1 (edited by jim 2024-02-27 06:38:33)

Topic: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Hi all. I would like to share my experience of installing Hyperbola on T440P Libreboot 2023 https://mirror.cyberbits.eu/libreboot/s … 0625/roms/ with Full disk encryption (including /boot) /libreboot/stable/20230625/roms/

I know that this image contains blobs and I do not understand and do not share the philosophy of Libreboot)) Why introduce blobs to increase the amount of hardware .. the meaning of the project is lost ..

This example uses luksFormat --type luks1 /dev/sdb1. Don't use LUKS1, it is not safe; use LUKS2+argon2id today!
Since version 2.4.0 (released August 18, 2021), cryptsetup uses Argon2id by default. You can read why in detail in this article.
https://mjg59.dreamwidth.org/66429.html


My example is just a test installation, I wanted to understand whether it would work or not.

It seems to me that a more promising test is installing Full disk encryption (including /boot) on this T400 laptop with a 4-core processor

https://thonkpeasant.xyz/guides/other/quad.html

Booting ISO from USB

root@hyperiso # cd /usr/share/kbd/consolefonts

root@hyperiso # setfont sun12x22.psfu.gz

Now the font size is normal, you can move on))

# lsblk

# dd if=/dev/urandom   of=/dev/sdb bs=1M status=progress 
# cfdisk /dev/sdb

  ( select dos > new > enter > primary > write > yes > quit )

now we have sdb1

Connect internet

# ip -c a

# rc-service dhcpcd start

# ip link set enp0s35 up

# dhcpcd enp0s35

Cryptsetup

# pacman -Syy cryptsetup 

# rc-update add lvm boot

# rc-update add dmcrypt boot 

# modprobe dm-mod

Create the LUKS partition. Use a more reliable option (this is just an example)

# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat --type luks1 /dev/sdb1

Existing 'crypto_LUKS' superblock signature (offset:0 bytes) on device...
Existing 'crypto_LUKS' superblock signature (offset:16... bytes) on device...
Key slot 0 created
Command successful.

Create the volume group and logical volumes

# cryptsetup open /dev/sdb1  lvm

# pvcreate /dev/mapper/lvm
# pvs

  (check)

# vgcreate matrix /dev/mapper/lvm
# vgs

(check)

# lvcreate -l +100%FREE  matrix -n rootvol
# lvs

(check)

# mkfs.ext4 /dev/mapper/matrix-rootvol

# mount  /dev/matrix/rootvol  /mnt

Create the  /boot  and   /home directories

# mkdir -p /mnt/home

# mkdir -p /mnt/boot

Install the base system

# pacstrap  /mnt    

Generate an Fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab

  (check)

Chroot

# arch-chroot  /mnt

Setting up clock...

Setting up time zone..

Setting up the consolefont ...


Setting up Kernel Modules

# nano /etc/mkinitcpio.conf 

MODULES=i915

HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" 

Update Kernel

# mkinitcpio -p linux-libre-lts

==>ERROR Hook 'encrypt'...
==>WARNING missing isci..

OK,

# pacman -S cryptsetup 
# pacman -S core/isci-lts-firmware

# mkinitcpio -p linux-libre-lts 

Setting up hostname

# echo "hyperbola" > /etc/hostname

# nano /etc/hosts

127.0.0.1   localhost.localdomain     localhost   hyperbola
::1         localhost.localdomain     localhost   hyperbola

Set the root password

#  passwd

****************************
****************************

Installing Grub

#  pacman -S grub

# nano /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdb1:lvm"

GRUB_ENABLE_CRYPTODISK=y

# grub-install /dev/sdb

Generate grub.cfg

# grub-mkconfig -o /boot/grub/grub.cfg

Unmount all partition and reboot

# exit

# umount -R /mnt

# lvchange -an /dev/matrix/rootvol

# cryptsetup close lvm

# openrc-shutdown -p now

Everything works, but there is an inconvenience: if you have two SSDs, you need to enter your SSD number manually each time (for example, you press 3). After that the system boots and you need to enter the password twice. The wiki https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot) has an explanation of how to change this.

2

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

I think as long as the blobs don't function in a way where they send any info over the net, like a backdoor, for example... as long as there is no remote sharing of info like that, it should be fine. Privacy should come before freedom in this case I believe. If the intel me couldn't be disabled and was constantly sending info of all types out, meaning the network stack was on, I would agree with you.

As a more related note, wondered if this guide would work in coreboot and if it would work in qemu.

Just curious.

Especially qemu though.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3 (edited by jim 2023-12-19 10:46:21)

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Hello Hyper Cyber . Thanks for your answer and your opinion. I don't use Coreboot because it is more difficult to install and if I'm not mistaken it has more blobs than Libreboot even though it is based on Coreboot.

This example is just a test installation (experiment) since I only had a T440P.

I believe that today there are only three interesting options:

1. T400 (4-core processor)  ==>  https://thonkpeasant.xyz/guides/other/quad.html

2. ASUS KGPE-D16 ==>  https://forums.hyperbola.info/search.ph … 1035883590

3. Talos™ II Secure Workstation  ==> https://www.raptorcs.com/content/TL2WK2/intro.html

4

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Hello, excuse me

I am trying to install hyperbola with the entire disk encrypted, but when you get to the part about:

nano /etc/default/grub

I modify the following lines

GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"
GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"

and when executing

grub-install /dev/sda

I get the following error

grub-install: error: unable to identify a filesystem in hostdisk//dev/sda; safety check can't be performed

when doing a lsblk -f

https://i.ibb.co/F4f7dtT/lsblk-f.png

I have been doing the installation like this


loadkeys la-latin1

cfdisk
      sda --> ALL DISK --> Linux 83

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id \
    --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda


cryptsetup luksOpen /dev/sda j2rm

pvcreate /dev/mapper/j2rm

vgcreate nidejo /dev/mapper/j2rm

lvcreate -L 500M nidejo -n boot

lvcreate -L 27G nidejo -n root

lvcreate -L 40G nidejo -n home

lvcreate -L 50G nidejo -n RpG7

lvcreate -l +100%FREE nidejo -n swap

mkfs.ext4 /dev/mapper/nidejo-root
mkfs.ext4 /dev/mapper/nidejo-home
mkfs.ext4 /dev/mapper/nidejo-boot
mkfs.ext4 /dev/mapper/nidejo-RpG7
mkswap /dev/mapper/nidejo-swap

mount /dev/mapper/nidejo-root /mnt
mkdir /mnt/home
mount /dev/mapper/nidejo-home /mnt/home
mkdir /mnt/boot
mount /dev/mapper/nidejo-boot /mnt/boot
mkdir /mnt/RpG7
mount /dev/mapper/nidejo-RpG7 /mnt/RpG7
swapon /dev/mapper/nidejo-swap

lsblk

pacman -Sy hyperbola-keyring

pacstrap /mnt base base-devel grub-bios wpa_supplicant iw kernel-firmware ldns xenocara-input-synaptics

genfstab /mnt >> /mnt/etc/fstab

arch-chroot /mnt

ln -sf /usr/share/zoneinfo/Europe/Madrid /etc/localtime

hwclock --systohc --utc

echo j2rm > /etc/hostname

echo KEYMAP=la-latin1 > /etc/vconsole.conf

nano /etc/locale.conf
    LANG="es_VE.UTF-8"
    export LANG=es_VE.UTF-8

nano /etc/locale.gen
    es_VE.utf-8

locale-gen

nano /etc/mkinitcpio.conf

HOOKS=base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck

mkinitcpio -p linux-libre-lts

pacman -S cryptsetup
pacman -S core/isci-lts-firmware

mkinitcpio -p linux-libre-lts

pacman -S grub

nano /etc/default/grub

GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"
GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"

grub-install /dev/sda

https://i.ibb.co/tHcQLFN/error.png

Will anyone have any suggestions on what I'm doing wrong?


Thanks

5

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Hello .

I did the installation on real hardware with Libreboot.

Are you installing on a virtual machine (qemu)?

Check where you install Grub.

Here's part of my setup and yours

# nano /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:lvm"

GRUB_ENABLE_CRYPTODISK=y

# grub-install /dev/sdb

=========================================

GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"

GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"

and when executing

grub-install /dev/sda
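
Added example, not part of any post in this thread: a small lint for the /etc/default/grub settings that the two fragments compared above differ in (exact variable names, GRUB_ENABLE_CRYPTODISK, and the cryptdevice parameter). The function name grub_lint and the two sample configurations are made up here; the samples are constructed from the lines quoted in posts 1 and 4.

```shell
#!/bin/sh
# Added example, not from the thread: lint /etc/default/grub text for the
# settings that an encrypted /boot relies on. grub_lint and the sample_*
# functions are hypothetical names.

# grub_lint: config text on stdin -> one "WARN ..." line per finding, else "OK".
grub_lint() {
    awk '
    /^[ \t]*#/ { next }                       # comment lines
    /^[ \t]*GRUB_[A-Z_]+=/ {
        line = $0; sub(/^[ \t]*/, "", line)
        name = line; sub(/=.*/, "", name)
        val = line;  sub(/^[^=]*=/, "", val); gsub(/^"|"$/, "", val)
        seen[name] = val
        # grub-mkconfig reads exact variable names; a near miss is silently
        # ignored, so the kernel never receives the parameters.
        if (name ~ /^GRUB_C[A-Z]*LINE_LINUX/ &&
            name !~ /^GRUB_CMDLINE_LINUX(_DEFAULT|_RECOVERY)?$/)
            msg[++m] = "WARN " name " is not a GRUB variable (GRUB_CMDLINE_LINUX?)"
    }
    END {
        # GRUB only emits cryptomount handling when this is set to y.
        if (seen["GRUB_ENABLE_CRYPTODISK"] != "y")
            msg[++m] = "WARN GRUB_ENABLE_CRYPTODISK=y is not set"
        # The encrypt hook needs cryptdevice=<device>:<mapper name>.
        cmd = seen["GRUB_CMDLINE_LINUX"] " " seen["GRUB_CMDLINE_LINUX_DEFAULT"]
        if (cmd !~ /(^| )cryptdevice=[^ :]+:[^ :]+/)
            msg[++m] = "WARN no cryptdevice=<device>:<name> kernel parameter"
        if (m == 0) print "OK"
        for (i = 1; i <= m; i++) print msg[i]
    }'
}

# Constructed sample: the settings quoted in post 1.
sample_cfg_post1() {
    cat <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdb1:lvm"
GRUB_ENABLE_CRYPTODISK=y
EOF
}

# Constructed sample: the settings quoted in post 4.
sample_cfg_post4() {
    cat <<'EOF'
GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"
GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"
EOF
}

sample_cfg_post1 | grub_lint
sample_cfg_post4 | grub_lint
```

On an installed system the input would be the real file: grub_lint < /etc/default/grub, run before grub-mkconfig.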

6

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Wiki HyperbolaGNU also tells us that LUKS version2 is not supported. There may be changes, I have not tested...

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id \
    --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda

https://wiki.hyperbola.info/doku.php?id … stallation

7

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

jim wrote:

Wiki HyperbolaGNU also tells us that LUKS version2 is not supported. There may be changes, I have not tested...

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id \
    --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda

https://wiki.hyperbola.info/doku.php?id … stallation

If you test it in VM and it works however, feel free to let everyone here know.


8

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

We will speak about the guides you have written in IRC later on as we need to rework the guides in the wiki for sure - pointed out by also community-members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot-machine, as you mention to have one?

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

9

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Throgh Hello . And thank you very much, I see you always help users figure it out!

Regarding installation, do you mean install HyperbolaGNU on T440P without encrypted «/boot» partition?

10 (edited by jim 2023-11-28 12:45:44)

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

j2rm have you tried my instructions?

11 (edited by jim 2023-11-28 13:00:51)

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Zapper Hello. I'll try one of these days, but it seems to me there are difficulties))
I read a little, in fact, it is not clear which algorithm is better and safer, the old Luks1 or the new and experimental Luks2, which requires more memory, you need to proceed from practice or find out the opinion of a real high-level professional.
If, for example, some user wrote to us that his laptop was taken away at an airport in some country where there was sensitive information and Luks1 was there and they returned it to him and they could not hack it, then we could draw conclusions. Now all the talk is simply about the fact that Luks2 is newer.

https://wiki.archlinux.org/title/Dm-cry … ire_system
The LUKS2 format has a high RAM usage per design, defaulting to 1GB per encrypted mapper. Machines with low RAM and/or multiple LUKS2 partitions unlocked in parallel may error on boot. See the --pbkdf-memory option to control memory usage
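
Added example, not part of any post in this thread: a shell function that reads cryptsetup luksDump text and reports, per active key slot, the KDF and its Argon2 memory cost. Those two values decide both questions raised by the luksFormat commands in posts 1 and 4 and by the memory note above: whether the boot loader can unlock the volume, and how much RAM unlocking takes. It assumes a GRUB that derives keys for LUKS1 and for LUKS2 slots using PBKDF2 but not Argon2 (upstream GRUB 2.06 behaviour); luks_report is a name made up here and both dumps are constructed, trimmed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies `cryptsetup luksDump` text
# for a /boot that GRUB itself must unlock.
# ASSUMPTION: GRUB can derive keys for LUKS1 and for LUKS2 key slots that use
# PBKDF2, but not Argon2 (upstream GRUB 2.06 behaviour); confirm for your build.

# luks_report: luksDump text on stdin -> one line per active key slot,
# then a single "verdict:" line.
luks_report() {
    awk '
    /^Version:/ { version = $2 }

    # LUKS1 prints "Key Slot 0: ENABLED"; its KDF is always PBKDF2.
    /^Key Slot [0-9]+: ENABLED/ {
        slot = $3; sub(/:$/, "", slot)
        order[++n] = slot; kdf[slot] = "pbkdf2"
    }

    # LUKS2 lists slots under "Keyslots:"; any other unindented line ends it,
    # so the "0: pbkdf2" entry under "Digests:" is not mistaken for a slot.
    /^Keyslots:/  { in_slots = 1; next }
    /^[A-Za-z]/   { in_slots = 0 }
    in_slots && /^[ \t]+[0-9]+: luks2/ {
        slot = $1; sub(/:$/, "", slot)
        order[++n] = slot; kdf[slot] = "unknown"
    }
    in_slots && $1 == "PBKDF:"  { kdf[slot] = $2 }
    in_slots && $1 == "Memory:" { mem[slot] = $2 }   # Argon2 cost, in KiB

    END {
        if (version == "") { print "verdict: not a luksDump"; exit }
        for (i = 1; i <= n; i++) {
            s = order[i]
            line = "slot " s ": " kdf[s]
            if (s in mem) line = line " memory=" mem[s] "KiB"
            print line
            if (kdf[s] != "pbkdf2") bad = bad (bad == "" ? "" : ",") s
        }
        if (n == 0)         print "verdict: no active key slot"
        else if (bad == "") print "verdict: LUKS" version " ok, all slots PBKDF2"
        else                print "verdict: LUKS" version " slot(s) " bad " need a KDF this GRUB lacks"
    }'
}

# Constructed sample: LUKS1 header matching the luksFormat options in post 1.
sample_luks1() {
    cat <<'EOF'
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    serpent
Cipher mode:    xts-plain64
Hash spec:      whirlpool
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             120000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
EOF
}

# Constructed sample: LUKS2 header with one Argon2id slot at the 1 GiB default.
sample_luks2_argon2id() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 100000
EOF
}

sample_luks1 | luks_report
sample_luks2_argon2id | luks_report
```

On a real machine the input comes from cryptsetup luksDump on the encrypted partition, piped into luks_report.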

12

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

throgh wrote:

We will speak about the guides you have written in IRC later on as we need to rework the guides in the wiki for sure - pointed out by also community-members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot-machine, as you mention to have one?

Yes, exactly. I would like to rework both guides as noted from users in IRC that they are not working flawless or in special the guide with "encryption without /boot" is failing direct. As I have not written those nevertheless see myself in the position to support here I would do this for sure and bring loose endings now together. smile


13

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

throgh wrote:
throgh wrote:

We will speak about the guides you have written in IRC later on as we need to rework the guides in the wiki for sure - pointed out by also community-members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot-machine, as you mention to have one?

Yes, exactly. I would like to rework both guides as noted from users in IRC that they are not working flawless or in special the guide with "encryption without /boot" is failing direct. As I have not written those nevertheless see myself in the position to support here I would do this for sure and bring loose endings now together. smile

Okay, I'll try and write here or create a separate topic.

Do you want me to install HyperbolaGNU without a desktop environment?

14

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

I do not rule out the possibility that Luks2 can be installed on T440p (Libreboot); I need to check with the developers.

But as I wrote above, this PC T440P has blobs and it is better to use T400  https://ryf.fsf.org/products/TET-T400

15

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

jim wrote:
throgh wrote:
throgh wrote:

We will speak about the guides you have written in IRC later on as we need to rework the guides in the wiki for sure - pointed out by also community-members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot-machine, as you mention to have one?

Yes, exactly. I would like to rework both guides as noted from users in IRC that they are not working flawless or in special the guide with "encryption without /boot" is failing direct. As I have not written those nevertheless see myself in the position to support here I would do this for sure and bring loose endings now together. smile

Okay, I'll try and write here or create a separate topic.

Do you want me to install HyperbolaGNU without a desktop environment?

I think the installation is approval enough so we can together rework the wiki-guides step by step. I'd like to take this also as community-effort.


16

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Sure, if you have access to a Libreboot-system: Please feel free to make use of also. smile


17

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Thank you for this information.

Is this a way to setup something like

lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                       8:0    0 465.8G  0 disk 
├─sda1                    8:1    0     1M  0 part 
├─sda2                    8:2    0   513M  0 part  /boot/efi
├─sda3                    8:3    0   1.7G  0 part  /boot
└─sda4                    8:4    0 463.6G  0 part 
  └─sda4_crypt          253:0    0 463.6G  0 crypt
    ├─vgtrisquel-root   253:1    0  23.3G  0 lvm   /
    ├─vgtrisquel-swap_1 253:2    0   5.6G  0 lvm   [SWAP]
    └─vgtrisquel-home   253:3    0 434.7G  0 lvm   /home

as on one of my computers I installed Trisquel GNU/Linux using a graphical installer instead of the terminal or command line one.

I may have installed other things than just the default install after the install.

I do not know what all these sda parts are used for, though an encrypted hard disk drive I think can help me.

I use one password for that, another one for root, and another for my user account.

I'm thinking of switching to Hyperbola GNU/Linux-libre or HyperbolaBSD soon, though I do not know the best setup of that.

I also wish to set it up in a secure way, maybe something at least like those 3 passwords. And I do not know if the default installer of Hyperbola GNU/Linux-libre or HyperbolaBSD does that, has instructions to show the user how to do that, or has any graphical installer to help the user set it up that way. Though I can also learn how to use command line commands, as that can help me learn why things work the way they do.

Unless there is another way to do it better than that way, to make things as secure as possible.

18

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Hello Other_Cody . I also use Trisquel for other tasks, I still don't like that Trisquel uses SystemD and does not use the Libre-linux kernel by default, but that's their business)) A good alternative is https://www.gnuinos.org/

I can tell you my opinion. Don’t make sudden movements)) You will probably not have 70 or 80% of the programs that you have in Trisquel.

There are no ready-made ISOs with a graphical environment, etc.

19 (edited by Other_Cody 2024-01-22 19:08:30)

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

jim wrote:

Hello Other_Cody . I also use Trisquel for other tasks, I still don't like that Trisquel uses SystemD and does not use the Libre-linux kernel by default, but that's their business)) A good alternative is https://www.gnuinos.org/

I can tell you my opinion. Don’t make sudden movements)) You will probably not have 70 or 80% of the programs that you have in Trisquel.

There are no ready-made ISOs with a graphical environment, etc.

I mostly just use my computer with programs like a web browser,
a video/music player,
an image viewer,
Wide Margin though I can also just use txt or pdf files,
some way to make programs,
and minetest 5.4.1 or at least after or at minetest 5.0.0.

Sometimes lingot, though any program that can help tune a music instrument may help, or at least use a microphone, so lingot is not needed. Also some way to record music or at least sound, though that is also not needed.

I mostly just use Mate for the wifi thing I can click on to turn the wifi on and off, and to search networks. So just using any graphical wifi on/off/search thing may help. I do not think I need to use Mate for other things, if this is even part of Mate.

I also mostly have files like
some .3gp files
.blend mostly just in minetest sometimes to edit the models
.b3d I think only in minetest as minetest uses this as the main player character model in-game.
.MOV though not many
.mp4
.wmv though not many
.avi though not many
.stl though not many
.pdf
.FCStd though not many freecad files
.ogg
.webm though not many

mostly just
.JPEG
.jpg
.bmp
.png
.js
.gif
.txt
.zip
.tar.bz2
.tar.gz
File Folders
.css
.htm
.html

Some programming files
.cpp
.py
though I do not need to use a specific language, just a "free as in freedom" supporting one, and I think both Python and C++ may both support freedom.

I see Hyperbola has VLC for video files and music files, though if Hyperbola's VLC can not play all the file formats I listed I can change them to another format.

At least one pdf reader, to read the PDFs I have.

An image viewer.

Hyperbola may have ways to decompress or unzip the compressed files I have.

I may not need the .stl or .FCStd files I have, or maybe some other program can edit them, or at least view them.

I think most I was thinking of using .stl or .FCStd files somehow with a 3d printer, though I do not have a 3d printer yet, so maybe just to view or edit them as I also may not use a 3d printer soon.

I mostly use Trisquel because Trisquel has an off-line installer, that has a graphical installer to set it up.

Though I can also learn a command line way to install an operating system.

Older versions of Trisquel may have supported something like i386, I think, as well as x86_64, so HyperbolaBSD may help with that if it will have both of those. I sometimes use 32 and 64 bit computers, I do not yet know if the 32-bit ones use i386 or i686, or something in between those.

I think Hyperbola has most of the things I use, and maybe a large amount more, though I do not yet know how to setup Hyperbola well using the command line as I mostly just used the graphical installer to setup Trisquel.

https://forums.hyperbola.info/viewtopic … 7440#p7440
shows

throgh wrote:

I can assure you that those file-formats are fully free without any problems. You can also modify blender and blitz3d using only free dependencies or use older releases without any issues. wink So the files included in minetest are not any problem!

So I can somehow edit these files, to modify blender and blitz3d using only free dependencies, without using blender.

https://trisquel.info/en/users/othercody

shows

I have a forum account now.

I like Trisquel and really like that it can be installed off-line.
I like Trisquel's graphical installer. It is very easy to use.
If there are any problems with any Trisquel update, I know I can still use a live flash drive or DVD to install then update at a later time, seeing I do not need an internet connection.
Though I think I only had problems if I installed too many programs at one time.
I have been using Trisquel since Trisquel 8.

I used Debian before, but may have found a non-floss city building game in Debian main.

It was not even following Debian's policy. I think it was under an "Artistic license" which may still have been a non-floss license, but may have had a screenshot of it's main screen showing it was not following Debian's policy back in 9.6.0 of Debian, I think.

And this was before Debian switched to even more problematic licensed software.

I had an "ouch" Windows 8 before I very enjoyable deleted the "Windows virus like/virus" system, with Debian at that time, though did not use Windows online, thought I deleted the BIOS also but found out I may not have when installing Trisquel.

I did not like how I could not have the freedom to change even the "charms" bar's name, so I did not even like to use that "Loss-of-freedom-dows" off-line.

https://savannah.gnu.org/projects/gnuboot/

May have information about how to change the BIOS, though till I find out how to do that, hopefully quickly, I can update some at a time with a "freedom ladder"

https://www.fsf.org/blogs/community/the … dom-ladder

I think I also found Gnu/Linux with an "still ouch" "Apple iPod touch" that I do not even use now. Glad it let me at that time at least look at floss things.

The 32-bit computers I used before had Windows XP on them. I do not know what Windows XP needed or could use, though I can check if these computers use i386 or some other 32-bit hardware.

Debian 9.6.0 works on a 32-bit computer I have, though I do not use that computer online.

Some computers I wish to install Hyperbola on are

Acer Aspire E 15
a laptop computer
it may be used online, though an offline installer can still help

Dell Inspiron 1200
a laptop computer
an offline installer can help with this one

and

Dell Dimension 2400
a desktop computer
an offline installer can help with this one
.

Maybe also more types of hardware, though I do not know what HyperbolaBSD will work on yet, or how much memory will be needed.

I think Trisquel's graphical installer also shows ways to wipe the hard drive's free space as well as encrypt the hard drive. So that is why I use 3 passwords, one for the encryption, one for root, and one of the user account. I used lsblk and saw something like

NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                       8:0    0 465.8G  0 disk
├─sda1                    8:1    0     1M  0 part
├─sda2                    8:2    0   513M  0 part  /boot/efi
├─sda3                    8:3    0   1.7G  0 part  /boot
└─sda4                    8:4    0 463.6G  0 part
  └─sda4_crypt          253:0    0 463.6G  0 crypt
    ├─vgtrisquel-root   253:1    0  23.3G  0 lvm   /
    ├─vgtrisquel-swap_1 253:2    0   5.6G  0 lvm   [SWAP]
    └─vgtrisquel-home   253:3    0 434.7G  0 lvm   /home

on one of the computers I'm thinking of installing Hyperbola on, this was not right after an install. I installed and removed guix at least once on this computer, though I do not know if that changes anything. It does not need guix now.

20 (edited by jim 2024-01-22 19:31:05)

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

I understand you. Try installing on a free PC (if you have one) or a virtual machine and test it. I wrote a list of programs that can be installed after launching Hyperbola, you can add to the list if you want. As well as several instructions, users report that it works.

Only practice can answer your questions (my opinion)

1. Install Full disk encryption (including /boot ) on Virtual Machine  https://forums.hyperbola.info/viewtopic.php?id=933
2. Install Hyperbola (encryption without /boot)Libreboot T440P https://forums.hyperbola.info/viewtopic.php?id=934
3. Install Hyperbola  (GRUB on the USB) Libreboot T440P https://forums.hyperbola.info/viewtopic.php?id=937
4. Install Full disk encryption (including /boot ) on Libreboot T440P https://forums.hyperbola.info/viewtopic … 7478#p7478
5. Recommended programs after installing Hyperbola  https://forums.hyperbola.info/viewtopic.php?id=943
6. List of desktop software for Milky Way v0.4 and HyperbolaBSD https://forums.hyperbola.info/viewtopic.php?id=434

21

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

jim wrote:

Hi all. I would like to share my experience of installing Hyperbola on T440P Libreboot 2023 https://mirror.cyberbits.eu/libreboot/s … 0625/roms/ with Full disk encryption (including /boot) /libreboot/stable/20230625/roms/

I know that this image contains blobs and I do not understand and do not share the philosophy of Libreboot)) Why introduce blobs to increase the amount of hardware .. the meaning of the project is lost ..

This example uses luksFormat --type luks1 /dev/sdb1. Don't use LUKS1, it is not safe; use LUKS2+argon2id today!
Since version 2.4.0 (released August 18, 2021), cryptsetup uses Argon2id by default. You can read why in detail in this article.
https://mjg59.dreamwidth.org/66429.html


My example is just a test installation, I wanted to understand whether it would work or not.

It seems to me that a more promising test is installing Full disk encryption (including /boot) on this T400 laptop with a 4-core processor

https://thonkpeasant.xyz/guides/other/quad.html

Booting ISO from USB

root@hyperiso # cd /usr/share/kbd/consolefonts

root@hyperiso # setfont sun12x22.psfu.gz

Now the font size is normal, you can move on))

# lsblk

# dd if=/dev/urandom   of=/dev/sdb bs=1M status=progress 
# cfdisk /dev/sdb

  ( select dos > new > enter > primary > write > yes > quit )

now we have sdb1

Connect internet

# ip -c a

# rc-service dhcpcd start

# ip link set enp0s35 up

# dhcpcd enp0s35

Cryptsetup

# pacman -Syy cryptsetup 

# rc-update add lvm boot

# rc-update add dmcrypt boot 

# modprobe dm-mod

Create the LUKS partition

# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat --type luks1 /dev/sdb1

Existing 'crypto_LUKS' superblock signature (offset:0 bytes) on device...
Existing 'crypto_LUKS' superblock signature (offset:16... bytes) on device...
Key slot 0 created
Command successful.

Create the volume group and logical volumes

# cryptsetup open /dev/sdb1  lvm

# pvcreate /dev/mapper/lvm
# pvs

  (check)

# vgcreate matrix /dev/mapper/lvm
# vgs

(check)

# lvcreate -l +100%FREE  matrix -n rootvol
# lvs

(check)

# mkfs.ext4 /dev/mapper/matrix-rootvol

# mount  /dev/matrix/rootvol  /mnt

Create the  /boot  and   /home directories

# mkdir -p /mnt/home

# mkdir -p /mnt/boot

Install the base system

# pacstrap  /mnt    

Generate an Fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab

  (check)

Chroot

# arch-chroot  /mnt

Setting up clock...

Setting up time zone..

Setting up the consolefont ...


Setting up Kernel Modules

# nano /etc/mkinitcpio.conf 

MODULES=i915

HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" 

Update Kernel

# mkinitcpio -p linux-libre-lts

==>ERROR Hook 'encrypt'...
==>WARNING missing isci..

OK,

# pacman -S cryptsetup 
# pacman -S core/isci-lts-firmware

# mkinitcpio -p linux-libre-lts 

Setting up hostname

# echo "hyperbola" > /etc/hostname

# nano /etc/hosts

127.0.0.1   localhost.localdomain     localhost   hyperbola
::1         localhost.localdomain     localhost   hyperbola

Set the root password

#  passwd

****************************
****************************

Installing Grub

#  pacman -S grub

# nano /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdb1:lvm"

GRUB_ENABLE_CRYPTODISK=y

# grub-install /dev/sdb

Generate grub.cfg

# grub-mkconfig -o /boot/grub/grub.cfg

Unmount all partition and reboot

# exit

# umount -R /mnt

# lvchange -an /dev/matrix/rootvol

# cryptsetup close lvm

# openrc-shutdown -p now

Everything works, but there is an inconvenience: if you have two SSDs, you need to enter your SSD number manually each time (for example, you press 3). After that the system boots and you need to enter the password twice. The wiki https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot) has an explanation of how to change this.

I tried this but removed udev from HOOKS= and it failed to boot. This may be because I am using an old version of libreboot. Now I have to remove lvm, dmcrypt and luks to start a non-encrypted install but I don't know how.

22

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Maybe

cfdisk as shown in

https://wiki.hyperbola.info/doku.php?id … tion_disks

can help, though I did not yet test this. This way it may let to get free space back, though you may lose data in the partitions.

I'm using Trisquel now, though I'm thinking of switching to Hyperbola.

I liked the Trisquel graphical installer, and that it can be installed without an internet connection, though I'm still learning how to use the command line install of Hyperbola, as I do not yet know how I should set the sizes of partitions, and what these should be called. Though, to me, HyperbolaBSD looks like it may be more easy to install.

You may still be able to somehow use

(encryption without /boot)

if with boot does not work, as this may just put /boot
outside the encryption, I think.

Though I'm also trying to find out how to just do any Hyperbola install.

jim wrote:

I understand you. Try installing on a free PC (if you have one) or a virtual machine and test it. I wrote a list of programs that can be installed after launching Hyperbola, you can add to the list if you want. As well as several instructions, users report that it works.

Only practice can answer your questions (my opinion)

1. Install Full disk encryption (including /boot ) on Virtual Machine  https://forums.hyperbola.info/viewtopic.php?id=933
2. Install Hyperbola (encryption without /boot)Libreboot T440P https://forums.hyperbola.info/viewtopic.php?id=934
3. Install Hyperbola  (GRUB on the USB) Libreboot T440P https://forums.hyperbola.info/viewtopic.php?id=937
4. Install Full disk encryption (including /boot ) on Libreboot T440P https://forums.hyperbola.info/viewtopic … 7478#p7478
5. Recommended programs after installing Hyperbola  https://forums.hyperbola.info/viewtopic.php?id=943
6. List of desktop software for Milky Way v0.4 and HyperbolaBSD https://forums.hyperbola.info/viewtopic.php?id=434

23

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

If you need help, write, I will help in any way I can. I checked that all these schemes work.
But it is important to take into account what I wrote and highlighted, namely Luks2+argon2id. => https://mjg59.dreamwidth.org/66429.html
At this stage I continue testing and studying this issue..

24

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Other_Cody, ask Leah, with whom you are communicating, to write detailed instructions on how to install Hyperbola using Luks2 with argon2id. Say help the Hyperbola project, users need your support))

It’s very interesting what she will answer you))

25

Re: Install Full disk encryption (including /boot ) Luks1 T440P Libreboot

Reminder: Please write guides as you like, but do not speak on behalf of a whole community when you have not asked the community, jim. You have made your point and demand clear. But you have now sent out several different points in different threads, not being fully clear. Like this one: https://forums.hyperbola.info/viewtopic … 7577#p7577

If you want to offer guidance with the software Hyperbola has? Fine. But just to make that clear: We won't add unapproved patches, also not rebuilding and updating packages just because someone said it "may work". Please do not use Hyperbola as your own platform for only your interests. Offer your tips, your guide for sure. But not on behalf of Hyperbola like "we" as a whole community now ask for help. You ask for support and help. There is a clear difference! :)

Please orient on the roadmap Hyperbola has: https://wiki.hyperbola.info/doku.php?id … sd_roadmap
There is no Argon2id and LUKS2. And before you bring in that we "need to include that": LUKS2 is also Linux-only. Simple answer: Sorry, but we do not focus on that. If you want to focus? Cool. Are there possible good working fixes without breaking the system? Okay, let's see. But as said: Roadmap is set for different parts. Hyperbola is community-oriented system, but exactly driven with system-development. That also means: You want something integrated in your installation? You need to find a way forward or test it on your own. You do not need to repeat the argumentation about "users" and your personal awaitings. That is all understood. But Hyperbola has a concrete roadmap and our goals are now:

- Version 0.4.5, reduction of number packages and the sizing of the ISO (striping)
- HyperbolaBSD

And this thread is even referenced on places for other systems and projects, keeping us busy for sure when people have questions and get in contact. When this debate is going further in that direction I have no other choice but to close this thread with underlining the reminder to create a new thread for "Argon2id and LUKS2". The essential question stays here: Is full disk encryption possible or not? It was not the question: Is it possible with whatever newest Linux-only part people recommend. That was NOT the question and NOT part of this thread. If this is not possible to understand: It is not our task and also not mine to unravel mixed up topics like "What does Libreboot support" or "How is Canoeboot working" ... but those questions are now on the table elsewhere and mixing also within all of this. Keep it please clear and straight, not like asking everybody about whatever, this is causing only more work and binds time.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!