[PATCH] doc: Add full disc encryption guide to the cookbook

Joshua Branson wrote on 20 Jul 2021 07:22

Recipients:(address . guix-patches@gnu.org)(address . rg@raghavgururajan.name)

Message-ID:20210720052229.15438-1-jbranso@dismail.de

The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>

and edited by Joshua Branson <jbranso@dismail.de>.

* doc/guix-cookbook.texi (System Configuration): New section of full disc

encryption via libreboot.

---

doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++

1 file changed, 724 insertions(+)

Toggle diff (751 lines)diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e627ecc51..ef8f3425d6 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
 Copyright @copyright{} 2020 André Batista@*
 Copyright @copyright{} 2020 Christopher Lemmer Webber
 Copyright @copyright{} 2021 Joshua Branson@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1358,6 +1359,7 @@ reference.
 * Customizing the Kernel::       Creating and using a custom Linux kernel on Guix System.
 * Guix System Image API::        Customizing images to target specific platforms.
 * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
+* Guix System with Full Disk Encryption::    Guix System with Full Disk Encryption
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
 * Running Guix on a Linode Server:: Running Guix on a Linode Server
 * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
@@ -1938,6 +1940,728 @@ For more specific information about NetworkManager and wireguard
 @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see
 this post by thaller}.
 
