* Libreboot + WDE + GuixSD: Need some advice
@ 2017-04-12 5:05 Stephen Sloan
2017-04-12 15:21 ` Marius Bakke
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Sloan @ 2017-04-12 5:05 UTC (permalink / raw)
To: help-guix
[-- Attachment #1: Type: text/plain, Size: 1088 bytes --]
I am looking for some advice.
I'm am setting up a libreboot + whole disk encryption + guixsd laptop.
Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
According to the libreboot docs, I can make the grub config available at
/boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
and use that config file. I've installed guixsd with --no-grub, I have
libreboot installed, and the disk encrypted, now I just need to make it
bootable!
I think I need to make the correct grub config file available at that
location whenever I reconfigure. I can manage the coding, but I'd like
hints on the best way to go about this with guix.
There are some other options I've considered. I could reflash my BIOS as
part of the reconfiguration process. Or maybe I could chain-load two grub
installations, possibly with an unencrypted /boot.
What do people do when they don't have GuixSD manage their grub
configuration?
ref: https://libreboot.org/docs/gnulinux/grub_cbfs.html,
https://libreboot.org/docs/gnulinux/encrypted_parabola.html
Thanks!
[-- Attachment #2: Type: text/html, Size: 1453 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Libreboot + WDE + GuixSD: Need some advice
2017-04-12 5:05 Libreboot + WDE + GuixSD: Need some advice Stephen Sloan
@ 2017-04-12 15:21 ` Marius Bakke
2017-04-13 4:08 ` Stephen Sloan
0 siblings, 1 reply; 4+ messages in thread
From: Marius Bakke @ 2017-04-12 15:21 UTC (permalink / raw)
To: Stephen Sloan, help-guix
[-- Attachment #1: Type: text/plain, Size: 1955 bytes --]
Stephen Sloan <steve@stevesloan.com> writes:
> I am looking for some advice.
>
> I'm am setting up a libreboot + whole disk encryption + guixsd laptop.
> Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
>
> According to the libreboot docs, I can make the grub config available at
> /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
> and use that config file. I've installed guixsd with --no-grub, I have
> libreboot installed, and the disk encrypted, now I just need to make it
> bootable!
Wow, cool!
`guix system --no-grub` will actually build out grub.cfg in the store,
just not write it to the actual bootloader configuration. So you can try
to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
It will also print the location when running `reconfigure`:
root@xbmc ~# guix system reconfigure --no-grub /etc/config.scm
substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
The following derivation will be built:
/gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
/gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
/gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
> I think I need to make the correct grub config file available at that
> location whenever I reconfigure. I can manage the coding, but I'd like
> hints on the best way to go about this with guix.
I think making the <grub-configuration> field take a "copy-only?" option
would be a decent fix for now. Currently the build code expects to run
"grub-install", look into gnu/system/grub.scm and gnu/build/install.scm
for starters.
> There are some other options I've considered. I could reflash my BIOS as
> part of the reconfiguration process. Or maybe I could chain-load two grub
> installations, possibly with an unencrypted /boot.
We don't have libreboot in Guix yet, but the ability to install it at
reconfigure time would be nice. Sounds risky, though :)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Libreboot + WDE + GuixSD: Need some advice
2017-04-12 15:21 ` Marius Bakke
@ 2017-04-13 4:08 ` Stephen Sloan
2017-04-13 7:31 ` Chris Marusich
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Sloan @ 2017-04-13 4:08 UTC (permalink / raw)
To: Marius Bakke; +Cc: help-guix
[-- Attachment #1: Type: text/plain, Size: 2631 bytes --]
I used your find command and copied the grub.cfg file into place. It "just
worked". Cool indeed! Practically speaking, I could copy the file into
place every time that I reconfigure the system. But for bragging rights,
I've got to get it automated. I'm reading through the code, looking for
the best approach. I'm a clojure programmer by trade; scheme is new to me.
I think I will try to make a package for flashrom and the libreboot
utilities, but I like this solution of just copying a file into place.
On Wed, Apr 12, 2017 at 8:21 AM, Marius Bakke <mbakke@fastmail.com> wrote:
> Stephen Sloan <steve@stevesloan.com> writes:
>
> > I am looking for some advice.
> >
> > I'm am setting up a libreboot + whole disk encryption + guixsd laptop.
> > Libreboot has grub in the BIOS, which allows for encrypting the whole
> disk.
> >
> > According to the libreboot docs, I can make the grub config available at
> > /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will
> load
> > and use that config file. I've installed guixsd with --no-grub, I have
> > libreboot installed, and the disk encrypted, now I just need to make it
> > bootable!
>
> Wow, cool!
>
> `guix system --no-grub` will actually build out grub.cfg in the store,
> just not write it to the actual bootloader configuration. So you can try
> to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
>
> It will also print the location when running `reconfigure`:
>
> root@xbmc ~# guix system reconfigure --no-grub /etc/config.scm
> substitute: updating list of substitutes from '
> https://mirror.hydra.gnu.org'... 100.0%
> The following derivation will be built:
> /gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
> /gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
> /gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
>
> > I think I need to make the correct grub config file available at that
> > location whenever I reconfigure. I can manage the coding, but I'd like
> > hints on the best way to go about this with guix.
