From 9a321884379a71b5f0986fdfb97a2b6c5bdccd8a Mon Sep 17 00:00:00 2001
From: Francis Rowe
+ Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition
+ when setting up an encrypted system. This means that your machine can really secure data while powered off.
+
+ This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer.
+
+ Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols) and when the installer asks you to setup
+ encryption (ecryptfs) for your home directory, select 'Yes'.
+
+
+ Your user password should be different than the LUKS password which you will set later on.
+ Your LUKS password should, like the user password, be secure.
+
+ Choose 'Manual' partitioning:
+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
+
+ Installation will ask what kernel you want to use. linux-generic is fine.
+
+ Just continue here, without selecting anything. You can install everything later (it's really easy).
+
+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
+
+ You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.
+
+ Just say 'Yes'.
+
+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
+
+ Do that:
+ Immediately after logging in, do that:
+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
+ somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
+
+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
+
+ Modify your grub.cfg (in the firmware) using this tutorial;
+ just change the default menu entry 'Load Operating System' to say this inside:
+
+ cryptomount -a (ahci0,msdos1)
+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
+ GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.
+
+ The GRUB utility can be used like so:
+ Give it a password (remember, it has to be secure) and it'll output something like:
+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
+
+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
+ using this tutorial.
+
+ $ sudo apt-get update
+ At the time of writing, Trisquel 7 had this
+ bug from upstream. The workaround identified in this page
+ was as follows:
+ Installs the default desktop:
+ It might ask for postfix configuration. I just choose 'No configuration'.
+
+ Next time you boot, it'll start lightdm and you can login. To start lightdm now, do:
+ Go back to the terminal (ctrl-alt-f1) and exit:
+ Go back to lightdm (ctrl-alt-f7) and login.
+
+ Since you installed using net install and you only installed the base system, network-manager isn't controlling
+ your eth0 but instead /etc/network/interfaces is. Comment out the eth0 lines in that file, and then do:
+ If you followed all that correctly, you should now have a fully encrypted system.
+
+ Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
+ This document is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
+ Installing Trisquel GNU/Linux with full disk encryption (including /boot)
+
+ Partitioning
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Further partitioning
+
+
+
+
+
+
+
+
+ Kernel
+
+ Tasksel
+
+ Install the GRUB boot loader to the master boot record
+
+ Clock UTC
+
+
+ Booting your system
+
+
+
+ grub> cryptomount -a (ahci0,msdos1)
+ grub> set root='lvm/buzz-distro'
+ grub> linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro
+ grub> initrd /initrd.img
+ grub> boot
+
+ ecryptfs
+
+
+
+ $ sudo ecryptfs-unwrap-passphrase
+
+ Modify grub.cfg (CBFS)
+
+
+
+ set root='lvm/buzz-distro'
+ linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro
+ initrd /initrd.img
+
+ $ grub-mkpasswd-pbkdf2
+
+ grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+
+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+
+
+
+ Update Trisquel
+
+
+
+ $ sudo apt-get upgrade
+
+ $ sudo apt-get remove libpam-smbpass
+
+ Install a desktop (optional)
+
+
+
+ $ sudo apt-get install trisquel
+
+ $ sudo service lightdm start
+
+ $ exit
+
+ $ sudo /etc/init.d/networking stop
+ $ sudo service network-manager restart
+
+ Conclusion
+
+
+
+
+
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
+ A copy of the license can be found at ../license.txt.
+
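Review bot: the kernel line `linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro` (it appears twice, in the manual `grub>` boot sequence and again in the CBFS grub.cfg fragment) names the plaintext LVM volume as the encrypted device. `cryptdevice=` expects the raw LUKS container, not a logical volume that only exists after the container has been opened, and the `cryptdevice=<device>:<name>` syntax belongs to Arch's `encrypt` initramfs hook rather than the initramfs-tools cryptroot script that Trisquel inherits from Ubuntu/Debian, which unlocks the root device from the crypttab copied into the initrd. As written the parameter is almost certainly ignored, which is why the boot still succeeds; either drop it or say plainly that the initramfs, not this parameter, opens the LUKS volume. Two things are missing next to the `set superusers="root"` / `password_pbkdf2 root ...` block: once `superusers` is set, every menu entry, 'Load Operating System' included, prompts for the GRUB password unless it is declared with `--unrestricted`, so the reader should be told to expect a prompt on every boot or be shown the flag; and the claim that the password "protects your system from an attacker simply booting a live USB and re-flashing your firmware" should be narrowed, because the password only gates menu entries and the GRUB shell, not the flash chip: anyone who can write the chip by other means can also replace the grub.cfg that holds the hash, so the protection is against software flashing from an OS booted through this GRUB. Minor: the ecryptfs paragraph ends with a stray '>' after "memorize it still)".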
+ When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer,
+ booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't
+ exist. Use that kernel parameter on the 'linux' line when booting it:
+ vga=normal fb=false
+
+ Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. +
+ ++ If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. + Or, if you are booting manually (from GRUB terminal) then just add the parameters. +
+ ++ This workaround was found on the page: https://www.debian.org/releases/stable/i386/ch05s04.html. + It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method. +
+
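Review bot: the three closing paragraphs (from "Tested in Trisquel 6 (and 7)" to the debian.org link) carry stray " +" and "++" markers in the middle of the text, so the file's original line breaks have been folded into single lines; re-wrap them onto separate lines before this lands. Also "Use that kernel parameter on the 'linux' line" introduces two parameters, `vga=normal fb=false`; say "parameters" and state that both go on the same `linux` line of the installer's entry.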
- Copyright © 2014 Francis Rowe, All Rights Reserved.
- See ../license.html for license conditions.
+ Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
+ A copy of the license can be found at ../license.txt.
+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +
+
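Review bot: the replacement notice points at ../license.txt where the removed lines pointed at ../license.html; make sure the .txt file is added (or the .html file renamed) in this same change, otherwise every page that carries this footer links to a missing file. The last added line also runs the "released under the Creative Commons Attribution-ShareAlike 4.0" sentence, the warranty disclaimer and the "See ../license.txt" pointer together with embedded " + " separators; split them back onto their own lines so the footer matches the one used at the top of the page.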