From 98cc00d45b3bdf62ab4b1cbe813d95aea4f8c9f9 Mon Sep 17 00:00:00 2001 From: Scott Bonds Date: Wed, 12 Oct 2016 10:09:21 -0700 Subject: cleaned up the OpenBSD docs --- docs/bsd/encrypted_debian.html | 519 ----------------------------------------- 1 file changed, 519 deletions(-) delete mode 100644 docs/bsd/encrypted_debian.html (limited to 'docs/bsd/encrypted_debian.html') diff --git a/docs/bsd/encrypted_debian.html b/docs/bsd/encrypted_debian.html deleted file mode 100644 index 64f4668d..00000000 --- a/docs/bsd/encrypted_debian.html +++ /dev/null @@ -1,519 +0,0 @@ - - - - - - - - - Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot) - - - -
-

Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot)

-

- The libreboot project recommends Debian, because it is more stable and up to date, - while still being entirely free software by default. Leah Rowe, libreboot's - lead maintainer, also uses Debian. See: - ../distros/ -

-

- Libreboot on x86 uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and its GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the system. -

-

- This guide is written for Debian. - This also works in Trisquel 7 (probably Trisquel 8), and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). - How to boot a GNU/Linux installer. -

-

- This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely. -

- - -

- Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive. -

-

Back to previous index

-
- -
- -

- Set a strong user password (lots of lowercase/uppercase, numbers and symbols). -

- -

- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords). -

- -

- when the installer asks you to set up - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'. -

- -

- - Your user password should be different from the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - -

- -
- -
- -

Partitioning

- -

Choose 'Manual' partitioning:

- - -
- -
- -

Further partitioning

- -

- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. -

- - -
- -
- -

Kernel

- -

- Installation will ask what kernel you want to use. linux-generic is fine. -

- -
- -
- -

Tasksel (Debian or Trisquel)

- -

- Choose "Trisquel Desktop Environment" if you want GNOME, - "Trisquel-mini Desktop Environment" if you - want LXDE or "Triskel Desktop Environment" if you want KDE. - If you want to have no desktop (just a basic shell) - when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). - You might also want to choose some of the other package groups; it's up to you. -

-

- For Debian, use the MATE option, or one of the others if you want. -

-

- On Debian or Trisquel, you may also want to select the option for a printer server, - so that you can print. -

-

- If you want debian-testing, then you should only select barebones options here - and change the entries in /etc/apt/sources.list after install to point to the new distro, - and then run apt-get update and apt-get dist-upgrade - as root, then reboot and run tasksel as root. This is to avoid downloading large - packages twice. -

- -
- -
- -

Postfix configuration

- -

- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) -

- -
- -
- -

Install the GRUB boot loader to the master boot record

- -

- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. - You could also choose 'No'. Choice is irrelevant here. -

- -

- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. -

- -
- -
- -

Clock UTC

- -

- Just say 'Yes'. -

- -
- -
- -

- Booting your system -

- -

- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. -

- -

- Do that:
- grub> cryptomount -a
- grub> set root='lvm/matrix-root'
- grub> linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
- grub> initrd /initrd.img
- grub> boot -

- -
- -
- -

- ecryptfs -

- -

- If you didn't encrypt your home directory, then you can safely ignore this section. -

- -

- Immediately after logging in, do that:
- $ sudo ecryptfs-unwrap-passphrase -

- -

- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> -

- -
- -
- -

- Modify grub.cfg (CBFS) -

- -

- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. -

- -

- Modify your grub.cfg (in the firmware) using this tutorial; - just change the default menu entry 'Load Operating System' to say this inside: -

- -

- cryptomount -a
- set root='lvm/matrix-root'
- linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
- initrd /initrd.img -

- -

- Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes. - You can also specify -u UUID or -a (device). -

- -

- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. -

-

- Use of the diceware method is recommended, for generating secure passphrases (as opposed to passwords). -

- -

- The GRUB utility can be used like so:
- $ grub-mkpasswd-pbkdf2 -

- -

- Give it a password (remember, it has to be secure) and it'll output something like:
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -

