Librem 14 with Gentoo, LUKS, LVM, Librem Key
This guide is designed to get you to a PureBoot-enabled, Librem Key-supporting Gentoo installation with LUKS to protect your data and LVM to make OS migration easy, should you ever want to do it again. This makes it a wonderful option for a secure developer workstation segregating the $HOME directory from the rest of the system, or any other setups you may want in your volume group.
THIS PAGE IS A WORK IN PROGRESS. THERE IS NO GUARANTEE THAT ANYTHING HERE WILL WORK, BUT IN GENERAL I HAVE TESTED IT ON MY OWN SETUP AND VERIFIED IT TO WORK BEFORE PUBLISHING IT HERE. IF ANYTHING YOU TRY HERE BREAKS YOUR SYSTEM, YOU GET TO KEEP THE PIECES. I DON'T DO FREE TECH SUPPORT. YOU HAVE BEEN WARNED.
Supporting Links and Documentation
Despite this process being meant to install Gentoo (or frankly, anything else that will fit into the resulting LUKS+LVM setup), Purism still designed the hardware and continues to support it with firmware and kernel configuration updates. Their repositories and other useful Purism links can be found here, to assist with any questions regarding their technology choices and the ways you can use the Librem Key, etc. These are extremely useful if you intend to mess with PureBoot, Heads, your Librem Key, or anything else that happens before the kernel boots.
It's a good idea to keep a few of these tabs handy as you continue through this guide, because I won't be copying all steps verbatim. I will supply lines for all actions taken on the device, however. Some experience with GNU/Linux is expected from the reader, but anyone with research skills and the ability to read a manual can get by.
Anatomy of the Librem 14's Boot
The Librem 14 runs a system of early boot technologies in concert, together called PureBoot. It consists of coreboot, a PGP-compatible smartcard (a Librem Key, in this case), gnupg, and clever use of the TPM (Trusted Platform Module) to detect if your /boot storage has been tampered with.
Coreboot acts as a firmware loader for the laptop. It loads a firmware called Heads, which is a tiny Linux system that fits in the embedded chip storage. It can optionally check for the Librem Key for tamper-evident boot. With an initramfs, one can leverage the Librem Key to manage storage decryption, ensuring that nobody boots the OS without having the Librem Key. That is one of the goals of this guide; notes will be included where the reader can diverge between setting a password, using just the key, or supporting both options where possible. Once Heads verifies the Librem Key, it begins the proper boot process. Note that Heads will never stop you from booting; it will only let you know what, if anything, has happened to your /boot storage and TPM.
So in short, the chain is as such:
- Coreboot starts, runs Heads
- Heads loads
- Librem Key /boot verification - GRUB config is read
- Heads runs the initramfs
- LUKS volume is opened with Librem Key
- LVM reads the now unlocked volume group
- /root is found, Linux kernel starts via kexec
- The OS begins here
Simple, right?
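To make the "has /boot been tampered with" step concrete, here is an added example that is not Heads' own code and not part of this guide's original text. It models the check Heads performs in a simplified way: hash every file under /boot, keep the list, and re-hash at boot to compare. The real Heads signs that hash list with the key on the Librem Key (so the manifest itself cannot be quietly replaced) and ties the result to the TPM; this sandbox version leaves out the signature and the TPM, works in a temporary directory instead of /boot, and uses constructed stand-in files, so it only demonstrates the detection logic, not the trust anchor.

```shell
#!/bin/sh
# Added example: a simplified, offline model of the tamper-evident /boot check.
# Not Heads code. In Heads the manifest is GPG-signed with the Librem Key and the
# measurement is recorded in the TPM; here the manifest is an unsigned file, so
# this shows only how a changed file is detected, not why the manifest is trusted.

set -eu

# Create a constructed stand-in for /boot with a fake kernel image and GRUB config.
make_fake_boot() {
    dir=$(mktemp -d)
    printf 'fake kernel image\n' > "$dir/vmlinuz"
    printf 'set default=0\nlinux /vmlinuz root=/dev/mapper/vg-root\n' > "$dir/grub.cfg"
    echo "$dir"
}

# Record the current sha256 of every regular file under the directory.
# The redirection creates manifest.sha256 first, so it is excluded from its own list.
write_manifest() {
    bootdir=$1
    ( cd "$bootdir" && find . -type f ! -name manifest.sha256 | sort | xargs sha256sum ) \
        > "$bootdir/manifest.sha256"
}

# Re-hash and compare against the manifest.
# Exit status 0: every file matches. Non-zero: a file changed or is missing,
# the equivalent of Heads reporting that /boot no longer matches its signed state.
verify_boot() {
    bootdir=$1
    ( cd "$bootdir" && sha256sum -c manifest.sha256 ) >/dev/null 2>&1
}

# Demo: a clean check passes, then an altered kernel image is detected.
boot=$(make_fake_boot)
write_manifest "$boot"
if verify_boot "$boot"; then
    echo "/boot verified: all files match the manifest"
fi
printf 'x' >> "$boot/vmlinuz"   # simulate a modified kernel image
if ! verify_boot "$boot"; then
    echo "/boot tampered: vmlinuz no longer matches the manifest"
fi
rm -rf "$boot"
```

Only `find`, `sort`, `xargs` and `sha256sum` are needed, so this runs on a GNU or BusyBox userland. The point to take away is that the check is only as strong as the manifest's provenance: without the Librem Key signature that Heads adds, anyone who can edit /boot can also rewrite manifest.sha256.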