aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRaghav Gururajan <rvgn@disroot.org>2019-05-23 17:28:19 +0000
committerrvgn <rvgn@disroot.org>2019-05-26 14:16:14 -0400
commita5d8218a9531bd5d15a045277c0bc6d7b2623186 (patch)
tree46fc097c94231879f3c72cf2c231423a57b6b629 /docs
parent43fa74047323066f53065b53387d77fdc2e29203 (diff)
downloadlibrebootfr-a5d8218a9531bd5d15a045277c0bc6d7b2623186.tar.gz
librebootfr-a5d8218a9531bd5d15a045277c0bc6d7b2623186.zip
Guix System with Full-Disk Encryption on Libreboot
Diffstat (limited to 'docs')
-rw-r--r--docs/gnulinux/guix_system.md371
-rw-r--r--docs/gnulinux/index.md2
2 files changed, 373 insertions, 0 deletions
diff --git a/docs/gnulinux/guix_system.md b/docs/gnulinux/guix_system.md
new file mode 100644
index 00000000..1c89254f
--- /dev/null
+++ b/docs/gnulinux/guix_system.md
@@ -0,0 +1,371 @@
+# Guix System with Full Disk Encryption on Libreboot
+
+## 1 Objective
+
+To provide step-by-step guide for setting up guix system (stand-alone guix)
+with full disk encryption (including /boot) on devices powered by libreboot.
+
+## 2 Scope
+
+Any users, for their generalised use cases, need not stumble away from this
+guide to accomplish the setup.
+
+Advanced users, for deviant use cases, will have to explore outside this
+guide for customisation; although this guide provides information that is
+of paramount use.
+
+## 3 Process
+
+### 3.1 Preparation
+
+In your current GNU/Linux System, open terminal as root user.
+
+Insert USB drive and get the USB device name /dev/sdX, where “X” is the
+variable to make a note of.
+
+`lsblk`
+
+Unmount the USB drive just in case if it’s auto-mounted.
+
+`umount /dev/sdX`
+
+Download the latest (a.b.c) Guix System ISO Installer Package (sss) and
+it’s GPG Signature; where “a.b.c” is the variable for version number and
+“sss” is the variable for system architecture.
+
+`wget https://ftp.gnu.org/gnu/guix/guix-system-install-a.b.c.sss-linux.iso.xz`
+
+`wget https://ftp.gnu.org/gnu/guix/guix-system-install-a.b.c.sss-linux.iso.xz.sig`
+
+Import required public key.
+
+`gpg --keyserver pool.sks-keyservers.net --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5`
+
+Verify the GPG Signature of the downloaded package.
+
+`gpg --verify guix-system-install-a.b.c.sss-linux.iso.xz.sig`
+
+Extract the ISO Image from the downloaded package.
+
+`xz -d guix-system-install-a.b.c.sss-linux.iso.xz`
+
+Write the extracted ISO Image to the USB drive.
+
+`dd if=guix-system-install-a.b.c.sss-linux.iso of=/dev/sdX; sync`
+
+Reboot the device.
+
+`reboot`
+
+### 3.2 Pre-Installation
+
+On reboot, as soon as you see the Libreboot Graphic Art, press arrow keys
+to change the menu entry.
+
+Choose “Search for GRUB2 configuration on external media [s]” and wait
+for the Guix System from USB drive to load.
+
+Set your keyboard layout lo, where “lo” is the two-letter keyboard layout
+code (example: us or uk).
+
+`loadkeys lo`
+
+Unblock network interfaces (if any).
+
+`rfkill unblock all`
+
+Get the names of your network interfaces.
+
+`ifconfig -a`
+
+Bring your required network interface nwif (wired or wireless) up, where
+“nwif” is the variable for interface name. For wired connections,
+this should be enough.
+
+`ifconfig nwif up`
+
+For wireless connection, create a configuration file using text editor,
+where “fname” is the variable for any desired filename.
