1 (edited by jim 2023-12-02 22:37:55)

Topic: Install Full disk encryption (including /boot ) on Libreboot T440P

Hi all. I would like to share my experience of installing Hyperbola on a T440P with Libreboot 2023 https://mirror.cyberbits.eu/libreboot/s … 0625/roms/ with full disk encryption (including /boot).

I know that this image contains blobs, and I do not understand and do not share the philosophy of Libreboot)) Why introduce blobs to increase the amount of hardware? The meaning of the project is lost...


If I understand correctly, only here can the user find free images for his computer.

https://ftp.gnu.org/gnu/gnuboot/gnuboot-0.1-rc1/

My example is just a test installation, I wanted to understand whether it would work or not.

It seems to me that a more promising test is installing full disk encryption (including /boot) on this T400 laptop with a 4-core processor:

https://thonkpeasant.xyz/guides/other/quad.html

Booting ISO from USB

root@hyperiso # cd /usr/share/consolefonts

root@hyperiso # setfont sun12x22.psfu.gz

Now the font size is normal; you can move on))

# lsblk

# dd if=/dev/urandom   of=/dev/sdb bs=1M status=progress 
# cfdisk /dev/sdb

  (select dos > primary etc.)

Now we have sdb1.

Connect internet

# ip -c a

# rc-service dhcpcd start

# ip link set enp0s35 up

# dhcpcd enp0s35

Cryptsetup

# pacman -Syy cryptsetup 

# rc-update add lvm boot

# rc-update add dmcrypt boot 

# modprobe dm-mod

Create the LUKS partition

# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat --type luks1 /dev/sdb1

Existing 'crypto_LUKS' superblock signature (offset:0 bytes) on device...
Existing 'crypto_LUKS' superblock signature (offset:16... bytes) on device...
Key slot 0 created
Command successful

Create the volume group and logical volumes

# cryptsetup open /dev/sdb1  lvm

# pvcreate /dev/mapper/lvm
# pvs

  (check)

# vgcreate matrix /dev/mapper/lvm
# vgs

(check)

# lvcreate -l +100%FREE  matrix -n rootvol
# lvs

(check)

# mkfs.ext4 /dev/mapper/matrix-rootvol

# mount  /dev/matrix/rootvol  /mnt

Create the /boot and /home directories

# mkdir -p /mnt/home

# mkdir -p /mnt/boot

Install the base system

# pacstrap  /mnt    

Generate an fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab

  (check)

Chroot

# arch-chroot  /mnt

Setting up clock...

Setting up time zone..

Setting up the consolefont ...


Setting up Kernel Modules

# nano /etc/mkinitcpio.conf 

MODULES=i915

HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" 

Update Kernel

# mkinitcpio -p linux-libre-lts

==>ERROR Hook 'encrypt'...
==>WARNING missing isci..

OK,

# pacman -S cryptsetup 
# pacman -S core/isci-lts-firmware

# mkinitcpio -p linux-libre-lts 

Setting up hostname

# echo "hyperbola" > /etc/hostname

# nano /etc/hosts

127.0.0.1   localhost.localdomain     localhost   hyperbola
::1         localhost.localdomain     localhost   hyperbola

Set the root password

#  passwd

****************************
****************************

Installing Grub

#  pacman -S grub

# nano /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdb1:lvm"

GRUB_ENABLE_CRYPTODISK=y

# grub-install /dev/sdb

Generate grub.cfg

# grub-mkconfig -o /boot/grub/grub.cfg

Unmount all partitions and reboot

# exit

# umount -R /mnt

# lvchange -an /dev/matrix/rootvol

# cryptsetup close lvm

# openrc-shutdown -p now

Everything works. There is one inconvenience: if you have two SSDs, you need to enter your SSD number manually each time (for example, you press 3); after that the system boots and you need to enter the password twice. In the wiki https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot) there is an explanation of how to change this.

2

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

I think as long as the blobs don't function in a way where they send any info over the net, like a backdoor, for example... as long as there is no remote sharing of info like that, it should be fine. Privacy should come before freedom in this case, I believe. If the Intel ME couldn't be disabled and was constantly sending info of all types out, meaning the network stack was on, I would agree with you.

As a more related note, I wondered if this guide would work in coreboot and if it would work in qemu.

Just curious.

Especially qemu though.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

Hello Hyper Cyber. Thanks for your answer and your opinion. I don't use Coreboot because it is more difficult to install and, if I'm not mistaken, it has more blobs than Libreboot, even though it is based on Coreboot.

This example is just a test installation (experiment) since I only had a T440P.

I believe that today there are only three interesting options:

1. T400 (4-core processor)  ==>  https://thonkpeasant.xyz/guides/other/quad.html

2. ASUS KGPE-D16 ==>  https://trisquel.info/en/forum/how-asse … yourself-0

3. Talos™ II Secure Workstation  ==> https://www.raptorcs.com/content/TL2WK2/intro.html

4

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

Hello, excuse me.

I am trying to install Hyperbola with the entire disk encrypted, but when I get to the part about:

nano /etc/default/grub

I modify the following lines

GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"
GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"

and when executing

grub-install /dev/sda

I get the following error

grub-install: error: unable to identify a filesystem in hostdisk//dev/sda; safety check can't be performed

when doing an lsblk -f:

https://i.ibb.co/F4f7dtT/lsblk-f.png

I have been doing the installation like this:


loadkeys la-latin1

cfdisk
      sda --> ALL DISK --> Linux 83

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id \
    --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda


cryptsetup luksOpen /dev/sda j2rm

pvcreate /dev/mapper/j2rm

vgcreate nidejo /dev/mapper/j2rm

lvcreate -L 500M nidejo -n boot

lvcreate -L 27G nidejo -n root

lvcreate -L 40G nidejo -n home

lvcreate -L 50G nidejo -n RpG7

lvcreate -l +100%FREE nidejo -n swap

mkfs.ext4 /dev/mapper/nidejo-root
mkfs.ext4 /dev/mapper/nidejo-home
mkfs.ext4 /dev/mapper/nidejo-boot
mkfs.ext4 /dev/mapper/nidejo-RpG7
mkswap /dev/mapper/nidejo-swap

mount /dev/mapper/nidejo-root /mnt
mkdir /mnt/home
mount /dev/mapper/nidejo-home /mnt/home
mkdir /mnt/boot
mount /dev/mapper/nidejo-boot /mnt/boot
mkdir /mnt/RpG7
mount /dev/mapper/nidejo-RpG7 /mnt/RpG7
swapon /dev/mapper/nidejo-swap

lsblk

pacman -Sy hyperbola-keyring

pacstrap /mnt base base-devel grub-bios wpa_supplicant iw kernel-firmware ldns xenocara-input-synaptics

genfstab /mnt >> /mnt/etc/fstab

arch-chroot /mnt

ln -sf /usr/share/zoneinfo/Europe/Madrid /etc/localtime

hwclock --systohc --utc

echo j2rm > /etc/hostname

echo KEYMAP=la-latin1 > /etc/vconsole.conf

nano /etc/locale.conf
    LANG="es_VE.UTF-8"
    export LANG=es_VE.UTF-8

nano /etc/locale.gen
    es_VE.UTF-8 UTF-8

locale-gen

nano /etc/mkinitcpio.conf

HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"

mkinitcpio -p linux-libre-lts

pacman -S cryptsetup
pacman -S core/isci-lts-firmware

mkinitcpio -p linux-libre-lts

pacman -S grub

nano /etc/default/grub

GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"
GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"

grub-install /dev/sda

https://i.ibb.co/tHcQLFN/error.png

Will anyone have any suggestions on what I'm doing wrong?

Thanks

5

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

Hello.

I did the installation on real hardware with Libreboot.

Are you installing on a virtual machine (qemu)?

Check where you install Grub.

Here's part of my setup and yours:

# nano /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:lvm"

GRUB_ENABLE_CRYPTODISK=y

# grub-install /dev/sdb

=========================================

GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"

GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"

and when executing

grub-install /dev/sda

6

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

The HyperbolaGNU wiki also tells us that LUKS version 2 is not supported. There may be changes; I have not tested...

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id \
    --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda

https://wiki.hyperbola.info/doku.php?id … stallation
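As an added diagnostic (not from any post in this thread), here is a small pre-flight script that encodes the two points made above before running grub-install: /etc/default/grub must carry a correctly spelled GRUB_CMDLINE_LINUX with cryptdevice= plus GRUB_ENABLE_CRYPTODISK=y, and the container must be LUKS1 because the GRUB described here does not open LUKS2 (argon2id) containers. It reads plain text files, so the inputs are constructed samples; on a real system point it at /etc/default/grub and the output of cryptsetup luksDump.

```shell
#!/bin/sh
# Constructed samples (not real system files): grub.bad has the shape of post 4,
# grub.good the shape of post 1; the luksDump excerpts keep only the fields read here.
tmp=$(mktemp -d)
cat > "$tmp/grub.bad" <<'EOF'
GRUB_CMLINE_LINUX_DEFAULT="loglevel=3 resume=/dev/mapper/nidejo-swap"
GRUB_CMLINE_LINUX="cryptdevice=/dev/sda:j2rm"
EOF
cat > "$tmp/grub.good" <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdb1:lvm"
GRUB_ENABLE_CRYPTODISK=y
EOF
printf 'Version:\t1\nCipher name:\tserpent\nHash spec:\twhirlpool\n' > "$tmp/luks1.dump"
printf 'Version:\t2\nKeyslots:\n  0: luks2\n\tPBKDF:\targon2id\n' > "$tmp/luks2.dump"

# check_grub_defaults FILE: print every problem found, return 1 if there was any.
check_grub_defaults() {
    f=$1; rc=0
    # grub-mkconfig sources this file as shell, so a misspelled key is silently unused.
    if grep -q '^GRUB_CMLINE' "$f"; then
        echo "typo: GRUB_CMLINE_* is ignored; the key is GRUB_CMDLINE_LINUX"; rc=1
    fi
    if ! grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=' "$f"; then
        echo "missing: GRUB_CMDLINE_LINUX must carry cryptdevice=<luks partition>:<mapper name>"; rc=1
    fi
    if ! grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$f"; then
        echo "missing: GRUB_ENABLE_CRYPTODISK=y, otherwise GRUB cannot read an encrypted /boot"; rc=1
    fi
    return $rc
}
# luks_version FILE: print the Version field of a luksDump.
luks_version() {
    sed -n 's/^Version:[[:space:]]*//p' "$1"
}
# check_luks_dump FILE: return 1 unless the container is LUKS1, the format GRUB here can open.
check_luks_dump() {
    f=$1; rc=0
    if [ "$(luks_version "$f")" != "1" ]; then
        echo "LUKS version $(luks_version "$f"): luksFormat with --type luks1 for an encrypted /boot"; rc=1
    fi
    if grep -q 'argon2' "$f"; then
        echo "argon2 PBKDF: this GRUB cannot derive the key from such a keyslot"; rc=1
    fi
    return $rc
}
check_grub_defaults "$tmp/grub.bad"    # reports the three problems in the post-4 config
check_luks_dump "$tmp/luks2.dump"      # reports the LUKS2/argon2id container
check_grub_defaults "$tmp/grub.good" && check_luks_dump "$tmp/luks1.dump" && echo "ready for grub-install"
```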

7

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

jim wrote:

The HyperbolaGNU wiki also tells us that LUKS version 2 is not supported. There may be changes; I have not tested...

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id \
    --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda

https://wiki.hyperbola.info/doku.php?id … stallation

If you test it in a VM and it works, however, feel free to let everyone here know.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

8

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

We will speak about the guides you have written in IRC later on, as we need to rework the guides in the wiki for sure, as also pointed out by community members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot machine, as you mention having one?

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

9

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

Throgh, hello. And thank you very much; I see you always help users figure it out!

Regarding installation, do you mean install HyperbolaGNU on T440P without encrypted «/boot» partition?

10 (edited by jim 2023-11-28 12:45:44)

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

j2rm have you tried my instructions?

11 (edited by jim 2023-11-28 13:00:51)

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

Zapper, hello. I'll try one of these days, but it seems to me there are difficulties))
I read a little. In fact, it is not clear which algorithm is better and safer, the old LUKS1 or the new and experimental LUKS2, which requires more memory; you need to proceed from practice or find out the opinion of a real high-level professional.
If, for example, some user wrote to us that his laptop was taken away at an airport in some country, that there was sensitive information on it with LUKS1, and that they returned it to him and could not hack it, then we could draw conclusions. Now all the talk is simply about the fact that LUKS2 is newer.

https://wiki.archlinux.org/title/Dm-cry … ire_system
"The LUKS2 format has a high RAM usage per design, defaulting to 1GB per encrypted mapper. Machines with low RAM and/or multiple LUKS2 partitions unlocked in parallel may error on boot. See the --pbkdf-memory option to control memory usage."

12

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

throgh wrote:

We will speak about the guides you have written in IRC later on, as we need to rework the guides in the wiki for sure, as also pointed out by community members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot machine, as you mention having one?

Yes, exactly. I would like to rework both guides, as users in IRC noted that they are not working flawlessly; in particular the guide with "encryption without /boot" is failing directly. As I have not written those but nevertheless see myself in the position to support here, I would do this for sure and bring the loose ends together now. :)

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

13

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

throgh wrote:
throgh wrote:

We will speak about the guides you have written in IRC later on, as we need to rework the guides in the wiki for sure, as also pointed out by community members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot machine, as you mention having one?

Yes, exactly. I would like to rework both guides, as users in IRC noted that they are not working flawlessly; in particular the guide with "encryption without /boot" is failing directly. As I have not written those but nevertheless see myself in the position to support here, I would do this for sure and bring the loose ends together now. :)

Okay, I'll try and write here or create a separate topic.

Do you want me to install HyperbolaGNU without a desktop environment?

14

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

I do not rule out the possibility that LUKS2 can be installed on the T440p (Libreboot); I need to check with the developers.

But as I wrote above, this T440P has blobs, and it is better to use the T400: https://ryf.fsf.org/products/TET-T400

15

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

jim wrote:
throgh wrote:
throgh wrote:

We will speak about the guides you have written in IRC later on, as we need to rework the guides in the wiki for sure, as also pointed out by community members in IRC in the last days. So thanks for all the time you have invested.

Would you mind perhaps trying this also without "/boot"? And especially on a Libreboot machine, as you mention having one?

Yes, exactly. I would like to rework both guides, as users in IRC noted that they are not working flawlessly; in particular the guide with "encryption without /boot" is failing directly. As I have not written those but nevertheless see myself in the position to support here, I would do this for sure and bring the loose ends together now. :)

Okay, I'll try and write here or create a separate topic.

Do you want me to install HyperbolaGNU without a desktop environment?

I think the installation is approval enough, so we can together rework the wiki guides step by step. I'd like to take this also as a community effort.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

16

Re: Install Full disk encryption (including /boot ) on Libreboot T440P

Sure, if you have access to a Libreboot system: please feel free to make use of it also. :)

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!