================
== cqstia.com ==
================

Libreboot Full Disk Encryption

Libreboot Full Disk Encryption with Debootstrap

BOOT ARCHITECTURE

Libreboot's GRUB payload supports true full disk encryption: the kernel, the initramfs and grub.cfg all live inside the LUKS container, not on a plaintext /boot partition.

To understand why that matters, let's look at a typical GRUB setup.

TRADITIONAL BIOS BOOT 

BIOS
 |
 |
 V
----(FLASH LAYER)
 |
 |
 V
/dev/sda (GRUB)
 |
 |
 V
-->/dev/sda1 /boot (Grub finds this)
 |
 |
 V
-->/dev/sda2 / [LUKS ENCRYPTED]
  1. GRUB is read off the UNENCRYPTED hard disk
  2. GRUB finds the UNENCRYPTED /boot and reads /boot/grub/grub.cfg
  3. GRUB boots Linux, passing the disk layout to the kernel and initramfs
  4. The kernel and initramfs decrypt /, then mount the rest of fstab

Everything on /dev/sda1 is readable and writable by anyone who gets hold of the disk, so the GRUB, kernel and initramfs that later ask for your passphrase are themselves unprotected: an attacker can swap them for versions that record the passphrase.

Let's look at the Libreboot GRUB boot process for full disk encryption.

LIBREBOOT FULL DISK ENCRYPTION

SeaBIOS
 |
 |
 V
GRUB (CBFS)
 |
----(FLASH LAYER)
 |
 |
 V
/dev/sda / [LUKS ENCRYPTED]
  1. SeaBIOS chainloads into GRUB (this is the SeaGRUB configuration)
  2. GRUB asks for your passphrase and unlocks the LUKS device (cryptomount)
  3. GRUB scans the LVM volumes it now sees for /boot/grub/grub.cfg
  4. GRUB boots the Linux kernel and initramfs from inside the encrypted volume
  5. Linux kernel boot process (the initramfs unlocks / a second time; see the end of this page)

So how do we actually implement this?

The Arch Wiki will be of help here: https://wiki.archlinux.org/title/LVM

/dev/sda holds the LUKS container; once unlocked it appears as /dev/mapper/cryptlvm, which is our Physical Volume

grubcrypt is our Volume Group on that Physical Volume

rootvol is a Logical Volume inside our Volume Group

Here is what that setup looks like

/dev/sda [LUKS ENCRYPTED]
    |
    |
    V
/dev/mapper/cryptlvm (Physical Volume)
    |
    |
    V
(grubcrypt) Volume Group
    |
    |
    ----> (grubcrypt-rootvol) / (Logical Volume)

So let's look at our boot process in its full glory:

SeaBIOS
  |
  |
  V
GRUB (CBFS)
  |
----(FLASH LAYER)
  |
  |
  V
/dev/sda [LUKS ENCRYPTED]
   |
   |
   |
   V (DECRYPTED: /dev/mapper/cryptlvm, the Physical Volume)
(grubcrypt) Volume Group
--> (grubcrypt-rootvol) / (Logical Volume)
   |
   |
   V
-->/boot/grub/grub.cfg (GRUB finds this)
   |
   |
   V
GRUB boots KERNEL and INITRAMFS with / as ROOT
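To check on a booted system that you really ended up with this chain and not with the traditional layout, here is an added verification script; it is not from this page nor from Libreboot. It reads lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT, walks from the / mountpoint up to the disk, and fails if / is not LVM on dm-crypt or if /boot is a separate filesystem. The two embedded lsblk outputs are constructed samples; the mapper name cryptlvm is the one the installation below uses.

```shell
#!/bin/sh
# Added example, not from the cqstia.com page or from Libreboot: verify on a
# running system that / really sits on LVM on LUKS, with no separate
# (hence unencrypted) /boot filesystem.
# Real use:  lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT | fde_chain_check
fde_chain_check() {
    awk '
    {
        # one lsblk -P line per device: KEY="value" pairs, spaces escaped by lsblk
        name = ""; pk = ""; type = ""; mnt = ""
        n = split($0, kv, " ")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            k = substr(kv[i], 1, eq - 1)
            v = substr(kv[i], eq + 1); gsub(/"/, "", v)
            if (k == "NAME") name = v
            else if (k == "PKNAME") pk = v
            else if (k == "TYPE") type = v
            else if (k == "MOUNTPOINT") mnt = v
        }
        T[name] = type; P[name] = pk          # type and parent of every device
        if (mnt == "/")     root = name
        if (mnt == "/boot") boot = name
    }
    END {
        if (root == "")       { print "FAIL: nothing mounted on /"; exit 1 }
        if (boot != "")       { print "FAIL: /boot is its own filesystem on " boot " (readable without the passphrase)"; exit 1 }
        if (T[root] != "lvm") { print "FAIL: / is a " T[root] " device, not an LVM volume"; exit 1 }
        pv = P[root]
        if (T[pv] != "crypt") { print "FAIL: the PV " pv " is " T[pv] ", not a dm-crypt mapping"; exit 1 }
        disk = P[pv]
        print "OK: / = " root " (lvm) <- " pv " (crypt) <- " disk " (" T[disk] ")"
        exit 0
    }'
}

# Constructed lsblk -P output for the layout this page builds ...
SAMPLE_FDE='NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="cryptlvm" PKNAME="sda" TYPE="crypt" MOUNTPOINT=""
NAME="grubcrypt-rootvol" PKNAME="cryptlvm" TYPE="lvm" MOUNTPOINT="/"'

# ... and for the traditional layout from the first diagram (LUKS on sda2,
# plaintext /boot on sda1), which must be rejected.
SAMPLE_TRADITIONAL='NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="cryptlvm" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="vg-root" PKNAME="cryptlvm" TYPE="lvm" MOUNTPOINT="/"'

for s in "$SAMPLE_FDE" "$SAMPLE_TRADITIONAL"; do
    printf '%s\n' "$s" | fde_chain_check || true   # demo run over the samples
done
```

The check is deliberately strict about /boot: a separate /boot filesystem is exactly what this page's layout avoids, so its presence means the kernel and initramfs are sitting in plaintext.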

Now let's get to the implementation.

INSTALLATION PROCESS

WARNING

This guide has NO WARRANTY. I take ZERO responsibility if you are left in an unbootable state using this!

This installation process assumes you already have Libreboot installed.

Pre-Installation NOTES:

  1. You should use a SeaGRUB payload (SeaBIOS first, chainloading the GRUB that lives in CBFS); the boot chain above depends on that GRUB.

  2. You will need a network connection: debootstrap downloads the whole base system.

Acquiring Live Media

Got SeaGRUB ready? Let's get started.

You can use any Live Linux Media.

I recommend Dragora Linux or Debian 11/Bullseye live images.

(Debian 12 and up images include proprietary non-free firmware by default 🤮)

https://cdimage.debian.org/mirror/cdimage/archive/11.11.0-live/amd64/iso-hybrid/

debian-live-11.11.0-amd64-standard.iso

Install it to your USB flash drive. /dev/sdX is the flash drive, not the disk you are about to encrypt; check with lsblk first.

# dd if=debian-live-11.11.0-amd64-standard.iso of=/dev/sdX bs=4M status=progress && sync

Plug your flash drive in. Press “s” at the Libreboot GRUB menu (search for a GRUB configuration on external media) to boot from USB.

Debian should boot up!

Networking

Make sure networking is up. Use an ethernet cable for best results.

$ ping gnu.org

The console may be broken (it is for me on my t480) fix it with dpkg-reconfigure

# dpkg-reconfigure console-setup

Install required packages

# apt update && apt upgrade

# apt install debootstrap cryptsetup lvm2

Then identify your target disk and what is currently on it:

# lsblk

Set up the LUKS container and LVM

  • WARNING, the instructions here use /dev/sda as a GENERIC REPRESENTATION OF YOUR DISK

Be SURE you are using the right disk! Triple check with $ lsblk

# cryptsetup luksFormat /dev/sda
# cryptsetup open /dev/sda cryptlvm
# pvcreate /dev/mapper/cryptlvm
# vgcreate grubcrypt /dev/mapper/cryptlvm
# lvcreate -l 100%FREE -n rootvol grubcrypt

Note that luksFormat goes on the whole disk: there is no partition table, the LUKS header starts at sector 0, and everything that was on the disk is gone. Remember the name you gave to cryptsetup open (cryptlvm); it will be the target name in /etc/crypttab later. Before rebooting, run cryptsetup luksDump /dev/sda and look at the PBKDF of the keyslot: GRUB can only unlock a header whose key derivation its build supports (GRUB releases up to 2.12 implement only PBKDF2 for LUKS2, while cryptsetup's default for a new LUKS2 header is argon2id, which needs a patched GRUB), so check the release notes of your Libreboot version.

Now let's make the filesystem

Make the filesystem

# mkfs.ext4 /dev/grubcrypt/rootvol

Now let's build the OS!

Install Debian and chroot in

# mkdir /mnt/debian-chroot
# mount /dev/grubcrypt/rootvol /mnt/debian-chroot
# debootstrap --arch amd64 trixie /mnt/debian-chroot \
https://deb.debian.org/debian
# mount --rbind /dev /mnt/debian-chroot/dev
# mount --make-rslave /mnt/debian-chroot/dev
# mount --rbind /proc /mnt/debian-chroot/proc
# mount --make-rslave /mnt/debian-chroot/proc
# mount --rbind /sys /mnt/debian-chroot/sys
# mount --make-rslave /mnt/debian-chroot/sys

If the Bullseye live system's debootstrap does not know the trixie suite ("No such script"), give it the generic script as a fourth argument, /usr/share/debootstrap/scripts/sid, which all Debian suites share. The third bind mount goes to /mnt/debian-chroot/sys, not /mnt/debian-chroot/proc/sys; the kernel, initramfs and GRUB steps below need all three of /dev, /proc and /sys inside the chroot.

Set up the target system in our chroot

# chroot /mnt/debian-chroot
(debian-chroot) # apt install locales
(debian-chroot) # dpkg-reconfigure locales
(debian-chroot) # apt install sudo linux-image-amd64 console-setup \
console-setup-linux grub2 tasksel cryptsetup cryptsetup-initramfs ed lvm2
(debian-chroot) # dpkg-reconfigure tzdata
(debian-chroot) # tasksel install standard
(debian-chroot) # tasksel install laptop # if on a laptop
(debian-chroot) # adduser $USERNAME # put your username here
(debian-chroot) # usermod -aG sudo $USERNAME

When the grub-pc package asks for "GRUB install devices", select none. grub-install writes to the first sectors of the disk, which here belong to the LUKS header; the GRUB that boots this machine is the one in flash, and all it needs from Debian is the /boot/grub/grub.cfg that update-grub generates.

Set up fstab and crypttab

Let's set up our fstab and crypttab, still inside the chroot. The root filesystem is the LVM device-mapper name /dev/mapper/grubcrypt-rootvol (volume group, dash, logical volume), not /dev/mapper/rootvol, and the crypttab target should carry the same name we used with cryptsetup open, with the disk identified by its LUKS UUID (cryptsetup luksUUID /dev/sda) rather than /dev/sda, which can be a different device once the USB stick is gone:

# /etc/fstab
/dev/mapper/grubcrypt-rootvol	/	ext4	defaults	0	1
# /etc/crypttab
cryptlvm	UUID=<output of cryptsetup luksUUID /dev/sda>	none	luks
(debian-chroot) # update-initramfs -u
(debian-chroot) # update-grub2
(debian-chroot) # exit
# umount -R /mnt/debian-chroot
# reboot

Before leaving the chroot you can confirm that the initramfs knows about the volume: lsinitramfs /initrd.img | grep cryptroot should list cryptroot/crypttab.
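The same installation as one script (added here; not the page's own code nor Debian's or Libreboot's), with the points that are easy to get wrong made explicit: one mapper name used both for cryptsetup open and in crypttab, the bind mounts into the chroot, fstab and crypttab generated from the volume names and the LUKS UUID, and the key-derivation function printed before reboot. DISK, SUITE and MIRROR are hypothetical defaults you override in the environment; the luksDump text and the UUID in the demo branch are constructed. Only do_install touches the disk, and it runs only when you pass "install".

```shell
#!/bin/sh
# Added example, not code from the cqstia.com page or from Libreboot/Debian:
# the installation steps above as one script.  Assumptions (hypothetical
# defaults, override via environment): DISK is the whole target disk, the live
# system has debootstrap/cryptsetup/lvm2 installed, and the VG/LV names are the
# ones the page uses.  Only `do_install` touches hardware.
set -eu

DISK="${DISK:-/dev/sda}"          # TRIPLE-CHECK with lsblk before running
MAPPER=cryptlvm                   # name for `cryptsetup open` AND /etc/crypttab
VG=grubcrypt
LV=rootvol
TARGET=/mnt/debian-chroot
SUITE="${SUITE:-trixie}"
MIRROR="${MIRROR:-https://deb.debian.org/debian}"

# ---- helpers that only produce text (safe to run anywhere) ----------------

# fstab entry for /: the LV is /dev/mapper/<vg>-<lv>, not /dev/mapper/<lv>
gen_fstab() {
    printf '/dev/mapper/%s-%s\t/\text4\tdefaults,errors=remount-ro\t0\t1\n' "$VG" "$LV"
}

# crypttab entry: same target name the PV was opened under, source by LUKS
# UUID (the disk may not be sda once the USB stick is gone); the Debian
# 'initramfs' option makes cryptsetup-initramfs include it in early boot.
gen_crypttab() {            # $1 = LUKS header UUID
    printf '%s\tUUID=%s\tnone\tluks,initramfs\n' "$MAPPER" "$1"
}

# Key derivation used by the LUKS header, read from `cryptsetup luksDump`
# on stdin.  GRUB can only unlock what its build supports (GRUB <= 2.12 does
# PBKDF2 only for LUKS2; argon2 needs a patched build), so print it first.
luks_pbkdf() {
    awk '$1 == "Version:" { ver = $2 }
         $1 == "PBKDF:"   { seen[$2] = 1 }
         END { if (ver == "1") print "pbkdf2"; else for (k in seen) print k }' | sort -u
}

# Constructed (trimmed) LUKS2 luksDump output for the demo branch below.
SAMPLE_LUKSDUMP='LUKS header information
Version:       	2
Epoch:         	3
Keyslots:
  0: luks2
	Key:        512 bits
	PBKDF:      argon2id
	Time cost:  4
	Memory:     1048576
	Threads:    4'

# ---- the destructive part ---------------------------------------------------
do_install() {
    lsblk "$DISK"
    printf 'This WIPES %s. Type the device path again to continue: ' "$DISK"
    read -r confirm
    [ "$confirm" = "$DISK" ] || { echo aborted; exit 1; }

    cryptsetup luksFormat "$DISK"          # whole disk: LUKS header at sector 0
    cryptsetup open "$DISK" "$MAPPER"
    pvcreate "/dev/mapper/$MAPPER"
    vgcreate "$VG" "/dev/mapper/$MAPPER"
    lvcreate -l 100%FREE -n "$LV" "$VG"
    mkfs.ext4 "/dev/$VG/$LV"

    mkdir -p "$TARGET"
    mount "/dev/$VG/$LV" "$TARGET"
    debootstrap --arch amd64 "$SUITE" "$TARGET" "$MIRROR"
    for d in dev proc sys; do               # into $TARGET/$d (not $TARGET/proc/sys)
        mount --rbind "/$d" "$TARGET/$d"
        mount --make-rslave "$TARGET/$d"
    done

    gen_fstab                                     > "$TARGET/etc/fstab"
    gen_crypttab "$(cryptsetup luksUUID "$DISK")" > "$TARGET/etc/crypttab"
    echo "LUKS PBKDF: $(cryptsetup luksDump "$DISK" | luks_pbkdf)"
    echo "Next: chroot $TARGET, install the packages as above, update-initramfs -u, update-grub"
}

case "${1:-}" in
    install) do_install ;;
    *) echo "fstab:";    gen_fstab
       echo "crypttab:"; gen_crypttab 1234abcd-0000-4000-8000-000000000000   # placeholder UUID
       echo "sample PBKDF: $(printf '%s\n' "$SAMPLE_LUKSDUMP" | luks_pbkdf)" ;;
esac
```

Run it without arguments to see the generated fstab and crypttab lines and the parsed PBKDF of the sample header; run it as ./fde-install.sh install (hypothetical file name) from the live system to perform the steps, then continue with the chroot commands above.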

That’s right! You are done. Libreboot's GRUB should find the encrypted disk automatically, ask for your passphrase, search the LVM volumes for grub.cfg and boot.

WARNING Libreboot releases BEFORE Luminous Lemon have a BROKEN setup for automatically locating and booting encrypted LVM volumes; the fix is the lbmk commit linked below.

https://libreboot.org/news/libreboot2506.html

https://codeberg.org/libreboot/lbmk/commit/e084b06dc767af37870b05139598b56a41872d1f

In an emergency, drop to the GRUB command line (press "c" in the menu). If GRUB has not asked for the passphrase yet, unlock the disk first with cryptomount -a, then load the config from inside the volume:

grub> configfile (lvm/grubcrypt-rootvol)/boot/grub/grub.cfg

Wait, why am I being asked for my password twice?

With this setup you are required to enter your passphrase twice.

GRUB unlocks the LUKS container in its own memory only to read the kernel and initramfs; that mapping does not survive the jump into Linux, so from the initramfs' perspective /dev/sda is encrypted again and cryptsetup has to ask once more.

There are ways to fix this (the usual one is a keyfile in a second LUKS keyslot, embedded in the initramfs, which here lives on the encrypted root), but that's out of scope for this guide.