From ca0cbef01f12e31f62c3832a5cb39de31891413f Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Tue, 27 Sep 2016 21:28:52 +0100 Subject: docs/gnulinux: rename encrypted_trisquel.html to encrypted_debian.html --- docs/gnulinux/encrypted_debian.html | 519 ++++++++++++++++++++++++++++++++++++ 1 file changed, 519 insertions(+) create mode 100644 docs/gnulinux/encrypted_debian.html (limited to 'docs/gnulinux/encrypted_debian.html') diff --git a/docs/gnulinux/encrypted_debian.html b/docs/gnulinux/encrypted_debian.html new file mode 100644 index 00000000..e7e9c773 --- /dev/null +++ b/docs/gnulinux/encrypted_debian.html @@ -0,0 +1,519 @@ + + + + + + + + + Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot) + + + +
+

Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot)

+

+ The libreboot project recommends Debian, because it is more stable and up to date, + while still being entirely free software by default. Leah Rowe, libreboot's + lead maintainer, also runs Debian. See: + ../distros/ +

+

+ Libreboot on x86 uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and its GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

+ +

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the system. +

+

+ This guide is written for Debian. + This also works in Trisquel 7 (probably Trisquel 8), and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). + How to boot a GNU/Linux installer. +

+

+ This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely. +

+ + +

+ Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive. +

+

Back to previous index

+
+ +
+ +

+ Set a strong user password (lots of lowercase/uppercase, numbers and symbols). +

+ +

+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords). +

+ +

+ when the installer asks you to set up + encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it + will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. + Choose 'no'. +

+ +

+ + Your user password should be different from the LUKS password which you will set later on. + Your LUKS password should, like the user password, be secure. + +

+ +
+ +
+ +

Partitioning

+ +

Choose 'Manual' partitioning:

+ + +
+ +
+ +

Further partitioning

+ +

+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. +

+ + +
+ +
+ +

Kernel

+ +

+ Installation will ask what kernel you want to use. linux-generic is fine. +

+ +
+ +
+ +

Tasksel (Debian or Trisquel)

+ +

+ Choose "Trisquel Desktop Environment" if you want GNOME, + "Trisquel-mini Desktop Environment" if you + want LXDE or "Triskel Desktop Environment" if you want KDE. + If you want to have no desktop (just a basic shell) + when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). + You might also want to choose some of the other package groups; it's up to you. +

+

+ For Debian, use the MATE option, or one of the others if you want. +

+

+ On Debian or Trisquel, you may also want to select the option for a printer server, + so that you can print. +

+

+ If you want debian-testing, then you should only select barebones options here + and change the entries in /etc/apt/sources.list after install to point to the new distro, + and then run apt-get update and apt-get dist-upgrade + as root, then reboot and run tasksel as root. This is to avoid downloading large + packages twice. +

+ +
+ +
+ +

Postfix configuration

+ +

+ If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) +

+ +
+ +
+ +

Install the GRUB boot loader to the master boot record

+ +

+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. + You could also choose 'No'. Choice is irrelevant here. +

+ +

+ You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. +

+ +
+ +
+ +

Clock UTC

+ +

+ Just say 'Yes'. +

+ +
+ +
+ +

+ Booting your system +

+ +

+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. +

+ +

+ Do that:
+ grub> cryptomount -a
+ grub> set root='lvm/matrix-root'
+ grub> linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
+ grub> initrd /initrd.img
+ grub> boot +

+ +
+ +
+ +

+ ecryptfs +

+ +

+ If you didn't encrypt your home directory, then you can safely ignore this section. +

+ +

+ Immediately after logging in, do that:
+ $ sudo ecryptfs-unwrap-passphrase +

+ +

+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note + somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> +

+ +
+ +
+ +

+ Modify grub.cfg (CBFS) +

+ +

+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. +

+ +

+ Modify your grub.cfg (in the firmware) using this tutorial; + just change the default menu entry 'Load Operating System' to say this inside: +

+ +

+ cryptomount -a
+ set root='lvm/matrix-root'
+ linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
+ initrd /initrd.img +

+ +

+ Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes. + You can also specify -u UUID or -a (device). +

+ +

+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see + GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. +

+

+ Use of the diceware method is recommended, for generating secure passphrases (as opposed to passwords). +

+ +

+ The GRUB utility can be used like so:
+ $ grub-mkpasswd-pbkdf2 +

+ +

+ Give it a password (remember, it has to be secure) and it'll output something like:
+ grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 +

