From: eliot Date: Sat, 18 Sep 2021 15:54:36 +0000 (+0200) Subject: (no commit message) X-Git-Url: https://git.g-eek.se/?a=commitdiff_plain;h=446db4476a508bd223ccdfe6de20af4d61c60890;p=inbyggd-frihet-wiki.git --- diff --git a/guider.mdwn b/guider.mdwn index 609ae2f..4644f56 100644 --- a/guider.mdwn +++ b/guider.mdwn 
@@ -19,13 +19,15 @@ Pomona chip holders 10cm wires ### General -For flashing see this [guide](https://libreboot.org/docs/install/x200_external.html) for a general idea, however each system has their own chip configuration which differs a little. +For flashing see this [(X200 Libreboot) guide](https://libreboot.org/docs/install/x200_external.html) for a general idea, however each system has their own chip configuration which differs a little. -When installing an OS on a Libreboot (/Coreboot) system, use these [guides](https://libreboot.org/docs/gnulinux/). +When installing an OS on a Libreboot (/Coreboot) system, use these [guides](https://libreboot.org/docs/gnulinux/) (old link?). When installing Debian I used [this guide](https://libreboot.org/docs/gnulinux/encrypted_debian.html) in particular. The guide uses LUKS->LVM->Partitions, thus everything is encrypted. You don't need to install GRUB since it is already on the libreboot ROM (if you're using the GRUB payload), however, using a local GRUB makes it possible to [change GRUB config](https://libreboot.org/docs/gnulinux/grub_cbfs.html) without reflashing ROM. But reflashing ROM can be done in the OS (boot with kernel flag iomem=relaxed). -If you have an unencrypted /boot the default GRUB-scripts works better, i e it boots automatically (using Libreboot2016). +If you have an unencrypted /boot the default GRUB-scripts works better, i e it boots automatically (using Libreboot2016). Otherwise, it can be fixed manually with a better GRUB config ... well basically it should work by just adding _cryptomount -a_ before mounting the volumes? +_Note:__ So for security it is wise to encrypt /boot/, which is then decrypted before booting to OS, using GRUB config on flash chip. Just one warning, _older_ versions of Coreboot and Libreboot did not support LUKS v2__ so use LUKS v1. 
Then you were required to have /boot/ as LUKSv1 so that you can then decrypt the main drive once kernel has been loaded, or of course, exclusively use LUKSv1. +But since [Libreboot 20210522](https://libreboot.org/news/libreboot20210522.html) LUKSv2 is supported. ## GRUB
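Review bot: The added note line has unbalanced emphasis markers: it opens with `_Note:__` and only closes at `LUKS v2__`, with `_older_` nested in between, so the emphasis will not render as intended. Writing `__Note:__` followed by plain text would fix it. That same line ends with "so use LUKS v1", while the added lines right after it say LUKSv2 is supported since Libreboot 20210522. A reader skimming the note gets the outdated advice first, so state the version condition up front (LUKSv1 for /boot/ only on releases before 20210522). The added "(old link?)" and the sentence ending "adding _cryptomount -a_ before mounting the volumes?" are open questions left in the guide text. Either verify them or mark them clearly as untested, and format `cryptomount -a` as code rather than emphasis so it reads as a command. The commit also has no message, so a one-line summary of the doc change would help later readers of the history.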