When installing Debian I used [this guide](https://libreboot.org/docs/gnulinux/encrypted_debian.html) in particular. The guide uses LUKS->LVM->Partitions, thus everything is encrypted. You don't need to install GRUB since it is already on the libreboot ROM (if you're using the GRUB payload), however, using a local GRUB makes it possible to [change GRUB config](https://libreboot.org/docs/gnulinux/grub_cbfs.html) without reflashing ROM. But reflashing ROM can be done in the OS (boot with kernel flag iomem=relaxed).
If you have an unencrypted /boot the default GRUB-scripts works better, i e it boots automatically (using Libreboot2016). Otherwise, it can be fixed manually with a better GRUB config ... well basically it should work by just adding _cryptomount -a_ before mounting the volumes?
-_Note:__ So for security it is wise to encrypt /boot/, which is then decrypted before booting to OS, using GRUB config on flash chip. Just one warning, _older_ versions of Coreboot and Libreboot did not support LUKS v2__ so use LUKS v1. Then you were required to have /boot/ as LUKSv1 so that you can then decrypt the main drive once kernel has been loaded, or of course, exclusively use LUKSv1.
+__Note:__ So for security it is wise to encrypt /boot/, which is then decrypted before booting to OS, using GRUB config on flash chip. Just one warning, _older_ versions of Coreboot and Libreboot did not support LUKS v2 so use LUKS v1. Then you were required to have /boot/ as LUKSv1 so that you can then decrypt the main drive once kernel has been loaded, or of course, exclusively use LUKSv1.
But since [Libreboot 20210522](https://libreboot.org/news/libreboot20210522.html) LUKSv2 is supported.
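Review bot: In the added `__Note:__` line, "did not support LUKS v2 so use LUKS v1" reads as current advice, while the unchanged line that follows says LUKSv2 is supported since Libreboot 20210522. Consider scoping the instruction to the older releases (for example "on releases before Libreboot 20210522, use LUKS v1") and folding the following sentence into the note so a reader does not stop at the warning. The same line mixes the spellings "LUKS v1"/"LUKS v2" and "LUKSv1"; pick one. The sentence "Then you were required to have /boot/ as LUKSv1 ..." would also be clearer with its subject stated (the older versions) and the two options (only /boot/ as LUKSv1, or LUKSv1 everywhere) separated.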