MINI.V2 and QUBES - Walkthrough #1 - Install

MINI.v2 and QUBES - WALKTHROUGH #1 - INSTALL
I’m trying to learn, so comments, suggestions, and answers to questions are greatly desired!
Hi, My goal is to have as secure and private a system as I currently can, and be able to make it more secure as I learn. Here’s my starting point:

HARDWARE : Librem Mini v2. 32 GB RAM. 250 GB SSD. Secondary drive 250 GB SSD. Wireless Card.
OTHER : PureOS comes installed, LibremKey USB, Vault USB (that’s the PureBoot Bundle), and I also bought the Qubes Installation USB (turns out unnecessary).
(The LK is black, Vault USB is gold, and Qubes USB is steel grey)

I like the features of PureBoot and LibremKey. And I like PureOS, but after watching the demo linked below I really like QubesOS.
As far as I understand, the PureOS will let me do more with the Vault USB, gpg, and the LibremKey.
But I will manage my gpg in Qubes and for now I will use the LK and Vault USB just to secure the boot process.
(If anyone knows how to dual boot PureOS and have a QubesOS too, please let me know.)
Here’s a good Qubes demo: “Micah Lee Presents Qubes OS” https://www.qubes-os.org/video-tours/

INFO
PureOS-9.0 (currently the latest stable releases) is not installable on the Mini v2. I’m told the kernel needs to be a more updated version. So the Mini has PureOS-10-byzantium installed by default. I tried v9 and the kernel froze trying to install.
Qubes-4.0.4 (stable) is also supposed to be un-usable (and the installation USB that came with my order has Qubes-4.1.0 (unstable) on it. However, I was able to install the stable release Qubes-4.0.4.
I test installed both Qubes, and the unstable release leaves a lot undone. So I’m using the stable 4.0.4.

STARTING POINT
Once Qubes is installed I will not be able to change the pins on my LibremKey.
(Does anyone know how to do this, so Qubes can manage the LibremKey or the gold Vault USB?)
So first I am going to login to the installed PureOS (a debian system) and change the pins.

CONFIGURE LIBREMKEY ON PUREOS
The very first thing to do is to change the pins on the LK.
Unplug your network cable and do not enable wifi. No networking until everything is setup.
The instructions for this are here: https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html
I will be installing Qubes and managing all my other keys there, so I only want the Vault USB and the LK to secure the boot process, PureBoot.
In PureOS (which is debian based) open a terminal and make sure scdaemon is installed:
$ sudo apt install scdaemon (enter pw). Even tho there’s no network yet it will show you that it is present.
Plug in the Vault USB and enter:
$ gpg –card-status (it will detect your card)
There are 3 pins related to the LK and the Vault USB:
LK gpg user = 6 numbers, LK gpg admin (LK) = 8 numbers, TPM admin = 8 numbers.
The Mini does not have a TPM chip so I don’t know if the last is ever used. (Anyone know?)
Change the first 2 for now. Enter the following to enter the card command line:
$gpg –card-edit
The prompt will change, enter admin mode:
> admin
> passwd (this will bring up a menu where you can change the user pin and the admin pin)
1 (change pin) = enter the default pin (123456) first, then enter your new pin code twice, and remember it.
Next do the same for the admin pin:
3 (change admin pin, (default 12345678) and remember)
q (to quit out of admin mode, and back to edit-card mode)
You can now enter help to see other things to do.
You might want to change the “name” (currently blank) to something like “yourname-LK”.
OK, LibremKey is setup. We will use the new pins going forward.

GET QUBES :
Download latest stable release of Qubes: https://www.qubes-os.org/downloads/
Verify it. Follow this: https://www.qubes-os.org/security/verifying-signatures/
(Secure the Qubes Master Signing Key, Release Signing Key, and any subkeys, etc. for implementing GPG later.)
Burn to USB: https://www.balena.io/etcher/

INSTALL QUBES
Unplug any network connection. (No internet until everything is ready)
Plug in the LibremKey and the Qubes ISO you just burned. No other USB’s should be plugged in.
Power up but don’t let it boot to default PureOS.
Go into the PureBoot Menu and select Boot Options > USB Boot.
The Qubes install menu should present. ( This will wipe out the existing OS, but can reinstall if needed.)
Pick the first one and install. Then follow this guide until you get to partitioning:


