g/thinkpad-coreboot-qubes
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
master
thinkpad-coreboot-qubes/README.md
Giulio 0c06f8bc56 Note addition
2018-03-28 18:15:20 +02:00

545 lines
17 KiB
Markdown
Raw Permalink Blame History

*Disclaimer*:
This is not an easy: mistakes can lead to data loss or bricking of the laptop. Only execute command that you are able to understand.
*Note*: This guide suggest installing Qubes before flashing coreboot. If you already have coreboot refer to this instead http://dodoid.net/qubreboot/
# Qubes+Coreboot on Thinkpad X220
## Prerequisites
* Thinkpad x220 (other models supported by coreboot may apply)
* Pomona 5250 + RaspberryPI/BeagleBone black for hardware flashing
## Advantages:
* Encrypted /boot
* Less proprietary components in bios
* Neutralized Intel ME
* Evil Maid Attacks requires hardware flashing/partial disassembly
## Disadvantages:
* TPM can't work without the Intel ME
* Not all RAM sticks works
* Different (probably worse) fan control
* Microcode updates probably working but not yet tested
Final qubes-hcl-report
```
Qubes release 4.0 (R4.0)
Brand: LENOVO
Model: 429136G
BIOS: CBET4000 4.7-577-gd18f42ab6f
Xen: 4.8.3
Kernel: 4.14.18-1
RAM: 12208 Mb
CPU:
Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
Chipset:
Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0104] (rev 09)
VGA:
Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0106] (rev 09) (prog-if 00 [VGA controller])
Net:
Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 05)
Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)
SCSI:
Crucial_CT240M50 Rev: MU03
HVM: Active
I/O MMU: Active
HAP/SLAT: Yes
TPM: Device present
Remapping: Yes
```
# Procedure
## Install Qubes
Do a simple Qubes 4 LUKS+LVM installation by just following the graphical installer.
## Coreboot prerequisites
Clone the base Qubes debian8/9 template and install the following packages:
```
sudo apt-get install git wget build-essential gnat flex bison libncurses5-dev zlib1g-dev libfreetype6-dev unifont python3
sudo apt-get build-dep grub
```
If required enable the necessary source repository.
Create an AppVM based on the template and start a terminal in it.
```
mkdir ~/Build
cd ~/Build
git clone https://notabug.org/Velsoth/x220-coreboot.git
cd x220-coreboot/
./cb-helper download_code
./cb-helper build_utils
```
## Get the original bios binary
If you are able to extract it from the executable distributed by Lenovo it should be good. Do not get it from some random forum or website.
If you can't the best way is to read it directly from the flash using the Raspberry and the clip.
```
______
1--| O |--8
2--| |--7
3--| |--6
4--|______|--5
```
Remeber to research your chip model and manufacturer (in this guide a Macronix MX25L6405) and double check the pin layout using the official datasheet.
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Flash pin number |
|----|----|-----|-----|----|-----|-------|-----|------------------|
| CS | DO | /WP | GND | DI | CLK | /HOLD | VCC | Pin name |
| 24 | 21 | GND | 25 | 19 | 23 | GND | 17 | Rpi GPIO number |
Please refer to the multiple flashing guides available
* https://www.flashrom.org/RaspberryPi
* https://libreboot.org/docs/install/rpi_setup.html
* https://karlcordes.com/coreboot-x220/
* https://tylercipriani.com/blog/2016/11/13/coreboot-on-the-thinkpad-x220-with-a-raspberry-pi/
* https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi
From a root prompt on the Rpi
```
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios1.bin
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios2.bin
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios3.bin
sha1sum bios*.bin
```
Check that all the checksums do match. In case they don't there's probably something wrong in the clip position or in the wiring. Remember that no pin should left floating even if it's not useful for the operation. /WP and /HOLD should be always connected to something like GND.
## Continue with coreboot build
Now reassemble the x220, boot Qubes and copy bios1.bin from the RaspberryPi to the AppVM created before in `~/Build/x220-coreboot/binaries/bios.bin`.
Open again a terminal in the AppVM:
```
cd ~/Build/x220-coreboot/
./cb-helper split_bios
./cb-helper neuter_me
./cb-helper pre_build_coreboot
```
Now the `cb-helper` script is prepared to build coreboot with SeaBIOS as primary payload and Grub2 as a secondary payload. In this specific guide we do not use SeaBIOS and directly use Grub2 as a primary payload.
