1 (edited by gnu 2022-03-21 13:23:33)

Topic: [Hyperbola 0.4] full disk encryption

This method still works?

grub> cryptomount -a
grub> set root='lvm/matrix-rootvol'
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
grub> initrd /boot/initramfs-linux-libre-lts.img
grub> boot

2 (edited by zapper 2022-03-22 03:37:05)

Re: [Hyperbola 0.4] full disk encryption

gnu wrote:

This method still works?

grub> cryptomount -a
grub> set root='lvm/matrix-rootvol'
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
grub> initrd /boot/initramfs-linux-libre-lts.img
grub> boot

Good question, I got tired of using full disk encryption due to having to type in the same password twice. This happened back when it was 0.3, so I don't exactly know...

I cannot confirm at this time, but as long as you know what you are doing and have done this before, you should succeed.

This part is the easier part. The hard part comes when you want to no longer need to do that to boot your computer.

I hope it will go well for you.

Actually to clarify, I do use a form of FDE, but without /boot encrypted for the reasons above, but yeah as long as you follow the guide correctly, I think it will work.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3 (edited by gnu 2022-03-22 12:02:09)

Re: [Hyperbola 0.4] full disk encryption

I've tried to start a full encryption disc (it's a test disc not my main) in a
Libreboot X200 but it does not start. The error is always 'lvm/matrix-rootvol'
NOT FOUND. I tried to change the paths of the "lvm" without success. The same
installation with HYP 0.3.1 worked perfectly.

grub> set root='lvm/matrix/rootvol'
grub> set root=/matrix/rootvol'
etc.. etc..
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/mapper/matrix-rootvol cryptdevice=/dev/sda1:root
etc.. etc..

libreboot version: 20160907

4 (edited by zapper 2022-03-22 16:16:11)

Re: [Hyperbola 0.4] full disk encryption

gnu wrote:

I've tried to start a full encryption disc (it's a test disc not my main) in a
Libreboot X200 but it does not start. The error is always 'lvm/matrix-rootvol'
NOT FOUND. I tried to change the paths of the "lvm" without success. The same
installation with HYP 0.3.1 worked perfectly.

grub> set root='lvm/matrix/rootvol'
grub> set root=/matrix/rootvol'
etc.. etc..
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/mapper/matrix-rootvol cryptdevice=/dev/sda1:root
etc.. etc..

libreboot version: 20160907

Question, but did you remember to do this part of the guide?

"Be aware, when you add i915 into the uncommented modules line, that you remove these “ “ before you add i915, otherwise, it will not boot and will drop to a shell. When you install with full disk encryption, this is a requirement."

https://wiki.hyperbola.info/doku.php?id … stallation

And, also, is it the new iso, or the 0.3.1 iso?

I'll see if someone can help you though.


Actually question, can you show me what errors you ran into?

Otherwise, helping you will be even harder.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

5 (edited by gnu 2022-03-22 21:24:56)

Re: [Hyperbola 0.4] full disk encryption

Question, but did you remember to do this part of the guide?

"Be aware, when you add i915 into the uncommented modules line, that you remove these “ “ before you add i915, otherwise, it will not boot and will drop to a shell. When you install with full disk encryption, this is a requirement."

Yes, so I do

And, also, is it the new iso, or the 0.3.1 iso?

I tried to install with the 0.4 iso

Actually question, can you show me what errors you ran into?

grub> cryptomount -a
grub> (OK)
        > set root='lvm/matrix-rootvol'
grub> (OK)
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
grub> 'lvm/matrix-rootvol' not found  (something like that)

the disc does not start

6 (edited by zapper 2022-03-25 20:44:54)

Re: [Hyperbola 0.4] full disk encryption

gnu wrote:

Question, but did you remember to do this part of the guide?

"Be aware, when you add i915 into the uncommented modules line, that you remove these “ “ before you add i915, otherwise, it will not boot and will drop to a shell. When you install with full disk encryption, this is a requirement."

Yes, so I do

And, also, is it the new iso, or the 0.3.1 iso?

I tried to install with the 0.4 iso

Actually question, can you show me what errors you ran into?

grub> cryptomount -a
grub> (OK)
        > set root='lvm/matrix-rootvol'
grub> (OK)
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
grub> 'lvm/matrix-rootvol' not found  (something like that)

the disc does not start

Sorry for being majorly late to reply, let me see:

grub> cryptomount -a
OK
grub> set root='lvm/matrix-rootvol'
OK
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
OK
grub> initrd /boot/initramfs-linux-libre-lts.img
Not Done...
grub> boot

Seems I was too quick to reply...

Actually, I just realized, there is something else...

I don't know the answer to this yet,

Sorry, I thought I had figured it out, this will take more thought.

Did you add this issue to the issue tracker here:

https://issues.hyperbola.info/

If you don't plan to, let me know, so someone does this.

The only other way this could have gone wrong to be honest, is if you screwed up on the libreboot full disk encryption guide, which idk, how you did it or not, so it's up in the air as far as I know.

Hmm, I looked back and forth a few times, this is clearly either A: a bug or B: something went wrong when you did FDE and you forgot.

I am going to guess it's probably a bug.

Although, which version of the libreboot bios do you have, I forget, but I recall hearing Throgh say that this issue could be with the new testing, or the last stable, but I forget which. Also, there are two current testing releases of libreboot last I checked that are very recent, so this might be part of the situation.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

7 (edited by aether 2022-03-31 07:11:55)

Re: [Hyperbola 0.4] full disk encryption

It works 100%.
Here is my menuentry in grub.cfg (inside cbfs with coreboot 4.16) to start hyperbola.

menuentry 'Load hyperbola' {
        insmod ahci
        insmod part_msdos
        insmod part_gpt
        cryptomount -u 071b188644b14c528d1853efdf96d74c
        set root="lvm/matrix-root"
        echo  'Loading vmlinuz-linux-libre-lts ...'
        linux /boot/vmlinuz-linux-libre-lts \
        cryptdevice=UUID=071b1886-44b1-4c52-8d18-53efdf96d74c:root \
        cryptkey=rootfs:/etc/keys/ssd.key \
        root=UUID=bcea465c-b5ba-4df0-936d-04679c422904 \
        resume=UUID=9c3a41a5-672a-46bb-ac88-c70a5f1aba75 \
        keymap=de net.ifnames=0 biosdevname=0 acpi_osi=Linux

        echo  'Loading initramfs-linux-libre-lts.img ...'
        initrd /boot/initramfs-linux-libre-lts.img
        boot
}

The keyfile is stored in : '/etc/keys/ssd.key' so 'cryptkey=rootfs:/etc/keys/ssd.key' is used.
It will only ask for your password one time at start (with grub in cbfs)

As usual, make sure that dmcrypt and lvm are added to boot runlevel.

rc-update add dmcrypt boot
rc-update add lvm boot

Modifications in /etc/mkinitcpio.conf

MODULES="i915"
FILES="/etc/keys/ssd.key"
HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"
COMPRESSION="xz"

then..

mkinitcpio -p linux-libre-lts
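
The consistency rules implied by the menuentry and mkinitcpio.conf in the post above, as an added example that is not aether's or Hyperbola's own code: the kernel line must carry `cryptdevice=`, it must name the same LUKS volume as `cryptomount -u`, the `cryptkey=rootfs:` file must be listed in `FILES`, and `encrypt` must come before `lvm2`. It assumes LVM inside LUKS as in this thread; the function names and the sample UUID are constructed.

```sh
#!/bin/sh
# Added example: lint a GRUB menuentry against mkinitcpio.conf for an
# LVM-inside-LUKS install with an embedded keyfile. Sample values are constructed.
SAMPLE_ENTRY='menuentry "Load hyperbola" {
        cryptomount -u 0123456789abcdef0123456789abcdef
        set root="lvm/matrix-root"
        linux /boot/vmlinuz-linux-libre-lts \
        cryptdevice=UUID=01234567-89ab-cdef-0123-456789abcdef:root \
        cryptkey=rootfs:/etc/keys/ssd.key root=/dev/matrix/root
        initrd /boot/initramfs-linux-libre-lts.img
}'
SAMPLE_CONF='MODULES="i915"
FILES="/etc/keys/ssd.key"
HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"'

# The post gives cryptomount the UUID without dashes and the kernel line with them.
norm_uuid() { printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f'; }
# Value of KEY= on the kernel line (tokens split on blanks and "\" continuations).
cmdline_get() { printf '%s\n' "$1" | tr -s ' \t\\' '\n' | sed -n "s/^$2=//p" | head -n 1; }

# check_fde_config ENTRY_TEXT CONF_TEXT: prints findings, returns their count.
check_fde_config() {
    n=0; seen=0; order_ok=0
    guuid=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*cryptomount -u[[:space:]]*//p' | head -n 1)
    cdev=$(cmdline_get "$1" cryptdevice); ckey=$(cmdline_get "$1" cryptkey)
    files=$(printf '%s\n' "$2" | sed -n 's/^FILES="\(.*\)"/\1/p')
    hooks=$(printf '%s\n' "$2" | sed -n 's/^HOOKS="\(.*\)"/\1/p')
    if [ -z "$cdev" ]; then
        echo "kernel line has no cryptdevice=: the initramfs will not unlock LUKS"; n=$((n+1))
    elif [ "${cdev#UUID=}" != "$cdev" ] && [ -n "$guuid" ]; then
        kuuid=${cdev#UUID=}; kuuid=${kuuid%%:*}
        if [ "$(norm_uuid "$kuuid")" != "$(norm_uuid "$guuid")" ]; then
            echo "cryptomount -u and cryptdevice=UUID= point at different volumes"; n=$((n+1))
        fi
    fi
    case $ckey in rootfs:*)    # keyfile is read from the initramfs, so FILES must ship it
        case " $files " in *" ${ckey#rootfs:} "*) ;;
            *) echo "keyfile ${ckey#rootfs:} is not listed in FILES"; n=$((n+1));;
        esac;;
    esac
    for h in $hooks; do        # LVM sits inside LUKS: encrypt must run before lvm2
        if [ "$h" = encrypt ]; then seen=1; fi
        if [ "$h" = lvm2 ] && [ "$seen" = 1 ]; then order_ok=1; fi
    done
    if [ "$order_ok" != 1 ]; then echo "HOOKS must list encrypt before lvm2"; n=$((n+1)); fi
    return "$n"
}
check_fde_config "$SAMPLE_ENTRY" "$SAMPLE_CONF" && echo "sample entry and mkinitcpio.conf agree"
```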

8 (edited by zapper 2022-03-31 01:03:15)

Re: [Hyperbola 0.4] full disk encryption

aether wrote:

It works 100%.
Here is my menuentry in grub.cfg (inside cbfs with coreboot 4.16) to start hyperbola.

menuentry 'Load hyperbola' {
        insmod ahci
        insmod part_msdos
        insmod part_gpt
        cryptomount -u 071b1886-44b1-4c52-8d18-53efdf96d74c
        set root="lvm/matrix-root"
        echo  'Loading vmlinuz-linux-libre-lts ...'
        linux /boot/vmlinuz-linux-libre-lts \
        cryptdevice=UUID=071b1886-44b1-4c52-8d18-53efdf96d74c:root \
        cryptkey=rootfs:/etc/keys/ssd.key \
        root=UUID=bcea465c-b5ba-4df0-936d-04679c422904 \
        resume=UUID=9c3a41a5-672a-46bb-ac88-c70a5f1aba75 \
        keymap=de net.ifnames=0 biosdevname=0 acpi_osi=Linux

        echo  'Loading initramfs-linux-libre-lts.img ...'
        initrd /boot/initramfs-linux-libre-lts.img
        boot
}

The keyfile is stored in : '/etc/keys/ssd.key' so 'cryptkey=rootfs:/etc/keys/ssd.key' is used.
It will only ask for your password one time at start (with grub in cbfs)

As usual, make sure that dmcrypt and lvm are added to boot runlevel.

rc-update add dmcrypt boot
rc-update add lvm boot

Modifications in /etc/mkinitcpio.conf

MODULES="i915"
FILES="/etc/keys/ssd.key"
HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"
COMPRESSION="xz"

then..

mkinitcpio -p linux-libre-lts

Interesting indeed! I do have one major question, this one would be considered mega hard to do probably, is it possible to make it so you can have multibooted full disk encryption?

Aka, if you have a few solid state drives around, a usb 3.1 connector, a device with coreboot and intel me disabled, that you want to do this on...

You know where I am going with this already, I assume... wink

But yeah, is it possible to make it so when the screen comes up, you can choose between one given disk or another?

typo:

I had said partition here, but I meant, like /dev/sdb vs /dev/sda type thing.

hehe...

If you know that question, here's one that goes way beyond the first:


The most insane question of all that I can think of regarding FDE + /boot encrypted... multiboot full disk encryption when you are having many different installations on one friggin SSD.  This one is more or less of one I am not as interested in, I just asked it for the luls...

If you don't know the answer to either one, I will understand, but yeah lol...

I just wondered if anyone knows how to do either.

That being said,  unless anyone knows either answer to the above, I won't even bother asking how to do it with coreboot/heads bios.

Heads is the bios that can make you feel like you're chasing your own tail...

tongue

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

9 (edited by zapper 2022-03-31 01:06:01)

Re: [Hyperbola 0.4] full disk encryption

gnu wrote:

This method still works?

grub> cryptomount -a
grub> set root='lvm/matrix-rootvol'
grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
grub> initrd /boot/initramfs-linux-libre-lts.img
grub> boot

Btw, refer to Aether's reply near the bottom, I think he knows how to do this on Libreboot also.

The only thing that puzzles me, is that he seems to have the apostrophes between i915...

Dunno if that problem is gone, very peculiar if so.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

10

Re: [Hyperbola 0.4] full disk encryption

I had not read this:

https://forums.hyperbola.info/viewtopic … 4091#p4091

So it's not just my problem
Someone tried to install without LVM?

11

Re: [Hyperbola 0.4] full disk encryption

Yeah, seems to be the case, I think that thread has a possible solution on it, not sure if page 1 or 2...

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

12

Re: [Hyperbola 0.4] full disk encryption

UPDATE:
I have the same problem with Trisquel 10, so I think it is the old libreboot 2016 that has problems with the new systems.

13

Re: [Hyperbola 0.4] full disk encryption

gnu wrote:

UPDATE:
I have the same problem with Trisquel 10, so I think it is the old libreboot 2016 that has problems with the new systems.

That is extremely likely,

old releases of libreboot probably don't get anywhere near as much support...

Btw, I wonder if the FSF/GNU priority list includes either A: getting people to work on a free bios like libreboot/osboot,

or B:  forking libreboot and actually maintaining it.

I know what some want here, but it's honestly better to have A PLAN, than NO PLAN!

smile

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

14

Re: [Hyperbola 0.4] full disk encryption

It took me a long time to find a solution so I'll share so someone else doesn't reinvent the wheel.
Thinkpad x220 installed libreboot 20230319
grub_x220_8mb_libgfxinit_corebootfb_usqwerty.rom

System boots, asks for password then drops emergency shell with error
device '/dev/mapper/matrix-rootvol' not found

I tried many ways, and the solution turned out to be an entry in the /etc/default/grub file
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"

by the way wiki entry
"Be aware, when you add i915 into the uncommented modules line, that you remove these “ “ before you add i915, otherwise, it will not boot and will drop to a shell. When you install with full disk encryption, this is a requirement."

In my case it doesn't matter, it boots with "" as well as without.