1 (edited by jim 2024-02-14 09:36:32)

Topic: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

Hi all.

I would like to share my experience of installing Hyperbola with Libreboot+Luks2+argon2id with an encrypted boot partition.
This is a test setup. There are still questions left:

1. Password for Grub  https://libreboot.org/docs/linux/grub_h … t-with-gpg
2. If you insert a second SSD, how to configure Grub so that it is also encrypted.
3. Change the picture, I would put the Hyperbola screensaver if there is a beautiful photo https://github.com/vinceliuice/grub2-themes

A short preface.

Unfortunately, there is very little documentation on this installation; what I found on the Internet were either installations without an encrypted boot partition or options with LUKS1. Sometimes it seemed to me as if the information was deliberately hidden from the user)) I also looked for answers on Reddit, but very often I came across answers like this https://teddit.zaggy.nl/r/coreboot/comm … ncryption/ or https://teddit.zaggy.nl/r/coreboot/comments/1903q0o/grub2_as_coreboot_payload/, that is, 95% of users do not receive answers to questions on this topic.
On the Libreboot website there is a section dedicated to "Encrypted /boot via LUKS2 with argon2" https://libreboot.org/docs/linux/#encry … ith-argon2 which, in my opinion, provides only general information; it is nothing like the instructions on the Arch wiki or the way it was done in Parabola https://wiki.parabola.nu/Installing_Par … e_the_ROM.


I wanted to say thank you to Throgh, who helped me and answered my questions. Wael from Parabola also helped me with my questions. The user Cat also helped me. Coreboot and Libreboot did not help me on the IRC channel!

My test was carried out on a T440P computer. If the GRUB in the ROM supports LUKS2, then it can unlock the drive and boot the distribution directly; you don't even have to install GRUB in your distribution. GRUB is already part of Libreboot and is flashed together with it as the payload.
There is code in GRUB that can be used to unlock LUKS1 and LUKS2 dm-crypt using the cryptomount command.
Thanks to this, you can boot with full disk encryption by encrypting /boot.
Libreboot’s argon2 patches are based on this AUR repository https://aur.archlinux.org/cgit/aur.git/ … 9fa4c2f50d which patched GRUB 2.06, and the patches were rebased for use with GRUB 2.12 which Libreboot uses; the rebase was performed by Nicholas Johnson https://libreboot.org/news/argon2.html#introduction

This assumes you are doing a fresh installation, I followed my instructions but used:

--pbkdf argon2id
--type luks2

# cryptsetup  -v  --cipher aes-xts-plain64  --hash sha512 --iter-time 10000  --key-size 512  --pbkdf argon2id  --use-urandom --verify-passphrase luksFormat  --type luks2 /dev/sda1


This computer requires blobs to be inserted into the ROM; if you do not do this, it will not work.
In order for LUKS2 to work with argon2id, it is recommended to download one of the latest versions of Libreboot, 20231106 or 20240126 https://mirrors.mit.edu/libreboot/testi … 1106/roms/ (argon2/LUKS2 has been supported since August).
I used 20231106 in the test. Download libreboot-20231106_t440pmrc_12mb.tar.xz and check the authenticity of the file, then unpack it and select the version grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom, or select your language: at the end of the file name you will see, for example, deqwertz.rom for German, etc.
Next, you need to embed the blobs into the ROM; this is a peculiar procedure that requires about 8 GB of free disk space and about an hour of time (this was the case for me).
It is described in detail here https://libreboot.org/docs/install/t440p_external.html. You don't need to disassemble your computer: you embed the blobs and then use the flashrom utility.

Install flashrom

$ doas pacman -S flashrom

Before updating the release, you need to boot into Linux with the kernel parameter "iomem=relaxed". The Linux kernel, starting with version 4.4, blocks access to the ROM as a security measure, so when you start flashrom an error like "/dev/mem mmap error" will be displayed. To get around this, you need to tell the kernel at boot time to allow access to low-level hardware.

Once you get to the GRUB menu, you can edit the default menu entry by pressing "e". Use your arrow keys to navigate to the line starting with "linux" and add "iomem=relaxed" to the end of the line. After editing, press Ctrl+X.


or

Turn on your computer and, depending on the version, in SeaBIOS (press "Esc", then "c") or GRUB (press "c"), enter:

cryptomount -a
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm  iomem=relaxed
initrd /boot/initramfs-linux-libre.img
boot

After the computer has booted, let's check by entering in the terminal:

$ cat /proc/cmdline

you should see iomem=relaxed at the end:

BOOT_IMAGE=/boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm  iomem=relaxed

Your computer is now ready.

Next you need to edit Libreboot's grub.cfg and add these lines:


.......
  echo #Insert newline
}

menuentry 'Load Hyperbola GNU/Linux-Libre (LTS)' {

insmod ahci
insmod part_msdos
insmod lvm
insmod cryptodisk
cryptomount -a
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm 
initrd /boot/initramfs-linux-libre.img
}


menuentry 'Search ISOLINUX menu (AHCI) [a]' --hotkey='a' {
......

Remove this part of the code, since I'm not using RAID:

menuentry 'Load Operating System (incl. fully encrypted disks)  [o]' --hotkey='o' {

    if [ "${grub_scan_disk}" != "ata" ]; then
        search_grub ahci
    fi
    if [ "${grub_scan_disk}" != "ahci" ]; then
        search_grub ata
    fi

    # grub device enumeration is very slow, so checks are hardcoded

    # TODO: add more strings, based on what distros set up when
    # the user select auto-partitioning on those installers
    lvmvol="lvm/matrix-bootvol lvm/matrix-rootvol"

    raidvol="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"

    # in practise, doing multiple redundant checks is perfectly fast and
    # TODO: optimize grub itself, and use */? here for everything

    for vol in ${lvmvol} ${raidvol} ; do
        try_user_config "${vol}"
    done

    unset ahcidev
    unset atadev
    for i in 11 10 9 8 7 6 5 4 3 2 1 0; do
        for part in 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1; do
            if [ "${grub_scan_disk}" != "ata" ]; then
                ahcidev="(ahci${i},${part}) ${ahcidev}"
            fi
            if [ "${grub_scan_disk}" != "ahci" ]; then
                atadev="(ata${i},${part}) ${atadev}"
            fi
        done
    done

    set pager=0
    echo -n "Attempting to unlock encrypted volumes"
    for dev in ${ahcidev} ${atadev} ${lvmvol} ${raidvol}; do
        if cryptomount "${dev}" ; then break ; fi
    done
    set pager=1
    echo

    # after cryptomount, lvm volumes might be available
    for vol in ${lvmvol}; do
        try_user_config "${vol}"
    done

    search_grub crypto

    if [ "${grub_scan_disk}" != "ata" ]; then
        # Last resort, if all else fails
        set root=ahci0,1
        for p in / /boot/; do
            if [ -f "${p}vmlinuz" ]; then
                linux ${p}vmlinuz root=/dev/sda1 rw
                if [ -f "${p}initrd.img" ]; then
                    initrd ${p}initrd.img
                fi
            fi
        done
    fi

    if [ "${grub_scan_disk}" != "ahci" ]; then
        # Last resort (for setups that use IDE instead of SATA)
        set root=ata0,1
        for p in / /boot/; do
            if [ -f "${p}vmlinuz" ]; then
                linux ${p}vmlinuz root=/dev/sda1 rw
                if [ -f "${p}initrd.img" ]; then
                    initrd ${p}initrd.img
                fi
            fi
        done
    fi

    true # Prevent pager requiring to accept each line instead of whole screen

Save the changes.

To add, change or remove grub.cfg you need the "cbfstool" utility.
You can download the utility like this:

wget https://mrchromebox.tech/files/util/cbfstool.tar.gz  && tar -zxf cbfstool.tar.gz

Let's check the Libreboot ROM with the command:

./cbfstool <path to your ROM> print

./cbfstool /home/jim/Downloads/grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom print

You will find that there is no grub.cfg in the Libreboot ROM because https://libreboot.org/docs/linux/grub_c … t-grub.cfg has changed.

FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs_master_header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           45464 none
cpu_microcode_blob.bin         0xb2c0     microcode       63488 none
intel_fit                      0x1ab00    (unknown)         112 none
fallback/ramstage              0x1abc0    stage          115811 LZMA (241176 decompressed)
config                         0x37080    raw              3008 LZMA (9738 decompressed)
revision                       0x37c80    raw               705 none
build_info                     0x37f80    raw                90 none
fallback/dsdt.aml              0x38000    raw             14002 none
vbt.bin                        0x3b700    raw              1410 LZMA (4608 decompressed)
cmos.default                   0x3bcc0    cmos_default      256 none
cmos_layout.bin                0x3be00    cmos_layout      1296 none
fallback/postcar               0x3c340    stage           20940 none
img/memtest                    0x41580    simple elf      58104 none
seabios.elf                    0x4f8c0    simple elf      64092 none
etc/ps2-keyboard-spinup        0x5f340    raw                 8 none
etc/pci-optionrom-exec         0x5f380    raw                 8 none
etc/optionroms-checksum        0x5f3c0    raw                 8 none
vgaroms/seavgabios.bin         0x5f400    raw             26112 none
fallback/payload               0x65a40    simple elf     533608 none
background.png                 0xe7f00    raw              3451 none
scan.cfg                       0xe8cc0    raw                26 none
keymap.cfg                     0xe8d00    raw                16 none
(empty)                        0xe8d40    null          7352100 none
bootblock                      0x7ebc80   bootblock       16704 none

Now, before using the updated grub.cfg, let's check how it works using grubtest.cfg. This is very important!
grubtest.cfg contains the same information as grub.cfg.

Add grubtest.cfg to your ROM with the command:

./cbfstool /home/jim/Downloads/grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom add -n grubtest.cfg -f /home/jim/grubtest.cfg -t raw

To remove grubtest.cfg or grub.cfg use the command:

./cbfstool /home/jim/Downloads/grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom remove -n grubtest.cfg

Extract grub.cfg

./cbfstool /home/jim/Downloads/grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom extract -n grub.cfg -f grub.cfg

Now check again; you should see grubtest.cfg at the very bottom of the list:

./cbfstool /home/jim/Downloads/grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom print

Now we need to update our ROM, since our computer is already ready for this trick). Execute:

$ doas flashrom -p internal

If there are no errors, OK; now let's execute:

$ doas flashrom -p internal -w grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom

...and wait for the message "Verifying flash... VERIFIED.". Once you see it, turn off your computer and boot into the new configuration.

The boot process may ask for the passphrase twice: first GRUB asks for it, and then the init system asks for it again because GRUB cannot pass the passphrase or the unlock state to the init system.

In the GRUB menu you will see:

*Load test configuration (grubtest.cfg) inside of CBFS(t)

https://files.catbox.moe/c3wsow.png

Select and press "Enter"

You will be greeted by the following message asking you to enter a password:

Enter passphrase for ahci1,msdos (9283749-23423429-2893749823-23894):

Next, you need to enter the password for your encrypted disk again:

Enter passphrase for /dev/sda1

If everything went well, change grubtest.cfg to grub.cfg and try this trick again. Just rename the file.

You can also change grub.cfg so that after booting the computer you do not see the GRUB menu: change

set timeout=10

to

set timeout=0

and after booting the computer, instead of the GRUB menu you will see the following message:

Enter passphrase for ahci1,msdos (9283749-23423429-2893749823-23894):


At the moment everything is working well, but after entering the password I get the message:

error: AHCI transfer error

but even with this error everything works stably.

When I removed the DVD there was no more error)) And I liked it so much, it's old school))


If you have anything to add, please write...
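The post's procedure has two preconditions that are easy to get wrong right before `flashrom -p internal -w`: the running kernel must have been booted with `iomem=relaxed`, and the ROM must actually contain the `grubtest.cfg` you added with cbfstool. The script below is an added example (not code from the post or from Libreboot) that checks both from plain text, so it can be pointed at the live output of `cat /proc/cmdline` and `./cbfstool ROM print` or, as here, at constructed samples whose shape follows the listing shown in the post. The function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example (not part of the post): pre-flight checks before `flashrom -p internal -w ROM`.
# Both checks read plain text, so in real use feed them the live output
# (`cat /proc/cmdline`, `./cbfstool ROM print`); here constructed samples stand in for it.

# cmdline_has WORD : succeed if the kernel command line on stdin contains WORD as a whole word
cmdline_has() {
    tr ' ' '\n' | grep -Fqx -- "$1"
}

# cbfs_has_file NAME : succeed if a `cbfstool ROM print` listing on stdin has a file named NAME.
# Data lines look like "grubtest.cfg  0x7eb000  raw  4096  none"; the name is the first column.
cbfs_has_file() {
    awk -v want="$1" '
        /^FMAP REGION:/ || /^Name[[:space:]]+Offset/ { next }   # header lines
        $1 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# cbfs_config_names : print the raw .cfg files in a listing (the GRUB configs the ROM carries)
cbfs_config_names() {
    awk '$1 ~ /\.cfg$/ && $3 == "raw" { print $1 }'
}

# preflight CMDLINE_FILE LISTING_FILE CFG_NAME : 0 if it is safe to flash, 1 otherwise
preflight() {
    rc=0
    if ! cmdline_has iomem=relaxed < "$1"; then
        echo "kernel was not booted with iomem=relaxed; flashrom -p internal will hit /dev/mem errors" >&2
        rc=1
    fi
    if ! cbfs_has_file "$3" < "$2"; then
        echo "ROM listing has no $3; add it with 'cbfstool ROM add -n $3 -f $3 -t raw' first" >&2
        rc=1
    fi
    return $rc
}

# --- constructed sample input (shape taken from the post's output, values made up) ---
SAMPLE_CMDLINE=$(mktemp)
printf '%s\n' 'BOOT_IMAGE=/boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm iomem=relaxed' > "$SAMPLE_CMDLINE"

SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs_master_header             0x0        cbfs header        32 none
fallback/payload               0x65a40    simple elf     533608 none
background.png                 0xe7f00    raw              3451 none
scan.cfg                       0xe8cc0    raw                26 none
keymap.cfg                     0xe8d00    raw                16 none
(empty)                        0xe8d40    null          7352100 none
grubtest.cfg                   0x7eb000   raw              4096 none
bootblock                      0x7ebc80   bootblock       16704 none
EOF
trap 'rm -f "$SAMPLE_CMDLINE" "$SAMPLE_LISTING"' EXIT

preflight "$SAMPLE_CMDLINE" "$SAMPLE_LISTING" grubtest.cfg && echo "sample: ready to flash"
```

In real use the two checks are `cat /proc/cmdline | cmdline_has iomem=relaxed` and `./cbfstool ROM print | cbfs_has_file grubtest.cfg`; run them immediately before `flashrom -p internal -w ROM`, not after, since a flash that succeeds with the wrong config is what the grubtest.cfg round-trip in the post is meant to avoid.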

2 (edited by jim 2024-02-11 19:31:11)

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

Create a key file so that you do not have to log in twice on boot

Log in as the root user:

login: root
password: *****
# dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

Even root doesn't need to access this:

# chmod 000 /crypto_keyfile.bin  
# nano /etc/mkinitcpio.conf

find the line beginning with "FILES" in the file and add /crypto_keyfile.bin:

FILES="/crypto_keyfile.bin" 
# mkinitcpio -p linux-libre-lts

Reboot your PC.

Everything is working ! Now I enter the password once!
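After `cryptsetup luksAddKey` there are two keyslots on /dev/sda1, and they do not necessarily share the same PBKDF: luksAddKey hashes the new slot with cryptsetup's default PBKDF unless `--pbkdf` is passed, so the keyfile slot can end up on something other than the argon2id chosen at luksFormat time. The script below is an added example (not from the post) that reads `cryptsetup luksDump` output and reports the PBKDF of every keyslot; the sample dump is constructed here to match the layout of luksDump output, with made-up values, and the function names are my own. Running it against the real device is `cryptsetup luksDump /dev/sda1 | luks_all_slots_use argon2id`.

```shell
#!/bin/sh
# Added example (not part of the post): confirm that every LUKS2 keyslot uses the PBKDF you chose.
# `cryptsetup luksAddKey` hashes the new slot with cryptsetup's default PBKDF unless --pbkdf is
# given, so the keyfile slot can differ from the argon2id passphrase slot made by luksFormat.
# Real use: cryptsetup luksDump /dev/sda1 | luks_all_slots_use argon2id

# luks_slot_pbkdfs : read `cryptsetup luksDump DEV` output on stdin, print "SLOT PBKDF" per keyslot
luks_slot_pbkdfs() {
    awk '
        /^Keyslots:/                        { in_slots = 1; next }
        /^[A-Za-z]/                         { in_slots = 0 }        # Tokens:, Digests:, ...
        in_slots && /^  [0-9]+: luks2/      { slot = $1; sub(/:/, "", slot); next }
        in_slots && /^[[:space:]]+PBKDF:/   { print slot, $2 }'
}

# luks_all_slots_use WANT : 0 if every keyslot uses PBKDF WANT, else 1 with offenders on stderr
luks_all_slots_use() {
    luks_slot_pbkdfs | awk -v want="$1" '
        $2 != want { printf "keyslot %s uses %s, not %s\n", $1, $2, want > "/dev/stderr"; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# --- constructed sample luksDump output (layout modelled on cryptsetup, values made up) ---
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
LUKS header information
Version:        2
Epoch:          7
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  40
    Memory:     1048576
    Threads:    4
    AF hash:    sha512
  1: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    PBKDF:      argon2i
    Time cost:  4
    Memory:     1048576
    Threads:    4
    AF hash:    sha512
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha512
    Iterations: 100000
EOF
trap 'rm -f "$SAMPLE_DUMP"' EXIT

luks_slot_pbkdfs < "$SAMPLE_DUMP"
luks_all_slots_use argon2id < "$SAMPLE_DUMP" || echo "sample: keyslot 1 (the keyfile slot) is not argon2id"
```

If a slot comes out on the wrong PBKDF, cryptsetup's `luksConvertKey` action re-hashes an existing keyslot with the parameters given by `--pbkdf` (see cryptsetup(8) for selecting the slot and supplying its passphrase or keyfile), or simply pass `--pbkdf argon2id` to `luksAddKey` in the first place. Note also that the keyfile only stays protected at rest because, in this setup, the initramfs that embeds it lives in /boot inside the LUKS container.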

3

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

jim wrote:

This computer requires the implementation of blob-objects, if you do not do this it will not work.

I do not know if Gnu boot works with

Full disk encryption (including /boot ) and Luks2+argon2id

yet, though maybe it can be patched or put in somehow, if it does not yet work.

Though Coreboot and Libreboot have "blobs" that may not be under a free as in freedom license now, so patching freedom supporting code into Gnu boot may help, if that is something that can be done.

Or those blobs may be a technological or "legal" backdoor into your computer, bypassing the encryption.

4

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

Hello Other_Cody. GNU Boot does not support LUKS2+argon2id at the moment. Maybe in the future...

5 (edited by jim 2024-02-18 08:27:42)

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

GRUB Password

We need the grub-mkpasswd utility, which is included with GRUB, so we will download it temporarily. (Remember that GRUB does not need to be installed in our distribution, since it is already included in the boot flash.)

$ doas pacman -S grub

If you don't have a display server installed, let's install one.

$ doas pacman -S xenocara-server xenocara-xinit xorg xenocara-video-intel ttf-liberation

Let's update the font cache:

$ fc-cache -v -f
$ doas reboot

Start the server without a desktop:

$ xinit  xterm

Change the font and size of the terminal to make it convenient to copy our hash:

$ xterm -fa 'Liberation Mono' -fs 20

You can also use:

Ctrl+MiddleMouse
Ctrl+LeftMouse

Next, enter the command in the terminal:

$ grub-mkpasswd-pbkdf2

Enter your password twice; it should be long and complex))

and your hash will be shown in the terminal:

PBKDF2 hash of your password is grub.pbkdf2.sha512.1000.RWE3274682SHFJSDF34820349023LJFSD08082049284......

Now let's add these lines to grubtest.cfg to check how everything works. Don't forget to boot your computer with the parameter "iomem=relaxed".

This is what the entire configuration looks like:

.......
  echo #Insert newline
}


set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.RWE3274682SHFJSDF34820349023LJFSD08082049284.....

menuentry 'Load Hyperbola GNU/Linux-Libre (LTS)' {
insmod ahci
insmod part_msdos
insmod lvm
insmod cryptodisk
cryptomount -a
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm
initrd /boot/initramfs-linux-libre.img
}


menuentry 'Search ISOLINUX menu (AHCI) [a]' --hotkey='a' {
......

After you have changed your grubtest.cfg update your ROM with the command:

$ doas flashrom -p internal -w grub_t440pmrc_12mb_libgfxinit_corebootfb_usqwerty.rom

Once you reboot and select grubtest.cfg, you will be prompted for a username and password. Enter root and the password you entered during the grub-mkpasswd-pbkdf2 command. If the credentials are correct, the system will boot the selected boot entry.

https://files.catbox.moe/g665yt.png

Remove GRUB:

$ doas  pacman -Rc grub

If everything went well, do the same trick, changing grubtest.cfg to grub.cfg.


P.S. The user/password is required to restrict access to the GRUB shell, which allows running arbitrary commands. The GRUB documentation states that check_signatures=enforce will prevent any future loading of unsigned files, so an attacker shouldn't be able to load any modified files, but better safe than sorry.

Change the root user name to your own variant after the tests.

Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine’s firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain.
https://www.gnu.org/software/grub/manua … horisation
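The post goes to some trouble (a bigger xterm font, mouse selection) to copy the `grub.pbkdf2.sha512...` string intact, because a hash that was truncated or line-wrapped on the way into grubtest.cfg still looks plausible but, once flashed, locks everyone out of the protected entries. The script below is an added example (not from the post or from GRUB) that checks a config for a `set superusers=` line and a well-formed `password_pbkdf2` hash for each superuser before it is flashed. It assumes the grub-mkpasswd-pbkdf2 defaults (sha512, 64-byte salt, 64-byte output, 10000 iterations); the hex strings and the sample config are constructed here, and all function names are my own.

```shell
#!/bin/sh
# Added example (not part of the post): sanity-check the GRUB superuser setup in grubtest.cfg
# before flashing. A hash that was truncated or line-wrapped while being copied out of xterm
# still looks plausible, but once flashed it locks everyone out of the protected menu entries.

# grub_hash_ok HASH : 0 if HASH has the shape grub-mkpasswd-pbkdf2 prints with its defaults:
#   grub.pbkdf2.sha512.<iterations>.<64-byte salt as 128 hex digits>.<64-byte hash as 128 hex digits>
grub_hash_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]{128}\.[0-9A-Fa-f]{128}$'
}

# grub_hash_iterations HASH : print the iteration count stored in the hash string
grub_hash_iterations() {
    printf '%s\n' "$1" | cut -d. -f4
}

# grub_superusers CFG : print the users named by `set superusers=...`, one per line
grub_superusers() {
    sed -n 's/^[[:space:]]*set superusers=//p' "$1" | tr -d '"'"'" | tr ', ' '\n\n' | sed '/^$/d'
}

# grub_auth_cfg_ok CFG : 0 if CFG names superusers and each has a well-formed password_pbkdf2 line
grub_auth_cfg_ok() {
    cfg=$1
    users=$(grub_superusers "$cfg")
    if [ -z "$users" ]; then
        echo "$cfg: no 'set superusers=' line, so password_pbkdf2 protects nothing" >&2
        return 1
    fi
    rc=0
    for u in $users; do
        h=$(awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u { print $3; exit }' "$cfg")
        if [ -z "$h" ]; then
            echo "$cfg: superuser $u has no password_pbkdf2 line" >&2; rc=1
        elif ! grub_hash_ok "$h"; then
            echo "$cfg: hash for $u is malformed or truncated; re-paste it from grub-mkpasswd-pbkdf2" >&2; rc=1
        elif [ "$(grub_hash_iterations "$h")" -lt 10000 ]; then
            echo "$cfg: hash for $u uses fewer iterations than the grub-mkpasswd-pbkdf2 default (10000)" >&2; rc=1
        fi
    done
    return $rc
}

# --- constructed sample (hex strings are made up, not real grub-mkpasswd-pbkdf2 output) ---
hex128() { awk -v seed="$1" 'BEGIN { srand(seed); for (i = 0; i < 128; i++) printf "%X", int(rand() * 16); print "" }'; }
SAMPLE_HASH="grub.pbkdf2.sha512.10000.$(hex128 1).$(hex128 2)"

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<EOF
set superusers="root"
password_pbkdf2 root $SAMPLE_HASH

menuentry 'Load Hyperbola GNU/Linux-Libre (LTS)' {
    cryptomount -a
}
EOF

# the same config with the hash cut short, as a bad paste would leave it
TRUNCATED_CFG=$(mktemp)
sed 's/^\(password_pbkdf2 root .\{200\}\).*/\1/' "$SAMPLE_CFG" > "$TRUNCATED_CFG"
trap 'rm -f "$SAMPLE_CFG" "$TRUNCATED_CFG"' EXIT

grub_auth_cfg_ok "$SAMPLE_CFG" && echo "sample config: GRUB password setup looks complete"
grub_auth_cfg_ok "$TRUNCATED_CFG" || echo "truncated config: rejected as expected"
```

Run `grub_auth_cfg_ok grubtest.cfg` on the file you are about to `cbfstool ... add`; if you generated the hash with a non-default `-s` or `-l`, relax the two `{128}` bounds accordingly. The check is deliberately about shape and iteration count only: verifying the hash against the password is GRUB's job at the prompt, and the grubtest.cfg boot the post describes is the real test of that.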

6

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

Nice words)) written by Throgh: "I love to help because Hyperbola has such a nice little community with outstanding people helping each other. :) Let's learn together so you can create a nice, minimalistic installation at all - that's also a major goal, as I even see bloated packages back in the BSD world, and the idea behind HyperbolaBSD is even greater under this perspective."

7

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

Additional information. I found two scripts to automatically install Hyperbola (I haven't tested them) but this could serve as a base for the future.

1. https://git.sr.ht/~heckyel/hyperfi/blob/master/hyperfi 
2. https://www.zerocat.org/projects/zeroca … perbola.sh

8

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

jim wrote:

Nice words)) written by Throgh: "I love to help because Hyperbola has such a nice little community with outstanding people helping each other. :) Let's learn together so you can create a nice, minimalistic installation at all - that's also a major goal, as I even see bloated packages back in the BSD world, and the idea behind HyperbolaBSD is even greater under this perspective."

This I appreciate most of the time. There are a few times here and there where it's annoying, but more often than not, it's what I want as well.

many of the linux frameworks are just over-engineered wastes of space. But Hyperbola, kicked all of them out of their projects hence my love for it.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

9

Re: Install Full disk encryption (including /boot ) Luks2+argon2id T440P

Try it; you often asked about LUKS2 encryption with argon2id)) I'll test it when I have time and write your comments here.