Since it took a while for me to sum up all the pieces and a lot of trial and
error to get the whole setup working, I took some notes to help others who
want to try something similar.
Please note that everything written there is public domain (so
copy-edit-whatever).
I did it today in a hurry so any feedback, modification or contribution
is welcome.
On 2018-03-27 18:10, G wrote:
> Hello,
> Since it took a while for me to sum up all the pieces and a lot of trial
> and error to get the whole setup working, I took some notes to help
> others who want to try something similar.
> Please note that everything written there is public domain (so
> copy-edit-whatever).
>
> https://git.lsd.cat/g/thinkad-coreboot-qubes
On Fri, Apr 06, 2018 at 09:22:52AM +0000, 799 wrote:
> As mentioned I have also drafted a how-to to set up Coreboot on an X230,
> including building the pi, flashrom and extracting Blobs.
Out of curiosity: does resume work reliably for you? For me it didn't
with coreboot (and the free VGA BIOS) but it does with the legacy BIOS...
qvm-pci ls <APPVM>
qvm-pci detach <APPVM> <DEVICE>
I had to open Qubes Settings for the sys-net VM to assign the Wifi Network controller back to the VM.
It got lost after flashing coreboot.
> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile
Thanks, depending on your answer to the above question I'll probably
compare yours with mine ;)
> I wrote the how-to as I need to look at several places to get everything
> together for example how to extract Blobs, how to merge two bios files into
> one etc.
> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
> Is this correct?
Mostly. The boot partition cannot be messed up but the components of
your computer can be changed (eg a keyboard controller recording your
keystrokes) and anti-evil-maid is designed to also detect those attacks.
However these attacks are also much more sophisticated and require more
time and are harder to do than just replacing a kernel image on an
unencrypted boot partition.
I have a small question about encrypted /boot.
>dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 count=100 skip=$((2099199-2048)) seek=0 2> /dev/null | file -s -
/dev/stdin: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8453f049-6322-4e5d-b05a-a6c4688fd3a5
This procedure can't find any LUKS partition if you do this
>Using fdisk, cfdisk or parted delete both sda1 and sda2 and create a new partition using the whole disk called sda.
If you remove /dev/sda1 and /dev/sda2 use fdisk and then make /dev/sda1
>If the file command detect a LUKS encrypted file it should be safe to continue.
file didn't detect a LUKS partition :(
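
An added example, not part of the thread or of the how-to it quotes: when `file` reports nothing at the computed offset, a read-only scan of a small window of 512-byte sectors for the LUKS magic bytes shows which sector the header actually starts at. The function names are made up for this example; the arguments are a device or image path and sector numbers.

```shell
# Added example (constructed): locate a LUKS header by its magic bytes.
# "LUKS" 0xBA 0xBE are the first 6 bytes of a LUKS1 or LUKS2 primary header.
LUKS_MAGIC_HEX=4c554b53babe

# luks_at_sector FILE SECTOR
# Succeeds if a LUKS header starts at the given 512-byte sector of FILE.
# Only reads from FILE; nothing is written.
luks_at_sector() {
    hex=$(dd if="$1" bs=512 skip="$2" count=1 2>/dev/null \
          | od -An -tx1 -N6 | tr -d ' \n')
    [ "$hex" = "$LUKS_MAGIC_HEX" ]
}

# find_luks_sector FILE FIRST LAST
# Prints the first sector in [FIRST, LAST] that holds a LUKS header and
# returns 0, or returns 1 if none is found. Scanning a few sectors either
# side of the expected offset catches off-by-one errors in the arithmetic.
find_luks_sector() {
    s=$2
    while [ "$s" -le "$3" ]; do
        if luks_at_sector "$1" "$s"; then
            echo "$s"
            return 0
        fi
        s=$((s + 1))
    done
    return 1
}

# Usage (hypothetical window around the offset used in the dd command above):
#   find_luks_sector /dev/sda1 2097140 2097160
```

The sector number it prints is the value to pass as `skip=` to the `dd ... | file -s -` check.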