From a5d8218a9531bd5d15a045277c0bc6d7b2623186 Mon Sep 17 00:00:00 2001 From: Raghav Gururajan Date: Thu, 23 May 2019 17:28:19 +0000 Subject: Guix System with Full-Disk Encryption on Libreboot --- docs/gnulinux/guix_system.md | 371 +++++++++++++++++++++++++++++++++++++++++++ docs/gnulinux/index.md | 2 + 2 files changed, 373 insertions(+) create mode 100644 docs/gnulinux/guix_system.md (limited to 'docs') diff --git a/docs/gnulinux/guix_system.md b/docs/gnulinux/guix_system.md new file mode 100644 index 00000000..1c89254f --- /dev/null +++ b/docs/gnulinux/guix_system.md 
@@ -0,0 +1,371 @@ +# Guix System with Full Disk Encryption on Libreboot + +## 1 Objective + +To provide step-by-step guide for setting up guix system (stand-alone guix) +with full disk encryption (including /boot) on devices powered by libreboot. + +## 2 Scope + +Any users, for their generalised use cases, need not stumble away from this +guide to accomplish the setup. + +Advanced users, for deviant use cases, will have to explore outside this +guide for customisation; although this guide provides information that is +of paramount use. + +## 3 Process + +### 3.1 Preparation + +In your current GNU/Linux System, open terminal as root user. + +Insert USB drive and get the USB device name /dev/sdX, where “X” is the +variable to make a note of. + +`lsblk` + +Unmount the USB drive just in case if it’s auto-mounted. + +`umount /dev/sdX` + +Download the latest (a.b.c) Guix System ISO Installer Package (sss) and +it’s GPG Signature; where “a.b.c” is the variable for version number and +“sss” is the variable for system architecture. + +`wget https://ftp.gnu.org/gnu/guix/guix-system-install-a.b.c.sss-linux.iso.xz` + +`wget https://ftp.gnu.org/gnu/guix/guix-system-install-a.b.c.sss-linux.iso.xz.sig` + +Import required public key. + +`gpg --keyserver pool.sks-keyservers.net --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5` + +Verify the GPG Signature of the downloaded package. + +`gpg --verify guix-system-install-a.b.c.sss-linux.iso.xz.sig` + +Extract the ISO Image from the downloaded package. + +`xz -d guix-system-install-a.b.c.sss-linux.iso.xz` + +Write the extracted ISO Image to the USB drive. + +`dd if=guix-system-install-a.b.c.sss-linux.iso of=/dev/sdX; sync` + +Reboot the device. + +`reboot` + +### 3.2 Pre-Installation + +On reboot, as soon as you see the Libreboot Graphic Art, press arrow keys +to change the menu entry. + +Choose “Search for GRUB2 configuration on external media [s]” and wait +for the Guix System from USB drive to load. 
+ +Set your keyboard layout lo, where “lo” is the two-letter keyboard layout +code (example: us or uk). + +`loadkeys lo` + +Unblock network interfaces (if any). + +`rfkill unblock all` + +Get the names of your network interfaces. + +`ifconfig -a` + +Bring your required network interface nwif (wired or wireless) up, where +“nwif” is the variable for interface name. For wired connections, +this should be enough. + +`ifconfig nwif up` + +For wireless connection, create a configuration file using text editor, +where “fname” is the variable for any desired filename. + +`nano fname.conf` + +Choose, type and save ONE of the following snippets, where ‘nm’ is the +name of the network you want to connect, ‘pw’ is the corresponding +network’s password or passphrase and ‘un’ is user identity. + +For most private networks: +``` +network={ + ssid="nm" + key_mgmt=WPA-PSK + psk="pw" +} +``` + +(or) + +For most public networks: +``` +network={ + ssid="nm" + key_mgmt=NONE +} +``` + +(or) + +For most organisational networks: +``` +network={ + ssid="nm" + scan_ssid=1 + key_mgmt=WPA-EAP + identity="un" + password="pw" + eap=PEAP + phase1="peaplabel=0" + phase2="auth=MSCHAPV2" +} +``` + +Connect to the configured network, where “fname” is the filename and +“nwif” is the network interface name. + +`wpa_supplicant -c fname.conf -i nwif -B` + +Assign an IP address to your network interface, where “nwif” is the +network interface name. + +`dhclient -v nwif` + +Obtain the device name /dev/sdX in which you would like to deploy and +install Guix System, where “X” is the variable to make a note of. + +`lsblk` + +Wipe the respective device. Wait for the command operation to finish. + +`dd if=/dev/urandom of=/dev/sdX; sync` + +Load device-mapper module in the current kernel. + +`modprobe dm_mod` + +Partition the respective device. Just do, GPT --> New --> Write --> Quit; +defaults will be set. + +`cfdisk /dev/sdX` + +Encrypt the respective partition. 
+ +`cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdX1` + +Obtain and note down the “LUKS UUID”. + +`cryptsetup luksUUID /dev/sdX1` + +Open the respective encrypted partition, where “partname” is any +desired partition name. + +`cryptsetup luksOpen /dev/sdX1 partname` + +Make filesystem on the respective partition, where “fsname” is any +desired filesystem name. + +`mkfs.ext4 -L fsname /dev/mapper/partname` + +Mount the respective filesystem under the current system. + +`mount LABEL=fsname /mnt` + +Create a swap file and make it readable cum writable only by root. + +`dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=2048` + +`chmod 600 /mnt/swapfile` + +`mkswap /mnt/swapfile` + +`swapon /mnt/swapfile` + +### 3.3 Installation + +Make the installation packages to be written on the respective +mounted filesystem. + +`herd start cow-store /mnt` + +Create the required directory. + +`mkdir /mnt/etc` + +Create, edit and save the configuration file by typing the following +code snippet. WATCH-OUT for variables in the code snippet and +replace them with your relevant values. 
+ +`nano /mnt/etc/config.scm` + +Snippet: + +``` +(use-modules + (gnu) + (gnu system nss)) +(use-service-modules + xorg + desktop) +(use-package-modules + certs + gnome) +(operating-system + (host-name "hostname") + (timezone "Zone/SubZone") + (locale "ab_XY.1234") + (keyboard-layout + (keyboard-layout + "xy" + "altgr-intl")) + (bootloader + (bootloader-configuration + (bootloader + (bootloader + (inherit grub-bootloader) + (installer #~(const #t)))) + (keyboard-layout keyboard-layout))) + (mapped-devices + (list + (mapped-device + (source + (uuid "luks-uuid")) + (target "partname") + (type luks-device-mapping)))) + (file-systems + (append + (list + (file-system + (device + (file-system-label "fsname")) + (mount-point "/") + (type "ext4") + (dependencies mapped-devices))) + %base-file-systems)) + (users + (append + (list + (user-account + (name "username") + (comment "Full Name") + (group "users") + (supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "cdrom" "tape" "kvm")))) + %base-user-accounts)) + (packages + (append + (list + nss-certs + gvfs) + %base-packages)) + (services + (append + (list + (extra-special-file "/usr/bin/env" + (file-append coreutils "/bin/env")) + (set-xorg-configuration + (xorg-configuration + (keyboard-layout keyboard-layout))) + (service gnome-desktop-service-type)) + %desktop-services)) + (name-service-switch %mdns-host-lookup-nss)) +``` + +Initialise new Guix System. + +`guix system init /mnt/etc/config.scm /mnt` + +Reboot the device. + +`reboot` + +### 3.4 Post-Installation + +On reboot, as soon as you see the Libreboot Graphic Art, choose +the option 'Load Operating System [o]' + +Enter LUKS Key, for libreboot's grub, as prompted. + +You may have to go through warning prompts by repeatedly +pressing the "enter/return" key. + +You will now see guix's grub menu from which you can go with the +default option. + +Enter LUKS Key again, for kernel, as prompted. + +Upon GNOME Login Screen, login as "root" with password field empty. 
+ +Open terminal from the GNOME Dash. + +Set passkey for "root" user. Follow the prompts. + +`passwd root` + +Set passkey for "username" user. Follow the prompts. + +`passwd username` + +Update the guix distribution. Wait for the process to finish. + +`guix pull` + +Update the search paths. + +`export PATH="$HOME/.config/guix/current/bin:$PATH"` + +`export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"` + +Update the guix system. Wait for the process to finish. + +`guix system reconfigure /etc/config.scm` + +Reboot the device. + +`reboot` + +## 4 Conclusion + +Everything should be stream-lined from now. You can follow your +regular boot steps without requiring manual intervention. You can +start logging in as regualar user with the respective "username". + +You will have to periodically (at your convenient time) login as root +and do the latter part of section 3.4, to keep your guix distribution +and guix system updated. + +That is it! You have now setup guix system with full-disk encryption +on your device powered by libreboot. Enjoy! + +## 5 References + +[1] Guix Manual (http://guix.gnu.org/manual/en/). + +[2] Libreboot Documentation (https://libreboot.org/docs/). + +## 6 Acknowledgements + +[1] Thanks to Guix Developer, Clement Lassieur (clement@lassieur.org), +for helping me with the Guile Scheme Code for the Bootloader Configuration. + +[2] Thanks to Libreboot Founder and Developer, +Leah Rowe (leah@libreboot.org), for helping me to understand the +libreboot’s functionalities better. + +## 7 License + +Copyright (C) RAGHAV GURURAJAN (rvgn@disroot.org). + +Permission is granted to copy, distribute and/or modify this document +under the terms of the GNU Free Documentation License, Version 1.3 +or any later version published by the Free Software Foundation; +with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. + +A copy of the license can be found at +"https://www.gnu.org/licenses/fdl-1.3.en.html". \ No newline at end of file 
diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md index bc7a04f8..76d98941 100644 --- a/docs/gnulinux/index.md +++ b/docs/gnulinux/index.md @@ -16,6 +16,8 @@ However, with Libreboot, GRUB is already included directly (as a payload), so ev - [Modifying the GRUB Configuration in Libreboot Systems](grub_cbfs.md) +- [Guix System with Full-Disk Encryption on Libreboot](guix_system.md) + - [Installing Parabola or Arch GNU+Linux-Libre, with Full-Disk Encryption (including /boot)](encrypted_parabola.md) - Follow-Up Tutorial: [Configuring Parabola (Post-Install)](configuring_parabola.md) -- cgit v1.2.3-54-g00ecf
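Review bot: the `cryptsetup -v --cipher serpent-xts-plain64 ... --iter-time 500 ... luksFormat /dev/sdX1` line in section 3.2 shortens the passphrase key-derivation time with `--iter-time 500`, which makes the passphrase cheaper to guess offline than cryptsetup's default; drop the flag or state why a faster unlock is worth that trade, and pin the header format with an explicit `--type luks1`, since section 3.4 depends on Libreboot's GRUB payload unlocking this volume and the format cryptsetup picks by default varies between versions. Three smaller points in the same hunk: the `mkswap /mnt/swapfile` and `swapon /mnt/swapfile` steps only take effect in the live installer session, while the config.scm snippet declares no `swap-devices`, so the installed system will come up without swap unless the file is added there; the GPG step should say what a successful `gpg --verify` looks like and that the fingerprint of the key fetched with `--recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5` must be checked against the one published in the Guix manual (reference [1]), because fetching a key from a keyserver does not by itself authenticate it; and section 3.4 has the user log in as root with an empty password on a system where `%desktop-services` has already brought networking up, so the guide should make `passwd root` the very first post-install action or have config.scm set a root password before the first boot.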
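Review bot: the new index entry reads "Full-Disk Encryption" with a hyphen while the page it links to is titled "Guix System with Full Disk Encryption on Libreboot" without one; use the same spelling in both places so the link text matches the page heading (the neighbouring Parabola entry and the commit subject both use the hyphenated form).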