Received: (at 49654) by debbugs.gnu.org; 22 Jul 2021 19:16:58 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jul 22 15:16:58 2021 Received: from localhost ([127.0.0.1]:41647 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1m6eBm-00074T-28 for submit <at> debbugs.gnu.org; Thu, 22 Jul 2021 15:16:58 -0400 Received: from mx1.dismail.de ([78.46.223.134]:10733) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <jbranso@HIDDEN>) id 1m6eBh-0006vR-3O for 49654 <at> debbugs.gnu.org; Thu, 22 Jul 2021 15:16:56 -0400 Received: from mx1.dismail.de (localhost [127.0.0.1]) by mx1.dismail.de (OpenSMTPD) with ESMTP id 9c27a7e6; Thu, 22 Jul 2021 21:16:45 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h= mime-version:date:content-type:content-transfer-encoding:from :message-id:subject:to:cc:in-reply-to:references; s=20190914; bh=OGMWAc9kFMzUzgYAyNOdZfZw1thdjSixIR4QP1J9fNk=; b=mC7GrRwn1nXz fffNlojeB5RhhUxVx5pQhzcMyhl4B2701KV6HT60CxoRNj9yt8N2bcz35Gd24x47 4DdDD4v1NspJ15A8Zc8XEepDrtZsKf6QFr7yPIYW6mB9MOVhmqaCtdcVxsR7v551 DVEkcZWEvdHb0ay/Muhn4+C6yKQ+Rl/E51cBE8Lul5zxOmVBr/oKWEd51BTgbjyd iFAyG4B169ZFhnf4hMcw4+9kzM5A4VoGeNlemRUA521JW++hf6qQr5J0Z8rhECar eSmWgLDbP9ccfNGxj4520AWieXLkGzYxqU1iffswKOK/a80L4gQ4Mq0k23Gf2LDp BpjhtvDAAA== Received: from smtp2.dismail.de (<unknown> [10.240.26.12]) by mx1.dismail.de (OpenSMTPD) with ESMTP id 622959ff; Thu, 22 Jul 2021 21:16:45 +0200 (CEST) Received: from smtp2.dismail.de (localhost [127.0.0.1]) by smtp2.dismail.de (OpenSMTPD) with ESMTP id d51b8060; Thu, 22 Jul 2021 21:16:45 +0200 (CEST) Received: by dismail.de (OpenSMTPD) with ESMTPSA id baede6cc (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Thu, 22 Jul 2021 21:16:44 +0200 (CEST) MIME-Version: 1.0 Date: Thu, 22 Jul 2021 19:16:44 +0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Mailer: RainLoop/1.14.0a From: jbranso@HIDDEN Message-ID: <2a373bf54c17a11a37ab8f2ca86ef07f@HIDDEN> Subject: Re: bug#49654: [PATCH] doc: Add full disc encryption guide to the cookbook To: "Sarah Morgensen" <iskarian@HIDDEN> In-Reply-To: <86tukns2mc.fsf@HIDDEN> References: <86tukns2mc.fsf@HIDDEN> <20210720052229.15438-1-jbranso@HIDDEN> X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 49654 Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.7 (-) July 21, 2021 6:50 PM, "Sarah Morgensen" <iskarian@HIDDEN> wrote:=0A=0A= > Hello Joshua, Raghav,=0A> =0A> Good to see more guides like this. In ad= dition to what others have=0A> already pointed out, I've got few readabil= ity suggestions, reading this as a=0A> layperson :) (Questions are intent= ended to be rhetorical, to illustrate=0A> where a layperson might have qu= estions or be confused.)=0A =0AThanks so much for you proof-reading! I'l= l update and push a new patch!=0A =0A> Also, consider referencing relevan= t sections of the manual, such as=0A> =0A> https://guix.gnu.org/manual/en= /html_node/Manual-Installation.html=0A> =0A> so users know where to find = more detailed information.=0A =0AThat is an awesome idea! I will do so!= =0A=0A> Hope that helps,=0A> Sarah
guix-patches@HIDDEN:bug#49654; Package guix-patches.
Full text available.
Received: (at 49654) by debbugs.gnu.org; 21 Jul 2021 22:50:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jul 21 18:50:53 2021
Received: from localhost ([127.0.0.1]:38940 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1m6L38-0003Jl-6a
for submit <at> debbugs.gnu.org; Wed, 21 Jul 2021 18:50:53 -0400
Received: from out1.migadu.com ([91.121.223.63]:33020)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <iskarian@HIDDEN>) id 1m6L34-0003JZ-3L
for 49654 <at> debbugs.gnu.org; Wed, 21 Jul 2021 18:50:44 -0400
X-Report-Abuse: Please report any abuse attempt to abuse@HIDDEN and
include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mgsn.dev; s=key1;
t=1626907840;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=+RIUt6vvVIvG012FhCwQqkdqLCo51wrvZniSYGWunWI=;
b=QUZ/rvFPZGFk2ltjJOIRUbuLV5Zk9zCxEL/Cm0JYSYdiOsgl6vXJhEBiD4W3eI6SlEM6Fu
/YCalaDuOiQpil5bXH1EjtEJsKKz7Y6GF8jUObSZMvaf+Fg5EoNr4iEl2WHWcVF/K0/FM5
Ek3gRy824pLppsY/eaG8CL36IRwmJwo=
From: Sarah Morgensen <iskarian@HIDDEN>
To: Joshua Branson <jbranso@HIDDEN>
Subject: Re: bug#49654: [PATCH] doc: Add full disc encryption guide to the
cookbook
References: <20210720052229.15438-1-jbranso@HIDDEN>
Date: Wed, 21 Jul 2021 15:50:35 -0700
In-Reply-To: <20210720052229.15438-1-jbranso@HIDDEN> (Joshua Branson's
message of "Tue, 20 Jul 2021 01:22:24 -0400")
Message-ID: <86tukns2mc.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
X-Migadu-Auth-User: iskarian@HIDDEN
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 49654
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Hello Joshua, Raghav,
Good to see more guides like this. In addition to what others have
already pointed out, I've got few readability suggestions, reading this as a
layperson :) (Questions are intentended to be rhetorical, to illustrate
where a layperson might have questions or be confused.)
Joshua Branson <jbranso@HIDDEN> writes:
> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@HIDDEN=
me>
> and edited by Joshua Branson <jbranso@HIDDEN>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 724 insertions(+)
>
> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
> index 2e627ecc51..ef8f3425d6 100644
> --- a/doc/guix-cookbook.texi
> +++ b/doc/guix-cookbook.texi
> @@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
> Copyright @copyright{} 2020 Andr=C3=A9 Batista@*
> Copyright @copyright{} 2020 Christopher Lemmer Webber
> Copyright @copyright{} 2021 Joshua Branson@*
> +Copyright @copyright{} 2021 Raghav Gururajan@*
>=20=20
> Permission is granted to copy, distribute and/or modify this document
> under the terms of the GNU Free Documentation License, Version 1.3 or
> @@ -1358,6 +1359,7 @@ reference.
> * Customizing the Kernel:: Creating and using a custom Linux kerne=
l on Guix System.
> * Guix System Image API:: Customizing images to target specific p=
latforms.
> * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
> +* Guix System with Full Disk Encryption:: Guix System with Full Disk =
Encryption
> * Customizing a Window Manager:: Handle customization of a Window manage=
r on Guix System.
> * Running Guix on a Linode Server:: Running Guix on a Linode Server
> * Setting up a bind mount:: Setting up a bind mount in the file-systems =
definition.
> @@ -1938,6 +1940,728 @@ For more specific information about NetworkManage=
r and wireguard
> @uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkman=
ager/,see
> this post by thaller}.
>=20=20
> +@node Guix System with Full Disk Encryption
> +@section Guix System with Full Disk Encryption
> +@cindex libreboot, full disk encryption
> +
> +Guix System is an exotic distribution of GNU/Linux operating system,
^ the
> +with Guix as package/system manager, Linux-Libre as kernel and
> +Shepherd as init system.
> +
> +Libreboot is a de-blobbed distribution of Coreboot firmware. By
> +default, Libreboot comes with GRUB bootloader as a payload.
> +
> +The objective of this manual is to provide step-by-step guide for
^ a
> +setting up Guix System (stand-alone Guix), with Full Disk
^ You already defined Guix System above
> +Encryption (FDE), on devices powered by Libreboot.
> +
> +Any users, for their generalized use cases, need not stumble away from
> +this guide to accomplish the setup. Advanced users, for deviant use
> +cases, will have to explore outside this guide for customization;
> +although this guide provides information that is of paramount use.
Above paragraph does not add useful information and the tone does not
match the rest of the Cookbook. (Sorry!)
> +
> +Let us begin!
> +
> +@menu
> +* Create Boot-able USB::
^ Bootable
> +* Installing and Setup::
> +* Tweaking Libreboot's Grub Payload::
> +* Closing Thoughts::
> +* Special Thanks::
> +@end menu
> +
> +@node Create Boot-able USB
> +@subsection Create Boot-able USB
Likewise.
> +
> +In the current GNU+Linux system, open terminal as root user.
"open a terminal as root" or "open a terminal as the root user"
> +
> +Insert USB drive and get the device letter @code{/dev/sdX}, where =E2=80=
=9CX=E2=80=9D is the
> +device letter.
What USB drive? This is the first I've heard of it! Do I need to make
sure it's a specific kind? Is it okay if there's important information
on there that I haven't backed up?
Also note that while usually the device identifier will be 'sdX' this is
not guaranteed; sometimes you'll see 'hdX' or 'mmcblkX'.
> +
> +@example
> +lsblk --list
> +@end example
> +
> +@example
> +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
> +sda 8:0 0 223.6G 0 disk
> +sda1 8:1 0 2M 0 part
> +sda2 8:2 0 3.7G 0 part
> +sda3 8:3 0 219.9G 0 part /
> +zram0 251:0 0 512M 0 disk [SWAP]
> +@end example
Why are these separate examples? IMO it would be more clear (and is the
usual style in such guides) to combine them and simply add '$ ' to the
beginning of any line that is a command the user should run.