+@node Guix System with Full Disk Encryption
+@section Guix System with Full Disk Encryption
+@cindex libreboot, full disk encryption
+
+Guix System is an exotic distribution of GNU/Linux operating system,
+with Guix as package/system manager, Linux-Libre as kernel and
+Shepherd as init system.
+
+Libreboot is a de-blobbed distribution of Coreboot firmware. By
+default, Libreboot comes with GRUB bootloader as a payload.
+
+The objective of this manual is to provide step-by-step guide for
+setting up Guix System (stand-alone Guix), with Full Disk
+Encryption (FDE), on devices powered by Libreboot.
+
+Any users, for their generalized use cases, need not stumble away from
+this guide to accomplish the setup. Advanced users, for deviant use
+cases, will have to explore outside this guide for customization;
+although this guide provides information that is of paramount use.
+
+Let us begin!
+
+@menu
+* Create Boot-able USB::
+* Installing and Setup::
+* Tweaking Libreboot's Grub Payload::
+* Closing Thoughts::
+* Special Thanks::
+@end menu
+
+@node Create Boot-able USB
+@subsection Create Boot-able USB
+
+In the current GNU+Linux system, open terminal as root user.
+
+Insert USB drive and get the device letter @code{/dev/sdX}, where “X” is the
+device letter.
+
+@example
+lsblk --list
+@end example
+
+@example
+NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
+sda     8:0    0 223.6G  0 disk
+sda1    8:1    0     2M  0 part
+sda2    8:2    0   3.7G  0 part
+sda3    8:3    0 219.9G  0 part /
+zram0 251:0    0   512M  0 disk [SWAP]
+@end example
+
+
+Just in case the device is auto-mounted, unmount the device.
+
+@example
+umount /dev/sdX --verbose
+@end example
+
+Download the Guix System ISO installer package and it’s GPG signature;
+where @code{A.B.C} is the version number and @code{SSS} is the system
+architecture.
+
+@example
+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz
+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz.sig
+@end example
+
+Import the Guix's public key.
+
+@example
+gpg --verbose --keyserver pool.sks-keyservers.net –-receive-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
+@end example
+
+Verify the GPG signature of the downloaded package.
+
+@example
+gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig
+@end example
+
+Extract ISO image from the downloaded package.
+
+@example
+xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz
+@end example
+
+Write the extracted ISO image to the drive.
+
+@example
+dd if=guix-system-install-A.B.C.SSS-linux.iso of=/dev/sdX status=progress; sync
+@end example
+
+Reboot the device.
+
+@example
+reboot
+@end example
+
+@node Installing and Setup
+@subsection Installing and Setup
+
+On reboot, as soon as the Libreboot's graphic art appears, press "S"
+or choose @code{Search for GRUB2 configuration on external media [s]}. Wait
+for the Guix System from USB drive to load.
+
+Once Guix System installer starts, choose @code{Install using the shell
+based process}.
+
+Set your keyboard layout, where @code{lo} is the two-letter keyboard
+layout code (lower-case).
+
+@example
+loadkeys --verbose lo
+@end example
+
+Unblock network interfaces.
+
+@example
+rfkill unblock all
+@end example
+
+Get the names of network interfaces.
+
+@example
+ifconfig -v -a
+@end example
+
+@example
+enp0s25   Link encap:Ethernet  HWaddr 00:1C:25:9A:37:BA
+          UP BROADCAST MULTICAST  MTU:1500  Metric:1
+          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:0  TX bytes:0
+          Interrupt:16 Memory:98800000-98820000
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Bcast:0.0.0.0  Mask:255.0.0.0
+          UP LOOPBACK RUNNING  MTU:65536  Metric:1
+          RX packets:265 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:164568  TX bytes:164568
+
+wlp2s0    Link encap:Ethernet  HWaddr E4:CE:8F:59:D6:BF
+          inet addr:192.168.1.133  Bcast:192.168.1.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:60084 errors:0 dropped:71 overruns:0 frame:0
+          TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:45965805  TX bytes:4905457
+
+@end example
+
+Bring the desired network interface (wired or wireless) up, where
+@code{nwif} is the network interface name.
+
+@example
+ifconfig -v nwif up
+@end example
+
+For wireless connection, follow the wireless setup.
+
+@menu
+* Wireless Setup::
+@end menu
+
+@node Wireless Setup
+@subsubsection Wireless Setup
+
+Create a configuration file using text editor, where @code{fname} is any
+desired name for file.
+
+@example
+nano fname.conf
+@end example
+
+Choose, type and save ONE of the following snippets, where ‘net’ is
+the network name, ‘pass’ is the password or passphrase and ‘uid’ is
+the user identity.
+
+For most private networks:
+
+@example
+network=@{
+  ssid="net"
+  key_mgmt=WPA-PSK
+  psk="pass"
+@}
+@end example
+
+(or)
+
+For most public networks:
+
+@example
+network=@{
+  ssid="net"
+  key_mgmt=NONE
+@}
+@end example
+
+(or)
+
+For most organizational networks:
+
+@example
+network=@{
+  ssid="net"
+  scan_ssid=1
+  key_mgmt=WPA-EAP
+  identity="uid"
+  password="pass"
+  eap=PEAP
+  phase1="peaplabel=0"
+  phase2="auth=MSCHAPV2"
+@}
+@end example
+
+Connect to the configured network.
+
+@example
+wpa_supplicant -B -c fname.conf -i nwif
+@end example
+
+Assign an IP address to the network interface.
+
+@example
+dhclient -v nwif
+@end example
+
+Obtain the device letter @code{/dev/sdX} in which you would like to deploy
+and install Guix System, where “X” is the device letter.
+
+@example
+lsblk --list
+@end example
+
+@example
+NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
+sda     8:0    0 223.6G  0 disk
+sda1    8:1    0     2M  0 part
+sda2    8:2    0   3.7G  0 part
+sda3    8:3    0 219.9G  0 part /
+zram0 251:0    0   512M  0 disk [SWAP]
+@end example
+
+Wipe the device (Ignore if the device is new).
+
+@example
+shred --verbose --random-source=/dev/urandom /dev/sdX
+@end example
+
+Load the device-mapper module in the current kernel.
+
+@example
+modprobe --verbose dm_mod
+@end example
+
+Partition the device. Follow the prompts. Just do, GPT --> New -->
+Write --> Quit; defaults will be set.
+
+@example
+cfdisk /dev/sdX
+@end example
+
+Obtain the partition number from the device, where “Y” is the
+partition number.
+
+@example
+lsblk --list
+@end example
+
+Encrypt the partition. Follow the prompts.
+
+@example
+cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
+--verify-passphrase --use-random --key-size 512 --iter-time 500 \
+luksFormat /dev/sdXY
+@end example
+
+Obtain and note down the UUID of the LUKS partition.
+
+@example
+cryptsetup --verbose luksUUID /dev/sdXY
+@end example
+
+Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
+and @code{partname} is any desired name for the partition.
+
+@example
+cryptsetup --verbose
+luksOpen UUID=luks-uuid partname
+@end example
+
+Create a physical volume in the partition.
+
+@example
+pvcreate /dev/mapper/partname --verbose
+@end example
+
+Create a volume group in the physical volume, where @code{vgname} is any
+desired name for volume group.
+
+@example
+vgcreate vgname /dev/mapper/partname --verbose
+@end example
+
+Create logical volumes in the volume group; where "num" is the number
+for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
+desired names for root and home volumes respectively.
+
+@example
+lvcreate --extents 25%VG vgname --name lvnameroot --verbose
+lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
+@end example
+
+Create filesystems on the logical-volumes, where @code{fsnameroot} and
+@code{fsnamehome} are any desired names for root and home filesystems
+respectively.
+
+@example
+mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
+mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
+@end example
+
+Mount the filesystems under the current system.
+
+@example
+mount --label fsnameroot --target /mnt --types btrfs --verbose
+mkdir --verbose /mnt/home && mount --label fsnamehome --target \
+/mnt/home --types btrfs --verbose
+@end example
+
+Create a swap file.
+
+@example
+dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
+mkswap --verbose /mnt/swapfile
+@end example
+
+Make the swap file readable and writable only by root account.
+
+@example
+chmod --verbose 600 /mnt/swapfile
+@end example
+
+Activate the swap file.
+
+@example
+swapon --verbose /mnt/swapfile
+@end example
+
+Install packages on the mounted root filesystem.
+
+@example
+herd start cow-store /mnt
+@end example
+
+Create the system-wide configuration files directory.
+
+@example
+mkdir --verbose /mnt/etc
+@end example
+
+Create, edit and save the system configuration file by typing the
+following code snippet. WATCH-OUT for variables in the code snippet
+and replace them with the relevant values.
+
+@example
+nano /mnt/etc/config.scm
+@end example
+
+The content of config.scm is:
+
+@lisp
+(use-modules
+ (gnu)
+ (gnu system nss))
+
+(use-package-modules
+ certs
+ gnome
+ linux)
+
+(use-service-modules
+ desktop
+ xorg)
+
+(operating-system
+  (kernel linux-libre-lts)
+  (kernel-arguments
+   (append
+    (list
+    ;; this is needed to flash the libreboot ROM. After, you
+    ;; have flashed your rom, it is a good idea to remove
+    ;; iomem=relaxed from your kernel arguments
+     "iomem=relaxed")
+    %default-kernel-arguments))
+
+  (timezone "Zone/SubZone")
+  (locale "ab_XY.1234")
+  (name-service-switch %mdns-host-lookup-nss)
+
+  (bootloader
+   (bootloader-configuration
+    (bootloader
+     (bootloader
+      (inherit grub-bootloader)
+      (installer #~(const #t))))
+    (keyboard-layout keyboard-layout)))
+
+  (keyboard-layout
+   (keyboard-layout
+    "xy"
+    "altgr-intl"))
+
+  (host-name "hostname")
+
+  (mapped-devices
+   (list
+    (mapped-device
+     (source
+      (uuid "LUKS-UUID"))
+     (target "partname")
+     (type luks-device-mapping))
+    (mapped-device
+     (source "vgname")
+     (targets
+      (list
+       "vgname-lvnameroot"
+       "vgname-lvnamehome"))
+     (type lvm-device-mapping))))
+
+  (file-systems
+   (append
+    (list
+     (file-system
+       (type "btrfs")
+       (mount-point "/")
+       (device "/dev/mapper/VGNAME-LVNAMEROOT")
+       (flags '(no-atime))
+       (options "space_cache=v2")
+       (needed-for-boot? #t)
+       (dependencies mapped-devices))
+     (file-system
+       (type "btrfs")
+       (mount-point "/home")
+       (device "/dev/mapper/VGNAME-LVNAMEHOME")
+       (flags '(no-atime))
+       (options "space_cache=v2")
+       (dependencies mapped-devices)))
+    %base-file-systems))
+
+  (swap-devices
+   (list
+    "/swapfile"))
+
+  (users
+   (append
+    (list
+     (user-account
+      (name "USERNAME")
+      (comment "Full Name")
+      (group "users")
+      (supplementary-groups '("audio" "cdrom"
+                              "kvm" "lp" "netdev"
+                              "tape" "video"
+                              "wheel"))))
+    %base-user-accounts))
+
+  (packages
+   (append
+    (list
+     nss-certs)
+    %base-packages))
+
+  (services
+   (append
+    (list
+     (service gnome-desktop-service-type))
+    %desktop-services)))
+@end lisp
+
+Initialize new Guix System.
+
+@example
+guix system init /mnt/etc/config.scm /mnt
+@end example
+
+Reboot the device.
+
+@example
+reboot
+@end example
+
+@node Tweaking Libreboot's Grub Payload
+@subsection Tweaking Libreboot's Grub Payload
+@cindex grub payload
+
+On reboot, as soon as the Libreboot graphic art appears, press “C” to
+enter the command-line.
+
+Enter the following commands and respond to first command with the LUKS
+Key.
+
+@example
+cryptomount -u luks-uuid
+set root=(lvm/vgname-lvnameroot)
+@end example
+
+Upon Guix's GRUB menu, go with the default option.
+
+Enter the LUKS Key again, for kernel, as prompted.
+
+Upon login screen, login as "root" with password field empty.
+
+Open terminal.
+
+Set passkey for the "root" user. Follow the prompts.
+
+@example
+passwd root
+@end example
+
+Set passkey for the "username" user. Follow the prompts.
+
+@example
+passwd username
+@end example
+
+Install flashrom and wget.
+
+@example
+guix package –-install flashrom wget
+@end example
+
+Obtain the ROM chip's model and size. Look for the output line “Found
+[@dots{}] flash chip [@dots{}]”.
+
+@example
+flashrom --verbose --programmer internal
+@end example
+
+Download Libreboot ROM and utilities, where "YYYYMMDD" is the release
+date, @code{devmod} is the device model and "N" is the ROM chip size.
+
+@example
+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz
+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYYYYMMDD_util.tar.xz
+@end example
+
+Extract the downloaded files.
+@example
+tar --extract --file=libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verbose
+tar --extract --file=libreboot_rYYYYMMDD_util.tar.xz --verbose
+@end example
+
+Rename the directories of extracted files.
+
+@example
+mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"
+mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"
+@end example
+
+Copy the ROM image to the directory of cbfstool, where "kbdlo" is the
+keyboard layout and "arch" is the system architecture.
+
+@example
+cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arch/libreboot.rom
+@end example
+
+Change directory to the directory of cbfstool.
+@example
+cd libreboot_util/cbfstool/arch/
+@end example
+
+Extract the GRUB configuration file from the image.
+
+@example
+./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg
+@end example
+
+Edit the GRUB configuration file and insert the following code snippet
+above the line @code{“menuentry 'Load Operating System [o]' --hotkey='o'
+--unrestricted @{ [...] @}”}.
+
+@example
+nano grub.cfg
+@end example
+
+Snippet:
+@example
+menuentry ‘Guix System (An advanced distribution of the GNU operating system) [g]’ --hotkey=’g’ --unrestricted
+@{
+cryptomount -u luks-uuid
+set root=(lvm/vgname-lvnameroot)
+configfile /boot/grub/grub.cfg
+@}
+@end example
+
+Remove the old GRUB configuration file from the ROM image.
+
+@example
+./cbfstool libreboot.rom remove -n grub.cfg
+@end example
+
+Insert the new GRUB configuration file into the ROM image.
+
+@example
+./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
+@end example
+
+Move the ROM image to the directory of ich9gen.
+
+@example
+mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom
+@end example
+
+Change directory to the directory of ich9gen.
+
+@example
+cd ~/libreboot_util/ich9deblob/arch/
+@end example
+
+Generate descriptor+GbE images with the MAC address, where "mac-addr"
+is the MAC address of the machine.
+
+@example
+ich9gen --macaddress mac-addr
+@end example
+
+Insert the descriptor+GbE image into the ROM image, where "N" is the
+ROM chip size.
+@example
+dd bs=12k conv=notrunc count=1 if=ich9fdgbe_Nm.bin of=libreboot.rom status=progress
+@end example
+
+Move the ROM image to the directory of flash.
+
+@example
+mv libreboot.rom ~/libreboot_util/libreboot.rom
+@end example
+
+Change directory to the directory of flash.
+
+@example
+cd ~/libreboot_util
+@end example
+
+Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.
+@example
+nano flash
+@end example
+
+Flash the ROM with the new image.
+@example
+./flash update libreboot.rom
+@end example
+
+(or)
+
+@example
+./flash forceupdate libreboot.rom
+@end example
+
+Reboot the device.
+@example
+reboot
+@end example
+
+@node Closing Thoughts
+@subsection Closing Thoughts
+
+Everything should be stream-lined from now. Upon Libreboot's GRUB
+menu, you can either press "G" or choose "Guix System (An advanced
+distribution of the GNU operating system) [g]".
+
+During the boot process, as prompted, you have to type LUKS key twice;
+once for Libreboot's GRUB and once more for Linux-Libre kernel.
+Retyping a passphrase is a minor annoyance, but it is a secure method of
+opening up your device.  There are methods that exist to only type the
+passphrase once, but none are currently integrated into Guix System.
+
+Generally, you will be using Libreboot's initial/default grub.cfg,
+whose Guix menu-entry invokes Guix's grub.cfg located at
+@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's
+@code{grubtest.cfg}, which hasn't been modified.
+
+Now that you have a working Guix System with full disk encryption, you
+may want to remove the @code{iomem=relaxed} from your
+@code{kernel-arguments}.  @code{iomem=relaxed} is needed to reflash your
+rom.  Since, most users will probably not flash their rom often, those
+users may wish to disable that feature:
+
+@lisp
+  ;; optionally remove this bit of code from your config.scm
+  (kernel-arguments
+   (append
+    (list
+    ;; this is needed to flash the libreboot ROM. After, you
+    ;; have flashed your rom, it is a good idea to remove
+    ;; iomem=relaxed from your kernel arguments
+     "iomem=relaxed")
+    %default-kernel-arguments))
+@end lisp
+
+That is it! You have now setup Guix System with Full Disk Encryption on
+your device powered by Libreboot. Enjoy!
+
+More information about Libreboot can be found at their official
+documentation: @uref{https://libreboot.org/docs/}.
+
+@node Special Thanks
+@subsection Special Thanks
+
+Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),
+for helping me with the Scheme code for the bootloader configuration.
+
+Thanks to Libreboot founder and developer, Leah Rowe
+(leah@@libreboot.org), for helping me with the understanding of
+Libreboot’s functionalities.
+
 @node Customizing a Window Manager
 @section Customizing a Window Manager
 @cindex wm
-- 
2.32.0

