Libreboot uses the GRUB payload by default, which means that the GRUB configuration file (where your GRUB menu comes from) is stored directly alongside libreboot and it's GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems.
On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the machine.
This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer.
Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols).
when the installer asks you to setup encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. Choose 'no'.
Your user password should be different than the LUKS password which you will set later on. Your LUKS password should, like the user password, be secure.
Choose 'Manual' partitioning:
Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
Installation will ask what kernel you want to use. linux-generic is fine.
Choose "Trisquel Desktop Environment" if you want GNOME, "Trisquel-mini Desktop Environment" if you want LXDE or "Triskel Desktop Environment" if you want KDE. If you want to have no desktop (just a basic shell) when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). You might also want to choose some of the other package groups; it's up to you.
If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.)
Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. You could also choose 'No'. Choice is irrelevant here.
You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.
Just say 'Yes'.
At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
Do that:
grub> cryptomount -a (ahci0,msdos1)
grub> set root='lvm/buzz-distro'
grub> linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root
grub> initrd /initrd.img
grub> boot
If you didn't encrypted your home directory, then you can safely ignore this section.
Immediately after logging in, do that:
$ sudo ecryptfs-unwrap-passphrase
This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
Modify your grub.cfg (in the firmware) using this tutorial; just change the default menu entry 'Load Operating System' to say this inside:
cryptomount -a (ahci0,msdos1)
set root='lvm/buzz-distro'
linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root
initrd /initrd.img
Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.
The GRUB utility can be used like so:
$ grub-mkpasswd-pbkdf2
Give it a password (remember, it has to be secure) and it'll output something like:
grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM using this tutorial.
$ sudo apt-get update
$ sudo apt-get upgrade
If you followed all that correctly, you should now have a fully encrypted system.
Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
A copy of the license can be found at ../license.txt.
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.