Stay Protected with Librem 14’s Latest Pureboot Feature

@ComprehensiveAddict @dallas87 the issue is that Pureboot is using an older version of cryptsetup, which was unable to unlock the LUKS2 encrypted root used by Qubes. I’ll update Pureboot with a fix shortly

4 Likes

I’m getting the same error. Not sure how to fix it

Thank you @MrChromebox
Waiting to use this new feature

1 Like

@dallas87 @ComprehensiveAddict @jlariviere @deutschlaender please test out new Pureboot release 20.1 for your respective devices: https://source.puri.sm/firmware/releases/-/tree/Pureboot-Release-20.1

If all good, will merge/release. TIA

1 Like

@MrChromebox :::(((
Unfortunately for me doesn’t work

  1. It is asking 2 times for luks pass
  2. After that it will say: unable to locate /root files on any mounted disk

Yes, after flashing the BIOS I get exactly the same error.

ok, digging further here

edit: looks like it’s an issue with the partition being used as a thin-provisioned LVM, so additional handling will be needed. this will take some time.

@MrChromebox any updates on this :frowning: ?

I’ve been busy with other tasks and haven’t had time to investigate further. It’s still on my to-do list though

Hi @MrChromebox is there any update with this fix for root file check in pureboot for Qubesos?

unfortunately not, the issue is a bit more complicated than original thought

for some reason, i didn’t see the mention of my username until now, sorry.
I just updated to the latest pureboot, and did not have any issues booting.

1 Like

@MrChromebox has this been addressed?

He has left Purism

1 Like

Will this be address?

1 Like

@jonathon.hall

Hi all, I’ll check this out. I’m not aware of any fixes made to root hashing for Qubes OS, so the status is probably the same, but I’ll take a look and see what is needed to get this working. Thanks for bringing it to my attention.

1 Like

I looked into this - it’s still not working currently with Qubes’ default partitioning (as expected).

The default partition layout puts root on an LVM2 thin-provisioned volume, the LVM2 container is in turn LUKS-encrypted. We need a few things:

  • kernel support for LVM2 thin provisioned volumes (trivial)
  • LVM2 tooling wants a ‘thin_check’ tool before activating a thin volume, either need to build this and include it or disable the check
  • We need scripting to find the correct root volume, probably an initial version could just look for the default name used by Qubes

It’s solvable. I’ll need to look into ‘thin_check’ more, see if any other dependencies are needed, what we lose if we disable it, how big it is, etc.

1 Like

Got this working for the default Qubes partitioning layout, should work for any combination of LVM/LUKS using the ‘root’ LVM logical volume.

Upstream PR: Root file hashing: support Qubes default partition layout by JonathonHall-Purism · Pull Request #1586 · linuxboot/heads · GitHub

It’s also in the purism_next branch of PureBoot for the upcoming Release 29.

If you’re comfortable building PureBoot/Heads, you can build from source now to give it a try. (As always, please be aware that the full release tests haven’t been run yet, and have a hardware recovery method if you are building your own firmware.)

I’ll start building release candidates for the next firmware releases next week. Once I’ve done basic testing, I can post them for anyone interested to try.

2 Likes

The first PureBoot 29 release candidate is up including this improvement, details here: PureBoot 29 Release Candidate

1 Like