Giovanni Biscuolo wrote on 20 Jul 2021 12:41

Recipients:(address . rg@raghavgururajan.name)

Message-ID:87pmvdi7xa.fsf@xelera.eu

Hello Joshua and Raghav,

thank you for your guide! I have just a couple of comments.

Joshua Branson via Guix-patches via <guix-patches@gnu.org> writes:

Toggle quote (11 lines)> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>
> and edited by Joshua Branson <jbranso@dismail.de>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
>  doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 724 insertions(+)

[...]

Toggle quote (2 lines)

> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption

AFAIU the steps, especially the partitioning that does not provide an

UEFI dedicated partition, are specific to Libreboot systems: what about

to make it more clear in the section title?

...or to adapt the section by separating Libreboot specific instructions

from generic system instructions?

[...]

Toggle quote (31 lines)> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example

Why using two BTRFS volumes on top of LVM and not directly using BTRFS

(with subvolumes if you want) on top of /dev/mapper/partname?

AFAIU the "double mapping" it's not needed, BTRFS have a very good (and

now mature) built in volume manager. Furthermore, using BTRFS for

volume management will allow users to switch to a multi-device system

(e.g. RAID1) very easily.

I'm still using LVM on some "legacy" systems but for new installations

I'd strogly suggest starting using BTRFS on top of "physical"

partitions.

Toggle quote (15 lines)> +Mount the filesystems under the current system.
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> +mkswap --verbose /mnt/swapfile
> +@end example

I know that since Linux 2.6 swapfile performance is not a big issue if
the file is unfragmented (and it'll be for sure on newly partitioned
filesystems) but AFAIU swap files are still a little bit problematic on
BTRFS
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:

Toggle snippet (7 lines)

From kernel 5.0+ btrfs have native swap files support, but with some

limitations. Swap file - must be fully allocated as NOCOW with no

compression on one device.

I've never tested a system with swap file on BTRFS but I think that your

instructions should add how to set NOCOW for the swap file.

The above example could be:

Toggle snippet (10 lines)

@example

dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress

mkswap --verbose /mnt/swapfile

chattr +C /mnt/swapfile

btrfs property set /mnt/swapfile compression none

@end example

Final note: AFAIU BTRFS supports swap files ONLY in single device

settings (that is: NO swap file support on multi device settings), so

IMHO it's better to use a dedicated partition for the swap space so

users are free to switch to a multi-device setting if they wish (and

can).

The problem with a fully encrypted dedicated swap partition is that

it'll require a third passphrase prompt on boot (the one to unlock the

swap partition), but that's a minor annoyance IMHO.

What do you think?

[...]

Happy hacking! Gio'

Giovanni Biscuolo

Xelera IT Infrastructures

Joshua Branson wrote on 20 Jul 2021 20:15

Recipients:(name . Giovanni Biscuolo)(address . g@xelera.eu)

Message-ID:87eebsvokg.fsf@dismail.de

Giovanni Biscuolo <g@xelera.eu> writes:

Toggle quote (25 lines)> Hello Joshua and Raghav,
>
> thank you for your guide!  I have just a couple of comments.
>
> Joshua Branson via Guix-patches via <guix-patches@gnu.org> writes:
>
>> From: Joshua Branson <jbranso AT gnucode.me>
>>
>> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>
>> and edited by Joshua Branson <jbranso@dismail.de>.
>>
>> * doc/guix-cookbook.texi (System Configuration): New section of full disc
>> encryption via libreboot.
>> ---
>>  doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 724 insertions(+)
>
> [...]
>
>> +* Guix System with Full Disk Encryption::    Guix System with Full Disk Encryption
>
> AFAIU the steps, especially the partitioning that does not provide an
> UEFI dedicated partition, are specific to Libreboot systems: what about
> to make it more clear in the section title?

I will mention this somewhere. Thanks. Perhaps we could mention that

libreboot systems are so ancient that they do not support UEFI. I will

also mention that newer coreboot devices do not support a UEFI partition,

but require proprietary blobs to run properly.

Toggle quote (4 lines)

> ...or to adapt the section by separating Libreboot specific instructions

> from generic system instructions?

as above.

Toggle quote (37 lines)>
> [...]
>
>> +Create a physical volume in the partition.
>> +
>> +@example
>> +pvcreate /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create a volume group in the physical volume, where @code{vgname} is any
>> +desired name for volume group.
>> +
>> +@example
>> +vgcreate vgname /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create logical volumes in the volume group; where "num" is the number
>> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
>> +desired names for root and home volumes respectively.
>> +
>> +@example
>> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
>> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
>> +@end example
>> +
>> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
>> +@code{fsnamehome} are any desired names for root and home filesystems
>> +respectively.
>> +
>> +@example
>> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
>> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
>> +@end example
>
> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
> (with subvolumes if you want) on top of /dev/mapper/partname?

This is probably a good idea...however does the grub payload support

this?

Toggle quote (6 lines)

> AFAIU the "double mapping" it's not needed, BTRFS have a very good (and

> now mature) built in volume manager. Furthermore, using BTRFS for

> volume management will allow users to switch to a multi-device system

> (e.g. RAID1) very easily.

That's pretty cool!

Toggle quote (5 lines)

> I'm still using LVM on some "legacy" systems but for new installations

> I'd strogly suggest starting using BTRFS on top of "physical"

> partitions.

does btrfs volume manage allow use to use ext4, jfs, or xfs filesystems?

Or does on LVM do that?

Toggle quote (21 lines)>> +Mount the filesystems under the current system.
>> +
>> +@example
>> +mount --label fsnameroot --target /mnt --types btrfs --verbose
>> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
>> +/mnt/home --types btrfs --verbose
>> +@end example
>> +
>> +Create a swap file.
>> +
>> +@example
>> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
>> +mkswap --verbose /mnt/swapfile
>> +@end example
>
> I know that since Linux 2.6 swapfile performance is not a big issue if
> the file is unfragmented (and it'll be for sure on newly partitioned
> filesystems) but AFAIU swap files are still a little bit problematic on
> BTRFS
> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:

Ok...maybe we could use ext4 for the swap file? Is there a better

filesystem? Again does btrfs volume management allow the swap file to

be ext4? Or do we have to use LVM?

Toggle quote (24 lines)> From kernel 5.0+ btrfs have native swap files support, but with some
> limitations. Swap file - must be fully allocated as NOCOW with no
> compression on one device.
>
>
> I've never tested a system with swap file on BTRFS but I think that your
> instructions should add how to set NOCOW for the swap file.
>
> The above example could be:
>
>
> @example
> dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> mkswap --verbose /mnt/swapfile
> chattr +C /mnt/swapfile
> btrfs property set /mnt/swapfile compression none
> @end example
>
> Final note: AFAIU BTRFS supports swap files ONLY in single device
> settings (that is: NO swap file support on multi device settings), so
> IMHO it's better to use a dedicated partition for the swap space so
> users are free to switch to a multi-device setting if they wish (and
> can).

Ok, I will create a dedicated partition and format it with ext4 and the

swap program...but I will probably need help figuring out how to encrypt

the swap partition...There are guides online that I can look at...

Toggle quote (4 lines)

> The problem with a fully encrypted dedicated swap partition is that

> it'll require a third passphrase prompt on boot (the one to unlock the

> swap partition), but that's a minor annoyance IMHO.