This is an advantage for some reasons:
* Faster boot
* Less code running
And a disadvantage for some others:
* No BIOS like configuration available
* Probable problems with other operating systems
* Missing utilities like nvramcui
Now edit grub.cfg
`~/Build/x220/coreboot/config/grub.cfg`
Replace at the beginning of the file
```
set prefix=(memdisk)/boot/grub
insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod part_msdos
insmod ext2
insmod lvm
insmod gcry_rijndael
insmod gcry_sha256
insmod luks
insmod cryptodisk
# insmod usbserial_pl2303
# insmod usbserial_ftdi
# insmod usbserial_usbdebug
insmod gfxmenu
insmod gfxterm_menu
insmod gfxterm_background
insmod chain
insmod jpeg
# Serial and keyboard configuration, very important.
# serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
# terminal_input --append serial
# terminal_output --append serial
terminal_input --append at_keyboard
terminal_output --append cbmemc
gfxpayload=keep
terminal_output --append gfxterm
set menu_color_normal=white/black
set menu_color_highlight=white/cyan
# Default to first option, automatically boot after 1 second
set default="0>0"
set timeout=1
# This is useful when using 'cat' on long files on GRUB terminal
set pager=1
# Set a background image from CBFS
background_image (cbfsdisk)/background.jpg
# Set DejaVu Sans Mono as the default font
loadfont (cbfsdisk)/dejavusansmono.pf2
# Default keymap
keymap usqwerty
```
And add the following menuentry:
** THIS IS AN EXAMPLE YOU SHOULD GET IT FROM YOUR ORIGINAL grub.cfg WITH YOUR DISK UUID AND KERNEL VERSIONS **
```
menuentry 'Qubes, with Xen hypervisor FDE' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
cryptomount -a
set root='lvm/qubes_dom0-boot'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 55e7e06a-cad4-4a8d-ba89-9205493e87d7
else
search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
fi
echo 'Loading Xen 4.8.3 ...'
if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
xen_rm_opts=
else
xen_rm_opts="no-real-mode edd=off"
fi
multiboot /xen-4.8.3.gz placeholder console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
echo 'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
module /vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb
echo 'Loading initial ramdisk ...'
module --nounzip /initramfs-4.14.18-1.pvops.qubes.x86_64.img
}
```
The only difference with the original is the addition of
* cryptomount -a
* set root='lvm/qubes_dom0-boot'
The below example of .config should work without any modification given that the steps above have been done correctly, however some configurations depends on personal needs and should be changed. Refer to the coreboot wiki for more information https://www.coreboot.org/Coreboot_Options
`~/Build/x220-coreboot/coreboot/.config`
```
CONFIG_COREBOOT_BUILD=y
CONFIG_LOCALVERSION=""
CONFIG_CBFS_PREFIX="fallback"
CONFIG_COMPILER_GCC=y
CONFIG_COMPRESS_RAMSTAGE=y
CONFIG_INCLUDE_CONFIG_FILE=y
CONFIG_USE_BLOBS=y
CONFIG_RELOCATABLE_RAMSTAGE=y
CONFIG_VENDOR_LENOVO=y
CONFIG_BOARD_SPECIFIC_OPTIONS=y
CONFIG_MAINBOARD_DIR="lenovo/x220"
CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X220"
CONFIG_MAINBOARD_VENDOR="LENOVO"