> +
> +
> +Just in case the device is auto-mounted, unmount the device.
> +
> +@example
> +umount /dev/sdX --verbose
> +@end example
> +
> +Download the Guix System ISO installer package and it=E2=80=99s GPG sign=
ature;
^ its
> +where @code{A.B.C} is the version number and @code{SSS} is the system
> +architecture.
> +
> +@example
> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SS=
S-linux.iso.xz
> +wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SS=
S-linux.iso.xz.sig
> +@end example
> +
> +Import the Guix's public key.
^ "the Guix" or "Guix's"
> +
> +@example
> +gpg --verbose --keyserver pool.sks-keyservers.net =E2=80=93-receive-keys=
3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> +@end example
> +
> +Verify the GPG signature of the downloaded package.
> +
> +@example
> +gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig
> +@end example
> +
> +Extract ISO image from the downloaded package.
> +
> +@example
> +xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz
> +@end example
> +
> +Write the extracted ISO image to the drive.
> +
> +@example
> +dd if=3Dguix-system-install-A.B.C.SSS-linux.iso of=3D/dev/sdX status=3Dp=
rogress; sync
> +@end example
> +
> +Reboot the device.
> +
> +@example
> +reboot
> +@end example
> +
> +@node Installing and Setup
> +@subsection Installing and Setup
> +
> +On reboot, as soon as the Libreboot's graphic art appears, press "S"
^ "the" is not necessary
> +or choose @code{Search for GRUB2 configuration on external media [s]}. W=
ait
> +for the Guix System from USB drive to load.
This sounds awkward. Perhaps "Wait for Guix System to load from the USB
drive." or "Wait for the Guix System [you just] installed on the USB
drive to load."?
> +
> +Once Guix System installer starts, choose @code{Install using the shell
> +based process}.
> +
> +Set your keyboard layout, where @code{lo} is the two-letter keyboard
> +layout code (lower-case).
How do I know out what my keyboard layout code should be? Even
"layout code (lower-case), for example @code{us} or @code{ru}."
would be helpful.
> +
> +@example
> +loadkeys --verbose lo
> +@end example
> +
> +Unblock network interfaces.
> +
> +@example
> +rfkill unblock all
> +@end example
> +
> +Get the names of network interfaces.
> +
> +@example
> +ifconfig -v -a
> +@end example
> +
> +@example
> +enp0s25 Link encap:Ethernet HWaddr 00:1C:25:9A:37:BA
> + UP BROADCAST MULTICAST MTU:1500 Metric:1
> + RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> + collisions:0 txqueuelen:1000
> + RX bytes:0 TX bytes:0
> + Interrupt:16 Memory:98800000-98820000
> +
> +lo Link encap:Local Loopback
> + inet addr:127.0.0.1 Bcast:0.0.0.0 Mask:255.0.0.0
> + UP LOOPBACK RUNNING MTU:65536 Metric:1
> + RX packets:265 errors:0 dropped:0 overruns:0 frame:0
> + TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
> + collisions:0 txqueuelen:1000
> + RX bytes:164568 TX bytes:164568
> +
> +wlp2s0 Link encap:Ethernet HWaddr E4:CE:8F:59:D6:BF
> + inet addr:192.168.1.133 Bcast:192.168.1.255 Mask:255.255.255=
.0
> + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> + RX packets:60084 errors:0 dropped:71 overruns:0 frame:0
> + TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0
> + collisions:0 txqueuelen:1000
> + RX bytes:45965805 TX bytes:4905457
> +
> +@end example
> +
> +Bring the desired network interface (wired or wireless) up, where
> +@code{nwif} is the network interface name.
How do I know which of the interfaces I should use?
> +
> +@example
> +ifconfig -v nwif up
> +@end example
> +
> +For wireless connection, follow the wireless setup.
^ connections
> +
> +@menu
> +* Wireless Setup::
> +@end menu
> +
> +@node Wireless Setup
> +@subsubsection Wireless Setup
> +
> +Create a configuration file using text editor, where @code{fname} is any
> +desired name for file.
This reads a bit awkwardly. Perhaps something like
"Create the configuration file using a text editor such as
@code{nano}. In this example, we are naming the file
@code{fname.conf}, but any name will do."
Also consider using a more descriptive example filename, like
`wpa_supplicant.conf`. You'd be surprised how many users just use the
example names!
> +
> +@example
> +nano fname.conf
> +@end example
> +
> +Choose, type and save ONE of the following snippets, where =E2=80=98net=
=E2=80=99 is
> +the network name, =E2=80=98pass=E2=80=99 is the password or passphrase a=
nd =E2=80=98uid=E2=80=99 is
> +the user identity.
> +
> +For most private networks:
> +
> +@example
> +network=3D@{
> + ssid=3D"net"
> + key_mgmt=3DWPA-PSK
> + psk=3D"pass"
> +@}
> +@end example
> +
> +(or)
> +
> +For most public networks:
> +
> +@example
> +network=3D@{
> + ssid=3D"net"
> + key_mgmt=3DNONE
> +@}
> +@end example
> +
> +(or)
> +
> +For most organizational networks:
> +
> +@example
> +network=3D@{
> + ssid=3D"net"
> + scan_ssid=3D1
> + key_mgmt=3DWPA-EAP
> + identity=3D"uid"
> + password=3D"pass"
> + eap=3DPEAP
> + phase1=3D"peaplabel=3D0"
> + phase2=3D"auth=3DMSCHAPV2"
> +@}
> +@end example
> +
> +Connect to the configured network.
> +
> +@example
> +wpa_supplicant -B -c fname.conf -i nwif
> +@end example
> +
> +Assign an IP address to the network interface.
This is a bit misleading, as we aren't actually directly assigning an IP
address, but using dhclient to get one through DHCP.
> +
> +@example
> +dhclient -v nwif
> +@end example
Should there be something indicating the end of "Wireless Setup"? I'm
not sure how texi subsections work, but if I were skipping "Wireless
Setup," how would I know where to skip to?
> +
> +Obtain the device letter @code{/dev/sdX} in which you would like to depl=
oy
> +and install Guix System, where =E2=80=9CX=E2=80=9D is the device letter.
This reads a bit awkwardly. Perhaps consider
"Find the [device] identifier for the device you are installing Guix
System onto."
> +
> +@example
> +lsblk --list
> +@end example
> +
> +@example
> +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
> +sda 8:0 0 223.6G 0 disk
> +sda1 8:1 0 2M 0 part
> +sda2 8:2 0 3.7G 0 part
> +sda3 8:3 0 219.9G 0 part /
> +zram0 251:0 0 512M 0 disk [SWAP]
> +@end example
> +
> +Wipe the device (Ignore if the device is new).
^ lowercase; or "skip"
Also, why did the example for the USB drive show all 'sda' devices, and
this one does too? This is potentially confusing. Consider using
examples from the actual process.
> +
> +@example
> +shred --verbose --random-source=3D/dev/urandom /dev/sdX
> +@end example
> +
> +Load the device-mapper module in the current kernel.
Why? Consider adding "(This is necessary for...)"
> +
> +@example
> +modprobe --verbose dm_mod
> +@end example
> +
> +Partition the device. Follow the prompts. Just do, GPT --> New -->
> +Write --> Quit; defaults will be set.
Consider writing out the steps.
Also: are we just using one partition? Prefer describing what the goal
of a step is before describing the step, so a less knowledgeable user
learns and a more knowledgeable user knows when that step can be
substituted.
> +
> +@example
> +cfdisk /dev/sdX
> +@end example
> +
> +Obtain the partition number from the device, where =E2=80=9CY=E2=80=9D i=
s the
> +partition number.
Doesn't cfdisk show the partition number?
> +
> +@example
> +lsblk --list
> +@end example
> +
> +Encrypt the partition. Follow the prompts.
> +
> +@example
> +cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
> +--verify-passphrase --use-random --key-size 512 --iter-time 500 \
> +luksFormat /dev/sdXY
> +@end example
> +
> +Obtain and note down the UUID of the LUKS partition.
> +
> +@example
> +cryptsetup --verbose luksUUID /dev/sdXY
> +@end example
> +
> +Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
> +and @code{partname} is any desired name for the partition.
Consider suggesting (or using in your example) a default partition name,
like with the .conf file above. Same for all the vg, lv, and fs names
below.
> +
> +@example
> +cryptsetup --verbose
> +luksOpen UUID=3Dluks-uuid partname
> +@end example
Is this supposed to be two lines?
> +
> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
There is not "num" or any GB values in your following example...
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
^ logical volumes
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example
Why are we using btrfs? Could I use ext4 instead?
> +
> +Mount the filesystems under the current system.
Consider "Mount the new filesystems."
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=3D1MiB count=3D1GiB if=3D/dev/zero of=3D/mnt/swapfile status=3Dpro=
gress
> +mkswap --verbose /mnt/swapfile
> +@end example
> +
> +Make the swap file readable and writable only by root account.
"root." or "the root account."
> +
> +@example
> +chmod --verbose 600 /mnt/swapfile
> +@end example
> +
> +Activate the swap file.
> +
> +@example
> +swapon --verbose /mnt/swapfile
> +@end example
> +
> +Install packages on the mounted root filesystem.
> +
> +@example
> +herd start cow-store /mnt
> +@end example
This doesn't actually install packages, does it? The manual says:
"This makes /gnu/store copy-on-write, such that packages added to it
during the installation phase are written to the target disk rather
than kept in memory."
> +
> +Create the system-wide configuration files directory.
> +
> +@example
> +mkdir --verbose /mnt/etc
> +@end example
Why all the verbose, even on mkdir?
> +
> +Create, edit and save the system configuration file by typing the
> +following code snippet. WATCH-OUT for variables in the code snippet
> +and replace them with the relevant values.