Oh no! I hadn't thought about that! grrr! I wonder if bcachefs is

better than btrfs...well I guess it's not merged yet. What about

instead of using a swap file we use zram? Or how about both?

Toggle quote (6 lines)

> What do you think?

> [...]

> Happy hacking! Gio'

--
Joshua Branson (jab in #guix)
Sent from Emacs and Gnus
  https://gnucode.me
  https://video.hardlimit.com/accounts/joshua_branson/video-channels
  https://propernaming.org
  "You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar

Giovanni Biscuolo wrote on 21 Jul 2021 14:16

Recipients:(name . Joshua Branson)(address . jbranso@dismail.de)

Message-ID:87k0ljj20i.fsf@xelera.eu

Hi Joshua

Joshua Branson <jbranso@dismail.de> writes:

[...]

Toggle quote (6 lines)

>> Why using two BTRFS volumes on top of LVM and not directly using BTRFS

>> (with subvolumes if you want) on top of /dev/mapper/partname?

> This is probably a good idea...however does the grub payload support

> this?

Do you mean: does grub support booting from encrypted BTRFS? The answer

is yes.

WARNING: I've (still) not tried myself to boot Guix System using an

encrypted BTRFS (sub)volume but I'm pretty confident that Guix is

configuring grub with the needed modules (luks and btrfs)

[...]

Toggle quote (7 lines)

>> I'm still using LVM on some "legacy" systems but for new installations

>> I'd strogly suggest starting using BTRFS on top of "physical"

>> partitions.

> does btrfs volume manage allow use to use ext4, jfs, or xfs

> filesystems?

No: BTRFS is a volume manager and a filesystem "all in one", you cannot

create a BRTFS subvolume and format it with another filesystem

Toggle quote (2 lines)

> Or does on LVM do that?

LVM is "just" a volume manager with no idea about the overlaying

filesystem

[...]

Toggle quote (10 lines)>> I know that since Linux 2.6 swapfile performance is not a big issue if
>> the file is unfragmented (and it'll be for sure on newly partitioned
>> filesystems) but AFAIU swap files are still a little bit problematic on
>> BTRFS
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
>
> Ok...maybe we could use ext4 for the swap file?  Is there a better
> filesystem?  Again does btrfs volume management allow the swap file to
> be ext4?

No, al explained above

Toggle quote (2 lines)

> Or do we have to use LVM?

If we use a dedicated partition for swap there is no need to set up an

LVM volume (phisical, VG and then logical): we can just create a

dedicate partition during partitioning, encrypt it with LUKS and

"mkswap" it (e.g. mkswap /dev/mapper/<encrypted_swap>)

[...]

Toggle quote (9 lines)

>> Final note: AFAIU BTRFS supports swap files ONLY in single device

>> settings (that is: NO swap file support on multi device settings), so

>> IMHO it's better to use a dedicated partition for the swap space so

>> users are free to switch to a multi-device setting if they wish (and

>> can).

> Ok, I will create a dedicated partition and format it with ext4

> and the swap program

There's no need to format (mkfs.ext4) the partition with ext4, just

"mkswap" it :-)

Toggle quote (3 lines)

> ...but I will probably need help figuring out how to encrypt

> the swap partition...There are guides online that I can look at...

You have to encrypt it like any other partition, e.g.:

Toggle snippet (31 lines)

Encrypt swap the partition. Follow the prompts.

@example

cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \

--verify-passphrase --use-random --key-size 512 --iter-time 500 \

luksFormat /dev/<swap_partition>

@end example

Obtain and note down the UUID of the LUKS partition.

@example

cryptsetup --verbose luksUUID /dev/<swap_partition>

@end example

Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,

and @code{crypt_swap01} is any desired name for the decrypted swap

partition.

@example

cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01

@end example

Format the encrypted swap

@example

mkswap /dev/mapper/crypt_swap01

@end example

Then, in our (operating-system) declaration, we have to use something

like this:

Toggle snippet (27 lines)
  (mapped-devices
   (list
    (mapped-device
     (source (uuid "LUKS-UUID"))
     (target "partname")
     (type luks-device-mapping))
    ;; This is our new encrypted swap partition
    (mapped-device
     (source
      (uuid "SWAP-LUKS-UUID"))
     (target "crypt_swap01")
     (type luks-device-mapping))
    (mapped-device
     (source "vgname")
     (targets
      (list
       "vgname-lvnameroot"
       "vgname-lvnamehome"))
     (type lvm-device-mapping))))

  (swap-devices
   (list
    "/dev/mapper/crypt_swap01"))

WARNING: please consider I've not tested this code.

Toggle quote (6 lines)

>> The problem with a fully encrypted dedicated swap partition is that

>> it'll require a third passphrase prompt on boot (the one to unlock the

>> swap partition), but that's a minor annoyance IMHO.

> Oh no! I hadn't thought about that! grrr!

Actually what I said it's NOT true... or better: we could avoid the

(third) password prompt for the swap partition if we _add_ a keyfile to

the LUKS encrypted swap partition _and_ we have a mechanism to

"luksOpen" that mapped volume using that keyfile.

I'm not aware of such a mechanism on Guix Systems, in Debian (et al)

this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the

option to specify a keyfile.

So, as far as this cookbook section is concerned, unfortunately when

using a dedicated encrypted swap partition an additional passphrase

prompt will be presented to the user at each boot.

Toggle quote (3 lines)

> I wonder if bcachefs is better than btrfs...well I guess it's not

> merged yet.

No, still not. AFAIU also still not available in Guix.

Toggle quote (2 lines)

> What about instead of using a swap file we use zram?

Never used zram and I don't know if it's supported (I mean configured by

(operating-system)) on Guix System

[...]

Sorry I've more issues than answers on this topics, nevertheless I hope

it somway helps.

Thanks! Gio'

Giovanni Biscuolo

Xelera IT Infrastructures

Sarah Morgensen wrote on 22 Jul 2021 00:50

Re: bug#49654: [PATCH] doc: Add full disc encryption guide to the cookbook

Recipients:(name . Joshua Branson)(address . jbranso@dismail.de)

Message-ID:86tukns2mc.fsf@mgsn.dev

Hello Joshua, Raghav,

Good to see more guides like this. In addition to what others have

already pointed out, I've got few readability suggestions, reading this as a

layperson :) (Questions are intentended to be rhetorical, to illustrate

where a layperson might have questions or be confused.)

Joshua Branson <jbranso@dismail.de> writes:

Toggle quote (40 lines)> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@raghavgururajan.name>
> and edited by Joshua Branson <jbranso@dismail.de>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
>  doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 724 insertions(+)
>
> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
> index 2e627ecc51..ef8f3425d6 100644
> --- a/doc/guix-cookbook.texi
> +++ b/doc/guix-cookbook.texi
> @@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
>  Copyright @copyright{} 2020 André Batista@*
>  Copyright @copyright{} 2020 Christopher Lemmer Webber
>  Copyright @copyright{} 2021 Joshua Branson@*
> +Copyright @copyright{} 2021 Raghav Gururajan@*
>  
>  Permission is granted to copy, distribute and/or modify this document
>  under the terms of the GNU Free Documentation License, Version 1.3 or
> @@ -1358,6 +1359,7 @@ reference.
>  * Customizing the Kernel::       Creating and using a custom Linux kernel on Guix System.
>  * Guix System Image API::        Customizing images to target specific platforms.
>  * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
> +* Guix System with Full Disk Encryption::    Guix System with Full Disk Encryption
>  * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
>  * Running Guix on a Linode Server:: Running Guix on a Linode Server
>  * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
> @@ -1938,6 +1940,728 @@ For more specific information about NetworkManager and wireguard
>  @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see
>  this post by thaller}.
>  
> +@node Guix System with Full Disk Encryption
> +@section Guix System with Full Disk Encryption
> +@cindex libreboot, full disk encryption
> +
> +Guix System is an exotic distribution of GNU/Linux operating system,

^ the

Toggle quote (7 lines)> +with Guix as package/system manager, Linux-Libre as kernel and
> +Shepherd as init system.
> +
> +Libreboot is a de-blobbed distribution of Coreboot firmware. By
> +default, Libreboot comes with GRUB bootloader as a payload.
> +
> +The objective of this manual is to provide step-by-step guide for

^ a

Toggle quote (1 lines)

> +setting up Guix System (stand-alone Guix), with Full Disk

^ You already defined Guix System above

Toggle quote (7 lines)

> +Encryption (FDE), on devices powered by Libreboot.

> +

> +Any users, for their generalized use cases, need not stumble away from

> +this guide to accomplish the setup. Advanced users, for deviant use

> +cases, will have to explore outside this guide for customization;

> +although this guide provides information that is of paramount use.

Above paragraph does not add useful information and the tone does not

match the rest of the Cookbook. (Sorry!)

