From: Giovanni Biscuolo <g@xelera.eu>
To: Joshua Branson <jbranso@dismail.de>, 49654@debbugs.gnu.org
Cc: rg@raghavgururajan.name
Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
Date: Tue, 20 Jul 2021 12:41:37 +0200
Message-ID: <87pmvdi7xa.fsf@xelera.eu>
In-Reply-To: <20210720052229.15438-1-jbranso@dismail.de>
Hello Joshua and Raghav,
thank you for your guide! I have just a couple of comments.
Joshua Branson via Guix-patches via <guix-patches@gnu.org> writes:
> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>
> and edited by Joshua Branson <jbranso@dismail.de>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 724 insertions(+)
[...]
> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption
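Review bot: the node name spells it "Disk" while the commit subject says "disc"; pick one spelling for the subject, the node and the section title. The menu entry also repeats the node name verbatim as its description, so either `* Guix System with Full Disk Encryption::` alone would do, or the description should say something the name does not (for instance the scope of the guide).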
AFAIU the steps, especially the partitioning that does not provide a
dedicated UEFI partition, are specific to Libreboot systems: what about
making that clearer in the section title?
...or adapting the section by separating Libreboot-specific instructions
from generic system instructions?
[...]
> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example
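Review bot: the sentence introducing the lvcreate example says "num" is the number of GB, but neither command uses any "num"; both size the volumes with `--extents 25%VG` and `--extents 100%FREE`. Either drop the "num" wording and explain what the two percentages mean, or show the `--size numG` form the prose describes so that text and example agree.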
Why use two BTRFS volumes on top of LVM and not BTRFS directly
(with subvolumes if you want) on top of /dev/mapper/partname?
AFAIU the "double mapping" is not needed, BTRFS has a very good (and
now mature) built-in volume manager. Furthermore, using BTRFS for
volume management will allow users to switch to a multi-device system
(e.g. RAID1) very easily.
I'm still using LVM on some "legacy" systems, but for new installations
I'd strongly suggest starting to use BTRFS on top of "physical"
partitions.
> +Mount the filesystems under the current system.
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> +mkswap --verbose /mnt/swapfile
> +@end example
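Review bot: `dd bs=1MiB count=1GiB` does not produce a 1 GiB file: `count` is a number of input blocks, so with `bs=1MiB` this asks for 2^30 blocks of 1 MiB (a pebibyte) and only stops when /mnt is full. Use `count=1024` for 1 GiB. The file is also created with the default umask, so add `chmod 600 /mnt/swapfile` before `mkswap` (which otherwise warns about insecure permissions); a readable swap file exposes whatever memory pages get swapped out.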
I know that since Linux 2.6 swapfile performance is not a big issue if
the file is unfragmented (and it'll be for sure on newly partitioned
filesystems) but AFAIU swap files are still a little bit problematic on
BTRFS (see
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F):
--8<---------------cut here---------------start------------->8---
From kernel 5.0+ btrfs have native swap files support, but with some
limitations. Swap file - must be fully allocated as NOCOW with no
compression on one device.
--8<---------------cut here---------------end--------------->8---
I've never tested a system with swap file on BTRFS but I think that your
instructions should add how to set NOCOW for the swap file.
The above example could be:
--8<---------------cut here---------------start------------->8---
@example
# NOCOW (+C) only takes effect on an empty file: set it before writing
truncate --size 0 /mnt/swapfile
btrfs property set /mnt/swapfile compression none
chattr +C /mnt/swapfile
# count is a block count: 1024 blocks of 1 MiB = 1 GiB
dd bs=1MiB count=1024 if=/dev/zero of=/mnt/swapfile status=progress
chmod 600 /mnt/swapfile
mkswap --verbose /mnt/swapfile
@end example
--8<---------------cut here---------------end--------------->8---
Final note: AFAIU BTRFS supports swap files ONLY in single device
settings (that is: NO swap file support on multi device settings), so
IMHO it's better to use a dedicated partition for the swap space so
users are free to switch to a multi-device setting if they wish (and
can).
The problem with a fully encrypted dedicated swap partition is that
it'll require a third passphrase prompt on boot (the one to unlock the
swap partition), but that's a minor annoyance IMHO.
What do you think?
[...]
Happy hacking! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
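A small check script, added here as an example and not part of the patch or of the reply above, that verifies an existing btrfs swap file against the constraints quoted from the btrfs FAQ (NOCOW, no compression, single device) and against a restrictive file mode. It assumes the usual `lsattr`, `btrfs` and `stat` tools; the sample strings used in its self-test are constructed.

```bash
#!/bin/sh
# Added example (not from the patch or this reply): check that a swap file
# on btrfs meets the kernel 5.0+ constraints quoted from the btrfs FAQ and
# is not readable by other users. Tool names are real; sample inputs in
# the tests are constructed.

# Decision logic kept tool-free so it can be exercised anywhere.
#   $1 lsattr flag field, e.g. "---------------C------"
#   $2 output of `btrfs property get FILE compression` ("" when unset)
#   $3 number of devices in the filesystem
#   $4 octal mode of the file, e.g. 600
# Returns 0 when every check passes, 1 otherwise (reasons on stderr).
swapfile_checks() {
  flags=$1; compression=$2; ndevs=$3; mode=$4
  rc=0
  case $flags in
    *C*) ;;                       # uppercase C is NOCOW (chattr +C)
    *) echo "no NOCOW attribute; chattr +C must be set on the empty file" >&2
       rc=1 ;;
  esac
  case $compression in
    ''|compression=|compression=no|compression=none) ;;
    *) echo "compression is enabled ($compression)" >&2; rc=1 ;;
  esac
  if [ "$ndevs" -ne 1 ]; then
    echo "filesystem spans $ndevs devices; btrfs swap files need one" >&2
    rc=1
  fi
  case $mode in
    600|0600) ;;
    *) echo "mode $mode: swap holds memory pages, use chmod 600" >&2; rc=1 ;;
  esac
  return $rc
}

# Gathers the inputs from a real file (needs root and btrfs-progs),
# e.g. check_swapfile /mnt/swapfile
check_swapfile() {
  f=$1
  flags=$(lsattr "$f" | awk '{print $1}')
  comp=$(btrfs property get "$f" compression 2>/dev/null)
  ndevs=$(btrfs filesystem show "$(dirname "$f")" | grep -c 'devid')
  mode=$(stat -c %a "$f")
  swapfile_checks "$flags" "$comp" "$ndevs" "$mode"
}
```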