-

- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords). -

- -

- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
-

- 
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
-

- MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. - Then select the menu entry that says Switch to grubtest.cfg and test that it works. - Then copy that to grub.cfg once you're satisfied. - WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. -

-

- (emphasis added, because it's needed. This is a common roadblock for users) -

- -

- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! -

- -

- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM - using this tutorial. -

- -
- -
- -

Troubleshooting

- -

- A user reported issues when booting with a docking station attached - on an X200, when decrypting the disk in GRUB. The error - AHCI transfer timed out was observed. The workaround - was to remove the docking station. -

- -

- Further investigation revealed that it was the DVD drive causing problems. - Removing that worked around the issue. -

- -
-
-"sudo wodim -prcap" shows information about the drive:
-Device was not specified. Trying to find an appropriate drive...
-Detected CD-R drive: /dev/sr0
-Using /dev/cdrom of unknown capabilities
-Device type    : Removable CD-ROM
-Version        : 5
-Response Format: 2
-Capabilities   : 
-Vendor_info    : 'HL-DT-ST'
-Identification : 'DVDRAM GU10N    '
-Revision       : 'MX05'
-Device seems to be: Generic mmc2 DVD-R/DVD-RW.
-
-Drive capabilities, per MMC-3 page 2A:
-
-  Does read CD-R media
-  Does write CD-R media
-  Does read CD-RW media
-  Does write CD-RW media
-  Does read DVD-ROM media
-  Does read DVD-R media
-  Does write DVD-R media
-  Does read DVD-RAM media
-  Does write DVD-RAM media
-  Does support test writing
-
-  Does read Mode 2 Form 1 blocks
-  Does read Mode 2 Form 2 blocks
-  Does read digital audio blocks
-  Does restart non-streamed digital audio reads accurately
-  Does support Buffer-Underrun-Free recording
-  Does read multi-session CDs
-  Does read fixed-packet CD media using Method 2
-  Does not read CD bar code
-  Does not read R-W subcode information
-  Does read raw P-W subcode data from lead in
-  Does return CD media catalog number
-  Does return CD ISRC information
-  Does support C2 error pointers
-  Does not deliver composite A/V data
-
-  Does play audio CDs
-  Number of volume control levels: 256
-  Does support individual volume control setting for each channel
-  Does support independent mute setting for each channel
-  Does not support digital output on port 1
-  Does not support digital output on port 2
-
-  Loading mechanism type: tray
-  Does support ejection of CD via START/STOP command
-  Does not lock media on power up via prevent jumper
-  Does allow media to be locked in the drive via PREVENT/ALLOW command
-  Is not currently in a media-locked state
-  Does not support changing side of disk
-  Does not have load-empty-slot-in-changer feature
-  Does not support Individual Disk Present feature
-
-  Maximum read  speed:  4234 kB/s (CD  24x, DVD  3x)
-  Current read  speed:  4234 kB/s (CD  24x, DVD  3x)
-  Maximum write speed:  4234 kB/s (CD  24x, DVD  3x)
-  Current write speed:  4234 kB/s (CD  24x, DVD  3x)
-  Rotational control selected: CLV/PCAV
-  Buffer size in KB: 1024
-  Copy management revision supported: 1
-  Number of supported write speeds: 4
-  Write speed # 0:  4234 kB/s CLV/PCAV (CD  24x, DVD  3x)
-  Write speed # 1:  2822 kB/s CLV/PCAV (CD  16x, DVD  2x)
-  Write speed # 2:  1764 kB/s CLV/PCAV (CD  10x, DVD  1x)
-  Write speed # 3:   706 kB/s CLV/PCAV (CD   4x, DVD  0x)
-
-Supported CD-RW media types according to MMC-4 feature 0x37:
-  Does write multi speed       CD-RW media
-  Does write high  speed       CD-RW media
-  Does write ultra high speed  CD-RW media
-  Does not write ultra high speed+ CD-RW media
-
-
- -
- -
- -

- Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
- Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at ../cc-by-sa-4.0.txt -

- -

- Updated versions of the license (when available) can be found at - https://creativecommons.org/licenses/by-sa/4.0/legalcode -

- -

- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. -

-

- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. -

-

- The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. -

- -
- - - -- cgit v1.2.3-70-g09d2