"Replace placeholders (such as LUKS-UUID) with their values from earlier."
> +
> +@example
> +nano /mnt/etc/config.scm
> +@end example
> +
> +The content of config.scm is:
> +
> +@lisp
> +(use-modules
> + (gnu)
> + (gnu system nss))
> +
> +(use-package-modules
> + certs
> + gnome
> + linux)
> +
> +(use-service-modules
> + desktop
> + xorg)
> +
> +(operating-system
> + (kernel linux-libre-lts)
> + (kernel-arguments
> + (append
> + (list
> + ;; this is needed to flash the libreboot ROM. After, you
> + ;; have flashed your rom, it is a good idea to remove
> + ;; iomem=3Drelaxed from your kernel arguments
> + "iomem=3Drelaxed")
> + %default-kernel-arguments))
> +
> + (timezone "Zone/SubZone")
> + (locale "ab_XY.1234")
> + (name-service-switch %mdns-host-lookup-nss)
> +
> + (bootloader
> + (bootloader-configuration
> + (bootloader
> + (bootloader
> + (inherit grub-bootloader)
> + (installer #~(const #t))))
> + (keyboard-layout keyboard-layout)))
> +
> + (keyboard-layout
> + (keyboard-layout
> + "xy"
> + "altgr-intl"))
> +
> + (host-name "hostname")
> +
> + (mapped-devices
> + (list
> + (mapped-device
> + (source
> + (uuid "LUKS-UUID"))
> + (target "partname")
> + (type luks-device-mapping))
> + (mapped-device
> + (source "vgname")
> + (targets
> + (list
> + "vgname-lvnameroot"
> + "vgname-lvnamehome"))
> + (type lvm-device-mapping))))
> +
> + (file-systems
> + (append
> + (list
> + (file-system
> + (type "btrfs")
> + (mount-point "/")
> + (device "/dev/mapper/VGNAME-LVNAMEROOT")
> + (flags '(no-atime))
> + (options "space_cache=3Dv2")
> + (needed-for-boot? #t)
> + (dependencies mapped-devices))
> + (file-system
> + (type "btrfs")
> + (mount-point "/home")
> + (device "/dev/mapper/VGNAME-LVNAMEHOME")
> + (flags '(no-atime))
> + (options "space_cache=3Dv2")
> + (dependencies mapped-devices)))
> + %base-file-systems))
> +
> + (swap-devices
> + (list
> + "/swapfile"))
> +
> + (users
> + (append
> + (list
> + (user-account
> + (name "USERNAME")
> + (comment "Full Name")
> + (group "users")
> + (supplementary-groups '("audio" "cdrom"
> + "kvm" "lp" "netdev"
> + "tape" "video"
> + "wheel"))))
> + %base-user-accounts))
> +
> + (packages
> + (append
> + (list
> + nss-certs)
> + %base-packages))
> +
> + (services
> + (append
> + (list
> + (service gnome-desktop-service-type))
> + %desktop-services)))
> +@end lisp
> +
> +Initialize new Guix System.
> +
> +@example
> +guix system init /mnt/etc/config.scm /mnt
> +@end example
> +
> +Reboot the device.
> +
> +@example
> +reboot
> +@end example
> +
> +@node Tweaking Libreboot's Grub Payload
> +@subsection Tweaking Libreboot's Grub Payload
> +@cindex grub payload
> +
> +On reboot, as soon as the Libreboot graphic art appears, press =E2=80=9C=
C=E2=80=9D to
> +enter the command-line.
> +
> +Enter the following commands and respond to first command with the LUKS
> +Key.
What key? When did we get a LUKS Key? Am I supposed to come up with a
new key/passphrase?
> +
> +@example
> +cryptomount -u luks-uuid
> +set root=3D(lvm/vgname-lvnameroot)
> +@end example
> +
> +Upon Guix's GRUB menu, go with the default option.
"At the GRUB menu, selec the default option."
> +
> +Enter the LUKS Key again, for kernel, as prompted.
> +
> +Upon login screen, login as "root" with password field empty.
"At the login screen" ^ the
> +
> +Open terminal.
^ the
> +
> +Set passkey for the "root" user. Follow the prompts.
^ the password
> +
> +@example
> +passwd root
> +@end example
> +
> +Set passkey for the "username" user. Follow the prompts.
^ the password
Also, the guide used the @code{username} style before. Why the change?
> +
> +@example
> +passwd username
> +@end example
> +
> +Install flashrom and wget.
> +
> +@example
> +guix package =E2=80=93-install flashrom wget
> +@end example
> +
> +Obtain the ROM chip's model and size. Look for the output line =E2=80=9C=
Found
> +[@dots{}] flash chip [@dots{}]=E2=80=9D.
> +
> +@example
> +flashrom --verbose --programmer internal
> +@end example
> +
> +Download Libreboot ROM and utilities, where "YYYYMMDD" is the release
> +date, @code{devmod} is the device model and "N" is the ROM chip size.
Likewise. The guide also used single quotes for 'sdX' earlier.
> +
> +@example
> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libr=
eboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz
> +wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYY=
YYMMDD_util.tar.xz
> +@end example
> +
> +Extract the downloaded files.
> +@example
> +tar --extract --file=3Dlibreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verb=
ose
> +tar --extract --file=3Dlibreboot_rYYYYMMDD_util.tar.xz --verbose
> +@end example
> +
> +Rename the directories of extracted files.
> +
> +@example
> +mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"
> +mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"
> +@end example
> +
> +Copy the ROM image to the directory of cbfstool, where "kbdlo" is the
> +keyboard layout and "arch" is the system architecture.
Likewise.
> +
> +@example
> +cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arc=
h/libreboot.rom
> +@end example
> +
> +Change directory to the directory of cbfstool.
> +@example
> +cd libreboot_util/cbfstool/arch/
> +@end example
> +
> +Extract the GRUB configuration file from the image.
> +
> +@example
> +./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg
> +@end example
> +
> +Edit the GRUB configuration file and insert the following code snippet
> +above the line @code{=E2=80=9Cmenuentry 'Load Operating System [o]' --ho=
tkey=3D'o'
> +--unrestricted @{ [...] @}=E2=80=9D}.
> +
> +@example
> +nano grub.cfg
> +@end example
> +
> +Snippet:
> +@example
> +menuentry =E2=80=98Guix System (An advanced distribution of the GNU oper=
ating system) [g]=E2=80=99 --hotkey=3D=E2=80=99g=E2=80=99 --unrestricted
> +@{
> +cryptomount -u luks-uuid
> +set root=3D(lvm/vgname-lvnameroot)
> +configfile /boot/grub/grub.cfg
> +@}
> +@end example
> +
> +Remove the old GRUB configuration file from the ROM image.
> +
> +@example
> +./cbfstool libreboot.rom remove -n grub.cfg
> +@end example
> +
> +Insert the new GRUB configuration file into the ROM image.
> +
> +@example
> +./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
> +@end example
> +
> +Move the ROM image to the directory of ich9gen.
> +
> +@example
> +mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom
> +@end example
> +
> +Change directory to the directory of ich9gen.
> +
> +@example
> +cd ~/libreboot_util/ich9deblob/arch/
> +@end example
> +
> +Generate descriptor+GbE images with the MAC address, where "mac-addr"
> +is the MAC address of the machine.
Likewise.
> +
> +@example
> +ich9gen --macaddress mac-addr
> +@end example
> +
> +Insert the descriptor+GbE image into the ROM image, where "N" is the
> +ROM chip size.
> +@example
> +dd bs=3D12k conv=3Dnotrunc count=3D1 if=3Dich9fdgbe_Nm.bin of=3Dlibreboo=
t.rom status=3Dprogress
> +@end example
> +
> +Move the ROM image to the directory of flash.
^ "the flash script"
> +
> +@example
> +mv libreboot.rom ~/libreboot_util/libreboot.rom
> +@end example
> +
> +Change directory to the directory of flash.
> +
> +@example
> +cd ~/libreboot_util
> +@end example
> +
> +Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.
^ the ^ no ","
> +@example
> +nano flash
> +@end example
> +
> +Flash the ROM with the new image.
> +@example
> +./flash update libreboot.rom
> +@end example
> +
> +(or)
> +
> +@example
> +./flash forceupdate libreboot.rom
> +@end example
How do I know whether to use 'update' or 'forceupdate'?
> +
> +Reboot the device.
> +@example
> +reboot
> +@end example
> +
> +@node Closing Thoughts
> +@subsection Closing Thoughts
Typically it's "Closing Remarks".
> +
> +Everything should be stream-lined from now. Upon Libreboot's GRUB
What does this mean?
> +menu, you can either press "G" or choose "Guix System (An advanced
> +distribution of the GNU operating system) [g]".
In order to do what?
> +
> +During the boot process, as prompted, you have to type LUKS key twice;
> +once for Libreboot's GRUB and once more for Linux-Libre kernel.
> +Retyping a passphrase is a minor annoyance, but it is a secure method of
> +opening up your device. There are methods that exist to only type the
> +passphrase once, but none are currently integrated into Guix System.
> +
> +Generally, you will be using Libreboot's initial/default grub.cfg,
Is this the grub.cfg we setup above? If so, specify that.
> +whose Guix menu-entry invokes Guix's grub.cfg located at
> +@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's
^ troubleshooting
> +@code{grubtest.cfg}, which hasn't been modified.
But *how* would I use grubtest.cfg?
> +
> +Now that you have a working Guix System with full disk encryption, you
> +may want to remove the @code{iomem=3Drelaxed} from your
> +@code{kernel-arguments}. @code{iomem=3Drelaxed} is needed to reflash yo=
ur
> +rom. Since, most users will probably not flash their rom often, those
^ ROM ^ no "," ^ ROM
> +users may wish to disable that feature:
The change from "you" to "most users"/"those users" is a little jarring.