+

+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords). +

+ +

+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
+

+ 
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+
+

+ MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. + Then select the menu entry that says Switch to grubtest.cfg and test that it works. + Then copy that to grub.cfg once you're satisfied. + WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. +

+

+ (emphasis added, because it's needed. This is a common roadblock for users) +

+ +

+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! +

+ +

+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM + using this tutorial. +

+ +
+ +
+ +

Troubleshooting

+ +

+ A user reported issues when booting with a docking station attached + on an X200, when decrypting the disk in GRUB. The error + AHCI transfer timed out was observed. The workaround + was to remove the docking station. +

+ +

+ Further investigation revealed that it was the DVD drive causing problems. + Removing that worked around the issue. +

+ +
+
+"sudo wodim -prcap" shows information about the drive:
+Device was not specified. Trying to find an appropriate drive...
+Detected CD-R drive: /dev/sr0
+Using /dev/cdrom of unknown capabilities
+Device type    : Removable CD-ROM
+Version        : 5
+Response Format: 2
+Capabilities   : 
+Vendor_info    : 'HL-DT-ST'
+Identification : 'DVDRAM GU10N    '
+Revision       : 'MX05'
+Device seems to be: Generic mmc2 DVD-R/DVD-RW.
+
+Drive capabilities, per MMC-3 page 2A:
+
+  Does read CD-R media
+  Does write CD-R media
+  Does read CD-RW media
+  Does write CD-RW media
+  Does read DVD-ROM media
+  Does read DVD-R media
+  Does write DVD-R media
+  Does read DVD-RAM media
+  Does write DVD-RAM media
+  Does support test writing
+
+  Does read Mode 2 Form 1 blocks
+  Does read Mode 2 Form 2 blocks
+  Does read digital audio blocks
+  Does restart non-streamed digital audio reads accurately
+  Does support Buffer-Underrun-Free recording
+  Does read multi-session CDs
+  Does read fixed-packet CD media using Method 2
+  Does not read CD bar code
+  Does not read R-W subcode information
+  Does read raw P-W subcode data from lead in
+  Does return CD media catalog number
+  Does return CD ISRC information
+  Does support C2 error pointers
+  Does not deliver composite A/V data
+
+  Does play audio CDs
+  Number of volume control levels: 256
+  Does support individual volume control setting for each channel
+  Does support independent mute setting for each channel
+  Does not support digital output on port 1
+  Does not support digital output on port 2
+
+  Loading mechanism type: tray
+  Does support ejection of CD via START/STOP command
+  Does not lock media on power up via prevent jumper
+  Does allow media to be locked in the drive via PREVENT/ALLOW command
+  Is not currently in a media-locked state
+  Does not support changing side of disk
+  Does not have load-empty-slot-in-changer feature
+  Does not support Individual Disk Present feature
+
+  Maximum read  speed:  4234 kB/s (CD  24x, DVD  3x)
+  Current read  speed:  4234 kB/s (CD  24x, DVD  3x)
+  Maximum write speed:  4234 kB/s (CD  24x, DVD  3x)
+  Current write speed:  4234 kB/s (CD  24x, DVD  3x)
+  Rotational control selected: CLV/PCAV
+  Buffer size in KB: 1024
+  Copy management revision supported: 1
+  Number of supported write speeds: 4
+  Write speed # 0:  4234 kB/s CLV/PCAV (CD  24x, DVD  3x)
+  Write speed # 1:  2822 kB/s CLV/PCAV (CD  16x, DVD  2x)
+  Write speed # 2:  1764 kB/s CLV/PCAV (CD  10x, DVD  1x)
+  Write speed # 3:   706 kB/s CLV/PCAV (CD   4x, DVD  0x)
+
+Supported CD-RW media types according to MMC-4 feature 0x37:
+  Does write multi speed       CD-RW media
+  Does write high  speed       CD-RW media
+  Does write ultra high speed  CD-RW media
+  Does not write ultra high speed+ CD-RW media
+
+
+ +
+ +
+ +

+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Permission is granted to copy, distribute and/or modify this document + under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license + or any later version published by Creative Commons; + + A copy of the license can be found at ../cc-by-sa-4.0.txt +

+ +

+ Updated versions of the license (when available) can be found at + https://creativecommons.org/licenses/by-sa/4.0/legalcode +

+ +

+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. +

+

+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. +

+

+ The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. +

+ +
+ + + -- cgit v1.2.3-70-g09d2