Toggle quote (5 lines)> +
> +Let us begin!
> +
> +@menu
> +* Create Boot-able USB::

^ Bootable

Toggle quote (9 lines)

> +* Installing and Setup::

> +* Tweaking Libreboot's Grub Payload::

> +* Closing Thoughts::

> +* Special Thanks::

> +@end menu

> +

> +@node Create Boot-able USB

> +@subsection Create Boot-able USB

Likewise.

Toggle quote (3 lines)

> +

> +In the current GNU+Linux system, open terminal as root user.

"open a terminal as root" or "open a terminal as the root user"

Toggle quote (4 lines)

> +

> +Insert USB drive and get the device letter @code{/dev/sdX}, where “X” is the

> +device letter.

What USB drive? This is the first I've heard of it! Do I need to make

sure it's a specific kind? Is it okay if there's important information

on there that I haven't backed up?

Also note that while usually the device identifier will be 'sdX' this is

not guaranteed; sometimes you'll see 'hdX' or 'mmcblkX'.

Toggle quote (14 lines)> +
> +@example
> +lsblk --list
> +@end example
> +
> +@example
> +NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
> +sda     8:0    0 223.6G  0 disk
> +sda1    8:1    0     2M  0 part
> +sda2    8:2    0   3.7G  0 part
> +sda3    8:3    0 219.9G  0 part /
> +zram0 251:0    0   512M  0 disk [SWAP]
> +@end example

Why are these separate examples? IMO it would be more clear (and is the

usual style in such guides) to combine them and simply add '$ ' to the

beginning of any line that is a command the user should run.

Toggle quote (9 lines)> +
> +
> +Just in case the device is auto-mounted, unmount the device.
> +
> +@example
> +umount /dev/sdX --verbose
> +@end example
> +
> +Download the Guix System ISO installer package and it’s GPG signature;

^ its

Toggle quote (9 lines)> +where @code{A.B.C} is the version number and @code{SSS} is the system
> +architecture.
> +
> +@example
> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz
> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz.sig
> +@end example
> +
> +Import the Guix's public key.

^ "the Guix" or "Guix's"

Toggle quote (33 lines)> +
> +@example
> +gpg --verbose --keyserver pool.sks-keyservers.net –-receive-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> +@end example
> +
> +Verify the GPG signature of the downloaded package.
> +
> +@example
> +gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig
> +@end example
> +
> +Extract ISO image from the downloaded package.
> +
> +@example
> +xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz
> +@end example
> +
> +Write the extracted ISO image to the drive.
> +
> +@example
> +dd if=guix-system-install-A.B.C.SSS-linux.iso of=/dev/sdX status=progress; sync
> +@end example
> +
> +Reboot the device.
> +
> +@example
> +reboot
> +@end example
> +
> +@node Installing and Setup
> +@subsection Installing and Setup
> +
> +On reboot, as soon as the Libreboot's graphic art appears, press "S"

^ "the" is not necessary

Toggle quote (3 lines)

> +or choose @code{Search for GRUB2 configuration on external media [s]}. Wait

> +for the Guix System from USB drive to load.

This sounds awkward. Perhaps "Wait for Guix System to load from the USB

drive." or "Wait for the Guix System [you just] installed on the USB

drive to load."?

Toggle quote (7 lines)

> +

> +Once Guix System installer starts, choose @code{Install using the shell

> +based process}.

> +

> +Set your keyboard layout, where @code{lo} is the two-letter keyboard

> +layout code (lower-case).

How do I know out what my keyboard layout code should be? Even

"layout code (lower-case), for example @code{us} or @code{ru}."

would be helpful.

Toggle quote (47 lines)> +
> +@example
> +loadkeys --verbose lo
> +@end example
> +
> +Unblock network interfaces.
> +
> +@example
> +rfkill unblock all
> +@end example
> +
> +Get the names of network interfaces.
> +
> +@example
> +ifconfig -v -a
> +@end example
> +
> +@example
> +enp0s25   Link encap:Ethernet  HWaddr 00:1C:25:9A:37:BA
> +          UP BROADCAST MULTICAST  MTU:1500  Metric:1
> +          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> +          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> +          collisions:0 txqueuelen:1000
> +          RX bytes:0  TX bytes:0
> +          Interrupt:16 Memory:98800000-98820000
> +
> +lo        Link encap:Local Loopback
> +          inet addr:127.0.0.1  Bcast:0.0.0.0  Mask:255.0.0.0
> +          UP LOOPBACK RUNNING  MTU:65536  Metric:1
> +          RX packets:265 errors:0 dropped:0 overruns:0 frame:0
> +          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
> +          collisions:0 txqueuelen:1000
> +          RX bytes:164568  TX bytes:164568
> +
> +wlp2s0    Link encap:Ethernet  HWaddr E4:CE:8F:59:D6:BF
> +          inet addr:192.168.1.133  Bcast:192.168.1.255  Mask:255.255.255.0
> +          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> +          RX packets:60084 errors:0 dropped:71 overruns:0 frame:0
> +          TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0
> +          collisions:0 txqueuelen:1000
> +          RX bytes:45965805  TX bytes:4905457
> +
> +@end example
> +
> +Bring the desired network interface (wired or wireless) up, where
> +@code{nwif} is the network interface name.

How do I know which of the interfaces I should use?

Toggle quote (6 lines)> +
> +@example
> +ifconfig -v nwif up
> +@end example
> +
> +For wireless connection, follow the wireless setup.

^ connections

Toggle quote (11 lines)> +
> +@menu
> +* Wireless Setup::
> +@end menu
> +
> +@node Wireless Setup
> +@subsubsection Wireless Setup
> +
> +Create a configuration file using text editor, where @code{fname} is any
> +desired name for file.

This reads a bit awkwardly. Perhaps something like

"Create the configuration file using a text editor such as

@code{nano}. In this example, we are naming the file

@code{fname.conf}, but any name will do."

Also consider using a more descriptive example filename, like

`wpa_supplicant.conf`. You'd be surprised how many users just use the

example names!

Toggle quote (55 lines)> +
> +@example
> +nano fname.conf
> +@end example
> +
> +Choose, type and save ONE of the following snippets, where ‘net’ is
> +the network name, ‘pass’ is the password or passphrase and ‘uid’ is
> +the user identity.
> +
> +For most private networks:
> +
> +@example
> +network=@{
> +  ssid="net"
> +  key_mgmt=WPA-PSK
> +  psk="pass"
> +@}
> +@end example
> +
> +(or)
> +
> +For most public networks:
> +
> +@example
> +network=@{
> +  ssid="net"
> +  key_mgmt=NONE
> +@}
> +@end example
> +
> +(or)
> +
> +For most organizational networks:
> +
> +@example
> +network=@{
> +  ssid="net"
> +  scan_ssid=1
> +  key_mgmt=WPA-EAP
> +  identity="uid"
> +  password="pass"
> +  eap=PEAP
> +  phase1="peaplabel=0"
> +  phase2="auth=MSCHAPV2"
> +@}
> +@end example
> +
> +Connect to the configured network.
> +
> +@example
> +wpa_supplicant -B -c fname.conf -i nwif
> +@end example
> +
> +Assign an IP address to the network interface.

This is a bit misleading, as we aren't actually directly assigning an IP

address, but using dhclient to get one through DHCP.

Toggle quote (5 lines)

> +

> +@example

> +dhclient -v nwif

> +@end example

Should there be something indicating the end of "Wireless Setup"? I'm

not sure how texi subsections work, but if I were skipping "Wireless

Setup," how would I know where to skip to?

Toggle quote (4 lines)

> +

> +Obtain the device letter @code{/dev/sdX} in which you would like to deploy

> +and install Guix System, where “X” is the device letter.

This reads a bit awkwardly. Perhaps consider

"Find the [device] identifier for the device you are installing Guix

System onto."

Toggle quote (15 lines)> +
> +@example
> +lsblk --list
> +@end example
> +
> +@example
> +NAME  MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
> +sda     8:0    0 223.6G  0 disk
> +sda1    8:1    0     2M  0 part
> +sda2    8:2    0   3.7G  0 part
> +sda3    8:3    0 219.9G  0 part /
> +zram0 251:0    0   512M  0 disk [SWAP]
> +@end example
> +
> +Wipe the device (Ignore if the device is new).

^ lowercase; or "skip"

Also, why did the example for the USB drive show all 'sda' devices, and

this one does too? This is potentially confusing. Consider using

examples from the actual process.

Toggle quote (7 lines)

> +

> +@example

> +shred --verbose --random-source=/dev/urandom /dev/sdX

> +@end example

> +

> +Load the device-mapper module in the current kernel.

Why? Consider adding "(This is necessary for...)"

Toggle quote (8 lines)

> +

> +@example

> +modprobe --verbose dm_mod

> +@end example

> +

> +Partition the device. Follow the prompts. Just do, GPT --> New -->

> +Write --> Quit; defaults will be set.