> +
> +@lisp
> + ;; optionally remove this bit of code from your config.scm
> + (kernel-arguments
> + (append
> + (list
> + ;; this is needed to flash the libreboot ROM. After, you
> + ;; have flashed your rom, it is a good idea to remove
> + ;; iomem=3Drelaxed from your kernel arguments
> + "iomem=3Drelaxed")
> + %default-kernel-arguments))
> +@end lisp
> +
> +That is it! You have now setup Guix System with Full Disk Encryption on
> +your device powered by Libreboot. Enjoy!
> +
> +More information about Libreboot can be found at their official
> +documentation: @uref{https://libreboot.org/docs/}.
Consider embedding the link:
"[...] can be found in the @uref{https://libreboot.org/docs/, official
documentation}."
=20=20
> +
> +@node Special Thanks
> +@subsection Special Thanks
> +
> +Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),
^ no "," ^ same
> +for helping me with the Scheme code for the bootloader configuration.
^ "for assisting with" (avoid first person prounouns)
> +
> +Thanks to Libreboot founder and developer, Leah Rowe
^ no ","
> +(leah@@libreboot.org), for helping me with the understanding of
^ no "," ^ "for assistance with Libreboot."
> +Libreboot=E2=80=99s functionalities.
> +
> @node Customizing a Window Manager
> @section Customizing a Window Manager
> @cindex wm
Also, consider referencing relevant sections of the manual, such as
https://guix.gnu.org/manual/en/html_node/Manual-Installation.html
so users know where to find more detailed information.
Hope that helps,
Sarah
guix-patches@HIDDEN:bug#49654; Package guix-patches.
Full text available.
Received: (at 49654) by debbugs.gnu.org; 21 Jul 2021 12:16:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jul 21 08:16:26 2021
Received: from localhost ([127.0.0.1]:36366 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1m6B9F-0003pE-V3
for submit <at> debbugs.gnu.org; Wed, 21 Jul 2021 08:16:26 -0400
Received: from ns13.heimat.it ([46.4.214.66]:54290)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <g@HIDDEN>) id 1m6B9D-0003hW-2L
for 49654 <at> debbugs.gnu.org; Wed, 21 Jul 2021 08:16:25 -0400
Received: from localhost (ip6-localhost [127.0.0.1])
by ns13.heimat.it (Postfix) with ESMTP id A70F73021BA;
Wed, 21 Jul 2021 12:16:16 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it
Received: from ns13.heimat.it ([127.0.0.1])
by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Dx0pJBLKkCYi; Wed, 21 Jul 2021 12:16:14 +0000 (UTC)
Received: from bourrache.mug.xelera.it (unknown [93.56.171.5])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client did not present a certificate)
by ns13.heimat.it (Postfix) with ESMTPSA id 89AAD3021B9;
Wed, 21 Jul 2021 12:16:14 +0000 (UTC)
Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14])
by bourrache.mug.xelera.it (Postfix) with SMTP id F0F5C1106341;
Wed, 21 Jul 2021 14:16:13 +0200 (CEST)
Received: (nullmailer pid 3369 invoked by uid 1000);
Wed, 21 Jul 2021 12:16:13 -0000
From: Giovanni Biscuolo <g@HIDDEN>
To: Joshua Branson <jbranso@HIDDEN>
Subject: Re: [bug#49654] [PATCH] doc: Add full disc encryption guide to the
cookbook
In-Reply-To: <87eebsvokg.fsf@HIDDEN>
Organization: Xelera.eu
References: <20210720052229.15438-1-jbranso@HIDDEN>
<87pmvdi7xa.fsf@HIDDEN> <87eebsvokg.fsf@HIDDEN>
Date: Wed, 21 Jul 2021 14:16:13 +0200
Message-ID: <87k0ljj20i.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 49654
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Hi Joshua
Joshua Branson <jbranso@HIDDEN> writes:
[...]
>> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
>> (with subvolumes if you want) on top of /dev/mapper/partname?
>
> This is probably a good idea...however does the grub payload support
> this?
Do you mean: does grub support booting from encrypted BTRFS? The answer
is yes.
WARNING: I've (still) not tried myself to boot Guix System using an
encrypted BTRFS (sub)volume but I'm pretty confident that Guix is
configuring grub with the needed modules (luks and btrfs)
[...]
>> I'm still using LVM on some "legacy" systems but for new installations
>> I'd strogly suggest starting using BTRFS on top of "physical"
>> partitions.
>
> does btrfs volume manage allow use to use ext4, jfs, or xfs
> filesystems?
No: BTRFS is a volume manager and a filesystem "all in one", you cannot
create a BRTFS subvolume and format it with another filesystem
> Or does on LVM do that?
LVM is "just" a volume manager with no idea about the overlaying
filesystem
[...]
>> I know that since Linux 2.6 swapfile performance is not a big issue if
>> the file is unfragmented (and it'll be for sure on newly partitioned
>> filesystems) but AFAIU swap files are still a little bit problematic on
>> BTRFS
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_file=
s.3F:
>
> Ok...maybe we could use ext4 for the swap file? Is there a better
> filesystem? Again does btrfs volume management allow the swap file to
> be ext4?
No, al explained above
> Or do we have to use LVM?
If we use a dedicated partition for swap there is no need to set up an
LVM volume (phisical, VG and then logical): we can just create a
dedicate partition during partitioning, encrypt it with LUKS and
"mkswap" it (e.g. mkswap /dev/mapper/<encrypted_swap>)
[...]
>> Final note: AFAIU BTRFS supports swap files ONLY in single device
>> settings (that is: NO swap file support on multi device settings), so
>> IMHO it's better to use a dedicated partition for the swap space so
>> users are free to switch to a multi-device setting if they wish (and
>> can).
>
> Ok, I will create a dedicated partition and format it with ext4
> and the swap program
There's no need to format (mkfs.ext4) the partition with ext4, just
"mkswap" it :-)
> ...but I will probably need help figuring out how to encrypt
> the swap partition...There are guides online that I can look at...
You have to encrypt it like any other partition, e.g.:
=2D-8<---------------cut here---------------start------------->8---
Encrypt swap the partition. Follow the prompts.
@example
cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
=2D-verify-passphrase --use-random --key-size 512 --iter-time 500 \
luksFormat /dev/<swap_partition>
@end example
Obtain and note down the UUID of the LUKS partition.
@example
cryptsetup --verbose luksUUID /dev/<swap_partition>
@end example
Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
and @code{crypt_swap01} is any desired name for the decrypted swap
partition.
@example
cryptsetup --verbose luksOpen UUID=3Dluks-uuid crypt_swap01
@end example
Format the encrypted swap
@example
mkswap /dev/mapper/crypt_swap01
@end example
=2D-8<---------------cut here---------------end--------------->8---
Then, in our (operating-system) declaration, we have to use something
like this:
=2D-8<---------------cut here---------------start------------->8---
(mapped-devices
(list
(mapped-device
(source (uuid "LUKS-UUID"))
(target "partname")
(type luks-device-mapping))
;; This is our new encrypted swap partition
(mapped-device
(source
(uuid "SWAP-LUKS-UUID"))
(target "crypt_swap01")
(type luks-device-mapping))
(mapped-device
(source "vgname")
(targets
(list
"vgname-lvnameroot"
"vgname-lvnamehome"))
(type lvm-device-mapping))))
(swap-devices
(list
"/dev/mapper/crypt_swap01"))
=2D-8<---------------cut here---------------end--------------->8---
WARNING: please consider I've not tested this code.
>> The problem with a fully encrypted dedicated swap partition is that
>> it'll require a third passphrase prompt on boot (the one to unlock the
>> swap partition), but that's a minor annoyance IMHO.
>
> Oh no! I hadn't thought about that! grrr!
Actually what I said it's NOT true... or better: we could avoid the
(third) password prompt for the swap partition if we _add_ a keyfile to
the LUKS encrypted swap partition _and_ we have a mechanism to
"luksOpen" that mapped volume using that keyfile.
I'm not aware of such a mechanism on Guix Systems, in Debian (et al)
this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the
option to specify a keyfile.
So, as far as this cookbook section is concerned, unfortunately when
using a dedicated encrypted swap partition an additional passphrase
prompt will be presented to the user at each boot.
> I wonder if bcachefs is better than btrfs...well I guess it's not
> merged yet.
No, still not. AFAIU also still not available in Guix.
> What about instead of using a swap file we use zram?
Never used zram and I don't know if it's supported (I mean configured by
(operating-system)) on Guix System
[...]
Sorry I've more issues than answers on this topics, nevertheless I hope
it somway helps.
Thanks! Gio'
=2D-=20
Giovanni Biscuolo
Xelera IT Infrastructures
--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmD4EA0MHGdAeGVsZXJh
LmV1AAoJENN9DqfOzDkSzPUP+wVK9T3xSz/RtCMQ3FT6v3ARMaBPZON/q+nib2KY
t+sD9xptJcP9ohGGJLwqRpRnrmdOpIUc7Kqr0EBoAAwFz8YLyN7+rKXiN2wByFiT
Yc05VA0iiFU+yeNN2GUw57PVSk/4evEKAlEe5gKbjfncV6Q59xR1JzXNlvhuRMET
XsM+LEhPlYqrqPO/2meG2fl822qNIypDP8ADWQE6ev3XoRiyctHWopUWeB9itlng
jc/MBjwFoJ4dtjEIx/Nqv6oQ+mfqcBFNCmjl+B8VUuoqsKVvxYBr3sqVp8haqhS5
NSWqRIwaoL/StfdUZerLSbfLOx+pRhzYVD3UjHeQ2bPibUv8n+GnhwIlQpneB+VN
kbILcgqBt0UgXCbQhcz5lsMPaY1dKZjoR5oXgDXnXkONEF4ac2dpQ3GFaMbYsEsy
AAdZGpwaWQGWRpD5u2wirxz/f8bEqrK+uXOAmlvs8tRgBCb4ilMyowApvnWmnNIa
GVVZi16FLUKix0AYS3uAlucOgyJQWDqBtKZkdSTBlpt7DNN+ANAv84wM0lxPu7Nz
Ov2VDUb2ra/J/vlDVyK+bNzp2o8R4Ai60LROynzbSUHvEfgvgIIPUrZwJjyVAy3g
ZHlg9D7+z1BuXlaz8LY62pWShkydi4o0MaMAG/nM8a0XOPjH/Zz9++7/X+APLc8w
cIio
=1UvG
-----END PGP SIGNATURE-----
--=-=-=--
guix-patches@HIDDEN:bug#49654; Package guix-patches.
