#140 RAID support for FDE + /Boot

Closed
opened 1 year ago by FrostMoth · 3 comments
FrostMoth commented 1 year ago

This also interests me, as this might be yet another reason some might shy away from FDE + /boot encryption.

If it already exists, I haven't seen how to do it, but this does interest me.


Hi, I'd like to chime in on this.

I've successfully set up an mdadm RAID1 with FDE and Debian 11 on my laptop. The Libreboot GRUB-config will automatically open the md-devices with cryptomount and ask for a password.

The only issue you're facing is that Debian (and I assume most other distributions currently) will use Luks2 for encryption by default, which uses Argon2-keys while GRUB 2 only supports PBKDF2-keys.

This means you either have to downgrade the encrypted `/boot` or single `/` partition to Luks1 (by booting a live system and executing `cryptsetup convert --type luks1 (/boot-device)`) or add a PBKDF2-keyslot for GRUB to open.

This is a GRUB/distro issue and can't really be "fixed" in any way without a complete manual install, I assume (unless GRUB adds native Argon2 support). coreboot and Libreboot GRUB payloads are already built with cryptodisk-support, so there's no limitation on that end.

For your reference, I set up my devices in the following way:

```
/dev/sda
  /dev/sda1
    -/dev/md0  /boot  (Luks1)
  /dev/sda2
    -/dev/md1  /      (Luks2)
/dev/sdb
  /dev/sdb1
    -/dev/md0  /boot  (Luks1)
  /dev/sdb2
    -/dev/md1  /      (Luks2)
```

This is using a swapfile on Ext4 exclusively. I'm not sure if it is possible to unlock the entire drives from GRUB and load a Btrfs RAID1 with a separate swap-partition. That would be another interesting setup, but I haven't tried it yet.

You can later add keyfiles to `/etc/crypttab` to automatically unlock `/boot` again in Linux, so you don't have to enter your boot-password twice.

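A small helper for the check the comment above implies, added here as an example and not part of the original thread or of Libreboot: it parses `cryptsetup luksDump` output for the `/boot` md device and reports whether the header is Luks1, or Luks2 with at least one PBKDF2 keyslot that GRUB can open, or Luks2 with only Argon2 keyslots. The dump text is a constructed sample, not captured from a real device.

```shell
#!/bin/sh
# Constructed sample of `cryptsetup luksDump /dev/md0` (LUKS2, two keyslots).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
'
# Constructed sample where every keyslot uses Argon2 (the Debian default).
ARGON2_ONLY_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
'

# Print the LUKS header version (1 or 2).
luks_version() { printf '%s\n' "$1" | awk '/^Version:/ { print $2 }'; }

# Print the numbers of LUKS2 keyslots whose PBKDF is pbkdf2 (the only
# kind GRUB's cryptomount can derive a key for).
grub_openable_slots() {
  printf '%s\n' "$1" | awk '
    /^  [0-9]+: luks/ { slot = $1; sub(":", "", slot) }
    /^ *PBKDF:/       { if ($2 == "pbkdf2") print slot }
  '
}

# Classify a header dump: luks1 | luks2-ok | luks2-argon2-only | unknown.
# luks2-argon2-only means GRUB cannot unlock it; fix with either
#   cryptsetup luksAddKey --pbkdf pbkdf2 /dev/md0     (add a GRUB-openable slot)
# or convert to Luks1, which only succeeds once every slot is PBKDF2:
#   cryptsetup convert --type luks1 /dev/md0
boot_header_status() {
  case "$(luks_version "$1")" in
    1) echo luks1 ;;
    2) if [ -n "$(grub_openable_slots "$1")" ]; then echo luks2-ok
       else echo luks2-argon2-only; fi ;;
    *) echo unknown ;;
  esac
}

boot_header_status "$SAMPLE_DUMP"        # luks2-ok
boot_header_status "$ARGON2_ONLY_DUMP"   # luks2-argon2-only
```

On a live system, feed it the real dump: `boot_header_status "$(cryptsetup luksDump /dev/md0)"` (run as root).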
FrostMoth commented 1 year ago
Poster

@ThomasPundit

Funny thing, Hyperbola is mostly a manual install already, regarding their purpose...

DIY, etc...

:)

Btw, glad you brought up argon2, as I wondered if luks2 algorithms could be used in luks1, or if luks2 can be made stable for specific use cases.

This being said, I cannot actually do much with this as of now, because one of my main laptops has Heads and... X200 doesn't as of now have a Heads-like option. That I know of anyhow.

Would be nice to have a Heads-like approach for libreboot devices. Pity Nitrokey doesn't seem to plan to do this, as of now anyhow.

Might also not be feasible for the time being anyhow. Can't say for sure tho.

This all being said, and I know it is A LOT, the problem I think that makes things hard for stuff like FDE + /Boot + RAID is very simple:

Bloatware

And if you want to know more about bloatware, look up any distro that uses dbus as a mandatory dependency and you will find plenty of it.

This I can assure you.

Btw, I am fully aware almost no distros exclude that trash.

You would have to find something like KissLinux, Hyperbola, or similar to escape those bloated thorns.

And that's before I mention other similar and possibly worse garbage.

xD

Leah Rowe commented 1 year ago
Owner

this is not a bug, as grub has never had fully working luks2 support yet, and it's possible to just boot a linux kernel off of non-encrypted /boot or put /boot on a luks1 setup

closing, as there is nothing to be done here

i have some patches for grub i need to review, but i'll just push these when i have something ready
