Grub with encrypted boot


lambo...@protonmail.com

May 6, 2020, 2:21:10 AM
to qubes-users
Hello all,

I am wondering if anyone knows how I might install grub for use with an encrypted boot partition, or no boot partition at all. I have recently decided to use btrfs, and I have grub working fine. The grub2-efi config from the qubes-dom0-unstable repo is working fine, but it's very complex. Reading about grub on the arch-wiki, it says you can enable this feature in grub just by adding ENABLE_CRYPTODISK=y in /etc/default/grub then running grub2-install. I need to know if that will actually work with Qubes, and how to generate a proper grub.cfg for use with the feature.


dhorf-hfre...@hashmail.org

May 6, 2020, 3:16:54 AM
to lambo...@protonmail.com, qubes-users
On Wed, May 06, 2020 at 06:21:00AM +0000, lamboicarus via qubes-users wrote:
> I am wondering if anyone knows how I might install grub for use with
> an encrypted boot partition, or no boot partition at all. I have
> recently decided to use btrfs, and I have grub working fine. The
> grub2-efi config from the qubes-dom0-unstable repo is working fine,
> but it's very complex. Reading about grub on the arch-wiki, it says

boot security is a very complex topic.

just encrypting your /boot but keeping an unencrypted grub
around that opens that /boot is not increasing your security
in any meaningful way. it just adds a pile of fragility.

for actual cryptographic boot security, you need a "verified"
and/or "measured" boot setup.

since you mentioned "efi", i would recommend an efi-heads hybrid.
deploy a linux kernel with _internal_ initrd (!) as efi-verified
boot payload. this way you have to do the efi-signing "just once",
and from that linux kernel you can open your encrypted /boot
in the "natural linux ways".

if your "bios" takes measurements during boot, do tpmtotp (or similar)
from the first stage linux (before unlocking your /boot) you don't even
have to do any modifications to the payloads inside /boot ...
so no resigning/resealing on every payload-xen/kernel update either!

this setup does not involve grub at all. this is intentional.
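
Added example, not part of the reply above and not tpmtotp's own code: a Python simulation of the measured-boot plus TOTP check that message describes. The `ToyTPM` class, the two-component PCR chain and the sample byte strings are constructed assumptions; a real TPM enforces the PCR policy in hardware.

```python
import hashlib
import hmac
import struct

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TPM extend operation: new PCR = SHA256(old PCR || SHA256(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    pcr = bytes(32)  # PCRs start at all zeroes on reset
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

class ToyTPM:
    """Hypothetical stand-in for TPM sealing: secret is bound to one PCR value."""
    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._policy, self._secret = pcr, secret

    def unseal(self, pcr: bytes):
        ok = hmac.compare_digest(self._policy, pcr)
        return self._secret if ok else None

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def boot_code(tpm: ToyTPM, components, now: int):
    """What the first-stage Linux shows on screen before unlocking /boot."""
    secret = tpm.unseal(measure_chain(components))
    return totp(secret, now) if secret is not None else None

# Constructed sample data: the measured chain is firmware + signed first-stage
# kernel with its internal initrd. Payloads inside /boot are not part of it.
FIRMWARE = b"constructed-firmware-image"
STAGE1 = b"constructed-kernel-with-internal-initrd"
SECRET = b"12345678901234567890"  # RFC 6238 test key, also enrolled on the phone

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.seal(SECRET, measure_chain([FIRMWARE, STAGE1]))
    now = 59
    print("phone     :", totp(SECRET, now))
    print("clean boot:", boot_code(tpm, [FIRMWARE, STAGE1], now))
    print("tampered  :", boot_code(tpm, [FIRMWARE, STAGE1 + b"!"], now))
```

Because only the firmware and the first-stage kernel are in the measured chain here, updating a Xen or kernel payload inside the encrypted /boot leaves the displayed code unchanged, which is the no-resealing property the message points out.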



alex.b...@gmail.com

May 6, 2020, 4:40:38 PM
to qubes-users
Can you elaborate on this a bit please? Or point at some manual that could help get started with the topic? While the concept sounds familiar I don't have enough experience to build a secure boot environment from scratch - and that's what needs to be done in case of Qubes.