Guide on installing Qubes and Coreboot with encrypted boot on thinkpads


G

Mar 27, 2018, 2:10:39 PM
to qubes-users
Hello,
since it took a while for me to sum up all the pieces and a lot of trial and
error to get the whole setup working, I took some notes to help others who
want to try something similar.
Please note that everything written there is public domain (so
copy-edit-whatever).

https://git.lsd.cat/g/thinkad-coreboot-qubes

I did it today in a hurry so any feedback, modification or contribution
is welcome.


Giulio

G

Mar 27, 2018, 3:35:40 PM
to qubes-users
There's a typo in the url: should be
https://git.lsd.cat/g/thinkpad-coreboot-qubes

awokd

Mar 27, 2018, 6:17:58 PM
to G, qubes-users
Nice write-up, and congratulations! I was pretty happy to get Coreboot
running on my system too.

PS Have you seen Heads? http://osresearch.net/


G

Mar 28, 2018, 4:13:06 AM
to aw...@danwin1210.me, qubes-users
On 2018-03-27 22:17, awokd wrote:
>
> PS Have you seen Heads? http://osresearch.net/

Nope, I didn't know it. By the overview it looks like a very good idea
but I have yet to understand all the details.
Still, the problem is that currently one has to choose between keeping
the Intel ME active or having a working TPM.

I tried starting a discussion on the tradeoffs of both
https://groups.google.com/forum/#!topic/qubes-users/JEEaDRZpnpA and as
other users pointed out, while it still depends on your threat model,
the Intel ME poses a potential remote threat while the TPM should help
notice a physical attack (given coreboot is flashed with write
protection).

I looked into adding a secondary TPM, maybe in the ExpressCard slot, but
it looks like no such piece of hardware exists. Or maybe there's a way to
use the integrated TPM without the Intel ME but I don't have the skills
to research in that direction.

awokd

Mar 28, 2018, 7:42:41 AM
to G, aw...@danwin1210.me, qubes-users
On Wed, March 28, 2018 8:13 am, G wrote:

>
> I looked into adding a secondary TPM, maybe in the ExpressCard slot, but
> it looks like no such piece of hardware exists. Or maybe there's a way to
> use the integrated TPM without the Intel ME but I don't have the skills to
> research in that direction.

It looks like they are cleaning ME and still using the TPM?
http://osresearch.net/Installing-Heads


G

Mar 28, 2018, 8:14:24 AM
to aw...@danwin1210.me, qubes-users
You're right. So the "no ME, no TPM" rule probably applies only when using
the stock BIOS. I just noticed coreboot recently pushed a commit fixing
a problem in TPM activation
https://github.com/coreboot/coreboot/commit/676887d2e2e474f70a8ebb1b6065f71e4e81001d
maybe that's the issue with my x220. I'm rebuilding my ROM to check if
something changes with that commit, I'll give an update soon.

Giulio

G

Mar 28, 2018, 8:52:55 AM
to aw...@danwin1210.me, qubes-users
On 2018-03-28 12:14, G wrote:
> You're right. So the "no ME, no TPM" rule probably applies only when using
> the stock BIOS. I just noticed coreboot recently pushed a commit
> fixing a problem in TPM activation
> https://github.com/coreboot/coreboot/commit/676887d2e2e474f70a8ebb1b6065f71e4e81001d
> maybe that's the issue with my x220. I'm rebuilding my ROM to check if
> something changes with that commit, I'll give an update soon.
>
> Giulio

I just flashed the latest commit: still no luck. By checking the source
code I think that the init_tpm() function is actually being called:

From file coreboot/src/northbridge/intel/sandybridge/romstage.c:

    if (IS_ENABLED(CONFIG_LPC_TPM)) {
        init_tpm(s3resume);
    }

From my config:

    CONFIG_LPC_TPM=y
    CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y

I think I'll try opening an issue in coreboot about this.

Tai...@gmx.com

Mar 29, 2018, 2:37:28 PM
to qubes...@googlegroups.com
- Forgot microcode updates: very important in general, especially with the
latest Spectre stuff.
- My fan control works fine.
- Don't recommend the use of a comparatively expensive non-free RPI from
the evil RPI foundation; use a USB CH341A instead for $5.

If you want to shut off ExpressCard you can use "off" in the
devicetree.cb but I see no reason to; IOMMU would prevent any issues.

Tai...@gmx.com

Mar 29, 2018, 2:40:13 PM
to qubes...@googlegroups.com, ja...@brucejones.biz
G as in g-money? hehe, just had to say that.

The ME is capable of presenting a fake "softTPM" software-based TPM, but
in this case I doubt that is what the X220 has, and there is no reason
as to why a TPM shouldn't work with a cleaned ME as it doesn't involve
the ME; it communicates directly on the LPC bus.
I also must note for everyone that it is impossible to disable ME: the
ME_Cleaner software and the HAP bit do not disable ME. The kernel does in
fact run before it shuts off via HAP, which is plenty of time to perform
a litany of dirty tricks... that is, if you trust ME saying that it is
shutting down (there is no way to verify this without million dollar
equipment). A truly disabled ME could have its CPU physically
disconnected and the platform not work, or at the least be able to
function without the ME blob without shutting off after 30 minutes, which
will happen even with the HAP bit.

Of course I must mention that TXT is an Intel gimmick that isn't
actually required to have an effective AEM setup; it just means that
with it you can slightly change kernel, BIOS etc. and not have to re-seal,
which isn't at all necessary.

I suggest posting on the coreboot ML to inquire as to why it isn't
working; the aptitude level there is higher and someone will probably
be able to assist.

799

Apr 5, 2018, 3:38:20 PM
to G, qubes-users
Hello,

G <giu...@anche.no> wrote on Tue., 27 March 2018, 20:10:

since it took a while for me to sum up all the pieces and a lot of trial and
error to get the whole setup working, I took some notes to help others who
want to try something similar.
Please note that everything written there is public domain (so
copy-edit-whatever).


Nice how-to, I'm currently writing something similar for my X230.

Would you mind adding your how-to to the Qubes Community doc repository, which we've established to work on how-tos and docs until they're easy to migrate to the official Qubes Docs?
If you agree, I can also add your notes there, mentioning you as the original author.

I did it today in a hurry so any feedback, modification or contribution
is welcome.

I'd like to use grub as payload but without using encrypted boot, as I am afraid to damage my production Qubes environment and losing time fixing it.

What do I need to do if I would like to just use Grub and leave my boot untouched?

As far as I understand, the benefit of having Grub as payload is to be able to encrypt /boot.
Does this then mean that it makes no sense to run Grub instead of SeaBIOS without having boot encrypted?

[799]

799

Apr 6, 2018, 5:23:07 AM
to giu...@anche.no, qubes-users
Hello Giulio,

G <giu...@anche.no> wrote on Tue., 27 March 2018, 21:35:
On 2018-03-27 18:10, G wrote:
> Hello,
> since it took a while for me to sum up all the pieces and a lot of trial
> and error to get the whole setup working I took some notes to help
> others who want to try something similar.
> Please note that everything written there is public domain (so
> copy-edit-whatever).
>
> https://git.lsd.cat/g/thinkad-coreboot-qubes

As mentioned I have also drafted a how-to to set up Coreboot on an X230, including building the Pi, flashrom and extracting blobs.

My how-to is located in the Qubes Community docs.
While I need to fill in some small gaps on how to put the hardware parts together, all the other stuff is covered, including extracting blobs and vga.rom.

The how-to is located here:

The coreboot config I have used is here:

I wrote the how-to as I needed to look at several places to get everything together, for example how to extract blobs, how to merge two BIOS files into one etc.
Having everything in one place is nice for a newbie if he owns exactly the same model/X230.

I am interested in getting the best out of both worlds (Coreboot + Qubes).
It seems that your approach (using GRUB) offers some benefits vs. using SeaBIOS as the boot partition can then be encrypted.

Are there issues going this way? For example breaking the future upgrade ability?

It seems to me that if I run Coreboot with grub + encrypted boot, there is no need to run anti evil maid, as the boot partition can't be messed with.

Is this correct?

[799]

G

Apr 6, 2018, 5:41:23 AM
to 799, qubes-users
On 2018-04-05 19:38, 799 wrote:
> Nice how-to, I'm currently writing something similar for my X230.
>
> Would you mind adding your howto to the Qubes Community doc
> repository, which we've established to work on howtos and docs until
> they're easy to be migrated to the official Qubes Docs.
> If you agree, I can also add your notes there, mentioning you as the
> original author.
>

Hello, no problem; as I said, it is copyleft. Where's the Qubes Community
repository?

>
> I'd like to use grub as payload but without using encrypted boot as I
> am afraid to damage my production Qubes environment and loosing time
> fixing it.
>
> What do I need to do, if I would like to just use Grub and leave my
> boot untouched?
>
> As far as I understand the benefit of having Grub as payload is to be
> able to encrypt /boot.
> Does this mean than include that it makes no sense to run Grub instead
> of SeaBIOS without having boot encrypted?
>
> [799]

The advantage of using SeaBIOS is that it should be able to launch the
Grub on the original /boot partition, which means that the Grub config will
be updated with system updates and that boot options can be changed
without the need to re-flash. Also, SeaBIOS probably does have more low
level configuration options, similar to a vendor BIOS.

Honestly the process of encrypting /boot went far smoother than I
expected, it actually worked on the first try (even though I did a full
dd backup copy of the whole disk before and kept also a Grub entry to
boot the old way). All included it took less than a day for the
transition.

The other benefit apart from encrypting /boot is a faster boot process
I'd say, and maybe a little more security: I don't know if it's possible
for SeaBIOS (probably yes) but I configured Grub to ask for a user and
password for every non-standard option in the menu (e.g. modifying an
entry or using the command line), this way it should be very difficult
to boot an external medium.

G

Apr 6, 2018, 5:52:31 AM
to 799, qubes-users
On 2018-04-06 09:22, 799 wrote:
>
> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.
>
> My how-to is located in the Qubes Community docs.
>
> While I need to fill in some small gaps how to put the hardware parts
> together, all the other stuff is covered including extracting Blobs
> and vga.rom.
>
> The how-to is located here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md
>
> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile
>

Good guide, thank you. I'm looking forward to better understanding Heads
(http://osresearch.net/) and maybe adding some notes on it.

Currently I do not have a GitHub account set up, so I will not be able
to make a pull request adding my guide. If anyone can do it, it would be
much appreciated, otherwise I'll probably do it given some time.


> I am interested in getting the best out of both worlds (Coreboot +
> Qubes).
> It seems that your approach (using GRUB) offers some benefits vs.
> using SeaBIOS as the boot partition can so be encrypted.
>
> Are there issues going this way? For example breaking the future
> upgrade ability ?
>
> It seems to me that if I run Coreboot with grub + encrypted boot,
> there is no need to run anti evil maid, as the boot partition can't be
> messed with.
>
> Is this correct?
>

Currently I have hardcoded the kernel version in the grub config inside
the ROM. This is an ugly temporary solution as obviously even if I
upgrade I'll continue to boot the old kernel by default. My idea is to
modify the update script to always add/update a symlink to the newest
kernel and use that name in Grub, but I have yet to look into it.

As for the AEM, I guess that if you are satisfied with your Grub config
you could set the lock bits in coreboot and flash the ROM as read-only.
Also preventing the boot of external devices should be a good idea.
However, as far as I can understand, while this is better than the
standard it doesn't really provide a valid chain of trust. There are
still additional measures that can be taken, like signing your kernel and
using the TPM; see https://trmm.net/Heads for more details.

Holger Levsen

Apr 6, 2018, 9:05:09 AM
to 799, giu...@anche.no, qubes-users
hi,

On Fri, Apr 06, 2018 at 09:22:52AM +0000, 799 wrote:
> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.

out of curiosity: does resume work reliably for you? For me it didn't
with coreboot (and the free VGA BIOS) but it does with the legacy BIOS...

(and btw, with the legacy BIOS resume is quite reliable again, just
sometimes/often the wireless doesn't work after resume; though now I
found a workaround: just suspend+resume until it comes back with
working wireless... ;)
thanks, depending on your answer to the above question I'll probably
compare yours with mine ;)

> I wrote the how-to as I need to look at several places to get everything
> together for example how to extract Blobs, how to merge two bios files into
> one etc.

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
>
> Is this correct?

mostly. The boot partition cannot be messed up but the components of
your computer can be changed (e.g. a keyboard controller recording your
keystrokes) and anti-evil-maid is designed to also detect those attacks.
However, these attacks are also much more sophisticated, require more
time and are harder to do than just replacing a kernel image on an
unencrypted boot partition.


--
cheers,
Holger

799

Apr 6, 2018, 2:25:41 PM
to 799, G, qubes-users
Hello,

On 6 April 2018 at 15:05, Holger Levsen <hol...@layer-acht.org> wrote:

On Fri, Apr 06, 2018 at 09:22:52AM +0000, 799 wrote:
> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.

out of curiosity: does resume work reliably for you? For me it didn't
with coreboot (and the free VGA BIOS) but it does with the legacy BIOS...

As described in the how-to I have extracted the vga.rom from my own BIOS files.
I can use resume and the laptop reconnects its network adapters as soon as it wakes up.
So far no issues at all.

I've run into one problem when I tried to start my AppVMs after flashing coreboot.

Problem:
Some VMs were unable to boot (sys-net and also some other AppVMs).
Error message:
Get the message PCI device <qubes.ext.pci.PCIDevice object at 0xblablabla> does not exist

Solution:
Following the suggestions mentioned here and removing some devices which don't make sense:
https://github.com/QubesOS/qubes-issues/issues/3619

    qvm-pci ls <APPVM>
    qvm-pci detach <APPVM> <DEVICE>

I had to open Qubes Settings for the sys-net VM to assign the Wifi Network controller back to the VM.
It got lost after flashing coreboot.

> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

thanks, depending on your answer to the above question I'll probably
compare yours with mine ;)

Can you share your config file?
I am sure that there is room for improvement in my config.
 
> I wrote the how-to as I need to look at several places to get everything
> together for example how to extract Blobs, how to merge two bios files into
> one etc.
> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
> Is this correct?

mostly. The boot partition cannot be messed up but the components of
your computer can be changed (e.g. a keyboard controller recording your
keystrokes) and anti-evil-maid is designed to also detect those attacks.
However, these attacks are also much more sophisticated, require more
time and are harder to do than just replacing a kernel image on an
unencrypted boot partition.

Ok, I have not yet understood all the pieces of anti evil maid and of course you are right that replacing my keyboard with a keyboard which has a keylogger installed will make my system reasonably insecure.
On the other hand, I don't think that I am a high profile target and if this would change, I guess there are much easier ways to get the data/information.
https://en.wikipedia.org/wiki/Enhanced_interrogation_techniques ... :-o

[799]

Tai...@gmx.com

Apr 6, 2018, 6:35:14 PM
to qubes...@googlegroups.com
On 04/06/2018 05:22 AM, 799 wrote:

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
Assuming you set the write-lock on the flash descriptor and have a
physical anti-tamper sticker on the case screws.

799

Apr 6, 2018, 7:18:21 PM
to Tai...@gmx.com, qubes...@googlegroups.com
What exactly does "set write-lock on flash descriptor" mean, and where can I do this?

Regarding stickers, I think it is very easy to replace those for someone who is willing to sneak silently into my laptop.
What kind of stickers do you suggest?

[799]


awokd

Apr 6, 2018, 9:01:07 PM
to 799, tai...@gmx.com, qubes...@googlegroups.com
On Fri, April 6, 2018 11:18 pm, 799 wrote:
> On 07.04.2018 12:35 AM, "Tai...@gmx.com" <Tai...@gmx.com> wrote:
>
>
> On 04/06/2018 05:22 AM, 799 wrote:
>
>
>> It seems to me that if I run Coreboot with grub + encrypted boot, there
>> is no need to run anti evil maid, as the boot partition can't be messed
>> with.
> Assuming you set the write-lock on the flash descriptor and have a
> physical anti-tamper sticker on the case screws.
>
>
> What exactly does "set write-lock on flash descriptor" mean, and where
> can I do this?

Not sure how exactly, but it makes it so you have to physically flash it
again.

> Regarding Stickers I think it is very easy to replace those for someone
> who is willing to sneak silently into my laptop. What kind of stickers do
> you suggest?

Glitter fingernail polish and take a picture.


Holger Levsen

Apr 13, 2018, 12:56:10 PM
to 799, G, qubes-users
Hi,

On Fri, Apr 06, 2018 at 08:25:37PM +0200, 799 wrote:
> as described in the howto I have extracted the vga.rom from my own
> BIOS-files.
> I can use resume and the laptop reconnects its network adapters as soon as
> it wakes up.
> So far no issues at all.

thanks for explaining.

> > The coreboot config I have used is here:
> > > https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile
> >
> > thanks, depending on your answer to the above question I'll probably
> > compare yours with mine ;)
> >
>
> Can you share your config file?
> I am sure that there is room for improvement in my config.

http://layer-acht.org/thinking/blog/20170827-coreboot-build-environment/
has a link to the config I used (which doesn't use the nonfree vgabios
blob, but then I also had resume issues, which you don't have...).


--
cheers,
Holger

Tai...@gmx.com

Apr 13, 2018, 9:11:17 PM
to qubes...@googlegroups.com
Hey guys, you don't need a VGA ROM for the integrated graphics; they use
coreboot native init.

aantis...@gmail.com

Apr 17, 2018, 10:28:10 AM
to qubes-users
Hi to all! All works fine, but the last step has some problems.

I have a small question about encrypted /boot.

>dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 count=100 skip=$((2099199-2048)) seek=0 2> /dev/null | file -s -
/dev/stdin: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8453f049-6322-4e5d-b05a-a6c4688fd3a5

This procedure can't find any LUKS partition if you do this

>Using fdisk, cfdisk or parted delete both sda1 and sda2 and create a new partition using the whole disk called sda.

If you remove /dev/sda1 and /dev/sda2 using fdisk and then make /dev/sda1

>If the file command detects a LUKS encrypted file it should be safe to continue.

file didn't detect a LUKS partition :(
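As an added example (not part of the thread or the guide it discusses), the following Python does what the `dd | file -s -` check above is meant to do, but instead of testing one guessed `skip` offset it scans every sector boundary of a disk image for a LUKS1 header and decodes the same fields `file` prints (cipher, mode, hash, UUID). A miscounted offset after merging sda1 and sda2 then shows up as "header found at sector N" instead of a silent miss. It assumes LUKS version 1 (as in the quoted output); the sample image and its UUID are constructed here.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of every LUKS1 header
PHDR_SIZE = 592                # size of the LUKS1 partition header (phdr)
SECTOR = 512


def cstr(buf, off, n):
    """Read a NUL-padded ASCII field of n bytes at offset off."""
    return buf[off:off + n].split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Decode the LUKS1 phdr at the start of buf; None if no valid header."""
    if len(buf) < PHDR_SIZE or buf[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack_from(">H", buf, 6)   # all fields big-endian
    if version != 1:
        return None
    payload_offset, key_bytes = struct.unpack_from(">II", buf, 104)
    return {
        "cipher": cstr(buf, 8, 32),       # e.g. "aes"
        "mode": cstr(buf, 40, 32),        # e.g. "xts-plain64"
        "hash": cstr(buf, 72, 32),        # e.g. "sha256"
        "payload_offset_sectors": payload_offset,
        "key_bytes": key_bytes,
        "uuid": cstr(buf, 168, 40),
    }


def find_luks1_headers(image):
    """Return [(sector, header)] for every LUKS1 header on a sector boundary."""
    hits = []
    for off in range(0, len(image) - PHDR_SIZE + 1, SECTOR):
        hdr = parse_luks1_header(image[off:off + PHDR_SIZE])
        if hdr is not None:
            hits.append((off // SECTOR, hdr))
    return hits


def make_luks1_header(cipher, mode, hash_spec, uuid_str,
                      payload_offset=4096, key_bytes=64):
    """Build a synthetic LUKS1 header (key slots and digest left zeroed)."""
    h = bytearray(PHDR_SIZE)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">H", h, 6, 1)
    for off, text in ((8, cipher), (40, mode), (72, hash_spec), (168, uuid_str)):
        h[off:off + len(text)] = text.encode("ascii")
    struct.pack_into(">II", h, 104, payload_offset, key_bytes)
    return bytes(h)


# Constructed sample image: 8 zero sectors standing in for the start of the
# merged partition, then a header padded to two sectors, then more zeros.
# The UUID is a made-up placeholder, not one from a real disk.
SAMPLE_UUID = "00000000-1111-2222-3333-444444444444"
SAMPLE_IMAGE = (bytes(8 * SECTOR)
                + make_luks1_header("aes", "xts-plain64", "sha256",
                                    SAMPLE_UUID).ljust(2 * SECTOR, b"\0")
                + bytes(3 * SECTOR))

if __name__ == "__main__":
    for sector, hdr in find_luks1_headers(SAMPLE_IMAGE):
        print(f"LUKS1 header at sector {sector}: {hdr['cipher']} "
              f"{hdr['mode']} {hdr['hash']} UUID {hdr['uuid']}")
```

Against a real partition, pass the first few MiB read from the device (read-only) to find_luks1_headers; the reported sector is the value the guide's `skip=` should have been.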