Full text available.
Received: (at 49654) by debbugs.gnu.org; 20 Jul 2021 18:16:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jul 20 14:16:20 2021
Received: from localhost ([127.0.0.1]:35327 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1m5uHu-00054x-Iu
for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 14:16:20 -0400
Received: from mx1.dismail.de ([78.46.223.134]:7522)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <jbranso@HIDDEN>) id 1m5uHr-00054i-Sd
for 49654 <at> debbugs.gnu.org; Tue, 20 Jul 2021 14:16:13 -0400
Received: from mx1.dismail.de (localhost [127.0.0.1])
by mx1.dismail.de (OpenSMTPD) with ESMTP id e909de71;
Tue, 20 Jul 2021 20:16:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=from:to:cc
:subject:references:date:in-reply-to:message-id:mime-version
:content-type; s=20190914; bh=J4h3qrgjKTQqzNU5HWZx95vrG9Oz0i/qiw
bvF4BJ88M=; b=pyovKIVDn71SfqLGWE12GEkabUwlrfXUJrYBEJ6Q9TS4A5IXyk
T7mv98sfMotu71zDHWvLRed8/5G8WagHlRIyIXYxNv15+aWhUX7+wjMs7U3XrILE
+Zrxnm0GSzsb9fVm7gFMswKxr12dA3SndlSwD/crU+770N8vMY7/f2/lywY87UCW
fJHj3DVSo3Rk40Keyvcqnoehtwr249xaCbC8OHLeslERd8ANFq4V+0zpUyp3r/fT
mOM0ouMYwStumJpc4SV+qQuKkIGr2ERqkHkQCph1M8x5zTLYNMulDTBdybulJaFo
Fy2UmyZA3DYCRMNhxyob4hUNLeIZvdT3vhFA==
Received: from smtp2.dismail.de (<unknown> [10.240.26.12])
by mx1.dismail.de (OpenSMTPD) with ESMTP id f4f26310;
Tue, 20 Jul 2021 20:16:04 +0200 (CEST)
Received: from smtp2.dismail.de (localhost [127.0.0.1])
by smtp2.dismail.de (OpenSMTPD) with ESMTP id 51309edc;
Tue, 20 Jul 2021 20:16:04 +0200 (CEST)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id e35588bf
(TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO);
Tue, 20 Jul 2021 20:16:02 +0200 (CEST)
From: Joshua Branson <jbranso@HIDDEN>
To: Giovanni Biscuolo <g@HIDDEN>
Subject: Re: [bug#49654] [PATCH] doc: Add full disc encryption guide to the
cookbook
References: <20210720052229.15438-1-jbranso@HIDDEN>
<87pmvdi7xa.fsf@HIDDEN>
Date: Tue, 20 Jul 2021 14:15:59 -0400
In-Reply-To: <87pmvdi7xa.fsf@HIDDEN> (Giovanni Biscuolo's message of "Tue,
20 Jul 2021 12:41:37 +0200")
Message-ID: <87eebsvokg.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 49654
Cc: 49654 <at> debbugs.gnu.org, rg@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Giovanni Biscuolo <g@HIDDEN> writes:
> Hello Joshua and Raghav,
>
> thank you for your guide! I have just a couple of comments.
>
> Joshua Branson via Guix-patches via <guix-patches@HIDDEN> writes:
>
>> From: Joshua Branson <jbranso AT gnucode.me>
>>
>> The original guide was written by Raghav Gururajan <rg@HIDDEN>
>> and edited by Joshua Branson <jbranso@HIDDEN>.
>>
>> * doc/guix-cookbook.texi (System Configuration): New section of full disc
>> encryption via libreboot.
>> ---
>> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 724 insertions(+)
>
> [...]
>
>> +* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption
>
> AFAIU the steps, especially the partitioning that does not provide an
> UEFI dedicated partition, are specific to Libreboot systems: what about
> to make it more clear in the section title?
I will mention this somewhere. Thanks. Perhaps we could mention that
libreboot systems are so ancient that they do not support UEFI. I will
also mention that newer coreboot devices do not support a UEFI partition,
but require proprietary blobs to run properly.
>
> ...or to adapt the section by separating Libreboot specific instructions
> from generic system instructions?
as above.
>
> [...]
>
>> +Create a physical volume in the partition.
>> +
>> +@example
>> +pvcreate /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create a volume group in the physical volume, where @code{vgname} is any
>> +desired name for volume group.
>> +
>> +@example
>> +vgcreate vgname /dev/mapper/partname --verbose
>> +@end example
>> +
>> +Create logical volumes in the volume group; where "num" is the number
>> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
>> +desired names for root and home volumes respectively.
>> +
>> +@example
>> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
>> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
>> +@end example
>> +
>> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
>> +@code{fsnamehome} are any desired names for root and home filesystems
>> +respectively.
>> +
>> +@example
>> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
>> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
>> +@end example
>
> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
> (with subvolumes if you want) on top of /dev/mapper/partname?
This is probably a good idea...however does the grub payload support
this?
>
> AFAIU the "double mapping" it's not needed, BTRFS have a very good (and
> now mature) built in volume manager. Furthermore, using BTRFS for
> volume management will allow users to switch to a multi-device system
> (e.g. RAID1) very easily.
That's pretty cool!
>
> I'm still using LVM on some "legacy" systems but for new installations
> I'd strogly suggest starting using BTRFS on top of "physical"
> partitions.
does btrfs volume manage allow use to use ext4, jfs, or xfs filesystems?
Or does on LVM do that?
>> +Mount the filesystems under the current system.
>> +
>> +@example
>> +mount --label fsnameroot --target /mnt --types btrfs --verbose
>> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
>> +/mnt/home --types btrfs --verbose
>> +@end example
>> +
>> +Create a swap file.
>> +
>> +@example
>> +dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
>> +mkswap --verbose /mnt/swapfile
>> +@end example
>
> I know that since Linux 2.6 swapfile performance is not a big issue if
> the file is unfragmented (and it'll be for sure on newly partitioned
> filesystems) but AFAIU swap files are still a little bit problematic on
> BTRFS
> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
Ok...maybe we could use ext4 for the swap file? Is there a better
filesystem? Again does btrfs volume management allow the swap file to
be ext4? Or do we have to use LVM?
> From kernel 5.0+ btrfs have native swap files support, but with some
> limitations. Swap file - must be fully allocated as NOCOW with no
> compression on one device.
>
>
> I've never tested a system with swap file on BTRFS but I think that your
> instructions should add how to set NOCOW for the swap file.
>
> The above example could be:
>
>
> @example
> dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
> mkswap --verbose /mnt/swapfile
> chattr +C /mnt/swapfile
> btrfs property set /mnt/swapfile compression none
> @end example
>
> Final note: AFAIU BTRFS supports swap files ONLY in single device
> settings (that is: NO swap file support on multi device settings), so
> IMHO it's better to use a dedicated partition for the swap space so
> users are free to switch to a multi-device setting if they wish (and
> can).
Ok, I will create a dedicated partition and format it with ext4 and the
swap program...but I will probably need help figuring out how to encrypt
the swap partition...There are guides online that I can look at...
> The problem with a fully encrypted dedicated swap partition is that
> it'll require a third passphrase prompt on boot (the one to unlock the
> swap partition), but that's a minor annoyance IMHO.
Oh no! I hadn't thought about that! grrr! I wonder if bcachefs is
better than btrfs...well I guess it's not merged yet. What about
instead of using a swap file we use zram? Or how about both?
> What do you think?
>
> [...]
>
> Happy hacking! Gio'
--
Joshua Branson (jab in #guix)
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
https://propernaming.org
"You can have whatever you want, as long as you help
enough other people get what they want." - Zig Ziglar
guix-patches@HIDDEN:bug#49654; Package guix-patches.
Full text available.
Received: (at 49654) by debbugs.gnu.org; 20 Jul 2021 10:42:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jul 20 06:42:32 2021
Received: from localhost ([127.0.0.1]:32866 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1m5nCq-0004ST-4x
for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 06:42:32 -0400
Received: from ns13.heimat.it ([46.4.214.66]:46388)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <g@HIDDEN>) id 1m5nCo-0004SE-B6
for 49654 <at> debbugs.gnu.org; Tue, 20 Jul 2021 06:42:31 -0400
Received: from localhost (ip6-localhost [127.0.0.1])
by ns13.heimat.it (Postfix) with ESMTP id 5C2323021BA;
Tue, 20 Jul 2021 10:42:16 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it
Received: from ns13.heimat.it ([127.0.0.1])
by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id c0nQYWcj6Fx5; Tue, 20 Jul 2021 10:41:47 +0000 (UTC)
Received: from bourrache.mug.xelera.it (unknown [93.56.171.5])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client did not present a certificate)
by ns13.heimat.it (Postfix) with ESMTPSA id 002A83021B9;
Tue, 20 Jul 2021 10:41:38 +0000 (UTC)
Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14])
by bourrache.mug.xelera.it (Postfix) with SMTP id 7F4EF10FD94A;
Tue, 20 Jul 2021 12:41:38 +0200 (CEST)
Received: (nullmailer pid 30492 invoked by uid 1000);
Tue, 20 Jul 2021 10:41:38 -0000
From: Giovanni Biscuolo <g@HIDDEN>
To: Joshua Branson <jbranso@HIDDEN>, 49654 <at> debbugs.gnu.org
Subject: Re: [bug#49654] [PATCH] doc: Add full disc encryption guide to the
cookbook
In-Reply-To: <20210720052229.15438-1-jbranso@HIDDEN>
Organization: Xelera.eu
References: <20210720052229.15438-1-jbranso@HIDDEN>
Date: Tue, 20 Jul 2021 12:41:37 +0200
Message-ID: <87pmvdi7xa.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 49654
Cc: rg@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Hello Joshua and Raghav,
thank you for your guide! I have just a couple of comments.
