Full disk encryption normally refers to encrypting every partition except /boot, as boot firmware typically does not have the necessary tools to decrypt partitions and must delegate that task to a payload with Pre-Boot Authentication capabilities.
If you want to encrypt /boot, you will need to use hardware full-disk encryption, otherwise known as a self-encrypting drive (SED).
Thank you for your answer. If you are ready to argue with Debian professionals about what the concept of Full Disk Encryption means, then I’m going to buy popcorn))
So called “full disk encryption” is often a misnomer, because there is typically a separate plaintext partition holding /boot. For instance the Debian Installer does this in its “encrypted LVM” partitioning method. Since not all bootloaders are able to unlock LUKS devices, a plaintext /boot is the only solution that works for all of them.
Right, so we agree on the misnomer. Before we continue addressing how to encrypt /boot and other cryptographic subjects, you should at least provide information about what hardware you are trying to use Libreboot on first.
@irvinewade @FranklyFlawless Hello. Thank you for your answer. On hardware on which Coreboot or Libreboot is installed, Librem or ThinkPad does not matter, since in this case it will work wherever GRUB supports LUKS2 + argon2id.
Hello. Thank you for your answer. I also have argon2id now)) But this is not what I wrote about at the very beginning!
So, Gnuboot does not support LUKS2 and argon2id for boot partition encryption. You can ask Neox again in the IRC chat; he will confirm it for you.
I have a request to the community: I would be grateful if you helped me correctly compose grub.cfg (attached below) so that I do not get the following message in SeaBIOS:
“Booting from Hard Disk…”
I added the lines but it didn’t work…
menuentry 'Load Libre' {
    # unlock every LUKS device GRUB can see, then boot from the LVM volume inside
    cryptomount -a
    set root='lvm/matrix-rootvol'
    linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm
    initrd /boot/initramfs-linux-libre.img
}
But the big plus is that I can boot the system (kernel, init) using the cryptomount command, which means everything works…
grub.cfg
set prefix=(memdisk)/boot/grub
insmod at_keyboard
insmod usb_keyboard
insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod regexp
terminal_input --append at_keyboard
terminal_input --append usb_keyboard
terminal_output --append cbmemc
gfxpayload=keep
terminal_output --append gfxterm
if [ -f (cbfsdisk)/background.png ]; then
insmod png
background_image (cbfsdisk)/background.png
elif [ -f (cbfsdisk)/background.jpg ]; then
insmod jpeg
background_image (cbfsdisk)/background.jpg
fi
set default="0"
if [ -f (cbfsdisk)/timeout.cfg ]; then
source (cbfsdisk)/timeout.cfg
else
set timeout=5
fi
set grub_scan_disk="both"
if [ -f (cbfsdisk)/scan.cfg ]; then
source (cbfsdisk)/scan.cfg
fi
if [ -f (cbfsdisk)/keymap.gkb ]; then
keymap (cbfsdisk)/keymap.gkb
fi
function try_user_config {
set root="${1}"
# The @/... entries are for cases where the BTRFS filesystem is being used
for dir in boot grub grub2 boot/grub boot/grub2 @/boot @/grub @/grub2 @/boot/grub @/boot/grub2; do
for name in '' osboot_ autoboot_ libreboot_ coreboot_; do
if [ -f /"${dir}"/"${name}"grub.cfg ]; then
unset superusers
configfile /"${dir}"/"${name}"grub.cfg
fi
done
done
}
function search_grub {
echo -n "Attempting to load grub.cfg from '${1}' devices"
for i in 0 1 2 3 4 5 6 7 8 9 10 11; do
for part in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
try_user_config "(${1}${i},${part})"
done
# raw devices e.g. (ahci0) instead of (ahci0,1)
try_user_config "(${1}${i})"
done
echo # Insert newline
}
function try_isolinux_config {
set root="${1}"
for dir in '' /boot /EFI /boot/EFI /@ /@/boot /@/boot/EFI /@/EFI; do
if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
elif [ -f "${dir}"/syslinux/extlinux.conf ]; then
syslinux_configfile -s "${dir}"/syslinux/extlinux.conf
elif [ -f "${dir}"/extlinux/extlinux.conf ]; then
syslinux_configfile -s "${dir}"/extlinux/extlinux.conf
fi
done
}
function search_isolinux {
echo "\nAttempting to parse iso/sys/extlinux config from '${1}' devices"
for i in 0 1 2 3 4 5 6 7 8 9 10 11; do
for part in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
try_isolinux_config "(${1}${i},${part})"
done
# raw devices e.g. (usb0) instead of (usb0,1)
try_isolinux_config "(${1}${i})"
done
echo # Insert newline
}
function try_bootcfg {
try_user_config "${1}"
try_isolinux_config "${1}"
}
function search_bootcfg {
search_grub "${1}"
search_isolinux "${1}"
}
menuentry 'Load Operating System (incl. fully encrypted disks) [o]' --hotkey='o' {
if [ "${grub_scan_disk}" != "ata" ]; then
search_bootcfg ahci
fi
if [ "${grub_scan_disk}" != "ahci" ]; then
search_bootcfg ata
fi
# grub device enumeration is very slow, so checks are hardcoded
# TODO: add more strings, based on what distros set up when
# the user select auto-partitioning on those installers
lvmvol="lvm/grubcrypt-bootvol lvm/grubcrypt-rootvol"
raidvol="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"
# in practise, doing multiple redundant checks is perfectly fast and
# TODO: optimize grub itself, and use */? here for everything
for vol in ${lvmvol} ${raidvol} ; do
try_bootcfg "${vol}"
done
unset ahcidev
unset atadev
for i in 11 10 9 8 7 6 5 4 3 2 1 0; do
for part in 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1; do
if [ "${grub_scan_disk}" != "ata" ]; then
ahcidev="(ahci${i},${part}) ${ahcidev}"
fi
if [ "${grub_scan_disk}" != "ahci" ]; then
atadev="(ata${i},${part}) ${atadev}"
fi
done
done
set pager=0
echo -n "Attempting to unlock encrypted volumes"
for dev in ${ahcidev} ${atadev} ${lvmvol} ${raidvol}; do
if cryptomount "${dev}" ; then break ; fi
done
set pager=1
echo
# after cryptomount, lvm volumes might be available
for vol in ${lvmvol}; do
try_bootcfg "${vol}"
done
search_bootcfg crypto
for vol in lvm/* ; do
try_bootcfg "${vol}"
done
true # Prevent pager requiring to accept each line instead of whole screen
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on USB [s]' --hotkey='s' {
search_bootcfg usb
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on AHCI [a]' --hotkey='a' {
search_bootcfg ahci
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on ATA/IDE [d]' --hotkey='d' {
search_bootcfg ata # was "ahci", which duplicated the AHCI entry above; "ata" matches this entry's ATA/IDE title
}
if [ -f (cbfsdisk)/grubtest.cfg ]; then
menuentry 'Load test configuration (grubtest.cfg) inside of CBFS [t]' --hotkey='t' {
set root='(cbfsdisk)'
if [ -f /grubtest.cfg ]; then
configfile /grubtest.cfg
fi
}
fi
if [ -f (cbfsdisk)/seabios.elf ]; then
menuentry 'Load SeaBIOS (payload) [b]' --hotkey='b' {
set root='cbfsdisk'
chainloader /seabios.elf
}
fi
if [ -f (cbfsdisk)/img/grub2 ]; then
menuentry 'Return to SeaBIOS [b]' --hotkey='b' {
set root='cbfsdisk'
chainloader /fallback/payload
}
fi
menuentry 'Poweroff [p]' --hotkey='p' {
halt
}
menuentry 'Reboot [r]' --hotkey='r' {
reboot
}
if [ -f (cbfsdisk)/img/memtest ]; then
menuentry 'Load MemTest86+ [m]' --hotkey='m' {
set root='cbfsdisk'
chainloader /img/memtest
}
fi
In the PureOS repositories (Index of /pureos/pool/main/g/grub2) I see GRUB 2.06, which does not support LUKS2 and argon2id to encrypt the entire disk including the boot partition.
Hello. Tell me please, did you install GnuBoot, and is your entire disk encrypted with argon2id?
I see GRUB version 2.12, but as far as I know the GnuBoot developers didn’t have argon2id support.
I am using the Gnuboot v1.0 devel version, which fully supports argon2id via GNU GRUB v2.12. However, the currently available Gnuboot RC still does not support argon2id. Stay tuned for the Gnuboot v1.0 release. If you want to test Gnuboot v1.0, let me know your machine model and I will share the binary.
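A check that follows from the point above, added here and not part of the thread: parse `cryptsetup luksDump` output and list the key slots that a GRUB build without Argon2 support cannot open. The dump text is a constructed sample trimmed to the fields the check reads.

```python
import re

# Added example, not from the thread: parse `cryptsetup luksDump` output and report
# which key slots a GRUB build without Argon2 support (GRUB 2.06, as noted above;
# the thread says GNU GRUB 2.12 adds it) cannot unlock. The dump text below is a
# constructed sample trimmed to the fields this check needs.
SAMPLE_DUMP = """\
LUKS header information
Version:        2

Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
"""

SLOT_RE = re.compile(r"^\s*(\d+): luks2\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")

def parse_keyslots(dump: str) -> dict:
    """Map slot number -> {field: value} for the Keyslots section of a LUKS2 dump."""
    slots, current, in_slots = {}, None, False
    for line in dump.splitlines():
        if not in_slots:
            in_slots = line.strip() == "Keyslots:"
            continue
        if line and not line[0].isspace():
            break  # reached the next top-level section (Tokens:, Digests:)
        m = SLOT_RE.match(line)
        if m:
            current = slots.setdefault(int(m.group(1)), {})
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return slots

def grub_incompatible_slots(dump: str, grub_has_argon2: bool) -> list:
    """Slot numbers the given GRUB build cannot open: argon2* slots need Argon2 support."""
    # Such a slot can be rewritten with PBKDF2 via `cryptsetup luksConvertKey --pbkdf pbkdf2`.
    return [n for n, f in sorted(parse_keyslots(dump).items())
            if f.get("PBKDF", "").lower().startswith("argon2") and not grub_has_argon2]
```

Feed it the real output of `cryptsetup luksDump /dev/sdXN` to see which slots the firmware GRUB can actually unlock before relying on an encrypted /boot.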
FWIW, the Argon family of functions are password-based key derivation functions (PBKDFs). They aren’t used to encrypt the disk at all.
A PBKDF is used to encrypt a key slot that contains the disk encryption master key. Specifically, the PBKDF is used to derive an encryption key from the passphrase that you enter, and the encryption key is used to encrypt the key slot. (There can be multiple key slots, each using a different passphrase, and some even encrypted by some means other than a passphrase, but they all contain the same master key.)
The original PBKDF used with LUKS was called, unimaginatively, PBKDF (or, more accurately, PBKDF2). However, PBKDF2 is considered too weak these days, i.e. vulnerable to a brute force attack with a zillion GPUs or dedicated ASICs.
The disk itself is, by default, encrypted with AES (in XTS mode) using the disk encryption master key.
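The key-slot scheme described in this post, as an added model that is not code from the thread or from cryptsetup: each slot wraps the same master key under a key derived from its own passphrase, so any slot the passphrase opens yields the master key. PBKDF2 from hashlib stands in for Argon2id, and the HMAC-keystream wrap is a stand-in for LUKS' real slot encryption; the slot layout is invented for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not code from the thread: a simplified model of a LUKS-style
# key slot. The PBKDF turns the passphrase into a slot key; the slot key
# unwraps the master key; the master key is what the data cipher (AES-XTS on a
# real LUKS volume) uses. hashlib's PBKDF2-HMAC-SHA256 stands in for the PBKDF
# because Argon2 is not in the standard library, and a toy HMAC-keystream wrap
# stands in for LUKS' anti-forensic split plus cipher. NOT the on-disk format.

def pbkdf(passphrase: str, salt: bytes, iterations: int) -> bytes:
    # The guessing cost lives here: iterations for PBKDF2, memory+time for Argon2id.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def add_keyslot(master_key: bytes, passphrase: str, iterations: int = 200_000) -> dict:
    # Each slot gets its own salt and wraps the same master key under its own slot key.
    salt = secrets.token_bytes(32)
    slot_key = pbkdf(passphrase, salt, iterations)
    ct = _xor(master_key, _keystream(slot_key, len(master_key)))
    tag = hmac.new(slot_key, ct, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}

def open_keyslot(slot: dict, passphrase: str) -> Optional[bytes]:
    slot_key = pbkdf(passphrase, slot["salt"], slot["iterations"])
    expected = hmac.new(slot_key, slot["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None  # wrong passphrase for this slot
    return _xor(slot["ct"], _keystream(slot_key, len(slot["ct"])))

def unlock(slots: list, passphrase: str) -> Optional[bytes]:
    # Try every slot, as cryptsetup does; any slot the passphrase opens yields the same master key.
    for slot in slots:
        master_key = open_keyslot(slot, passphrase)
        if master_key is not None:
            return master_key
    return None
```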
Thank you for the information, I would like to test it on the T400.
I see there is a release of gnuboot-0.1-rc3 (Index of /gnu/gnuboot). If I understood you correctly, you meant this release, which does not yet support argon2id.
Where can I download the release you mentioned, Gnuboot v1.0 with GNU GRUB v2.12? Or maybe you have an installation guide?