
Re: [Libreboot] Parabola install & Grub


From: Denis 'GNUtoo' Carikli
Subject: Re: [Libreboot] Parabola install & Grub
Date: Fri, 14 Aug 2015 00:04:38 +0200

On Sun, 09 Aug 2015 14:28:14 +0200
Andreas Kuss <address@hidden> wrote:
> Hi,
Hi,

> I installed parabola with full disk encryption on my T400 until the
> point where I have to boot from Grub manually. This is getting hard
> (or maybe impossible?) because of my bootscreen
> (https://i.imgur.com/LqAdmmK.jpg). I can't see what I type in the
> console and if it's working. I used a usqwerty-vesafb rom for
> flashing, which is not my actual keyboard layout.
I am not connected to the Internet right now, so I can't see the
picture. Where does the grub come from?
Is the libreboot payload grub here?

> Instead of booting manually I thought I'd install Grub with a few
> changes in /etc/default/grub.
> I added
> GRUB_CRYPTODISK_ENABLED=y
> and I added the kernel parameter
> GRUB_CMDLINE_LINUX=“cryptdevice=/dev/sda1:root
> root=/dev/matrix/rootvol“
If you used full disk encryption without a /boot in clear, then the
above probably generated the grub.cfg in /boot/grub/grub.cfg, since
the documentation advises to run "grub-mkconfig -o /boot/grub/grub.cfg"

> I installed Grub with the hope of being recognized automatically by
> libreboot. This works with Trisquel 7 (which I did not encrypt) but
> not (yet) with Parabola (?).
Maybe because your generated grub.cfg is on an encrypted partition.

In reality it's the other way around: With parabola you have stable
paths for the kernels and their respective initramfs, so it's easier to
handle.

If you use the standard linux-libre (some variant like -libre-grsec and
so on exist) you'd have:
/boot/vmlinuz-linux-libre
/boot/initramfs-linux-libre.img
/boot/initramfs-linux-libre-fallback.img

Then to make it work, I advise to:

1) Put libreboot with grub as a payload on the flash
2) Write a grub.cfg *by hand*, you can use the generated one as a
   starting point to do that.

> I am asking myself if I should be able to start Parabola with FDE this
> way? When would I have to type in the keyphrase in Grub? I wouldn't
> know because of the trouble with my bootscreen. I can use the
> different options at bootscreen, though.
If you can't fix the graphics issue (you should really try), grub is
flexible: you could make it beep right before asking the passphrase,
and even beep in case of failure or success. It probably even supports
different tones.
In grub.cfg, you can even use a grub-specific shell-like syntax.

> I used the latest Parabola live ISO (2015.08.01) because I couldn't
> get a wireless connection with an older ISO (probably kernel related).
> I used a wiped SSD to try out. Trisquel is on another HDD.
Do read the cryptsetup documentation about SSDs, especially about the
TRIM command.

By the way, try to test things in a way that won't brick your laptop
before making them permanent:
For instance you can try grub configuration files with configfile
first, you also do have qemu and so on.


> I used fdisk when creating the LUKS partition. Using cfdisk does not
> leave enough disk space (see here:
> https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1059827) for
> Grub. You either have to install it outside the MBR, resize (if
> possible) or start all over again.
I personally try to avoid the MBR and the execution of any code coming
from devices I can't trust, like an encrypted HDD or USB stick.

To prevent doing it by accident, I partitioned as GPT to avoid the MBR.

In any case security and privacy are about tradeoffs, you'll have to
choose which ones to make yourself, based on your use and threat model.

Denis.
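
The following hand-written grub.cfg is an added example, not part of the original message and not libreboot's shipped configuration. It combines the advice above: unlock the LUKS device from the GRUB payload, boot the stable Parabola kernel paths, and give audible feedback when the screen is unreadable. It assumes the payload includes GRUB's cryptodisk, luks, lvm, test and play support; the GRUB device name lvm/matrix-rootvol is derived from the root=/dev/matrix/rootvol parameter quoted in the thread, and the tones are arbitrary.

```grub
# Added example: hand-written grub.cfg for an encrypted Parabola root.
# Assumptions: volume group "matrix", logical volume "rootvol", LUKS
# container on /dev/sda1 (taken from the kernel parameters in the thread).

set timeout=5
set default=0

# Helper (hypothetical name): unlock the disk, then boot with the
# initramfs given as $1.
function boot_parabola {
    # Short tone: the passphrase prompt follows.
    # Syntax: play TEMPO PITCH DURATION [PITCH DURATION ...]
    play 480 440 1

    # Prompt for the passphrase and unlock all LUKS devices GRUB can see.
    cryptomount -a

    # Once unlocked, the logical volume is visible as (lvm/VG-LV).
    set root='lvm/matrix-rootvol'

    # Check that the kernel is readable instead of trusting the exit
    # status of cryptomount; this also catches wrong device names.
    if [ -f /boot/vmlinuz-linux-libre ]; then
        # Rising two-tone signal: unlock succeeded, kernel found.
        play 480 440 1 880 1
        linux /boot/vmlinuz-linux-libre cryptdevice=/dev/sda1:root root=/dev/matrix/rootvol
        initrd "$1"
    else
        # Long low tone: wrong passphrase or volume not found.
        play 480 220 4
    fi
}

menuentry 'Parabola GNU/Linux-libre (encrypted root)' {
    boot_parabola /boot/initramfs-linux-libre.img
}

menuentry 'Parabola GNU/Linux-libre (fallback initramfs)' {
    boot_parabola /boot/initramfs-linux-libre-fallback.img
}
```

As the message suggests, load such a file with configfile from the GRUB console, or try it in qemu, before writing it to the flash.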