CONFIG_MAX_CPUS=8
CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
CONFIG_CBFS_SIZE=0x200000
CONFIG_VGA_BIOS_ID="8086,0126"
CONFIG_DIMM_SPD_SIZE=256
CONFIG_DCACHE_RAM_BASE=0xfefe0000
CONFIG_DCACHE_RAM_SIZE=0x20000
CONFIG_VGA_BIOS_FILE="pci8086,0126.rom"
CONFIG_MAINBOARD_PCI_SUBSYSTEM_VENDOR_ID=0x17aa
CONFIG_MAINBOARD_PCI_SUBSYSTEM_DEVICE_ID=0x21db
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_DRAM_RESET_GATE_GPIO=10
CONFIG_DEVICETREE="devicetree.cb"
CONFIG_MAX_REBOOT_CNT=3
CONFIG_HAVE_GBE_BIN=y
CONFIG_USBDEBUG_HCD_INDEX=2
CONFIG_MMCONF_BASE_ADDRESS=0xf0000000
CONFIG_TPM_PIRQ=0x0
CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
CONFIG_FMDFILE=""
CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00
CONFIG_IFD_BIN_PATH="../binaries/descriptor.bin"
CONFIG_ME_BIN_PATH="../binaries/me_neutered.bin"
CONFIG_BOARD_LENOVO_X220=y
CONFIG_CPU_ADDR_BITS=36
CONFIG_DEFAULT_CONSOLE_LOGLEVEL=8
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_SMBIOS_ENCLOSURE_TYPE=0x09
CONFIG_BOARD_ROMSIZE_KB_8192=y
CONFIG_COREBOOT_ROMSIZE_KB_8192=y
CONFIG_COREBOOT_ROMSIZE_KB=8192
CONFIG_ROM_SIZE=0x800000
CONFIG_SYSTEM_TYPE_LAPTOP=y
CONFIG_CPU_SPECIFIC_OPTIONS=y
CONFIG_RAMTOP=0x200000
CONFIG_HEAP_SIZE=0x4000
CONFIG_RAMBASE=0x100000
CONFIG_EHCI_BAR=0xfef00000
CONFIG_SERIRQ_CONTINUOUS_MODE=y
CONFIG_SMM_TSEG_SIZE=0x800000
CONFIG_ACPI_CPU_STRING="\\_PR.CP%02d"
CONFIG_BOOTBLOCK_CPU_INIT="cpu/intel/model_206ax/bootblock.c"
CONFIG_C_ENV_BOOTBLOCK_SIZE=0x10000
CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y
CONFIG_ROMSTAGE_ADDR=0x2000000
CONFIG_VERSTAGE_ADDR=0x2000000
CONFIG_SPI_FLASH_INCLUDE_ALL_DRIVERS=y
CONFIG_DCACHE_RAM_MRC_VAR_SIZE=0x0
CONFIG_PCIEXP_ASPM=y
CONFIG_PCIEXP_COMMON_CLOCK=y
CONFIG_BOOTBLOCK_NORTHBRIDGE_INIT="northbridge/intel/sandybridge/bootblock.c"
CONFIG_BOOTBLOCK_SOUTHBRIDGE_INIT="southbridge/intel/bd82x6x/bootblock.c"
CONFIG_CACHE_MRC_SIZE_KB=512
CONFIG_STACK_SIZE=0x1000
CONFIG_UART_PCI_ADDR=0x0
CONFIG_SOCKET_SPECIFIC_OPTIONS=y
CONFIG_XIP_ROM_SIZE=0x20000
CONFIG_NUM_IPI_STARTS=2
CONFIG_CPU_INTEL_MODEL_206AX=y
CONFIG_SSE2=y
CONFIG_CPU_INTEL_SOCKET_RPGA989=y
CONFIG_CPU_INTEL_COMMON=y
CONFIG_ENABLE_VMX=y
CONFIG_UDELAY_TSC=y
CONFIG_TSC_CONSTANT_RATE=y
CONFIG_TSC_MONOTONIC_TIMER=y
CONFIG_TSC_SYNC_MFENCE=y
CONFIG_LOGICAL_CPUS=y
CONFIG_SMM_TSEG=y
CONFIG_SMM_MODULE_HEAP_SIZE=0x4000
CONFIG_CACHE_AS_RAM=y
CONFIG_SMP=y
CONFIG_AP_SIPI_VECTOR=0xfffff000
CONFIG_MMX=y
CONFIG_SSE=y
CONFIG_SUPPORT_CPU_UCODE_IN_CBFS=y
CONFIG_CPU_MICROCODE_CBFS_NONE=y
CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
CONFIG_USE_NATIVE_RAMINIT=y
CONFIG_SANDYBRIDGE_IVYBRIDGE_LVDS=y
CONFIG_IF_NATIVE_VGA_INIT=y
CONFIG_HPET_ADDRESS=0xfed00000
CONFIG_HPET_MIN_TICKS=0x80
CONFIG_MAX_PIRQ_LINKS=4
CONFIG_SOUTHBRIDGE_INTEL_C216=y
CONFIG_SOUTH_BRIDGE_OPTIONS=y
CONFIG_LOCK_SPI_FLASH_NONE=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
CONFIG_INTEL_CHIPSET_LOCKDOWN=y
CONFIG_EC_ACPI=y
CONFIG_EC_LENOVO_H8=y
CONFIG_H8_BEEP_ON_DEATH=y
CONFIG_H8_FLASH_LEDS_ON_DEATH=y
CONFIG_EC_LENOVO_PMH7=y
CONFIG_HAVE_INTEL_FIRMWARE=y
CONFIG_CHECK_ME=y
CONFIG_GBE_BIN_PATH="../binaries/gbe.bin"
CONFIG_UDK_2013_VERSION=2013
