<!DOCTYPE html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" />
<meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." />
<link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" />
<a rel="me" href="https://fosstodon.org/@thegnuguy"></a>
<link type="text/css" href="css/footer.min.css" rel="stylesheet"></link>
<link type="text/css" href="css/header.min.css" rel="stylesheet"></link>
<link type="text/css" href="css/main.min.css" rel="stylesheet"></link>
<title>Libreboot Full Disk encryption on OpenBSD — GNUcode.me</title>
</head>
<body>
<header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="business-ideas.html">Business-ideas</a></li><li><a href="about.html">About</a></li></ul></nav></header>
<h1>Libreboot Full Disk encryption on OpenBSD</h1>
<main><section class="basic-section-padding"><article>
<h3>by Joshua Branson — March 30, 2023</h3>
<div>
<p>So I previously talked about my <a href="http://gnucode.me/installing-openbsd-on-a-vm.html">interest</a> <a href="http://gnucode.me/dual-booting-openbsd-guix-system.html">in OpenBSD</a>. Well, over the last week I
have been more and more impressed with OpenBSD, especially after watching
<a href="https://undeadly.org/cgi?action=article;sid=20230325163416">Theo’s recent talk</a>. I recently installed OpenBSD on my desktop, and I was
satisfied. There are some things that I knew how to do on GNU Guix that I do not
yet know how to do on OpenBSD. For example, there is a minor issue with the
sound being a bit wonky, but that is not a deal breaker.</p>
<p>A few days ago I switched to OpenBSD on my laptop. So now, with the exception of
my PinePhone, all of my computing devices are using OpenBSD. The OpenBSD
installer is getting support for auto-encrypting your hard drive, but I wanted to
document the manual setup process in case I ever decide to set up RAID+encryption.
I do not believe the installer will support RAID+encryption anytime soon.</p>
<p>The real problem was trying to get libreboot to even recognize the OpenBSD USB
installer stick. The best method to boot OpenBSD on libreboot is to use the
SeaBIOS payload. I could NOT get this to work. I must have booted and rebooted
10+ times trying to get this to work. I even opened up a grub command line
prompt, and it could not SEE the USB stick. <a href="https://misc.openbsd.narkive.com/auaZDqBe/bsd-rd-fails-to-boot-up-on-libreboot-x200-how-to-find-out-why">Others have reported this problem.</a></p>
<p>In grub you can get a feel for what partitions are available via:</p>
<pre><code>grub&gt; ls
(hd0) (hd0,msdos1)</code></pre>
<p>This seems to only show my GNU/Linux Guix System partition. That’s not a good
sign. There is another way to check. I can type out the following
<code>set root=(hd0,msdos1)/</code></p>
<p>and then press TAB:</p>
<p>I was able to see <code>/bin</code>, <code>/boot</code>, <code>/etc</code>, etc. Going into <code>/var</code>, I saw
<code>guix/</code>. So clearly <code>hd0</code> is my current SSD that has GNU/Linux Guix System. And
grub and libreboot did NOT see the OpenBSD USB stick. I kept rebooting, tried
searching for the OpenBSD stick, and finally the grub console showed me
something other than <code>(hd0,msdos1)</code>. I think I have to use the right-most USB
port. I think that is the secret.</p>
<p>Technically, <a href="https://notabug.org/swiftgeek/libreboot/src/master/docs/bsd/openbsd.md">grub can boot
OpenBSD</a>,
at least grub as packaged by Libreboot, but that is NOT advisable. And grub's
ability to boot OpenBSD may disappear at any moment. Seeing no other option, I
typed in this command to boot OpenBSD via grub:</p>
<pre><code>grub&gt; kopenbsd (usb0)/7.2/amd64/bsd.rd
grub&gt; boot</code></pre>
<p>And OpenBSD started booting! Woo hoo! At the OpenBSD installer I typed in “s”
to exit to the shell so that I could set up full disc encryption.</p>
<p>Before we get to the disc encryption, let me give a quick overview of how
OpenBSD sets up partitions. OpenBSD supports both MBR and GPT partitions, which
divide the physical disc into sections (MBR is old; GPT is the modern way to do
it, and most people will want GPT on newer machines, so for the rest of this blog
post I will just talk about GPT). All operating systems recognize and use GPT
partitions. Linux will install its filesystem partitions into separate GPT
partitions, which means that a &quot;partition&quot; in Linux means both the GPT
partition and the filesystem partition. Here's a handy graphic:</p>
<pre><code>|---------------+-------------+----------------|
|               | Linux       |                |
|---------------+-------------+----------------|
| GPT partition | filesystem  | mount location |
|               | partition   |                |
|---------------+-------------+----------------|
| /dev/sda1     | ext4        | /              |
| /dev/sda2     | btrfs       | /etc           |
| /dev/sda3     | xfs         | /boot          |
| ...           | ...         | ...            |
| /dev/sda128   | vfat        | /boot/efi      |
|               |             |                |
| /dev/sdb1     | ext4        | /data          |
|---------------+-------------+----------------|</code></pre>
<p>OpenBSD is a little different. It uses one big GPT partition, and then it
further splits up that one big GPT partition into filesystem partitions, which
can be examined via <a href="https://man.openbsd.org/disklabel">disklabel</a>. So in
OpenBSD <code>sd0</code> and <code>sd1</code> refer to the first and second hard drive. <code>/dev/sd0c</code>
refers to the one big GPT partition and <code>/dev/sd0a</code> by convention is the <code>/</code>
partition. <code>/dev/sd0b</code> is swap by convention and <code>d</code> through <code>p</code> could refer to
any other arbitrary mount point. So &quot;partition&quot; in OpenBSD may refer to the GPT
partition or the filesystem partitions.</p>
<pre><code>|---------------+-------------+----------------|
|               | OpenBSD     |                |
|---------------+-------------+----------------|
| GPT partition | filesystem  | mount location |
|               | partition   |                |
|               | (FFS)       |                |
|---------------+-------------+----------------|
| /dev/sd01     | /dev/sd0a   | /              |
| /dev/sd01     | /dev/sd0b   | swap           |
| /dev/sd01     | /dev/sd0c   | not mounted    |
| /dev/sd01     | /dev/sd0d   | /home          |
|               | ...         |                |
| /dev/sd01     | /dev/sd0e   | /tmp           |
|               |             |                |
| /dev/sd11     | /dev/sd1i   | /data          |
|---------------+-------------+----------------|</code></pre>
<p>I would highly recommend the OpenBSD
<a href="https://www.openbsd.org/faq/faq14.html#intro">faq</a> page about this (as well as
the disklabel man page), which will also act as a more official version of this
blog post. Now on with the blog post!</p>
<p>Let’s figure out which drive is my USB stick, and which drive is my SSD with
Guix on it. Please note that I did not write the output of this command down.
Your output might look different.</p>
<pre><code>sysctl hw.disknames
hw.disknames=sd0:ec557d42f5cbfa41,sd1:</code></pre>
<p>I typed in the next two commands to try to get a feel for which drive was my
SSD.</p>
<pre><code>doas disklabel sd0
doas disklabel sd1</code></pre>
<p>I forget what the above commands output, but looking at the output I was able
to determine that <code>sd0</code> was my GNU/Linux Guix System. Now it was time to set up
<a href="https://www.openbsd.org/faq/faq14.html#softraidFDE">full disc encryption</a>.</p>
<pre><code>cd /dev &amp;&amp; sh MAKEDEV sd0
dd if=/dev/urandom of=/dev/rsd0c bs=1m</code></pre>
<p>That second command took 8+ hours to complete. It wrote random data on the
whole SSD. That way, if an attacker ever stole my hard drive, when they
examined my hard drive, they would not see:</p>
<p><code>00000000EncryptedData0000000EncryptedData000000</code></p>
<p>Instead they would see</p>
<p><code>RandomDataRandomDataRandomDataRandomDataRandomDataRandomData</code></p>
<p>where only the 2nd and 5th <code>RandomData</code> are actually my encrypted files. Trying
to figure out what is data and what is just random ones and zeros would be really
hard. However, I should probably ask on <code>#openbsd</code> IRC to make sure that I
wrote the right command. Is there a way to search your raw hard drive for a
section of disc that is just 10,000 zeros?</p>
<p>Anyway, let’s partition the <code>sd0</code> drive and format it as a RAID. Random encrypted
data will go to <code>sd0</code>. OpenBSD will read files from the unencrypted <code>sd1</code>,
which will be encrypted and stored on <code>sd0</code>.</p>
<pre><code>fdisk -iy sd0
disklabel -E sd0
sd0&gt; a a
size: [ ... ] *
FS type: RAID
sd0&gt; w
sd0&gt; q</code></pre>
<p>This next command will ask you for a passphrase. If you use an alternative
keyboard layout, then make your passphrase use numbers and special characters on
the 1-9 section. That way you can still type in the secret password on boot,
because OpenBSD changes your keyboard layout after you unlock your encrypted
volumes.</p>
<pre><code>bioctl -c C -l sd0a softraid0</code></pre>
<p>Now let’s set up <code>sd1</code>.</p>
<pre><code>cd /dev &amp;&amp; sh MAKEDEV sd1
dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
exit</code></pre>
<p>This will return us to the main installer. When the installer asks you which
hard drive to install OpenBSD on, I said <code>sd1</code>.</p>
<pre><code>[...]
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] sd1</code></pre>
<p>And that was that! I did a few things to set up <code>XFCE</code>, which I quickly
abandoned in favor of i3, and I was off to the races. Then I realized that my
full-disk decryption passphrase was pretty weak. Basically, because I use a
physical <a href="https://en.wikipedia.org/wiki/Dvorak_keyboard_layout">Dvorak keyboard
layout</a>, and OpenBSD uses
the standard <a href="https://en.wikipedia.org/wiki/QWERTY">QWERTY</a> layout when you type
in the password to decrypt the disk, my initial full disk encryption password
was just numbers. Now I wanted to change it to my normal password.</p>
<p>Apparently you can do so while the encrypted volume <a href="https://dev.to/nabbisen/openbsd-disk-encryption-change-passphrase-4i8l">is
mounted</a>!
I made sure that I changed the keyboard layout to the standard QWERTY when I typed in
the new passphrase.</p>
<pre><code>doas bioctl -P sd1 # I was using the dvorak layout here</code></pre>
<p>In another terminal I typed in:</p>
<pre><code>setxkbmap -layout us</code></pre>
<p>Then I moved to the terminal that was asking me to change the full disk
encryption password.</p>
<pre><code>Old Passphrase: # I typed in the numbers
New Passphrase: # I typed in an awesome password
Confirm Passphrase: # I typed it in again.</code></pre>
<p>Now let's get back to Dvorak:</p>
<pre><code>setxkbmap -layout dvorak</code></pre>
<p>That's better. I did have a great time the next day. I was hoping to
automatically mount my USB stick on boot. So I added this beauty to my
<code>/etc/fstab</code>.</p>
<p><code>sd2i /mnt/usb msdos rw 1 2</code></p>
<p>The next time I booted it threw me into a rescue shell with only <code>/</code> mounted.
That was a wild ride to fix, but I will explain how I fixed that next time!</p>
</div></article></section></main>
<footer><p>© 2020 Joshua Branson. The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is built with Haunt, a static site generator written in Guile Scheme. Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based off of the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer>
</body>
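<p>The question raised in the post about searching a raw disk for a long run of zeros can be answered with two tools that are present in the OpenBSD installer shell. The script below is an added example, not from the original post: it reads a file or raw device with <code>od</code> and counts the longest run of consecutive NUL bytes in <code>awk</code>, which is what an interrupted or mis-targeted <code>dd if=/dev/urandom</code> pass would leave behind. The function names and the 10,000-byte threshold are my choices; the device name <code>/dev/rsd0c</code> is the one the post wipes.</p>

```shell
# Added example (not from the original post): look for long runs of NUL bytes
# in a raw device or disk image, which is what an incomplete "dd if=/dev/urandom"
# pass leaves behind. Only od and awk are used, so it works from the OpenBSD
# installer shell. Function names and the threshold below are my own choices.

# longest_zero_run FILE
# Prints "LENGTH OFFSET": the longest run of consecutive 0x00 bytes in FILE and
# the byte offset where it starts (OFFSET is -1 when FILE contains no zero byte).
longest_zero_run() {
    # -v keeps od from collapsing repeated lines into "*"; -tu1 prints one
    # unsigned decimal per byte, so awk can compare each field with 0.
    od -An -v -tu1 "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == 0) {
                    run++
                    if (run > best) { best = run; start = pos - run + 1 }
                } else {
                    run = 0
                }
                pos++
            }
        }
        END { printf "%d %d\n", best, (best > 0 ? start : -1) }'
}

# check_wiped FILE THRESHOLD
# Exit 0 when FILE has no run of THRESHOLD or more zero bytes (the random fill
# covered it); exit 1 and report where the longest run sits otherwise.
check_wiped() {
    if [ ! -r "$1" ]; then
        printf 'ERROR: cannot read %s\n' "$1"
        return 2
    fi
    set -- "$1" "$2" $(longest_zero_run "$1")
    if [ "$3" -ge "$2" ]; then
        printf 'FAIL: %s has %d consecutive zero bytes starting at offset %d (threshold %d)\n' "$1" "$3" "$4" "$2"
        return 1
    fi
    printf 'OK: longest zero run in %s is %d bytes (threshold %d)\n' "$1" "$3" "$2"
}

# Usage against the device wiped in the post (this reads the whole input, so on
# a real disk copy a sample with dd first and check the sample):
#   check_wiped /dev/rsd0c 10000
```

<p>On a whole SSD this is a full sequential read and correspondingly slow, so copy a sample first, for example <code>dd if=/dev/rsd0c of=/tmp/sample bs=1m count=64</code>, and run <code>check_wiped /tmp/sample 10000</code> on it. A disk that was filled from <code>/dev/urandom</code> reports a longest zero run of only a few bytes; a disk that was only partly overwritten fails as soon as the sample covers an untouched region.</p>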
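<p>The layout trap described in the post (a passphrase chosen on a Dvorak keyboard, later typed into a console that assumes QWERTY) can be checked before the passphrase is set. This script is an added example, not from the original post: it maps each character to the character on the same physical key under US QWERTY, so you can see what the boot-time prompt would actually receive, and <code>layout_safe</code> reports whether a candidate reads the same under both layouts (digits, space and the shifted number-row symbols do; <code>a</code> and <code>m</code> happen to as well). The key tables assume the standard US QWERTY and US Dvorak layouts; the function names are mine.</p>

```shell
# Added example (not from the original post): predict what a QWERTY-mapped
# console receives when keys are pressed by their Dvorak labels, and test
# whether a passphrase is the same under both layouts. Key tables are the
# standard US QWERTY and US Dvorak layouts (an assumption about your keyboard);
# the function names are my own.

# Physical keys in the same order for both layouts, unshifted: top row, home
# row, bottom row, then the two number-row keys that differ (QWERTY -= is
# Dvorak []).
QWERTY_KEYS="qwertyuiop[]asdfghjkl;'zxcvbnm,./-="
DVORAK_KEYS="',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz[]"
# Unshifted punctuation and its Shift variant, in matching order.
SHIFT_FROM=";',./[]-="
SHIFT_TO=':"<>?{}_+'

# dvorak_to_qwerty TEXT
# Prints the characters a QWERTY console sees for TEXT typed by Dvorak labels.
# Digits, space and the number-row symbols (!@#$%^&*()) are on the same keys in
# both layouts and pass through unchanged.
dvorak_to_qwerty() {
    printf '%s' "$1" | awk -v from="$DVORAK_KEYS" -v to="$QWERTY_KEYS" \
                           -v sfrom="$SHIFT_FROM" -v sto="$SHIFT_TO" '
        function map_char(c,    lc, shifted, p, q, sp, sq) {
            lc = tolower(c)
            shifted = (lc != c)                # uppercase letter
            if (!shifted) {
                sp = index(sto, c)             # shifted punctuation such as ? or "
                if (sp > 0) { shifted = 1; lc = substr(sfrom, sp, 1) }
            }
            p = index(from, lc)
            if (p == 0) return c               # same key under both layouts
            q = substr(to, p, 1)
            if (!shifted) return q
            if (q ~ /[a-z]/) return toupper(q)
            sq = index(sfrom, q)               # re-apply Shift to the QWERTY key
            return (sq > 0) ? substr(sto, sq, 1) : q
        }
        {
            out = ""
            for (i = 1; i <= length($0); i++) out = out map_char(substr($0, i, 1))
            print out
        }'
}

# layout_safe TEXT
# Exit 0 when TEXT reads the same whether the console thinks the keyboard is
# QWERTY or Dvorak, so it can be typed at the boot prompt under either.
layout_safe() {
    [ "$(dvorak_to_qwerty "$1")" = "$1" ]
}

# Example: "hello" typed by Dvorak labels arrives at a QWERTY console as "jdpps".
#   dvorak_to_qwerty hello
#   layout_safe 'am 42' && echo same under both layouts
```

<p>Try it with throwaway strings rather than the passphrase you intend to use, since command-line arguments are visible to other users through <code>ps</code> and end up in shell history. The check is only as good as the key tables: if you use a national variant of either layout, adjust <code>QWERTY_KEYS</code> and <code>DVORAK_KEYS</code> (and the Shift pairs) to match.</p>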