Joshua Branson via Guix-patches via <guix-patches@HIDDEN> writes:
> From: Joshua Branson <jbranso AT gnucode.me>
>
> The original guide was written by Raghav Gururajan <rg@HIDDEN=
me>
> and edited by Joshua Branson <jbranso@HIDDEN>.
>
> * doc/guix-cookbook.texi (System Configuration): New section of full disc
> encryption via libreboot.
> ---
> doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 724 insertions(+)
[...]
> +* Guix System with Full Disk Encryption:: Guix System with Full Disk =
Encryption
AFAIU the steps, especially the partitioning that does not provide an
UEFI dedicated partition, are specific to Libreboot systems: what about
to make it more clear in the section title?
...or to adapt the section by separating Libreboot specific instructions
from generic system instructions?
[...]
> +Create a physical volume in the partition.
> +
> +@example
> +pvcreate /dev/mapper/partname --verbose
> +@end example
> +
> +Create a volume group in the physical volume, where @code{vgname} is any
> +desired name for volume group.
> +
> +@example
> +vgcreate vgname /dev/mapper/partname --verbose
> +@end example
> +
> +Create logical volumes in the volume group; where "num" is the number
> +for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
> +desired names for root and home volumes respectively.
> +
> +@example
> +lvcreate --extents 25%VG vgname --name lvnameroot --verbose
> +lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
> +@end example
> +
> +Create filesystems on the logical-volumes, where @code{fsnameroot} and
> +@code{fsnamehome} are any desired names for root and home filesystems
> +respectively.
> +
> +@example
> +mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
> +mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
> +@end example
Why using two BTRFS volumes on top of LVM and not directly using BTRFS
(with subvolumes if you want) on top of /dev/mapper/partname?
AFAIU the "double mapping" it's not needed, BTRFS have a very good (and
now mature) built in volume manager. Furthermore, using BTRFS for
volume management will allow users to switch to a multi-device system
(e.g. RAID1) very easily.
I'm still using LVM on some "legacy" systems but for new installations
I'd strogly suggest starting using BTRFS on top of "physical"
partitions.
> +Mount the filesystems under the current system.
> +
> +@example
> +mount --label fsnameroot --target /mnt --types btrfs --verbose
> +mkdir --verbose /mnt/home && mount --label fsnamehome --target \
> +/mnt/home --types btrfs --verbose
> +@end example
> +
> +Create a swap file.
> +
> +@example
> +dd bs=3D1MiB count=3D1GiB if=3D/dev/zero of=3D/mnt/swapfile status=3Dpro=
gress
> +mkswap --verbose /mnt/swapfile
> +@end example
I know that since Linux 2.6 swapfile performance is not a big issue if
the file is unfragmented (and it'll be for sure on newly partitioned
filesystems) but AFAIU swap files are still a little bit problematic on
BTRFS
https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3=
F:
=2D-8<---------------cut here---------------start------------->8---
From=20kernel 5.0+ btrfs have native swap files support, but with some
limitations. Swap file - must be fully allocated as NOCOW with no
compression on one device.
=2D-8<---------------cut here---------------end--------------->8---
I've never tested a system with swap file on BTRFS but I think that your
instructions should add how to set NOCOW for the swap file.
The above example could be:
=2D-8<---------------cut here---------------start------------->8---
@example
dd bs=3D1MiB count=3D1GiB if=3D/dev/zero of=3D/mnt/swapfile status=3Dprogre=
ss
mkswap --verbose /mnt/swapfile
chattr +C /mnt/swapfile
btrfs property set /mnt/swapfile compression none
@end example
=2D-8<---------------cut here---------------end--------------->8---
Final note: AFAIU BTRFS supports swap files ONLY in single device
settings (that is: NO swap file support on multi device settings), so
IMHO it's better to use a dedicated partition for the swap space so
users are free to switch to a multi-device setting if they wish (and
can).
The problem with a fully encrypted dedicated swap partition is that
it'll require a third passphrase prompt on boot (the one to unlock the
swap partition), but that's a minor annoyance IMHO.
What do you think?
[...]
Happy hacking! Gio'
=2D-=20
Giovanni Biscuolo
Xelera IT Infrastructures
--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmD2qGEMHGdAeGVsZXJh
LmV1AAoJENN9DqfOzDkSk2kP/1D7pOfC9mchHXvnTDi9mGvi8FdWayUO3LMOqt9L
198CBLezXNTGY/kPQwBHJRDB7u34EsZMGi4IrJVjAf25yXqslLHsiU5OHNgZ2xoV
ngj1hKGKo8Uy84K+/B4uHyx3W5NUatjbfxTnb2JBjbxtWGU4SEqFyAtQ/qyrL6cc
UNWEPQuiajcdDZxChLj0pT6SzD93Lf+PY6kSj7O0bB4BJHymoiDiZs1dyuazRti0
uYMhe9GvjIXEheDcrIkUBvJRgP9OW77ORMjf7UyHSNFelxxMVKOt4gqYvIqi9C/s
QVTPB/SApqcZQEy3mFjhvKx31cQ7dyrm3yv2mi9O7D9n32foiQgEbhJhBVcb4xZa
kcdq3c9Msbkd6V8k9tYDWhyXp0QD4pdHuB3vPFJ1GCXgaqdbkaUgqO3pnW4wW1DE
0qJjZhKDpD7MYO/OWEKPfGuI12F6aGM8GQ0HN5PY1StT6OAyALXUKq256ECo8pgI
XirsMXMDtb5Pcmt/i1Whe19hCZWhJ5eK/NXlgJhGirjDU7HaqTIbW1aOWiBnb3HX
taR3t0c+KLuPk+7h6+TWJQI2Ryzx9WQuWWMM7frZx5q/kOTKZ7aGRZ4xVtnK2moa
j3Bj/i7ayqD78ZUAXva9PomPR41/fipYoVbuw/1zBgKS0Fe0xXgyZ7jnmNOIUtar
syU5
=k+lZ
-----END PGP SIGNATURE-----
--=-=-=--
guix-patches@HIDDEN:bug#49654; Package guix-patches.
Full text available.
Received: (at submit) by debbugs.gnu.org; 20 Jul 2021 05:23:33 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jul 20 01:23:33 2021
Received: from localhost ([127.0.0.1]:60785 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1m5iE2-0004tf-Sh
for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 01:23:33 -0400
Received: from lists.gnu.org ([209.51.188.17]:37330)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <jbranso@HIDDEN>) id 1m5iE1-0004tX-2X
for submit <at> debbugs.gnu.org; Tue, 20 Jul 2021 01:23:26 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:58832)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <jbranso@HIDDEN>)
id 1m5iE0-0007Gl-P3
for guix-patches@HIDDEN; Tue, 20 Jul 2021 01:23:24 -0400
Received: from mx1.dismail.de ([78.46.223.134]:4621)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <jbranso@HIDDEN>)
id 1m5iDw-0000ua-RQ
for guix-patches@HIDDEN; Tue, 20 Jul 2021 01:23:24 -0400
Received: from mx1.dismail.de (localhost [127.0.0.1])
by mx1.dismail.de (OpenSMTPD) with ESMTP id 3bdd7834;
Tue, 20 Jul 2021 07:23:16 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=from:to:cc
:subject:date:message-id:mime-version:content-type
:content-transfer-encoding; s=20190914; bh=HRPongJBC7M+ty3l+S6JC
+xyLy4bIdpneaV+hhzOc20=; b=e8ItYQ82qMWvE+0lWTqByo8scvtnkHE3Flx+F
+VBFmio3ne77pRyRKZewO9WQyZ2OXU3Wa4fIX9osa1o7nMRlBZhnfdR4QilPf/IF
OKXMalOf7CrBERVNu2Pp8CSJOxbovnYTO5iql2jua/95msXqCSZp998oihGbNRiC
ovVaSn9816U9DVjcxYRKmYtPi9Ve+Wk8H5mTjyMRdG+loWPYArrHbNmcbDki97GO
8Rt6/pDrHXLBCpmb5XdLCto9G1zNcsL0mD2hxafOOthwraIfwZphtKQgV3Q7kHhi
Sda/1yPJw7u7H9H4MKJbB4nGtqD7yG+ENtA9h2FBq/UxH5YtQ==
Received: from smtp2.dismail.de (<unknown> [10.240.26.12])
by mx1.dismail.de (OpenSMTPD) with ESMTP id 7a8996c0;
Tue, 20 Jul 2021 07:23:10 +0200 (CEST)
Received: from smtp2.dismail.de (localhost [127.0.0.1])
by smtp2.dismail.de (OpenSMTPD) with ESMTP id a6f64e62;
Tue, 20 Jul 2021 07:23:10 +0200 (CEST)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id a79c3f92
(TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO);
Tue, 20 Jul 2021 07:23:08 +0200 (CEST)
From: Joshua Branson <jbranso@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] doc: Add full disc encryption guide to the cookbook
Date: Tue, 20 Jul 2021 01:22:24 -0400
Message-Id: <20210720052229.15438-1-jbranso@HIDDEN>
X-Mailer: git-send-email 2.32.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=78.46.223.134; envelope-from=jbranso@HIDDEN;
helo=mx1.dismail.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: rg@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.1 (/)
From: Joshua Branson <jbranso AT gnucode.me>
The original guide was written by Raghav Gururajan <rg@HIDDEN>
and edited by Joshua Branson <jbranso@HIDDEN>.
