
Libreboot with full disk encryption (including /boot) Luks2+argon2id

Hi all.
Please tell me, has anyone tried installing a fully encrypted disk, including the boot partition, using Libreboot (20231106) + LUKS2 + argon2id?

I used this option, but at this stage Libreboot's GRUB does not boot the system. I did not install grub from the repository.

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #1
I'm assuming the GRUB in Libreboot has been generically compiled; in that case, albeit not thinking much about it, how can it know to search an encrypted partition for the bootcfg and later for the kernel images?
Rebuild it, but I have no idea how hard it is, or just use the SeaBIOS payload (or heck, even the UEFI one, since it's not backdoored) and boot encrypted like that.

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #2
Hello Hitman. Thank you very much for your answer.

I think there is no point in rebuilding, since I can boot the system manually; that is, Libreboot's GRUB works. But I can't figure out how to change grub.cfg and then flash it into flash memory so that it doesn't give errors and boots the system correctly.

As for where it was taken from, I'm attaching information here for those who are looking for answers:

Libreboot’s argon2 patches are based on this AUR repository  https://aur.archlinux.org/cgit/aur.git/tree/?h=grub-improved-luks2-git&id=1c7932d90f1f62d0fd5485c5eb8ad79fa4c2f50d  which patched GRUB 2.06, and the patches were rebased for use with GRUB 2.12 which Libreboot uses; the rebase was performed by Nicholas Johnson. Nicholas emailed me to tell me that this had been done, and I then merged Nicholas’s work into Libreboot. Thank you, Nicholas! Thanks also go to Axel who is the author of the original work that Nicholas imported from Archlinux AUR.

https://libreboot.org/news/argon2.html#introduction


Without installing Grub from the repository I see messages:

"Booting from Hard Disk..." and nothing happens.


If I install grub from the repository I see the error:

Code:
error : disk 'lvmid /WuGDE4-Po2w-3n6d-9pcY-sqsoV-eTsq-aLxagJ' not found


I am attaching the Libreboot grub.cfg (below). I made the changes and then flashed it, but it didn't work.

Code:
menuentry 'Boot encrypted system (LUKS2 + LVM)' {
    # Unlock every LUKS volume GRUB can see and prompt for the passphrase;
    # argon2id keyslots need Libreboot's argon2-patched GRUB
    cryptomount -a
    # /boot lives inside the root logical volume, so root points at the LV
    set root='lvm/matrix-rootvol'
    linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm
    initrd /boot/initramfs-linux-libre.img
}

Libreboot grub.cfg

Code:
set prefix=(memdisk)/boot/grub

insmod at_keyboard
insmod usb_keyboard
insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod regexp

terminal_input --append at_keyboard
terminal_input --append usb_keyboard
terminal_output --append cbmemc

gfxpayload=keep
terminal_output --append gfxterm

if [ -f (cbfsdisk)/background.png ]; then
    insmod png
    background_image (cbfsdisk)/background.png
elif [ -f (cbfsdisk)/background.jpg ]; then
    insmod jpeg
    background_image (cbfsdisk)/background.jpg
fi

set default="0"
if [ -f (cbfsdisk)/timeout.cfg ]; then
    source (cbfsdisk)/timeout.cfg
else
    set timeout=5
fi
set grub_scan_disk="both"
if [ -f (cbfsdisk)/scan.cfg ]; then
    source (cbfsdisk)/scan.cfg
fi

if [ -f (cbfsdisk)/keymap.gkb ]; then
    keymap (cbfsdisk)/keymap.gkb
fi

function try_user_config {
    set root="${1}"

    # The @/... entries are for cases where the BTRFS filesystem is being used
    for dir in boot grub grub2 boot/grub boot/grub2 @/boot @/grub @/grub2 @/boot/grub @/boot/grub2; do
        for name in '' osboot_ autoboot_ libreboot_ coreboot_; do
            if [ -f /"${dir}"/"${name}"grub.cfg ]; then
                unset superusers
                configfile /"${dir}"/"${name}"grub.cfg
            fi
        done
    done
}
function search_grub {
    echo -n "Attempting to load grub.cfg from '${1}' devices"
    for i in 0 1 2 3 4 5 6 7 8 9 10 11; do
        for part in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
            try_user_config "(${1}${i},${part})"
        done
        # raw devices e.g. (ahci0) instead of (ahci0,1)
        try_user_config "(${1}${i})"
    done
    echo # Insert newline
}

function try_isolinux_config {
    set root="${1}"
    for dir in '' /boot /EFI /boot/EFI /@ /@/boot /@/boot/EFI /@/EFI; do
        if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
            syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
        elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
            syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
        elif [ -f "${dir}"/syslinux/extlinux.conf ]; then
            syslinux_configfile -s "${dir}"/syslinux/extlinux.conf
        elif [ -f "${dir}"/extlinux/extlinux.conf ]; then
            syslinux_configfile -s "${dir}"/extlinux/extlinux.conf
        fi
    done
}
function search_isolinux {
    echo "\nAttempting to parse iso/sys/extlinux config from '${1}' devices"
    for i in 0 1 2 3 4 5 6 7 8 9 10 11; do
        for part in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
            try_isolinux_config "(${1}${i},${part})"
        done
        # raw devices e.g. (usb0) instead of (usb0,1)
        try_isolinux_config "(${1}${i})"
    done
    echo # Insert newline
}
function try_bootcfg {
    try_user_config "${1}"
    try_isolinux_config "${1}"
}
function search_bootcfg {
    search_grub "${1}"
    search_isolinux "${1}"
}
menuentry 'Load Operating System (incl. fully encrypted disks)  [o]' --hotkey='o' {

    if [ "${grub_scan_disk}" != "ata" ]; then
        search_bootcfg ahci
    fi
    if [ "${grub_scan_disk}" != "ahci" ]; then
        search_bootcfg ata
    fi

    # grub device enumeration is very slow, so checks are hardcoded

    # TODO: add more strings, based on what distros set up when
    # the user selects auto-partitioning in those installers
    lvmvol="lvm/grubcrypt-bootvol lvm/grubcrypt-rootvol"

    raidvol="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"

    # in practice, doing multiple redundant checks is perfectly fast and
    # TODO: optimize grub itself, and use */? here for everything

    for vol in ${lvmvol} ${raidvol} ; do
        try_bootcfg "${vol}"
    done

    unset ahcidev
    unset atadev
    for i in 11 10 9 8 7 6 5 4 3 2 1 0; do
        for part in 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1; do
            if [ "${grub_scan_disk}" != "ata" ]; then
                ahcidev="(ahci${i},${part}) ${ahcidev}"
            fi
            if [ "${grub_scan_disk}" != "ahci" ]; then
                atadev="(ata${i},${part}) ${atadev}"
            fi
        done
    done

    set pager=0
    echo -n "Attempting to unlock encrypted volumes"
    for dev in ${ahcidev} ${atadev} ${lvmvol} ${raidvol}; do
        if cryptomount "${dev}" ; then break ; fi
    done
    set pager=1
    echo

    # after cryptomount, lvm volumes might be available
    for vol in ${lvmvol}; do
        try_bootcfg "${vol}"
    done

    search_bootcfg crypto

    for vol in lvm/* ; do
        try_bootcfg "${vol}"
    done

    true # Prevent pager requiring to accept each line instead of whole screen
}

menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on USB  [s]' --hotkey='s' {
    search_bootcfg usb
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on AHCI  [a]' --hotkey='a' {
    search_bootcfg ahci
}
menuentry 'Search for GRUB/SYSLINUX/EXTLINUX/ISOLINUX on ATA/IDE  [d]' --hotkey='d' {
    # the stock config searched "ahci" here, which never looks at ata devices
    search_bootcfg ata
}
if [ -f (cbfsdisk)/grubtest.cfg ]; then
menuentry 'Load test configuration (grubtest.cfg) inside of CBFS  [t]' --hotkey='t' {
    set root='(cbfsdisk)'
    if [ -f /grubtest.cfg ]; then
        configfile /grubtest.cfg
    fi
}
fi
if [ -f (cbfsdisk)/seabios.elf ]; then
menuentry 'Load SeaBIOS (payload) [b]' --hotkey='b' {
    set root='cbfsdisk'
    chainloader /seabios.elf
}
fi
if [ -f (cbfsdisk)/img/grub2 ]; then
menuentry 'Return to SeaBIOS [b]' --hotkey='b' {
    set root='cbfsdisk'
    chainloader /fallback/payload
}
fi
menuentry 'Poweroff  [p]' --hotkey='p' {
    halt
}
menuentry 'Reboot  [r]' --hotkey='r' {
    reboot
}
if [ -f (cbfsdisk)/img/memtest ]; then
menuentry 'Load MemTest86+  [m]' --hotkey='m' {
    set root='cbfsdisk'
    chainloader /img/memtest
}
fi
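An added example, written for this page and not code from the thread or from Libreboot: a POSIX shell script that parses cryptsetup luksDump output and reports, per keyslot, whether the key derivation is argon2id or pbkdf2. It matters for the setup discussed above because an unpatched GRUB can only open LUKS2 keyslots derived with pbkdf2, while Libreboot's argon2-patched GRUB (see the libreboot.org link earlier in this post) can also open argon2id slots; checking the header before flashing saves a round of "Booting from Hard Disk..." guesswork. The header text is constructed inline, the function names are my own, and the Digests: section (which also says pbkdf2) is deliberately kept out of the keyslot count.

```shell
#!/bin/sh
# Added example, not from the thread or from Libreboot: classify the keyslots
# of a LUKS2 header by PBKDF before relying on GRUB to unlock /boot.
# Unpatched GRUB (2.06/2.12) only unlocks LUKS2 keyslots that use pbkdf2;
# argon2id keyslots need an argon2-patched GRUB such as Libreboot's.

# Constructed `cryptsetup luksDump` output (shortened; salts and digests
# omitted). On a real system use:  cryptsetup luksDump /dev/sda1
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           0a1b2c3d-0000-4000-8000-000000000001
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# Second constructed header with a single argon2id keyslot.
SAMPLE_ARGON_ONLY='LUKS header information
Version:        2

Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
Digests:
  0: pbkdf2
        Hash:       sha256'

# luks_keyslot_pbkdfs DUMP_TEXT
# Prints one "slot=N pbkdf=NAME" line per keyslot in the Keyslots: section.
# The Digests: section also contains a "pbkdf2" line, so parsing stops at
# the next top-level header.
luks_keyslot_pbkdfs() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/                   { in_slots = 1; next }
        in_slots && /^[A-Za-z]/        { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && /^[ \t]+PBKDF:/    { printf "slot=%s pbkdf=%s\n", slot, $2 }
    '
}

# luks_bootloader_verdict DUMP_TEXT
# "stock-grub-ok" if at least one keyslot is pbkdf2 (any GRUB >= 2.06 can
# unlock it with that slot's passphrase), otherwise "argon2-grub-required".
luks_bootloader_verdict() {
    if luks_keyslot_pbkdfs "$1" | grep -q 'pbkdf=pbkdf2$'; then
        echo stock-grub-ok
    else
        echo argon2-grub-required
    fi
}

luks_keyslot_pbkdfs "$SAMPLE_DUMP"
luks_bootloader_verdict "$SAMPLE_DUMP"
luks_bootloader_verdict "$SAMPLE_ARGON_ONLY"
```

To run it against a real header, replace SAMPLE_DUMP with the captured output of cryptsetup luksDump on the LUKS partition (here /dev/sda1 as in the menuentry above); a verdict of argon2-grub-required means only the argon2-patched firmware GRUB can open /boot, and a pbkdf2 keyslot added with cryptsetup luksAddKey --pbkdf pbkdf2 is the usual fallback for stock bootloaders.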

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #4
I know this is off the topic, but I HATE that setup. Aside from ending up with old, or ancient, hardware, I have 2 bricked laptops that you can't gain any access to without the use of a soldering iron, because the Libreboot installer was... how do you put this kindly... somewhat emotionally erratic.


Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #5
Hello. I agree with you; there are some difficulties, and in my opinion Libreboot has very unstructured documentation, unlike the Arch wiki.

But as for old equipment, you can argue here)) If you install bloated projects such as Gnome, with millions of lines of code, and for example DWM, then, as you say, everything will fly on your ancient laptop.

=> https://openhub.net/

Gnome 18 million lines of code
KDE 19 million lines of code
Cinnamon 793,220 lines of code
LXQt 531,000 lines of code
icewm 78,868 lines of code
fluxbox 53,266 lines of code
i3wm 56,868 lines of code
jwm 22,973 lines of code
dwm 2,508 lines of code !!



What happened to your laptops (bricks)? Maybe they can be fixed? What is the problem?

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #6

I thought dwm was supposed to be limited to 2000 lines of code?
Maybe they relaxed it?

Isn't the Linux kernel at around 30 million now?

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #7


What happened to your laptops (bricks)? Maybe they can be fixed? What is the problem?

The problem is you can't get access to the BIOS or any disks because of password-protected cryptography.

It is a brick. You can't edit GRUB.

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #8

Hello. I think you're wrong))
I can edit GRUB and, after editing, flash it into the flash chip; it works.
https://www.coreboot.org/GRUB2

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #9
Then yours is not locked down.

Re: Libreboot with full disk encryption (including /boot) Luks2+argon2id

Reply #10
Hi. Thanks for your answer. I solved my issue, but it took me a lot of energy)) because the Libreboot developers changed the installation instructions; now it's Flashprog https://libreboot.org/docs/install/spi_generic.html instead of Flashrom, and there are many other changes. Everything works fine.