Consider writing out the steps.

Also: are we just using one partition? Prefer describing what the goal

of a step is before describing the step, so a less knowledgeable user

learns and a more knowledgeable user knows when that step can be

substituted.

Toggle quote (8 lines)

> +

> +@example

> +cfdisk /dev/sdX

> +@end example

> +

> +Obtain the partition number from the device, where “Y” is the

> +partition number.

Doesn't cfdisk show the partition number?

Toggle quote (22 lines)> +
> +@example
> +lsblk --list
> +@end example
> +
> +Encrypt the partition. Follow the prompts.
> +
> +@example
> +cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
> +--verify-passphrase --use-random --key-size 512 --iter-time 500 \
> +luksFormat /dev/sdXY
> +@end example
> +
> +Obtain and note down the UUID of the LUKS partition.
> +
> +@example
> +cryptsetup --verbose luksUUID /dev/sdXY
> +@end example
> +
> +Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
> +and @code{partname} is any desired name for the partition.

Consider suggesting (or using in your example) a default partition name,

like with the .conf file above. Same for all the vg, lv, and fs names

below.

Toggle quote (6 lines)

> +

> +@example

> +cryptsetup --verbose

> +luksOpen UUID=luks-uuid partname

> +@end example

Is this supposed to be two lines?

Toggle quote (18 lines)> +
> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.

There is not "num" or any GB values in your following example...

Toggle quote (7 lines)> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and

^ logical volumes

Toggle quote (8 lines)

> +@code{fsnamehome} are any desired names for root and home filesystems

> +respectively.

> +

> +@example

> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot

> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome

> +@end example

Why are we using btrfs? Could I use ext4 instead?

Toggle quote (3 lines)

> +

> +Mount the filesystems under the current system.

Consider "Mount the new filesystems."

Toggle quote (15 lines)> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> +mkswap --verbose /mnt/swapfile
> +@end example
> +
> +Make the swap file readable and writable only by root account.

"root." or "the root account."

Toggle quote (17 lines)> +
> +@example
> +chmod --verbose 600 /mnt/swapfile
> +@end example
> +
> +Activate the swap file.
> +
> +@example
> +swapon --verbose /mnt/swapfile
> +@end example
> +
> +Install packages on the mounted root filesystem.
> +
> +@example
> +herd start cow-store /mnt
> +@end example

This doesn't actually install packages, does it? The manual says:

"This makes /gnu/store copy-on-write, such that packages added to it

during the installation phase are written to the target disk rather

than kept in memory."

Toggle quote (7 lines)

> +

> +Create the system-wide configuration files directory.

> +

> +@example

> +mkdir --verbose /mnt/etc

> +@end example

Why all the verbose, even on mkdir?

Toggle quote (5 lines)

> +

> +Create, edit and save the system configuration file by typing the

> +following code snippet. WATCH-OUT for variables in the code snippet

> +and replace them with the relevant values.

"Replace placeholders (such as LUKS-UUID) with their values from earlier."

Toggle quote (138 lines)> +
> +@example
> +nano /mnt/etc/config.scm
> +@end example
> +
> +The content of config.scm is:
> +
> +@lisp
> +(use-modules
> + (gnu)
> + (gnu system nss))
> +
> +(use-package-modules
> + certs
> + gnome
> + linux)
> +
> +(use-service-modules
> + desktop
> + xorg)
> +
> +(operating-system
> +  (kernel linux-libre-lts)
> +  (kernel-arguments
> +   (append
> +    (list
> +    ;; this is needed to flash the libreboot ROM. After, you
> +    ;; have flashed your rom, it is a good idea to remove
> +    ;; iomem=relaxed from your kernel arguments
> +     "iomem=relaxed")
> +    %default-kernel-arguments))
> +
> +  (timezone "Zone/SubZone")
> +  (locale "ab_XY.1234")
> +  (name-service-switch %mdns-host-lookup-nss)
> +
> +  (bootloader
> +   (bootloader-configuration
> +    (bootloader
> +     (bootloader
> +      (inherit grub-bootloader)
> +      (installer #~(const #t))))
> +    (keyboard-layout keyboard-layout)))
> +
> +  (keyboard-layout
> +   (keyboard-layout
> +    "xy"
> +    "altgr-intl"))
> +
> +  (host-name "hostname")
> +
> +  (mapped-devices
> +   (list
> +    (mapped-device
> +     (source
> +      (uuid "LUKS-UUID"))
> +     (target "partname")
> +     (type luks-device-mapping))
> +    (mapped-device
> +     (source "vgname")
> +     (targets
> +      (list
> +       "vgname-lvnameroot"
> +       "vgname-lvnamehome"))
> +     (type lvm-device-mapping))))
> +
> +  (file-systems
> +   (append
> +    (list
> +     (file-system
> +       (type "btrfs")
> +       (mount-point "/")
> +       (device "/dev/mapper/VGNAME-LVNAMEROOT")
> +       (flags '(no-atime))
> +       (options "space_cache=v2")
> +       (needed-for-boot? #t)
> +       (dependencies mapped-devices))
> +     (file-system
> +       (type "btrfs")
> +       (mount-point "/home")
> +       (device "/dev/mapper/VGNAME-LVNAMEHOME")
> +       (flags '(no-atime))
> +       (options "space_cache=v2")
> +       (dependencies mapped-devices)))
> +    %base-file-systems))
> +
> +  (swap-devices
> +   (list
> +    "/swapfile"))
> +
> +  (users
> +   (append
> +    (list
> +     (user-account
> +      (name "USERNAME")
> +      (comment "Full Name")
> +      (group "users")
> +      (supplementary-groups '("audio" "cdrom"
> +                              "kvm" "lp" "netdev"
> +                              "tape" "video"
> +                              "wheel"))))
> +    %base-user-accounts))
> +
> +  (packages
> +   (append
> +    (list
> +     nss-certs)
> +    %base-packages))
> +
> +  (services
> +   (append
> +    (list
> +     (service gnome-desktop-service-type))
> +    %desktop-services)))
> +@end lisp
> +
> +Initialize new Guix System.
> +
> +@example
> +guix system init /mnt/etc/config.scm /mnt
> +@end example
> +
> +Reboot the device.
> +
> +@example
> +reboot
> +@end example
> +
> +@node Tweaking Libreboot's Grub Payload
> +@subsection Tweaking Libreboot's Grub Payload
> +@cindex grub payload
> +
> +On reboot, as soon as the Libreboot graphic art appears, press “C” to
> +enter the command-line.
> +
> +Enter the following commands and respond to first command with the LUKS
> +Key.

What key? When did we get a LUKS Key? Am I supposed to come up with a

new key/passphrase?

Toggle quote (7 lines)> +
> +@example
> +cryptomount -u luks-uuid
> +set root=(lvm/vgname-lvnameroot)
> +@end example
> +
> +Upon Guix's GRUB menu, go with the default option.

"At the GRUB menu, selec the default option."

Toggle quote (4 lines)

> +

> +Enter the LUKS Key again, for kernel, as prompted.

> +

> +Upon login screen, login as "root" with password field empty.

"At the login screen" ^ the

Toggle quote (2 lines)

> +

> +Open terminal.

^ the

Toggle quote (2 lines)

> +

> +Set passkey for the "root" user. Follow the prompts.

^ the password

Toggle quote (6 lines)> +
> +@example
> +passwd root
> +@end example
> +
> +Set passkey for the "username" user. Follow the prompts.

^ the password

Also, the guide used the @code{username} style before. Why the change?

Toggle quote (21 lines)> +
> +@example
> +passwd username
> +@end example
> +
> +Install flashrom and wget.
> +
> +@example
> +guix package –-install flashrom wget
> +@end example
> +
> +Obtain the ROM chip's model and size. Look for the output line “Found
> +[@dots{}] flash chip [@dots{}]”.
> +
> +@example
> +flashrom --verbose --programmer internal
> +@end example
> +
> +Download Libreboot ROM and utilities, where "YYYYMMDD" is the release
> +date, @code{devmod} is the device model and "N" is the ROM chip size.

Likewise. The guide also used single quotes for 'sdX' earlier.

Toggle quote (22 lines)> +
> +@example
> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz
> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYYYYMMDD_util.tar.xz
> +@end example
> +
> +Extract the downloaded files.
> +@example
> +tar --extract --file=libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verbose
> +tar --extract --file=libreboot_rYYYYMMDD_util.tar.xz --verbose
> +@end example
> +
> +Rename the directories of extracted files.
> +
> +@example
> +mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"
> +mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"
> +@end example
> +
> +Copy the ROM image to the directory of cbfstool, where "kbdlo" is the
> +keyboard layout and "arch" is the system architecture.

Likewise.

