Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: Sarah Morgensen
To: Joshua Branson
Cc: 49654@debbugs.gnu.org, rg@raghavgururajan.name
Date: Wed, 21 Jul 2021 15:50:35 -0700
In-Reply-To: <20210720052229.15438-1-jbranso@dismail.de> (Joshua Branson's message of "Tue, 20 Jul 2021 01:22:24 -0400")
Message-ID: <86tukns2mc.fsf@mgsn.dev>
List: guix-patches@gnu.org (via debbugs.gnu.org)
Hello Joshua, Raghav,

Good to see more guides like this. In addition to what others have already pointed out, I've got a few readability suggestions, reading this as a layperson :) (Questions are intended to be rhetorical, to illustrate where a layperson might have questions or be confused.)

Joshua Branson writes: > From: Joshua Branson > > The original guide was written by Raghav Gururajan > and edited by Joshua Branson . > > * doc/guix-cookbook.texi (System Configuration): New section of full disc > encryption via libreboot. > --- > doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 724 insertions(+) > > diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi > index 2e627ecc51..ef8f3425d6 100644 > --- a/doc/guix-cookbook.texi > +++ b/doc/guix-cookbook.texi 
> @@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@* > Copyright @copyright{} 2020 Andr=C3=A9 Batista@* > Copyright @copyright{} 2020 Christopher Lemmer Webber > Copyright @copyright{} 2021 Joshua Branson@* > +Copyright @copyright{} 2021 Raghav Gururajan@* >=20=20 > Permission is granted to copy, distribute and/or modify this document > under the terms of the GNU Free Documentation License, Version 1.3 or > @@ -1358,6 +1359,7 @@ reference. > * Customizing the Kernel:: Creating and using a custom Linux kerne= l on Guix System. > * Guix System Image API:: Customizing images to target specific p= latforms. > * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. > +* Guix System with Full Disk Encryption:: Guix System with Full Disk = Encryption > * Customizing a Window Manager:: Handle customization of a Window manage= r on Guix System. > * Running Guix on a Linode Server:: Running Guix on a Linode Server > * Setting up a bind mount:: Setting up a bind mount in the file-systems = definition. 
> @@ -1938,6 +1940,728 @@ For more specific information about NetworkManage= r and wireguard > @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkman= ager/,see > this post by thaller}. >=20=20 > +@node Guix System with Full Disk Encryption > +@section Guix System with Full Disk Encryption > +@cindex libreboot, full disk encryption > + > +Guix System is an exotic distribution of GNU/Linux operating system, ^ the > +with Guix as package/system manager, Linux-Libre as kernel and > +Shepherd as init system. > + > +Libreboot is a de-blobbed distribution of Coreboot firmware. By > +default, Libreboot comes with GRUB bootloader as a payload. > + > +The objective of this manual is to provide step-by-step guide for ^ a > +setting up Guix System (stand-alone Guix), with Full Disk ^ You already defined Guix System above > +Encryption (FDE), on devices powered by Libreboot. > + > +Any users, for their generalized use cases, need not stumble away from > +this guide to accomplish the setup. Advanced users, for deviant use > +cases, will have to explore outside this guide for customization; > +although this guide provides information that is of paramount use. Above paragraph does not add useful information and the tone does not match the rest of the Cookbook. (Sorry!) > + > +Let us begin! > + > +@menu > +* Create Boot-able USB:: ^ Bootable > +* Installing and Setup:: > +* Tweaking Libreboot's Grub Payload:: > +* Closing Thoughts:: > +* Special Thanks:: > +@end menu > + > +@node Create Boot-able USB > +@subsection Create Boot-able USB Likewise. > + > +In the current GNU+Linux system, open terminal as root user. "open a terminal as root" or "open a terminal as the root user" > + > +Insert USB drive and get the device letter @code{/dev/sdX}, where =E2=80= =9CX=E2=80=9D is the > +device letter. What USB drive? This is the first I've heard of it! Do I need to make sure it's a specific kind? 
Is it okay if there's important information on there that I haven't backed up? Also note that while usually the device identifier will be 'sdX' this is not guaranteed; sometimes you'll see 'hdX' or 'mmcblkX'. > + > +@example > +lsblk --list > +@end example > + > +@example > +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT > +sda 8:0 0 223.6G 0 disk > +sda1 8:1 0 2M 0 part > +sda2 8:2 0 3.7G 0 part > +sda3 8:3 0 219.9G 0 part / > +zram0 251:0 0 512M 0 disk [SWAP] > +@end example Why are these separate examples? IMO it would be more clear (and is the usual style in such guides) to combine them and simply add '$ ' to the beginning of any line that is a command the user should run. > + > + > +Just in case the device is auto-mounted, unmount the device. > + > +@example > +umount /dev/sdX --verbose > +@end example > + > +Download the Guix System ISO installer package and it=E2=80=99s GPG sign= ature; ^ its > +where @code{A.B.C} is the version number and @code{SSS} is the system > +architecture. > + > +@example > +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SS= S-linux.iso.xz > +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SS= S-linux.iso.xz.sig > +@end example > + > +Import the Guix's public key. ^ "the Guix" or "Guix's" > + > +@example > +gpg --verbose --keyserver pool.sks-keyservers.net =E2=80=93-receive-keys= 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 > +@end example > + > +Verify the GPG signature of the downloaded package. > + > +@example > +gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig > +@end example > + > +Extract ISO image from the downloaded package. > + > +@example > +xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz > +@end example > + > +Write the extracted ISO image to the drive. > + > +@example > +dd if=3Dguix-system-install-A.B.C.SSS-linux.iso of=3D/dev/sdX status=3Dp= rogress; sync > +@end example > + > +Reboot the device. 
> + > +@example > +reboot > +@end example > + > +@node Installing and Setup > +@subsection Installing and Setup > + > +On reboot, as soon as the Libreboot's graphic art appears, press "S" ^ "the" is not necessary > +or choose @code{Search for GRUB2 configuration on external media [s]}. W= ait > +for the Guix System from USB drive to load. This sounds awkward. Perhaps "Wait for Guix System to load from the USB drive." or "Wait for the Guix System [you just] installed on the USB drive to load."? > + > +Once Guix System installer starts, choose @code{Install using the shell > +based process}. > + > +Set your keyboard layout, where @code{lo} is the two-letter keyboard > +layout code (lower-case). How do I know out what my keyboard layout code should be? Even "layout code (lower-case), for example @code{us} or @code{ru}." would be helpful. > + > +@example > +loadkeys --verbose lo > +@end example > + > +Unblock network interfaces. > + > +@example > +rfkill unblock all > +@end example > + > +Get the names of network interfaces. 
> + > +@example > +ifconfig -v -a > +@end example > + > +@example > +enp0s25 Link encap:Ethernet HWaddr 00:1C:25:9A:37:BA > + UP BROADCAST MULTICAST MTU:1500 Metric:1 > + RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > + collisions:0 txqueuelen:1000 > + RX bytes:0 TX bytes:0 > + Interrupt:16 Memory:98800000-98820000 > + > +lo Link encap:Local Loopback > + inet addr:127.0.0.1 Bcast:0.0.0.0 Mask:255.0.0.0 > + UP LOOPBACK RUNNING MTU:65536 Metric:1 > + RX packets:265 errors:0 dropped:0 overruns:0 frame:0 > + TX packets:265 errors:0 dropped:0 overruns:0 carrier:0 > + collisions:0 txqueuelen:1000 > + RX bytes:164568 TX bytes:164568 > + > +wlp2s0 Link encap:Ethernet HWaddr E4:CE:8F:59:D6:BF > + inet addr:192.168.1.133 Bcast:192.168.1.255 Mask:255.255.255= .0 > + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > + RX packets:60084 errors:0 dropped:71 overruns:0 frame:0 > + TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0 > + collisions:0 txqueuelen:1000 > + RX bytes:45965805 TX bytes:4905457 > + > +@end example > + > +Bring the desired network interface (wired or wireless) up, where > +@code{nwif} is the network interface name. How do I know which of the interfaces I should use? > + > +@example > +ifconfig -v nwif up > +@end example > + > +For wireless connection, follow the wireless setup. ^ connections > + > +@menu > +* Wireless Setup:: > +@end menu > + > +@node Wireless Setup > +@subsubsection Wireless Setup > + > +Create a configuration file using text editor, where @code{fname} is any > +desired name for file. This reads a bit awkwardly. Perhaps something like "Create the configuration file using a text editor such as @code{nano}. In this example, we are naming the file @code{fname.conf}, but any name will do." Also consider using a more descriptive example filename, like `wpa_supplicant.conf`. You'd be surprised how many users just use the example names! 
> + > +@example > +nano fname.conf > +@end example > + > +Choose, type and save ONE of the following snippets, where =E2=80=98net= =E2=80=99 is > +the network name, =E2=80=98pass=E2=80=99 is the password or passphrase a= nd =E2=80=98uid=E2=80=99 is > +the user identity. > + > +For most private networks: > + > +@example > +network=3D@{ > + ssid=3D"net" > + key_mgmt=3DWPA-PSK > + psk=3D"pass" > +@} > +@end example > + > +(or) > + > +For most public networks: > + > +@example > +network=3D@{ > + ssid=3D"net" > + key_mgmt=3DNONE > +@} > +@end example > + > +(or) > + > +For most organizational networks: > + > +@example > +network=3D@{ > + ssid=3D"net" > + scan_ssid=3D1 > + key_mgmt=3DWPA-EAP > + identity=3D"uid" > + password=3D"pass" > + eap=3DPEAP > + phase1=3D"peaplabel=3D0" > + phase2=3D"auth=3DMSCHAPV2" > +@} > +@end example > + > +Connect to the configured network. > + > +@example > +wpa_supplicant -B -c fname.conf -i nwif > +@end example > + > +Assign an IP address to the network interface. This is a bit misleading, as we aren't actually directly assigning an IP address, but using dhclient to get one through DHCP. > + > +@example > +dhclient -v nwif > +@end example Should there be something indicating the end of "Wireless Setup"? I'm not sure how texi subsections work, but if I were skipping "Wireless Setup," how would I know where to skip to? > + > +Obtain the device letter @code{/dev/sdX} in which you would like to depl= oy > +and install Guix System, where =E2=80=9CX=E2=80=9D is the device letter. This reads a bit awkwardly. Perhaps consider "Find the [device] identifier for the device you are installing Guix System onto." > + > +@example > +lsblk --list > +@end example > + > +@example > +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT > +sda 8:0 0 223.6G 0 disk > +sda1 8:1 0 2M 0 part > +sda2 8:2 0 3.7G 0 part > +sda3 8:3 0 219.9G 0 part / > +zram0 251:0 0 512M 0 disk [SWAP] > +@end example > + > +Wipe the device (Ignore if the device is new). 
^ lowercase; or "skip" Also, why did the example for the USB drive show all 'sda' devices, and this one does too? This is potentially confusing. Consider using examples from the actual process. > + > +@example > +shred --verbose --random-source=3D/dev/urandom /dev/sdX > +@end example > + > +Load the device-mapper module in the current kernel. Why? Consider adding "(This is necessary for...)" > + > +@example > +modprobe --verbose dm_mod > +@end example > + > +Partition the device. Follow the prompts. Just do, GPT --> New --> > +Write --> Quit; defaults will be set. Consider writing out the steps. Also: are we just using one partition? Prefer describing what the goal of a step is before describing the step, so a less knowledgeable user learns and a more knowledgeable user knows when that step can be substituted. > + > +@example > +cfdisk /dev/sdX > +@end example > + > +Obtain the partition number from the device, where =E2=80=9CY=E2=80=9D i= s the > +partition number. Doesn't cfdisk show the partition number? > + > +@example > +lsblk --list > +@end example > + > +Encrypt the partition. Follow the prompts. > + > +@example > +cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \ > +--verify-passphrase --use-random --key-size 512 --iter-time 500 \ > +luksFormat /dev/sdXY > +@end example > + > +Obtain and note down the UUID of the LUKS partition. > + > +@example > +cryptsetup --verbose luksUUID /dev/sdXY > +@end example > + > +Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID, > +and @code{partname} is any desired name for the partition. Consider suggesting (or using in your example) a default partition name, like with the .conf file above. Same for all the vg, lv, and fs names below. > + > +@example > +cryptsetup --verbose > +luksOpen UUID=3Dluks-uuid partname > +@end example Is this supposed to be two lines? > + > +Create a physical volume in the partition. 
> + > +@example > +pvcreate /dev/mapper/partname --verbose > +@end example > + > +Create a volume group in the physical volume, where @code{vgname} is any > +desired name for volume group. > + > +@example > +vgcreate vgname /dev/mapper/partname --verbose > +@end example > + > +Create logical volumes in the volume group; where "num" is the number > +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any > +desired names for root and home volumes respectively. There is not "num" or any GB values in your following example... > + > +@example > +lvcreate --extents 25%VG vgname --name lvnameroot --verbose > +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose > +@end example > + > +Create filesystems on the logical-volumes, where @code{fsnameroot} and ^ logical volumes > +@code{fsnamehome} are any desired names for root and home filesystems > +respectively. > + > +@example > +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot > +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome > +@end example Why are we using btrfs? Could I use ext4 instead? > + > +Mount the filesystems under the current system. Consider "Mount the new filesystems." > + > +@example > +mount --label fsnameroot --target /mnt --types btrfs --verbose > +mkdir --verbose /mnt/home && mount --label fsnamehome --target \ > +/mnt/home --types btrfs --verbose > +@end example > + > +Create a swap file. > + > +@example > +dd bs=3D1MiB count=3D1GiB if=3D/dev/zero of=3D/mnt/swapfile status=3Dpro= gress > +mkswap --verbose /mnt/swapfile > +@end example > + > +Make the swap file readable and writable only by root account. "root." or "the root account." > + > +@example > +chmod --verbose 600 /mnt/swapfile > +@end example > + > +Activate the swap file. > + > +@example > +swapon --verbose /mnt/swapfile > +@end example > + > +Install packages on the mounted root filesystem. 
> + > +@example > +herd start cow-store /mnt > +@end example This doesn't actually install packages, does it? The manual says: "This makes /gnu/store copy-on-write, such that packages added to it during the installation phase are written to the target disk rather than kept in memory." > + > +Create the system-wide configuration files directory. > + > +@example > +mkdir --verbose /mnt/etc > +@end example Why all the verbose, even on mkdir? > + > +Create, edit and save the system configuration file by typing the > +following code snippet. WATCH-OUT for variables in the code snippet > +and replace them with the relevant values. "Replace placeholders (such as LUKS-UUID) with their values from earlier." > + > +@example > +nano /mnt/etc/config.scm > +@end example > + > +The content of config.scm is: > + > +@lisp > +(use-modules > + (gnu) > + (gnu system nss)) > + > +(use-package-modules > + certs > + gnome > + linux) > + > +(use-service-modules > + desktop > + xorg) > + > +(operating-system > + (kernel linux-libre-lts) > + (kernel-arguments > + (append > + (list > + ;; this is needed to flash the libreboot ROM. 
After, you > + ;; have flashed your rom, it is a good idea to remove > + ;; iomem=3Drelaxed from your kernel arguments > + "iomem=3Drelaxed") > + %default-kernel-arguments)) > + > + (timezone "Zone/SubZone") > + (locale "ab_XY.1234") > + (name-service-switch %mdns-host-lookup-nss) > + > + (bootloader > + (bootloader-configuration > + (bootloader > + (bootloader > + (inherit grub-bootloader) > + (installer #~(const #t)))) > + (keyboard-layout keyboard-layout))) > + > + (keyboard-layout > + (keyboard-layout > + "xy" > + "altgr-intl")) > + > + (host-name "hostname") > + > + (mapped-devices > + (list > + (mapped-device > + (source > + (uuid "LUKS-UUID")) > + (target "partname") > + (type luks-device-mapping)) > + (mapped-device > + (source "vgname") > + (targets > + (list > + "vgname-lvnameroot" > + "vgname-lvnamehome")) > + (type lvm-device-mapping)))) > + > + (file-systems > + (append > + (list > + (file-system > + (type "btrfs") > + (mount-point "/") > + (device "/dev/mapper/VGNAME-LVNAMEROOT") > + (flags '(no-atime)) > + (options "space_cache=3Dv2") > + (needed-for-boot? #t) > + (dependencies mapped-devices)) > + (file-system > + (type "btrfs") > + (mount-point "/home") > + (device "/dev/mapper/VGNAME-LVNAMEHOME") > + (flags '(no-atime)) > + (options "space_cache=3Dv2") > + (dependencies mapped-devices))) > + %base-file-systems)) > + > + (swap-devices > + (list > + "/swapfile")) > + > + (users > + (append > + (list > + (user-account > + (name "USERNAME") > + (comment "Full Name") > + (group "users") > + (supplementary-groups '("audio" "cdrom" > + "kvm" "lp" "netdev" > + "tape" "video" > + "wheel")))) > + %base-user-accounts)) > + > + (packages > + (append > + (list > + nss-certs) > + %base-packages)) > + > + (services > + (append > + (list > + (service gnome-desktop-service-type)) > + %desktop-services))) > +@end lisp > + > +Initialize new Guix System. > + > +@example > +guix system init /mnt/etc/config.scm /mnt > +@end example > + > +Reboot the device. 
> + > +@example > +reboot > +@end example > + > +@node Tweaking Libreboot's Grub Payload > +@subsection Tweaking Libreboot's Grub Payload > +@cindex grub payload > + > +On reboot, as soon as the Libreboot graphic art appears, press =E2=80=9C= C=E2=80=9D to > +enter the command-line. > + > +Enter the following commands and respond to first command with the LUKS > +Key. What key? When did we get a LUKS Key? Am I supposed to come up with a new key/passphrase? > + > +@example > +cryptomount -u luks-uuid > +set root=3D(lvm/vgname-lvnameroot) > +@end example > + > +Upon Guix's GRUB menu, go with the default option. "At the GRUB menu, select the default option." > + > +Enter the LUKS Key again, for kernel, as prompted. > + > +Upon login screen, login as "root" with password field empty. "At the login screen" ^ the > + > +Open terminal. ^ the > + > +Set passkey for the "root" user. Follow the prompts. ^ the password > + > +@example > +passwd root > +@end example > + > +Set passkey for the "username" user. Follow the prompts. ^ the password Also, the guide used the @code{username} style before. Why the change? > + > +@example > +passwd username > +@end example > + > +Install flashrom and wget. > + > +@example > +guix package =E2=80=93-install flashrom wget > +@end example > + > +Obtain the ROM chip's model and size. Look for the output line =E2=80=9C= Found > +[@dots{}] flash chip [@dots{}]=E2=80=9D. > + > +@example > +flashrom --verbose --programmer internal > +@end example > + > +Download Libreboot ROM and utilities, where "YYYYMMDD" is the release > +date, @code{devmod} is the device model and "N" is the ROM chip size. Likewise. The guide also used single quotes for 'sdX' earlier. > + > +@example > +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libr= eboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz > +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYY= YYMMDD_util.tar.xz > +@end example > + > +Extract the downloaded files. 
> +@example > +tar --extract --file=3Dlibreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verb= ose > +tar --extract --file=3Dlibreboot_rYYYYMMDD_util.tar.xz --verbose > +@end example > + > +Rename the directories of extracted files. > + > +@example > +mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom" > +mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util" > +@end example > + > +Copy the ROM image to the directory of cbfstool, where "kbdlo" is the > +keyboard layout and "arch" is the system architecture. Likewise. > + > +@example > +cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arc= h/libreboot.rom > +@end example > + > +Change directory to the directory of cbfstool. > +@example > +cd libreboot_util/cbfstool/arch/ > +@end example > + > +Extract the GRUB configuration file from the image. > + > +@example > +./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg > +@end example > + > +Edit the GRUB configuration file and insert the following code snippet > +above the line @code{=E2=80=9Cmenuentry 'Load Operating System [o]' --ho= tkey=3D'o' > +--unrestricted @{ [...] @}=E2=80=9D}. > + > +@example > +nano grub.cfg > +@end example > + > +Snippet: > +@example > +menuentry =E2=80=98Guix System (An advanced distribution of the GNU oper= ating system) [g]=E2=80=99 --hotkey=3D=E2=80=99g=E2=80=99 --unrestricted > +@{ > +cryptomount -u luks-uuid > +set root=3D(lvm/vgname-lvnameroot) > +configfile /boot/grub/grub.cfg > +@} > +@end example > + > +Remove the old GRUB configuration file from the ROM image. > + > +@example > +./cbfstool libreboot.rom remove -n grub.cfg > +@end example > + > +Insert the new GRUB configuration file into the ROM image. > + > +@example > +./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw > +@end example > + > +Move the ROM image to the directory of ich9gen. 
> + > +@example > +mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom > +@end example > + > +Change directory to the directory of ich9gen. > + > +@example > +cd ~/libreboot_util/ich9deblob/arch/ > +@end example > + > +Generate descriptor+GbE images with the MAC address, where "mac-addr" > +is the MAC address of the machine. Likewise. > + > +@example > +ich9gen --macaddress mac-addr > +@end example > + > +Insert the descriptor+GbE image into the ROM image, where "N" is the > +ROM chip size. > +@example > +dd bs=3D12k conv=3Dnotrunc count=3D1 if=3Dich9fdgbe_Nm.bin of=3Dlibreboo= t.rom status=3Dprogress > +@end example > + > +Move the ROM image to the directory of flash. ^ "the flash script" > + > +@example > +mv libreboot.rom ~/libreboot_util/libreboot.rom > +@end example > + > +Change directory to the directory of flash. > + > +@example > +cd ~/libreboot_util > +@end example > + > +Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`. ^ the ^ no "," > +@example > +nano flash > +@end example > + > +Flash the ROM with the new image. > +@example > +./flash update libreboot.rom > +@end example > + > +(or) > + > +@example > +./flash forceupdate libreboot.rom > +@end example How do I know whether to use 'update' or 'forceupdate'? > + > +Reboot the device. > +@example > +reboot > +@end example > + > +@node Closing Thoughts > +@subsection Closing Thoughts Typically it's "Closing Remarks". > + > +Everything should be stream-lined from now. Upon Libreboot's GRUB What does this mean? > +menu, you can either press "G" or choose "Guix System (An advanced > +distribution of the GNU operating system) [g]". In order to do what? > + > +During the boot process, as prompted, you have to type LUKS key twice; > +once for Libreboot's GRUB and once more for Linux-Libre kernel. > +Retyping a passphrase is a minor annoyance, but it is a secure method of > +opening up your device. 
There are methods that exist to only type the > +passphrase once, but none are currently integrated into Guix System. > + > +Generally, you will be using Libreboot's initial/default grub.cfg, Is this the grub.cfg we setup above? If so, specify that. > +whose Guix menu-entry invokes Guix's grub.cfg located at > +@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's ^ troubleshooting > +@code{grubtest.cfg}, which hasn't been modified. But *how* would I use grubtest.cfg? > + > +Now that you have a working Guix System with full disk encryption, you > +may want to remove the @code{iomem=3Drelaxed} from your > +@code{kernel-arguments}. @code{iomem=3Drelaxed} is needed to reflash yo= ur > +rom. Since, most users will probably not flash their rom often, those ^ ROM ^ no "," ^ ROM > +users may wish to disable that feature: The change from "you" to "most users"/"those users" is a little jarring. > + > +@lisp > + ;; optionally remove this bit of code from your config.scm > + (kernel-arguments > + (append > + (list > + ;; this is needed to flash the libreboot ROM. After, you > + ;; have flashed your rom, it is a good idea to remove > + ;; iomem=3Drelaxed from your kernel arguments > + "iomem=3Drelaxed") > + %default-kernel-arguments)) > +@end lisp > + > +That is it! You have now setup Guix System with Full Disk Encryption on > +your device powered by Libreboot. Enjoy! > + > +More information about Libreboot can be found at their official > +documentation: @uref{https://libreboot.org/docs/}. Consider embedding the link: "[...] can be found in the @uref{https://libreboot.org/docs/, official documentation}." =20=20 > + > +@node Special Thanks > +@subsection Special Thanks > + > +Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org), ^ no "," ^ same > +for helping me with the Scheme code for the bootloader configuration. 
^ "for assisting with" (avoid first person pronouns) > + > +Thanks to Libreboot founder and developer, Leah Rowe ^ no "," > +(leah@@libreboot.org), for helping me with the understanding of ^ no "," ^ "for assistance with Libreboot." > +Libreboot=E2=80=99s functionalities. > + > @node Customizing a Window Manager > @section Customizing a Window Manager > @cindex wm Also, consider referencing relevant sections of the manual, such as https://guix.gnu.org/manual/en/html_node/Manual-Installation.html so users know where to find more detailed information. Hope that helps, Sarah
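Review bot: the key-import command in the "Create Boot-able USB" region, "gpg --keyserver pool.sks-keyservers.net –-receive-keys 3CE4...", fails as written: the option is spelled with a typographic dash (it arrives here as =E2=80=93 followed by one hyphen), which gpg does not recognise, and the SKS pool stopped serving keys in June 2021, a month before this patch was sent. The same dash appears later in "guix package –-install flashrom wget". Suggest "--recv-keys" against a keyserver that still answers, or the form the Guix manual uses (wget "https://sv.gnu.org/people/viewgpg.php?user_id=15145" -qO - | gpg --import -), followed by one sentence on what a successful "gpg --verify" shows: "Good signature" and a primary key fingerprint equal to 3CE464558A84FDC69DB40CFB090B11993D9AEBB5. gpg still prints a "not certified with a trusted signature" warning for a freshly imported key, so comparing the fingerprint is the actual check, and a reader who stops at the warning has not verified the ISO at all.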
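Review bot: "shred --verbose --random-source=/dev/urandom /dev/sdX" in the "Wipe the device" region makes three full random passes over the whole disk (hours on the 223.6G disk in the lsblk example) and on an SSD still leaves remapped blocks untouched because of wear levelling, so it is neither quick nor a reliable erase there. Since the following steps LUKS-format the disk anyway, the wipe's only purpose is to make unused space indistinguishable from ciphertext; say that, use "shred -n 1" (one pass is enough for that purpose), and point SSD users at "blkdiscard /dev/sdX" or the drive's own secure-erase command instead.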
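Review bot: the "cryptsetup ... luksFormat /dev/sdXY" command in the "Encrypt the partition" region does not pass "--type luks1", so with cryptsetup 2.1 or later it writes a LUKS2 header, which the GRUB shipped in Libreboot's stable payload cannot open (LUKS2 support only arrived in GRUB 2.06, and even there only for the PBKDF2 KDF, not the argon2 KDF cryptsetup picks by default); the later "cryptomount -u luks-uuid" step would then fail with no hint why. Suggest adding "--type luks1" with one sentence explaining the constraint. Two of the other flags also need a justification or should go: "--iter-time 500" sets the PBKDF2 iteration time to a quarter of cryptsetup's 2000 ms default, which makes offline guessing of the passphrase four times cheaper for a saving of 1.5 seconds at boot, and "--hash whirlpool --cipher serpent-xts-plain64" are non-default choices that GRUB's cryptomount must also support; the defaults (sha256, aes-xts-plain64) are the tested path, so either drop these flags or tell the reader what they gain.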
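Review bot: the "For most organizational networks" wpa_supplicant snippet (key_mgmt=WPA-EAP, eap=PEAP, phase2="auth=MSCHAPV2") has no ca_cert= line and no server-name check, so the installer will complete the PEAP handshake with any access point that advertises the same SSID and then run the MSCHAPv2 exchange of the user's identity and password inside a TLS tunnel that terminates at the attacker; pinning the RADIUS server's CA is the whole point of PEAP's outer tunnel. Suggest adding ca_cert="/path/to/ca.pem" and domain_suffix_match="your-radius-server-domain" (the organisation's IT department supplies both) with a note that omitting them is unsafe, plus a sentence that fname.conf holds the PSK or password in clear text on the live system and should be removed once the network is up. The placeholders in this paragraph also arrive as curly quotes (=E2=80=98net=E2=80=99 and so on) where the rest of the section uses @code{}.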
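Review bot: "dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile" in the "Create a swap file" region does not produce a 1 GiB file: count is a number of blocks, so with bs=1MiB it requests 2^30 blocks (1 PiB) and dd only stops when the root volume is full. It should be count=1024. The file is also on btrfs, where a swap file must have copy-on-write disabled before any data is written to it ("truncate -s 0 /mnt/swapfile && chattr +C /mnt/swapfile" ahead of the dd), otherwise swapon rejects it. Worth a sentence while fixing this: because the file lives on the LUKS-backed root volume, swapped-out memory is encrypted at rest, which is the reason to prefer this layout over a separate unencrypted swap partition and is not stated anywhere in the section.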
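Review bot: the "Download Libreboot ROM and utilities" region flashes firmware that was only fetched over HTTPS and never checked, while the same guide verified the Guix ISO's GPG signature a section earlier; firmware is the one component here that nothing later in the boot chain can re-check, so add a step that verifies both tarballs against the checksum and signature files Libreboot publishes next to each release before "./flash update". Two functional defects in the same region: mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom" renames the tarball, not the directory tar just extracted (which has no .tar.xz suffix), so the following "cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom ..." fails; and both "cryptomount -u luks-uuid" lines (the interactive one and the one in the grub.cfg snippet) should tell the reader to write the UUID without hyphens, because GRUB compares against the hyphen-less form while the "cryptsetup luksUUID" output noted down earlier contains them. "Closing Thoughts" already says to drop iomem=relaxed after flashing; say why: with it set, any process running as root can reach the flash chip through /dev/mem and flashrom, so a root compromise can persist in firmware. Sarah's question about "update" versus "forceupdate" matters for the same reason, since forceupdate passes flashrom's force option that disables its laptop safety check and should only be used when plain update refuses on a board known to need it.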