ISO: Change to unencrypted /boot if using Full Disk Encryption

Patrick · March 18, 2024, 2:05pm

Calamares setting up encrpyted /boot (which gets decrypted with GRUB2) causes many issues.

GRUB2 needs a very long time to decrypt the root disk.
Need to enter full disk password twice, at grub boot menu and systemd during boot. This might be a missing dracut module or bug.
And the worst issue: Keyboard layout issues. There is no way to define keyboard layout during GRUB2 pre-boot full disk encryption password entry. (If there is, these are very complicated, not suitable for a Debian derivative and also break SecureBoot.)

This should be no security issue. This is what most distributions are using. The kernel image is not secret. Unencrypted /boot that Debian (CLI looking) installer (“DI”) is using that too. Encrypted /boot is simply not ready due to these upstream bugs which will very most likely not be resolved anytime soon.

TODO:

Find a distribution that uses Calamares and implemented unencrypted /boot.
- Maybe Ubuntu? Check
  - ```
  git clone https://git.launchpad.net/~ubuntu-qt-code/+git/calamares-settings-ubuntu
```
- Linux Mint?
- Elementary OS?
Copy over the Calamares config files to Kicksecure (if permissible by the license, which is probably the case).
Change Kicksecure Calamares Installer to the usual unencrypted /boot partition.

Patrick · April 1, 2024, 5:19am

Patrick · April 1, 2024, 10:48am

github.com

calamares/calamares/blob/calamares/src/modules/partition/partition.conf

# SPDX-FileCopyrightText: no
# SPDX-License-Identifier: CC0-1.0
#

# Options for EFI system partition.
#
# - *mountPoint*
#   This setting specifies the mount point of the EFI system partition. Some
#   distributions (Fedora, Debian, Manjaro, etc.) use /boot/efi, others (KaOS,
#   etc.) use just /boot.
#
#   Defaults to "/boot/efi", may be empty (but weird effects ensue)
# - *recommendedSize*
#   This optional setting specifies the size of the EFI system partition.
#   If nothing is specified, the default size of 300MiB will be used.
#   When writing quantities here, M is treated as MiB, and if you really
#   want one-million (10^6) bytes, use MB.
# - *minimumSize*
#   This optional setting specifies the absolute minimum size of the EFI
#   system partition. If nothing is specified, the *recommendedSize*

This file has been truncated. show original

Patrick · April 16, 2024, 8:15am

github.com

Kicksecure/live-config-dist/blob/master/etc/calamares/modules/partition.conf

## https://github.com/calamares/calamares/blob/calamares/src/modules/partition/partition.conf
## https://github.com/bbqlinux/calamares-bbqlinux/blob/master/src/etc/calamares/modules/partition.conf

efiSystemPartition:     "/boot/efi"

## Size? See:
## https://github.com/grml/grml-debootstrap/issues/221
efi:
    mountPoint:         "/boot/efi"
    recommendedSize:    550MiB
    minimumSize:        550MiB
    label:              "EFI"

efiSystemPartitionSize:     550MiB

userSwapChoices:
    - none      # Create no swap, use no swap
    - reuse     # Re-use existing swap, but don't create any
    - small     # Up to 4GB
    - suspend   # At least main memory size

This file has been truncated. show original

Patrick · April 16, 2024, 8:15am

Probably not possible as long as Kicksecure is based on Debian 12 / bookworm.

Requires a newer calamares version which is only installable in Debian 13 / trixie.

Very difficult to install the newer calamares version in Debian 13 due to dependency issues.

