html)
**Step 1:**
Here, we're not trying to store the root key as we don't want to jeopardize the integrity of our root device.
Instead, we want to store the key for the boot device on the root partition.
```
sudo mkdir -m0700 /etc/keys
su -c '( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync )'
sudo cryptsetup luksAddKey /dev/sda1 /etc/keys/boot.key
```
**Step 2:**
Add your boot device to your crypttab.
You'll need to have the device's UUID.
You can obtain the UUID from `blkid` or simply use the linux block device name `/dev/sda1,` acknowleding it may lead to another device if your disk configuration changes.
```bash
lsblk -o 'PATH,LABEL,UUID' # to get UUID
sudo vim /etc/crypttab
> boot_crypt UUID=YOUR_UUID /etc/keys/boot.key luks,key-slot=1
```
**Step 3:**
Add the crypt device to your fstab.
Use 'mount -a' to test your fstab configuration.
NOTE: you will not be able to mount the device until it has been unlocked and mapped, rebooting with your new crypttab should do this automatically.
```
sudo vim /etc/fstab
> /dev/mapper/boot_crypt /boot ext4 defaults 0 1
sudo mount -a
```

View File

@ -26,14 +26,7 @@ Refer to the following pages:
Encrypted (LUKS/dm-crypt) installations
=======================================
You should install with unencrypted `/boot` partition, but everything else
encrypted. The GRUB payload has LUKSv1 support and (buggy) LUKSv2 support.
There used to be guides for encrypted `/boot` on libreboot.org, but it's not
really viable to do that anymore (with GRUB), due to buggy/incomplete LUKS
support in GRUB.
A better solution for that would be a Linux payload in flash, handling the
A better solution for encryption would be a Linux payload in flash, handling the
encryption, at least if you want to use Linux, because then it'll have
perfect LUKS support.
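Review bot: the retained text at the top of this hunk still tells users to install with an unencrypted `/boot` and describes the GRUB payload's LUKSv2 support as buggy, which contradicts the statement added further down that full encryption with LUKS2 is supported and documented in `encryption.md`; either update those two sentences to match the new guide (encrypted `/boot` is possible when the LUKS2 keyslot uses PBKDF2) or state which GRUB versions the "buggy" remark refers to, so the page does not give two opposite recommendations.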
@ -43,18 +36,10 @@ logic in it that will try to automatically use whatever you have installed,
by switching to it. In this way, most installations Just Work, so long as
the `/boot` partition is accessible.
If you do want encrypted /boot in your distro, please ensure that you have
downgraded to LUKSv1, and generic advice for booting is this (press C to
access a GRUB terminal, when you're in the GRUB payload):
Full encryption for basic LUKS2 is supported in libreboot.
See [the guide](encryption.md) for more detail.
```
set root=`lvm/bla-bla`
linux /vmlinuz root=/dev/mapper/bla-bla cryptdevice=/dev/mapper/bla-bla:root
initrd /initrd.img
boot
```
Adapt according to your configuration.
[The ZFSbootmenu guide](zfsbootmenu.md) builds upon the main encryption guide but describes a setup with ZFS native encryption and ZFSbootmenu.
Rebooting system in case of freeze
===================================
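Review bot: `Full encryption for basic LUKS2 is supported in libreboot` drops the constraint that makes it work: the linked `encryption.md` added in this same commit notes that GRUB only supports PBKDF2 keyslots, so a `/boot` formatted with cryptsetup's defaults will not be openable by GRUB. Stating that constraint here (e.g. "LUKS2 with PBKDF2 keyslots") would stop readers from skipping the guide and formatting with defaults; the removed GRUB-terminal commands (`set root=`, `linux`, `initrd`, `boot`) were also the only documented manual fallback and could be kept under the new guide link.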

View File

@ -0,0 +1,111 @@
---
title: ZFSbootmenu with Full Disk Encryption Guide
x-toc-enable: true
...
As described in the [general encryption guide,](encryption.md) Libreboot allows for full disk encryption including the boot partition.
Just as with the general guide, this explanation will demonstrate how to create a partition with moderate encryption for GRUB as well as a root partition with strong encryption.
The major differences between the encryption method described in the general guide and this guide are:
+ `/boot` must remain on the *root* zfs encrypted partition
+ The root partition will be encrypted with ZFS native encryption rather than LUKS
+ ZFSbootmenu will be loaded at the second boot stage (after Libreboot itself) rather than directly loading the operating system kernel/initramfs
[ZFSbootmenu](https://docs.zfsbootmenu.org/en/latest/) works by placing modified versions of the operating system kernel where they can be loaded by the system's bootloader.
ZFSbootmenu provides installation guides for various major distros in their [official docs.](https://docs.zfsbootmenu.org/en/latest/)
You should follow those docs for installation, only noting the differences necessary for full disk encryption described below.
The only differences between this guide and the docs are:
+ You need not install/configure syslinux as GRUB in Libreboot will be used to load the ZFSbootmenu kernel/initramfs
+ The ZFSbootmenu kernel/initramfs will reside on a LUKS encrypted partition you will create in this guide
+ Cryptsetup must be installed and configured to mount the LUKS encrypted partition
## Creating Encrypted Partition for GRUB
The following section is mostly identical to the main encryption guide except for the naming conventions of the partition in question.
When using ZFSbootmenu, the OS kernel/initramfs will reside on the root partion in the `/boot` directory; **not** on a separate boot partition.
The partition created in this section is only used to load the ZFSbootmenu kernel/initramfs itself and is therefore referred to as the 'pre-boot environment' *(pbe)* partition.
**Step 1:**
Create a LUKS2 formatted device with the PBKDF2 algorithm.
You can play around with the iteration count.
A higher iteration is more secure but will take GRUB a **very** long time to decrypt.
The [debian encrypted boot guide](https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html) recommends a count of 500,000 which will still take GRUB a very long time (around 25 seconds) but is faster than the default 1,000,000.
Use whatever count makes you feel comfortable.
I'll use an arbitrarily low count.
You'll also want to use a different password than you intend to use for your root partition.
We don't want someone to be able to get our root key by brute-forcing our less secure boot key.
`sudo cryptsetup luksFormat /dev/sda1 --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 200000`
**Step 2:**
Format and mount the new LUKS2 device.
```
sudo cryptsetup luksOpen /dev/sda1 pbe
sudo mkfs.ext4 -L boot /dev/mapper/pbe
sudo mkdir -p /boot/pbe
sudo mount /dev/mapper/boot /boot/pbe
```
**Note:**
If you wish to change the passphrase for the boot partition in the future then you'll need to pass the same arguments to cryptsetup as when you created it.
If you don't pass any special arguments, the key will be changed to the distro's default encryption and grub won't be able to decrypt it.
The command to use is:
`cryptsetup luksChangeKey /dev/sda1 --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 200000`
## Configure ZFSbootmenu
The [official ZFSbootmenu docs](https://docs.zfsbootmenu.org/en/latest/guides/general.html) will provide the most up-to-date information.
The only differences from the official documentation relevant here are that anything related to syslinux can be ignored and the configuration must be tailored to create only a single kernel/initramfs set.
Note that you should follow the *MBR/syslinux* guide for your distro if you are using the ZFSbootmenu guides.
Here is an example configuration:
```
> vim /etc/zfsbootmenu/config.yaml
Global:
ManageImages: true
BootMountPoint: /boot/pbe
DracutConfDir: /etc/zfsbootmenu/dracut.conf.d
PreHooksDir: /etc/zfsbootmenu/generate-zbm.pre.d
PostHooksDir: /etc/zfsbootmenu/generate-zbm.post.d
InitCPIOConfig: /etc/zfsbootmenu/mkinitcpio.conf
Components:
ImageDir: /boot/pbe/zfsbootmenu
Versions: false
Enabled: true
syslinux:
Config: /boot/syslinux/syslinux.cfg
Enabled: false
EFI:
ImageDir: /boot/pbe
Versions: false
Enabled: false
Kernel:
CommandLine: ro quiet loglevel=4
```
## Final Steps
Refer to the [general guide](encryption.md) on how to set up fstab/crypttab to mount the pre-boot environment on boot.
Replace references to *boot* with *pbe* if copying commands from the guide.
For example: make sure the partition is mounted at `/boot/pbe` rather than just `/boot.`
Ensure that your OS kernel/initramfs is generated with LUKS support.
LUKS support is generally automatically enabled in the kernel upon installing *cryptsetup.*
Create a simulated grub configuration to point Libreboot's GRUB to ZFSbootmenu.
Libreboot will search for and source a grub configuration file on boot/decryption automatically.
**Do not** actually install GRUB.
Simply create a file on the partition created for GRUB at `/boot/pbe/grub/grub.cfg` which points to the ZFSbootmenu kernel/initramfs.
```
mkdir -p /boot/pbe/grub
> vim /boot/pbe/grub/grub.cfg
linux /zfsbootmenu/vmlinuz-* loglevel=4
initrd /zfsbootmenu/initramfs-*
boot
```
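Review bot: Step 2 opens the LUKS device as `pbe` (`cryptsetup luksOpen /dev/sda1 pbe`) but then mounts `/dev/mapper/boot`, which does not exist at that point; the mount line should read `sudo mount /dev/mapper/pbe /boot/pbe` (and `mkfs.ext4 -L boot` would be clearer as `-L pbe` to follow the naming convention the section introduces). Two things to check before merge: the sample `grub.cfg` relies on `*` expansion in `linux /zfsbootmenu/vmlinuz-*` and `initrd /zfsbootmenu/initramfs-*`, which only works if the GRUB payload has wildcard expansion (the `regexp` module) available, so either confirm that for Libreboot's GRUB or pin the exact filenames; and as rendered here the `config.yaml` block has no indentation, so `ImageDir`, `Versions`, `Enabled` and the other child keys need to be indented under `Global`, `Components`, `syslinux`, `EFI` and `Kernel` or the file will not parse. Also `partion` in the "Creating Encrypted Partition for GRUB" section.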