Fully Encrypted SSD Bootable Drive - 2nd Opinion

I want to set up a fully encrypted bootable external SSD running off Librem hardware, that is as secure as it can be. Searching around I came across this guide:

A few things don’t make sense, and I want a 2nd opinion:

A) Is there really any security benefit separating the boot partition from the drive on a separate USB? What is the security risk having an unencrypted boot partition?

B) Are there any unintended consequences to destroying the mapping & overriding the header?

1 Like

I believe the problem with that is some sort of evil maid attack. Let’s say you leave your laptop unprotected in your room, someone goes in and changes the boot partition into an altered version that will record the disk encryption password. The attacker can then retrieve your password and read your data.

If you are using PureBoot, you should be able to detect that this attack has happened (thus preventing you from typing your password into a compromised system). However, you will not be able to prevent the attack.

With /boot in a separate USB, you can prevent it by keeping your boot partition close to you at all times. Of course, this just moves the problem and you must now protect the boot drive from any threat.
Also, I don’t know if Heads (and by extension PureBoot) is able to verify the integrity of the boot partition in a USB drive. If not, you cannot verify the integrity of /boot and this is a bad idea.

It should be noted that a generic attack on /boot does not require physical presence. However, if you are able to compromise a system to such a level that you have write access to /boot, you can probably already read all the information from the drives, so stealing the disk encryption key is probably useless.

1 Like
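As an added illustration of the integrity check the reply above relies on (this is not code from the thread, from Heads or from PureBoot), the following shell script hashes every file under a /boot tree into a manifest and later diffs the tree against it, so a changed, added or removed kernel, initrd or grub.cfg shows up. The fake /boot, its file names and the tampering step are constructed for the demonstration:

```shell
#!/usr/bin/env bash
# Added example (not Heads/PureBoot code): hash every file under a /boot tree
# into a manifest, then re-check the tree against that manifest. Any changed,
# added or removed file (kernel, initrd, grub.cfg, ...) shows up as a diff.
set -u

# boot_manifest <dir>: print "sha256  ./path" for every regular file under
# <dir>, in a stable order, so two runs on identical trees produce identical
# output. NUL-separated find/sort/xargs keeps odd file names intact.
boot_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# verify_boot <dir> <manifest>: return 0 when the tree still matches the
# saved manifest; otherwise print the unified diff and return 1.
verify_boot() {
    local dir=$1 manifest=$2
    if boot_manifest "$dir" | diff -u "$manifest" -; then
        echo "OK: $dir matches $manifest"
        return 0
    fi
    echo "MISMATCH: $dir no longer matches $manifest" >&2
    return 1
}

# --- demonstration on a constructed fake /boot (no real system files) ---
demo=$(mktemp -d)
mkdir -p "$demo/boot/grub"
printf 'fake kernel image\n' > "$demo/boot/vmlinuz-6.1"
printf 'fake initramfs\n'    > "$demo/boot/initrd.img-6.1"
printf 'set default=0\nlinux /vmlinuz-6.1 root=/dev/mapper/cryptroot\n' \
    > "$demo/boot/grub/grub.cfg"

# Take the manifest while the tree is known good. Heads keeps the equivalent
# list signed with the user's GPG key; here it is just a file outside /boot.
boot_manifest "$demo/boot" > "$demo/boot.manifest"
verify_boot "$demo/boot" "$demo/boot.manifest"

# Simulate an evil-maid edit of the boot loader configuration.
printf '# line appended by someone else\n' >> "$demo/boot/grub/grub.cfg"
verify_boot "$demo/boot" "$demo/boot.manifest" || echo "tampering detected"

rm -rf "$demo"
```

Heads does this job from firmware, before anything in /boot runs, against a hash list signed with the owner's key. A manifest stored on the same writable /boot partition proves nothing, since whoever altered /boot can rewrite it too; keep it off the drive or sign it, and treat a mismatch as "do not type the passphrase", exactly as the reply describes.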

If I kept boot on an SD card with the hardware lock on, can I assume it would prevent any boot loader attacks?

If the write protect in the SD card works as advertised, yes. It is a matter of trust (or if you can audit that the SD card does as it says, even better).

May I ask what device do you intend to do this on? If you have access to PureBoot, this is unnecessary, unless you really care about getting access to your device after it has been compromised, which you would be able to do anyway by keeping a backup of the boot partition and restoring it should its integrity verification fail.

Isolating the boot partition in an external drive and keeping it inaccessible after the device has booted might sound like a good idea, but any updates to /boot will have to be installed manually. And given that the /boot integrity verification is already good enough to detect these attacks, I wouldn’t even bother with isolating the boot loader in a separate drive.

You can buy a USB flash drive that has hardware write-protect. As @dpr says though … same problem, you don’t really know whether the write-protect works as advertised.

1 Like

I tested it… it didn’t work as advertised :frowning:

1 Like

I’m using a Librem with PureBoot. What I’m going for though is an SSD I could plug into any Linux hardware and still boot to it.

So far, I’ve tried making a boot partition on the SSD (unencrypted), and a separate one on an SD card.

…Neither has worked yet.

I’m getting the same error on reboot:
DMAR: DRHD: handling fault status reg 3
DMAR: [DMA Read} Request device [00:02.0] PASID ffffffff fault ad
[fault reason 06] PTE Read access is not set

I’m setting up the Swap, Home, and Root in the same encrypted container.

Somewhere in the bootloader, it’s not asking me for the password to open the SSD encrypted container with the Root, Home, Swap partitions?

Any ideas of the fix?

Does this mean it works once, then you reboot and get an error?

No. So far I haven’t got it to work, regardless of where I put the bootloader.

I think the bootloader is the problem. Grub isn’t prompting for a password to decrypt and mount the SSD system partition.

So far, I can’t see where/how to change the settings to prompt for a password.
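An added example (not PureOS, GRUB or Calamares code) for the symptom described above. On a Debian-derived system such as PureOS the passphrase prompt for a LUKS root normally comes from the initramfs, which only knows which container to open if /etc/crypttab names it; GRUB itself prompts only when /boot lives inside the container and GRUB_ENABLE_CRYPTODISK=y is set in /etc/default/grub. The script checks those three files for exactly that. The fstab and crypttab contents, the mapping name cryptroot and the all-zero UUID are constructed placeholders:

```shell
#!/usr/bin/env bash
# Added example (not PureOS/GRUB code): check the three files that decide
# whether an encrypted root gets a passphrase prompt on a Debian/PureOS-style
# system (GRUB + initramfs-tools + cryptsetup). Assumptions: / lives on
# /dev/mapper/<name>, and the initramfs learns <name> from /etc/crypttab.
set -u

# fstab_root_device <fstab>: print the device column of the "/" entry.
fstab_root_device() {
    awk '$1 !~ /^#/ && NF >= 2 && $2 == "/" { print $1; exit }' "$1"
}

# crypttab_has_mapping <crypttab> <name>: 0 when a non-comment line's first
# column is <name>, else 1.
crypttab_has_mapping() {
    awk -v name="$2" '$1 !~ /^#/ && $1 == name { found = 1 } END { exit !found }' "$1"
}

# audit_crypt_boot <root dir> <boot-on-luks: yes|no>
# Reads <root>/etc/{fstab,crypttab,default/grub}; returns 0 if a prompt can
# happen, 1 otherwise, printing one line per finding.
audit_crypt_boot() {
    local root=$1 boot_on_luks=$2 problems=0 dev name
    dev=$(fstab_root_device "$root/etc/fstab")
    case $dev in
        /dev/mapper/*)
            name=${dev#/dev/mapper/}
            if crypttab_has_mapping "$root/etc/crypttab" "$name"; then
                echo "ok: crypttab has '$name'; the initramfs will prompt for it before mounting /"
            else
                echo "PROBLEM: / is $dev but crypttab has no '$name' line; the initramfs cannot open it"
                problems=1
            fi ;;
        "")
            echo "PROBLEM: no '/' entry in $root/etc/fstab"; problems=1 ;;
        *)
            echo "note: / is $dev, not a /dev/mapper device; nothing to unlock before mounting" ;;
    esac
    if [ "$boot_on_luks" = yes ]; then
        if grep -Eq '^GRUB_ENABLE_CRYPTODISK=y$' "$root/etc/default/grub"; then
            echo "ok: GRUB_ENABLE_CRYPTODISK=y, so GRUB itself asks for the passphrase to read /boot"
        else
            echo "PROBLEM: /boot is inside LUKS but GRUB_ENABLE_CRYPTODISK=y is missing; GRUB cannot read the kernel"
            problems=1
        fi
    else
        echo "note: plain /boot, so GRUB shows no prompt; the passphrase prompt comes from the initramfs"
    fi
    return "$problems"
}

# --- demonstration on constructed files (no real system config touched) ---
demo=$(mktemp -d)
mkdir -p "$demo/etc/default"
printf '/dev/mapper/cryptroot  /  ext4  errors=remount-ro  0 1\n' > "$demo/etc/fstab"
printf '# empty crypttab: the situation that produces "no password prompt"\n' > "$demo/etc/crypttab"
printf 'GRUB_CMDLINE_LINUX=""\n' > "$demo/etc/default/grub"

echo "== before fix =="
audit_crypt_boot "$demo" no || echo "-> the initramfs would never ask for the passphrase"

# Fix: name the LUKS container (UUID is a placeholder; take yours from blkid).
printf 'cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks,discard\n' >> "$demo/etc/crypttab"
echo "== after fix =="
audit_crypt_boot "$demo" no && echo "-> now run update-initramfs -u and update-grub"

rm -rf "$demo"
```

On a real system call audit_crypt_boot / no (or yes when /boot is inside the container). After editing /etc/crypttab or /etc/default/grub the change only reaches the boot media once update-initramfs -u and update-grub have been rerun. The DMAR lines quoted earlier in the thread are IOMMU fault messages from the Linux kernel, not from GRUB, so they are a separate question from the missing prompt.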

I would hypothesize that Grub might be losing track of where your OS is if they’re on different devices. I have MX Linux and its boot partition on an external SSD (I just selected the external drive in the installer, told it to encrypt, and let it run normally) and it boots fine. I haven’t tried it on a different computer, though.

Drilling down in the grub config file, it looks like several hours of searching to figure this one out.

Have you ever seen some kind of grub config file generator that would allow the user to input startup disk params, and it would generate a bootloader to match?

I never tried this because I’ve never had the need, but Grub Customizer is the only thing that comes to mind that might do what you want. Worth a look, anyway.

I think the live PureOS (devel’) installer allows one to set WHERE the bootloader is installed/configured from.

You have to format the drive/device initially as GPT with an unformatted partition labeled ‘BIOS/grub’, but that information is available during initial install in the formatting procedure. Maybe this information will connect some dots as to why you’re having problems (it doesn’t for me though :stuck_out_tongue: :sweat_smile:)

So after boot/install you have:

  1. 512 MB ext2 partition (this is where the installer places the bootloader from above)
  2. 512 MB ext2 /boot partition
  3. 32 GB LUKS / and /home partition (can be larger or smaller depending on what you set during install)
  4. any other partitions such as /home (maybe if you set it to be separate from /), since GPT allows for more than a few partitions on the same drive and >2 TB
2 Likes
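An added example, not PureOS or Calamares code, that checks a partition table for the layout listed in the post above: it parses an sfdisk-style dump (what sfdisk --dump <disk> prints) and reports whether the first partition carries the BIOS boot type GUID that sgdisk abbreviates as EF02, which is what GRUB needs on a GPT disk started by SeaBIOS/coreboot. The dumps, device names and sizes below are constructed:

```shell
#!/usr/bin/env bash
# Added example (not PureOS/Calamares code): read an sfdisk-style GPT dump
# (sfdisk --dump <disk>) and check whether the layout has the BIOS boot
# partition (sgdisk code EF02) that GRUB needs on a GPT disk started by
# SeaBIOS/coreboot. That partition holds GRUB's core.img, carries no
# filesystem and is never mounted.
set -u

# GPT type GUIDs; sgdisk shows them as the two-byte codes EF02 and 8300.
BIOS_BOOT_GUID=21686148-6449-6E6F-744E-656564454649
LINUX_FS_GUID=0FC63DAF-8483-4772-8E79-3D69D8477DE4

# gpt_partitions <dump>: print "<device> <type GUID>" per partition line,
# e.g. "/dev/nvme0n1p1 : start=2048, size=2048, type=21686148-...".
gpt_partitions() {
    awk -F'[ :,=]+' '$0 ~ /^\/dev\/[^ ]+ : / {
        for (i = 2; i < NF; i++) if ($i == "type") print $1, toupper($(i + 1))
    }' "$1"
}

# bios_boot_status <dump>: 0 = first partition is EF02 (the layout in the
# post), 2 = an EF02 partition exists but is not first, 1 = none at all.
bios_boot_status() {
    gpt_partitions "$1" | awk -v guid="$BIOS_BOOT_GUID" '
        BEGIN { rc = 1 }
        $2 == guid { rc = (NR == 1 ? 0 : 2); exit }
        END { exit rc }'
}

# report_layout <dump>: human-readable verdict with the same exit code.
report_layout() {
    local rc=0
    bios_boot_status "$1" || rc=$?
    case $rc in
        0) echo "ok: partition 1 is the BIOS boot partition (EF02); expect it to show as unmounted" ;;
        2) echo "warning: EF02 partition present but not first; GRUB can still embed there" ;;
        *) echo "PROBLEM: no EF02 partition; grub-install on this GPT disk under BIOS/coreboot will fail" ;;
    esac
    return "$rc"
}

# --- demonstration on constructed dumps (sizes: 512 MB = 1048576 sectors) ---
demo=$(mktemp -d)
cat > "$demo/pureos.dump" <<EOF
label: gpt
device: /dev/nvme0n1
unit: sectors

/dev/nvme0n1p1 : start=2048, size=1048576, type=$BIOS_BOOT_GUID
/dev/nvme0n1p2 : start=1050624, size=1048576, type=$LINUX_FS_GUID
/dev/nvme0n1p3 : start=2099200, size=67108864, type=$LINUX_FS_GUID
EOF
cat > "$demo/noboot.dump" <<EOF
label: gpt
device: /dev/sda
unit: sectors

/dev/sda1 : start=2048, size=1048576, type=$LINUX_FS_GUID
/dev/sda2 : start=1050624, size=67108864, type=$LINUX_FS_GUID
EOF
report_layout "$demo/pureos.dump"
report_layout "$demo/noboot.dump" || true
rm -rf "$demo"
```

On a real machine feed it the output of sfdisk --dump /dev/nvme0n1 (run as root). The type GUID is what makes the partition special to grub-install; whether a filesystem was later written into it does not change how GRUB uses it.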

I would agree.

Isn’t the first partition (unformatted) called ef02?

gdisk shows me that this is the first partition that I left unformatted ‘BIOS/GRUB’ and now, AFTER install, it shows as ext2 because it was changed by the installation automatically.

It says /dev/nvme0n1p1 because it’s an NVMe M.2 SSD, not SATA based.

1 Like

Initially I was surprised that the PureOS Calamares install goes with ext2, not FAT, which is still universal, but I guess that ext2 does the job too since it’s a non-journaled file system type …

All right (I was not focused); I wanted to say that the first partition code is EF02 and not 8300 (as usually created ones). Thanks @reC!

1 Like

I wonder why the EF02 (as you say it is) shows up as ‘unmounted’ as opposed to all the other partitions that show ‘mounted’ followed by a path. Do you know why?

I’d say it is having a dialog with Coreboot (or Legacy BIOS) only/directly (perhaps during the booting stage only). Therefore the first partition isn’t part of the visible/regular (mounted) PureOS partitions (just my quick thought, as I’m not at this moment using PureOS).

But still (or anyway), I think (but am not sure) that this feature is an essential part of PureOS and not found in any other Linux distribution. Thanks for asking!

2 Likes

Yes. My thoughts on this exactly. I haven’t seen other GNU/Linux distributions that employ this means of booting, as the label ‘BIOS/GRUB’ isn’t the same thing as /boot. Interestingly enough, PureOS doesn’t boot for me if I try to make /boot part of / with /home. It ONLY works if the first two are individual partitions distinct from / …

2 Likes