Toggle quote (61 lines)> +
> +@example
> +cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arch/libreboot.rom
> +@end example
> +
> +Change directory to the directory of cbfstool.
> +@example
> +cd libreboot_util/cbfstool/arch/
> +@end example
> +
> +Extract the GRUB configuration file from the image.
> +
> +@example
> +./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg
> +@end example
> +
> +Edit the GRUB configuration file and insert the following code snippet
> +above the line @code{“menuentry 'Load Operating System [o]' --hotkey='o'
> +--unrestricted @{ [...] @}”}.
> +
> +@example
> +nano grub.cfg
> +@end example
> +
> +Snippet:
> +@example
> +menuentry ‘Guix System (An advanced distribution of the GNU operating system) [g]’ --hotkey=’g’ --unrestricted
> +@{
> +cryptomount -u luks-uuid
> +set root=(lvm/vgname-lvnameroot)
> +configfile /boot/grub/grub.cfg
> +@}
> +@end example
> +
> +Remove the old GRUB configuration file from the ROM image.
> +
> +@example
> +./cbfstool libreboot.rom remove -n grub.cfg
> +@end example
> +
> +Insert the new GRUB configuration file into the ROM image.
> +
> +@example
> +./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
> +@end example
> +
> +Move the ROM image to the directory of ich9gen.
> +
> +@example
> +mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom
> +@end example
> +
> +Change directory to the directory of ich9gen.
> +
> +@example
> +cd ~/libreboot_util/ich9deblob/arch/
> +@end example
> +
> +Generate descriptor+GbE images with the MAC address, where "mac-addr"
> +is the MAC address of the machine.

Likewise.

Toggle quote (12 lines)> +
> +@example
> +ich9gen --macaddress mac-addr
> +@end example
> +
> +Insert the descriptor+GbE image into the ROM image, where "N" is the
> +ROM chip size.
> +@example
> +dd bs=12k conv=notrunc count=1 if=ich9fdgbe_Nm.bin of=libreboot.rom status=progress
> +@end example
> +
> +Move the ROM image to the directory of flash.

^ "the flash script"

Toggle quote (12 lines)> +
> +@example
> +mv libreboot.rom ~/libreboot_util/libreboot.rom
> +@end example
> +
> +Change directory to the directory of flash.
> +
> +@example
> +cd ~/libreboot_util
> +@end example
> +
> +Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.

^ the ^ no ","

Toggle quote (15 lines)> +@example
> +nano flash
> +@end example
> +
> +Flash the ROM with the new image.
> +@example
> +./flash update libreboot.rom
> +@end example
> +
> +(or)
> +
> +@example
> +./flash forceupdate libreboot.rom
> +@end example

How do I know whether to use 'update' or 'forceupdate'?

Toggle quote (9 lines)

> +

> +Reboot the device.

> +@example

> +reboot

> +@end example

> +

> +@node Closing Thoughts

> +@subsection Closing Thoughts

Typically it's "Closing Remarks".

Toggle quote (2 lines)

> +

> +Everything should be stream-lined from now. Upon Libreboot's GRUB

What does this mean?

Toggle quote (2 lines)

> +menu, you can either press "G" or choose "Guix System (An advanced

> +distribution of the GNU operating system) [g]".

In order to do what?

Toggle quote (9 lines)

> +

> +During the boot process, as prompted, you have to type LUKS key twice;

> +once for Libreboot's GRUB and once more for Linux-Libre kernel.

> +Retyping a passphrase is a minor annoyance, but it is a secure method of

> +opening up your device. There are methods that exist to only type the

> +passphrase once, but none are currently integrated into Guix System.

> +

> +Generally, you will be using Libreboot's initial/default grub.cfg,

Is this the grub.cfg we setup above? If so, specify that.

Toggle quote (2 lines)

> +whose Guix menu-entry invokes Guix's grub.cfg located at

> +@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's

^ troubleshooting

Toggle quote (2 lines)

> +@code{grubtest.cfg}, which hasn't been modified.

But *how* would I use grubtest.cfg?

Toggle quote (5 lines)> +
> +Now that you have a working Guix System with full disk encryption, you
> +may want to remove the @code{iomem=relaxed} from your
> +@code{kernel-arguments}.  @code{iomem=relaxed} is needed to reflash your
> +rom.  Since, most users will probably not flash their rom often, those

^ ROM ^ no "," ^ ROM

Toggle quote (2 lines)

> +users may wish to disable that feature:

The change from "you" to "most users"/"those users" is a little jarring.

Toggle quote (19 lines)> +
> +@lisp
> +  ;; optionally remove this bit of code from your config.scm
> +  (kernel-arguments
> +   (append
> +    (list
> +    ;; this is needed to flash the libreboot ROM. After, you
> +    ;; have flashed your rom, it is a good idea to remove
> +    ;; iomem=relaxed from your kernel arguments
> +     "iomem=relaxed")
> +    %default-kernel-arguments))
> +@end lisp
> +
> +That is it! You have now setup Guix System with Full Disk Encryption on
> +your device powered by Libreboot. Enjoy!
> +
> +More information about Libreboot can be found at their official
> +documentation: @uref{https://libreboot.org/docs/}.

Consider embedding the link:

"[...] can be found in the @uref{https://libreboot.org/docs/,official

documentation}."

Toggle quote (5 lines)> +
> +@node Special Thanks
> +@subsection Special Thanks
> +
> +Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),

^ no "," ^ same

Toggle quote (1 lines)

> +for helping me with the Scheme code for the bootloader configuration.

^ "for assisting with" (avoid first person prounouns)

Toggle quote (2 lines)

> +

> +Thanks to Libreboot founder and developer, Leah Rowe

^ no ","

Toggle quote (1 lines)

> +(leah@@libreboot.org), for helping me with the understanding of

^ no "," ^ "for assistance with Libreboot."

Toggle quote (6 lines)

> +Libreboot’s functionalities.

> +

> @node Customizing a Window Manager

> @section Customizing a Window Manager

> @cindex wm

Also, consider referencing relevant sections of the manual, such as

https://guix.gnu.org/manual/en/html_node/Manual-Installation.html

so users know where to find more detailed information.

Hope that helps,

Sarah

jbranso wrote on 22 Jul 2021 21:16

Recipients:(name . Sarah Morgensen)(address . iskarian@mgsn.dev)

Message-ID:2a373bf54c17a11a37ab8f2ca86ef07f@dismail.de

July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@mgsn.dev> wrote:

Toggle quote (6 lines)> Hello Joshua, Raghav,
> 
> Good to see more guides like this. In addition to what others have
> already pointed out, I've got few readability suggestions, reading this as a
> layperson :) (Questions are intentended to be rhetorical, to illustrate
> where a layperson might have questions or be confused.)

 
Thanks so much for you proof-reading!  I'll update and push a new patch!
 

Toggle quote (5 lines)> Also, consider referencing relevant sections of the manual, such as
> 
> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
> 
> so users know where to find more detailed information.

That is an awesome idea! I will do so!

Toggle quote (2 lines)

> Hope that helps,

> Sarah

Ludovic Courtès wrote on 11 Aug 2021 16:17

Recipients:(address . jbranso@dismail.de)

Message-ID:87pmukkqvx.fsf_-_@gnu.org

Hi Joshua and all,

jbranso@dismail.de skribis:

Toggle quote (19 lines)> July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@mgsn.dev> wrote:
>
>> Hello Joshua, Raghav,
>> 
>> Good to see more guides like this. In addition to what others have
>> already pointed out, I've got few readability suggestions, reading this as a
>> layperson :) (Questions are intentended to be rhetorical, to illustrate
>> where a layperson might have questions or be confused.)
>  
> Thanks so much for you proof-reading!  I'll update and push a new patch!
>  
>> Also, consider referencing relevant sections of the manual, such as
>> 
>> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
>> 
>> so users know where to find more detailed information.
>  
> That is an awesome idea!  I will do so!

My main question would be: what do you think is not covered in the

“Manual Installation” section?

That section covers full disk encryption and other things you propose,

such as partitioning, downloading the ISO, authenticating it, changing

the keyboard layout, etc.

From a maintenance perspective, it does not seem reasonable to maintain

to similar pieces of documentation on these matters. From a user

perspective, it could be confusing or downright deceiving if one of

these two documents is out of date or erroneous.

All in all, for the topic we’re discussing, I’d suggest consolidating

existing material instead of writing new material.

WDYT?

