Librem 14 with Gentoo, LUKS, LVM, Librem Key

This guide is designed to get you to a PureBoot-enabled, Librem Key-supporting Gentoo installation with LUKS to protect your data and LVM to make OS migration easy, should you ever want to do it again. This makes it a wonderful option for a secure developer workstation segregating the $HOME directory from the rest of the system, or any other setups you may want in your volume group.

THIS PAGE IS A WORK IN PROGRESS. THERE IS NO GUARANTEE THAT ANYTHING HERE WILL WORK, BUT IN GENERAL I HAVE TESTED IT ON MY OWN SETUP AND VERIFIED IT TO WORK BEFORE PUBLISHING IT HERE. IF ANYTHING YOU TRY HERE BREAKS YOUR SYSTEM, YOU GET TO KEEP THE PIECES. I DON'T DO FREE TECH SUPPORT. YOU HAVE BEEN WARNED.

Despite this process being meant to install Gentoo (or frankly, anything else that will fit into the resulting LUKS+LVM setup), Purism still designed the hardware and continues to support it with firmware and kernel configuration updates. These repositories and other useful Purism links can be found here, to assist with any questions regarding their tech choices and the ways you can use the Librem Key, etc. They are extremely useful if you intend to mess with PureBoot, Heads, your Librem Key, or anything else that happens before the kernel boots.

It's a good idea to keep a few of these tabs handy as you continue through this guide, because I won't be copying all steps verbatim. I will supply lines for all actions taken on the device, however. Some experience with GNU/Linux is expected from the reader, but anyone with research skills and the ability to read a manual can get by.

Anatomy of the Librem 14's Boot

The Librem 14 runs a system of early boot technologies in concert, together called PureBoot. It consists of coreboot, a PGP-compatible smartcard (a Librem Key, in this case), gnupg, and clever use of the TPM (Trusted Platform Module) to detect if your /boot storage has been tampered with.

Coreboot acts as a firmware loader for the laptop. It loads a firmware called Heads, which is a tiny Linux system that fits in the embedded flash chip. Heads can optionally use the Librem Key to provide tamper-evident boot. With an initramfs, one can also use the Librem Key to unlock the encrypted storage, ensuring that nobody boots the OS without having the Librem Key. That is one of the goals of this guide; notes will be included where the reader can diverge between setting a password, using just the key, or supporting both options where possible. Once Heads verifies the Librem Key, it begins the proper boot process. Note that Heads is tamper-evident, not tamper-proof: it will never stop you from booting; it will only let you know what, if anything, has happened to your /boot storage and TPM.

So in short, the chain is as such:

Simple, right? LOL

Download Gentoo Live ISO, ''dd'' it to a flash drive

Use recovery shell inside Heads to mount and boot Live image correctly

Prepare storage for encryption

Generate (or prepare) a GnuPG key for the Librem Key

Wipe storage and encrypt with new key

Unlock storage and install LVM

Prepare LVM volumes and filesystems

Download and extract stage3

Follow Gentoo Handbook up until kernel/bootloader time

Fetch Purism's kernel configs, build new kernel

Build new initrd or configure Heads to support LUKS, LVM, and Librem Key

Factory Reset Heads and associate with Librem Key

Pull it all together, and pray