Re: Libreboot + WDE + GuixSD: Need some advice


From: Chris Marusich
Subject: Re: Libreboot + WDE + GuixSD: Need some advice
Date: Thu, 13 Apr 2017 00:31:08 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Stephen Sloan <address@hidden> writes:

> I used your find command and copied the grub.cfg file into place. It "just
> worked". Cool indeed! Practically speaking, I could copy the file into place
> every time that I reconfigure the system. But for bragging rights, I've got
> to get it automated. I'm reading through the code, looking for the best
> approach. I'm a clojure programmer by trade; scheme is new to me.
>
> I think I will try to make a package for flashrom and the libreboot 
> utilities, but I like this solution of just copying a file into place.
>
> On Wed, Apr 12, 2017 at 8:21 AM, Marius Bakke <address@hidden> wrote:
>
>  Stephen Sloan <address@hidden> writes:
>
>  > I am looking for some advice.
>  >
>  > I am setting up a libreboot + whole disk encryption + guixsd laptop.
>  > Libreboot has grub in the BIOS, which allows for encrypting the whole disk.
>  >
>  > According to the libreboot docs, I can make the grub config available at
>  > /boot/grub/libreboot_grub.cfg and the grub installed on the BIOS will load
>  > and use that config file. I've installed guixsd with --no-grub, I have
>  > libreboot installed, and the disk encrypted, now I just need to make it
>  > bootable!
>
>  Wow, cool!
>
>  `guix system --no-grub` will actually build out grub.cfg in the store,
>  just not write it to the actual bootloader configuration. So you can try
>  to `find /gnu/store -maxdepth 1 -name '*grub.cfg'` and copy it in place.
>
>  It will also print the location when running `reconfigure`:
>
>  address@hidden ~# guix system reconfigure --no-grub /etc/config.scm
>  substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
>  The following derivation will be built:
>  /gnu/store/dp0v27hgc93a18zva7wqnl5rl3h1yvm2-grub.cfg.drv
>  /gnu/store/r2y4bn5p162pah9lqa3mqyplj09va65x-system
>  /gnu/store/jnnzn804d2ss2vk7k8hxkzh07waj0x75-grub.cfg
>
>  > I think I need to make the correct grub config file available at that
>  > location whenever I reconfigure. I can manage the coding, but I'd like
>  > hints on the best way to go about this with guix.
>
>  I think making the <grub-configuration> field take a "copy-only?" option
>  would be a decent fix for now. Currently the build code expects to run
>  "grub-install", look into gnu/system/grub.scm and gnu/build/install.scm
>  for starters.
>
>  > There are some other options I've considered. I could reflash my BIOS as
>  > part of the reconfiguration process. Or maybe I could chain-load two grub
>  > installations, possibly with an unencrypted /boot.
>
>  We don't have libreboot in Guix yet, but the ability to install it at
>  reconfigure time would be nice. Sounds risky, though :)

FYI, it's possible to achieve the practical equivalent of full-disk
encryption while using Libreboot without jumping through any hoops at
all.  An installation like the one performed in the encrypted-root-os
system test [1] works "out of the box" with Libreboot.  For more
information, please refer to the operating system configuration file and
the installation script shown in the encrypted-root-os system test.  The
section "Mapped Devices" in the manual is also helpful.

I use a Libreboot laptop, which I've set up like that.  All state - my
home directory, the GRUB configuration file, system service database
files, etc. - is stored in the root file system.  Because the root file
system is in a LUKS-encrypted partition, everything I care about is
encrypted.  I also use a swap file as described in the manual (same
section).  Because that swap file is just another file in the root file
system, my swap space is encrypted, too.  The only things that aren't
encrypted are my Libreboot installation (in flash memory, not on disk)
and the GRUB bootloader that Guix installed to the disk (which is never
actually used, since I use Libreboot).

This setup works for my use case.  I know it has some drawbacks, but
they aren't problems for me.  For example, I've heard that
suspend-to-disk won't work with this style of encrypted swap, but since
I don't need that feature right now, I don't mind.  The boot time is
also pretty long - Libreboot seems to take quite a while (minutes) to
find the encrypted disk - but it works every time, so I'm content.  I
also have to input my disk's passphrase two times (once when Libreboot's
GRUB payload wants to decrypt the LUKS volume, and again when the
initialization process in GuixSD's initrd wants to decrypt the same LUKS
volume), but I think you have to enter your passphrase twice in that
case even when not using Libreboot.

[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm?id=2e3744730777dc4e988675be369692d2be6fa1e2#n453

-- 
Chris
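For readers who want to see the layout described in the message above as a configuration, here is an illustrative GuixSD `operating-system` declaration (an added example, not the author's file or the encrypted-root-os test itself). The host name, account name, `/dev/sda` device and the all-zero UUID are placeholders, and the field names follow the 2017-era API mentioned in the thread (`grub-configuration`, a list of strings for `swap-devices`); check the current manual before copying.

```scheme
;; Added illustrative GuixSD configuration: one LUKS partition holding the
;; root file system, with the swap file inside that root file system, so
;; /home, the GRUB configuration, /var and swap are all encrypted.
(use-modules (gnu))
(use-service-modules desktop)

(operating-system
  (host-name "libreboot-laptop")                 ; placeholder host name
  (timezone "Europe/Paris")
  (locale "en_US.UTF-8")

  ;; Guix still installs a GRUB to the disk; with Libreboot's GRUB payload
  ;; in flash that on-disk copy is never executed, as the message notes.
  (bootloader (grub-configuration (device "/dev/sda")))   ; placeholder disk

  ;; Open the LUKS container from the initrd.  The UUID is a placeholder:
  ;; use the output of `cryptsetup luksUUID <partition>` for your own disk.
  (mapped-devices
   (list (mapped-device
          (source (uuid "00000000-0000-0000-0000-000000000000"))
          (target "cryptroot")
          (type luks-device-mapping))))

  ;; The root file system lives on the opened mapping and depends on it so
  ;; that the mapping is set up before the mount is attempted.
  (file-systems
   (cons (file-system
           (device "/dev/mapper/cryptroot")
           (mount-point "/")
           (type "ext4")
           (dependencies mapped-devices))
         %base-file-systems))

  ;; Swap file inside the encrypted root, as in the manual's "Mapped
  ;; Devices" section; create it beforehand with dd/mkswap.  As the message
  ;; says, suspend-to-disk is not expected to work with this arrangement.
  (swap-devices '("/swapfile"))

  (users (cons (user-account
                (name "alice")                   ; placeholder account
                (group "users")
                (supplementary-groups '("wheel" "netdev" "audio" "video"))
                (home-directory "/home/alice"))
               %base-user-accounts))

  (services %desktop-services))
```

With this layout the passphrase is requested twice at boot, once by Libreboot's GRUB payload to read /boot/grub/libreboot_grub.cfg from the encrypted root and once by the initrd when it opens the mapping.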