CONFIG_UDK_2015_VERSION=2015
CONFIG_UDK_2017_VERSION=2017
CONFIG_UDK_VERSION=2013
CONFIG_ARCH_ARMV8_EXTENSION=0
CONFIG_ARCH_X86=y
CONFIG_ARCH_BOOTBLOCK_X86_32=y
CONFIG_ARCH_VERSTAGE_X86_32=y
CONFIG_ARCH_ROMSTAGE_X86_32=y
CONFIG_ARCH_RAMSTAGE_X86_32=y
CONFIG_PC80_SYSTEM=y
CONFIG_HAVE_CMOS_DEFAULT=y
CONFIG_CMOS_DEFAULT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.default"
CONFIG_IOAPIC_INTERRUPTS_ON_FSB=y
CONFIG_ID_SECTION_OFFSET=0x80
CONFIG_BOOTBLOCK_SIMPLE=y
CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"
CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y
CONFIG_HAVE_LINEAR_FRAMEBUFFER=y
CONFIG_MAINBOARD_HAS_NATIVE_VGA_INIT=y
CONFIG_MAINBOARD_HAS_LIBGFXINIT=y
CONFIG_MAINBOARD_DO_NATIVE_VGA_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_PCI=y
CONFIG_MMCONF_SUPPORT=y
CONFIG_PCIX_PLUGIN_SUPPORT=y
CONFIG_CARDBUS_PLUGIN_SUPPORT=y
CONFIG_PCIEXP_PLUGIN_SUPPORT=y
CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
CONFIG_CACHE_MRC_SETTINGS=y
CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
CONFIG_SPI_FLASH=y
CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
CONFIG_SPI_FLASH_ADESTO=y
CONFIG_SPI_FLASH_AMIC=y
CONFIG_SPI_FLASH_ATMEL=y
CONFIG_SPI_FLASH_EON=y
CONFIG_SPI_FLASH_GIGADEVICE=y
CONFIG_SPI_FLASH_MACRONIX=y
CONFIG_SPI_FLASH_SPANSION=y
CONFIG_SPI_FLASH_SST=y
CONFIG_SPI_FLASH_STMICRO=y
CONFIG_SPI_FLASH_WINBOND=y
CONFIG_NO_UART_ON_SUPERIO=y
CONFIG_HAVE_USBDEBUG=y
CONFIG_HAVE_USBDEBUG_OPTIONS=y
CONFIG_SMBIOS_PROVIDED_BY_MOBO=y
CONFIG_INTEL_EDID=y
CONFIG_INTEL_INT15=y
CONFIG_INTEL_GMA_ACPI=y
CONFIG_GFX_GMA=y
CONFIG_GFX_GMA_CPU="Sandybridge"
CONFIG_GFX_GMA_CPU_VARIANT="Normal"
CONFIG_GFX_GMA_INTERNAL_IS_LVDS=y
CONFIG_GFX_GMA_INTERNAL_PORT="LVDS"
CONFIG_GFX_GMA_ANALOG_I2C_PORT="PCH_DAC"
CONFIG_DRIVERS_INTEL_WIFI=y
CONFIG_DRIVERS_MC146818=y
CONFIG_LPC_TPM=y
CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000
CONFIG_VGA=y
CONFIG_DRIVERS_RICOH_RCE822=y
CONFIG_MAINBOARD_HAS_LPC_TPM=y
CONFIG_ACPI_SATA_GENERATOR=y
CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y
CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_RTC=y
CONFIG_SQUELCH_EARLY_SMP=y
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
CONFIG_CONSOLE_POST=y
CONFIG_HWBASE_DEBUG_CB=y
CONFIG_HAVE_ACPI_RESUME=y
CONFIG_RESUME_PATH_SAME_AS_BOOT=y
CONFIG_HAVE_HARD_RESET=y
CONFIG_HAVE_MONOTONIC_TIMER=y
CONFIG_HAVE_OPTION_TABLE=y
CONFIG_HAVE_SMI_HANDLER=y
CONFIG_IOAPIC=y
CONFIG_USE_WATCHDOG_ON_BOOT=y
CONFIG_HAVE_ACPI_TABLES=y
CONFIG_COMMON_FADT=y
CONFIG_GENERATE_SMBIOS_TABLES=y
CONFIG_PAYLOAD_GRUB2=y
CONFIG_PAYLOAD_FILE="payloads/external/GRUB2/grub2/build/default_payload.elf"
CONFIG_GRUB2_STABLE=y
CONFIG_GRUB2_EXTRA_MODULES="gcry_rijndael gcry_sha256 gcry_seed lvm luks cryptodisk all_video jpeg png cat videoinfo videotest crypto gfxmenu gfxterm_menu gfxterm_background password password_pbkdf2 pbkdf2 usbserial_pl2303 usbserial_ftdi usbserial_usbdebug"
CONFIG_GRUB2_INCLUDE_RUNTIME_CONFIG_FILE=y
CONFIG_GRUB2_RUNTIME_CONFIG_FILE="../config/grub.cfg"
CONFIG_PAYLOAD_OPTIONS=""
CONFIG_COMPRESSED_PAYLOAD_LZMA=y
CONFIG_COMPRESS_SECONDARY_PAYLOAD=y
CONFIG_HAVE_DEBUG_RAM_SETUP=y
CONFIG_HAVE_DEBUG_SMBUS=y
CONFIG_WARNINGS_ARE_ERRORS=y
