Stephen Sloan <[email protected]> writes:

> I used your find command and copied the grub.cfg file into place. It "just
> worked". Cool indeed! Practically speaking, I could copy the file into place
> every
> time that I reconfigure the system. But for bragging rights, I've got to get
> it automated. I'm reading through the code, looking for the best approach.
> I'm a
> clojure programmer by trade; scheme is new to me.
>
> I think I will try to make a package for flashrom and the libreboot
> utilities, but I like this solution of just copying a file into place.
>
> On Wed, Apr 12, 2017 at 8:21 AM, Marius Bakke <[email protected]> wrote:
>
> > Stephen Sloan <[email protected]> writes:
> >
> > > I am looking for some advice.
> > >
> > > I am setting up a libreboot + whole disk encryption + guixsd laptop.
> > > Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
> > >
> > > According to the libreboot docs, I can make the grub config available at
> > > /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
> > > and use that config file. I've installed guixsd with --no-grub, I have
> > > libreboot installed, and the disk encrypted, now I just need to make it
> > > bootable!
> >
> > Wow, cool!
> >
> > `guix system --no-grub` will actually build out grub.cfg in the store,
> > just not write it to the actual bootloader configuration. So you can try
> > to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
> >
> > It will also print the location when running `reconfigure`:
> >
> > root@xbmc ~# guix system reconfigure --no-grub /etc/config.scm
> > substitute: updating list of substitutes from
> > 'https://mirror.hydra.gnu.org'... 100.0%
> > The following derivation will be built:
> > /gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
> > /gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
> > /gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
> >
> > > I think I need to make the correct grub config file available at that
> > > location whenever I reconfigure. I can manage the coding, but I'd like
> > > hints on the best way to go about this with guix.
> >
> > I think making the <grub-configuration> field take a "copy-only?" option
> > would be a decent fix for now. Currently the build code expects to run
> > "grub-install", look into gnu/system/grub.scm and gnu/build/install.scm
> > for starters.
> >
> > > There are some other options I've considered. I could reflash my BIOS as
> > > part of the reconfiguration process. Or maybe I could chain-load two grub
> > > installations, possibly with an unencrypted /boot.
> >
> > We don't have libreboot in Guix yet, but the ability to install it at
> > reconfigure time would be nice. Sounds risky, though :)
FYI, it's possible to achieve the practical equivalent of full-disk encryption while using Libreboot without jumping through any hoops at all. An installation like the one performed in the encrypted-root-os system test [1] works "out of the box" with Libreboot. For more information, please refer to the operating system configuration file and the installation script shown in the encrypted-root-os system test. The section "Mapped Devices" in the manual is also helpful.

I use a Libreboot laptop, which I've set up like that. All state - my home directory, the GRUB configuration file, system service database files, etc. - is stored in the root file system. Because the root file system is in a LUKS-encrypted partition, everything I care about is encrypted. I also use a swap file as described in the manual (same section). Because that swap file is just another file in the root file system, my swap space is encrypted, too. The only things that aren't encrypted are my Libreboot installation (in flash memory, not on disk) and the GRUB bootloader that Guix installed to the disk (which is never actually used, since I use Libreboot).

This setup works for my use case. I know it has some drawbacks, but they aren't problems for me. For example, I've heard that suspend-to-disk won't work with this style of encrypted swap, but since I don't need that feature right now, I don't mind. The boot time is also pretty long - Libreboot seems to take quite a while (minutes) to find the encrypted disk - but it works every time, so I'm content. I also have to input my disk's passphrase two times (once when Libreboot's GRUB payload wants to decrypt the LUKS volume, and again when the initialization process in GuixSD's initrd wants to decrypt the same LUKS volume), but I think you have to enter your passphrase twice in that case even when not using Libreboot.

[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm?id=2e3744730777dc4e988675be369692d2be6fa1e2#n453

--
Chris
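The automation Stephen is after, as an added example that is not code from this thread or from Guix itself: Marius points out that `guix system reconfigure --no-grub` prints the store path of the grub.cfg it built, so a small wrapper can capture that output, pull the path out of it, and copy the file to the /boot/grub/libreboot_grub.cfg location Stephen quotes from the Libreboot docs. My assumptions, not the thread's: the wanted path is the last output line of the form /gnu/store/<32-character hash>-grub.cfg (the .drv and -system lines in the quoted session deliberately do not match), and GUIX_STORE_DIR is a knob of this script only, so the functions can be exercised against a scratch directory rather than the real store.

```shell
#!/bin/sh
# Added example (not from the thread): copy the grub.cfg that a
# `guix system reconfigure --no-grub` run just built into the place
# Libreboot's GRUB payload looks for it.
#
# Assumptions (mine): the path we want is the last output line shaped like
# /gnu/store/<32-char hash>-grub.cfg, and GUIX_STORE_DIR exists only so this
# script can be tested against a scratch directory instead of /gnu/store.

store_dir() {
    printf '%s\n' "${GUIX_STORE_DIR:-/gnu/store}"
}

# Print the store path of the grub.cfg named in reconfigure's output, if any.
# The pattern requires the line to end in "-grub.cfg", so the derivation
# (...-grub.cfg.drv) and the ...-system item from the same output are skipped.
grub_cfg_path() {
    # $1: captured output of `guix system reconfigure --no-grub ...`
    printf '%s\n' "$1" \
        | grep -E "^$(store_dir)/[a-z0-9]{32}-grub\.cfg$" \
        | tail -n 1
}

# Copy that grub.cfg to the destination and verify the copy byte-for-byte.
# Returns 1 instead of leaving a stale or partial file behind when no path
# was printed or the named store item is not a regular file.
install_libreboot_grub_cfg() {
    # $1: reconfigure output, $2: destination, e.g. /boot/grub/libreboot_grub.cfg
    src=$(grub_cfg_path "$1")
    if [ -z "$src" ]; then
        echo "no grub.cfg store path found in reconfigure output" >&2
        return 1
    fi
    if [ ! -f "$src" ]; then
        echo "$src is not a regular file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$2")" || return 1
    # Store items are read-only (mode 0444); write the copy as 0644 so the
    # next reconfigure can overwrite it without fighting the permission bits.
    cp "$src" "$2" && chmod 0644 "$2" || return 1
    if ! cmp -s "$src" "$2"; then
        echo "copy of $src to $2 did not verify" >&2
        return 1
    fi
    echo "installed $src as $2"
}

# Typical use as root, right after reconfiguring (not executed here):
#   out=$(guix system reconfigure --no-grub /etc/config.scm 2>&1 | tee /dev/stderr)
#   install_libreboot_grub_cfg "$out" /boot/grub/libreboot_grub.cfg
```

The script refuses to copy anything when the output carries no grub.cfg line, so a reconfigure that printed nothing leaves the previous libreboot_grub.cfg untouched rather than replacing it with whatever `find /gnu/store` happens to return first; the final `cmp` catches a short or failed write before the machine is rebooted on it.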
