Full disk encryption secure boot

From Alpine Linux
Revision as of 17:52, 7 August 2022 by Blt (talk | contribs) (converting the guide for LVM until Installing Alpine)
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Blt on 7 Aug 2022.)

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

Installing packages

To facilitate the partitioning we will use gdisk :

# apk add lsblk gptfdisk

For encryption, we will use cryptsetup :

# apk add cryptsetup

For LVM:

# apk add lvm2

For using and managing UEFI, multiple packages are needed :

# apk add efibootmgr e2fsprogs grub grub-efi

To improve the entropy :

# apk add haveged
# rc-service haveged start

Preparing / overwriting the disk

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.

# haveged -n 0 | dd of=/dev/nvme0n1

Partitioning the disk

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

  • one for UEFI
  • one for LVM
# gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1): 
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}: 
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2): 
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}: 
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}: 
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.

Configuring LUKS

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2: 
Verify passphrase: 
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
# vgcreate vg0 /dev/mapper/lvmcrypt
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
# lvcreate -L 512M vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root

To check the creation :

# lvscan

Mounting points and File System

Create vfat file system for UEFI partition:

# mkfs.vfat /dev/nvme0n1p1

Create ext4 file system for / partition:

# mkfs.ext4 /dev/vg0/root

Activate SWAP:

# mkswap /dev/vg0/swap
# swapon /dev/vg0/swap

Mount / partition to /mnt :

# mount -t ext4 /dev/vg0/root /mnt

Create /boot/efi:

# mkdir /mnt/boot/efi -p

Mount UEFI partition to /mnt/boot/efi :

# mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi

Check partition scheme:

# lsblk

Installing Alpine

# setup-disk -m sys /mnt/

mkinitfs settings & modules

Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup and lvm modules to the features parameter (keymap only needed if QWERTY is not used):

features="...keymap cryptsetup cryptkey"

Regenerate the initram:

# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)

Grub settings

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):

# touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin

Then, let's mount and chroot to our fresh installation:

# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt

Let's show the UUID of our partition scheme:

# lsblk -f

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:

GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens

set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal

Configuring Secure Boot

# apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys

Re-install Grub:

# grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose

To check that your .efi is signed :

 # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed 
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
 - /CN="Your Name" (db)
image signature certificates:
 - subject: /CN="Your Name" (db)
   issuer:  /CN="Your Name" (db)

Reboot & enter into your UEFI (Fx key depending of your laptop)

Import keys to UEFI

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system. This is just an example from an XPS laptop, each UEFI is unique.

  1. Go to Boot Configuration > Secure Boot
  2. Change Enable Secure Boot to ON
  3. Change Secure Boot Mode to Deployed Mode
  4. Change Enable Custom Mode to ON
  5. Go to Custom Mode Key Management
    • Reset All Keys
    • Select Key Database select db > Replace from file > select your Flash Drive > select db.auth
    • Select Key Database select KEK > Replace from file > select your Flash Drive > select KEK.auth
    • Select Key Database select PK > Replace from file > select your Flash Drive > select PK.auth
  6. APPLY CHANGES > EXIT

Check Secure Boot State:

# apk add mokutil
# mokutil --sb-state
SecureBoot enabled

Congrats!