Libreboot uses the GRUB payload by default, which means that the GRUB configuration file (where your GRUB menu comes from) is stored directly alongside libreboot and it's GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems.

On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the machine.

This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer.

Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols).

when the installer asks you to setup encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. Choose 'no'.

Your user password should be different than the LUKS password which you will set later on. Your LUKS password should, like the user password, be secure.

Partitioning

Choose 'Manual' partitioning:

• Select drive and create new partition table
• Single large partition. The following are mostly defaults:
  • Use as: physical volume for encryption
  • Encryption: aes
  • key size: 256
  • IV algorithm: xts-plain64
  • Encryption key: passphrase
  • erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)
• Select 'configure encrypted volumes'
  • Create encrypted volumes
  • Select your partition
  • Finish
  • Really erase: Yes
  • (erase will take a long time. be patient)
  • (if your old system was encrypted, just let this run for about a minute to make sure that the LUKS header is wiped out)
• Select encrypted space:
  • use as: physical volume for LVM
  • Choose 'done setting up the partition'
• Configure the logical volume manager:
  • Keep settings: Yes
• Create volume group:
  • Name: grubcrypt (you can use whatever you want here, this is just an example)
  • Select crypto partition
• Create logical volume
  • select grubcrypt (or whatever you named it before)
  • name: trisquel (you can use whatever you want here, this is just an example)
  • size: default, minus 2048 MB
• Create logical volume
  • select grubcrypt (or whatever you named it before)
  • name: swap (you can use whatever you want here, this is just an example)
  • size: press enter

Further partitioning

Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.

• LVM LV trisquel
  • use as: ext4
  • mount point: /
  • done setting up partition
• LVM LV swap
  • use as: swap area
  • done setting up partition
• Now you select 'Finished partitioning and write changes to disk'.

Kernel

Installation will ask what kernel you want to use. linux-generic is fine.

Tasksel

Choose "Trisquel Desktop Environment" if you want GNOME, "Trisquel-mini Desktop Environment" if you want LXDE or "Triskel Desktop Environment" if you want KDE. If you want to have no desktop (just a basic shell) when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). You might also want to choose some of the other package groups; it's up to you.

Postfix configuration

If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.)

Install the GRUB boot loader to the master boot record

Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. You could also choose 'No'. Choice is irrelevant here.

You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.

Clock UTC

Just say 'Yes'.

Booting your system

At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.

Do that:
grub> cryptomount -a (ahci0,msdos1)
grub> set root='lvm/grubcrypt-trisquel'
grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
grub> initrd /initrd.img
grub> boot

ecryptfs

If you didn't encrypted your home directory, then you can safely ignore this section.

Immediately after logging in, do that:
$ sudo ecryptfs-unwrap-passphrase

This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>

Modify grub.cfg (CBFS)

Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.

Modify your grub.cfg (in the firmware) using this tutorial; just change the default menu entry 'Load Operating System' to say this inside:

cryptomount -a (ahci0,msdos1)
set root='lvm/grubcrypt-trisquel'
linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
initrd /initrd.img

Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.

The GRUB utility can be used like so:
$ grub-mkpasswd-pbkdf2

Give it a password (remember, it has to be secure) and it'll output something like:
grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711

Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
		

Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!

After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM using this tutorial.

Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. A copy of the license can be found at ../license.txt.

This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.