Patrick · July 26, 2024, 6:53pm

github.com/Kicksecure/live-config-dist

[WIP] Improve localization and disk encryption

Kicksecure:master ← ArrayBolt3:master

opened 01:15AM - 24 Jul 24 UTC

ArrayBolt3

+80 -42

# WARNING - WORK IN PROGRESS This pull request improves localization and full… disk encryption for Kicksecure 17. **This PR is not suitable for merge yet - several prerequisites in Kicksecure are missing and there are several bits that need cleaned up.** This is pretty close to being done though. ## Changes * `debian/changelog`: * Bump version number. The Debian revision number is higher than necessary because I kept rebuilding things and incrementing the number for testing purposes - that will need reset to 1 before merging. * `etc/calamares/branding/Kicksecure/*`: * Updated capitalization of style fields - this is necessary for Calamares 3.3.8 to parse them properly, failing to do so results in a solid black left sidebar. * Fixed the absence of a Kicksecure logo in the upper-left corner of the installer. This is generally where distros put their logos and it seemed appropriate to me. The logo component was taken from the larger, complete Kicksecure logo in the same directory. * Renamed logo.png to icon.png to fit with the terminology used by Calamares. This made room for a new logo.png to be created, which contains the logo which now appears in the upper-left corner of the installer. * `etc/calamares/modules/partition.conf`: * Removed some obsolete fields that already have replacements integrated into the config file. * `etc/calamares/modules/users.conf.dist`: * The changes here are vestigial and should be removed before merging this PR. I originally had attempted to add the ability for the end user to customize their user password and autologin status within Calamares, but as it turns out this results in Calamares trying to create a user account with a name that already exists (`user`), crashing the install. Ubuntu works around this by not having any user defined in the ISO itself, and dynamically creates a user account with casper upon ISO bootup. Kicksecure does not do this and thus this technique fails since the installed system has a user account before the users module ever runs, due to that user being hardcoded into the ISO. I considered some workarounds for this issue but ultimately decided that this was too much trouble for now and could be pursued at a later date. * `etc/calamares/settings.conf.dist`: * Moved some fields down to the bottom of the file for readability. Not strictly necessary, but made working on the project easier. * Added the `locale` and `keyboard` modules to the `show` component of the `sequence` section. This allows the user to customize their localization, timezone, and keyboard layout information at installation time. * Added several modules to the `exec` component of the `sequence` section: * `locale` - allows setting locale to work. The absence of this module results in language settings not carrying over into the installed system. * `keyboard` - allows setting the keyboard layout to work. The absence of this module results in keyboard layout settings not carrying over into the installed system. * `localecfg` - not entirely sure if this is needed, but it appeared important and so I added it. This was when I was first trying to get localization working right. This might be able to be dropped. * `displaymanager` - Vestigial, part of trying to get autologin working earlier. Should be dropped. * `shellprocess@fixconkeys_part1` and `shellprocess@fixconkeys_part2` - Vital for disk encryption, explained later. * Added two shellprocesses to the `instances` section. These are vital for disk encryption and are explained below. * `etc/calamares/modules/shellprocess_fixconkeys_part1.conf` and `etc/calamares/modules/shellprocess_fixconkeys_part2.conf`: * Vital for disk encryption, explained below. ## Disk Encryption Fixes In order for FDE to work ideally on Kicksecure, a newer version of Calamares than the one present in Bookworm is needed. I locally compiled Calamares 3.3.8 from Trixie for Bookworm and installed it into the live session for testing. This version of Calamares properly processes the `noEncrypt` parameter in `partitions.conf` and thus the `/boot` partition is excluded from encryption. However, **this did not entirely solve disk encryption issues** - when installing Kicksecure using a language with a keyboard layout different from `us` (I used German in my testing), the keyboard layout used by cryptsetup for decrypting the disk is different than the one used by Calamares for setting the encryption passphrase. This is a situation that I previously dealt with in Lubuntu, and is a result of the console keymap not being set correctly within the system's initramfs. Solving this issue requires changing the console keyboard layout within the initramfs at install time to match the keyboard layout chosen by the user. This is non-trivial and requires a pair of scripts (embedded into the `shellprocess_fixconkeys_part*.conf` configuration files) to accomplish. * The first script runs within the live system itself, NOT in the installed system chroot that Calamares creates. This script determines the keyboard layout in use by the user using `setxkbmap -query`, processes the output so as to extract the two-character keyboard layout code, and saves it to `/dev/shm/fixconkeys-layout`. (The reason for choosing `/dev/shm` is because it is a tmpfs that can be shared between the live and installed systems at installation time.) After doing this, the script bind-mounts `/dev/shm` from the live system into the installed system so that the second script can access the `fixconkeys-layout` file from within the installed system chroot. * The second script operates within the installed system via a chroot. It loads the keyboard layout from the `fixconkeys-layout` into the current console session, then saves the loaded settings into a system-wide location using `setupcon`. With this complete, it then regenerates all initramfs'es on the installed system using `dracut`, ensuring this configuration is installed into the initramfs. This ensures that when `cryptsetup` runs from within the initramfs to unlock the disk, the console keyboard layout is set properly, thus allowing the user to decrypt the disk using the same keyboard layout they used to encrypt it. This solution works well in my testing, however Kicksecure is currently missing critical packages necessary for this to work. The following packages will have to be installed into the Kicksecure ISO at ISO build time for this solution to work properly: * `console-common` * `console-data` * `console-setup-linux` * `console-setup` * `kbd` I used workarounds to locally install these packages into the live environment and into the installed system for testing purposes, and can confirm that these five packages are sufficient to allow the keyboard layout fix described above to function properly. Last but not least, the `calamares` and `calamares-settings-debian` packages from Trixie will need to be published in Debian's `bookworm-backports` repository before they are available for general use within Kicksecure. I filed a bug report for this in Debian to bring this to the `calamares` package maintainer's attention (and emailed him directly a day before), but have not heard back from him yet. Therefore I intend to attempt creating and maintaining the backport myself. The bug report is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076740 ## Mandatory Checklist - [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant - [x] I am providing new code and test(s) for it * Technically there aren't tests for this code other than manual checking, so while I am providing new code, I am not providing tests for it.

Patrick · September 14, 2024, 2:18pm

This is implemented in 17.2.2.7 and above.