[PATCH] doc: Add full disc encryption guide to the cookbook

Open. Submitted by Joshua Branson.
Details
5 participants
  • david larsson
  • Giovanni Biscuolo
  • Sarah Morgensen
  • Joshua Branson
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Joshua Branson wrote on 20 Jul 07:22 +0200
(address . guix-patches@gnu.org)(address . rg@raghavgururajan.name)
20210720052229.15438-1-jbranso@dismail.de
From: Joshua Branson <jbranso AT gnucode.me>
The original guide was written by Raghav Gururajan <rg@raghavgururajan.name> and edited by Joshua Branson <jbranso@dismail.de>.

* doc/guix-cookbook.texi (System Configuration): New section of full disc
encryption via libreboot.
---
 doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 724 insertions(+)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texiindex 2e627ecc51..ef8f3425d6 100644--- a/doc/guix-cookbook.texi+++ b/doc/guix-cookbook.texi@@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@* Copyright @copyright{} 2020 André Batista@* Copyright @copyright{} 2020 Christopher Lemmer Webber Copyright @copyright{} 2021 Joshua Branson@*+Copyright @copyright{} 2021 Raghav Gururajan@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or@@ -1358,6 +1359,7 @@ reference. * Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System. * Guix System Image API:: Customizing images to target specific platforms. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.+* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Running Guix on a Linode Server:: Running Guix on a Linode Server * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.@@ -1938,6 +1940,728 @@ For more specific information about NetworkManager and wireguard @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see this post by thaller}. +@node Guix System with Full Disk Encryption+@section Guix System with Full Disk Encryption+@cindex libreboot, full disk encryption++Guix System is an exotic distribution of GNU/Linux operating system,+with Guix as package/system manager, Linux-Libre as kernel and+Shepherd as init system.++Libreboot is a de-blobbed distribution of Coreboot firmware. 
By+default, Libreboot comes with GRUB bootloader as a payload.++The objective of this manual is to provide step-by-step guide for+setting up Guix System (stand-alone Guix), with Full Disk+Encryption (FDE), on devices powered by Libreboot.++Any users, for their generalized use cases, need not stumble away from+this guide to accomplish the setup. Advanced users, for deviant use+cases, will have to explore outside this guide for customization;+although this guide provides information that is of paramount use.++Let us begin!++@menu+* Create Boot-able USB::+* Installing and Setup::+* Tweaking Libreboot's Grub Payload::+* Closing Thoughts::+* Special Thanks::+@end menu++@node Create Boot-able USB+@subsection Create Boot-able USB++In the current GNU+Linux system, open terminal as root user.++Insert USB drive and get the device letter @code{/dev/sdX}, where “X” is the+device letter.++@example+lsblk --list+@end example++@example+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT+sda 8:0 0 223.6G 0 disk+sda1 8:1 0 2M 0 part+sda2 8:2 0 3.7G 0 part+sda3 8:3 0 219.9G 0 part /+zram0 251:0 0 512M 0 disk [SWAP]+@end example+++Just in case the device is auto-mounted, unmount the device.++@example+umount /dev/sdX --verbose+@end example++Download the Guix System ISO installer package and it’s GPG signature;+where @code{A.B.C} is the version number and @code{SSS} is the system+architecture.++@example+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz.sig+@end example++Import the Guix's public key.++@example+gpg --verbose --keyserver pool.sks-keyservers.net –-receive-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5+@end example++Verify the GPG signature of the downloaded package.++@example+gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig+@end example++Extract ISO image from the downloaded package.++@example+xz --verbose --decompress 
guix-system-install-A.B.C.SSS-linux.iso.xz+@end example++Write the extracted ISO image to the drive.++@example+dd if=guix-system-install-A.B.C.SSS-linux.iso of=/dev/sdX status=progress; sync+@end example++Reboot the device.++@example+reboot+@end example++@node Installing and Setup+@subsection Installing and Setup++On reboot, as soon as the Libreboot's graphic art appears, press "S"+or choose @code{Search for GRUB2 configuration on external media [s]}. Wait+for the Guix System from USB drive to load.++Once Guix System installer starts, choose @code{Install using the shell+based process}.++Set your keyboard layout, where @code{lo} is the two-letter keyboard+layout code (lower-case).++@example+loadkeys --verbose lo+@end example++Unblock network interfaces.++@example+rfkill unblock all+@end example++Get the names of network interfaces.++@example+ifconfig -v -a+@end example++@example+enp0s25 Link encap:Ethernet HWaddr 00:1C:25:9A:37:BA+ UP BROADCAST MULTICAST MTU:1500 Metric:1+ RX packets:0 errors:0 dropped:0 overruns:0 frame:0+ TX packets:0 errors:0 dropped:0 overruns:0 carrier:0+ collisions:0 txqueuelen:1000+ RX bytes:0 TX bytes:0+ Interrupt:16 Memory:98800000-98820000++lo Link encap:Local Loopback+ inet addr:127.0.0.1 Bcast:0.0.0.0 Mask:255.0.0.0+ UP LOOPBACK RUNNING MTU:65536 Metric:1+ RX packets:265 errors:0 dropped:0 overruns:0 frame:0+ TX packets:265 errors:0 dropped:0 overruns:0 carrier:0+ collisions:0 txqueuelen:1000+ RX bytes:164568 TX bytes:164568++wlp2s0 Link encap:Ethernet HWaddr E4:CE:8F:59:D6:BF+ inet addr:192.168.1.133 Bcast:192.168.1.255 Mask:255.255.255.0+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1+ RX packets:60084 errors:0 dropped:71 overruns:0 frame:0+ TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0+ collisions:0 txqueuelen:1000+ RX bytes:45965805 TX bytes:4905457++@end example++Bring the desired network interface (wired or wireless) up, where+@code{nwif} is the network interface name.++@example+ifconfig -v nwif up+@end example++For 
wireless connection, follow the wireless setup.++@menu+* Wireless Setup::+@end menu++@node Wireless Setup+@subsubsection Wireless Setup++Create a configuration file using text editor, where @code{fname} is any+desired name for file.++@example+nano fname.conf+@end example++Choose, type and save ONE of the following snippets, where ‘net’ is+the network name, ‘pass’ is the password or passphrase and ‘uid’ is+the user identity.++For most private networks:++@example+network=@{+ ssid="net"+ key_mgmt=WPA-PSK+ psk="pass"+@}+@end example++(or)++For most public networks:++@example+network=@{+ ssid="net"+ key_mgmt=NONE+@}+@end example++(or)++For most organizational networks:++@example+network=@{+ ssid="net"+ scan_ssid=1+ key_mgmt=WPA-EAP+ identity="uid"+ password="pass"+ eap=PEAP+ phase1="peaplabel=0"+ phase2="auth=MSCHAPV2"+@}+@end example++Connect to the configured network.++@example+wpa_supplicant -B -c fname.conf -i nwif+@end example++Assign an IP address to the network interface.++@example+dhclient -v nwif+@end example++Obtain the device letter @code{/dev/sdX} in which you would like to deploy+and install Guix System, where “X” is the device letter.++@example+lsblk --list+@end example++@example+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT+sda 8:0 0 223.6G 0 disk+sda1 8:1 0 2M 0 part+sda2 8:2 0 3.7G 0 part+sda3 8:3 0 219.9G 0 part /+zram0 251:0 0 512M 0 disk [SWAP]+@end example++Wipe the device (Ignore if the device is new).++@example+shred --verbose --random-source=/dev/urandom /dev/sdX+@end example++Load the device-mapper module in the current kernel.++@example+modprobe --verbose dm_mod+@end example++Partition the device. Follow the prompts. Just do, GPT --> New -->+Write --> Quit; defaults will be set.++@example+cfdisk /dev/sdX+@end example++Obtain the partition number from the device, where “Y” is the+partition number.++@example+lsblk --list+@end example++Encrypt the partition. 
Follow the prompts.++@example+cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \+--verify-passphrase --use-random --key-size 512 --iter-time 500 \+luksFormat /dev/sdXY+@end example++Obtain and note down the UUID of the LUKS partition.++@example+cryptsetup --verbose luksUUID /dev/sdXY+@end example++Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,+and @code{partname} is any desired name for the partition.++@example+cryptsetup --verbose+luksOpen UUID=luks-uuid partname+@end example++Create a physical volume in the partition.++@example+pvcreate /dev/mapper/partname --verbose+@end example++Create a volume group in the physical volume, where @code{vgname} is any+desired name for volume group.++@example+vgcreate vgname /dev/mapper/partname --verbose+@end example++Create logical volumes in the volume group; where "num" is the number+for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any+desired names for root and home volumes respectively.++@example+lvcreate --extents 25%VG vgname --name lvnameroot --verbose+lvcreate --extents 100%FREE vgname --name lvnamehome --verbose+@end example++Create filesystems on the logical-volumes, where @code{fsnameroot} and+@code{fsnamehome} are any desired names for root and home filesystems+respectively.++@example+mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot+mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome+@end example++Mount the filesystems under the current system.++@example+mount --label fsnameroot --target /mnt --types btrfs --verbose+mkdir --verbose /mnt/home && mount --label fsnamehome --target \+/mnt/home --types btrfs --verbose+@end example++Create a swap file.++@example+dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress+mkswap --verbose /mnt/swapfile+@end example++Make the swap file readable and writable only by root account.++@example+chmod --verbose 600 /mnt/swapfile+@end example++Activate the swap 
file.++@example+swapon --verbose /mnt/swapfile+@end example++Install packages on the mounted root filesystem.++@example+herd start cow-store /mnt+@end example++Create the system-wide configuration files directory.++@example+mkdir --verbose /mnt/etc+@end example++Create, edit and save the system configuration file by typing the+following code snippet. WATCH-OUT for variables in the code snippet+and replace them with the relevant values.++@example+nano /mnt/etc/config.scm+@end example++The content of config.scm is:++@lisp+(use-modules+ (gnu)+ (gnu system nss))++(use-package-modules+ certs+ gnome+ linux)++(use-service-modules+ desktop+ xorg)++(operating-system+ (kernel linux-libre-lts)+ (kernel-arguments+ (append+ (list+ ;; this is needed to flash the libreboot ROM. After, you+ ;; have flashed your rom, it is a good idea to remove+ ;; iomem=relaxed from your kernel arguments+ "iomem=relaxed")+ %default-kernel-arguments))++ (timezone "Zone/SubZone")+ (locale "ab_XY.1234")+ (name-service-switch %mdns-host-lookup-nss)++ (bootloader+ (bootloader-configuration+ (bootloader+ (bootloader+ (inherit grub-bootloader)+ (installer #~(const #t))))+ (keyboard-layout keyboard-layout)))++ (keyboard-layout+ (keyboard-layout+ "xy"+ "altgr-intl"))++ (host-name "hostname")++ (mapped-devices+ (list+ (mapped-device+ (source+ (uuid "LUKS-UUID"))+ (target "partname")+ (type luks-device-mapping))+ (mapped-device+ (source "vgname")+ (targets+ (list+ "vgname-lvnameroot"+ "vgname-lvnamehome"))+ (type lvm-device-mapping))))++ (file-systems+ (append+ (list+ (file-system+ (type "btrfs")+ (mount-point "/")+ (device "/dev/mapper/VGNAME-LVNAMEROOT")+ (flags '(no-atime))+ (options "space_cache=v2")+ (needed-for-boot? 
#t)+ (dependencies mapped-devices))+ (file-system+ (type "btrfs")+ (mount-point "/home")+ (device "/dev/mapper/VGNAME-LVNAMEHOME")+ (flags '(no-atime))+ (options "space_cache=v2")+ (dependencies mapped-devices)))+ %base-file-systems))++ (swap-devices+ (list+ "/swapfile"))++ (users+ (append+ (list+ (user-account+ (name "USERNAME")+ (comment "Full Name")+ (group "users")+ (supplementary-groups '("audio" "cdrom"+ "kvm" "lp" "netdev"+ "tape" "video"+ "wheel"))))+ %base-user-accounts))++ (packages+ (append+ (list+ nss-certs)+ %base-packages))++ (services+ (append+ (list+ (service gnome-desktop-service-type))+ %desktop-services)))+@end lisp++Initialize new Guix System.++@example+guix system init /mnt/etc/config.scm /mnt+@end example++Reboot the device.++@example+reboot+@end example++@node Tweaking Libreboot's Grub Payload+@subsection Tweaking Libreboot's Grub Payload+@cindex grub payload++On reboot, as soon as the Libreboot graphic art appears, press “C” to+enter the command-line.++Enter the following commands and respond to first command with the LUKS+Key.++@example+cryptomount -u luks-uuid+set root=(lvm/vgname-lvnameroot)+@end example++Upon Guix's GRUB menu, go with the default option.++Enter the LUKS Key again, for kernel, as prompted.++Upon login screen, login as "root" with password field empty.++Open terminal.++Set passkey for the "root" user. Follow the prompts.++@example+passwd root+@end example++Set passkey for the "username" user. Follow the prompts.++@example+passwd username+@end example++Install flashrom and wget.++@example+guix package –-install flashrom wget+@end example++Obtain the ROM chip's model and size. 
Look for the output line “Found+[@dots{}] flash chip [@dots{}]”.++@example+flashrom --verbose --programmer internal+@end example++Download Libreboot ROM and utilities, where "YYYYMMDD" is the release+date, @code{devmod} is the device model and "N" is the ROM chip size.++@example+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYYYYMMDD_util.tar.xz+@end example++Extract the downloaded files.+@example+tar --extract --file=libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verbose+tar --extract --file=libreboot_rYYYYMMDD_util.tar.xz --verbose+@end example++Rename the directories of extracted files.++@example+mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"+mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"+@end example++Copy the ROM image to the directory of cbfstool, where "kbdlo" is the+keyboard layout and "arch" is the system architecture.++@example+cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arch/libreboot.rom+@end example++Change directory to the directory of cbfstool.+@example+cd libreboot_util/cbfstool/arch/+@end example++Extract the GRUB configuration file from the image.++@example+./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg+@end example++Edit the GRUB configuration file and insert the following code snippet+above the line @code{“menuentry 'Load Operating System [o]' --hotkey='o'+--unrestricted @{ [...] 
@}”}.++@example+nano grub.cfg+@end example++Snippet:+@example+menuentry ‘Guix System (An advanced distribution of the GNU operating system) [g]’ --hotkey=’g’ --unrestricted+@{+cryptomount -u luks-uuid+set root=(lvm/vgname-lvnameroot)+configfile /boot/grub/grub.cfg+@}+@end example++Remove the old GRUB configuration file from the ROM image.++@example+./cbfstool libreboot.rom remove -n grub.cfg+@end example++Insert the new GRUB configuration file into the ROM image.++@example+./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw+@end example++Move the ROM image to the directory of ich9gen.++@example+mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom+@end example++Change directory to the directory of ich9gen.++@example+cd ~/libreboot_util/ich9deblob/arch/+@end example++Generate descriptor+GbE images with the MAC address, where "mac-addr"+is the MAC address of the machine.++@example+ich9gen --macaddress mac-addr+@end example++Insert the descriptor+GbE image into the ROM image, where "N" is the+ROM chip size.+@example+dd bs=12k conv=notrunc count=1 if=ich9fdgbe_Nm.bin of=libreboot.rom status=progress+@end example++Move the ROM image to the directory of flash.++@example+mv libreboot.rom ~/libreboot_util/libreboot.rom+@end example++Change directory to the directory of flash.++@example+cd ~/libreboot_util+@end example++Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.+@example+nano flash+@end example++Flash the ROM with the new image.+@example+./flash update libreboot.rom+@end example++(or)++@example+./flash forceupdate libreboot.rom+@end example++Reboot the device.+@example+reboot+@end example++@node Closing Thoughts+@subsection Closing Thoughts++Everything should be stream-lined from now. 
Upon Libreboot's GRUB+menu, you can either press "G" or choose "Guix System (An advanced+distribution of the GNU operating system) [g]".++During the boot process, as prompted, you have to type LUKS key twice;+once for Libreboot's GRUB and once more for Linux-Libre kernel.+Retyping a passphrase is a minor annoyance, but it is a secure method of+opening up your device. There are methods that exist to only type the+passphrase once, but none are currently integrated into Guix System.++Generally, you will be using Libreboot's initial/default grub.cfg,+whose Guix menu-entry invokes Guix's grub.cfg located at+@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's+@code{grubtest.cfg}, which hasn't been modified.++Now that you have a working Guix System with full disk encryption, you+may want to remove the @code{iomem=relaxed} from your+@code{kernel-arguments}. @code{iomem=relaxed} is needed to reflash your+rom. Since, most users will probably not flash their rom often, those+users may wish to disable that feature:++@lisp+ ;; optionally remove this bit of code from your config.scm+ (kernel-arguments+ (append+ (list+ ;; this is needed to flash the libreboot ROM. After, you+ ;; have flashed your rom, it is a good idea to remove+ ;; iomem=relaxed from your kernel arguments+ "iomem=relaxed")+ %default-kernel-arguments))+@end lisp++That is it! You have now setup Guix System with Full Disk Encryption on+your device powered by Libreboot. 
Enjoy!++More information about Libreboot can be found at their official+documentation: @uref{https://libreboot.org/docs/}.++@node Special Thanks+@subsection Special Thanks++Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),+for helping me with the Scheme code for the bootloader configuration.++Thanks to Libreboot founder and developer, Leah Rowe+(leah@@libreboot.org), for helping me with the understanding of+Libreboot’s functionalities.+ @node Customizing a Window Manager @section Customizing a Window Manager @cindex wm-- 2.32.0
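Review bot: the key-import step under "Create Boot-able USB" fails as written: `pool.sks-keyservers.net` was taken offline in June 2021, and `–-receive-keys` is typed with a Unicode en-dash instead of two ASCII hyphens, so gpg does not recognise the option; the same en-dash is in `guix package –-install flashrom wget` further down. Fetch the key the way the Guix manual's installation chapter does and replace both en-dashes with `--`.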
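Review bot: the "organizational networks" wpa_supplicant snippet does not validate the RADIUS server: with `eap=PEAP` and `phase2="auth=MSCHAPV2"` but no `ca_cert=` line, the supplicant will hand the `identity`/`password` pair to any access point advertising the same SSID. Add `ca_cert="/path/to/ca.pem"` (and ideally `domain_suffix_match=`) so the server certificate is checked before the credentials are sent.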
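Review bot: in the "Open the encrypted partition" example, `cryptsetup --verbose` and `luksOpen UUID=luks-uuid partname` sit on two lines with no trailing `\`, so a reader gets two commands, the first of which only prints usage; join them on one line. In the luksFormat command, `--iter-time 500` lowers the PBKDF time to a quarter of cryptsetup's 2000 ms default, which only makes offline guessing of the passphrase cheaper; drop it or say why it is there. And because this volume is opened by Libreboot's GRUB (`cryptomount -u luks-uuid` later in the section), the text should state which LUKS format the payload understands: cryptsetup 2.1 and later create LUKS2 by default while GRUB before 2.06 opens LUKS1 only, so `--type luks1` is probably required, and those older GRUB releases also expect the UUID given to `cryptomount -u` without dashes.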
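Review bot: `dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile` requests one GiB of 1 MiB blocks, i.e. a petabyte; for a 1 GiB swap file this should be `count=1024`. On btrfs the file also has to be NOCOW and fully allocated, and `chattr +C` only takes effect on an empty file, so the sequence should be: create the empty file, `chattr +C`, then write it with dd and run `mkswap`.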
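Review bot: config.scm's file-system `device` strings, `/dev/mapper/VGNAME-LVNAMEROOT` and `/dev/mapper/VGNAME-LVNAMEHOME`, do not match the lvm `mapped-device` targets `vgname-lvnameroot` and `vgname-lvnamehome`; they name the same device-mapper nodes, so use one spelling of the placeholders or say explicitly that they must agree. The lvcreate paragraph mentions a `num` value "for space in GB" that the commands (`25%VG`, `100%FREE`) never use; delete that clause. A one-line comment on `(installer #~(const #t))` would also help: it tells Guix not to install GRUB to the disk because Libreboot's payload is the bootloader.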
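Review bot: `mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"` renames the archive, not the directory that the preceding `tar --extract` produced; drop the `.tar.xz` suffix as in the util line below it. From "Move the ROM image to the directory of ich9gen" onwards the paths switch to `~/libreboot_util/...`, so the earlier relative commands silently assume the home directory as the working directory; state that, or use one form throughout.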
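Review bot: the menuentry snippet uses typographic quotes, `‘Guix System …’` and `--hotkey=’g’`, which GRUB's config parser does not treat as quoting, so the reflashed grub.cfg will fail to parse; use ASCII `'` as the existing `'Load Operating System [o]'` entry does.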
Giovanni Biscuolo wrote on 20 Jul 12:41 +0200
(address . rg@raghavgururajan.name)
87pmvdi7xa.fsf@xelera.eu
Hello Joshua and Raghav,
thank you for your guide! I have just a couple of comments.
Joshua Branson via Guix-patches via <guix-patches@gnu.org> writes:
> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>
> and edited by Joshua Branson <jbranso@dismail.de>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 724 insertions(+)
[...]
> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption
AFAIU the steps, especially the partitioning that does not provide a UEFI dedicated partition, are specific to Libreboot systems: what about making it clearer in the section title?
...or adapting the section by separating Libreboot-specific instructions from generic system instructions?
[...]
> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example
Why use two BTRFS volumes on top of LVM rather than using BTRFS directly (with subvolumes if you want) on top of /dev/mapper/partname?
AFAIU the "double mapping" is not needed: BTRFS has a very good (and now mature) built-in volume manager. Furthermore, using BTRFS for volume management will allow users to switch to a multi-device system (e.g. RAID1) very easily.
I'm still using LVM on some "legacy" systems, but for new installations I'd strongly suggest starting to use BTRFS on top of "physical" partitions.
> +Mount the filesystems under the current system.
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> +mkswap --verbose /mnt/swapfile
> +@end example
I know that since Linux 2.6 swap-file performance is not a big issue if the file is unfragmented (and it will be, for sure, on newly partitioned filesystems), but AFAIU swap files are still a little bit problematic on BTRFS: https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F
    From kernel 5.0+ btrfs have native swap files support, but with some limitations. Swap file - must be fully allocated as NOCOW with no compression on one device.

I've never tested a system with a swap file on BTRFS, but I think that your instructions should add how to set NOCOW for the swap file.
The above example could be:
@example
touch /mnt/swapfile
chattr +C /mnt/swapfile
btrfs property set /mnt/swapfile compression none
dd bs=1MiB count=1024 if=/dev/zero of=/mnt/swapfile status=progress
mkswap --verbose /mnt/swapfile
@end example

Final note: AFAIU BTRFS supports swap files ONLY in single-device settings (that is: NO swap file support on multi-device settings), so IMHO it's better to use a dedicated partition for the swap space, so users are free to switch to a multi-device setting if they wish (and can).
The problem with a fully encrypted dedicated swap partition is that it'll require a third passphrase prompt on boot (the one to unlock the swap partition), but that's a minor annoyance IMHO.
What do you think?
[...]
Happy hacking! Gio'
-- Giovanni Biscuolo
Xelera IT Infrastructures
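The btrfs swap-file requirements quoted above (NOCOW, no compression, fully allocated, one device) are easy to get wrong in order: `chattr +C` only takes effect on an empty file, so it has to come before the data is written, and with `bs=1MiB` the count for 1 GiB is `1024`. The script below is an added example, not code from the patch or from either poster; the path `/mnt/swapfile`, the 1024 MiB size and the `lsattr`/`stat` output it parses are assumptions. It creates the file in the required order and then verifies the result, so the check can also be run against an existing swap file before it is relied on.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): create a swap file on
# btrfs the way the btrfs FAQ quoted above requires (NOCOW, uncompressed,
# fully allocated, no holes) and verify it afterwards.
# Assumptions: run as root on a btrfs mount; path and size are examples.
set -eu

# Create the swap file.  $1 = path (e.g. /mnt/swapfile), $2 = size in MiB.
# The No_COW attribute must be set while the file is still empty, so the
# order is: create -> chattr +C -> write with dd -> mkswap.  btrfs never
# compresses NOCOW files, which covers the "no compression" rule as well.
make_btrfs_swapfile() {
    swapfile=$1
    size_mib=$2
    rm -f "$swapfile"
    (umask 077 && : > "$swapfile")          # empty file, root-only from the start
    chmod 600 "$swapfile"
    chattr +C "$swapfile"                   # NOCOW while the file is empty
    # Write real zeros rather than fallocate: the file must have no holes.
    # bs=1MiB means count is the size in MiB (count=1024 for 1 GiB).
    dd if=/dev/zero of="$swapfile" bs=1MiB count="$size_mib" status=progress
    mkswap "$swapfile"
}

# Pure checks, usable offline on captured output.

# $1 = one line of `lsattr FILE` output; true if the No_COW flag (upper-case
# 'C' in the attribute field, e.g. "---------------C------ /mnt/swapfile")
# is set.  Lower-case 'c' is a different flag (compressed) and does not match.
swapfile_is_nocow() {
    flags=${1%% *}
    case $flags in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# $1 = file size in bytes, $2 = allocated 512-byte blocks, both as
# `stat -c '%s %b' FILE` prints them; true if the file is fully allocated.
swapfile_is_dense() {
    [ $(( $2 * 512 )) -ge "$1" ]
}

# Run both checks against a real file.  $1 = path.
check_btrfs_swapfile() {
    swapfile_is_nocow "$(lsattr "$1")" \
        || { echo "$1: not NOCOW (chattr +C must be set on the empty file)" >&2; return 1; }
    # shellcheck disable=SC2046
    swapfile_is_dense $(stat -c '%s %b' "$1") \
        || { echo "$1: has holes, write it with dd, not fallocate" >&2; return 1; }
    echo "$1: ok"
}

# Usage (as root, on the mounted target filesystem):
#   make_btrfs_swapfile /mnt/swapfile 1024 && check_btrfs_swapfile /mnt/swapfile
```

The two pure functions take the text that `lsattr` and `stat` print rather than a path, so the same logic can be applied to output captured from another machine or pasted into a bug report.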
Joshua Branson wrote on 20 Jul 20:15 +0200
(name . Giovanni Biscuolo)(address . g@xelera.eu)
87eebsvokg.fsf@dismail.de
Giovanni Biscuolo <g@xelera.eu> writes:
> Hello Joshua and Raghav,
>
> thank you for your guide! I have just a couple of comments.
>
> Joshua Branson via Guix-patches via <guix-patches@gnu.org> writes:
>
>> From: Joshua Branson <jbranso AT gnucode.me>
>>
>> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>
>> and edited by Joshua Branson <jbranso@dismail.de>.
>>
>> * doc/guix-cookbook.texi (System Configuration): New section of full disc
>> encryption via libreboot.
>> ---
>> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 724 insertions(+)
>
> [...]
>
>> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption
>
> AFAIU the steps, especially the partitioning that does not provide an
> UEFI dedicated partition, are specific to Libreboot systems: what about
> to make it more clear in the section title?
I will mention this somewhere. Thanks. Perhaps we could mention that Libreboot systems are so ancient that they do not support UEFI. I will also mention that newer Coreboot devices do not support a UEFI partition, but require proprietary blobs to run properly.
>
> ...or to adapt the section by separating Libreboot specific instructions
> from generic system instructions?
as above.
>
> [...]
>
>> +Create a physical volume in the partition.
>> +
>> +@example
>> +pvcreate /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create a volume group in the physical volume, where @code{vgname} is any
>> +desired name for volume group.
>> +
>> +@example
>> +vgcreate vgname /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create logical volumes in the volume group; where "num" is the number
>> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
>> +desired names for root and home volumes respectively.
>> +
>> +@example
>> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
>> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
>> +@end example
>> +
>> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
>> +@code{fsnamehome} are any desired names for root and home filesystems
>> +respectively.
>> +
>> +@example
>> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
>> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
>> +@end example
>
> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
> (with subvolumes if you want) on top of /dev/mapper/partname?
This is probably a good idea... however, does the GRUB payload support this?
>
> AFAIU the "double mapping" it's not needed, BTRFS have a very good (and
> now mature) built in volume manager. Furthermore, using BTRFS for
> volume management will allow users to switch to a multi-device system
> (e.g. RAID1) very easily.
That's pretty cool!
>
> I'm still using LVM on some "legacy" systems but for new installations
> I'd strogly suggest starting using BTRFS on top of "physical"
> partitions.
Does btrfs volume management allow us to use ext4, jfs, or xfs filesystems? Or does only LVM do that?
>> +Mount the filesystems under the current system.
>> +
>> +@example
>> +mount --label fsnameroot --target /mnt --types btrfs --verbose
>> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
>> +/mnt/home --types btrfs --verbose
>> +@end example
>> +
>> +Create a swap file.
>> +
>> +@example
>> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
>> +mkswap --verbose /mnt/swapfile
>> +@end example
>
> I know that since Linux 2.6 swapfile performance is not a big issue if
> the file is unfragmented (and it'll be for sure on newly partitioned
> filesystems) but AFAIU swap files are still a little bit problematic on
> BTRFS
> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
Ok... maybe we could use ext4 for the swap file? Is there a better filesystem? Again, does btrfs volume management allow the swap file to be ext4? Or do we have to use LVM?
> From kernel 5.0+ btrfs have native swap files support, but with some
> limitations. Swap file - must be fully allocated as NOCOW with no
> compression on one device.
>
> I've never tested a system with swap file on BTRFS but I think that your
> instructions should add how to set NOCOW for the swap file.
>
> The above example could be:
>
> @example
> dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> mkswap --verbose /mnt/swapfile
> chattr +C /mnt/swapfile
> btrfs property set /mnt/swapfile compression none
> @end example
>
> Final note: AFAIU BTRFS supports swap files ONLY in single device
> settings (that is: NO swap file support on multi device settings), so
> IMHO it's better to use a dedicated partition for the swap space so
> users are free to switch to a multi-device setting if they wish (and
> can).
Ok, I will create a dedicated partition and format it with ext4 and the swap program... but I will probably need help figuring out how to encrypt the swap partition... There are guides online that I can look at...
> The problem with a fully encrypted dedicated swap partition is that
> it'll require a third passphrase prompt on boot (the one to unlock the
> swap partition), but that's a minor annoyance IMHO.
Oh no! I hadn't thought about that! grrr! I wonder if bcachefs is better than btrfs... well, I guess it's not merged yet. What about using zram instead of a swap file? Or how about both?
> What do you think?
>
> [...]
>
> Happy hacking! Gio'
--
Joshua Branson (jab in #guix)
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
https://propernaming.org
"You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar
Giovanni Biscuolo wrote on 21 Jul 14:16 +0200
(name . Joshua Branson)(address . jbranso@dismail.de)
87k0ljj20i.fsf@xelera.eu
Hi Joshua
Joshua Branson <jbranso@dismail.de> writes:
[...]
>> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
>> (with subvolumes if you want) on top of /dev/mapper/partname?
>
> This is probably a good idea...however does the grub payload support
> this?
Do you mean: does GRUB support booting from encrypted BTRFS? The answer is yes.
WARNING: I've (still) not tried myself to boot Guix System using an encrypted BTRFS (sub)volume, but I'm pretty confident that Guix is configuring GRUB with the needed modules (luks and btrfs).
[...]
>> I'm still using LVM on some "legacy" systems but for new installations
>> I'd strogly suggest starting using BTRFS on top of "physical"
>> partitions.
>
> does btrfs volume manage allow use to use ext4, jfs, or xfs
> filesystems?
No: BTRFS is a volume manager and a filesystem "all in one"; you cannot create a BTRFS subvolume and format it with another filesystem.
> Or does on LVM do that?
LVM is "just" a volume manager with no idea about the overlaying filesystem.

[...]
>> I know that since Linux 2.6 swapfile performance is not a big issue if
>> the file is unfragmented (and it'll be for sure on newly partitioned
>> filesystems) but AFAIU swap files are still a little bit problematic on
>> BTRFS
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
>
> Ok...maybe we could use ext4 for the swap file? Is there a better
> filesystem? Again does btrfs volume management allow the swap file to
> be ext4?
No, as explained above.
> Or do we have to use LVM?
If we use a dedicated partition for swap there is no need to set up an LVM volume (physical, VG and then logical): we can just create a dedicated partition during partitioning, encrypt it with LUKS and "mkswap" it (e.g. mkswap /dev/mapper/<encrypted_swap>).
[...]
>> Final note: AFAIU BTRFS supports swap files ONLY in single device
>> settings (that is: NO swap file support on multi device settings), so
>> IMHO it's better to use a dedicated partition for the swap space so
>> users are free to switch to a multi-device setting if they wish (and
>> can).
>
> Ok, I will create a dedicated partition and format it with ext4
> and the swap program
There's no need to format (mkfs.ext4) the partition with ext4, just "mkswap" it :-)
> ...but I will probably need help figuring out how to encrypt
> the swap partition...There are guides online that I can look at...
You have to encrypt it like any other partition, e.g.:
Encrypt the swap partition. Follow the prompts.
@example
cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
--verify-passphrase --use-random --key-size 512 --iter-time 500 \
luksFormat /dev/<swap_partition>
@end example
Obtain and note down the UUID of the LUKS partition.
@example
cryptsetup --verbose luksUUID /dev/<swap_partition>
@end example
Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID, and @code{crypt_swap01} is any desired name for the decrypted swap partition.
@example
cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01
@end example
Format the encrypted swap
@example
mkswap /dev/mapper/crypt_swap01
@end example

Then, in our (operating-system) declaration, we have to use something like this:
(mapped-devices
  (list
    (mapped-device
      (source (uuid "LUKS-UUID"))
      (target "partname")
      (type luks-device-mapping))
    ;; This is our new encrypted swap partition
    (mapped-device
      (source (uuid "SWAP-LUKS-UUID"))
      (target "crypt_swap01")
      (type luks-device-mapping))
    (mapped-device
      (source "vgname")
      (targets (list "vgname-lvnameroot" "vgname-lvnamehome"))
      (type lvm-device-mapping))))

(swap-devices (list "/dev/mapper/crypt_swap01"))

WARNING: please consider I've not tested this code.
>> The problem with a fully encrypted dedicated swap partition is that
>> it'll require a third passphrase prompt on boot (the one to unlock the
>> swap partition), but that's a minor annoyance IMHO.
>
> Oh no! I hadn't thought about that! grrr!
Actually what I said it's NOT true... or better: we could avoid the (third) password prompt for the swap partition if we _add_ a keyfile to the LUKS encrypted swap partition _and_ we have a mechanism to "luksOpen" that mapped volume using that keyfile.
I'm not aware of such a mechanism on Guix Systems, in Debian (et al) this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the option to specify a keyfile.
So, as far as this cookbook section is concerned, unfortunately when using a dedicated encrypted swap partition an additional passphrase prompt will be presented to the user at each boot.
> I wonder if bcachefs is better than btrfs...well I guess it's not
> merged yet.
No, still not. AFAIU also still not available in Guix.
> What about instead of using a swap file we use zram?
Never used zram and I don't know if it's supported (I mean configured by (operating-system)) on Guix System
[...]
Sorry I've more issues than answers on these topics, nevertheless I hope it some way helps.
Thanks! Gio'
-- Giovanni Biscuolo
Xelera IT Infrastructures
Sarah Morgensen wrote on 22 Jul 00:50 +0200
Re: bug#49654: [PATCH] doc: Add full disc encryption guide to the cookbook
(name . Joshua Branson)(address . jbranso@dismail.de)
86tukns2mc.fsf@mgsn.dev
Hello Joshua, Raghav,
Good to see more guides like this. In addition to what others have already pointed out, I've got a few readability suggestions, reading this as a layperson :) (Questions are intended to be rhetorical, to illustrate where a layperson might have questions or be confused.)
Joshua Branson <jbranso@dismail.de> writes:
Toggle quote (40 lines)> From: Joshua Branson <jbranso AT gnucode.me>>> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>> and edited by Joshua Branson <jbranso@dismail.de>.>> * doc/guix-cookbook.texi (System Configuration): New section of full disc> encryption via libreboot.> ---> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++> 1 file changed, 724 insertions(+)>> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi> index 2e627ecc51..ef8f3425d6 100644> --- a/doc/guix-cookbook.texi> +++ b/doc/guix-cookbook.texi> @@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*> Copyright @copyright{} 2020 André Batista@*> Copyright @copyright{} 2020 Christopher Lemmer Webber> Copyright @copyright{} 2021 Joshua Branson@*> +Copyright @copyright{} 2021 Raghav Gururajan@*> > Permission is granted to copy, distribute and/or modify this document> under the terms of the GNU Free Documentation License, Version 1.3 or> @@ -1358,6 +1359,7 @@ reference.> * Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System.> * Guix System Image API:: Customizing images to target specific platforms.> * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption> * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.> * Running Guix on a Linode Server:: Running Guix on a Linode Server> * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.> @@ -1938,6 +1940,728 @@ For more specific information about NetworkManager and wireguard> @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see> this post by thaller}.> > +@node Guix System with Full Disk Encryption> +@section Guix System with Full Disk Encryption> +@cindex libreboot, full disk encryption> +> +Guix System is an exotic distribution of GNU/Linux operating system,
^ the
Toggle quote (7 lines)> +with Guix as package/system manager, Linux-Libre as kernel and> +Shepherd as init system.> +> +Libreboot is a de-blobbed distribution of Coreboot firmware. By> +default, Libreboot comes with GRUB bootloader as a payload.> +> +The objective of this manual is to provide step-by-step guide for
^ a
Toggle quote (1 lines)> +setting up Guix System (stand-alone Guix), with Full Disk
^ You already defined Guix System above
Toggle quote (7 lines)> +Encryption (FDE), on devices powered by Libreboot.> +> +Any users, for their generalized use cases, need not stumble away from> +this guide to accomplish the setup. Advanced users, for deviant use> +cases, will have to explore outside this guide for customization;> +although this guide provides information that is of paramount use.
Above paragraph does not add useful information and the tone does not match the rest of the Cookbook. (Sorry!)
Toggle quote (5 lines)> +> +Let us begin!> +> +@menu> +* Create Boot-able USB::
^ Bootable
Toggle quote (9 lines)> +* Installing and Setup::> +* Tweaking Libreboot's Grub Payload::> +* Closing Thoughts::> +* Special Thanks::> +@end menu> +> +@node Create Boot-able USB> +@subsection Create Boot-able USB
Likewise.
Toggle quote (3 lines)> +> +In the current GNU+Linux system, open terminal as root user.
"open a terminal as root" or "open a terminal as the root user"
Toggle quote (4 lines)> +> +Insert USB drive and get the device letter @code{/dev/sdX}, where “X” is the> +device letter.
What USB drive? This is the first I've heard of it! Do I need to make sure it's a specific kind? Is it okay if there's important information on there that I haven't backed up?
Also note that while usually the device identifier will be 'sdX' this is not guaranteed; sometimes you'll see 'hdX' or 'mmcblkX'.
Toggle quote (14 lines)> +> +@example> +lsblk --list> +@end example> +> +@example> +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT> +sda 8:0 0 223.6G 0 disk> +sda1 8:1 0 2M 0 part> +sda2 8:2 0 3.7G 0 part> +sda3 8:3 0 219.9G 0 part /> +zram0 251:0 0 512M 0 disk [SWAP]> +@end example
Why are these separate examples? IMO it would be more clear (and is the usual style in such guides) to combine them and simply add '$ ' to the beginning of any line that is a command the user should run.
Toggle quote (9 lines)> +> +> +Just in case the device is auto-mounted, unmount the device.> +> +@example> +umount /dev/sdX --verbose> +@end example> +> +Download the Guix System ISO installer package and it’s GPG signature;
^ its
Toggle quote (9 lines)> +where @code{A.B.C} is the version number and @code{SSS} is the system> +architecture.> +> +@example> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz.sig> +@end example> +> +Import the Guix's public key.
^ "the Guix" or "Guix's"
Toggle quote (33 lines)> +> +@example> +gpg --verbose --keyserver pool.sks-keyservers.net –-receive-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5> +@end example> +> +Verify the GPG signature of the downloaded package.> +> +@example> +gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig> +@end example> +> +Extract ISO image from the downloaded package.> +> +@example> +xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz> +@end example> +> +Write the extracted ISO image to the drive.> +> +@example> +dd if=guix-system-install-A.B.C.SSS-linux.iso of=/dev/sdX status=progress; sync> +@end example> +> +Reboot the device.> +> +@example> +reboot> +@end example> +> +@node Installing and Setup> +@subsection Installing and Setup> +> +On reboot, as soon as the Libreboot's graphic art appears, press "S"
^ "the" is not necessary
Toggle quote (3 lines)> +or choose @code{Search for GRUB2 configuration on external media [s]}. Wait> +for the Guix System from USB drive to load.
This sounds awkward. Perhaps "Wait for Guix System to load from the USB drive." or "Wait for the Guix System [you just] installed on the USB drive to load."?
Toggle quote (7 lines)> +> +Once Guix System installer starts, choose @code{Install using the shell> +based process}.> +> +Set your keyboard layout, where @code{lo} is the two-letter keyboard> +layout code (lower-case).
How do I know what my keyboard layout code should be? Even
"layout code (lower-case), for example @code{us} or @code{ru}."
would be helpful.
Toggle quote (47 lines)> +> +@example> +loadkeys --verbose lo> +@end example> +> +Unblock network interfaces.> +> +@example> +rfkill unblock all> +@end example> +> +Get the names of network interfaces.> +> +@example> +ifconfig -v -a> +@end example> +> +@example> +enp0s25 Link encap:Ethernet HWaddr 00:1C:25:9A:37:BA> + UP BROADCAST MULTICAST MTU:1500 Metric:1> + RX packets:0 errors:0 dropped:0 overruns:0 frame:0> + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0> + collisions:0 txqueuelen:1000> + RX bytes:0 TX bytes:0> + Interrupt:16 Memory:98800000-98820000> +> +lo Link encap:Local Loopback> + inet addr:127.0.0.1 Bcast:0.0.0.0 Mask:255.0.0.0> + UP LOOPBACK RUNNING MTU:65536 Metric:1> + RX packets:265 errors:0 dropped:0 overruns:0 frame:0> + TX packets:265 errors:0 dropped:0 overruns:0 carrier:0> + collisions:0 txqueuelen:1000> + RX bytes:164568 TX bytes:164568> +> +wlp2s0 Link encap:Ethernet HWaddr E4:CE:8F:59:D6:BF> + inet addr:192.168.1.133 Bcast:192.168.1.255 Mask:255.255.255.0> + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1> + RX packets:60084 errors:0 dropped:71 overruns:0 frame:0> + TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0> + collisions:0 txqueuelen:1000> + RX bytes:45965805 TX bytes:4905457> +> +@end example> +> +Bring the desired network interface (wired or wireless) up, where> +@code{nwif} is the network interface name.
How do I know which of the interfaces I should use?
Toggle quote (6 lines)> +> +@example> +ifconfig -v nwif up> +@end example> +> +For wireless connection, follow the wireless setup.
^ connections
Toggle quote (11 lines)> +> +@menu> +* Wireless Setup::> +@end menu> +> +@node Wireless Setup> +@subsubsection Wireless Setup> +> +Create a configuration file using text editor, where @code{fname} is any> +desired name for file.
This reads a bit awkwardly. Perhaps something like
"Create the configuration file using a text editor such as @code{nano}. In this example, we are naming the file @code{fname.conf}, but any name will do."
Also consider using a more descriptive example filename, like `wpa_supplicant.conf`. You'd be surprised how many users just use the example names!
Toggle quote (55 lines)> +> +@example> +nano fname.conf> +@end example> +> +Choose, type and save ONE of the following snippets, where ‘net’ is> +the network name, ‘pass’ is the password or passphrase and ‘uid’ is> +the user identity.> +> +For most private networks:> +> +@example> +network=@{> + ssid="net"> + key_mgmt=WPA-PSK> + psk="pass"> +@}> +@end example> +> +(or)> +> +For most public networks:> +> +@example> +network=@{> + ssid="net"> + key_mgmt=NONE> +@}> +@end example> +> +(or)> +> +For most organizational networks:> +> +@example> +network=@{> + ssid="net"> + scan_ssid=1> + key_mgmt=WPA-EAP> + identity="uid"> + password="pass"> + eap=PEAP> + phase1="peaplabel=0"> + phase2="auth=MSCHAPV2"> +@}> +@end example> +> +Connect to the configured network.> +> +@example> +wpa_supplicant -B -c fname.conf -i nwif> +@end example> +> +Assign an IP address to the network interface.
This is a bit misleading, as we aren't actually directly assigning an IP address, but using dhclient to get one through DHCP.
Toggle quote (5 lines)> +> +@example> +dhclient -v nwif> +@end example
Should there be something indicating the end of "Wireless Setup"? I'm not sure how texi subsections work, but if I were skipping "Wireless Setup," how would I know where to skip to?
Toggle quote (4 lines)> +> +Obtain the device letter @code{/dev/sdX} in which you would like to deploy> +and install Guix System, where “X” is the device letter.
This reads a bit awkwardly. Perhaps consider "Find the [device] identifier for the device you are installing Guix System onto."
Toggle quote (15 lines)> +> +@example> +lsblk --list> +@end example> +> +@example> +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT> +sda 8:0 0 223.6G 0 disk> +sda1 8:1 0 2M 0 part> +sda2 8:2 0 3.7G 0 part> +sda3 8:3 0 219.9G 0 part /> +zram0 251:0 0 512M 0 disk [SWAP]> +@end example> +> +Wipe the device (Ignore if the device is new).
^ lowercase; or "skip"
Also, why did the example for the USB drive show all 'sda' devices, and this one does too? This is potentially confusing. Consider using examples from the actual process.
Toggle quote (7 lines)> +> +@example> +shred --verbose --random-source=/dev/urandom /dev/sdX> +@end example> +> +Load the device-mapper module in the current kernel.
Why? Consider adding "(This is necessary for...)"
Toggle quote (8 lines)> +> +@example> +modprobe --verbose dm_mod> +@end example> +> +Partition the device. Follow the prompts. Just do, GPT --> New -->> +Write --> Quit; defaults will be set.
Consider writing out the steps.
Also: are we just using one partition? Prefer describing what the goal of a step is before describing the step, so a less knowledgeable user learns and a more knowledgeable user knows when that step can be substituted.
Toggle quote (8 lines)> +> +@example> +cfdisk /dev/sdX> +@end example> +> +Obtain the partition number from the device, where “Y” is the> +partition number.
Doesn't cfdisk show the partition number?
Toggle quote (22 lines)> +> +@example> +lsblk --list> +@end example> +> +Encrypt the partition. Follow the prompts.> +> +@example> +cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \> +--verify-passphrase --use-random --key-size 512 --iter-time 500 \> +luksFormat /dev/sdXY> +@end example> +> +Obtain and note down the UUID of the LUKS partition.> +> +@example> +cryptsetup --verbose luksUUID /dev/sdXY> +@end example> +> +Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,> +and @code{partname} is any desired name for the partition.
Consider suggesting (or using in your example) a default partition name, like with the .conf file above. Same for all the vg, lv, and fs names below.
Toggle quote (6 lines)> +> +@example> +cryptsetup --verbose> +luksOpen UUID=luks-uuid partname> +@end example
Is this supposed to be two lines?
Toggle quote (18 lines)> +> +Create a physical volume in the partition.> +> +@example> +pvcreate /dev/mapper/partname --verbose> +@end example> +> +Create a volume group in the physical volume, where @code{vgname} is any> +desired name for volume group.> +> +@example> +vgcreate vgname /dev/mapper/partname --verbose> +@end example> +> +Create logical volumes in the volume group; where "num" is the number> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any> +desired names for root and home volumes respectively.
There is not "num" or any GB values in your following example...
Toggle quote (7 lines)> +> +@example> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose> +@end example> +> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
^ logical volumes
Toggle quote (8 lines)> +@code{fsnamehome} are any desired names for root and home filesystems> +respectively.> +> +@example> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome> +@end example
Why are we using btrfs? Could I use ext4 instead?
Toggle quote (3 lines)> +> +Mount the filesystems under the current system.
Consider "Mount the new filesystems."
Toggle quote (15 lines)> +> +@example> +mount --label fsnameroot --target /mnt --types btrfs --verbose> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \> +/mnt/home --types btrfs --verbose> +@end example> +> +Create a swap file.> +> +@example> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress> +mkswap --verbose /mnt/swapfile> +@end example> +> +Make the swap file readable and writable only by root account.
"root." or "the root account."
Toggle quote (17 lines)> +> +@example> +chmod --verbose 600 /mnt/swapfile> +@end example> +> +Activate the swap file.> +> +@example> +swapon --verbose /mnt/swapfile> +@end example> +> +Install packages on the mounted root filesystem.> +> +@example> +herd start cow-store /mnt> +@end example
This doesn't actually install packages, does it? The manual says:
"This makes /gnu/store copy-on-write, such that packages added to it during the installation phase are written to the target disk rather than kept in memory."
Toggle quote (7 lines)> +> +Create the system-wide configuration files directory.> +> +@example> +mkdir --verbose /mnt/etc> +@end example
Why all the verbose, even on mkdir?
Toggle quote (5 lines)> +> +Create, edit and save the system configuration file by typing the> +following code snippet. WATCH-OUT for variables in the code snippet> +and replace them with the relevant values.
"Replace placeholders (such as LUKS-UUID) with their values from earlier."
Toggle quote (138 lines)> +> +@example> +nano /mnt/etc/config.scm> +@end example> +> +The content of config.scm is:> +> +@lisp> +(use-modules> + (gnu)> + (gnu system nss))> +> +(use-package-modules> + certs> + gnome> + linux)> +> +(use-service-modules> + desktop> + xorg)> +> +(operating-system> + (kernel linux-libre-lts)> + (kernel-arguments> + (append> + (list> + ;; this is needed to flash the libreboot ROM. After, you> + ;; have flashed your rom, it is a good idea to remove> + ;; iomem=relaxed from your kernel arguments> + "iomem=relaxed")> + %default-kernel-arguments))> +> + (timezone "Zone/SubZone")> + (locale "ab_XY.1234")> + (name-service-switch %mdns-host-lookup-nss)> +> + (bootloader> + (bootloader-configuration> + (bootloader> + (bootloader> + (inherit grub-bootloader)> + (installer #~(const #t))))> + (keyboard-layout keyboard-layout)))> +> + (keyboard-layout> + (keyboard-layout> + "xy"> + "altgr-intl"))> +> + (host-name "hostname")> +> + (mapped-devices> + (list> + (mapped-device> + (source> + (uuid "LUKS-UUID"))> + (target "partname")> + (type luks-device-mapping))> + (mapped-device> + (source "vgname")> + (targets> + (list> + "vgname-lvnameroot"> + "vgname-lvnamehome"))> + (type lvm-device-mapping))))> +> + (file-systems> + (append> + (list> + (file-system> + (type "btrfs")> + (mount-point "/")> + (device "/dev/mapper/VGNAME-LVNAMEROOT")> + (flags '(no-atime))> + (options "space_cache=v2")> + (needed-for-boot? 
#t)> + (dependencies mapped-devices))> + (file-system> + (type "btrfs")> + (mount-point "/home")> + (device "/dev/mapper/VGNAME-LVNAMEHOME")> + (flags '(no-atime))> + (options "space_cache=v2")> + (dependencies mapped-devices)))> + %base-file-systems))> +> + (swap-devices> + (list> + "/swapfile"))> +> + (users> + (append> + (list> + (user-account> + (name "USERNAME")> + (comment "Full Name")> + (group "users")> + (supplementary-groups '("audio" "cdrom"> + "kvm" "lp" "netdev"> + "tape" "video"> + "wheel"))))> + %base-user-accounts))> +> + (packages> + (append> + (list> + nss-certs)> + %base-packages))> +> + (services> + (append> + (list> + (service gnome-desktop-service-type))> + %desktop-services)))> +@end lisp> +> +Initialize new Guix System.> +> +@example> +guix system init /mnt/etc/config.scm /mnt> +@end example> +> +Reboot the device.> +> +@example> +reboot> +@end example> +> +@node Tweaking Libreboot's Grub Payload> +@subsection Tweaking Libreboot's Grub Payload> +@cindex grub payload> +> +On reboot, as soon as the Libreboot graphic art appears, press “C” to> +enter the command-line.> +> +Enter the following commands and respond to first command with the LUKS> +Key.
What key? When did we get a LUKS Key? Am I supposed to come up with a new key/passphrase?
Toggle quote (7 lines)> +> +@example> +cryptomount -u luks-uuid> +set root=(lvm/vgname-lvnameroot)> +@end example> +> +Upon Guix's GRUB menu, go with the default option.
"At the GRUB menu, selec the default option."
Toggle quote (4 lines)> +> +Enter the LUKS Key again, for kernel, as prompted.> +> +Upon login screen, login as "root" with password field empty.
"At the login screen" ^ the
Toggle quote (2 lines)> +> +Open terminal.
^ the
Toggle quote (2 lines)> +> +Set passkey for the "root" user. Follow the prompts.
^ the password
Toggle quote (6 lines)> +> +@example> +passwd root> +@end example> +> +Set passkey for the "username" user. Follow the prompts.
^ the password
Also, the guide used the @code{username} style before. Why the change?
Toggle quote (21 lines)> +> +@example> +passwd username> +@end example> +> +Install flashrom and wget.> +> +@example> +guix package –-install flashrom wget> +@end example> +> +Obtain the ROM chip's model and size. Look for the output line “Found> +[@dots{}] flash chip [@dots{}]”.> +> +@example> +flashrom --verbose --programmer internal> +@end example> +> +Download Libreboot ROM and utilities, where "YYYYMMDD" is the release> +date, @code{devmod} is the device model and "N" is the ROM chip size.
Likewise. The guide also used single quotes for 'sdX' earlier.
Toggle quote (22 lines)> +> +@example> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYYYYMMDD_util.tar.xz> +@end example> +> +Extract the downloaded files.> +@example> +tar --extract --file=libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verbose> +tar --extract --file=libreboot_rYYYYMMDD_util.tar.xz --verbose> +@end example> +> +Rename the directories of extracted files.> +> +@example> +mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"> +mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"> +@end example> +> +Copy the ROM image to the directory of cbfstool, where "kbdlo" is the> +keyboard layout and "arch" is the system architecture.
Likewise.
Toggle quote (61 lines)> +> +@example> +cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arch/libreboot.rom> +@end example> +> +Change directory to the directory of cbfstool.> +@example> +cd libreboot_util/cbfstool/arch/> +@end example> +> +Extract the GRUB configuration file from the image.> +> +@example> +./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg> +@end example> +> +Edit the GRUB configuration file and insert the following code snippet> +above the line @code{“menuentry 'Load Operating System [o]' --hotkey='o'> +--unrestricted @{ [...] @}”}.> +> +@example> +nano grub.cfg> +@end example> +> +Snippet:> +@example> +menuentry ‘Guix System (An advanced distribution of the GNU operating system) [g]’ --hotkey=’g’ --unrestricted> +@{> +cryptomount -u luks-uuid> +set root=(lvm/vgname-lvnameroot)> +configfile /boot/grub/grub.cfg> +@}> +@end example> +> +Remove the old GRUB configuration file from the ROM image.> +> +@example> +./cbfstool libreboot.rom remove -n grub.cfg> +@end example> +> +Insert the new GRUB configuration file into the ROM image.> +> +@example> +./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw> +@end example> +> +Move the ROM image to the directory of ich9gen.> +> +@example> +mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom> +@end example> +> +Change directory to the directory of ich9gen.> +> +@example> +cd ~/libreboot_util/ich9deblob/arch/> +@end example> +> +Generate descriptor+GbE images with the MAC address, where "mac-addr"> +is the MAC address of the machine.
Likewise.
Toggle quote (12 lines)> +> +@example> +ich9gen --macaddress mac-addr> +@end example> +> +Insert the descriptor+GbE image into the ROM image, where "N" is the> +ROM chip size.> +@example> +dd bs=12k conv=notrunc count=1 if=ich9fdgbe_Nm.bin of=libreboot.rom status=progress> +@end example> +> +Move the ROM image to the directory of flash.
^ "the flash script"
Toggle quote (12 lines)> +> +@example> +mv libreboot.rom ~/libreboot_util/libreboot.rom> +@end example> +> +Change directory to the directory of flash.> +> +@example> +cd ~/libreboot_util> +@end example> +> +Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.
^ the ^ no ","
Toggle quote (15 lines)> +@example> +nano flash> +@end example> +> +Flash the ROM with the new image.> +@example> +./flash update libreboot.rom> +@end example> +> +(or)> +> +@example> +./flash forceupdate libreboot.rom> +@end example
How do I know whether to use 'update' or 'forceupdate'?
Toggle quote (9 lines)> +> +Reboot the device.> +@example> +reboot> +@end example> +> +@node Closing Thoughts> +@subsection Closing Thoughts
Typically it's "Closing Remarks".
Toggle quote (2 lines)> +> +Everything should be stream-lined from now. Upon Libreboot's GRUB
What does this mean?
Toggle quote (2 lines)> +menu, you can either press "G" or choose "Guix System (An advanced> +distribution of the GNU operating system) [g]".
In order to do what?
Toggle quote (9 lines)> +> +During the boot process, as prompted, you have to type LUKS key twice;> +once for Libreboot's GRUB and once more for Linux-Libre kernel.> +Retyping a passphrase is a minor annoyance, but it is a secure method of> +opening up your device. There are methods that exist to only type the> +passphrase once, but none are currently integrated into Guix System.> +> +Generally, you will be using Libreboot's initial/default grub.cfg,
Is this the grub.cfg we setup above? If so, specify that.
Toggle quote (2 lines)> +whose Guix menu-entry invokes Guix's grub.cfg located at> +@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's
^ troubleshooting
Toggle quote (2 lines)> +@code{grubtest.cfg}, which hasn't been modified.
But *how* would I use grubtest.cfg?
Toggle quote (5 lines)> +> +Now that you have a working Guix System with full disk encryption, you> +may want to remove the @code{iomem=relaxed} from your> +@code{kernel-arguments}. @code{iomem=relaxed} is needed to reflash your> +rom. Since, most users will probably not flash their rom often, those
^ ROM ^ no "," ^ ROM
Toggle quote (2 lines)> +users may wish to disable that feature:
The change from "you" to "most users"/"those users" is a little jarring.
Toggle quote (19 lines)> +> +@lisp> + ;; optionally remove this bit of code from your config.scm> + (kernel-arguments> + (append> + (list> + ;; this is needed to flash the libreboot ROM. After, you> + ;; have flashed your rom, it is a good idea to remove> + ;; iomem=relaxed from your kernel arguments> + "iomem=relaxed")> + %default-kernel-arguments))> +@end lisp> +> +That is it! You have now setup Guix System with Full Disk Encryption on> +your device powered by Libreboot. Enjoy!> +> +More information about Libreboot can be found at their official> +documentation: @uref{https://libreboot.org/docs/}.
Consider embedding the link: "[...] can be found in the @uref{https://libreboot.org/docs/,official documentation}."
Toggle quote (5 lines)> +> +@node Special Thanks> +@subsection Special Thanks> +> +Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),
^ no "," ^ same
Toggle quote (1 lines)> +for helping me with the Scheme code for the bootloader configuration.
^ "for assisting with" (avoid first person prounouns)
Toggle quote (2 lines)> +> +Thanks to Libreboot founder and developer, Leah Rowe
^ no ","
Toggle quote (1 lines)> +(leah@@libreboot.org), for helping me with the understanding of
^ no "," ^ "for assistance with Libreboot."
Toggle quote (6 lines)> +Libreboot’s functionalities.> +> @node Customizing a Window Manager> @section Customizing a Window Manager> @cindex wm
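Review bot: the luksFormat invocation in the "Installing and Setup" subsection (cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 ... luksFormat /dev/sdXY) never pins the header format, so with cryptsetup 2.1 or later it produces a LUKS2 header whose keyslot uses argon2, and GRUB's cryptomount cannot open that: GRUB before 2.06 reads LUKS1 only, and 2.06 opens LUKS2 only when the keyslot KDF is pbkdf2. Add "--type luks1" (or "--pbkdf pbkdf2" if LUKS2 is wanted) to the command, and drop "--iter-time 500", which cuts the PBKDF benchmark to a quarter of cryptsetup's 2000 ms default and so weakens the passphrase against offline guessing for no gain. Further points in the same hunk: "dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile" writes 2^30 blocks of 1 MiB (a pebibyte, in practice until the disk is full), not 1 GiB; "count=1024" is meant, and on btrfs the file must be created with "chattr +C" before any data is written and must not be compressed, otherwise swapon refuses it. In the GPG step, "–-receive-keys" and later "guix package –-install" start with an en dash rather than two hyphens, so both commands fail when pasted; the SKS pool named there stopped operating in June 2021, and since "gpg --verify" prints "Good signature" for any key present in the keyring, the text should tell the reader to compare the fingerprint gpg reports with the one given on the --receive-keys line. "mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"" renames the tarball, not the extracted directory. In config.scm the file-system devices are "/dev/mapper/VGNAME-LVNAMEROOT" while the mapped-device targets are "vgname-lvnameroot"; the placeholders should agree, since both strings must name the same device node. Finally, "cryptomount -u luks-uuid" in both GRUB snippets should state that GRUB (through at least 2.06) compares against the header UUID with its dashes stripped, whereas luksUUID prints it with dashes; the grub.cfg Guix generates removes them for that reason.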
Also, consider referencing relevant sections of the manual, such as
https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
so users know where to find more detailed information.
Hope that helps,
Sarah
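The review above quotes the patch's "gpg --verify" step. The check it leaves out is that gpg reports "Good signature" for any key already in the keyring, so a key fetched by a mistyped or spoofed keyserver lookup still "verifies". The script below is an added example for this thread, not code from the patch, from Guix or from the cookbook: it reads gpg's machine-readable --status-fd output and accepts a download only when the VALIDSIG line names the key the patch fetches. The status lines in it are constructed samples in the format gpg emits; verify_guix_iso assumes gpg is on PATH and the key has been imported.

```shell
#!/bin/sh
# Added example (not from the patch, Guix or the cookbook): accept a
# signature only if it was made by the expected key, using gpg's
# "[GNUPG:] ..." status protocol instead of the human-readable output.

# Fingerprint of the key the patch fetches with --receive-keys.
GUIX_KEY_FPR=3CE464558A84FDC69DB40CFB090B11993D9AEBB5

# signature_is_from_key EXPECTED_FPR
#   Reads gpg status lines on stdin. Returns 0 only when a VALIDSIG line
#   names EXPECTED_FPR as the signing key or as the primary key of the
#   signing subkey; BADSIG, ERRSIG or NO_PUBKEY anywhere returns 1.
signature_is_from_key() {
    expected=$1
    matched=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver>
                #         <reserved> <pkalgo> <hashalgo> <class> <primary-fpr>
                set -f            # no globbing while splitting "[GNUPG:]"
                set -- $line
                set +f
                eval "primary=\${$#}"
                if [ "$3" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    matched=0
                fi ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
        esac
    done
    return $matched
}

# verify_guix_iso ISO_XZ SIG_FILE
#   Real use: needs gpg on PATH and the key imported beforehand.
verify_guix_iso() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | signature_is_from_key "$GUIX_KEY_FPR"
}

# Constructed status output in the shape gpg prints. TRUST_UNDEFINED is
# what produces the "not certified" warning; it does not make a signature
# invalid, which is why only the fingerprint tells the cases apart.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Guix release key (constructed sample)
[GNUPG:] VALIDSIG 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 2021-07-01 1625097600 0 4 0 1 10 00 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Valid signature, but from some other key that happens to be imported.
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else (constructed sample)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-07-01 1625097600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Tampered download: the right key, but the signature does not match.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 090B11993D9AEBB5 Guix release key (constructed sample)'

# Stand-alone demonstration on the constructed samples.
for name in STATUS_GOOD STATUS_OTHER_KEY STATUS_BAD; do
    eval "status=\$$name"
    if printf '%s\n' "$status" | signature_is_from_key "$GUIX_KEY_FPR"; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

The primary-key fingerprint is checked as well as the signing-key one because release signatures are often made with a signing subkey; VALIDSIG then carries the subkey fingerprint in field three and the primary fingerprint last.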
jbranso wrote on 22 Jul 21:16 +0200
(name . Sarah Morgensen)(address . iskarian@mgsn.dev)
2a373bf54c17a11a37ab8f2ca86ef07f@dismail.de
July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@mgsn.dev> wrote:
> Hello Joshua, Raghav,
>
> Good to see more guides like this. In addition to what others have
> already pointed out, I've got a few readability suggestions, reading this as a
> layperson :) (Questions are intended to be rhetorical, to illustrate
> where a layperson might have questions or be confused.)
Thanks so much for your proof-reading! I'll update and push a new patch!
> Also, consider referencing relevant sections of the manual, such as
>
> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
>
> so users know where to find more detailed information.
That is an awesome idea! I will do so!
> Hope that helps,
> Sarah
Ludovic Courtès wrote on 11 Aug 16:17 +0200
(address . jbranso@dismail.de)
87pmukkqvx.fsf_-_@gnu.org
Hi Joshua and all,
jbranso@dismail.de skribis:
> July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@mgsn.dev> wrote:
>
>> Hello Joshua, Raghav,
>>
>> Good to see more guides like this. In addition to what others have
>> already pointed out, I've got a few readability suggestions, reading this as a
>> layperson :) (Questions are intended to be rhetorical, to illustrate
>> where a layperson might have questions or be confused.)
>
> Thanks so much for your proof-reading! I'll update and push a new patch!
>
>> Also, consider referencing relevant sections of the manual, such as
>>
>> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
>>
>> so users know where to find more detailed information.
>
> That is an awesome idea! I will do so!
My main question would be: what do you think is not covered in the “Manual Installation” section?
That section covers full disk encryption and other things you propose, such as partitioning, downloading the ISO, authenticating it, changing the keyboard layout, etc.
From a maintenance perspective, it does not seem reasonable to maintain two similar pieces of documentation on these matters. From a user perspective, it could be confusing or downright deceiving if one of these two documents is out of date or erroneous.
All in all, for the topic we’re discussing, I’d suggest consolidating existing material instead of writing new material.
WDYT?
Thanks,
Ludo’.
jbranso wrote on 12 Aug 03:48 +0200
(name . Ludovic Courtès)(address . ludo@gnu.org)
56b97910c9bac2b0eafb40e0b70aadea@dismail.de
August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
> Hi Joshua and all,
>
> jbranso@dismail.de skribis:
>
>> July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@mgsn.dev> wrote:
>>
>>> Hello Joshua, Raghav,
>>>
>>> Good to see more guides like this. In addition to what others have
>>> already pointed out, I've got a few readability suggestions, reading this as a
>>> layperson :) (Questions are intended to be rhetorical, to illustrate
>>> where a layperson might have questions or be confused.)
>>
>> Thanks so much for your proof-reading! I'll update and push a new patch!
>>
>>> Also, consider referencing relevant sections of the manual, such as
>>>
>>> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
>>>
>>> so users know where to find more detailed information.
>>
>> That is an awesome idea! I will do so!
>
> My main question would be: what do you think is not covered in the
> “Manual Installation” section?
>
> That section covers full disk encryption and other things you propose,
> such as partitioning, downloading the ISO, authenticating it, changing
> the keyboard layout, etc.
I think that libreboot does not currently support the latest version of encryption...or only supports LVM v1....something like that. Perhaps those "libreboot specific encryption commands" need not be in the official manual?
>
> From a maintenance perspective, it does not seem reasonable to maintain
> two similar pieces of documentation on these matters. From a user
> perspective, it could be confusing or downright deceiving if one of
> these two documents is out of date or erroneous.
I'm game for that. I personally find the "Manual Installation" section slightly too terse...I've successfully installed guix encrypted before, but I had to use the graphical installation. I have a hard time comprehending how to manually install an encrypted guix, but I also just have a very hard time understanding new guix things too. :)
Perhaps, if the manual does not have it, we could provide an example config of an encrypted /home ? I feel like the majority of guix users do not use libreboot, so an encrypted / is not an option for most of them.
>
> All in all, for the topic we’re discussing, I’d suggest consolidating
> existing material instead of writing new material.
>
> WDYT?
>
> Thanks,
> Ludo’.
Ludovic Courtès wrote on 12 Aug 10:04 +0200
(address . jbranso@dismail.de)
878s17hywu.fsf@gnu.org
Hello!
jbranso@dismail.de skribis:
> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
[...]
>> My main question would be: what do you think is not covered in the
>> “Manual Installation” section?
>>
>> That section covers full disk encryption and other things you propose,
>> such as partitioning, downloading the ISO, authenticating it, changing
>> the keyboard layout, etc.
>
> I think that libreboot does not currently support the latest version of
> encryption...or only supports LVM v1....something like that. Perhaps those
> "libreboot specific encryption commands" need not be in the official manual?
Oh, right. Perhaps there could be a subsubsection next to “Disk Partitioning” & co. specifically about LibreBoot support? Would that make sense?
>> From a maintenance perspective, it does not seem reasonable to maintain
>> two similar pieces of documentation on these matters. From a user
>> perspective, it could be confusing or downright deceiving if one of
>> these two documents is out of date or erroneous.
>
> I'm game for that. I personally find the "Manual Installation" section
> slightly too terse...I've successfully installed guix encrypted before,
> but I had to use the graphical installation. I have a hard time
> comprehending how to manually install an encrypted guix, but I also just
> have a very hard time understanding new guix things too. :)
If you could pinpoint specific things that are missing or too vague in that section, that’d be great.
Of course we don’t want to explain too much in there because that’d be too much work, so this section assumes familiarity with GNU/Linux; and overall, we want to encourage users, both newbies and seasoned GNU/Linux users, to use the installer, because it’s so much more convenient.
> Perhaps, if the manual does not have it, we could provide an example
> config of an encrypted /home ? I feel like the majority of guix users
> do not use libreboot, so an encrypted / is not an option for most of them.
Why is it not an option? I use encrypted root without Libreboot and the installer offers that option.
Thanks!
Ludo’.
jbranso wrote on 12 Aug 10:41 +0200
(name . Ludovic Courtès)(address . ludo@gnu.org)
88a58ef059693914775700403c7c45f6@dismail.de
August 12, 2021 4:04 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
> Hello!
>
> jbranso@dismail.de skribis:
>
>> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
>
> [...]
>
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>>
>>> That section covers full disk encryption and other things you propose,
>>> such as partitioning, downloading the ISO, authenticating it, changing
>>> the keyboard layout, etc.
>>
>> I think that libreboot does not currently support the latest version of
>> encryption...or only supports LVM v1....something like that. Perhaps those
>> "libreboot specific encryption commands" need not be in the official manual?
>
> Oh, right. Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support? Would that
> make sense?
I'm game for that! If you think that belongs in the manual proper, I'm game to put it there!
>>> From a maintenance perspective, it does not seem reasonable to maintain
>>> two similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>>
>> I'm game for that. I personally find the "Manual Installation" section
>> slightly too terse...I've successfully installed guix encrypted before,
>> but I had to use the graphical installation. I have a hard time
>> comprehending how to manually install an encrypted guix, but I also just
>> have a very hard time understanding new guix things too. :)
>
> If you could pinpoint specific things that are missing or too vague in
> that section, that’d be great.
I was actually going to point out that the manual lacks an example config for encrypted /...but this is apparently not the case. 10.1 has such an example, and I'm delighted to see that the Manual Installation, specifically 3.6.2 Proceeding with the Installation, links to 10.1, which has all of the example configs. That is super helpful!
> Of course we don’t want to explain too much in there because that’d be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned GNU/Linux
> users, to use the installer, because it’s so much more convenient.
>
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ? I feel like the majority of guix users
>> do not use libreboot, so an encrypted / is not an option for most of them.
>
> Why is it not an option? I use encrypted root without Libreboot and the
> installer offers that option.
Forgive me. This is an example of me not being very technical...I'm assuming that "encrypted /" is the same as "full disc encryption". That's my mistake. :) As stated above, the manual does have an example of encrypted /. :)
> Thanks!
>
> Ludo’.
david larsson wrote on 12 Aug 10:59 +0200
Re: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
(name . Ludovic Courtès)(address . ludo@gnu.org)
6d41fe0ff317cf845f90591250988f5b@selfhosted.xyz
On 2021-08-12 10:04, Ludovic Courtès wrote:
> Hello!
>
> jbranso@dismail.de skribis:
>
>> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
>
> [...]
>
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>>
>>> That section covers full disk encryption and other things you propose,
>>> such as partitioning, downloading the ISO, authenticating it, changing
>>> the keyboard layout, etc.
>>
>> I think that libreboot does not currently support the latest version of
>> encryption...or only supports LVM v1....something like that. Perhaps those
>> "libreboot specific encryption commands" need not be in the official manual?
>
> Oh, right. Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support? Would that
> make sense?
>
>>> From a maintenance perspective, it does not seem reasonable to maintain
>>> two similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>>
>> I'm game for that. I personally find the "Manual Installation" section
>> slightly too terse...I've successfully installed guix encrypted before,
>> but I had to use the graphical installation. I have a hard time
>> comprehending how to manually install an encrypted guix, but I also just
>> have a very hard time understanding new guix things too. :)
>
> If you could pinpoint specific things that are missing or too vague in
> that section, that’d be great.
>
> Of course we don’t want to explain too much in there because that’d be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned GNU/Linux
> users, to use the installer, because it’s so much more convenient.
>
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ? I feel like the majority of guix users
>> do not use libreboot, so an encrypted / is not an option for most of them.
>
> Why is it not an option? I use encrypted root without Libreboot and the
> installer offers that option.
Hi!
I'm happy to see this added to the cookbook.
Just to clarify: with libreboot you can have the *entire* root partition encrypted without a separate boot partition (with /boot mounted under the encrypted root) - i.e. an actually fully encrypted disk (save the luks headers). So this is why you need to carefully set up the grub.cfg that's in libreboot's ROM (assuming you use Grub as payload) to use something like: cryptomount -a ; configfile (crypto0)/boot/grub/grub.cfg, so that you point to Guix's continuously updated version of grub.cfg inside the encrypted partition.
If you want to have /boot on an encrypted partition without using libreboot, you need to pack crypttools or whatever (cryptomount command) into the initrd, which is generated with guile code. Guix currently doesn't offer such options, to my knowledge.
Related note: there have also been discussions on the Grub dev mailing lists about adding the option to specify luks headers in grub.cfg, which would allow for actual full disk encryption of internal drives (indistinguishable from a random-wiped disk), and then you could probably accomplish this by mounting /boot in your config.scm from an external usb. This would also be a nice thing to add to the cookbook IMO (when that feature is available in Grub).
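The Guix side of the setup david larsson describes above, as an added illustration (it is not part of the submitted patch, the Guix manual, or libreboot's own documentation): an operating-system declaration where the root file system, /boot included, lives inside a single LUKS volume. The unlocking itself is done by the libreboot GRUB payload's grub.cfg in the ROM, not by this file, with the stanza quoted above ("cryptomount -a; configfile (crypto0)/boot/grub/grub.cfg"), which then hands over to the /boot/grub/grub.cfg that "guix system reconfigure" keeps current inside the encrypted root. The UUID, device path, host name and user name are placeholders to replace with your own; the bootloader field was called "target" in the Guix of 2021 and takes a list under the name "targets" in later versions, so use whichever your Guix accepts.

```scheme
;; config.scm -- Guix System with / (and therefore /boot) on one LUKS volume.
;; Added example, not from the patch under discussion.  UUID, device, host
;; name and user are placeholders.
(use-modules (gnu))
(use-service-modules desktop)

(operating-system
  (host-name "libreboot-laptop")       ; placeholder
  (timezone "Europe/Paris")            ; placeholder
  (locale "en_US.utf8")

  ;; Guix still installs GRUB to the disk and writes /boot/grub/grub.cfg.
  ;; With libreboot, the ROM's own GRUB opens the LUKS volume first
  ;; (cryptomount -a) and then chains to that file via
  ;; "configfile (crypto0)/boot/grub/grub.cfg", so the grub.cfg Guix
  ;; regenerates on every reconfigure is the one actually used.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))    ; `targets' with a list in newer Guix

  ;; The LUKS container.  Use the UUID printed by
  ;; "cryptsetup luksUUID /dev/sda1"; the target name is arbitrary and
  ;; becomes /dev/mapper/cryptroot once the initrd has opened it.
  (mapped-devices
   (list (mapped-device
          (source (uuid "8e1a5f3c-0000-4000-8000-000000000001")) ; placeholder
          (target "cryptroot")
          (type luks-device-mapping))))

  ;; Root sits inside the mapped device.  `dependencies' tells the initrd
  ;; to open the LUKS volume before it tries to mount this file system;
  ;; no separate, cleartext /boot partition is declared anywhere.
  (file-systems (cons (file-system
                        (device "/dev/mapper/cryptroot")
                        (mount-point "/")
                        (type "ext4")
                        (dependencies mapped-devices))
                      %base-file-systems))

  (users (cons (user-account
                (name "alice")                 ; placeholder
                (group "users")
                (supplementary-groups '("wheel" "netdev" "audio" "video")))
               %base-user-accounts))

  (services %desktop-services))
```

Two caveats a practitioner will want before relying on this. First, both GRUBs involved (the libreboot payload and the one Guix installs) have to be able to open the LUKS format you chose; GRUB's cryptomount has long supported only LUKS1, and its LUKS2 support is limited to the PBKDF2 key derivation, so format the volume with LUKS1 or with LUKS2 and PBKDF2, not the Argon2 default. Second, because the volume is opened once by GRUB and again by the initrd, the passphrase is asked for twice at boot unless you arrange for a key file; and, as noted above, the LUKS header itself stays in cleartext on the disk.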
To comment on this conversation send email to 49654@debbugs.gnu.org