-
-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Full encrypted disk support on coreboot/libreboot BIOS machines #2118
Comments
Anyone could improve Fonctional patchwork was provided here against Qubes 3.1 so that it could be merged to 3.2 torward fedora-23 ? |
Yes, I have it already in my local testing repo. There were some modifications needed, for example add |
Dare to branch it online and give me an url so i can build qubes-installer from it and rebuild iso from it? I would be happy to test and report. Thanks, @marmarek . |
With grub payload it is possible to have all the partitions encrypted. Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
@tlaurion sure, r32-coreboot branch in https://github.com/marmarek/qubes-installer-qubes-os. |
Just verified it doesn't break non-coreboot installation. |
I get "/boot file system cannot be on encrypted block device" Which could be triggered from stage or stage2. |
Check which bootloader class is used on coreboot system. I've assumed it is GRUB2 (which is default for x86 in non-EFI mode). |
That's the problem, if I understand well (quick test this morning). The GRUB2 bootloader won't be visible from anaconda perspective, since it is in the firmware and non-accessible from the installer. We need to assume it is there and deploy grub2 files, but without actually installing a bootloader ourselves. But yes, it is GRUB2, and would require GRUB2 second payload from coreboot if bootloader was Seabios or any other. Can you pinpoint where that bootloader assumption was made (which is different to my approach?) |
It doesn't matter, since the patch set
It's at the end of bootloader.py: https://github.com/marmarek/qubes-installer-qubes-os/blob/cb1dda1897b49d311f05c762d28888bd6506c935/anaconda/pyanaconda/bootloader.py#L2386-L2397 If coreboot system could be detected as separate platform, that would be even better - it would allow plugging some minimal class with no requirements on partition layout at all. Or with requirements specific to grub2 bundled with coreboot. |
It still currently complains about partition scheme even though "skip_booloader = True" is explicited, which is why i'm asking :) I will try to check differences betweenpatches tonight, but if you have any other insight about why current r32-coreboot branch says "/boot file system cannot be on encrypted block device", please advise. I am not aware of any other coreboot platform differences. |
The |
Hmmm.
It seems that this complete block is never executed. Any idea why? Some additional information:
Thanks @marmarek . |
Maybe there are some non-printable characters? Check |
string ends by 0a which is line feed and checked against: That worked in precedent patchwork. Any other hint? |
No, it ends with "0d 0a", which is windows EOL... |
Oupsi. Ok I read the doc, and normally those characters are ignored by python so I will ignore them myself (newline and carriage return), as per your prior recommendation. I'm mesmerized that that part worked in the patch provided before but wouldn't now, but will try still. FYI: Here is an example of full dmidecode output on a coreboot system. |
Double verified: I modified bootloader.py to check only for "coreboot" with same result: there is no "dmidecode -s bios-vendor returns coreboot" in /tmp/* Any other insight? |
Add logging of dmidecode output regardless of the match (i.e. save it Best Regards, |
To speedup debugging, you can edit bootloader.py in the running installer, then start anaconda again (just launch it from console). It may require killing already running instance. |
The problem seems to be linked to python 3 dealing with output differently the 2.7. To fix output validation, following block:
needs to become:
I'm installing right now on a x200 with libreboot flashed on. Sorry for the ping pong game again, learning my way into python, which is pretty neat. Thanks, @marmarek |
Automated announcement from builder-github The package
|
Automated announcement from builder-github The package
Or update dom0 via Qubes Manager. |
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
With grub payload it is possible to have all the partitions encrypted. Based on patch by @tlaurion Fixes QubesOS/qubes-issues#2118
Qubes OS version (e.g.,
R3.1
):R3.0, R3.1
Affected TemplateVMs (e.g.,
fedora-23
, if applicable):qubes-installer iso
Expected behavior:
Partition type requirements should be loosened up on systems having coreboot/libreboot bios replacement, since that bios can open luks container itself and load initrd and kernel inside, permitting full disk encryption.
Fonctional patchwork was provided here against Qubes 3.1
Passphrase will be asked twice. Once by coreboot/libreboot, and a second time when booting the kernel until a keyfile is introduced in the initrd like here
Actual behavior:
The installer requires /boot to be unencrypted even though coreboot/libreboot bios replacement is present.
Steps to reproduce the behavior:
1-Boot from Qubes 3.1 without provided patch
2-Create a shell script with the following content and execute it consciously from shell:
2-Continue installation on the previously created luks container. It will fail saying its impossible on an encrypted disk. On a libreboot/coreboot bios replaced machine booting a iso created with the provided patch, the Installer would continue, permitting full encrypted disk support.
General notes:
Related issues:
If your coreboot/libreboot laptop can't boot from usb drive/dvd drive, add seabios to your coreboot/libreboot bios replacement image with the following script and reflash.
Add seabios to libreboot images
The text was updated successfully, but these errors were encountered: