From mboxrd@z Thu Jan 1 00:00:00 1970
From: Chris Marusich
Subject: Re: Libreboot + WDE + GuixSD: Need some advice
Date: Thu, 13 Apr 2017 00:31:08 -0700
Message-ID: <87efwwrcg3.fsf@gmail.com>
References: <87efwxabya.fsf@fastmail.com>
In-Reply-To: (Stephen Sloan's message of "Wed, 12 Apr 2017 21:08:59 -0700")
To: Stephen Sloan
Cc: help-guix@gnu.org

Stephen Sloan writes:

> I used your find command and copied the grub.cfg file into place. It
> "just worked". Cool indeed! Practically speaking, I could copy the file
> into place every time that I reconfigure the system. But for bragging
> rights, I've got to get it automated. I'm reading through the code,
> looking for the best approach. I'm a clojure programmer by trade; scheme
> is new to me.
>
> I think I will try to make a package for flashrom and the libreboot
> utilities, but I like this solution of just copying a file into place.
>
> On Wed, Apr 12, 2017 at 8:21 AM, Marius Bakke wrote:
>
> > Stephen Sloan writes:
> >
> > > I am looking for some advice.
> > >
> > > I'm setting up a libreboot + whole disk encryption + guixsd laptop.
> > > Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
> > >
> > > According to the libreboot docs, I can make the grub config available at
> > > /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
> > > and use that config file. I've installed guixsd with --no-grub, I have
> > > libreboot installed, and the disk encrypted, now I just need to make it
> > > bootable!
> >
> > Wow, cool!
> >
> > `guix system --no-grub` will actually build out grub.cfg in the store,
> > just not write it to the actual bootloader configuration. So you can try
> > to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
> >
> > It will also print the location when running `reconfigure`:
> >
> > root@xbmc ~# guix system reconfigure --no-grub /etc/config.scm
> > substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
> > The following derivation will be built:
> > /gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
> > /gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
> > /gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
> >
> > > I think I need to make the correct grub config file available at that
> > > location whenever I reconfigure. I can manage the coding, but I'd like
> > > hints on the best way to go about this with guix.
> >
> > I think making the field take a "copy-only?" option
> > would be a decent fix for now. Currently the build code expects to run
> > "grub-install", look into gnu/system/grub.scm and gnu/build/install.scm
> > for starters.
> >
> > > There are some other options I've considered. I could reflash my BIOS as
> > > part of the reconfiguration process. Or maybe I could chain-load two grub
> > > installations, possibly with an unencrypted /boot.
> > We don't have libreboot in Guix yet, but the ability to install it at
> > reconfigure time would be nice. Sounds risky, though :)

FYI, it's possible to achieve the practical equivalent of full-disk
encryption while using Libreboot without jumping through any hoops at all.
An installation like the one performed in the encrypted-root-os system
test [1] works "out of the box" with Libreboot.

For more information, please refer to the operating system configuration
file and the installation script shown in the encrypted-root-os system
test.  The section "Mapped Devices" in the manual is also helpful.

I use a Libreboot laptop, which I've set up like that.  All state - my
home directory, the GRUB configuration file, system service database
files, etc. - is stored in the root file system.  Because the root file
system is in a LUKS-encrypted partition, everything I care about is
encrypted.  I also use a swap file as described in the manual (same
section).  Because that swap file is just another file in the root file
system, my swap space is encrypted, too.

The only things that aren't encrypted are my Libreboot installation (in
flash memory, not on disk) and the GRUB bootloader that Guix installed to
the disk (which is never actually used, since I use Libreboot).

This setup works for my use case.  I know it has some drawbacks, but they
aren't problems for me.  For example, I've heard that suspend-to-disk
won't work with this style of encrypted swap, but since I don't need that
feature right now, I don't mind.  The boot time is also pretty long -
Libreboot seems to take quite a while (minutes) to find the encrypted disk
- but it works every time, so I'm content.  I also have to input my disk's
passphrase two times (once when Libreboot's GRUB payload wants to decrypt
the LUKS volume, and again when the initialization process in GuixSD's
initrd wants to decrypt the same LUKS volume), but I think you have to
enter your passphrase twice in that case even when not using Libreboot.
[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm?id=2e3744730777dc4e988675be369692d2be6fa1e2#n453

-- 
Chris
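The "copy grub.cfg into place after every reconfigure" step that Stephen wants to automate, written out as an added example (not code from this thread, from Guix, or from Libreboot). It follows Marius's `find /gnu/store -maxdepth 1` search but has to cope with one wrinkle: the store keeps a grub.cfg for every generation and stamps every store file with the same fixed mtime, so "newest by timestamp" cannot identify the current one. The example instead assumes (my assumption, not stated in the thread) that `/run/current-system` resolves to the store path of the generation just activated and that its grub.cfg mentions that path on the kernel command line. The install step refuses anything that is not a GRUB menu, stages the copy and renames it into place, and keeps the previous file as a `.bak`, so a crash or a wrong path cannot leave the laptop without a usable `libreboot_grub.cfg`. Path arguments default to the real locations; pass scratch paths to exercise the logic without touching `/gnu/store` or `/boot`.

```sh
#!/bin/sh
# Added example, not code from this thread or from Guix itself: after
# `guix system reconfigure --no-grub`, pick out the grub.cfg that Guix
# built in the store and copy it to the path Libreboot's GRUB payload
# reads.  Function arguments default to the real paths; pass scratch
# paths to try the logic without touching /gnu/store or /boot.
#
# Assumptions (mine, not stated in the thread):
#  * /run/current-system resolves to the store path of the generation
#    that was just activated, and the grub.cfg built for that generation
#    mentions that store path (on its kernel command line).
#  * Every file in /gnu/store carries the same fixed timestamp, so "newest
#    grub.cfg by mtime" cannot tell the current config from older
#    generations' configs; matching on the system path is used instead.

set -eu

# Print the store grub.cfg(s) whose text references the active system
# generation.  Returns 0 for exactly one match, 1 for none, 2 if several
# match (for instance after a rollback), leaving the choice to the caller.
find_current_grub_cfg() {
    store="${1:-/gnu/store}"
    system_link="${2:-/run/current-system}"
    nl='
'
    system=$(readlink -f "$system_link") || return 1
    matches=""
    count=0
    # Same `find -maxdepth 1` search as in the thread, then filter by content.
    for cfg in $(find "$store" -maxdepth 1 -name '*-grub.cfg' | sort); do
        if grep -qF -- "$system" "$cfg"; then
            matches="$matches$cfg$nl"
            count=$((count + 1))
        fi
    done
    printf '%s' "$matches"
    case "$count" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Install SRC at DST atomically: copy next to the target, then rename,
# keeping the previous file as DST.bak.  A file without a single
# menuentry is refused (exit 3) so a stray path can never replace a
# working boot menu with something GRUB cannot use.
install_grub_cfg() {
    src="$1"
    dst="${2:-/boot/grub/libreboot_grub.cfg}"
    grep -q '^menuentry' "$src" || return 3
    dstdir=$(dirname "$dst")
    mkdir -p "$dstdir"
    staging="$dstdir/.$(basename "$dst").tmp"
    cp "$src" "$staging"
    chmod 0644 "$staging"   # store files are read-only; GRUB only needs read access
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak"
    fi
    mv "$staging" "$dst"
}

# Intended use on the laptop, as root, right after reconfiguring:
#   guix system reconfigure --no-grub /etc/config.scm
#   cfg=$(find_current_grub_cfg) && install_grub_cfg "$cfg"
```

Because `find_current_grub_cfg` fails (exit 2) when more than one config references the current generation, the `&&` in the usage line means nothing is copied in the ambiguous case; the candidates are printed so the administrator can pick one by hand. The target path itself sits inside the LUKS-encrypted root, so this keeps the property Chris describes: Libreboot's GRUB payload unlocks the volume first and only then reads the menu.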