Libreboot with full disk encryption (including /boot) Luks2+argon2id

Hi all.
Please tell me, has anyone tried installing a fully encrypted disk, including the boot partition, using Libreboot (20231106) + Luks2 + argon2id?

https://mirrors.mit.edu/libreboot/testing/20231106/roms/

I used this option, but at this stage Grub Libreboot does not boot the system; I did not install grub from the repository.

2 Likes

What hardware are you thinking of / trying to do this on? Any x86? Some specific Librem device?

1 Like

Full disk encryption normally refers to encrypting every partition except /boot, as boot firmware typically does not have the necessary tools to decrypt partitions and must delegate that task to a payload with Pre-Boot Authentication capabilities.

If you want to encrypt /boot, you will need to use hardware full-disk encryption, otherwise known as a self-encrypting drive (SED).

Self-encrypting drives - ArchWiki

In addition to all of this, Libreboot is not supported on any Purism product.

For a more in-depth explanation, see this:

@FranklyFlawless Hello.

Thank you for your answer. If you are ready to argue with Debian professionals about what the concept of Full Disk Encryption means, then I’m going to buy popcorn))

So called “full disk encryption” is often a misnomer, because there is typically a separate plaintext partition holding /boot. For instance the Debian Installer does this in its “encrypted LVM” partitioning method. Since not all bootloaders are able to unlock LUKS devices, a plaintext /boot is the only solution that works for all of them.

https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

If experience allows, you should definitely encrypt the entire disk, including the /boot partition, and also protect it with a Grub password, etc.

Why use Luks2+argon2id:

https://mjg59.dreamwidth.org/66429.html

https://tails.net/security/argon2id/index.en.html

2 Likes

Right, so we agree on the misnomer. Before we continue addressing on how to encrypt /boot and other cryptographic subjects, you should at least provide information about what hardware you are trying to use Libreboot on first.

@irvinewade @FranklyFlawless Hello. Thank you for your answer. The hardware on which Coreboot or Libreboot is installed, Librem or Thinkpad, does not matter, since in this case it will work wherever Grub supports Luks2+argon2id.

1 Like

I have Luks2+argon in GnuBoot on GnuMachine T-X60.

1 Like

Hello. Thank you for your answer. I also have argon2id now)) But this is not what I wrote about at the very beginning!
So, Gnuboot does not support Luks2 and argon2id for boot partition encryption. You can ask Neox again in the IRC chat, he will confirm it for you.

I have a request to the community: I would be grateful if you could help me correctly compose grub.cfg (attached below) so that I do not get this message in SeaBIOS:

“Booting from Hard Disk…”

I added the lines but it didn’t work…

menuentry 'Load Libre' {
    # unlock every LUKS container GRUB can find, then boot from the LVM root volume
    cryptomount -a
    set root='lvm/matrix-rootvol'
    linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm
    initrd /boot/initramfs-linux-libre.img
}

But the big plus is that I can boot the system (kernel, init) using the cryptomount command, which means everything works…

grub.cfg


set prefix=(memdisk)/boot/grub

insmod at_keyboard
insmod usb_keyboard
insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod regexp

terminal_input --append at_keyboard
terminal_input --append usb_keyboard
terminal_output --append cbmemc

gfxpayload=keep
terminal_output --append gfxterm

if [ -f (cbfsdisk)/background.png ]; then
    insmod png
    background_image (cbfsdisk)/background.png
elif [ -f (cbfsdisk)/background.jpg ]; then
    insmod jpeg
    background_image (cbfsdisk)/background.jpg
fi

set default="0"
if [ -f (cbfsdisk)/timeout.cfg ]; then
    source (cbfsdisk)/timeout.cfg
else   
    set timeout=5
fi
set grub_scan_disk="both"
if [ -f (cbfsdisk)/scan.cfg ]; then
    source (cbfsdisk)/scan.cfg
fi

if [ -f (cbfsdisk)/keymap.gkb ]; then
    keymap (cbfsdisk)/keymap.gkb
fi

function try_user_config {
    set root="${1}"

    # The @/... entries are for cases where the BTRFS filesystem is being used
    for dir in boot grub grub2 boot/grub boot/grub2 @/boot @/grub @/grub2 @/boot/grub @/boot/grub2; do
        for name in '' osboot_ autoboot_ libreboot_ coreboot_; do
            if [ -f /"${dir}"/"${name}"grub.cfg ]; then
                unset superusers
                configfile /"${dir}"/"${name}"grub.cfg
            fi
        done
    done
}
function search_grub {
    echo -n "Attempting to load grub.cfg from '${1}' devices"
    for i in 0 1 2 3 4 5 6 7 8 9 10 11; do
        for part in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
            try_user_config "(${1}${i},${part})"
        done
        # raw devices e.g. (ahci0) instead of (ahci0,1)
        try_user_config "(${1}${i})"
    done
    echo # Insert newline
}

function try_isolinux_config {
    set root="${1}"
    for dir in '' /boot /EFI /boot/EFI /@ /@/boot /@/boot/EFI /@/EFI; do
        if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
            syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
        elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
            syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
        elif [ -f "${dir}"/syslinux/extlinux.conf ]; then
            syslinux_configfile -s "${dir}"/syslinux/extlinux.conf
        elif [ -f "${dir}"/extlinux/extlinux.conf ]; then
            syslinux_configfile -s "${dir}"/extlinux/extlinux.conf
        fi
    done
}
function search_isolinux {
    echo "\nAttempting to parse iso/sys/extlinux config from '${1}' devices"
    for i in 0 1 2 3 4 5 6 7 8 9 10 11; do
        for part in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
            try_isolinux_config "(${1}${i},${part})"
        done
        # raw devices e.g. (usb0) instead of (usb0,1)
        try_isolinux_config "(${1}${i})"
    done
    echo # Insert newline
}
function try_bootcfg {
    try_user_config "${1}"
    try_isolinux_config "${1}"
}
function search_bootcfg {
    search_grub "${1}"
    search_isolinux "${1}"
}
menuentry 'Load Operating System (incl. fully encrypted disks)  [o]' --hotkey='o' {

    if [ "${grub_scan_disk}" != "ata" ]; then
        search_bootcfg ahci
    fi
    if [ "${grub_scan_disk}" != "ahci" ]; then
        search_bootcfg ata
    fi

    # grub device enumeration is very slow, so checks are hardcoded

    # TODO: add more strings, based on what distros set up when
    # the user select auto-partitioning on those installers
    lvmvol="lvm/grubcrypt-bootvol lvm/grubcrypt-rootvol"

    raidvol="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"

    # in practise, doing multiple redundant checks is perfectly fast and
    # TODO: optimize grub itself, and use */? here for everything

    for vol in ${lvmvol} ${raidvol} ; do
        try_bootcfg "${vol}"
    done

    unset ahcidev
    unset atadev
    for i in 11 10 9 8 7 6 5 4 3 2 1 0; do
        for part in 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1; do
            if [ "${grub_scan_disk}" != "ata" ]; then
                ahcidev="(ahci${i},${part}) ${ahcidev}"
            fi
            if [ "${grub_scan_disk}" != "ahci" ]; then
                atadev="(ata${i},${part}) ${atadev}"
            fi
        done
    done

    set pager=0
    echo -n "Attempting to unlock encrypted volumes"
    for dev in ${ahcidev} ${atadev} ${lvmvol} ${raidvol}; do
        if cryptomount "${dev}" ; then break ; fi
    done
    set pager=1
    echo

    # after cryptomount, lvm volumes might be available
    for vol in ${lvmvol}; do
        try_bootcfg "${vol}"
    done

    search_bootcfg crypto

    for vol in lvm/* ; do
        try_bootcfg "${vol}"
    done

    true # Prevent pager requiring to accept each line instead of whole screen
}

menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on USB  [s]' --hotkey='s' {
    search_bootcfg usb
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on AHCI  [a]' --hotkey='a' {
    search_bootcfg ahci
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on ATA/IDE  [d]' --hotkey='d' {
    # legacy ATA/IDE controllers; the AHCI entry above already covers ahci devices
    search_bootcfg ata
}
if [ -f (cbfsdisk)/grubtest.cfg ]; then
menuentry 'Load test configuration (grubtest.cfg) inside of CBFS  [t]' --hotkey='t' {
    set root='(cbfsdisk)'
    if [ -f /grubtest.cfg ]; then
        configfile /grubtest.cfg
    fi
}
fi
if [ -f (cbfsdisk)/seabios.elf ]; then
menuentry 'Load SeaBIOS (payload) [b]' --hotkey='b' {
    set root='cbfsdisk'
    chainloader /seabios.elf
}
fi
if [ -f (cbfsdisk)/img/grub2 ]; then
menuentry 'Return to SeaBIOS [b]' --hotkey='b' {
    set root='cbfsdisk'
    chainloader /fallback/payload
}
fi
menuentry 'Poweroff  [p]' --hotkey='p' {
    halt
}
menuentry 'Reboot  [r]' --hotkey='r' {
    reboot
}
if [ -f (cbfsdisk)/img/memtest ]; then
menuentry 'Load MemTest86+  [m]' --hotkey='m' {
    set root='cbfsdisk'
    chainloader /img/memtest
}
fi
1 Like

In the PureOS repositories Index of /pureos/pool/main/g/grub2 I see Grub 2.06 which does not support Luks2 and argon2id to encrypt the entire disk including the boot partition.

1 Like

@giulio Hello . Did you manage to encrypt your computer using PureOS+ partition /boot+Luks2+argon2id?

1 Like

I found a solution on the Hyperbola website Install Full disk encryption (including /boot ) Luks2+argon2id T440P (Page 1) — Install/Update — HyperForum

1 Like

Great, mark your answer as a solution.

1 Like

Picture taken on Xperia Lena and Sailfish Sauna.

3 Likes

Hello. Tell me please, did you install GnuBoot, and is your entire disk encrypted with argon2id?
I see Grub version 2.12, but as far as I know the GnuBoot developers didn’t have argon2id support.

1 Like

I am using the Gnuboot v1.0 devel version, which fully supports argon2id via Gnugrub v2.12. However, the currently available Gnuboot RC still does not support argon2id. Stay tuned for the Gnuboot v1.0 release. However, if you want to test Gnuboot v1.0, let me know your machine model and I will share the binary.

Purism | GNU
Libre Software

2 Likes

FWIW, the Argon family of functions are password-based key derivation functions (PBKDFs). They aren’t used to encrypt the disk at all.

A PBKDF is used to encrypt a key slot that contains the disk encryption master key. Specifically, the PBKDF is used to derive an encryption key from the passphrase that you enter, and the encryption key is used to encrypt the key slot. (There can be multiple key slots, each using a different passphrase, and some even encrypted by some means other than a passphrase - but they all contain the same master key.)

The original PBKDF used with LUKS was called, unimaginatively, PBKDF (or, more accurately, PBKDF2). However PBKDF2 is considered too weak these days i.e. vulnerable to a brute force attack with a zillion GPUs or dedicated ASICs.

The disk itself is, by default, encrypted with AES (in XTS mode) using the disk encryption master key.

2 Likes
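An added example, not code from any post in this thread: the two posts above explain that a LUKS2 keyslot is protected by a PBKDF (PBKDF2 or Argon2) rather than the disk cipher, and that GRUB 2.06 cannot run Argon2 while the GRUB 2.12 build in GnuBoot can. The script below parses the binary part of a LUKS2 header (magic, version, hdr_size, then the JSON metadata area, per the cryptsetup on-disk format), lists the PBKDF each keyslot uses, and reports which keyslots a given GRUB release could unlock at boot. The header bytes are constructed in the script itself (checksum and secondary header copy omitted, keyslot JSON trimmed to the `kdf` field), and the version-to-PBKDF table is the thread's own claim (2.06: PBKDF2 only; 2.12: adds Argon2), not a complete GRUB feature matrix.

```python
import json
import struct

# Binary part of a LUKS2 header (first 4096 bytes), all integers big-endian.
# Field layout follows the cryptsetup LUKS2 on-disk format specification.
LUKS2_MAGIC = b"LUKS\xba\xbe"
LUKS2_BIN_HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s3584s")
LUKS2_BIN_HDR_SIZE = 4096

# Minimum GRUB release able to unlock a LUKS2 keyslot with a given PBKDF,
# as stated in this thread (2.06: PBKDF2 only; 2.12: adds Argon2).
GRUB_MIN_VERSION_FOR_KDF = {
    "pbkdf2": (2, 6),
    "argon2i": (2, 12),
    "argon2id": (2, 12),
}


def parse_grub_version(version: str) -> tuple:
    """'2.06' -> (2, 6), '2.12' -> (2, 12)."""
    return tuple(int(part) for part in version.split("."))


def parse_luks2_header(blob: bytes) -> dict:
    """Validate the primary LUKS2 binary header and return its JSON metadata.

    Only the primary header at offset 0 is read; a real device also carries a
    secondary copy at hdr_size, and the checksum field is not verified here.
    """
    if len(blob) < LUKS2_BIN_HDR_SIZE:
        raise ValueError("blob too short for a LUKS2 binary header")
    magic, version, hdr_size, *_ = LUKS2_BIN_HDR.unpack_from(blob, 0)
    if magic != LUKS2_MAGIC:
        raise ValueError("bad magic: not a LUKS2 header")
    if version != 2:
        raise ValueError(f"LUKS header version {version}, expected 2")
    if len(blob) < hdr_size:
        raise ValueError("blob truncated before the end of the JSON area")
    json_area = blob[LUKS2_BIN_HDR_SIZE:hdr_size]
    # The JSON area is NUL-padded up to hdr_size.
    return json.loads(json_area.split(b"\x00", 1)[0].decode("utf-8"))


def keyslot_kdfs(meta: dict) -> dict:
    """Map keyslot id -> PBKDF type ('argon2id', 'pbkdf2', ...)."""
    slots = sorted(meta["keyslots"].items(), key=lambda kv: int(kv[0]))
    return {slot: ks["kdf"]["type"] for slot, ks in slots}


def slots_grub_can_unlock(meta: dict, grub_version: str) -> list:
    """Keyslot ids whose PBKDF the given GRUB release can run at boot."""
    have = parse_grub_version(grub_version)
    unlockable = []
    for slot, kdf in keyslot_kdfs(meta).items():
        need = GRUB_MIN_VERSION_FOR_KDF.get(kdf)
        if need is not None and have >= need:
            unlockable.append(slot)
    return unlockable


def build_sample_header(keyslots: dict, hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2 header for testing; checksum and secondary copy omitted."""
    meta = {
        "keyslots": keyslots,
        "tokens": {},
        "segments": {},
        "digests": {},
        "config": {"json_size": str(hdr_size - LUKS2_BIN_HDR_SIZE), "keyslots_size": "0"},
    }
    json_bytes = json.dumps(meta).encode("utf-8")
    binary = LUKS2_BIN_HDR.pack(
        LUKS2_MAGIC, 2, hdr_size, 1,             # magic, version, hdr_size, seqid
        b"", b"sha256", b"\x00" * 64,            # label, csum_alg, salt
        b"00000000-0000-0000-0000-000000000000",  # uuid (placeholder)
        b"", 0, b"", b"\x00" * 64, b"",          # subsystem, hdr_offset, pad, csum, pad
    )
    return binary + json_bytes.ljust(hdr_size - LUKS2_BIN_HDR_SIZE, b"\x00")


# Constructed sample: slot 0 uses argon2id (the cryptsetup 2.x default), slot 1
# was added with PBKDF2 so that an older GRUB could still unlock the volume.
SAMPLE_KEYSLOTS = {
    "0": {"type": "luks2", "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4, "salt": "c2FsdDA="}},
    "1": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000, "salt": "c2FsdDE="}},
}

if __name__ == "__main__":
    meta = parse_luks2_header(build_sample_header(SAMPLE_KEYSLOTS))
    for slot, kdf in keyslot_kdfs(meta).items():
        print(f"keyslot {slot}: {kdf}")
    for ver in ("2.06", "2.12"):
        print(f"GRUB {ver} can unlock keyslots: {slots_grub_can_unlock(meta, ver)}")
```

On a real device the same information is what `cryptsetup luksDump` prints under each keyslot's "PBKDF:" line; the parser here is for header dumps saved with `cryptsetup luksHeaderBackup`, so the check can be run on a copy rather than the live disk. The point of the two-slot sample is the practical workaround when only an older GRUB is available: the master key stays the same, and a second keyslot with a PBKDF2-protected passphrase lets that GRUB unlock /boot without weakening the argon2id slot used elsewhere.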

Thank you for the information, I would like to test it on the T400.

I see there is a release of gnuboot-0.1-rc3 (Index of /gnu/gnuboot); if I understood you correctly, you meant this release, which does not yet support argon2id.

Where can I download the release you mentioned Gnuboot v1.0 via Gnugrub v2.12? Or maybe you have an installation guide?

2 Likes

Thank you very much for your detailed answer.

1 Like

What is the ROM size for the chipset, 4MiB or 8MiB? If you are not sure, how to check: sudo flashrom -p internal.

Thanks

1 Like