Qubes can't FDE?
89 views
Skip to first unread message
get
Sep 18, 2018, 12:29:54 PM9/18/18
to qubes-users
FDE in my understanding this is a scheme partition look like
sda 8:0 0 99999,9G 0 disk
└─sda1 8:1 0 99999,9G 0 LUKS
└──luks-<UUID> crypt
├─qubes_dom0-boot lvm /boot (encrypted)
├─qubes_dom0-swap lvm [SWAP] (encrypted)
└─qubes_dom0-root lvm / (encrypted)
FDE = cryptsetup whole disk (including /boot). Not only root partition.
Anaconda can't do it by default. Installation success only with grub missing.
OS research HEADS can't kexec into FDE disk.
Is it only possible to boot from grub2 coreboot ?
cryptomount -a
set root='hd0,msdos1'
linux=... vmlinuz=...
I have been trying to do the coreboot firmware for a month already
to get a load of Qubes with full disk encryption (including /boot). Is it possible? Can anyone help me ?:)
sda 8:0 0 99999,9G 0 disk
└─sda1 8:1 0 99999,9G 0 LUKS
└──luks-<UUID> crypt
├─qubes_dom0-boot lvm /boot (encrypted)
├─qubes_dom0-swap lvm [SWAP] (encrypted)
└─qubes_dom0-root lvm / (encrypted)
FDE = cryptsetup whole disk (including /boot). Not only root partition.
Anaconda can't do it by default. Installation success only with grub missing.
OS research HEADS can't kexec into FDE disk.
Is it only possible to boot from grub2 coreboot ?
cryptomount -a
set root='hd0,msdos1'
linux=... vmlinuz=...
I have been trying to do the coreboot firmware for a month already
to get a load of Qubes with full disk encryption (including /boot). Is it possible? Can anyone help me ?:)
awokd
Sep 18, 2018, 1:02:19 PM9/18/18
to qubes...@googlegroups.com
get:
I've seen others on this list report it as successful, but haven't done
it myself. I think they had to use the Seabios payload for the initial
install, then switch to coreboot's grub2. Afraid that's about all I know...
it myself. I think they had to use the Seabios payload for the initial
install, then switch to coreboot's grub2. Afraid that's about all I know...
Jonathan Seefelder
Sep 18, 2018, 1:16:10 PM9/18/18
to qubes-users, turb...@gmail.com
yes its possible, do you want to encrypt /boot and /root separately so
you will need a different password for each partition, or do you want to
encrypt it all together with 2fa etc?
The first one is relatively easy, you will have to modify the grub.cfg
of your coreboot image.Also, the uuid will have to match, you can either
do a "normal" install and change the uuid in the grub.cfg, or change the
uuid of /root.
check out the libreboot-side, there should be all the necessary
information. I will write a tutorial some day.
cheers
--
Kind Regards
Jonathan Seefelder
CryptoGS IT-Security Solutions
you will need a different password for each partition, or do you want to
encrypt it all together with 2fa etc?
The first one is relatively easy, you will have to modify the grub.cfg
of your coreboot image.Also, the uuid will have to match, you can either
do a "normal" install and change the uuid in the grub.cfg, or change the
uuid of /root.
check out the libreboot-side, there should be all the necessary
information. I will write a tutorial some day.
cheers
Kind Regards
Jonathan Seefelder
CryptoGS IT-Security Solutions
get
Sep 18, 2018, 3:11:38 PM9/18/18
to qubes-users
вторник, 18 сентября 2018 г., 20:02:19 UTC+3 пользователь awokd написал:
Hi, awokd. I agree, this is also the only way I know.
http://www.zerocat.org/coreboot-machines/md_doc_build-coreboot-x220.html
http://www.zerocat.org/coreboot-machines/md_doc_build-coreboot-x230.html
Do you mean that? seabios (main) + grub2(elf payload)
I'm trying to learn HEADS, but it's quite difficult. there is a built-in cryptsetup and kexec. but I have not yet found the information how to boot without a loader to FDE Qubes (include /boot use kexec. Also branch "master" only 4.7 coreboot version,
found this
https://github.com/flammit/heads/tree/coreboot-4.8
I can not compile (build fails).
