On Tuesday, 18 September 2018 at 20:16:10 UTC+3, Jonathan Seefelder wrote:
> yes it's possible, do you want to encrypt /boot and /root separately so
> you will need a different password for each partition, or do you want to
> encrypt it all together with 2fa etc?
>
> The first one is relatively easy, you will have to modify the grub.cfg
> of your coreboot image. Also, the uuid will have to match, you can either
> do a "normal" install and change the uuid in the grub.cfg, or change the
> uuid of /root.
>
> check out the libreboot-side, there should be all the necessary
> information. I will write a tutorial some day.
>
> cheers
>
>
> On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote:
>
> > get:
> >> FDE in my understanding this is a scheme partition look like
> >>
> >> sda 8:0 0 99999,9G 0 disk
> >> └─sda1 8:1 0 99999,9G 0 LUKS
> >> └──luks-<UUID> crypt
> >> ├─qubes_dom0-boot lvm /boot (encrypted)
> >> ├─qubes_dom0-swap lvm [SWAP] (encrypted)
> >> └─qubes_dom0-root lvm / (encrypted)
> >>
> >> FDE = cryptsetup whole disk (including /boot). Not only root partition.
> >> Anaconda can't do it by default. Installation success only with grub
> >> missing.
> >> OS research HEADS can't kexec into FDE disk.
> >>
> >> Is it only possible to boot from grub2 coreboot ?
> >>
> >> cryptomount -a
> >> set root='hd0,msdos1'
> >> linux=... vmlinuz=...
> >>
> >> I have been trying to do the coreboot firmware for a month already
> >> to get a load of Qubes with full disk encryption (including /boot). Is it
> >> possible? Can anyone help me ?:)
> > I've seen others on this list report it as successful, but haven't done
> > it myself. I think they had to use the Seabios payload for the initial
> > install, then switch to coreboot's grub2. Afraid that's about all I know...
>
>
> --
> Kind Regards
> Jonathan Seefelder
> CryptoGS IT-Security Solutions

Hi, Jonathan Seefelder.

I'm looking for different ways to encrypt the whole disk (including /boot) and load it using coreboot modifications.

I know how to load Parabola FDE (including /boot) this way:

    menuentry 'Linux-libre kernel' {
        cryptomount -a (ahci0,msdos1)
        set root='lvm/matrix-rootvol'
        linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
        initrd /boot/initramfs-linux-libre.img
    }

Is it the same method for xen?

Did you try Heads/Petitboot?
https://www.raptorengineering.com/content/kb/1.html
https://github.com/osresearch/heads

Did you try to add https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?
Did you try adding gpg keys?

Thanks.