hardware:purism-librem14:gentoo-luks-lvm-librem-key [2024-04-02 09:23] – created zlg
hardware:purism-librem14:gentoo-luks-lvm-librem-key [2024-04-12 08:44] (current) – [Anatomy of the Librem 14's Boot] correct info based on chat on Purism's forum zlg

====== Librem 14 with Gentoo, LUKS, LVM, Librem Key ======
  
This guide is designed to get you to a PureBoot-enabled, Librem Key-supporting Gentoo installation with LUKS to protect your data and LVM to make OS migration easy, should you ever want to do it again. This makes it a wonderful option for a secure developer workstation segregating the ''$HOME'' directory from the rest of the system, or any other setups you may want in your volume group.
  
**THIS PAGE IS A WORK IN PROGRESS. THERE IS NO GUARANTEE THAT ANYTHING HERE WILL WORK, BUT IN GENERAL I HAVE TESTED IT ON MY OWN SETUP AND VERIFIED IT TO WORK BEFORE PUBLISHING IT HERE. IF ANYTHING YOU TRY HERE BREAKS YOUR SYSTEM, YOU GET TO KEEP THE PIECES. I DON'T DO FREE TECH SUPPORT. YOU HAVE BEEN WARNED.**

===== Supporting Links and Documentation =====

Despite this process being meant to install Gentoo (or frankly, anything else that'll fit into the resulting LUKS+LVM setup), Purism still designed the hardware and continues to support it with firmware and kernel configuration updates. These repositories and other useful Purism links can be found here, to assist with any questions regarding their tech choices and the ways you can use the Librem Key, etc. They are extremely useful if you intend to mess with PureBoot, Heads, your Librem Key, or anything else that happens before the kernel boots.

It's a good idea to keep a few of these tabs handy as you continue through this guide, because I won't be copying //all// steps verbatim. I //will// supply lines for all actions taken on the device, however. Some experience with GNU/Linux is expected from the reader, but anyone with research skills and the ability to read a manual can get by.

  * [[https://puri.sm/products/librem-14/|Librem 14 Homepage]]
  * [[https://docs.puri.sm/PureBoot.html|PureBoot Docs]]
  * [[https://trmm.net/Heads/|Heads Homepage]]
  * [[https://github.com/linuxboot/heads|Heads Repository]]

===== Anatomy of the Librem 14's Boot =====

The Librem 14 runs a system of early boot technologies in concert, together called //PureBoot//. It consists of ''coreboot'', a PGP-compatible smartcard (a Librem Key, in this case), ''gnupg'', and clever use of the TPM (Trusted Platform Module) to detect if your ''/boot'' storage has been tampered with.

Coreboot acts as a firmware loader for the laptop. It loads a firmware called Heads, which is a tiny Linux system that fits in embedded chip storage. It can optionally check for the **Librem Key** for tamper-evident boot. With an ''initramfs'', one can leverage the Librem Key to manage their storage decryption, ensuring that nobody boots the OS without having the Librem Key. That is one of the goals of this guide; notes will be included where the reader can diverge between setting a password, using just the key, or supporting both options where possible. Once Heads verifies the Librem Key, it begins the proper boot process. Note that **Heads will never stop you from booting; it will only let you know what, if anything, has happened to your /boot storage and TPM.**

So in short, the chain is as such:

  * Coreboot starts, runs Heads
    * Heads loads
      * Librem Key ''/boot'' Verification
      * GRUB config is read
      * Heads runs the initramfs
        * LUKS volume is opened with Librem Key
        * LVM reads the now unlocked volume group
        * ''/root'' is found, Linux kernel starts via ''kexec''
          * The OS begins here

Simple, right? LOL
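As an added check (not part of this page or of Purism's tooling), the following POSIX shell script verifies on a booted system that the storage stack matches what this guide builds: ''/'' on an LVM logical volume that sits on a LUKS crypt device, and ''/boot'' on a plain partition that Heads can read and verify before anything is unlocked. The ''lsblk'' output, device names (''nvme0n1'', ''cryptroot'', ''vg0'') and mountpoints are constructed sample data; on the real machine feed it the live ''lsblk -P'' output as shown in the last comment.

```shell
#!/bin/sh
# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` for the layout
# this guide ends with: plain /boot (verified by Heads), LUKS partition -> LVM VG -> root LV.
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg0-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptroot"'

# stack_for MOUNTPOINT LSBLK_TEXT: print the TYPE chain from the device mounted at
# MOUNTPOINT up to the disk, e.g. "lvm crypt part disk"; fail if nothing is mounted there.
stack_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
    {
        name = ""; type = ""; mp = ""; pk = ""
        for (i = 1; i <= NF; i++) {            # parse KEY="value" pairs
            split($i, kv, "="); v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "NAME") name = v
            else if (kv[1] == "TYPE") type = v
            else if (kv[1] == "MOUNTPOINT") mp = v
            else if (kv[1] == "PKNAME") pk = v
        }
        type_of[name] = type; parent[name] = pk
        if (mp == want) start = name
    }
    END {
        if (start == "") exit 1
        for (n = start; n != ""; n = parent[n])   # walk PKNAME links upward
            chain = chain (chain == "" ? "" : " ") type_of[n]
        print chain
    }'
}

# check_root_stack LSBLK_TEXT: 0 only if / is an LVM volume on a LUKS crypt device,
# i.e. the "LUKS opened -> LVM reads the VG -> root found" steps of the chain above.
check_root_stack() {
    chain=$(stack_for / "$1") || return 1
    case "$chain" in "lvm crypt "*) return 0 ;; *) return 1 ;; esac
}

# check_boot_plain LSBLK_TEXT: 0 only if /boot is not under a crypt device, since Heads
# must read and verify the kernel and GRUB config there before any LUKS volume is open.
check_boot_plain() {
    chain=$(stack_for /boot "$1") || return 1
    case "$chain" in *crypt*) return 1 ;; *) return 0 ;; esac
}

# On the real machine: check_root_stack "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME)"
check_root_stack "$SAMPLE_LSBLK" && check_boot_plain "$SAMPLE_LSBLK" && echo "layout matches guide"
```

The script only inspects the block device stack; it does not tell you whether the LUKS keyslot is bound to the Librem Key, which is a separate check against the LUKS header.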

===== Download Gentoo Live ISO, ''dd'' it to a flash drive =====

===== Use recovery shell inside Heads to mount and boot Live image correctly =====

===== Prepare storage for encryption =====

===== Generate (or prepare) a GnuPG key for the Librem Key =====

===== Wipe storage and encrypt with new key =====

===== Unlock storage and install LVM =====

===== Prepare LVM volumes and filesystems =====

===== Download and extract stage3 =====

===== Follow Gentoo Handbook up until kernel/bootloader time =====

===== Fetch Purism's kernel configs, build new kernel =====

===== Build new initrd or configure Heads to support LUKS, LVM, and Librem Key =====

===== Factory Reset Heads and associate with Librem Key =====

===== Pull it all together, and pray =====

hardware/purism-librem14/gentoo-luks-lvm-librem-key.1712049820.txt.gz · Last modified: 2024-04-02 09:23 by zlg