| Both sides previous revisionPrevious revision | |
| hardware:purism-librem14:gentoo-luks-lvm-librem-key [2024-04-04 02:11] – reorder major steps before filling in details zlg | hardware:purism-librem14:gentoo-luks-lvm-librem-key [2024-04-12 08:44] (current) – [Anatomy of the Librem 14's Boot] correct info based on chat on Purism's forum zlg |
|---|
| ===== Anatomy of the Librem 14's Boot ===== | ===== Anatomy of the Librem 14's Boot ===== |
| |
| The Librem 14 runs a fork of coreboot called **PureBoot**, which acts as a firmware loader for the laptop. This fork is designed to integrate **Heads**, a firmware solution for more secure booting on laptops and servers. Heads can optionally check for the **Librem Key** for tamper-evident boot, and it can even be used to decrypt your storage after a successful boot, so that a physical device unlocks your computer entirely. That is one of the goals of this guide; notes will be included where the reader can diverge between setting a password, using just the key, or supporting both options where possible. Once Heads verifies the Librem Key, it begins the proper boot process. | The Librem 14 runs a system of early boot technologies in concert, together called //PureBoot//. It consists of ''coreboot'', a PGP-compatible smartcard (a Librem Key, in this case), ''gnupg'', and clever use of the TPM (Trusted Platform Module) to detect if your ''/boot'' storage has been tampered with. |
| | |
| | Coreboot acts as a firmware loader for the laptop. It loads a firmware called Heads, which is a tiny Linux system that fits in embedded chip storage. It can optionally check for the **Librem Key** for tamper-evident boot. With an ''initramfs'', one can leverage the Librem Key to manage their storage decryption, ensuring that nobody boots the OS without having the Librem Key. That is one of the goals of this guide; notes will be included where the reader can diverge between setting a password, using just the key, or supporting both options where possible. Once Heads verifies the Librem Key, it begins the proper boot process. Note that **Heads will never stop you from booting; it will only let you know what, if anything, has happened to your /boot storage and TPM.** |
| |
| So in short, the chain is as such: | So in short, the chain is as such: |
| |
| - PureBoot | * Coreboot starts, runs Heads |
| - Heads | * Heads loads |
| - Librem Key Verification | * Librem Key ''/boot'' Verification |
| - GRUB config is read | * GRUB config is read |
| - Heads opens LUKS and prepares LVM for boot | * Heads runs the initramfs |
| - Linux kernel starts via ''kexec'' | * LUKS volume is opened with Librem Key |
| - ''<insert Gentoo|KISS|LFS|whatever here>'' | * LVM reads the now unlocked volume group |
| | * ''/root'' is found, Linux kernel starts via ''kexec'' |
| | * The OS begins here |
| |
| Simple, right? LOL | Simple, right? LOL |
| |
| ===== Download Gentoo Live ISO, ''dd'' it to a flash drive ===== | ===== Download Gentoo Live ISO, ''dd'' it to a flash drive ===== |
| |
