Date: Fri, 06 Nov 2015 17:43:29 -0500 Subject: convert documentation to texinfo --- (limited to 'docs/gnulinux/encrypted_trisquel.html') diff --git a/docs/gnulinux/encrypted_trisquel.html b/docs/gnulinux/encrypted_trisquel.html deleted file mode 100644 index 0904809..0000000 --- a/docs/gnulinux/encrypted_trisquel.html +++ /dev/null @@ -1,493 +0,0 @@ - - - - - - - - - Installing Trisquel GNU/Linux with full disk encryption (including /boot) - - - -

Installing Trisquel GNU/Linux with full disk encryption (including /boot)

- Libreboot on x86 uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and its GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the system. -

- This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). - How to boot a GNU/Linux installer. -

- This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely. -

Back to previous index

- -

- Set a strong user password (lots of lowercase/uppercase, numbers and symbols). -

- -

- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords). -

- -

- when the installer asks you to set up - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'. -

- -

- - Your user password should be different from the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - -

- -

Partitioning

- -

Choose 'Manual' partitioning:

Select drive and create new partition table
- Single large partition. The following are mostly defaults: -
- Use as: physical volume for encryption
- Encryption: aes
- key size: 256
- IV algorithm: xts-plain64
- Encryption key: passphrase
- erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)
-
- Select 'configure encrypted volumes' -
- Create encrypted volumes
- Select your partition
- Finish
- Really erase: Yes
- (erase will take a long time. be patient)
- (if your old system was encrypted, just let this run for about a minute to - make sure that the LUKS header is wiped out)
-
- Select encrypted space: -
- use as: physical volume for LVM
- Choose 'done setting up the partition'
-
- Configure the logical volume manager: -
- Keep settings: Yes
-
- Create volume group: -
- Name: grubcrypt (you can use whatever you want here, this is just an example)
- Select crypto partition
-
- Create logical volume -
- select grubcrypt (or whatever you named it before)
- name: trisquel (you can use whatever you want here, this is just an example)
- size: default, minus 2048 MB
-
- Create logical volume -
- select grubcrypt (or whatever you named it before)
- name: swap (you can use whatever you want here, this is just an example)
- size: press enter
-

- -

Further partitioning

- -

- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. -

- LVM LV trisquel -
- use as: ext4
- mount point: /
- done setting up partition
-
- LVM LV swap -
- use as: swap area
- done setting up partition
-
Now you select 'Finished partitioning and write changes to disk'.

- -

Kernel

- -

- Installation will ask what kernel you want to use. linux-generic is fine. -

- -

Tasksel

- -

- Choose "Trisquel Desktop Environment" if you want GNOME, - "Trisquel-mini Desktop Environment" if you - want LXDE or "Triskel Desktop Environment" if you want KDE. - If you want to have no desktop (just a basic shell) - when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). - You might also want to choose some of the other package groups; it's up to you. -

- -

Postfix configuration

- -

- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) -

- -

Install the GRUB boot loader to the master boot record

- -

- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. - You could also choose 'No'. Choice is irrelevant here. -

- -

- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. -

- -

Clock UTC

- -

- Just say 'Yes'. -

- -

- Booting your system -

- -

- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. -

- -

- Do that:
- grub> cryptomount -a
- grub> set root='lvm/grubcrypt-trisquel'
- grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
- grub> initrd /initrd.img
- grub> boot -

- -

- ecryptfs -

- -

- If you didn't encrypt your home directory, then you can safely ignore this section. -

- -

- Immediately after logging in, do that:
- $ sudo ecryptfs-unwrap-passphrase -

- -

- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> -

- -

- Modify grub.cfg (CBFS) -

- -

- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. -

- -

- Modify your grub.cfg (in the firmware) using this tutorial; - just change the default menu entry 'Load Operating System' to say this inside: -

- -

- cryptomount -a
- set root='lvm/grubcrypt-trisquel'
- linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
- initrd /initrd.img -

- -

- Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes. - You can also specify -u UUID or -a (device). -

- -

- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. -

- Use of the diceware method is recommended, for generating secure passphrases (as opposed to passwords). -

- -

- The GRUB utility can be used like so:
- $ grub-mkpasswd-pbkdf2 -

- -

- Give it a password (remember, it has to be secure) and it'll output something like:
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -

- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords). -

- -

- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
-

-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-

- MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. - Then select the menu entry that says Switch to grubtest.cfg and test that it works. - Then copy that to grub.cfg once you're satisfied. - WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. -

- (emphasis added, because it's needed. This is a common roadblock for users) -

- -

- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! -

- -

- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM - using this tutorial. -

- -

Troubleshooting

- -

- A user reported issues when booting with a docking station attached - on an X200, when decrypting the disk in GRUB. The error - AHCI transfer timed out was observed. The workaround - was to remove the docking station. -

- -

- Further investigation revealed that it was the DVD drive causing problems. - Removing that worked around the issue. -

- -

-
-"sudo wodim -prcap" shows information about the drive:
-Device was not specified. Trying to find an appropriate drive...
-Detected CD-R drive: /dev/sr0
-Using /dev/cdrom of unknown capabilities
-Device type    : Removable CD-ROM
-Version        : 5
-Response Format: 2
-Capabilities   : 
-Vendor_info    : 'HL-DT-ST'
-Identification : 'DVDRAM GU10N    '
-Revision       : 'MX05'
-Device seems to be: Generic mmc2 DVD-R/DVD-RW.
-
-Drive capabilities, per MMC-3 page 2A:
-
-  Does read CD-R media
-  Does write CD-R media
-  Does read CD-RW media
-  Does write CD-RW media
-  Does read DVD-ROM media
-  Does read DVD-R media
-  Does write DVD-R media
-  Does read DVD-RAM media
-  Does write DVD-RAM media
-  Does support test writing
-
-  Does read Mode 2 Form 1 blocks
-  Does read Mode 2 Form 2 blocks
-  Does read digital audio blocks
-  Does restart non-streamed digital audio reads accurately
-  Does support Buffer-Underrun-Free recording
-  Does read multi-session CDs
-  Does read fixed-packet CD media using Method 2
-  Does not read CD bar code
-  Does not read R-W subcode information
-  Does read raw P-W subcode data from lead in
-  Does return CD media catalog number
-  Does return CD ISRC information
-  Does support C2 error pointers
-  Does not deliver composite A/V data
-
-  Does play audio CDs
-  Number of volume control levels: 256
-  Does support individual volume control setting for each channel
-  Does support independent mute setting for each channel
-  Does not support digital output on port 1
-  Does not support digital output on port 2
-
-  Loading mechanism type: tray
-  Does support ejection of CD via START/STOP command
-  Does not lock media on power up via prevent jumper
-  Does allow media to be locked in the drive via PREVENT/ALLOW command
-  Is not currently in a media-locked state
-  Does not support changing side of disk
-  Does not have load-empty-slot-in-changer feature
-  Does not support Individual Disk Present feature
-
-  Maximum read  speed:  4234 kB/s (CD  24x, DVD  3x)
-  Current read  speed:  4234 kB/s (CD  24x, DVD  3x)
-  Maximum write speed:  4234 kB/s (CD  24x, DVD  3x)
-  Current write speed:  4234 kB/s (CD  24x, DVD  3x)
-  Rotational control selected: CLV/PCAV
-  Buffer size in KB: 1024
-  Copy management revision supported: 1
-  Number of supported write speeds: 4
-  Write speed # 0:  4234 kB/s CLV/PCAV (CD  24x, DVD  3x)
-  Write speed # 1:  2822 kB/s CLV/PCAV (CD  16x, DVD  2x)
-  Write speed # 2:  1764 kB/s CLV/PCAV (CD  10x, DVD  1x)
-  Write speed # 3:   706 kB/s CLV/PCAV (CD   4x, DVD  0x)
-
-Supported CD-RW media types according to MMC-4 feature 0x37:
-  Does write multi speed       CD-RW media
-  Does write high  speed       CD-RW media
-  Does write ultra high speed  CD-RW media
-  Does not write ultra high speed+ CD-RW media
-
-

- -

- Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
- Permission is granted to copy, distribute and/or modify this document - under the terms of the GNU Free Documentation License, Version 1.3 - or any later version published by the Free Software Foundation; - with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. - A copy of the license can be found at ../gfdl-1.3.txt -

- -

- Updated versions of the license (when available) can be found at - https://www.gnu.org/licenses/licenses.html -

- -

- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. -

- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. -

- The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. -

- -

- - - -- cgit v0.9.1