CONFIG_EARLY_CBMEM_INIT=y
CONFIG_RELOCATABLE_MODULES=y
CONFIG_BOOTBLOCK_CUSTOM=y
```
Now build coreboot
```
./cb-helper build_coreboot
```
And add the font and tha background image:
```
coreboot/util/cbfstool/cbfstool out/coreboot.rom add -f misc/dejavusansmono.pf2 -n dejavusansmono.pf2 -t raw
coreboot/util/cbfstool/cbfstool out/coreboot.rom add -f misc/bg.jpg -n background.jpg -t raw
```
The file `~/Build/x220-coreboot/out/coreboot.rom` should now be ready for flashing.
## Coreboot flash
From the RaspberryPi
```
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -w coreboot.rom
```
(flashrom may sometimes give an error about failing to erase. This is fine as long as the end it prints 'VERIFIED')
Or from dom0 if you already have flashed coreboot before:
```
sudo flashrom -p internal:laptop=force_I_want_a_brick -w coreboot.rom
```
## Encrypt /boot
From now on keep in mind that any error may cause data loss. Even not doing any error may cause data loss. Please make a full backup bedofre going on.
Boot a live archlinux or any other live distro which has `cryptsetup`, `lvm` and `dd` installed. In this part it is assumed the device with Qubes is `/dev/sda`.
```
fdisk -l /dev/sda
Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 2099199 2097151 1.0 G 83 Linux
/dev/sda2 2099200 468862127 466762927 222.6G 83 Linux
```
Take note of the offset values.
Copy on an external device a backup of the boot partition:
```
dd if=/dev/sda1 of=/mnt/backup/boot.dd bs=1M status=progress
```
Using fdisk, cfdisk or parted delete both `sda1` and `sda2` and create a new partition using the whole disk called `sda`.
Now move the old LUKS partition at the beginning of the disk.
First check that the offsets are correct (source: https://superuser.com/questions/541067/how-to-move-a-partition-in-gnu-linux):
```
dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 count=100 skip=$((2099199-2048)) seek=0 2> /dev/null | file -s -
/dev/stdin: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8453f049-6322-4e5d-b05a-a6c4688fd3a5
```
If the `file` command detect a LUKS encrypted file it should be safe to continue.
```
dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 skip=$((2099199-2048)) seek=0 of=/dev/sda1 status=progress
```
Wait for the process to complete. Do not stop it for any reason.
```
cryptsetup luksOpen /dev/sda1 qubespv
pvresize /dev/mapper/qubespv
lvcreate -n boot -l100%FREE qubes_dom0
dd if=/mnt/backup/bios.dd of /dev/mapper/qubes_dom0-boot
```
## Reboot
Reboot. You should now be prompted two times for your LUKS passphrase: this is because the Grub installed within the Flash has no way to pass the actual passphrase to the kernel. A workaround to this issue is explained here https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot)#Bonus:_Using_a_key_file_to_unlock_.2Fboot.2F
# TODO
* Flash coreboot read-only to prevent tampering
* Add a script which symlink the latest kernel and the previous one in a predictable path in /boot
* Find a way to disable ExpressCard/Camera/Other components from coreboot
* Test microcode updates for meltdown/spectre
Reference in New Issue View Git Blame Copy Permalink