+
+`nano fname.conf`
+
+Choose, type and save ONE of the following snippets, where ‘nm’ is the
+name of the network you want to connect, ‘pw’ is the corresponding
+network’s password or passphrase and ‘un’ is user identity.
+
+For most private networks:
+```
+network={
+ ssid="nm"
+ key_mgmt=WPA-PSK
+ psk="pw"
+}
+```
+
+(or)
+
+For most public networks:
+```
+network={
+ ssid="nm"
+ key_mgmt=NONE
+}
+```
+
+(or)
+
+For most organisational networks:
+```
+network={
+ ssid="nm"
+ scan_ssid=1
+ key_mgmt=WPA-EAP
+ identity="un"
+ password="pw"
+ eap=PEAP
+ phase1="peaplabel=0"
+ phase2="auth=MSCHAPV2"
+}
+```
+
+Connect to the configured network, where “fname” is the filename and
+“nwif” is the network interface name.
+
+`wpa_supplicant -c fname.conf -i nwif -B`
+
+Assign an IP address to your network interface, where “nwif” is the
+network interface name.
+
+`dhclient -v nwif`
+
+Obtain the device name /dev/sdX in which you would like to deploy and
+install Guix System, where “X” is the variable to make a note of.
+
+`lsblk`
+
+Wipe the respective device. Wait for the command operation to finish.
+
+`dd if=/dev/urandom of=/dev/sdX; sync`
+
+Load device-mapper module in the current kernel.
+
+`modprobe dm_mod`
+
+Partition the respective device. Just do, GPT --> New --> Write --> Quit;
+defaults will be set.
+
+`cfdisk /dev/sdX`
+
+Encrypt the respective partition.
+
+`cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdX1`
+
+Obtain and note down the “LUKS UUID”.
+
+`cryptsetup luksUUID /dev/sdX1`
+
+Open the respective encrypted partition, where “partname” is any
+desired partition name.
+
+`cryptsetup luksOpen /dev/sdX1 partname`
+
+Make filesystem on the respective partition, where “fsname” is any
+desired filesystem name.
+
+`mkfs.ext4 -L fsname /dev/mapper/partname`
+
+Mount the respective filesystem under the current system.
+
+`mount LABEL=fsname /mnt`
+
+Create a swap file and make it readable cum writable only by root.
+
+`dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=2048`
+
+`chmod 600 /mnt/swapfile`
+
+`mkswap /mnt/swapfile`
+
+`swapon /mnt/swapfile`
+
+### 3.3 Installation
+
+Make the installation packages to be written on the respective
+mounted filesystem.
+
+`herd start cow-store /mnt`
+
+Create the required directory.
+
+`mkdir /mnt/etc`
+
+Create, edit and save the configuration file by typing the following
+code snippet. WATCH-OUT for variables in the code snippet and
+replace them with your relevant values.
+
+`nano /mnt/etc/config.scm`
+
+Snippet:
+
+```
+(use-modules
+ (gnu)
+ (gnu system nss))
+(use-service-modules
+ xorg
+ desktop)
+(use-package-modules
+ certs
+ gnome)
+(operating-system
+ (host-name "hostname")
+ (timezone "Zone/SubZone")
+ (locale "ab_XY.1234")
+ (keyboard-layout
+ (keyboard-layout
+ "xy"
+ "altgr-intl"))
+ (bootloader
+ (bootloader-configuration
+ (bootloader
+ (bootloader
+ (inherit grub-bootloader)
+ (installer #~(const #t))))
+ (keyboard-layout keyboard-layout)))
+ (mapped-devices
+ (list
+ (mapped-device
+ (source
+ (uuid "luks-uuid"))
+ (target "partname")
+ (type luks-device-mapping))))
+ (file-systems
+ (append
+ (list
+ (file-system
+ (device
+ (file-system-label "fsname"))
+ (mount-point "/")
+ (type "ext4")
+ (dependencies mapped-devices)))
+ %base-file-systems))
+ (users
+ (append
+ (list
+ (user-account
+ (name "username")
+ (comment "Full Name")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "cdrom" "tape" "kvm"))))
+ %base-user-accounts))
+ (packages
+ (append
+ (list
+ nss-certs
+ gvfs)
+ %base-packages))
+ (services
+ (append
+ (list
+ (extra-special-file "/usr/bin/env"
+ (file-append coreutils "/bin/env"))
+ (set-xorg-configuration
+ (xorg-configuration
+ (keyboard-layout keyboard-layout)))
+ (service gnome-desktop-service-type))
+ %desktop-services))
+ (name-service-switch %mdns-host-lookup-nss))
+```
+
+Initialise new Guix System.
