Ok so I have a Librem 14, 1TB HD with pureOS installed, whole drive encrypted and my USB keys working. My issue is I wish to resize the existing partition, create a new partition with the free space. Probably Go half and Half on the space, can’t imagine needing 500GB for my purposes. Then installing a FULL Kali linux distro on the new partition.
I’d like my Tamper Key to still light green, I’d like both partitions or the full drive encrypted once BOTH Operating Systems are installed on it. Then upon boot with valid credentials, to be able to choose from my installed OS’s (kali or PureOS), but with my tamper Key, validate no one has messed with the laptop.
I’m certain this is possible without a complete wipe and reformat. However, I lack the knowledge with this encryption system and linux to accomplish this.
Would someone be so generous as to explain it to me like I’m 5 years old on how to do this step by step? I really would appreciate the help, as my research hasn’t helped to the degree I need. Any assistance is most welcome!
I think what you want to achieve is actually quite difficult. To clarify one thing though:
You probably don’t have that. Most likely what you have is:
a very small boot partition that is not encrypted (and which is protected by the tamper detection)
a root partition that occupies almost the whole drive and which is encrypted (and which is protected by the encryption but can also optionally be protected by the tamper detection)
I’m not sure that the tamper detection from the Librem Key can support multiple boot partitions.
Just throwing another idea into the mix … can you set up a VM within PureOS and then run Kali Linux in the VM? I guess it depends on what your goal is in having multiple distros.
I could use a VM i guess. You’re correct that the PureBoot appears to be unencrypted, with a Hash check for the Tamper USB device that comes with the laptop. My intent is to use the Kali linux distro for RedTeam, Pen Testing, and mostly OSINT. Those things become tricky using a proxy AND a VM setup. I don’t want my OS telling what i’m doing one thing, while the VM is telling me another. It’s easier to just have completely separate instances to keep things sorted.
Ideally, i’d like to setup the PureBoot to recognize the dual boot config, if possible? Not sure how to do that though? Hence me looking for help here. I appreciate your ideas! Keep them coming!
I would just USB boot Kali as needed to keep things as separate as possible. Sure it’s a bit more effort to reimage the USB drive when a new build of Kali is relevant to my needs, but realistically that isn’t very often.
That’s one of my concerns. From what I understand, PureBoot only works with one operating system at a time. Is there a tamper detection boot loader, that I can use with the tamper detection key? I’ve ordered a new M.2 drive that will be here Monday for the laptop. They’re so cheap, if it saves me hours of headache, fine. But i need encryption, tamper detection, and privacy.
Suggestions are MOST welcome! Thank you for your generosity and professionalism. I really appreciate everyone’s help1
The concern is that, in a more hard-core environment, the target may fight back. Unless you are 100% confident that there are zero security defects in the Linux distro that you are using (unlikely ever to be the case) then you might have to reimage the USB drive after every session.
Another option might be to use
a Linux distro that works well in a read-only environment (Tails?), and
an external drive of some kind that has “reliable” hardware write protect.
The downsides of this approach are:
the suitable external drives that I have seen are slow (compared with NVMe), and
you have to take “reliable” on trust - may be OK but you probably can’t be sure. (It is still better to write-protect than not to write-protect.)
That is also my understanding. I think Pureboot & Librem Key & boot partition correspond 1-to-1.
You might have to refer your question to Purism for confirmation.
I mean, you could sign the USB key after creation and verify the USB key before each use with the librem key via pgp. You could even limit it to the unencrypted boot partition of the USB key and encrypt the Kali install on USB similar to how pureboot only verifies the unencrypted boot partition and not the entire encrypted disk. Just verify from within pureos before locking the key away/before use instead of on each boot, sure that’s a slightly different workflow but one I see as more practical.
Though for Kali I’d verify the whole USB drive as my workflow doesn’t require unexpected use of it and as such I have plenty of time to verify the image between uses. Engagements are typically scheduled well in advance with scoping that would make it clear whether or not there is risk of “fighting back”.
As for a USB drive being “slow”, sure it’s slower than NVMe, but it’s definitely more than serviceable for its normal use case.
Perhaps this is just my ignorance talking, but if the librem key verifies the boot partition, then is it not just a matter of re-signing after installing the 2nd distro? Or is it more complicated than that? There’s no real need to have more than one /boot.
Ok, had 2 other thoughts here. Originally I was just going to use Katoolin to add the Kali tools to the PureOS system. That does NOT work well. It throws a fit. PGP key issues, python compatibility issues, repository signing issues, and more. It’s a headache.
I’ve got the latest Librem 14. Can I just wipe out PureOS, Install a Full Kali distro, set PureBoot to work with it? The second drive i ordered, I can use for “research” I guess?