Also I tried to add gpg keys to the firmware
https://libreboot.org/docs/gnulinux/grub_hardening.html#GPG keys
cfbstool test.rom print - writes that everything is fine, but after the flash firmware in the heads (initrd/etc/.gnupg) there are no keys
seal-totp works strange.
Have you any experience?
unfortunately, too little information is available
http://www.zerocat.org/coreboot-machines/md_doc_build-coreboot-x220.html
http://www.zerocat.org/coreboot-machines/md_doc_build-coreboot-x230.html
Do you mean that? seabios (main) + grub2(elf payload)
I'm trying to learn HEADS, but it's quite difficult. there is a built-in cryptsetup and kexec. but I have not yet found the information how to boot without a loader to FDE Qubes (include /boot use kexec. Also branch "master" only 4.7 coreboot version,
found this
https://github.com/flammit/heads/tree/coreboot-4.8
I can not compile (build fails).
Also I tried to add gpg keys to the firmware
https://libreboot.org/docs/gnulinux/grub_hardening.html#GPG keys
cfbstool test.rom print - writes that everything is fine, but after the flash firmware in the heads (initrd/etc/.gnupg) there are no keys
seal-totp works strange.
Have you any experience?
unfortunately, too little information is available
get
Sep 18, 2018, 3:20:47 PM9/18/18
to qubes-users
вторник, 18 сентября 2018 г., 20:16:10 UTC+3 пользователь Jonathan Seefelder написал:
Hi, Jonathan Seefelder.
I'm looking for different ways of how to encrypt the whole disk (include /boot) and load it using coreboot modifications.
I know how to load this way Parabola FDE (include /boot)
menuentry 'Linux-libre kernel' {
cryptomount -a (ahci0,msdos1)
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
initrd /boot/initramfs-linux-libre.img
}
Is the same method for xen?
Did you try Heads/Petitboot?
https://www.raptorengineering.com/content/kb/1.html
https://github.com/osresearch/heads
Did you try to add
https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?
Did you try add gpg keys?
Thanks.
I'm looking for different ways of how to encrypt the whole disk (include /boot) and load it using coreboot modifications.
I know how to load this way Parabola FDE (include /boot)
menuentry 'Linux-libre kernel' {
cryptomount -a (ahci0,msdos1)
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
initrd /boot/initramfs-linux-libre.img
}
Is the same method for xen?
Did you try Heads/Petitboot?
https://www.raptorengineering.com/content/kb/1.html
https://github.com/osresearch/heads
Did you try to add
https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?
Did you try add gpg keys?
Thanks.
Jonathan Seefelder
Sep 18, 2018, 3:50:16 PM9/18/18
to get, qubes-users
Hello, yes,
altough i personally never used HEADS productive, ive set it up, the
last time is quite some time ago tough. I remember i had to troubleshoot
quite a bit.
About petitboot, i just started to look into it myself, so i wont be
much help there probably, what exactly are you trying to achieve?
I will send you a grub.cfg which is working tomorrow morning, you will
have to edit /adjust it tough.(either change the uuid in the config file
ore the uuid of /boot )
I used kernelsigning, but i wasnt to happy with it in the long run, for
usability, 2fa with one partition or /boot and /root encrypted so far
is the best , we use it every day.
Talking about usability, i highly recommend to add SEAbios as a
secondary payload, at least if you want to boot live-usb from time to time.
cheers
altough i personally never used HEADS productive, ive set it up, the
last time is quite some time ago tough. I remember i had to troubleshoot
quite a bit.
About petitboot, i just started to look into it myself, so i wont be
much help there probably, what exactly are you trying to achieve?
I will send you a grub.cfg which is working tomorrow morning, you will
have to edit /adjust it tough.(either change the uuid in the config file
ore the uuid of /boot )
I used kernelsigning, but i wasnt to happy with it in the long run, for
usability, 2fa with one partition or /boot and /root encrypted so far
is the best , we use it every day.
Talking about usability, i highly recommend to add SEAbios as a
secondary payload, at least if you want to boot live-usb from time to time.
cheers
Reply all
Reply to author
Forward
0 new messages