<!DOCTYPE html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" /><meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." /><link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" /><a rel="me" href="https://fosstodon.org/@thegnuguy"></a><link type="text/css" href="css/footer.min.css" rel="stylesheet"></link><link type="text/css" href="css/header.min.css" rel="stylesheet"></link><link type="text/css" href="css/main.min.css" rel="stylesheet"></link><title>Libreboot Full Disk encryption on OpenBSD — GNUcode.me</title></head><body><header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="business-ideas.html">Business-ideas</a></li><li><a href="about.html">About</a></li></ul></nav></header><h1>Libreboot Full Disk encryption on OpenBSD</h1><main><section class="basic-section-padding"><article><h3>by Joshua Branson — March 30, 2023</h3><div><p>So I previously talked about my <a href="http://gnucode.me/installing-openbsd-on-a-vm.html">interest</a> <a href="http://gnucode.me/dual-booting-openbsd-guix-system.html">in OpenBSD</a>. Well, over the last week I
have been more and more impressed with OpenBSD, especially after watching
<a href="https://undeadly.org/cgi?action=article;sid=20230325163416">Theo’s recent talk</a>. I recently installed OpenBSD on my desktop, and I was
satisfied. There are some things that I knew how to do on GNU Guix that I do not
yet know how to do on OpenBSD. For example, there is a minor issue with the
sound being a bit wonky, but that is not a deal breaker.</p><p>A few days ago I switched to OpenBSD on my laptop. So now, with the exception of
my PinePhone, all of my computing devices are using OpenBSD. The OpenBSD
installer is getting support for auto-encrypting your hard drive, but I wanted to
document the manual set-up process in case I ever decide to set up RAID+encryption.
I do not believe the installer will support RAID+encryption anytime soon.</p><p>The real problem was trying to get Libreboot to even recognize the OpenBSD USB
installer stick. The best method to boot OpenBSD on Libreboot is to use the
SeaBIOS payload. I could NOT get this to work. I must have booted and rebooted
10+ times trying to get this to work. I even opened up a GRUB command line
prompt, and it could not SEE the USB stick. <a href="https://misc.openbsd.narkive.com/auaZDqBe/bsd-rd-fails-to-boot-up-on-libreboot-x200-how-to-find-out-why">Others have reported this problem.</a></p><p>In GRUB you can get a feel for what partitions are available via:</p><pre><code>grub> ls
(hd0) (hd0,msdos1)</code></pre><p>This seems to only show my GNU/Linux Guix System partition. That’s not a good
sign. There is another way to check. I can type the following
<code>set root=(hd0,msdos1)/</code></p><p>and then press TAB:</p><p>I was able to see <code>/bin</code>, <code>/boot</code>, <code>/etc</code>, etc. Going into <code>/var</code>, I saw
<code>guix/</code>. So clearly <code>hd0</code> is my current SSD that has GNU/Linux Guix System, and
GRUB and Libreboot did NOT see the OpenBSD USB stick. I kept rebooting, tried
searching for the OpenBSD stick, and finally the GRUB console showed me
something other than <code>(hd0,msdos1)</code>. I think I have to use the right-most USB
port. I think that is the secret.</p><p>Technically, <a href="https://notabug.org/swiftgeek/libreboot/src/master/docs/bsd/openbsd.md">GRUB can boot
OpenBSD</a>,
at least GRUB as packaged by Libreboot, but that is NOT advisable. And GRUB's
ability to boot OpenBSD may disappear at any moment. Seeing no other option, I
typed in this command to boot OpenBSD via GRUB:</p><pre><code>grub> kopenbsd (usb0)/7.2/amd64/bsd.rd
grub> boot</code></pre><p>And OpenBSD started booting! Woo hoo! At the OpenBSD installer I typed in “s”
to exit to the shell so that I could set up full disk encryption.</p><p>Before we get to the disk encryption, let me give a quick overview of how
OpenBSD sets up partitions. OpenBSD supports both MBR and GPT partition tables,
which divide the physical disk into sections. MBR is the old scheme and GPT is
the modern one; most people will want GPT on newer UEFI machines, so for the
rest of this blog post I will mostly talk about GPT. One caveat that matters
here: a Libreboot machine booting through SeaBIOS or GRUB is a legacy BIOS
system, so the <code>fdisk -iy</code> command used below writes an MBR;
<code>fdisk -iy -g -b 960</code> is the GPT variant you would use on a UEFI
machine. Modern operating systems all understand GPT. Linux puts each of its
filesystems into its own GPT partition, so on Linux a "partition" is both the
GPT partition and the filesystem that lives in it. Here's a handy graphic:</p><pre><code>|---------------+------------+----------------|
|               | Linux      |                |
|---------------+------------+----------------|
| GPT partition | filesystem | mount location |
|---------------+------------+----------------|
| /dev/sda1     | ext4       | /              |
| /dev/sda2     | btrfs      | /home          |
| /dev/sda3     | xfs        | /boot          |
| ...           | ...        | ...            |
| /dev/sda128   | vfat       | /boot/efi      |
|               |            |                |
| /dev/sdb1     | ext4       | /data          |
|---------------+------------+----------------|</code></pre><p>OpenBSD is a little different. It uses one big MBR or GPT partition of type
OpenBSD, and then it further splits up that one partition into filesystem
partitions, which can be examined and edited with
<a href="https://man.openbsd.org/disklabel">disklabel</a>. So in OpenBSD
<code>sd0</code> and <code>sd1</code> refer to the first and second disk, and each
disklabel partition is a letter appended to the disk name. <code>/dev/sd0c</code>
is special: it always covers the whole disk, it is not a real partition, and it
is never mounted (it is the raw device you write to when wiping the disk
below). <code>/dev/sd0a</code> by convention is the <code>/</code> partition,
<code>/dev/sd0b</code> is swap, and <code>d</code> through <code>p</code> are free
for any other mount point (a label holds at most 16 partitions, <code>a</code>
through <code>p</code>). disklabel assigns letters from <code>i</code> onward to
partitions of foreign types that it finds in the MBR or GPT, such as an EFI
system partition or a FAT-formatted USB stick. So "partition" in OpenBSD may
refer to the MBR/GPT partition or to a disklabel partition.</p><pre><code>|-------------------+-------------+----------------|
|                   | OpenBSD     |                |
|-------------------+-------------+----------------|
| MBR/GPT partition | disklabel   | mount location |
|                   | partition   |                |
|                   | (FFS)       |                |
|-------------------+-------------+----------------|
| sd0 OpenBSD part. | /dev/sd0a   | /              |
| sd0 OpenBSD part. | /dev/sd0b   | swap           |
| (whole disk)      | /dev/sd0c   | not mounted    |
| sd0 OpenBSD part. | /dev/sd0d   | /home          |
|                   | ...         |                |
| sd0 OpenBSD part. | /dev/sd0e   | /tmp           |
|                   |             |                |
| sd1 OpenBSD part. | /dev/sd1d   | /data          |
|-------------------+-------------+----------------|</code></pre><p>I would highly recommend the OpenBSD
<a href="https://www.openbsd.org/faq/faq14.html#intro">faq</a> page about this (as well as
the disklabel man page), which will also act as a more official version of this
blog post. Now on with the blog post!</p><p>Let’s figure out which drive is my USB stick, and which drive is my SSD with
Guix on it. Please note that I did not write the output of this command down.
Your output might look different.</p><pre><code>sysctl hw.disknames
hw.disknames=sd0:ec557d42f5cbfa41,sd1:</code></pre><p>I typed in the next two commands to try to get a feel for which drive was my
SSD.</p><pre><code>doas disklabel sd0
doas disklabel sd1</code></pre><p>I forget what the above commands output, but looking at the output I was able
to determine that <code>sd0</code> was my GNU/Linux Guix System. Now it was time to set up
<a href="https://www.openbsd.org/faq/faq14.html#softraidFDE">full disk encryption</a>.</p><pre><code>cd /dev && sh MAKEDEV sd0
dd if=/dev/urandom of=/dev/rsd0c bs=1m</code></pre><p>That second command took 8+ hours to complete. It wrote random data over the
whole SSD (<code>rsd0c</code> is the raw device for the entire disk). That way, if an
attacker ever stole my hard drive and examined it, they would not see:</p><p><code>00000000EncryptedData0000000EncryptedData000000</code></p><p>Instead they would see</p><p><code>RandomDataRandomDataRandomDataRandomDataRandomDataRandomData</code></p><p>where only the 2nd and 5th <code>RandomData</code> are actually my encrypted files. Trying
to figure out which is data and which is just random ones and zeros would be really
hard, because ciphertext and random bytes look alike. The fill hides how much of
the disk is in use; the confidentiality of the data itself comes from the
encryption. However, I should probably ask on <code>#openbsd</code> IRC to make sure that I
wrote the right command. Is there a way to search your raw hard drive for a
section of disk that is just 10,000 zeros?</p><p>Anyway, let’s partition the <code>sd0</code> drive and format it as a RAID. Random encrypted
data will go to <code>sd0</code>. The <code>bioctl</code> command below turns the RAID
partition <code>sd0a</code> into a softraid crypto volume and attaches it as a new
pseudo disk, <code>sd1</code> in my case. OpenBSD installs onto and reads files from
the unencrypted <code>sd1</code>, and everything written to it is encrypted and
stored on <code>sd0a</code>.</p><pre><code>fdisk -iy sd0
disklabel -E sd0
sd0> a a
offset: [64]
size: [ ... ] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q</code></pre><p><code>fdisk -iy</code> writes a fresh MBR with a single OpenBSD partition (this
machine boots through legacy BIOS), and <code>disklabel -E</code> opens the label
editor: <code>a a</code> adds partition <code>a</code>, the default offset is
accepted, <code>*</code> as the size takes all remaining space, and the FS type is
set to <code>RAID</code> so that <code>bioctl</code> will accept it.</p><p>This next command will ask you for a passphrase. The boot loader reads the
passphrase through the firmware's keyboard handling, which on this machine
means US QWERTY, before any keyboard-layout setting takes effect. If you use an
alternative keyboard layout, then build the passphrase from characters that sit
on the same keys in both layouts, such as the digits and the shifted symbols on
the number row. That way you can still type the passphrase at boot, even though
OpenBSD switches to your keyboard layout only after the encrypted volume has
been unlocked.</p><pre><code>bioctl -c C -l sd0a softraid0</code></pre><p><code>bioctl</code> prints the name of the new volume; it is the next free
<code>sd</code> device, so check its output rather than assuming <code>sd1</code>.
Now let’s set up <code>sd1</code>.</p><pre><code>cd /dev && sh MAKEDEV sd1
dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
exit</code></pre><p>This will return us to the main installer. The <code>dd</code> clears the first
megabyte of the new volume so that no stale partition table or label is found on
it. When the installer asks you which
hard drive to install OpenBSD on, I said <code>sd1</code>.</p><pre><code>[...]
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] sd1</code></pre><p>And that was that! I did a few things to set up <code>XFCE</code>, which I quickly
abandoned in favor of i3, and I was off to the races. Then I realized that my
full-disk decryption passphrase was pretty weak. Basically, because I use a
physical <a href="https://en.wikipedia.org/wiki/Dvorak_keyboard_layout">Dvorak keyboard
layout</a>, and OpenBSD uses
the standard <a href="https://en.wikipedia.org/wiki/QWERTY">QWERTY</a> layout when you type
in the password to decrypt the disk, my initial full disk encryption password
was just numbers. Now I wanted to change it to my normal password.</p><p>Apparently you can do so while the encrypted volume <a href="https://dev.to/nabbisen/openbsd-disk-encryption-change-passphrase-4i8l">is
mounted</a>!
I made sure that I changed the keyboard layout to the standard QWERTY when I typed in
the new passphrase.</p><pre><code>doas bioctl -P sd1   # I was using the Dvorak layout here</code></pre><p>In another terminal I typed in:</p><pre><code>setxkbmap -layout us</code></pre><p>Then I moved to the terminal that was asking me to change the full disk
encryption password.</p><pre><code>Old Passphrase:      # I typed in the numbers
New Passphrase:      # I typed in an awesome password
Confirm Passphrase:  # I typed it in again.</code></pre><p>Now let's get back to Dvorak:</p><pre><code>setxkbmap -layout dvorak</code></pre><p>That's better. I did have a great time the next day. I was hoping to
automatically mount my USB stick on boot. So I added this beauty to my
<code>/etc/fstab</code>.</p><p><code>sd2i /mnt/usb msdos rw 1 2</code></p><p>The next time I booted it threw me into a rescue shell with only <code>/</code> mounted.
That was a wild ride to fix, but I will explain how I fixed that next time!</p></div></article></section></main><footer><p>© 2020 Joshua Branson. The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is built with Haunt, a static site generator written in Guile Scheme. Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based on the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer></body>
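<p>A worked answer to the question raised earlier in the post, whether the raw drive can be searched for a section that is just 10,000 zero bytes after the <code>/dev/urandom</code> fill. This is an added example, not code from the post or from OpenBSD: a POSIX sh function built on <code>dd</code>, <code>od</code> and <code>awk</code>, which are all in the OpenBSD base system. It reports every run of at least MIN_RUN_BYTES zero bytes together with its byte offset, and can be pointed at a slice of the disk instead of the whole thing. The device name, the run length and the sample file in the comments are illustrative; reading <code>/dev/rsd0c</code> needs root.</p>

```sh
#!/bin/sh
# Added example (not from the post): scan a raw disk, partition or image file
# for long runs of zero bytes. After a full /dev/urandom fill, each byte is zero
# with probability 1/256, so a run of even a few hundred zeros is effectively
# impossible and any hit marks a region the fill did not reach.
#
# Usage: zero_runs DEVICE [MIN_RUN_BYTES] [SKIP_MiB] [COUNT_MiB]
#   doas sh -c '. ./zero_runs.sh; zero_runs /dev/rsd0c 10000'        # whole disk
#   doas sh -c '. ./zero_runs.sh; zero_runs /dev/rsd0c 10000 0 256'  # first 256 MiB
# Output: one line per qualifying run, e.g. "zero run of 20000 bytes at offset 3".
zero_runs() {
    dev=$1
    min=${2:-10000}
    skip=${3:-0}
    count=${4:-}
    base=$((skip * 1048576))   # byte offset of the first byte we read

    # dd reads the requested window in 1 MiB blocks (bs=1048576 is portable,
    # bs=1m is OpenBSD-only); od prints one hex byte per field and -v keeps
    # repeated lines instead of collapsing them to "*".
    if [ -n "$count" ]; then
        dd if="$dev" bs=1048576 skip="$skip" count="$count" 2>/dev/null
    else
        dd if="$dev" bs=1048576 skip="$skip" 2>/dev/null
    fi |
    od -An -v -tx1 |
    awk -v min="$min" -v base="$base" '
        # run   = length of the current run of 00 bytes
        # start = offset (relative to the window) where that run began
        # pos   = offset of the byte being examined
        function report() {
            if (run >= min)
                printf "zero run of %d bytes at offset %d\n", run, base + start
        }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "00") {
                    if (run == 0) start = pos
                    run++
                } else {
                    report()
                    run = 0
                }
                pos++
            }
        }
        END { report() }'
}
```

<p>Scanning a whole SSD this way is slow, because <code>od</code> formats every byte; sampling a few hundred MiB at the start, the middle and the end of the disk with the SKIP and COUNT arguments is usually enough to confirm that the fill ran to completion, and a scan of the whole device is the definitive check. Anything the function prints is a region that is not random.</p>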
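<p>The passphrase advice earlier in the post (use digits and the symbols on the number row, which land on the same keys under Dvorak and QWERTY) can be turned into a check before <code>bioctl -c C</code> or <code>bioctl -P</code> is run. This is an added example, not code from the post or from OpenBSD. <code>layout_safe</code> succeeds only when every character of the passphrase sits on the same key in US QWERTY and US Dvorak, <code>layout_unsafe_chars</code> lists the offenders, and <code>passphrase_bits</code> gives a naive upper bound on the passphrase's entropy from its length and the character classes it uses, which makes the weakness of a digits-only passphrase concrete. The invariant character set is my own key-by-key comparison of the two layouts and is an assumption of this example, not something the post states.</p>

```sh
#!/bin/sh
# Added example (not from the post): is a softraid passphrase typable on both
# US QWERTY (what the boot loader sees) and US Dvorak (what X is set to)?
#
# Assumption, from comparing the two layouts key by key: the only printable
# characters that sit on the same key in both are the digits, their shifted
# symbols, the letters a/m (and A/M), space, backtick/tilde and backslash/bar.
# tr(1) set syntax: 0-9 is a range, \\ is a literal backslash.
LAYOUT_INVARIANT='0-9!@#$%^&*()amAM `~\\|'

# layout_safe PASSPHRASE: exit 0 when every character is in the invariant set
layout_safe() {
    rest=$(printf '%s' "$1" | tr -d "$LAYOUT_INVARIANT")
    [ -z "$rest" ]
}

# layout_unsafe_chars PASSPHRASE: print the characters that would move between layouts
layout_unsafe_chars() {
    printf '%s' "$1" | tr -d "$LAYOUT_INVARIANT"
}

# passphrase_bits PASSPHRASE: naive upper bound on entropy, floor(len * log2(N)),
# where N is the size of the union of the character classes actually used
# (digits 10, letters 52, other printable ASCII 33). This assumes every
# character was drawn uniformly from that alphabet, so real passphrases are
# weaker than the number printed; a 10-digit passphrase is at most ~33 bits.
passphrase_bits() {
    [ -z "$1" ] && { echo 0; return 0; }
    printf '%s' "$1" | awk '
        {
            n = length($0)
            for (i = 1; i <= n; i++) {
                c = substr($0, i, 1)
                if (c ~ /[0-9]/)         d = 10
                else if (c ~ /[A-Za-z]/) l = 52
                else                     o = 33
            }
            printf "%d\n", int(n * log(d + l + o) / log(2))
        }'
}
```

<p>A passphrase that passes <code>layout_safe</code> but scores low in <code>passphrase_bits</code> is the trap the post describes: the numbers-only passphrase typed at install time. Either pick a long invariant-only passphrase, or do what the post does and set the X layout to <code>us</code> while running <code>bioctl -P</code> so a full QWERTY passphrase can be entered the same way at boot.</p>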