>
> I think making the <grub-configuration> field take a "copy-only?" option
> would be a decent fix for now. Currently the build code expects to run
> "grub-install", look into gnu/system/grub.scm and gnu/build/install.scm
> for starters.
>
> > There are some other options I've considered. I could reflash my BIOS as
> > part of the reconfiguration process. Or maybe I could chain-load two
> grub
> > installations, possibly with an unencrypted /boot.
>
> We don't have libreboot in Guix yet, but the ability to install it at
> reconfigure time would be nice. Sounds risky, though :)
>
[-- Attachment #2: Type: text/html, Size: 3441 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Libreboot + WDE + GuixSD: Need some advice
2017-04-13 4:08 ` Stephen Sloan
@ 2017-04-13 7:31 ` Chris Marusich
0 siblings, 0 replies; 4+ messages in thread
From: Chris Marusich @ 2017-04-13 7:31 UTC (permalink / raw)
To: Stephen Sloan; +Cc: help-guix
[-- Attachment #1: Type: text/plain, Size: 4800 bytes --]
Stephen Sloan <steve@stevesloan.com> writes:
> I used your find command and copied the grub.cfg file into place. It "just worked". Cool indeed! Practically speaking, I could copy the file into place every
> time that I reconfigure the system. But for bragging rights, I've got to get it automated. I'm reading through the code, looking for the best approach. I'm a
> clojure programmer by trade; scheme is new to me.
>
> I think I will try to make a package for flashrom and the libreboot utilities, but I like this solution of just copying a file into place.
>
> On Wed, Apr 12, 2017 at 8:21 AM, Marius Bakke <mbakke@fastmail.com> wrote:
>
> Stephen Sloan <steve@stevesloan.com> writes:
>
> > I am looking for some advice.
> >
> > I'm am setting up a libreboot + whole disk encryption + guixsd laptop.
> > Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
> >
> > According to the libreboot docs, I can make the grub config available at
> > /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
> > and use that config file. I've installed guixsd with --no-grub, I have
> > libreboot installed, and the disk encrypted, now I just need to make it
> > bootable!
>
> Wow, cool!
>
> `guix system --no-grub` will actually build out grub.cfg in the store,
> just not write it to the actual bootloader configuration. So you can try
> to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
>
> It will also print the location when running `reconfigure`:
>
> root@xbmc ~# guix system reconfigure --no-grub /etc/config.scm
> substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
> The following derivation will be built:
> /gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
> /gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
> /gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
>
> > I think I need to make the correct grub config file available at that
> > location whenever I reconfigure. I can manage the coding, but I'd like
> > hints on the best way to go about this with guix.
>
> I think making the <grub-configuration> field take a "copy-only?" option
> would be a decent fix for now. Currently the build code expects to run
> "grub-install", look into gnu/system/grub.scm and gnu/build/install.scm
> for starters.
>
> > There are some other options I've considered. I could reflash my BIOS as
> > part of the reconfiguration process. Or maybe I could chain-load two grub
> > installations, possibly with an unencrypted /boot.
>
> We don't have libreboot in Guix yet, but the ability to install it at
> reconfigure time would be nice. Sounds risky, though :)
FYI, it's possible to achieve the practical equivalent of full-disk
encryption while using Libreboot without jumping through any hoops at
all. An installation like the one performed in the encrypted-root-os
system test [1] works "out of the box" with Libreboot. For more
information, please refer to the operating system configuration file and
the installation script shown in the encrypted-root-os system test. The
section "Mapped Devices" in the manual is also helpful.
I use a Libreboot laptop, which I've set up like that. All state - my
home directory, the GRUB configuration file, system service database
files, etc. - is stored in the root file system. Because the root file
system is in a LUKS-encrypted partition, everything I care about is
encrypted. I also use a swap file as described in the manual (same
section). Because that swap file is just another file in the root file
system, my swap space is encrypted, too. The only things that aren't
encrypted are my Libreboot installation (in flash memory, not on disk)
and the GRUB bootloader that Guix installed to the disk (which is never
actually used, since I use Libreboot).
This setup works for my use case. I know it has some drawbacks, but
they aren't problems for me. For example, I've heard that
suspend-to-disk won't work with this style of encrypted swap, but since
I don't need that feature right now, I don't mind. The boot time is
also pretty long - Libreboot seems to take quite a while (minutes) to
find the encrypted disk - but it works every time, so I'm content. I
also have to input my disk's passphrase two times (once when Libreboot's
GRUB payload wants to decrypt the LUKS volume, and again when the
initialization process in GuixSD's initrd wants to decrypt the same LUKS
volume), but I think you have to enter your passphrase twice in that
case even when not using Libreboot.
[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm?id=2e3744730777dc4e988675be369692d2be6fa1e2#n453
--
Chris
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-04-13 7:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-12 5:05 Libreboot + WDE + GuixSD: Need some advice Stephen Sloan
2017-04-12 15:21 ` Marius Bakke
2017-04-13 4:08 ` Stephen Sloan
2017-04-13 7:31 ` Chris Marusich
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).