When it comes to the Installation Destination I have 2 drives and want them combined in one large volume.
I clicked on both of the big drive icons so they both had check marks in them.
Under partitioning select “Automatically configure partitioning”.
It will create an LVM partition instead of regular partitions.
I also checked “Encrypt my data” to have the disks encrypted.
Then click “Done” in the upper left corner.
It will ask for a passphrase for the disk encryption. Remember this, secure it !
(Curiously, it warns that I won’t be able to change keyboard layouts after implementing disk encryption.)
It will tell me that I don’t have enough space (because PureOs is using it all) and I must reclaim it.
Click on “Reclaim space”.
Click on “Delete all”.
And then click on “Reclaim space”.
( I think between the LVM and the disk encryption it cost me over 10% of my disk space. )
Then click Done and Begin Installation.
Create your user account and password if you want.
When install is complete, remove the Qubes ISO and press “Reboot”. Keep the LibremKey in.

On reboot the PureBoot Menu will pop up.
Choose: Options → Boot Options → Boot Menu →
At this point you will get an “ERROR: Missing Hash File!” box.
“The file containing hashes for /boot is missing!”
This is expected.
Click Yes to update your checksums now.
Your LibremKey should be inserted already.
It will ask you to insert the gold Vault USB that contains your hashes.
It will ask for the LK user pin, so enter the new 6 digit pin you set up on the LK earlier.
It will flash some lines including “Good signature from …” and then send you back to the PureBoot Menu.
The Mini doesn’t have a TPM chip, but it does use HOTP. Do not “refresh”. Instead we will create new.
Select: Options → TPM/TOTP/HOTP Options → Generate new TOTP/HOTP secret.
Select yes to replace old with new.
This time you will need to enter your 8 digit LK Admin pin (which you created above).
If success, press enter to continue.
Do not let it go to automatic boot. Press a key to get back to the PureBoot Menu.
Select: Options → Boot Options → Show OS boot menu →
Select the first one in the list: “Qubes,with_Xen_hypervisor……….”
Then select “Make Qubes, with Xen hypervisor the default” and press enter.
Enter “y” to proceed, and y if your Vault USB is still inserted.
Enter the 6 digit LK user pin.

It will start to boot. Remove the Vault USB. And enter the disk encryption passphrase.
Now Qubes will go thru the configuration process to setup all the default virtual machines.
Click on the red triangle with the exclamation point in it to finish setup of Qubes.
Here are the options ( bold are pre-selected ):

  • Create default system qubes…
  • Create default application qubes…
  • Create Whonix Gateway and Workstation qubes…
  • Enable updates over TOR (I selected this even tho it will slow updates down)
  • Create USB qube… (This will be greyed out and unselectable because USB keyboard and mouse will not work on reboot, and of course you won’t be able to enter your disk decryption phrase nor ever get to the login password).
  • Use sys-net qube for both networking and USB devices (This is also greyed. Do you need it? See notes in the install link above)

Click “Done”, then click “Finish Configuration”, and wait for it to complete and prompt you for your password.

The installation link may want you to update. Don’t do that yet.
There’s more to do before you connect to the internet.

LIBREMKEY AGAIN
Shutdown. Remove all USB’s except the LibremKey.
Boot and press any key to enter the PureBoot Menu.
Go to: Options → Update checksums and sign all files in /boot → select “Yes” to update.
Insert your gold Vault USB (Pureboot calls it your “GPG card”) and press “y”.
Enter your 6 digit LK user pin to unlock.
It will return you to the PureBoot Menu.
Remove the Vault USB. ( Never boot with anything but the LK plugged in. )
Select “Default boot” and proceed….
It boots. The LibremKey flashes red twice and then flashes green 10 times.
Then it asks for the disk encryption passphrase. Takes a minute to decrypt the disks.
And after that asks for my user password.
Then, since I clicked to “Enable Updates over TOR” in the configuration section, it asks me to configure the “[sys-whonix] Anon Connection Wizard”.
I choose connect. If you choose disable, it will ask again on the next boot. Since my network cable is unplugged for now it doesn’t matter at the moment.
Cancel when TOR tries to connect to the network.

USB
USB’s are a security vulnerability. You can read in the qubes documentation how usb keyboards are also unsafe . But the Mini doesn’t come with a plug for a PS/2 keyboard so we are stuck with it.
Qubes can make a vm named “sys-usb” to secure USB’s, but it needs a work-around for a usb-keyboard.
(Anyone know how to find/test a safe keyboard. I just chose one from a country I deem safer.)