* doc/guix-cookbook.texi (System Configuration): New section of full disc
encryption via libreboot.
---
doc/guix-cookbook.texi | 724 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 724 insertions(+)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e627ecc51..ef8f3425d6 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -18,6 +18,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christopher Lemmer Webber
Copyright @copyright{} 2021 Joshua Branson@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1358,6 +1359,7 @@ reference.
* Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System.
* Guix System Image API:: Customizing images to target specific platforms.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
+* Guix System with Full Disk Encryption:: Guix System with Full Disk Encryption
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server
* Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
@@ -1938,6 +1940,728 @@ For more specific information about NetworkManager and wireguard
@uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see
this post by thaller}.
+@node Guix System with Full Disk Encryption
+@section Guix System with Full Disk Encryption
+@cindex libreboot, full disk encryption
+
+Guix System is an exotic distribution of GNU/Linux operating system,
+with Guix as package/system manager, Linux-Libre as kernel and
+Shepherd as init system.
+
+Libreboot is a de-blobbed distribution of Coreboot firmware. By
+default, Libreboot comes with GRUB bootloader as a payload.
+
+The objective of this manual is to provide step-by-step guide for
+setting up Guix System (stand-alone Guix), with Full Disk
+Encryption (FDE), on devices powered by Libreboot.
+
+Any users, for their generalized use cases, need not stumble away from
+this guide to accomplish the setup. Advanced users, for deviant use
+cases, will have to explore outside this guide for customization;
+although this guide provides information that is of paramount use.
+
+Let us begin!
+
+@menu
+* Create Boot-able USB::
+* Installing and Setup::
+* Tweaking Libreboot's Grub Payload::
+* Closing Thoughts::
+* Special Thanks::
+@end menu
+
+@node Create Boot-able USB
+@subsection Create Boot-able USB
+
+In the current GNU+Linux system, open terminal as root user.
+
+Insert USB drive and get the device letter @code{/dev/sdX}, where “X” is the
+device letter.
+
+@example
+lsblk --list
+@end example
+
+@example
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 223.6G 0 disk
+sda1 8:1 0 2M 0 part
+sda2 8:2 0 3.7G 0 part
+sda3 8:3 0 219.9G 0 part /
+zram0 251:0 0 512M 0 disk [SWAP]
+@end example
+
+
+Just in case the device is auto-mounted, unmount the device.
+
+@example
+umount /dev/sdX --verbose
+@end example
+
+Download the Guix System ISO installer package and it’s GPG signature;
+where @code{A.B.C} is the version number and @code{SSS} is the system
+architecture.
+
+@example
+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz
+wget --verbose https://ftp.gnu.org/gnu/guix/guix-system-install-A.B.C.SSS-linux.iso.xz.sig
+@end example
+
+Import the Guix's public key.
+
+@example
+gpg --verbose --keyserver pool.sks-keyservers.net –-receive-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
+@end example
+
+Verify the GPG signature of the downloaded package.
+
+@example
+gpg --verbose --verify guix-system-install-A.B.C.SSS-linux.iso.xz.sig
+@end example
+
+Extract ISO image from the downloaded package.
+
+@example
+xz --verbose --decompress guix-system-install-A.B.C.SSS-linux.iso.xz
+@end example
+
+Write the extracted ISO image to the drive.
+
+@example
+dd if=guix-system-install-A.B.C.SSS-linux.iso of=/dev/sdX status=progress; sync
+@end example
+
+Reboot the device.
+
+@example
+reboot
+@end example
+
+@node Installing and Setup
+@subsection Installing and Setup
+
+On reboot, as soon as the Libreboot's graphic art appears, press "S"
+or choose @code{Search for GRUB2 configuration on external media [s]}. Wait
+for the Guix System from USB drive to load.
+
+Once Guix System installer starts, choose @code{Install using the shell
+based process}.
+
+Set your keyboard layout, where @code{lo} is the two-letter keyboard
+layout code (lower-case).
+
+@example
+loadkeys --verbose lo
+@end example
+
+Unblock network interfaces.
+
+@example
+rfkill unblock all
+@end example
+
+Get the names of network interfaces.
+
+@example
+ifconfig -v -a
+@end example
+
+@example
+enp0s25 Link encap:Ethernet HWaddr 00:1C:25:9A:37:BA
+ UP BROADCAST MULTICAST MTU:1500 Metric:1
+ RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:0 TX bytes:0
+ Interrupt:16 Memory:98800000-98820000
+
+lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Bcast:0.0.0.0 Mask:255.0.0.0
+ UP LOOPBACK RUNNING MTU:65536 Metric:1
+ RX packets:265 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:164568 TX bytes:164568
+
+wlp2s0 Link encap:Ethernet HWaddr E4:CE:8F:59:D6:BF
+ inet addr:192.168.1.133 Bcast:192.168.1.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:60084 errors:0 dropped:71 overruns:0 frame:0
+ TX packets:33232 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:45965805 TX bytes:4905457
+
+@end example
+
+Bring the desired network interface (wired or wireless) up, where
+@code{nwif} is the network interface name.
+
+@example
+ifconfig -v nwif up
+@end example
+
+For wireless connection, follow the wireless setup.
+
+@menu
+* Wireless Setup::
+@end menu
+
+@node Wireless Setup
+@subsubsection Wireless Setup
+
+Create a configuration file using text editor, where @code{fname} is any
+desired name for file.
+
+@example
+nano fname.conf
+@end example
+
+Choose, type and save ONE of the following snippets, where ‘net’ is
+the network name, ‘pass’ is the password or passphrase and ‘uid’ is
+the user identity.
+
+For most private networks:
+
+@example
+network=@{
+ ssid="net"
+ key_mgmt=WPA-PSK
+ psk="pass"
+@}
+@end example
+
+(or)
+
+For most public networks:
+
+@example
+network=@{
+ ssid="net"
+ key_mgmt=NONE
+@}
+@end example
+
+(or)
+
+For most organizational networks:
+
+@example
+network=@{
+ ssid="net"
+ scan_ssid=1
+ key_mgmt=WPA-EAP
+ identity="uid"
+ password="pass"
+ eap=PEAP
+ phase1="peaplabel=0"
+ phase2="auth=MSCHAPV2"
+@}
+@end example
+
+Connect to the configured network.
+
+@example
+wpa_supplicant -B -c fname.conf -i nwif
+@end example
+
+Assign an IP address to the network interface.
+
+@example
+dhclient -v nwif
+@end example
+
+Obtain the device letter @code{/dev/sdX} in which you would like to deploy
+and install Guix System, where “X” is the device letter.
+
+@example
+lsblk --list
+@end example
+
+@example
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 223.6G 0 disk
+sda1 8:1 0 2M 0 part
+sda2 8:2 0 3.7G 0 part
+sda3 8:3 0 219.9G 0 part /
+zram0 251:0 0 512M 0 disk [SWAP]
+@end example
+
+Wipe the device (Ignore if the device is new).
+
+@example
+shred --verbose --random-source=/dev/urandom /dev/sdX
+@end example
+
+Load the device-mapper module in the current kernel.
+
+@example
+modprobe --verbose dm_mod
+@end example
+
+Partition the device. Follow the prompts. Just do, GPT --> New -->
+Write --> Quit; defaults will be set.
+
+@example
+cfdisk /dev/sdX
+@end example
+
+Obtain the partition number from the device, where “Y” is the
+partition number.
+
+@example
+lsblk --list
+@end example
+
+Encrypt the partition. Follow the prompts.
+
+@example
+cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
+--verify-passphrase --use-random --key-size 512 --iter-time 500 \
+luksFormat /dev/sdXY
+@end example
+
+Obtain and note down the UUID of the LUKS partition.
+
+@example
+cryptsetup --verbose luksUUID /dev/sdXY
+@end example
+
+Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
+and @code{partname} is any desired name for the partition.
+
+@example
+cryptsetup --verbose
+luksOpen UUID=luks-uuid partname
+@end example
+
+Create a physical volume in the partition.
+
+@example
+pvcreate /dev/mapper/partname --verbose
+@end example
+
+Create a volume group in the physical volume, where @code{vgname} is any
+desired name for volume group.
+
+@example
+vgcreate vgname /dev/mapper/partname --verbose
+@end example
+
+Create logical volumes in the volume group; where "num" is the number
+for space in GB, and @code{lvnameroot} and @code{lvnamehome} are any
+desired names for root and home volumes respectively.
+
+@example
+lvcreate --extents 25%VG vgname --name lvnameroot --verbose
+lvcreate --extents 100%FREE vgname --name lvnamehome --verbose
+@end example
+
+Create filesystems on the logical-volumes, where @code{fsnameroot} and
+@code{fsnamehome} are any desired names for root and home filesystems
+respectively.
+
+@example
+mkfs.btrfs --metadata dup --label fsnameroot /dev/vgname/lvnameroot
+mkfs.btrfs --metadata dup --label fsnamehome /dev/vgname/lvnamehome
+@end example
+
+Mount the filesystems under the current system.
+
+@example
+mount --label fsnameroot --target /mnt --types btrfs --verbose
+mkdir --verbose /mnt/home && mount --label fsnamehome --target \
+/mnt/home --types btrfs --verbose
+@end example
+
+Create a swap file.
+
+@example
+dd bs=1MiB count=1GiB if=/dev/zero of=/mnt/swapfile status=progress
+mkswap --verbose /mnt/swapfile
+@end example
+
+Make the swap file readable and writable only by root account.
+
+@example
+chmod --verbose 600 /mnt/swapfile
+@end example
+
+Activate the swap file.
+
+@example
+swapon --verbose /mnt/swapfile
+@end example
+
+Install packages on the mounted root filesystem.
+
+@example
+herd start cow-store /mnt
+@end example
+
+Create the system-wide configuration files directory.
+
+@example
+mkdir --verbose /mnt/etc
+@end example
+
+Create, edit and save the system configuration file by typing the
+following code snippet. WATCH-OUT for variables in the code snippet
+and replace them with the relevant values.