What’s the perks of PureOS that i seem to be missing? It seems like a stripped down Ubuntu distro that has A LOT of limits to me?! Granted, i may be missing things and honestly would like to know perks. As I’d like to maximize my knowlege.
Thank you again for being so generous and kind with my ignorance.
(Pureboot can be asked to verify whatever additional directories on the root partition you want - but that is optional. It would be rare to verify the entire encrypted partition but you could do it in some very specialised application, I suppose. The problem would be the “false negatives” if using a mainstream Linux distro where files in e.g. /tmp and e.g. ~ would be changing all the time.)
I’ll see you your ignorance and raise you mine.
If you can boot a choice of distro out of the one single boot partition then the Librem Key side of it could work - other than the pain in the proverbial that there would be twice as many potential re-signing events - and you might have to forgo the root partition directory verification (since there would be two root partitions).
I don’t know whether the two distros would safely stay out of each other’s way though. Maybe the way to test that is to start with a new (smaller) external disk and using a common boot partition and separate encrypted root partitions install PureOS and install another distro, without spending too much time configuring either distro - just to see that they co-exist nicely and that you can even get that set up correctly.
Ok, so I asked Purism support. This is what I got back. Hopefully it will help us achieve what we need. Incidently, what benefits does PureOS have over Kali? Why would anyone use that PureOS? Does PureBoot work with Kali as an only OS on purism 14 laptops?
Quote exchange between purism support and me:
"I’m afraid I am not aware of any such system.
Just to be completely correct (technically), you CAN setup PureBoot with dual boot easily actually: use the same boot partition for both systems. But like I mentioned previously: “it is not a good idea to have a shared /boot partition, it could create various and unexpected problems.” Problem is that both systems could overwrite each other’s boot files, so definitely not something an experienced user would do, let alone a novice user. Highly not recommended.
On Wednesday, 4 January 2023 at 00:56, David Tindell wrote:
Hello,
Thank you for generously getting back to me so quickly! It really speaks highly to your character.
One last question?
Is there any boot loader option you’re aware of that can work with your tamper resistant key, and a dual boot system? I’m happy to replace the pureboot with another for added security.
Thanks,"
Does everyone agree? I’m highly ignorant here and would appreciate any assistance!
I think only someone running both could answer that (or the opposite question i.e. benefits of Kali over PureOS).
The obvious benefit is that
Purism would test releases of PureOS on Purism hardware - but other distro producers might not do so, and
if something goes wrong and you want support from Purism, they might reasonably tell you to put PureOS back and reproduce the problem (you can’t expect Purism to install, maintain and support every Linux distro).
I personally would say - install the one Linux distro on the given computer that works best for you for the intended purpose of that computer. Ideally that is a distro that you have some experience with so that you can resolve problems if and when they arise.
Also, I have tended to steer clear of having two distros (two operating systems) on one disk - but rather use an external disk for any additional operating system (and in this case accept that it will not be covered by the Librem 14 boot integrity but, as @OpojOJirYAlG says, you can basically verify an external disk without booting it and before booting it).
FWIW I’ve dual-booted off of one disk (I do this on laptops) and not run into any issues. It wasn’t a purism laptop, but pureboot notwithstanding, its entirely possible to have a painless experience. I always did, except for dual-booting Ubuntu and Ubuntu derivatives together. It confuses the bios as the derivative shows up as a Ubuntu boot entry (in this case it was Zorin) and I’d lose the Ubuntu bootloader.
As for Kali vs PureOS, Kali is more of a suite of tools versus a proper “desktop” operating system (at least it was some years ago). Kali is great for pen testing and stuff, not so much for games and video editing or blogging. Parrot isn’t a bad way to go if you want both, though.
And then I suppose there is also the question as to whether you can run PureOS but install some or all of those tools that are available with Kali by default.
I’ve attempted using “katoolin” on pureOS to achieve exactly that. To have all the Kali tools on my laptop without the Kali install. The statement “Kali is just a bunch of tools, on top of linux” is basically accurate. You “should” be able to use ANY Linux distribution and use those tools.
Two issues arise though. 1. That’s a lot of tools to install one at a time.
2. Using a script like Katoolin throws error after error. Even using sudo update and verifying pgp keys.
Thus, if anyone can easily walk me through a bulk install of the Kali tools on latest pureOS, that’d work. I sure can’t get it to work or find anyone address that specifically.
Or… how do I get pureboot to do the same checks with only Kali installed? Dies pureboot care what OS it’s checking? Does it work with any librem key and OS setup?
I really appreciate this info! I’m truly ignorant with thus stuff and the education I’m getting is invaluable. Thank you all!
I appreciate your ideas! Keep them coming!
