Stay Protected with Librem 14’s Latest Pureboot Feature

david.hamner · January 21, 2022, 3:42am

dallas87 · January 21, 2022, 9:43am

This new option to hash /root will not work, unfortunatelly, on an encrypted filesystem

MrChromebox · January 21, 2022, 3:54pm

sure it does, you just supply the LUKS password prior to the check. All Purism Librems ship with an encrypted root filesystem, and we designed this feature with that in mind.

dallas87 · January 22, 2022, 8:30am

I thought this is the case as when I want to create root hashed I receive this:
No valid root disk found

I have Qubes installed. Is it there something I can do to have root hashes?

MrChromebox · January 22, 2022, 4:56pm

that’s odd, will have to test here and see why that’s happening

dallas87 · January 22, 2022, 7:12pm

can I help with something?

ComprehensiveAddict · January 23, 2022, 12:42am

Same situation on my end for both the Release 19 & Release 20 PureBoot versions. IIRC the error, it stated there was no valid root disk (qubes_dom0-root). Maybe something to do with how Qubes uses LVM?

I haven’t yet troubleshooted this, nor have I read the source for the root FS check in PureBoot yet, so I might be completely off.

Edit:

To spit ball, maybe a temporary fix could be an additional check so to specifically check for qubes_dom0-root in this function:

# check $CONFIG_ROOT_DEV if set/valid
  if [ -e "$CONFIG_ROOT_DEV" ]; then
    if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then
      if cryptsetup luksOpen $CONFIG_ROOT_DEV rootdisk; then
        if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
          if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS
            return 0
          fi
        fi
      fi
    fi
  fi

deutschlaender · January 23, 2022, 9:13pm

Hello, I have problems with the new feature too.
I am using qubes os on a librem 14. When I try to find the root hash I get the error response:
“No valid root disk found”.
Has someone an idea what I can do?

MrChromebox · January 24, 2022, 6:14pm

wait for me to fix it? In the mean time, disable the feature

MrChromebox · January 24, 2022, 9:16pm

@ComprehensiveAddict @dallas87 the issue is that Pureboot is using an older version of cryptsetup, which was unable to unlock the LUKS2 encrypted root used by Qubes. I’ll update Pureboot with a fix shortly

jlariviere · January 25, 2022, 2:10am

I’m getting the same error. Not sure how to fix it

dallas87 · January 25, 2022, 6:52am

Thank you @MrChromebox
Waiting to use this new feature

MrChromebox · January 28, 2022, 11:26pm

@dallas87 @ComprehensiveAddict @jlariviere @deutschlaender please test out new Pureboot release 20.1 for your respective devices: https://source.puri.sm/firmware/releases/-/tree/Pureboot-Release-20.1

If all good, will merge/release. TIA

dallas87 · January 29, 2022, 7:09pm

@MrChromebox :::(((
Unfortunately for me doesn’t work

It is asking 2 times for luks pass
After that it will say: unable to locate /root files on any mounted disk

deutschlaender · January 29, 2022, 10:06pm

Yes, after flashing the BIOS I get exactly the same error.

MrChromebox · January 29, 2022, 11:53pm

ok, digging further here

edit: looks like it’s an issue with the partition being used as a thin-provisioned LVM, so additional handling will be needed. this will take some time.

dallas87 · March 3, 2022, 9:24am

@MrChromebox any updates on this ?

MrChromebox · March 3, 2022, 2:07pm

I’ve been busy with other tasks and haven’t had time to investigate further. It’s still on my to-do list though

Ass113 · June 27, 2022, 12:16am

Hi @MrChromebox is there any update with this fix for root file check in pureboot for Qubesos?

MrChromebox · June 27, 2022, 4:43pm

unfortunately not, the issue is a bit more complicated than original thought