Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: Joshua Branson via Guix-patches
To: Giovanni Biscuolo
Cc: 49654@debbugs.gnu.org, rg@raghavgururajan.name
Date: Tue, 20 Jul 2021 14:15:59 -0400
Message-ID: <87eebsvokg.fsf@dismail.de>
In-Reply-To: <87pmvdi7xa.fsf@xelera.eu> (Giovanni Biscuolo's message of "Tue, 20 Jul 2021 12:41:37 +0200")
Giovanni Biscuolo writes:

> Hello Joshua and Raghav,
>
> thank you for your guide! I have just a couple of comments.
>
> Joshua Branson via Guix-patches via writes:
>
>> From: Joshua Branson
>>
>> The original guide was written by Raghav Gururajan
>> and edited by Joshua Branson.
>>
>> * doc/guix-cookbook.texi (System Configuration): New section of full disc
>> encryption via libreboot.
>> ---
>> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 724 insertions(+)
>
> [...]
>
>> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption
>
> AFAIU the steps, especially the partitioning that does not provide a
> UEFI dedicated partition, are specific to Libreboot systems: what about
> to make it more clear in the section title?

I will mention this somewhere. Thanks. Perhaps we could mention that
libreboot systems are so ancient that they do not support UEFI. I will
also mention that newer coreboot devices do not support a UEFI
partition, but require proprietary blobs to run properly.

>
> ...or to adapt the section by separating Libreboot specific instructions
> from generic system instructions?

as above.

>
> [...]
>
>> +Create a physical volume in the partition.
>> +
>> +@example
>> +pvcreate /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create a volume group in the physical volume, where @code{vgname} is any
>> +desired name for volume group.
>> +
>> +@example
>> +vgcreate vgname /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create logical volumes in the volume group; where "num" is the number
>> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
>> +desired names for root and home volumes respectively.
>> +
>> +@example
>> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
>> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
>> +@end example
>> +
>> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
>> +@code{fsnamehome} are any desired names for root and home filesystems
>> +respectively.
>> +
>> +@example
>> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
>> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
>> +@end example
>
> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
> (with subvolumes if you want) on top of /dev/mapper/partname?

This is probably a good idea...however does the grub payload support this?

>
> AFAIU the "double mapping" it's not needed, BTRFS have a very good (and
> now mature) built in volume manager. Furthermore, using BTRFS for
> volume management will allow users to switch to a multi-device system
> (e.g. RAID1) very easily.

That's pretty cool!

>
> I'm still using LVM on some "legacy" systems but for new installations
> I'd strongly suggest starting using BTRFS on top of "physical"
> partitions.

Does btrfs volume management allow us to use ext4, jfs, or xfs
filesystems? Or does only LVM do that?

>> +Mount the filesystems under the current system.
>> +
>> +@example
>> +mount --label fsnameroot --target /mnt --types btrfs --verbose
>> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
>> +/mnt/home --types btrfs --verbose
>> +@end example
>> +
>> +Create a swap file.
>> +
>> +@example
>> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
>> +mkswap --verbose /mnt/swapfile
>> +@end example
>
> I know that since Linux 2.6 swapfile performance is not a big issue if
> the file is unfragmented (and it'll be for sure on newly partitioned
> filesystems) but AFAIU swap files are still a little bit problematic on
> BTRFS
> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:

Ok...maybe we could use ext4 for the swap file? Is there a better
filesystem? Again does btrfs volume management allow the swap file to be
ext4? Or do we have to use LVM?

> From kernel 5.0+ btrfs have native swap files support, but with some
> limitations. Swap file - must be fully allocated as NOCOW with no
> compression on one device.
>
> I've never tested a system with swap file on BTRFS but I think that your
> instructions should add how to set NOCOW for the swap file.
>
> The above example could be:
>
> @example
> truncate --size 0 /mnt/swapfile
> chattr +C /mnt/swapfile
> dd bs=1MiB count=1024 if=/dev/zero of=/mnt/swapfile status=progress
> btrfs property set /mnt/swapfile compression none
> mkswap --verbose /mnt/swapfile
> @end example
>
> Final note: AFAIU BTRFS supports swap files ONLY in single device
> settings (that is: NO swap file support on multi device settings), so
> IMHO it's better to use a dedicated partition for the swap space so
> users are free to switch to a multi-device setting if they wish (and
> can).

Ok, I will create a dedicated partition and format it with ext4 and the
swap program...but I will probably need help figuring out how to encrypt
the swap partition...There are guides online that I can look at...
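Review bot: the prose before the lvcreate example says sizes are given as "num" in GB, but neither lvcreate command takes a size in GB: they use `--extents 25%VG` and `--extents 100%FREE`, and no `num` appears anywhere. Either drop the sentence about "num" or switch the commands to `--size numG` so the text and the example agree. If the LVM layer is dropped in favour of Btrfs directly on /dev/mapper/partname, as suggested in the reply above, the pvcreate, vgcreate and lvcreate steps go away and this hunk collapses to a single mkfs.btrfs call.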
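Review bot: `dd bs=1MiB count=1GiB` in the swap file example does not create a 1 GiB file. `count` is a number of blocks and GNU dd accepts the suffix, so this asks for 2^30 blocks of 1 MiB (1 PiB) and will run until the filesystem is full; use `count=1024` with `bs=1MiB`. If a swap file on Btrfs is kept at all, it must be NOCOW before any data lands in it, since `chattr +C` only takes effect on an empty file: create the empty file, set `+C`, then run dd, then mkswap. A `chmod 600 /mnt/swapfile` is also worth a line, because swapon warns about a world-readable swap file.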
> The problem with a fully encrypted dedicated swap partition is that
> it'll require a third passphrase prompt on boot (the one to unlock the
> swap partition), but that's a minor annoyance IMHO.

Oh no! I hadn't thought about that! grrr! I wonder if bcachefs is better
than btrfs...well I guess it's not merged yet. What about instead of
using a swap file we use zram? Or how about both?

> What do you think?
>
> [...]
>
> Happy hacking! Gio'

--
Joshua Branson (jab in #guix)
Sent from Emacs and Gnus
  https://gnucode.me
  https://video.hardlimit.com/accounts/joshua_branson/video-channels
  https://propernaming.org
  "You can have whatever you want, as long as you help enough other
  people get what they want." - Zig Ziglar
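The encrypted dedicated swap partition discussed above, written as a Guix System configuration fragment. This is an added illustration, not code from the patch or from either participant; it assumes the layout Giovanni suggests (Btrfs directly on the LUKS-mapped root, no LVM) with the root container on /dev/sda1, a second LUKS container for swap on /dev/sda2, a user "alice", and the swap-space record of current Guix (1.4 and later), which postdates this 2021 thread.

```scheme
;; Added example for the thread above, not part of the submitted patch.
;; Assumed layout: /dev/sda1 is the LUKS container holding the Btrfs root
;; (label "fsnameroot", as in the patch); /dev/sda2 is a second LUKS
;; container holding a plain swap partition.  Each container is unlocked
;; with its own passphrase: cryptroot in the initrd, cryptswap by the
;; device-mapping service once the system is up.  That is the extra
;; prompt Giovanni mentions, on top of Libreboot's GRUB payload prompt.
(use-modules (gnu))

(define cryptroot
  (mapped-device
   (source "/dev/sda1")            ; assumed; a (uuid "...") also works
   (target "cryptroot")            ; becomes /dev/mapper/cryptroot
   (type luks-device-mapping)))

(define cryptswap
  (mapped-device
   (source "/dev/sda2")            ; assumed
   (target "cryptswap")            ; becomes /dev/mapper/cryptswap
   (type luks-device-mapping)))

(operating-system
  (host-name "libreboot-fde")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))
  (mapped-devices (list cryptroot cryptswap))
  (file-systems (cons (file-system
                        ;; Btrfs directly on the LUKS mapping, no LVM layer.
                        (device (file-system-label "fsnameroot"))
                        (mount-point "/")
                        (type "btrfs")
                        (dependencies (list cryptroot)))
                      %base-file-systems))
  ;; The swap partition is only usable once cryptswap is open, so it
  ;; depends on that mapping rather than naming the raw /dev/sda2.
  (swap-devices (list (swap-space
                        (target "/dev/mapper/cryptswap")
                        (dependencies (list cryptswap)))))
  (users (cons (user-account
                (name "alice")       ; assumed user
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  (services %base-services))
```

The swap partition itself is prepared once with `cryptsetup luksFormat /dev/sda2`, `cryptsetup open /dev/sda2 cryptswap` and `mkswap /dev/mapper/cryptswap` before the first `guix system init`.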