From 4c3d46238022f0c9955ae7e8b10c9f1716dd871a Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Wed, 04 Feb 2015 04:14:49 -0500 Subject: Documentation: implement theme, drastically improve readability --- (limited to 'docs/gnulinux/encrypted_parabola.html') diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html index a48e489..85cb6ce 100644 --- a/docs/gnulinux/encrypted_parabola.html +++ b/docs/gnulinux/encrypted_parabola.html @@ -12,262 +12,293 @@ -
+

Installing Parabola GNU/Linux with full disk encryption (including /boot)

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. -

- -

- Boot Parabola's install environment. How to boot a GNU/Linux installer. -

- -

- For this guide I used the 2013 09 01 image to boot the live installer and install the system. -

- -

- Parabola is much more flexible than Trisquel, but also more involved to set up. -

- -

- Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. - See this page - for more info. -

- -

- If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously - contained plaintext copies of your data. -

- -

- Wipe the MBR (if you use MBR):
- # lsblk
- Your HDD is probably /dev/sda: - # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
- Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. - This guide is for libreboot with GRUB-as-payload only. -

- -

- Securely wipe the drive:
- # dd if=/dev/urandom of=/dev/sda; sync
- NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, - use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended - erase block size is. For example if it was 2MiB:
- # dd if=/dev/urandom of=/dev/sda bs=2M; sync -

-

- If your drive was already LUKS encrypted (maybe you are re-installing your distro) then - it is already 'wiped'. You should just wipe the LUKS header. - https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ - showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
- # head -c 3145728 /dev/urandom > /dev/sda; sync
- (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). -

-

- - If you do plan to use an SSD, make sure to read - https://wiki.archlinux.org/index.php/Solid_State_Drives
- Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting - them for this guide. -
-

- -

- This guide will go through the installation steps taken at the time of writing, which may or may not change due to - the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, - please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to - the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15). -

- -

- Change keyboard layout -

-

- Parabola live shell assumes US Qwerty. If you have something different, use:
- # loadkeys LAYOUT
- For me, LAYOUT would have been dvorak-uk. -

+

+ Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and it's GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

-

Getting started

-

- The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide. - Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first. -

+

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the machine. +

+

+ Back to previous index +

+ -

dm-mod

+
+

- device-mapper will be used - a lot. Make sure that the kernel module is loaded:
- # modprobe dm-mod + Boot Parabola's install environment. How to boot a GNU/Linux installer.

-

Create LUKS partition

-

- I am using MBR partitioning, so I use cfdisk:
- # cfdisk /dev/sda -

-

- I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). -

- Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
- I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption. + For this guide I used the 2013 09 01 image to boot the live installer and install the system.

+

- Parabola forces you to RTFM. -

-

- It tells me to run:
- # cryptsetup benchmark (for making sure the list below is populated)
- Then:
- # cat /proc/crypto
- This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). - To gain a better understanding, I am also reading:
- # man cryptsetup -

-

- Following that page, based on my requirements, I do the following based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode. - Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. -

-

- I am initializing LUKS with the following:
- # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1 - -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password - length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more. - It might take you a while to memorize a long passphrase before beginning this step. + This guide will go through the installation steps taken at the time of writing, which may or may not change due to + the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, + please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to + the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15).

+ +
-

Create LVM

-

- Now I refer to https://wiki.archlinux.org/index.php/LVM. -

+
+

- Open the LUKS partition:
- # cryptsetup open --type luks /dev/sda1 lvm
- (it will be available at /dev/mapper/lvm)
- I'm told that the above is old syntax, which is what I did anyway. You could also try:
- # cryptsetup luksOpen /dev/sda1 lvm -

-

- Create LVM partition:
- # pvcreate /dev/mapper/lvm
- Show that you just created it:
- # pvdisplay -

-

- Now I create the volume group, inside of which the logical volumes will be created:
- # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
- Show that you created it:
- # vgdisplay -

-

- Now create the logical volumes:
- # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
- # lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
- You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, - if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). - For a home/laptop system (typical use case), a root and a swap will do (really). -

-

- Verify that the logical volumes were created, using the following command:
- # lvdisplay + Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. + See this page + for more info.

-

Create / and swap partitions

- For the swapvol LV I use:
- # mkswap /dev/mapper/matrix-swapvol -

-

- For the rootvol LV I use:
- # mkfs.ext4 /dev/mapper/matrix-rootvol + If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously + contained plaintext copies of your data.

-

Continue with Parabola installation

-

- Mount the root (/) partition:
- # mount /dev/matrix/rootvol /mnt
-

-

- This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola - so that the guide can continue. -

- Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide. - I also cross referenced https://wiki.archlinux.org/index.php/Installation_guide. -

-

- Create /home and /boot on rootvol mountpoint:
- # mkdir /mnt/home
- # mkdir /mnt/boot -

-

- The wiki says to enable the swap so that it can be detected by 'genfstab':
- # swapon /dev/matrix/swapvol -

-

- DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. - I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. - Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. - You can test to see if internet is already working by pinging a few domains. + Wipe the MBR (if you use MBR):
+ # lsblk
+ Your HDD is probably /dev/sda: + # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
+ Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. + This guide is for libreboot with GRUB-as-payload only.

- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
- # pacman -Syy
- # pacman -Syu
- # pacman -Sy pacman (and then I did the other 2 steps above, again)
- In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. + Securely wipe the drive:
+ # dd if=/dev/urandom of=/dev/sda; sync
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, + use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended + erase block size is. For example if it was 2MiB:
+ # dd if=/dev/urandom of=/dev/sda bs=2M; sync

- <troubleshooting>
-    The following is based on 'Verification of package signatures' in the Parabola install guide.
-    Check there first to see if steps differ by now.
-    Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
-    # pacman -Sy parabola-keyring
-    It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:
-    # pacman-key --populate parabola
-    # pacman-key --refresh-keys
-    # pacman -Sy parabola-keyring
-    To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
-    Also, it says that if the clock is set incorrectly then you have to manually set the correct time
-    (if keys are listed as expired because of it):
-    # date MMDDhhmm[[CC]YY][.ss]
-    I also had to install:
-    # pacman -S archlinux-keyring
-    # pacman-key --populate archlinux
-    In my case I saw some conflicting files reported in pacman, stopping me from using it.
-    I deleted the files that it mentioned - and then it worked. Specifically, I had this error:
-    licenses: /usr/share/licenses/common/MPS exists in filesystem
-    I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
-    # pacman -Sf licenses
- </troubleshooting>
+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then + it is already 'wiped'. You should just wipe the LUKS header. + https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ + showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
+ # head -c 3145728 /dev/urandom > /dev/sda; sync
+ (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).

- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- # pacstrap /mnt base base-devel wpa_supplicant dialog + + If you do plan to use an SSD, make sure to read + https://wiki.archlinux.org/index.php/Solid_State_Drives
+ Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting + them for this guide. +

+ +
+ +
+ +

+ Change keyboard layout +

+

+ Parabola live shell assumes US Qwerty. If you have something different, use:
+ # loadkeys LAYOUT
+ For me, LAYOUT would have been dvorak-uk. +

+ +
+ +
+ +

Getting started

+

+ The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide. + Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first. +

+ +
+ +
+ +

dm-mod

+

+ device-mapper will be used - a lot. Make sure that the kernel module is loaded:
+ # modprobe dm-mod +

+ +

Create LUKS partition

+

+ I am using MBR partitioning, so I use cfdisk:
+ # cfdisk /dev/sda +

+

+ I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). +

+

+ Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
+ I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption. +

+

+ Parabola forces you to RTFM. +

+

+ It tells me to run:
+ # cryptsetup benchmark (for making sure the list below is populated)
+ Then:
+ # cat /proc/crypto
+ This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). + To gain a better understanding, I am also reading:
+ # man cryptsetup +

+

+ Following that page, based on my requirements, I do the following based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode. + Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. +

+

+ I am initializing LUKS with the following:
+ # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1 + -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password + length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more. + It might take you a while to memorize a long passphrase before beginning this step. +

+ +
-

Configure the system

+
+ +

Create LVM

+

+ Now I refer to https://wiki.archlinux.org/index.php/LVM. +

+

+ Open the LUKS partition:
+ # cryptsetup open --type luks /dev/sda1 lvm
+ (it will be available at /dev/mapper/lvm)
+ I'm told that the above is old syntax, which is what I did anyway. You could also try:
+ # cryptsetup luksOpen /dev/sda1 lvm +

+

+ Create LVM partition:
+ # pvcreate /dev/mapper/lvm
+ Show that you just created it:
+ # pvdisplay +

+

+ Now I create the volume group, inside of which the logical volumes will be created:
+ # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
+ Show that you created it:
+ # vgdisplay +

+

+ Now create the logical volumes:
+ # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
+ # lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
+ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, + if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). + For a home/laptop system (typical use case), a root and a swap will do (really). +

+

+ Verify that the logical volumes were created, using the following command:
+ # lvdisplay +

+ +
+ +
+ +

Create / and swap partitions

+

+ For the swapvol LV I use:
+ # mkswap /dev/mapper/matrix-swapvol +

+

+ For the rootvol LV I use:
+ # mkfs.ext4 /dev/mapper/matrix-rootvol +

+ +
+ +
+ +

Continue with Parabola installation

+

+ Mount the root (/) partition:
+ # mount /dev/matrix/rootvol /mnt
+

+

+ This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola + so that the guide can continue. +

+

+ Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide. + I also cross referenced https://wiki.archlinux.org/index.php/Installation_guide. +

+

+ Create /home and /boot on rootvol mountpoint:
+ # mkdir /mnt/home
+ # mkdir /mnt/boot +

+

+ The wiki says to enable the swap so that it can be detected by 'genfstab':
+ # swapon /dev/matrix/swapvol +

+

+ DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. + I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. + Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. + You can test to see if internet is already working by pinging a few domains. +

+ +

+ I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
+ # pacman -Syy
+ # pacman -Syu
+ # pacman -Sy pacman (and then I did the other 2 steps above, again)
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. +

+

+ <troubleshooting>
+    The following is based on 'Verification of package signatures' in the Parabola install guide.
+    Check there first to see if steps differ by now.
+    Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
+    # pacman -Sy parabola-keyring
+    It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:
+    # pacman-key --populate parabola
+    # pacman-key --refresh-keys
+    # pacman -Sy parabola-keyring
+    To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
+    Also, it says that if the clock is set incorrectly then you have to manually set the correct time
+    (if keys are listed as expired because of it):
+    # date MMDDhhmm[[CC]YY][.ss]
+    I also had to install:
+    # pacman -S archlinux-keyring
+    # pacman-key --populate archlinux
+    In my case I saw some conflicting files reported in pacman, stopping me from using it.
+    I deleted the files that it mentioned + and then it worked. Specifically, I had this error:
+    licenses: /usr/share/licenses/common/MPS exists in filesystem
+    I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
+    # pacman -Sf licenses
+ </troubleshooting>
+

+

+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
+ # pacstrap /mnt base base-devel wpa_supplicant dialog +

+ +
+ +
+ +

Configure the system

From the Parabola installation guide (Arch's one was identical):
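Review bot: the paragraphs rewrapped in this hunk carry over the typos of the lines they replace, and since each of them is already a `+` line the fix costs nothing here: in the Libreboot intro paragraph, "alongside libreboot and it's GRUB payload executable" should read "its GRUB payload executable"; in the LUKS-header paragraph, "I'm doing to use urandom" should read "I'm going to use urandom". Separately, the new "Back to previous index" link is inserted between the second introductory paragraph and "Boot Parabola's install environment", i.e. in the middle of the body rather than at the top or bottom of the page; confirm that placement is what the theme intends.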
# genfstab -p /mnt >> /mnt/etc/fstab @@ -359,8 +390,12 @@ # mkinitcpio -p linux-libre-grsec + +

-

Set a root password

+
+ +

Set a root password

At the time of writing, Parabola used SHA512 by default for it's password hashing.

@@ -374,8 +409,12 @@ # passwd root
Make sure to set a secure password! Also, it must never be the same as your LUKS password.

+ +
+ +
-

Extra security tweaks

+

Extra security tweaks

Based on https://wiki.archlinux.org/index.php/Security.

@@ -397,8 +436,12 @@ Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. If this is a single-user system, you don't really need sudo.

+ +
+ +
-

Unmount, reboot!

+

Unmount, reboot!

Exit from chroot:
# exit @@ -421,8 +464,12 @@ # shutdown -h now
Then boot up again.

+ +
-

Booting from GRUB

+
+ +

Booting from GRUB

Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional (using those 2 underlines will boot lts kernel instead of normal). @@ -437,132 +484,144 @@

You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img

+ +
-
+
+ +

Modify grub.cfg inside the ROM

-

Modify grub.cfg inside the ROM

+

+ Now you need to modify the ROM, so that Parabola can boot automatically with this configuration. + grub_cbfs.html shows you how. Follow that guide, using the configuration details below. +

+

+ Inside the 'Load Operating System' menu entry, change the contents to:
+ + cryptomount -a (ahci0,msdos1)
+ set root='lvm/matrix-rootvol'
+ linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
+ initrd /boot/initramfs-linux-libre-lts.img +
+

-

- Now you need to modify the ROM, so that Parabola can boot automatically with this configuration. - grub_cbfs.html shows you how. Follow that guide, using the configuration details below. -

-

- Inside the 'Load Operating System' menu entry, change the contents to:
- - cryptomount -a (ahci0,msdos1)
- set root='lvm/matrix-rootvol'
- linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
- initrd /boot/initramfs-linux-libre-lts.img -
-

+

+ Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. + You could also copy the menu entry and in one have -lts, and without in the other menuentry. + You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img +

-

- Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. - You could also copy the menu entry and in one have -lts, and without in the other menuentry. - You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img -

+

+ Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. +

-

- Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. -

+

+ Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: +

+
set superusers="root"
+	password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+	
-

- Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: -

-
set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
+

+ Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root. + Change root on both of those 2 lines to whatever you want. +

-

- Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root. - Change root on both of those 2 lines to whatever you want. -

+

+ Start dhcp on ethernet:
+ # systemctl start dhcpcd.service + This is just for the step below. I won't cover network configuration here. That is for another Parabola article. +

-

- Start dhcp on ethernet:
- # systemctl start dhcpcd.service - This is just for the step below. I won't cover network configuration here. That is for another Parabola article. -

+

+ The password hash (it's password, by the way) after 'password_pbkdf2 root' should be changed and is created by the grub-mkpasswd-pbkdf2 utility, which you need to install or otherwise compile, + like so:
+ # pacman -S grub +

+ +

+ GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash + by entering your chosen password at the prompt, when running this command:
+ # grub-mkpasswd-pbkdf2 +

-

- The password hash (it's password, by the way) after 'password_pbkdf2 root' should be changed and is created by the grub-mkpasswd-pbkdf2 utility, which you need to install or otherwise compile, - like so:
- # pacman -S grub -

- -

- GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash - by entering your chosen password at the prompt, when running this command:
- # grub-mkpasswd-pbkdf2 -

+

+ It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password. + Use it to replace the default hash mentioned above. +

-

- It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password. - Use it to replace the default hash mentioned above. -

+

+ With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. + This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware. +

-

- With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. - This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware. -

+

+ You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:
+ # pacman -S base-devel +

-

- You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:
- # pacman -S base-devel -

+

+ For flashing the modified ROM, I just used flashrom from the Parabola repo's:
+ # pacman -S flashrom
+ I also installed dmidecode:
+ # pacman -S dmidecode +

-

- For flashing the modified ROM, I just used flashrom from the Parabola repo's:
- # pacman -S flashrom
- I also installed dmidecode:
- # pacman -S dmidecode -

+

+ When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; + GRUB is already part of libreboot, flashed alongside it as a payload):
+ # pacman -R grub +

+ +
+ +

- When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; - GRUB is already part of libreboot, flashed alongside it as a payload):
- # pacman -R grub + If you followed all that correctly, you should now have a fully encrypted Parabola installation. + This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest + (desktop, etc).

+ +
-
+
-

- If you followed all that correctly, you should now have a fully encrypted Parabola installation. - This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest - (desktop, etc). -

+

Further security tips

+

+ https://wiki.archlinux.org/index.php/Security.
+ https://wiki.parabolagnulinux.org/User:GNUtoo/laptop +

+ +
-
+
-

Further security tips

-

- https://wiki.archlinux.org/index.php/Security.
- https://wiki.parabolagnulinux.org/User:GNUtoo/laptop -

+

Follow-up tutorial: configuring Parabola

+

+ configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic + system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. + Parabola is user-centric, which means that you are in control. For more information, read The Arch Way + (Parabola also follows it). +

+ +
-
+
-

Follow-up tutorial: configuring Parabola

- configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic - system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. - Parabola is user-centric, which means that you are in control. For more information, read The Arch Way - (Parabola also follows it). + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt.

-
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +

+ +
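Review bot: the two lines of the GRUB password block are now indented inconsistently: `set superusers="root"` stays at column 0 while the re-added `password_pbkdf2 root grub.pbkdf2.sha512.10000...` line and the line after it gain a leading tab. If that block renders preformatted, readers copying it will paste a tab into grub.cfg on one line only; indent both lines the same way, or neither. Two wording fixes on lines this hunk rewrites: "flashrom from the Parabola repo's" should be "repos", and "When done, deleted GRUB" should be "When done, delete GRUB". The copyright year update to "2014, 2015" is consistent with the commit date.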