path: root/docs/howtos/encrypted_trisquel.html
author: Francis Rowe <info@gluglug.org.uk> 2014-09-03 18:13:00 +0000
committer: Michał Masłowski <mtjm@mtjm.eu> 2014-09-03 20:22:56 +0200
commit: 9a321884379a71b5f0986fdfb97a2b6c5bdccd8a
tree: 7a89b0126c7572c39b00a133dc3bb43d00349871 /docs/howtos/encrypted_trisquel.html
parent: d2ebc60a339b66fe067ebc244ef31c600d57d541
Libreboot release 6 beta 6.
- Added modified builddeb* scripts for Parabola GNU/Linux-libre: buildpac, buildpac-flashrom, buildpac-bucts (courtesy of Noah Vesely)
- Documentation: updated all relevant areas to mention use of buildpac* scripts for Parabola users.
- Documentation: added information showing how to enable or disable bluetooth on the X60
- MacBook1,1 tested! See ../docs/index.html#macbook11
- Documentation: fixed typo in ../docs/index.html#get_edid_panelname (get-edit changed to get-edid)
- Documentation: added ../docs/howtos/x60_lcd_change/ (pics only for now)
- Added gcry_serpent and gcry_whirlpool to the GRUB module list in the 'build' script (for luks users)
- Libreboot is now based on a new coreboot version from August 23rd, 2014. Merged commits (relates to boards that were already supported in libreboot):
  - http://review.coreboot.org/#/c/6697/
  - http://review.coreboot.org/#/c/6698/ (merged already)
  - http://review.coreboot.org/#/c/6699/ (merged already)
  - http://review.coreboot.org/#/c/6696/ (merged already)
  - http://review.coreboot.org/#/c/6695/ (merged already)
  - http://review.coreboot.org/#/c/5927/ (merged already)
  - http://review.coreboot.org/#/c/6717/ (merged already)
  - http://review.coreboot.org/#/c/6718/ (merged already)
  - http://review.coreboot.org/#/c/6723/ (merged already) (text-mode patch, might enable memtest. macbook21)
  - http://review.coreboot.org/#/c/6732/ (MERGED) (remove useless ps/2 keyboard delay from macbook21. already merged)
- These were also merged in coreboot (relates to boards that libreboot already supported):
  - http://review.coreboot.org/#/c/5320/ (merged)
  - http://review.coreboot.org/#/c/5321/ (merged)
  - http://review.coreboot.org/#/c/5323/ (merged)
  - http://review.coreboot.org/#/c/6693/ (merged)
  - http://review.coreboot.org/#/c/6694/ (merged)
  - http://review.coreboot.org/#/c/5324/ (merged)
- Documentation: removed the section about tft_brightness on X60 (new code makes it obsolete)
- Removed all patches from resources/libreboot/patch/ and added new patch: 0000_t60_textmode.git.diff
- Updated getcb script and DEBLOB script.
- Updated configuration files under resources/libreboot/config/ to accommodate new coreboot version.
- Removed grub_serial*.cfg and libreboot_serial*.rom; all configs/ROMs are now unified (containing the same configuration as the serial ROMs from before).
- Documentation: updated ../docs/index.html#rom to reflect the above.
- Updated GRUB to new version from August 14th, 2014.
- Unified all grub configurations for all machines to a single grub.cfg under resources/grub/config/
- Updated flashrom to new version from August 20th, 2014
- Added getseabios and builddeps-seabios (builddeps and getall were also updated)
- Added instructions to 'buildrom-withgrub' to include bios.bin.elf and vgaroms/vgabios.bin from SeaBIOS inside the ROM.
- Added seabios (and sgavgabios) to grub as payload option in menu
- Disabled serial output in Memtest86+ (no longer needed) to speed up tests.
- MemTest86+ now works properly; it can output on the laptop screen (no serial port needed anymore).
- Added getgrubinvaders, builddeps-grubinvaders scripts. Added these to getall and builddeps.
- Added GRUB Invaders menu entry in resources/grub/config/grub.cfg
- Added rules to builddeps-coreboot to build libpayload with TinyCurses (added appropriate instructions to cleandeps script).
- Commented out lines in resources/grub/config/grub.cfg for loading font/background (not useful anymore, now that GRUB is in text-mode).
- Commented out lines in buildrom-withgrub that included backgrounds/fonts (not useful anymore, now that GRUB is in text-mode).
- Added resources/utilities/i945-pwm/ (from git://git.mtjm.eu/i945-pwm), for debugging acpi brightness on i945 machines.
- Added instructions for it in builddeps, builddeps-i945pwm, builddeb and cleandeps
- 'build' script: removed the parts that generated sha512sum manifests (not needed, since release tarballs are GPG-signed)
- 'build' script: removed the parts that generated libreboot_meta directory (not needed anymore, since _meta will be hosted in git)
- Updated ../docs/index.html#build_meta (and other parts of documentation) to accommodate this change.
