Re: [qubes-users] Grub with encrypted boot
Can you elaborate on this a bit please? Or point at some manual that could help get started with the topic? While the concept sounds familiar I don't have enough experience to build a secure boot environment from scratch - and that's what needs to be done in case of Qubes.

On Wednesday, May 6, 2020 at 9:16:54 AM UTC+2, dhorf-hfr...@hashmail.org wrote:
>
> On Wed, May 06, 2020 at 06:21:00AM +, lamboicarus via qubes-users
> wrote:
> > I am wondering if anyone knows how I might install grub for use with
> > an encrypted boot partition, or no boot partition at all. I have
> > recently decided to use btrfs, and I have grub working fine. The
> > grub2-efi config from the qubes-dom0-unstable repo is working fine,
> > but it's very complex. Reading about grub on the arch-wiki, it says
>
> boot security is a very complex topic.
>
> just encrypting your /boot but keeping an unencrypted grub
> around that opens that /boot is not increasing your security
> in any meaningful way. it just adds a pile of fragility.
>
> for actual cryptographic boot security, you need a "verified"
> and/or "measured" boot setup.
>
> since you mentioned "efi", i would recommend an efi-heads hybrid.
> deploy a linux kernel with _internal_ initrd (!) as efi-verified
> boot payload. this way you have to do the efi-signing "just once",
> and from that linux kernel you can open your encrypted /boot
> in the "natural linux ways".
>
> if your "bios" takes measurements during boot, do tpmtotp (or similar)
> from the first stage linux (before unlocking your /boot) you dont even
> have to do any modifications to the payloads inside /boot ...
> so no resigning/resealing on every payload-xen/kernel update either!
>
> this setup does not involve grub at all. this is intentional.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8afd7aef-5470-4ab3-b83b-2dccd1246414%40googlegroups.com.
Re: [qubes-users] Grub with encrypted boot
On Wed, May 06, 2020 at 06:21:00AM +, lamboicarus via qubes-users wrote:
> I am wondering if anyone knows how I might install grub for use with
> an encrypted boot partition, or no boot partition at all. I have
> recently decided to use btrfs, and I have grub working fine. The
> grub2-efi config from the qubes-dom0-unstable repo is working fine,
> but it's very complex. Reading about grub on the arch-wiki, it says

boot security is a very complex topic.

just encrypting your /boot but keeping an unencrypted grub
around that opens that /boot is not increasing your security
in any meaningful way. it just adds a pile of fragility.

for actual cryptographic boot security, you need a "verified"
and/or "measured" boot setup.

since you mentioned "efi", i would recommend an efi-heads hybrid.
deploy a linux kernel with _internal_ initrd (!) as efi-verified
boot payload. this way you have to do the efi-signing "just once",
and from that linux kernel you can open your encrypted /boot
in the "natural linux ways".

if your "bios" takes measurements during boot, do tpmtotp (or similar)
from the first stage linux (before unlocking your /boot) you dont even
have to do any modifications to the payloads inside /boot ...
so no resigning/resealing on every payload-xen/kernel update either!

this setup does not involve grub at all. this is intentional.
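The measured-boot check described in the reply above, as an added illustration that is not part of the thread and is not tpmtotp's own code: a simplified model in which a secret is sealed to one SHA-256 PCR and the first-stage Linux can only show a matching TOTP code when the measured chain is unchanged. `ToyTPM`, the component names and the single-PCR policy are assumptions made for the example.

```python
import hashlib, hmac, struct

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    pcr = bytes(32)                      # a PCR is all zeros after reset
    for blob in components:              # each stage is measured in boot order
        pcr = pcr_extend(pcr, blob)
    return pcr

class ToyTPM:
    """Stand-in for TPM sealing: the secret is released only when the
    current PCR equals the value it was sealed to (assumption: one PCR)."""
    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._policy, self._secret = pcr, secret
    def unseal(self, pcr: bytes) -> bytes:
        if not hmac.compare_digest(self._policy, pcr):
            raise PermissionError("PCR mismatch: measured boot chain changed")
        return self._secret

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the code a phone authenticator computes."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def first_stage_code(tpm: ToyTPM, components, now: int):
    """Code the first-stage Linux would display, or None if unsealing is refused."""
    try:
        return totp(tpm.unseal(measure_chain(components)), now)
    except PermissionError:
        return None

# Constructed sample data: only firmware and the signed kernel+initrd are
# measured; nothing inside the encrypted /boot is part of the chain.
SECRET = b"12345678901234567890"          # RFC 6238 test key, not a real secret
GOOD = [b"firmware-v1", b"kernel-with-internal-initrd"]
TAMPERED = [b"firmware-v1", b"kernel-with-internal-initrd (modified)"]

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.seal(SECRET, measure_chain(GOOD))   # done once, from a trusted state
    now = 59
    print("phone shows     :", totp(SECRET, now))
    print("clean boot shows:", first_stage_code(tpm, GOOD, now))
    print("tampered boot   :", first_stage_code(tpm, TAMPERED, now))
```

Because the Xen and kernel payloads inside /boot are not in the measured list, updating them leaves the PCR value, and therefore the sealed secret, untouched.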
[qubes-users] Grub with encrypted boot
Hello all,

I am wondering if anyone knows how I might install grub for use with an encrypted boot partition, or no boot partition at all. I have recently decided to use btrfs, and I have grub working fine. The grub2-efi config from the qubes-dom0-unstable repo is working fine, but it's very complex. Reading about grub on the arch-wiki, it says you can enable this feature in grub just by adding ENABLE_CRYPTODISK=y in /etc/default/grub then running grub2-install. I need to know if that will actually work with Qubes, and how to generate a proper grub.cfg for use with the feature.