Re: [qubes-users] Qubes can't FDE?

2018-09-18 Thread get
On Tuesday, September 18, 2018 at 20:16:10 UTC+3, Jonathan Seefelder wrote:
> Yes, it's possible. Do you want to encrypt /boot and /root separately, so
> you will need a different password for each partition, or do you want to
> encrypt it all together with 2FA etc.?
> 
> The first one is relatively easy: you will have to modify the grub.cfg
> of your coreboot image. Also, the UUID will have to match; you can either
> do a "normal" install and change the UUID in the grub.cfg, or change the
> UUID of /root.
> 
> check out the libreboot-side, there should be all the necessary
> information. I will write a tutorial some day.
> 
> cheers
> 
> 
> On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote:
> 
> > get:
> >> FDE, in my understanding, is a partition scheme that looks like this:
> >>
> >> sda                      8:0  0  9,9G  0  disk
> >> └─sda1                   8:1  0  9,9G  0  LUKS
> >>   └─luks-                                 crypt
> >>     ├─qubes_dom0-boot                     lvm   /boot (encrypted)
> >>     ├─qubes_dom0-swap                     lvm   [SWAP] (encrypted)
> >>     └─qubes_dom0-root                     lvm   / (encrypted)
> >>
> >> FDE = cryptsetup whole disk (including /boot). Not only root partition.
> >> Anaconda can't do it by default. Installation succeeds only with grub 
> >> missing.
> >> OS research HEADS can't kexec into FDE disk.
> >>
> >> Is it only possible to boot from grub2 coreboot ?
> >>
> >> cryptomount -a
> >> set root='hd0,msdos1'
> >> linux=... vmlinuz=...
> >>
> >> I have been trying to do the coreboot firmware for a month already 
> >> to get a load of Qubes with full disk encryption (including /boot). Is it 
> >> possible? Can anyone help me ?:)
> > I've seen others on this list report it as successful, but haven't done
> > it myself. I think they had to use the Seabios payload for the initial
> > install, then switch to coreboot's grub2. Afraid that's about all I know...
> >
> -- 
> Kind Regards 
> Jonathan Seefelder
> CryptoGS IT-Security Solutions

Hi, Jonathan Seefelder.

I'm looking for different ways to encrypt the whole disk (including /boot) 
and load it using coreboot modifications.

I know how to load Parabola FDE (including /boot) this way:

menuentry 'Linux-libre kernel' {
    cryptomount -a (ahci0,msdos1)
    set root='lvm/matrix-rootvol'
    linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
    initrd /boot/initramfs-linux-libre.img
}
 
Is it the same method for Xen?

Did you try Heads/Petitboot?

https://www.raptorengineering.com/content/kb/1.html
https://github.com/osresearch/heads

Did you try to add https://en.wikipedia.org/wiki/PBKDF2 to GRUB to use Qubes FDE?

Did you try adding GPG keys?

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0734ef03-a091-46a8-9e3f-456fa392c595%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
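
Added example (not part of the original messages, and not code from Qubes, coreboot or libreboot): a shell check for the point in the quoted reply above that the UUID in the coreboot grub.cfg has to match the disk. It assumes the config names the LUKS container through "cryptomount -u" and/or "rd.luks.uuid="; the function names, the sample entry and the UUID are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that the LUKS UUIDs a grub.cfg refers to match the disk.

# Normalise a UUID: drop an optional "luks-" prefix and dashes, lowercase hex.
norm_uuid() {
    printf '%s\n' "$1" | sed -e 's/^luks-//' -e 's/-//g' | tr 'A-F' 'a-f'
}

# Read grub.cfg text on stdin; print each UUID given to "cryptomount -u" or
# "rd.luks.uuid=", normalised, one per line.
grub_luks_uuids() {
    grep -oE '(cryptomount[[:space:]]+-u[[:space:]]+|rd\.luks\.uuid=)[A-Za-z0-9-]+' |
    sed -E 's/^(cryptomount[[:space:]]+-u[[:space:]]+|rd\.luks\.uuid=)//' |
    while read -r u; do norm_uuid "$u"; done
}

# check_grub_uuid DISK_UUID < grub.cfg
# 0: every referenced UUID matches; 1: a mismatch; 2: no UUID referenced
# (for instance a config that only uses "cryptomount -a").
check_grub_uuid() {
    want=$(norm_uuid "$1")
    refs=$(grub_luks_uuids)
    [ -n "$refs" ] || { echo "no LUKS UUID referenced"; return 2; }
    bad=$(printf '%s\n' "$refs" | grep -vxF "$want" || true)
    [ -z "$bad" ] && return 0
    echo "grub.cfg references UUID(s) not on disk: $bad"
    return 1
}

# Constructed sample entry and UUID (not taken from the thread).
sample_cfg() {
cat <<'EOF'
menuentry 'constructed sample' {
    cryptomount -u 0f1e2d3c4b5a49788796a5b4c3d2e1f0
    set root='lvm/qubes_dom0-boot'
    linux /vmlinuz root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0
    initrd /initramfs.img
}
EOF
}

sample_cfg | check_grub_uuid 0F1E2D3C-4B5A-4978-8796-A5B4C3D2E1F0 && echo "UUIDs match"
```

On an installed system the value to compare against is what "cryptsetup luksUUID /dev/sda1" prints for the encrypted partition.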


Re: [qubes-users] Qubes can't FDE?

2018-09-18 Thread get
On Tuesday, September 18, 2018 at 20:02:19 UTC+3, awokd wrote:
> get:
> > FDE, in my understanding, is a partition scheme that looks like this:
> > 
> > sda                      8:0  0  9,9G  0  disk
> > └─sda1                   8:1  0  9,9G  0  LUKS
> >   └─luks-                                 crypt
> >     ├─qubes_dom0-boot                     lvm   /boot (encrypted)
> >     ├─qubes_dom0-swap                     lvm   [SWAP] (encrypted)
> >     └─qubes_dom0-root                     lvm   / (encrypted)
> > 
> > FDE = cryptsetup whole disk (including /boot). Not only root partition.
> > Anaconda can't do it by default. Installation succeeds only with grub 
> > missing.
> > OS research HEADS can't kexec into FDE disk.
> > 
> > Is it only possible to boot from grub2 coreboot ?
> > 
> > cryptomount -a
> > set root='hd0,msdos1'
> > linux=... vmlinuz=...
> > 
> > I have been trying to do the coreboot firmware for a month already 
> > to get a load of Qubes with full disk encryption (including /boot). Is it 
> > possible? Can anyone help me ?:)
> 
> I've seen others on this list report it as successful, but haven't done
> it myself. I think they had to use the Seabios payload for the initial
> install, then switch to coreboot's grub2. Afraid that's about all I know...

Hi, awokd. I agree, this is also the only way I know.

http://www.zerocat.org/coreboot-machines/md_doc_build-coreboot-x220.html
http://www.zerocat.org/coreboot-machines/md_doc_build-coreboot-x230.html

Do you mean this: SeaBIOS (main) + GRUB2 (ELF payload)?

I'm trying to learn HEADS, but it's quite difficult. There is a built-in 
cryptsetup and kexec, but I have not yet found information on how to boot 
without a loader into FDE Qubes (including /boot) using kexec. Also, the 
"master" branch has only coreboot version 4.7. 
I found this:
https://github.com/flammit/heads/tree/coreboot-4.8
I cannot compile it (the build fails).

I also tried to add GPG keys to the firmware:
https://libreboot.org/docs/gnulinux/grub_hardening.html#GPG keys

"cbfstool test.rom print" writes that everything is fine, but after flashing the 
firmware there are no keys in Heads (initrd/etc/.gnupg).

seal-totp works strangely.

Have you any experience?

Unfortunately, too little information is available.





[qubes-users] Qubes can't FDE?

2018-09-18 Thread get
FDE, in my understanding, is a partition scheme that looks like this:

sda                      8:0  0  9,9G  0  disk
└─sda1                   8:1  0  9,9G  0  LUKS
  └─luks-                                 crypt
    ├─qubes_dom0-boot                     lvm   /boot (encrypted)
    ├─qubes_dom0-swap                     lvm   [SWAP] (encrypted)
    └─qubes_dom0-root                     lvm   / (encrypted)

FDE = cryptsetup whole disk (including /boot). Not only root partition.
Anaconda can't do it by default. Installation succeeds only with grub missing.
OS research HEADS can't kexec into FDE disk.

Is it only possible to boot from grub2 coreboot ?

cryptomount -a
set root='hd0,msdos1'
linux=... vmlinuz=...

I have been trying to do the coreboot firmware for a month already 
to get a load of Qubes with full disk encryption (including /boot). Is it 
possible? Can anyone help me ?:)



[qubes-users] Has anyone tried to run non-classical OS/nix* on the Qubes 4 machine?

2018-08-08 Thread get
For example, NixOS/GuixSD/Sabotage/Plan9 and others.
Any guides, please?



[qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-12 Thread get
On Wednesday, April 18, 2018 at 0:13:29 UTC+3, Chris Laprise wrote:
> Hello fellow Qubes users:
> 
> Per issue 3503 the Qubes project would like to incorporate VPN features 
> from Qubes-vpn-support -- which a number of you are already using -- 
> into the Qubes 4.1 release.
> 
> I've set up a new project "qubes-tunnel" to act as a staging area for 
> testing and eventual forking into Qubes. It is nearly the same as 
> Qubes-vpn-support except some names & paths are different... and install 
> to template is required for obvious reasons :) .
> 
> 
> Project Link... https://github.com/tasket/qubes-tunnel
> 
> 
> Everyone with an available VPN service is welcome to try this out and 
> report here on your results!
> 
> -
> 
> PS - Some of you will wonder if installing qubes-tunnel into an existing 
> template already used for Qubes-vpn-support will cause a conflict; They 
> will not conflict as long as the two services aren't enabled for the 
> same ProxyVM(s).
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Hi. The script no longer works on debian-9/fedora-26. Please fix it.

Tested VPNs: mullvad, privateinternetaccess, expressvpn and multiple random 
openvpn.

Guides: 
https://github.com/tasket/Qubes-vpn-support
https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-the-qubes-tunnel-service
https://github.com/tasket/qubes-tunnel



[qubes-users] Re: issues with qubes fedora and debian repos

2018-04-10 Thread get
Unfortunately, ftp.qubes-os.org is "down".