+
+`guix system init /mnt/etc/config.scm /mnt`
+
+Reboot the device.
+
+`reboot`
+
+### 3.4 Post-Installation
+
+On reboot, as soon as you see the Libreboot Graphic Art, choose
+the option 'Load Operating System [o]'
+
+Enter LUKS Key, for libreboot's grub, as prompted.
+
+You may have to go through warning prompts by repeatedly
+pressing the "enter/return" key.
+
+You will now see guix's grub menu from which you can go with the
+default option.
+
+Enter LUKS Key again, for kernel, as prompted.
+
+Upon GNOME Login Screen, login as "root" with password field empty.
+
+Open terminal from the GNOME Dash.
+
+Set passkey for "root" user. Follow the prompts.
+
+`passwd root`
+
+Set passkey for "username" user. Follow the prompts.
+
+`passwd username`
+
+Update the guix distribution. Wait for the process to finish.
+
+`guix pull`
+
+Update the search paths.
+
+`export PATH="$HOME/.config/guix/current/bin:$PATH"`
+
+`export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"`
+
+Update the guix system. Wait for the process to finish.
+
+`guix system reconfigure /etc/config.scm`
+
+Reboot the device.
+
+`reboot`
+
+## 4 Conclusion
+
+Everything should be stream-lined from now. You can follow your
+regular boot steps without requiring manual intervention. You can
+start logging in as regualar user with the respective "username".
+
+You will have to periodically (at your convenient time) login as root
+and do the latter part of section 3.4, to keep your guix distribution
+and guix system updated.
+
+That is it! You have now setup guix system with full-disk encryption
+on your device powered by libreboot. Enjoy!
+
+## 5 References
+
+[1] Guix Manual (http://guix.gnu.org/manual/en/).
+
+[2] Libreboot Documentation (https://libreboot.org/docs/).
+
+## 6 Acknowledgements
+
+[1] Thanks to Guix Developer, Clement Lassieur (clement@lassieur.org),
+for helping me with the Guile Scheme Code for the Bootloader Configuration.
+
+[2] Thanks to Libreboot Founder and Developer,
+Leah Rowe (leah@libreboot.org), for helping me to understand the
+libreboot’s functionalities better.
+
+## 7 License
+
+Copyright (C) RAGHAV GURURAJAN (rvgn@disroot.org).
+
+Permission is granted to copy, distribute and/or modify this document
+under the terms of the GNU Free Documentation License, Version 1.3
+or any later version published by the Free Software Foundation;
+with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
+
+A copy of the license can be found at
+"https://www.gnu.org/licenses/fdl-1.3.en.html". \ No newline at end of file
diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md
index bc7a04f8..76d98941 100644
--- a/docs/gnulinux/index.md
+++ b/docs/gnulinux/index.md
@@ -16,6 +16,8 @@ However, with Libreboot, GRUB is already included directly (as a payload), so ev
- [Modifying the GRUB Configuration in Libreboot Systems](grub_cbfs.md)
+- [Guix System with Full-Disk Encryption on Libreboot](guix_system.md)
+
- [Installing Parabola or Arch GNU+Linux-Libre, with Full-Disk Encryption (including /boot)](encrypted_parabola.md)
- Follow-Up Tutorial: [Configuring Parabola (Post-Install)](configuring_parabola.md)