+
+@example
+nano /mnt/etc/config.scm
+@end example
+
+The content of config.scm is:
+
+@lisp
+(use-modules
+ (gnu)
+ (gnu system nss))
+
+(use-package-modules
+ certs
+ gnome
+ linux)
+
+(use-service-modules
+ desktop
+ xorg)
+
+(operating-system
+ (kernel linux-libre-lts)
+ (kernel-arguments
+ (append
+ (list
+ ;; this is needed to flash the libreboot ROM. After, you
+ ;; have flashed your rom, it is a good idea to remove
+ ;; iomem=relaxed from your kernel arguments
+ "iomem=relaxed")
+ %default-kernel-arguments))
+
+ (timezone "Zone/SubZone")
+ (locale "ab_XY.1234")
+ (name-service-switch %mdns-host-lookup-nss)
+
+ (bootloader
+ (bootloader-configuration
+ (bootloader
+ (bootloader
+ (inherit grub-bootloader)
+ (installer #~(const #t))))
+ (keyboard-layout keyboard-layout)))
+
+ (keyboard-layout
+ (keyboard-layout
+ "xy"
+ "altgr-intl"))
+
+ (host-name "hostname")
+
+ (mapped-devices
+ (list
+ (mapped-device
+ (source
+ (uuid "LUKS-UUID"))
+ (target "partname")
+ (type luks-device-mapping))
+ (mapped-device
+ (source "vgname")
+ (targets
+ (list
+ "vgname-lvnameroot"
+ "vgname-lvnamehome"))
+ (type lvm-device-mapping))))
+
+ (file-systems
+ (append
+ (list
+ (file-system
+ (type "btrfs")
+ (mount-point "/")
+ (device "/dev/mapper/VGNAME-LVNAMEROOT")
+ (flags '(no-atime))
+ (options "space_cache=v2")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (type "btrfs")
+ (mount-point "/home")
+ (device "/dev/mapper/VGNAME-LVNAMEHOME")
+ (flags '(no-atime))
+ (options "space_cache=v2")
+ (dependencies mapped-devices)))
+ %base-file-systems))
+
+ (swap-devices
+ (list
+ "/swapfile"))
+
+ (users
+ (append
+ (list
+ (user-account
+ (name "USERNAME")
+ (comment "Full Name")
+ (group "users")
+ (supplementary-groups '("audio" "cdrom"
+ "kvm" "lp" "netdev"
+ "tape" "video"
+ "wheel"))))
+ %base-user-accounts))
+
+ (packages
+ (append
+ (list
+ nss-certs)
+ %base-packages))
+
+ (services
+ (append
+ (list
+ (service gnome-desktop-service-type))
+ %desktop-services)))
+@end lisp
+
+Initialize new Guix System.
+
+@example
+guix system init /mnt/etc/config.scm /mnt
+@end example
+
+Reboot the device.
+
+@example
+reboot
+@end example
+
+@node Tweaking Libreboot's Grub Payload
+@subsection Tweaking Libreboot's Grub Payload
+@cindex grub payload
+
+On reboot, as soon as the Libreboot graphic art appears, press “C” to
+enter the command-line.
+
+Enter the following commands and respond to first command with the LUKS
+Key.
+
+@example
+cryptomount -u luks-uuid
+set root=(lvm/vgname-lvnameroot)
+@end example
+
+Upon Guix's GRUB menu, go with the default option.
+
+Enter the LUKS Key again, for kernel, as prompted.
+
+Upon login screen, login as "root" with password field empty.
+
+Open terminal.
+
+Set passkey for the "root" user. Follow the prompts.
+
+@example
+passwd root
+@end example
+
+Set passkey for the "username" user. Follow the prompts.
+
+@example
+passwd username
+@end example
+
+Install flashrom and wget.
+
+@example
+guix package –-install flashrom wget
+@end example
+
+Obtain the ROM chip's model and size. Look for the output line “Found
+[@dots{}] flash chip [@dots{}]”.
+
+@example
+flashrom --verbose --programmer internal
+@end example
+
+Download Libreboot ROM and utilities, where "YYYYMMDD" is the release
+date, @code{devmod} is the device model and "N" is the ROM chip size.
+
+@example
+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/rom/grub/libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz
+wget --verbose https://rsync.libreboot.org/stable/YYYYMMDD/libreboot_rYYYYMMDD_util.tar.xz
+@end example
+
+Extract the downloaded files.
+@example
+tar --extract --file=libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz --verbose
+tar --extract --file=libreboot_rYYYYMMDD_util.tar.xz --verbose
+@end example
+
+Rename the directories of extracted files.
+
+@example
+mv --verbose "libreboot_rYYYYMMDD_grub_devmod_Nmb.tar.xz" "libreboot_rom"
+mv --verbose "libreboot_rYYYYMMDD_util" "libreboot_util"
+@end example
+
+Copy the ROM image to the directory of cbfstool, where "kbdlo" is the
+keyboard layout and "arch" is the system architecture.
+
+@example
+cp libreboot_rom/devmod_Nmb_kbdlo_vesafb.rom libreboot_util/cbfstool/arch/libreboot.rom
+@end example
+
+Change directory to the directory of cbfstool.
+@example
+cd libreboot_util/cbfstool/arch/
+@end example
+
+Extract the GRUB configuration file from the image.
+
+@example
+./cbfstool libreboot.rom extract -n grub.cfg -f grub.cfg
+@end example
+
+Edit the GRUB configuration file and insert the following code snippet
+above the line @code{“menuentry 'Load Operating System [o]' --hotkey='o'
+--unrestricted @{ [...] @}”}.
+
+@example
+nano grub.cfg
+@end example
+
+Snippet:
+@example
+menuentry ‘Guix System (An advanced distribution of the GNU operating system) [g]’ --hotkey=’g’ --unrestricted
+@{
+cryptomount -u luks-uuid
+set root=(lvm/vgname-lvnameroot)
+configfile /boot/grub/grub.cfg
+@}
+@end example
+
+Remove the old GRUB configuration file from the ROM image.
+
+@example
+./cbfstool libreboot.rom remove -n grub.cfg
+@end example
+
+Insert the new GRUB configuration file into the ROM image.
+
+@example
+./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
+@end example
+
+Move the ROM image to the directory of ich9gen.
+
+@example
+mv libreboot.rom ~/libreboot_util/ich9deblob/arch/libreboot.rom
+@end example
+
+Change directory to the directory of ich9gen.
+
+@example
+cd ~/libreboot_util/ich9deblob/arch/
+@end example
+
+Generate descriptor+GbE images with the MAC address, where "mac-addr"
+is the MAC address of the machine.
+
+@example
+ich9gen --macaddress mac-addr
+@end example
+
+Insert the descriptor+GbE image into the ROM image, where "N" is the
+ROM chip size.
+@example
+dd bs=12k conv=notrunc count=1 if=ich9fdgbe_Nm.bin of=libreboot.rom status=progress
+@end example
+
+Move the ROM image to the directory of flash.
+
+@example
+mv libreboot.rom ~/libreboot_util/libreboot.rom
+@end example
+
+Change directory to the directory of flash.
+
+@example
+cd ~/libreboot_util
+@end example
+
+Modify the shebang of flash script, from `#!/bin/bash` to `#!/bin/sh`.
+@example
+nano flash
+@end example
+
+Flash the ROM with the new image.
+@example
+./flash update libreboot.rom
+@end example
+
+(or)
+
+@example
+./flash forceupdate libreboot.rom
+@end example
+
+Reboot the device.
+@example
+reboot
+@end example
+
+@node Closing Thoughts
+@subsection Closing Thoughts
+
+Everything should be stream-lined from now. Upon Libreboot's GRUB
+menu, you can either press "G" or choose "Guix System (An advanced
+distribution of the GNU operating system) [g]".
+
+During the boot process, as prompted, you have to type LUKS key twice;
+once for Libreboot's GRUB and once more for Linux-Libre kernel.
+Retyping a passphrase is a minor annoyance, but it is a secure method of
+opening up your device. There are methods that exist to only type the
+passphrase once, but none are currently integrated into Guix System.
+
+Generally, you will be using Libreboot's initial/default grub.cfg,
+whose Guix menu-entry invokes Guix's grub.cfg located at
+@code{/boot/grub/}. For trouble-shooting, you can also use Libreboot's
+@code{grubtest.cfg}, which hasn't been modified.
+
+Now that you have a working Guix System with full disk encryption, you
+may want to remove the @code{iomem=relaxed} from your
+@code{kernel-arguments}. @code{iomem=relaxed} is needed to reflash your
+rom. Since, most users will probably not flash their rom often, those
+users may wish to disable that feature:
+
+@lisp
+ ;; optionally remove this bit of code from your config.scm
+ (kernel-arguments
+ (append
+ (list
+ ;; this is needed to flash the libreboot ROM. After, you
+ ;; have flashed your rom, it is a good idea to remove
+ ;; iomem=relaxed from your kernel arguments
+ "iomem=relaxed")
+ %default-kernel-arguments))
+@end lisp
+
+That is it! You have now setup Guix System with Full Disk Encryption on
+your device powered by Libreboot. Enjoy!
+
+More information about Libreboot can be found at their official
+documentation: @uref{https://libreboot.org/docs/}.
+
+@node Special Thanks
+@subsection Special Thanks
+
+Thanks to Guix developer, Clement Lassieur (clement@@lassieur.org),
+for helping me with the Scheme code for the bootloader configuration.
+
+Thanks to Libreboot founder and developer, Leah Rowe
+(leah@@libreboot.org), for helping me with the understanding of
+Libreboot’s functionalities.
+
@node Customizing a Window Manager
@section Customizing a Window Manager
@cindex wm
--
2.32.0
Joshua Branson <jbranso@HIDDEN>:guix-patches@HIDDEN.
Full text available.guix-patches@HIDDEN:bug#49654; Package guix-patches.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.