Installing Debian or Devuan GNU/Linux with full disk encryption (including /boot)

This guide is written for the Debian distribution, but it should also work for Devuan with the net installer.

Libreboot on x86 uses the GRUB payload by default, which means that the GRUB configuration file (where your GRUB menu comes from) is stored directly alongside libreboot and its GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems.

On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system.

This guide is written for Debian net installer. You can download the ISO from the homepage on debian.org. Use this on the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):
set root='usb0'
linux /install.amd/vmlinuz
initrd /install.amd/initrd.gz
boot
If you are on a 32-bit system (e.g. X60):
set root='usb0'
linux /install.386/vmlinuz
initrd /install.386/initrd.gz
boot

This guide shows how to create a boot USB drive with the Debian ISO image.

This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.

Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.

Back to previous index

Set a strong user password (lots of lowercase/uppercase, numbers and symbols).

Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).

when the installer asks you to set up encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. Choose 'no'.

Your user password should be different from the LUKS password which you will set later on. Your LUKS password should, like the user password, be secure.

Partitioning

Choose 'Manual' partitioning:

Further partitioning

Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.

Kernel

Installation will ask what kernel you want to use. linux-generic is fine.

Tasksel

For Debian, use the MATE option, or one of the others if you want. The libreboot project recommends MATE, unless you're saavy enough to choose something else.

If you want debian-testing, then you should only select barebones options here and change the entries in /etc/apt/sources.list after install to point to the new distro, and then run apt-get update and apt-get dist-upgrade as root, then reboot and run tasksel as root. This is to avoid downloading large packages twice.

NOTE: If you want the latest up to date version of the Linux kernel, Debian's kernel is sometimes outdated, even in the testing distro. You might consider using this repository instead, which contains the most up to date versions of the Linux kernel. These kernels are also deblobbed, like Debian's kernels, so you can be sure that no binary blobs are present.

Postfix configuration

If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.)

Install the GRUB boot loader to the master boot record

Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. You could also choose 'No'. Choice is irrelevant here.

You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.

Clock UTC

Just say 'Yes'.

Booting your system

At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.

Do that:
grub> cryptomount -a
grub> set root='lvm/matrix-root'
grub> linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
grub> initrd /initrd.img
grub> boot

ecryptfs

If you didn't encrypt your home directory, then you can safely ignore this section.

Immediately after logging in, do that:
$ sudo ecryptfs-unwrap-passphrase

This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>

Modify grub.cfg (CBFS)

Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.

Modify your grub.cfg (in the firmware) using this tutorial; just change the default menu entry 'Load Operating System' to say this inside:

cryptomount -a
set root='lvm/matrix-root'
linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
initrd /initrd.img

Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes. You can also specify -u UUID or -a (device).

Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.

Use of the diceware method is recommended, for generating secure passphrases (as opposed to passwords).

The GRUB utility can be used like so:
$ grub-mkpasswd-pbkdf2

Give it a password (remember, it has to be secure) and it'll output something like:
grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711

Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).

Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
			

MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. Then select the menu entry that says Switch to grubtest.cfg and test that it works. Then copy that to grub.cfg once you're satisfied. WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.

(emphasis added, because it's needed. This is a common roadblock for users)

Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!

After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM using this tutorial.

Troubleshooting

A user reported issues when booting with a docking station attached on an X200, when decrypting the disk in GRUB. The error AHCI transfer timed out was observed. The workaround was to remove the docking station.

Further investigation revealed that it was the DVD drive causing problems. Removing that worked around the issue.


"sudo wodim -prcap" shows information about the drive:
Device was not specified. Trying to find an appropriate drive...
Detected CD-R drive: /dev/sr0
Using /dev/cdrom of unknown capabilities
Device type    : Removable CD-ROM
Version        : 5
Response Format: 2
Capabilities   : 
Vendor_info    : 'HL-DT-ST'
Identification : 'DVDRAM GU10N    '
Revision       : 'MX05'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.

Drive capabilities, per MMC-3 page 2A:

  Does read CD-R media
  Does write CD-R media
  Does read CD-RW media
  Does write CD-RW media
  Does read DVD-ROM media
  Does read DVD-R media
  Does write DVD-R media
  Does read DVD-RAM media
  Does write DVD-RAM media
  Does support test writing

  Does read Mode 2 Form 1 blocks
  Does read Mode 2 Form 2 blocks
  Does read digital audio blocks
  Does restart non-streamed digital audio reads accurately
  Does support Buffer-Underrun-Free recording
  Does read multi-session CDs
  Does read fixed-packet CD media using Method 2
  Does not read CD bar code
  Does not read R-W subcode information
  Does read raw P-W subcode data from lead in
  Does return CD media catalog number
  Does return CD ISRC information
  Does support C2 error pointers
  Does not deliver composite A/V data

  Does play audio CDs
  Number of volume control levels: 256
  Does support individual volume control setting for each channel
  Does support independent mute setting for each channel
  Does not support digital output on port 1
  Does not support digital output on port 2

  Loading mechanism type: tray
  Does support ejection of CD via START/STOP command
  Does not lock media on power up via prevent jumper
  Does allow media to be locked in the drive via PREVENT/ALLOW command
  Is not currently in a media-locked state
  Does not support changing side of disk
  Does not have load-empty-slot-in-changer feature
  Does not support Individual Disk Present feature

  Maximum read  speed:  4234 kB/s (CD  24x, DVD  3x)
  Current read  speed:  4234 kB/s (CD  24x, DVD  3x)
  Maximum write speed:  4234 kB/s (CD  24x, DVD  3x)
  Current write speed:  4234 kB/s (CD  24x, DVD  3x)
  Rotational control selected: CLV/PCAV
  Buffer size in KB: 1024
  Copy management revision supported: 1
  Number of supported write speeds: 4
  Write speed # 0:  4234 kB/s CLV/PCAV (CD  24x, DVD  3x)
  Write speed # 1:  2822 kB/s CLV/PCAV (CD  16x, DVD  2x)
  Write speed # 2:  1764 kB/s CLV/PCAV (CD  10x, DVD  1x)
  Write speed # 3:   706 kB/s CLV/PCAV (CD   4x, DVD  0x)

Supported CD-RW media types according to MMC-4 feature 0x37:
  Does write multi speed       CD-RW media
  Does write high  speed       CD-RW media
  Does write ultra high speed  CD-RW media
  Does not write ultra high speed+ CD-RW media

Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license or any later version published by Creative Commons; A copy of the license can be found at ../cc-by-sa-4.0.txt

Updated versions of the license (when available) can be found at https://creativecommons.org/licenses/by-sa/4.0/legalcode

UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.