Thanks,

Ludo’.

jbranso wrote on 12 Aug 2021 03:48

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:56b97910c9bac2b0eafb40e0b70aadea@dismail.de

August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:

Toggle quote (30 lines)> Hi Joshua and all,
> 
> jbranso@dismail.de skribis:
> 
>> July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@mgsn.dev> wrote:
>> 
>>> Hello Joshua, Raghav,
>>> 
>>> Good to see more guides like this. In addition to what others have
>>> already pointed out, I've got few readability suggestions, reading this as a
>>> layperson :) (Questions are intentended to be rhetorical, to illustrate
>>> where a layperson might have questions or be confused.)
>> 
>> Thanks so much for you proof-reading! I'll update and push a new patch!
>> 
>>> Also, consider referencing relevant sections of the manual, such as
>>> 
>>> https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
>>> 
>>> so users know where to find more detailed information.
>> 
>> That is an awesome idea! I will do so!
> 
> My main question would be: what do you think is not covered in the
> “Manual Installation” section?
> 
> That section covers full disk encryption and other things you propose,
> such as partitioning, downloading the ISO, authenticating it, changing
> the keyboard layout, etc.

I think that libreboot does not currently support the latest version of

encryption...or only supports LVM v1....something like that. Perhaps those

"libreboot specific encryption commands" need not be in the official manual?

Toggle quote (6 lines)

> From a maintenance perspective, it does not seem reasonable to maintain

> to similar pieces of documentation on these matters. From a user

> perspective, it could be confusing or downright deceiving if one of

> these two documents is out of date or erroneous.

I'm game for that. I personally find the "Manual Installation" section

slightly too terse...I've successfully installed guix encrypted before,

but I had to use the graphical installation. I have a hard time

comprehending how to manually install an encrypted guix, but I also just

have a very hard time understanding new guix things too. :)

Perhaps, if the manual does not have it, we could provide an example

config of an encrypted /home ? I feel like the majority of guix users

do not use libreboot, so a encrypted / is not an option for most of them.

Toggle quote (8 lines)> 
> All in all, for the topic we’re discussing, I’d suggest consolidating
> existing material instead of writing new material.
> 
> WDYT?
> 
> Thanks,
> Ludo’.

Ludovic Courtès wrote on 12 Aug 2021 10:04

Recipients:(address . jbranso@dismail.de)

Message-ID:878s17hywu.fsf@gnu.org

Hello!

jbranso@dismail.de skribis:

Toggle quote (2 lines)

> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:

[...]

Toggle quote (11 lines)>> My main question would be: what do you think is not covered in the
>> “Manual Installation” section?
>> 
>> That section covers full disk encryption and other things you propose,
>> such as partitioning, downloading the ISO, authenticating it, changing
>> the keyboard layout, etc.
>
> I think that libreboot does not currently support the latest version of
> encryption...or only supports LVM v1....something like that.  Perhaps those
> "libreboot specific encryption commands" need not be in the official manual?

Oh, right. Perhaps there could be a subsubsection next to “Disk

Partitioning” & co. specifically about LibreBoot support? Would that

make sense?

Toggle quote (11 lines)>> From a maintenance perspective, it does not seem reasonable to maintain
>> to similar pieces of documentation on these matters. From a user
>> perspective, it could be confusing or downright deceiving if one of
>> these two documents is out of date or erroneous.
>
> I'm game for that.  I personally find the "Manual Installation" section 
> slightly too terse...I've successfully installed guix encrypted before,
> but I had to use the graphical installation.  I have a hard time 
> comprehending how to manually install an encrypted guix, but I also just
> have a very hard time understanding new guix things too.  :)

If you could pinpoint specific things that are missing or too vague in

that section, that’d be great.

Of course we don’t want to explain too much in there because that’d be

too much work, so this section assumes familiarity with GNU/Linux; and

overall, we want to encourage users, both newbies and seasoned GNU/Linux

users, to use the installer, because it’s so much more convenient.

Toggle quote (4 lines)

> Perhaps, if the manual does not have it, we could provide an example

> config of an encrypted /home ? I feel like the majority of guix users

> do not use libreboot, so a encrypted / is not an option for most of them.

Why is it not an option? I use encrypted root without Libreboot and the

installer offers that option.

Thanks!

Ludo’.

jbranso wrote on 12 Aug 2021 10:41

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:88a58ef059693914775700403c7c45f6@dismail.de

August 12, 2021 4:04 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:

Toggle quote (23 lines)> Hello!
> 
> jbranso@dismail.de skribis:
> 
>> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
> 
> [...]
> 
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>> 
>>> That section covers full disk encryption and other things you propose,
>>> such as partitioning, downloading the ISO, authenticating it, changing
>>> the keyboard layout, etc.
>> 
>> I think that libreboot does not currently support the latest version of
>> encryption...or only supports LVM v1....something like that. Perhaps those
>> "libreboot specific encryption commands" need not be in the official manual?
> 
> Oh, right. Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support? Would that
> make sense?

I'm game for that! If you think that belongs in the manual proper, I'm game

to put it there!

Toggle quote (13 lines)>>> From a maintenance perspective, it does not seem reasonable to maintain
>>> to similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>> 
>> I'm game for that. I personally find the "Manual Installation" section
>> slightly too terse...I've successfully installed guix encrypted before,
>> but I had to use the graphical installation. I have a hard time
>> comprehending how to manually install an encrypted guix, but I also just
>> have a very hard time understanding new guix things too. :)
> 
> If you could pinpoint specific things that are missing or too vague in
> that section, that’d be great.

 
  I was actually going to point out that the manual lacks an example config
for encrypted /...but this is apparently not the case.  10.1 has such an
example, and I'm delighted to see that the Manual Installation, specifically
3.6.2 Proceeding with the Installation links to 10.1, which has all of the
example configs.  That is super helpful!

Toggle quote (12 lines)> Of course we don’t want to explain too much in there because that’d be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned GNU/Linux
> users, to use the installer, because it’s so much more convenient.
> 
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ? I feel like the majority of guix users
>> do not use libreboot, so a encrypted / is not an option for most of them.
> 
> Why is it not an option? I use encrypted root without Libreboot and the
> installer offers that option.

Forgive me.  This is an example of me not being very technical...
I'm assuming that "encrypted /" is the same as "full disc encryption".  
That's my mistake.  :)  As stated above, the manual does have an example
of encrypted /.  :)
 

Toggle quote (3 lines)

> Thanks!

> Ludo’.

david larsson wrote on 12 Aug 2021 10:59

Re: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:6d41fe0ff317cf845f90591250988f5b@selfhosted.xyz

On 2021-08-12 10:04, Ludovic Courtès wrote:

Toggle quote (61 lines)> Hello!
> 
> jbranso@dismail.de skribis:
> 
>> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
> 
> [...]
> 
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>> 
>>> That section covers full disk encryption and other things you 
>>> propose,
>>> such as partitioning, downloading the ISO, authenticating it, 
>>> changing
>>> the keyboard layout, etc.
>> 
>> I think that libreboot does not currently support the latest version 
>> of
>> encryption...or only supports LVM v1....something like that.  Perhaps 
>> those
>> "libreboot specific encryption commands" need not be in the official 
>> manual?
> 
> Oh, right.  Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support?  Would that
> make sense?
> 
>>> From a maintenance perspective, it does not seem reasonable to 
>>> maintain
>>> to similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>> 
>> I'm game for that.  I personally find the "Manual Installation" 
>> section
>> slightly too terse...I've successfully installed guix encrypted 
>> before,
>> but I had to use the graphical installation.  I have a hard time
>> comprehending how to manually install an encrypted guix, but I also 
>> just
>> have a very hard time understanding new guix things too.  :)
> 
> If you could pinpoint specific things that are missing or too vague in
> that section, that’d be great.
> 
> Of course we don’t want to explain too much in there because that’d be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned 
> GNU/Linux
> users, to use the installer, because it’s so much more convenient.
> 
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ?  I feel like the majority of guix users
>> do not use libreboot, so a encrypted / is not an option for most of 
>> them.
> 
> Why is it not an option?  I use encrypted root without Libreboot and 
> the
> installer offers that option.

Hi!

Im happy to see this added to the cookbook.

Just to clarify: with libreboot you can have the *entire* root partition 
encrypted without a separate boot partition (with /boot mounted under 
the encrypted root) - i.e. an actually fully encrypted disk (save the 
luks headers). So this is why you need to carefully setup the grub.cfg 
that's in libreboot's ROM (assuming you use Grub as payload) to use 
something like: cryptomount -a ; configfile 
(crypto0)/boot/grub/grub.cfg, so that you point to Guix's continuously 
updated version of grub.cfg inside the encrypted partition.

If you want to have /boot on an encrypted partition without using 
libreboot, you need to pack crypttools or whatever (cryptomount command) 
to initrd which is generated with guile code. Guix currently don't 
offering such options to my knowledge.

Related note: there has also been discussions in Grub dev mailing lists 
about adding the option to specify luks headers in grub.cfg which would 
allow for actual full disk encryption of internal drives 
(indistinguishable from random wiped disk), and then you could probably 
accomplish this by mounting /boot in your config.scm from external usb. 
This would also be a nice thing to add to the cookbook IMO (when that 
feature is available in Grub).

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date