On Tuesday, 18 September 2018 at 20:16:10 UTC+3, Jonathan Seefelder wrote:
> Yes, it's possible. Do you want to encrypt /boot and /root separately, so
> you will need a different password for each partition, or do you want to
> encrypt it all together with 2fa etc?
> 
> The first one is relatively easy, you will have to modify the grub.cfg
> of your coreboot image. Also, the uuid will have to match, you can either
> do a "normal" install and change the uuid in the grub.cfg, or change the
> uuid of /root.
> 
> Check out the libreboot site, there should be all the necessary
> information. I will write a tutorial some day.
> 
> cheers
> 
> 
> On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote:
> 
> > get:
> >> FDE in my understanding this is a scheme partition look like
> >>
> >> sda      8:0    0 99999,9G  0 disk 
> >> └─sda1   8:1    0 99999,9G  0 LUKS
> >> └──luks-<UUID>           crypt
> >> ├─qubes_dom0-boot   lvm /boot (encrypted)
> >> ├─qubes_dom0-swap   lvm [SWAP] (encrypted)
> >> └─qubes_dom0-root   lvm  / (encrypted)
> >>
> >> FDE = cryptsetup whole disk (including /boot). Not only root partition.
> >> Anaconda can't do it by default. Installation success only with grub 
> >> missing.
> >> OS research HEADS can't kexec into FDE disk.
> >>
> >> Is it only possible to boot from grub2 coreboot ?
> >>
> >> cryptomount -a
> >> set root='hd0,msdos1'
> >> linux=... vmlinuz=...
> >>
> >> I have been trying to do the coreboot firmware for a month already 
> >> to get a load of Qubes with full disk encryption (including /boot). Is it 
> >> possible? Can anyone help me ?:)
> > I've seen others on this list report it as successful, but haven't done
> > it myself. I think they had to use the Seabios payload for the initial
> > install, then switch to coreboot's grub2. Afraid that's about all I know...
> >
> -- 
> Kind Regards 
> Jonathan Seefelder
> CryptoGS IT-Security Solutions

Hi, Jonathan Seefelder.

I'm looking for different ways to encrypt the whole disk (including /boot) 
and load it using coreboot modifications.

I know how to load Parabola with FDE (including /boot) this way:

menuentry 'Linux-libre kernel' {
        cryptomount -a (ahci0,msdos1)
        set root='lvm/matrix-rootvol'
        linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
        initrd /boot/initramfs-linux-libre.img
}

Is it the same method for Xen?

Did you try Heads/Petitboot?

https://www.raptorengineering.com/content/kb/1.html
https://github.com/osresearch/heads

Did you try to add 
https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?

Did you try adding gpg keys?

Thanks.
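
Added example, not part of the original messages: a shell check for the point made in the quoted reply that the UUID in the coreboot image's grub.cfg has to match the disk. It lists the UUIDs a grub.cfg references and prints any that are not among the UUIDs actually present on the machine. The sample grub.cfg, its UUIDs and the script name check.sh are constructed; hyphens and case are ignored when comparing, because a grub.cfg may carry the `cryptomount -u` argument without hyphens.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Constructed grub.cfg, modelled on the menuentry quoted in the thread.
# The cryptdevice= UUID is deliberately stale to show a mismatch.
sample_cfg() {
    cat <<'EOF'
menuentry 'Linux-libre kernel' {
        cryptomount -u 11111111222233334444555555555555
        set root='lvm/matrix-rootvol'
        linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:root
        initrd /boot/initramfs-linux-libre.img
}
EOF
}

# Print each UUID a grub.cfg references: lowercase, hyphens removed, unique.
# -w skips longer hex runs (for example password hashes).
grub_cfg_uuids() {
    grep -Eiow '[0-9a-f]{8}-?([0-9a-f]{4}-?){3}[0-9a-f]{12}' "$1" |
        tr -d '-' | tr 'A-F' 'a-f' | sort -u
}

# unmatched_uuids CFG UUID...
# Print UUIDs referenced in CFG that are not among the given on-disk UUIDs
# (e.g. from `cryptsetup luksUUID /dev/sda1` or `blkid`). Returns 1 if any.
unmatched_uuids() {
    cfg=$1; shift
    known=$(printf '%s\n' "$@" | tr -d '-' | tr 'A-F' 'a-f')
    missing=0
    for u in $(grub_cfg_uuids "$cfg"); do
        if ! printf '%s\n' "$known" | grep -qx "$u"; then
            echo "$u"; missing=1
        fi
    done
    return "$missing"
}

# Usage (hypothetical file name): sh check.sh /path/to/grub.cfg UUID [UUID...]
if [ "$#" -ge 2 ]; then unmatched_uuids "$@"; fi
```

Run it against the grub.cfg extracted from the coreboot image before flashing; any UUID it prints is one the boot entry refers to but the disk does not have.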