To make an exception for the USB Keyboard (and mouse), AND setup the sys-usb qube at same time: you can read about the command that Enables your USB Keyboard at the same time as creating a USB qube.


Very Important : Do not scroll up on this page and install just the usb qube. That may be ok on a laptop, but on the Mini.v2 y ou will loose your keyboard and mouse instantly .
Make sure you enter the command below that includes enabling the usb keyboard.
We will do this from the “ dom0 ” master qube, not any of the vm’s
Go to the upper left corner and choose the 2nd option from the top: “Terminal Emulator”.
Enter the command from the linked page at the prompt. Here it is:
$ sudo qubesctl state.sls qvm.usb-keyboard

Along with your keyboard being enabled you will also see a new sys-usb qube created.
It starts automatically on boot. And will safely isolates any usb devices you plug in from the rest of the vm’s.
FYI, since the boot process now allows your usb keyboard, it is also briefly vulnerable to any other usb devices you have plugged in during the boot process.
YOU MUST REMEMBER TO NEVER BOOT WITH A USB PLUGGED IN.
Only insert usb’s after Qubes and the sys-usb qube are up and running.
As far as we have gone, the sys-usb qube has been created but not started. If you reboot it will start automatically. If you start the qube manually now you will loose your keyboard and mouse for about a minute while it disconnects all usb devices from dom0 and reattaches them to the sys-usb vm.

CONNECT TO INTERNET – UPDATE QUBES
Now plug in your network cable or connect to your wifi.
Once the network is connected, shut down and reboot. Remember, I selected TOR to handle updates, so I want the TOR Connection Wizard to run on boot and connect to the internet before I run updates.
After it is done it will say “Tor bootstrapping done. Bootstrapping phase: connected to the Tor network!”
For info on updating, read this:


Wait for a while and let the system check for updates.
You will see a bright orange star show up next to the blue Q in the upper right corner.
Click and select “Launch updater”. (Btw, updates over TOR will be slower.)
If it doesn’t show up you can manually check for updates using the link in the upper left corner.
Go to: System Tools → Qubes Update.
Click “Enable updates for qubes without known available updates.”
Select all of the qubes, and then “next” to have it check for updates.
Click on the “details” box. When there are downloads, especially for dom0 (or debian-10?) You will want to know if any of them affect the boot/bios/grub configuration.
If there are do not be surprised if the LibremKey flashes red and doesn’t boot at first. You will need to update your hashes, etc. on the LK… (As long as you know they were legitimate updates from qubes they are OK.)
Might want to remember this when you update and you see dom0 being updated.
In fact, it might be a good idea to reboot after every update, just to keep everything clear.

Since I am new at this, I am going to shutdown, reboot, and check for updates again.
…… I manually updated just dom0 and it updated some boot packages… so I reboot…
…… Updated LK…insert the Vault USB…remove the Vault USB… and boot.
…… Recheck for updates on all of them… dom0 was clear but found some on the others…
(FYI, this is consistent with an earlier test install I did. I was notified for updates a few times in the first several hours of it being up and running.)
Then reboot one final time to make sure the LibremKey is really fine with the changes.
I don’t want a problem with LK on the next boot and not be sure if it was caused by a recent update, or something bad that happened in a qube after the update.
I say this because I messed around in dom0 command line (installing a package the wrong way…) and then had a LibremKey problem. It bothered me, so that led to another new installation
OK, that’s it.

Yay! Qubes is up and running and the BIOS is secured with LibremKey.

(Please feel free to comment or answer any of the questions I posed as I went thru this. Thanks.)

6 Likes

4.0.4 was not released at the time the Mini v2 was released, so 4.1.0-alpha1 was the only option at the time. I’ll make sure we update the USBs we ship to 4.0.4 though.

2 Likes

Cool, thanks!
Btw, I’ve read many of your posts as I search thru the forum. You’ve helped in more ways than I can recount. :+1:

I haven’t tried this as I haven’t yet received my Librem, but you can assign a USB device (or the whole PCI device if it doesn’t work) to a VM. From there, you would follow the normal steps to configure your LibremKey or Vault

I tried that, but reading it again, I think I made a mistake. Thanks, I’ll try again.