From 50bffff4dc859b9397b45a7c4143a5e6ab0705d8 Mon Sep 17 00:00:00 2001 From: Luc Date: Sun, 3 Sep 2023 11:07:23 +0200 Subject: [PATCH 1/5] Added alpine-server-setup/home.md. --- docs/alpine-server-setup/home.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/alpine-server-setup/home.md diff --git a/docs/alpine-server-setup/home.md b/docs/alpine-server-setup/home.md new file mode 100644 index 0000000..a249c91 --- /dev/null +++ b/docs/alpine-server-setup/home.md @@ -0,0 +1 @@ +# A Alpine Linux installation \ No newline at end of file From 0e9df68bae6e08c98b9575eee1ede7a569380221 Mon Sep 17 00:00:00 2001 From: Luc Date: Sun, 3 Sep 2023 11:12:22 +0200 Subject: [PATCH 2/5] Changed syntax. --- docs/void-desktop-setup/post-installation/linux-lts.md | 2 +- docs/void-desktop-setup/post-installation/users.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/void-desktop-setup/post-installation/linux-lts.md b/docs/void-desktop-setup/post-installation/linux-lts.md index 571c064..b4a966c 100644 --- a/docs/void-desktop-setup/post-installation/linux-lts.md +++ b/docs/void-desktop-setup/post-installation/linux-lts.md @@ -6,7 +6,7 @@ It might be desirable to install an LTS kernel for better stability. This can be # xbps-install -Sy linux-lts linux-lts-headers ``` -To uninstall the non-lts kernel, ignore the package through `/etc/xbps.d/xbps.conf` by adding: +To uninstall the non-lts kernel, ignore the package by creating `/etc/xbps.d/nolinux.conf` and inserting: ``` ignorepkg=linux diff --git a/docs/void-desktop-setup/post-installation/users.md b/docs/void-desktop-setup/post-installation/users.md index 9891456..81558d6 100644 --- a/docs/void-desktop-setup/post-installation/users.md +++ b/docs/void-desktop-setup/post-installation/users.md 
@@ -18,8 +18,7 @@ The user may be added to certain groups, to give it some rights. # usermod -aG wheel,audio,video,kvm,tty,input,storage ``` -The package `sudo` that is present in the `base-system` package will be removed. Since, it is bloatware. To persist this. That is sudo will not be installed ever again on the system. Edit `/etc/xbps.d/xbps.conf` and insert: - +The package `sudo` that is present in the `base-system` package will be removed. Since, it is bloatware. To persist this. That is sudo will not be installed ever again on the system. Create `/etc/xbps.d/nosudo.conf` and insert: ``` ignorepkg=sudo From 5766dea10716ffa21c09a3bf3b260940dad3b9ed Mon Sep 17 00:00:00 2001 From: Luc Date: Sun, 3 Sep 2023 11:18:17 +0200 Subject: [PATCH 3/5] Added new boot parameters that will negate tpm luks bypass. --- docs/void-desktop-setup/installation/installation-with-lvm.md | 2 +- docs/void-desktop-setup/installation/installation.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/void-desktop-setup/installation/installation-with-lvm.md b/docs/void-desktop-setup/installation/installation-with-lvm.md index 2a0f636..0ed2b27 100644 --- a/docs/void-desktop-setup/installation/installation-with-lvm.md +++ b/docs/void-desktop-setup/installation/installation-with-lvm.md @@ -113,7 +113,7 @@ The `uuid` is needed again and can be obtained by: Now edit `/boot/loader/void-options.conf` and insert: ``` -rw rd.luks.name==root root=/dev/disk/by-label/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.lvm.vg=lv0 +rw rd.luks.name==root root=/dev/disk/by-label/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.shell=0 d.emergency=reboot rd.lvm.vg=lv0 ``` To obtain a boot menu. A timeout may be added to `/boot/loader/loader.conf`. diff --git a/docs/void-desktop-setup/installation/installation.md b/docs/void-desktop-setup/installation/installation.md index 299da5f..66bfe60 100644 --- a/docs/void-desktop-setup/installation/installation.md 
+++ b/docs/void-desktop-setup/installation/installation.md @@ -111,7 +111,7 @@ The `uuid` is needed again and can be obtained by: Now edit `/boot/loader/void-options.conf` and insert: ``` -rw rd.luks.name==root root=/dev/mapper/root quiet splash apparmor=1 security=apparmor loglevel=1 +rw rd.luks.name==root root=/dev/mapper/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.shell=0 d.emergency=reboot ``` To obtain a boot menu. A timeout may be added to `/boot/loader/loader.conf`. From b30a146641eb460094bac40a3b89519096166216 Mon Sep 17 00:00:00 2001 From: Tastatur Date: Fri, 8 Sep 2023 10:53:35 +0200 Subject: [PATCH 4/5] Updated automatic-decryption to use clevis package --- .../post-installation/automatic-decryption.md | 61 ++++++------------- 1 file changed, 17 insertions(+), 44 deletions(-) diff --git a/docs/void-desktop-setup/post-installation/automatic-decryption.md b/docs/void-desktop-setup/post-installation/automatic-decryption.md index cdabb7b..6579034 100644 --- a/docs/void-desktop-setup/post-installation/automatic-decryption.md +++ b/docs/void-desktop-setup/post-installation/automatic-decryption.md 
@@ -1,52 +1,13 @@ -# Automatic decryption *(unfinished)* +# Automatic decryption -Using Clevis it's possible to automatically decrypt the system upon startup. But because we haven't been able to figure out how to create a functional template file for that we'll have to compile it ourselves. Note that you must use the `booster` initramfs. (A lot more information about the possibilities from clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis)) +Using Clevis it's possible to automatically decrypt the system upon startup. Note that you must use the `booster` initramfs which should be installed if you followed this guide. (A lot more information about the possibilities from Clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis)) -## Installing José +## Installation -First we have to compile [José](https://github.com/latchset/jose), a "C-language implementation of Javascript Object Signing and Encryption". José is a dependency of Clevis. -First install the dependencies needed to compile josé. +Installing clevis is straightforward: ``` -# xbps-install -Sy pkg-config zlib-devel jansson-devel openssl-devel jq-devel gcc meson ninja asciidoc -``` - -After that we have to obtain the source of José: - -``` -$ xbps-fetch https://github.com/latchset/jose/archive/refs/tags/v11.tar.gz -``` - -Unpack the Tar and go into the directory and follow the rest of these instructions: - -``` -$ mkdir build && cd build -$ meson .. --prefix=/usr -$ ninja -# ninja install -``` - -## Installing Clevis - -After having installed José install the other dependencies. 
- -``` -# xbps-install -Sy luksmeta cryptsetup-devel tpm2-tools libpwquality-devel -(probably missing a few) -``` - -Then clone the source code into a directory - -``` -$ xbps-fetch https://github.com/latchset/clevis/archive/refs/tags/v19.tar.gz -``` - -After unpacking and going into the directory follow the rest of these instructions: - -``` -$ meson build -$ ninja -C build -# ninja -C build install +# xbps-install -Sy clevis ``` ## Acquiring automatic decryption @@ -59,3 +20,15 @@ To bind our LUKS volume to TPM with clevis simply enter this command: ``` This will bind the partition with TPM2 and Secureboot and now the root partition can be unencrypted on startup automatically. + +If any changes have been made to the Bios or Secureboot and Clevis doesn't automatically decrypt the disk again. Clevis will have to be envoked again. + +``` +# clevis luks regen -d /dev/disk/by-label/luks -s +``` + +The keyslot can be found with: + +``` +# cryptsetup luksDump /dev/disk/by-label/luks +``` From c6e1abaa4dc72aa6b7aea6d99404d2ea6ecc0fcf Mon Sep 17 00:00:00 2001 From: Tastatur Date: Fri, 8 Sep 2023 16:15:02 +0200 Subject: [PATCH 5/5] Fixed a typo --- docs/void-desktop-setup/installation/installation-with-lvm.md | 2 +- docs/void-desktop-setup/installation/installation.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/void-desktop-setup/installation/installation-with-lvm.md b/docs/void-desktop-setup/installation/installation-with-lvm.md index 0ed2b27..82c6178 100644 --- a/docs/void-desktop-setup/installation/installation-with-lvm.md +++ b/docs/void-desktop-setup/installation/installation-with-lvm.md 
@@ -113,7 +113,7 @@ The `uuid` is needed again and can be obtained by: Now edit `/boot/loader/void-options.conf` and insert: ``` -rw rd.luks.name==root root=/dev/disk/by-label/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.shell=0 d.emergency=reboot rd.lvm.vg=lv0 +rw rd.luks.name==root root=/dev/disk/by-label/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.shell=0 rd.emergency=reboot rd.lvm.vg=lv0 ``` To obtain a boot menu. A timeout may be added to `/boot/loader/loader.conf`. diff --git a/docs/void-desktop-setup/installation/installation.md b/docs/void-desktop-setup/installation/installation.md index 66bfe60..65fe9d3 100644 --- a/docs/void-desktop-setup/installation/installation.md +++ b/docs/void-desktop-setup/installation/installation.md @@ -111,7 +111,7 @@ The `uuid` is needed again and can be obtained by: Now edit `/boot/loader/void-options.conf` and insert: ``` -rw rd.luks.name==root root=/dev/mapper/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.shell=0 d.emergency=reboot +rw rd.luks.name==root root=/dev/mapper/root quiet splash apparmor=1 security=apparmor loglevel=1 rd.shell=0 rd.emergency=reboot ``` To obtain a boot menu. A timeout may be added to `/boot/loader/loader.conf`.
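
Review bot: in [PATCH 1/5], the added heading in `docs/alpine-server-setup/home.md` reads `# A Alpine Linux installation`; it should be "An Alpine Linux installation". The file also ends without a trailing newline (`\ No newline at end of file`); add one so the next patch that appends to this file does not show a spurious change on the heading line.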
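
Review bot: in [PATCH 2/5], `linux-lts.md`, there is no guidance for readers who already added `ignorepkg=linux` to `/etc/xbps.d/xbps.conf` under the old wording. Add a line telling them to remove that entry once `/etc/xbps.d/nolinux.conf` exists, so the setting lives in one place.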
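
Review bot: in [PATCH 2/5], `users.md`, the hunk deletes the blank line between the rewritten paragraph and the opening code fence, so the fence now follows the text directly; keep the blank line so the block renders as a fence in every Markdown renderer. Since the paragraph is being touched anyway, the fragments "Since, it is bloatware. To persist this. That is sudo will not be installed ever again on the system." should be merged into complete sentences.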
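
Review bot: in [PATCH 3/5], `installation-with-lvm.md`, the added line contains `d.emergency=reboot`, which is missing the `rd.` prefix used by `rd.shell=0` next to it. Nothing will recognise the parameter under that name, so the reboot-on-emergency behaviour would not take effect. It should read `rd.emergency=reboot`; the same typo is in the `installation.md` hunk of this patch.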
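
Review bot: in [PATCH 3/5], `installation.md`, the two new parameters are added without any explanation in the document; the reason ("negate tpm luks bypass") exists only in the commit subject. Add a sentence under the code block saying what `rd.shell=0` and `rd.emergency=reboot` do (no emergency shell in the initramfs, reboot instead) and why that matters once the volume is unlocked automatically through the TPM. Both are dracut option names, while the automatic-decryption page changed in this series requires the `booster` initramfs, so please confirm that booster honours them before documenting them as the mitigation.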
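
Review bot: in [PATCH 4/5], first hunk of `automatic-decryption.md`, the removed build instructions installed `luksmeta` and `tpm2-tools` by hand, while the new text installs only `clevis`. Confirm that the `clevis` package pulls these in as dependencies; if it does not, add them to the `xbps-install` line, otherwise the TPM2 binding step in the next section will fail. Minor: "clevis" is lowercase in "Installing clevis is straightforward" but capitalised in the paragraph above it.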
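
Review bot: in [PATCH 4/5], second hunk of `automatic-decryption.md`, the `clevis luks regen` command uses `-s` before the reader has been told how to find the keyslot; move the `cryptsetup luksDump` step above it. The introducing paragraph is split into two fragments and has "envoked" for "invoked"; something like "If the BIOS or Secure Boot configuration changes and Clevis no longer decrypts the disk automatically, the binding has to be regenerated:" reads better. It would also help to state that in this situation the disk has to be unlocked with the LUKS passphrase, so that keyslot must be kept.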
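
Review bot: squash [PATCH 5/5] into [PATCH 3/5]; both hunks only correct the `d.emergency=reboot` typo that 3/5 introduced, and squashing means no revision of the docs carries the broken parameter. If the commit stays separate, the subject "Fixed a typo" should name `rd.emergency` so the history shows that a boot parameter changed.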