Encrypted /boot partition


qu...@sigaint.org

Oct 16, 2016, 7:43:21 AM
to qubes...@googlegroups.com
I've been experimenting with both encrypted /boot partitions and booting
from a hidden encrypted volume inside an outer encrypted volume, and have
been successful with Debian based systems. I'd like to get it working with
Qubes, but I've run into some issues.

The implementation requires decrypting the volumes from grub, then a
manual boot of the kernel and initram, then some pre-boot scripts added to
the initramfs are needed to properly decrypt and mount the volumes and
then re-scan and activate LVM volume groups during the handover between
grub, initram and the final boot. However, the Qubes Manager is
non-functional after boot.

I notice when booting from a normal install, Grub briefly displays
something like:

Loading Xen-4.6.1
Loading vmlinuz-4***
Loading intramfs-4***

In what way does the Xen image get loaded? I think this is what's missing
from my boot sequence. If I'm going through the boot sequence manually, or
loading the components from a bash script in initram, what needs to be
done with the /boot/xen-4.6.1 file?

Any help would be greatly appreciated.

Chris Laprise

Oct 17, 2016, 3:38:56 PM
to qu...@sigaint.org, qubes...@googlegroups.com
Have you thought about protecting your boot partition with
Anti-Evil-Maid? Or with coreboot?

https://www.qubes-os.org/doc/anti-evil-maid/
https://github.com/QubesOS/qubes-issues/issues/2118

Chris

qu...@sigaint.org

Oct 23, 2016, 6:09:51 PM
to qubes...@googlegroups.com
I'm trying to get a different kind of protection. In the boot folder there
is one kernel and two initram images, and a xen image:

vmlinuz-4.4.14-11.pvops.qubes.x86_64
initramfs-4.4.14-11.pvops.qubes.x86_64
initrd-plymouth.img
xen-4.6.1.gz

For manually booting from grub I need to specify the kernel and initram. I
am using the vmlinuz and initramfs files, like so:

grub> linux (lvm/vg-cryptroot)/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
grub> initrd (lvm/vg-cryptroot)/boot/initramfs-4.4.14-11.pvops.qubes.x86_64
grub> boot

How do I pass the xen image?



Marek Marczykowski-Górecki

Oct 23, 2016, 6:17:20 PM
to qu...@sigaint.org, qubes...@googlegroups.com
You should do this like:

grub> multiboot (lvm/vg-cryptroot)/boot/xen-4.6.1.gz
grub> module (lvm/vg-cryptroot)/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64 kernel parameters
grub> module (lvm/vg-cryptroot)/boot/initramfs-4.4.14-11.pvops.qubes.x86_64
grub> boot

Generally, take a look at generated grub.cfg.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
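Following the pointer to the generated grub.cfg in the last reply, this added example (not part of the thread and not Qubes project code) pulls the multiboot/module lines out of the first Xen menu entry and re-roots the file paths under a GRUB device prefix such as (lvm/vg-cryptroot)/boot, so the sequence can be typed at the grub> prompt. The sample config is constructed, and the function names are hypothetical.

```python
# Constructed sample of a generated grub.cfg (not copied from a real system);
# file names follow the thread, parameter values are made up.
SAMPLE_GRUB_CFG = """\
menuentry 'Plain Linux, no Xen' {
    linux /vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/example-root ro
    initrd /initramfs-4.4.14-11.pvops.qubes.x86_64
}
menuentry 'Qubes, with Xen hypervisor' {
    multiboot /xen-4.6.1.gz console=none
    module /vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/example-root ro
    module --nounzip /initramfs-4.4.14-11.pvops.qubes.x86_64
}
"""

LOADERS = ("multiboot", "multiboot2", "module", "module2")

def _reroot(words, prefix):
    """Prepend `prefix` to the file argument (first non-option word)."""
    out = list(words)
    for i in range(1, len(out)):
        if not out[i].startswith("-"):
            path = out[i]
            if path.startswith("(") and ")" in path:  # drop an existing (device) part
                path = path[path.index(")") + 1:]
            out[i] = prefix.rstrip("/") + path
            break
    return out

def xen_boot_commands(cfg_text, prefix):
    """Commands of the first menuentry that loads Xen, re-rooted under `prefix`."""
    commands, in_entry = [], False
    for raw in cfg_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "menuentry":
            commands, in_entry = [], True          # start collecting a new entry
        elif words[0] == "}" and in_entry:
            if any(c.startswith("multiboot") for c in commands):
                return commands + ["boot"]         # first Xen entry is complete
            in_entry = False                       # entry without Xen: skip it
        elif in_entry and words[0] in LOADERS:
            commands.append(" ".join(_reroot(words, prefix)))
    raise ValueError("no menuentry with a multiboot (Xen) line found")

if __name__ == "__main__":
    for cmd in xen_boot_commands(SAMPLE_GRUB_CFG, "(lvm/vg-cryptroot)/boot"):
        print("grub>", cmd)
```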