How can I utilize pureboot restricted boot on any linux distro?

Let’s say I use gentoo linux. I changed files in /boot. Librem key is going to complain that /boot files are not signed. How am I supposed to sign files in /boot with librem key on any linux distro?


If the files in the boot partition have changed, then PureBoot will prompt you to sign each file within it again.

So, a Linux distribution doesn't need to do anything?

Does pureboot boot from unified kernel images used by UEFI and grub UEFI images?


Yes to the first question. As for the second question:

Does that mean if I want to use gnu guix, I have to write a new bootloader for gnu guix?

GNU Guix currently supports grub-bootloader (for legacy BIOS), grub-efi-bootloader, grub-efi-removable-bootloader, grub-efi-netboot-bootloader, grub-efi-netboot-removable-bootloader, extlinux-bootloader and u-boot-bootloader. It will add a uefi-uki bootloader and a uefi-uki-signed bootloader.


GNU Guix is currently not supported by PureBoot:


If PureBoot treats the kernel and initrd as a bootloader, then in theory I can write a kernel-initrd bootloader for GNU Guix. It will just copy the kernel and initrd to /boot.

How does PureBoot distinguish multiple pairs of kernel and initrd?


@jonathon.hall

I do not know that answer, but you may be interested in a related topic with another user configuring Gentoo Linux with PureBoot on their Librem 14:


If I flash coreboot/SeaBIOS, do I get any tamper detection?


No, but in exchange, the SeaBIOS payload was designed as a compatible open-source replacement for the x86 BIOS, so it will work with legacy operating systems.

On Gentoo Linux, you can just install kernel images with an initrd and run grub-mkconfig -o /boot/grub/grub.cfg without running grub-install. On Gentoo Linux, most tasks are done manually, so Gentoo Linux is incredibly flexible.

GNU Guix is different. It tries to configure the entire system through Guile Scheme.

On GNU Guix, to support the current version of Heads, you will have to write a new bootloader such as grub-heads, which will write /boot/grub/grub.cfg and just install kernel images with an initrd in /boot.

Is there anything that a Linux distribution can do to sign the files in /boot for Heads? Perhaps it is just adding GPG signatures?

Can I flash coreboot with EDK2?


PureBoot and the Librem Key handle those cryptographic functions using GPG signatures, so it may be possible to do so through the operating system instead. You can use this resource to learn more about PureBoot:

Yes, Tianocore is unofficially supported on Librem devices:

However, the Purism devices are no longer listed in the documentation, so I suggest directly contacting @MrChromebox if you want to pursue this option further:

PureBoot/Heads parses the operating system’s GRUB configuration files to locate the kernel, initrd, and command line. Tamper detection signs all the files in /boot, which includes these configuration files as well as all kernels/initrds.

PureBoot/Heads never invokes GRUB. It reads the config files itself and directly executes the operating system’s kernel+initrd+command line.

The problem with Guix (summarized here) is that:

  • it does not store its kernel and initrd on the /boot partition (they are on the root partition)
  • its GRUB configuration files are too complex for PureBoot/Heads, which only implements a subset of the functionality offered by GRUB itself

So this would need some specific improvements to PureBoot/Heads. While it’s certainly possible to implement your own kernel + initrd stub loader that would kexec into Guix, it’d be simpler to do this in PureBoot/Heads as we have much of the foundation for this there already.

  • PureBoot/Heads needs to understand enough of the Guix GRUB configuration files to locate the kernel / initrd (in particular, it does not implement GRUB’s search to locate a partition by UUID)
    • Or, as a stopgap, the user could configure this manually somehow
  • PureBoot/Heads would need to know how to load the kernel and initrd from a partition other than /boot (currently it assumes they are on /boot)
  • The /boot signatures for integrity checks would need to be extended to also include the kernel and initrd when they are not on the /boot partition (otherwise, it would still do an integrity check on files in /boot, but it wouldn’t actually be checking your kernel)

Or I suppose another way to go about it would be to alter Guix itself so it would put the kernels on /boot, which would probably also simplify its GRUB config enough for PureBoot/Heads (it would not need to search for the root partition)
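To make the two Guix obstacles described above concrete, here is an added illustration (not Heads/PureBoot code) of a GRUB-subset config parser that checks whether each menuentry could be located and integrity-checked from /boot alone. The two grub.cfg samples, the signed-file set and all function names are constructed for this example.

```python
import re

# Constructed sample: a Gentoo-style grub.cfg whose kernel and initrd live on /boot.
SIMPLE_CFG = """
menuentry 'Gentoo Linux' {
    linux /vmlinuz-6.6.0-gentoo root=/dev/sda2 ro quiet
    initrd /initramfs-6.6.0-gentoo.img
}
"""

# Constructed sample modelled on the Guix pattern: kernel and initrd are under
# /gnu/store on the root partition, which GRUB first locates by UUID.
GUIX_STYLE_CFG = """
menuentry 'GNU with Linux-Libre 6.6' {
    search --fs-uuid --set 1234-ABCD
    linux /gnu/store/abc123-linux-libre-6.6/bzImage root=/dev/mapper/root
    initrd /gnu/store/def456-raw-initrd/initrd.cpio.gz
}
"""

# Constructed stand-in for the set of /boot files covered by the signed manifest.
SIGNED_BOOT_FILES = {"grub/grub.cfg", "vmlinuz-6.6.0-gentoo", "initramfs-6.6.0-gentoo.img"}


def parse_menuentries(cfg):
    """Understand only menuentry/linux/initrd/search, i.e. a small GRUB subset."""
    entries, cur = [], None
    for raw in cfg.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "menuentry":
            m = re.search(r"menuentry\s+'([^']*)'", raw)
            cur = {"name": m.group(1) if m else "", "kernel": None,
                   "initrd": None, "cmdline": "", "search": False}
            entries.append(cur)
        elif cur is None:
            continue
        elif cmd == "linux":          # kernel path, then the command line
            cur["kernel"], cur["cmdline"] = parts[1], " ".join(parts[2:])
        elif cmd == "initrd":
            cur["initrd"] = parts[1]
        elif cmd == "search":         # partition lookup by UUID: not implemented here
            cur["search"] = True
    return entries


def check_entry(entry, signed_boot_files):
    """Reasons a /boot-only loader could neither find nor verify this entry."""
    problems = []
    if entry["search"]:
        problems.append("uses GRUB 'search' (partition lookup by UUID), which is not implemented")
    for role in ("kernel", "initrd"):
        path = entry[role]
        if path is None:
            problems.append(f"no {role} line")
        elif path.lstrip("/") not in signed_boot_files:
            problems.append(f"{role} {path} is not among the signed files on /boot")
    return problems
```

For the Guix-style entry the checker reports three problems, the last two being exactly the case where a /boot integrity check would pass without ever covering the kernel.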


Another consideration is the file system type. If you boot from /boot then / can be any file system type for which support exists in the code in /boot (and /boot itself still has to be more vanilla e.g. ext* or *fat). If you boot directly from / then it pushes that file system type support requirement into lower level code or restricts your / file system type.


I think Guix should get a new bootloader that writes a minimal grub.cfg and puts kernel images and the initrd into /boot. The new bootloader can also sign everything with a GPG private key so Heads doesn't have to.

If I end up using computers that have Heads, I might write a heads bootloader and a heads-signed bootloader for GNU Guix.

If the kernel and initrd are stored as packages in /gnu/store, then the root filesystem can be encrypted ZFS or Btrfs on LUKS.

Decrypting all sorts of encrypted file systems is going to be too much work, and finding packages in /gnu/store complicates Heads.


Great, looking forward to your upstream contributions.