unofficial mirror of help-guix@gnu.org 
From: Chris Marusich <cmmarusich@gmail.com>
To: Stephen Sloan <steve@stevesloan.com>
Cc: help-guix@gnu.org
Subject: Re: Libreboot + WDE + GuixSD: Need some advice
Date: Thu, 13 Apr 2017 00:31:08 -0700
Message-ID: <87efwwrcg3.fsf@gmail.com>
In-Reply-To: <CAMK_J0-1LNmjKzWwJyD8phpKVWX3fxRG=GfbEy9bavyfwukAuA@mail.gmail.com> (Stephen Sloan's message of "Wed, 12 Apr 2017 21:08:59 -0700")


Stephen Sloan <steve@stevesloan.com> writes:

> I used your find command and copied the grub.cfg file into place. It "just worked". Cool indeed! Practically speaking, I could copy the file into place every
> time that I reconfigure the system. But for bragging rights, I've got to get it automated. I'm reading through the code, looking for the best approach. I'm a
> clojure programmer by trade; scheme is new to me.
>
> I think I will try to make a package for flashrom and the libreboot utilities, but I like this solution of just copying a file into place.
>
> On Wed, Apr 12, 2017 at 8:21 AM, Marius Bakke <mbakke@fastmail.com> wrote:
>
>  Stephen Sloan <steve@stevesloan.com> writes:
>
>  > I am looking for some advice.
>  >
>  > I am setting up a libreboot + whole disk encryption + guixsd laptop.
>  > Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
>  >
>  > According to the libreboot docs, I can make the grub config available at
>  > /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
>  > and use that config file. I've installed guixsd with --no-grub, I have
>  > libreboot installed, and the disk encrypted, now I just need to make it
>  > bootable!
>
>  Wow, cool!
>
>  `guix system --no-grub` will actually build out grub.cfg in the store,
>  just not write it to the actual bootloader configuration. So you can try
>  to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
>
>  It will also print the location when running `reconfigure`:
>
>  root@xbmc ~# guix system reconfigure --no-grub /etc/config.scm
>  substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
>  The following derivation will be built:
>  /gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
>  /gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
>  /gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
>
>  > I think I need to make the correct grub config file available at that
>  > location whenever I reconfigure. I can manage the coding, but I'd like
>  > hints on the best way to go about this with guix.
>
>  I think making the <grub-configuration> field take a "copy-only?" option
>  would be a decent fix for now. Currently the build code expects to run
>  "grub-install"; look into gnu/system/grub.scm and gnu/build/install.scm
>  for starters.
>
>  > There are some other options I've considered. I could reflash my BIOS as
>  > part of the reconfiguration process. Or maybe I could chain-load two grub
>  > installations, possibly with an unencrypted /boot.
>
>  We don't have libreboot in Guix yet, but the ability to install it at
>  reconfigure time would be nice. Sounds risky, though :)

FYI, it's possible to achieve the practical equivalent of full-disk
encryption while using Libreboot without jumping through any hoops at
all.  An installation like the one performed in the encrypted-root-os
system test [1] works "out of the box" with Libreboot.  For more
information, please refer to the operating system configuration file and
the installation script shown in the encrypted-root-os system test.  The
section "Mapped Devices" in the manual is also helpful.

I use a Libreboot laptop, which I've set up like that.  All state - my
home directory, the GRUB configuration file, system service database
files, etc. - is stored in the root file system.  Because the root file
system is in a LUKS-encrypted partition, everything I care about is
encrypted.  I also use a swap file as described in the manual (same
section).  Because that swap file is just another file in the root file
system, my swap space is encrypted, too.  The only things that aren't
encrypted are my Libreboot installation (in flash memory, not on disk)
and the GRUB bootloader that Guix installed to the disk (which is never
actually used, since I use Libreboot).

This setup works for my use case.  I know it has some drawbacks, but
they aren't problems for me.  For example, I've heard that
suspend-to-disk won't work with this style of encrypted swap, but since
I don't need that feature right now, I don't mind.  The boot time is
also pretty long - Libreboot seems to take quite a while (minutes) to
find the encrypted disk - but it works every time, so I'm content.  I
also have to input my disk's passphrase two times (once when Libreboot's
GRUB payload wants to decrypt the LUKS volume, and again when the
initialization process in GuixSD's initrd wants to decrypt the same LUKS
volume), but I think you have to enter your passphrase twice in that
case even when not using Libreboot.

[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm?id=2e3744730777dc4e988675be369692d2be6fa1e2#n453

-- 
Chris
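As an added illustration (not code from this thread, the system test, or the Guix tree), the following operating-system declaration sketches the setup Chris describes: the root file system on a LUKS volume opened through a mapped device, and a swap file inside that root so swap is encrypted too. The host name, time zone, user name, disk device and LUKS UUID are placeholders, and the `grub-configuration` form is the one current in April 2017 (later Guix releases wrap the bootloader in `bootloader-configuration`).

```scheme
;; Hypothetical GuixSD configuration for a Libreboot laptop with an
;; encrypted root (example only; adjust every placeholder value).
(use-modules (gnu))
(use-service-modules desktop)
(use-package-modules certs)

(operating-system
  (host-name "libreboot-laptop")      ; placeholder
  (timezone "America/Los_Angeles")    ; placeholder
  (locale "en_US.utf8")

  ;; GRUB is still installed to the disk by Guix, but on a Libreboot
  ;; machine the GRUB payload in flash is what actually boots the system.
  (bootloader (grub-configuration (device "/dev/sda")))   ; placeholder disk

  ;; Open the LUKS partition at boot.  The initrd prompts for the
  ;; passphrase (a second time, after Libreboot's GRUB already asked).
  (mapped-devices
   (list (mapped-device
          (source (uuid "00000000-0000-0000-0000-000000000000")) ; placeholder LUKS UUID
          (target "my-root")
          (type luks-device-mapping))))

  ;; Root lives on the unlocked mapping, so /home, /boot/grub/grub.cfg and
  ;; the service state files are all encrypted at rest.
  (file-systems (cons (file-system
                        (device "/dev/mapper/my-root")
                        (mount-point "/")
                        (type "ext4")
                        (dependencies mapped-devices))
                      %base-file-systems))

  ;; A swap file on the root file system inherits its encryption.
  (swap-devices '("/swapfile"))

  (users (cons (user-account
                (name "steve")        ; placeholder
                (group "users")
                (supplementary-groups '("wheel" "netdev" "audio" "video"))
                (home-directory "/home/steve"))
               %base-user-accounts))

  (packages (cons nss-certs %base-packages))
  (services %desktop-services))
```

The swap file itself must be created on the mounted root (for example with `dd`, `mkswap` and `chmod 600`) before the first boot that references it.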