- Documentation: simplified (refactored) the notes in ../docs/index.html#rom
- 'build' script: removed the parts that generated libreboot_bin and added them to a new script: 'build-release'
- Documentation: ../docs/index.html#build updated to reflect the above.
- Removed 'sudo' from builddeb, builddeb-flashrom, powertop.trisquel6 and builddeb-bucts scripts (assuming that the user has it is a really bad idea).
- Added all gcry_* modules to grub (luks/cryptomount): gcry_arcfour gcry_camellia gcry_crc gcry_dsa gcry_md4 gcry_rfc2268 gcry_rmd160 gcry_seed gcry_sha1 gcry_sha512 gcry_twofish gcry_blowfish gcry_cast5 gcry_des gcry_idea gcry_md5 gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_tiger gcry_whirlpool
- Added GNUtoo's list of GRUB modules (includes all of the gcry_* modules above); cryptomount should be working now.
- Removed builddeb-bucts and builddeb-flashrom, merged them with builddeb (../docs/index.html updated accordingly)
- Removed buildpac-bucts and buildpac-flashrom, merged them with buildpac (../docs/index.html updated accordingly)
- Renamed builddeb to deps-trisquel (../docs/index.html updated accordingly)
- Renamed buildpac to deps-parabola (../docs/index.html updated accordingly)
- Documentation: removed all parts talking about build dependencies, replaced them with links to ../docs/index.html#build_dependencies
- Documentation: emphasized more strongly, in the documentation, the need to re-build bucts and/or flashrom before flashing a ROM image.
- build-release: flashrom, nvramtool, cbfstool and bucts are no longer provided pre-compiled in binary archives, and are now in source form only (to maximize distro compatibility).
- Documentation: added ../docs/howtos/encrypted_trisquel.html showing how to set up a fully encrypted Trisquel installation (including /boot) and boot it from the GRUB payload.
- 'build' script: replaced grub.elf assembly instructions; it's now handled by a utility added under resources/utilities/grub-assemble
- Moved resources/grub/keymap to resources/utilities/grub-assemble/keymap, and updated that utility to use it
- Documentation: removed useless links to pictures of keyboard layouts and unmodified layouts.
- Removed all unused fonts from dejavu-fonts-ttf-2.34/ directory
- 'buildrom-withgrub' script: updated it to create 2 sets of ROMs for each machine: one with text-mode, one with coreboot framebuffer.
- Documentation: updated ../docs/index.html#rom to reflect the above
- Deleted unused README and COPYING file from main directory
- Removed some rm -rf .git* instructions from the get* scripts and moved them to build-release script
- Split up default grub.cfg into 6 parts: extra/{common.cfg,txtmode.cfg,vesafb.cfg} and menuentries/{common.cfg,txtmode.cfg,vesafb.cfg}
- buildrom-withgrub script uses these to generate the correct grub.cfg for each type of configuration.
- grub_memdisk.cfg (used inside grub.elf) now only loads grub.cfg from cbfs. It no longer enables serial output or sets prefix (menuentries/common.cfg does instead).
- resources/grub/config/extra/common.cfg, added:
  - insmod instructions to load those modules: nativedisk, ehci, ohci, uhci, usb, usbserial_pl2303, usbserial_ftdi, usbserial_usbdebug
  - set prefix=(memdisk)/boot/grub
  - For native graphics (recommended by coreboot wiki):
    - gfxpayload=keep
    - terminal_output --append gfxterm
  - Play a beep on startup:
    - play 480 440 1
- Documentation: added note about 'fb=false' workaround for text-mode debian-installer (Trisquel net install) to ../docs/howtos/grub_boot_installer.html
- Documentation: updated ../docs/howtos/grub_cbfs.html to make it safer (and easier) to follow.
Diffstat (limited to 'docs/howtos/encrypted_trisquel.html')
-rw-r--r-- docs/howtos/encrypted_trisquel.html 321
1 files changed, 321 insertions, 0 deletions
diff --git a/docs/howtos/encrypted_trisquel.html b/docs/howtos/encrypted_trisquel.html
new file mode 100644
index 0000000..2529da4
--- /dev/null
+++ b/docs/howtos/encrypted_trisquel.html
@@ -0,0 +1,321 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ body {
+ background:#fff;
+ color:#000;
+ font-family:sans-serif;
+ font-size:1em;
+ }
+ div.important {
+ background-color:#ccc;
+ }
+ </style>
+
+ <title>Installing Trisquel GNU/Linux with full disk encryption (including /boot)</title>
+</head>
+
+<body>
+ <header>
+ <h1>Installing Trisquel GNU/Linux with full disk encryption (including /boot)</h1>
+ <aside>Or <a href="../index.html">back to main index</a></aside>
+ </header>
+
+ <p>
+ Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition
+ when setting up an encrypted system. This means that your machine can really secure data while powered off.
+ </p>
+
+ <p>
+ This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>.
+ </p>
+
+ <p>
+ Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols) and when the installer asks you to setup
+ encryption (ecryptfs) for your home directory, select 'Yes'.
+ </p>
+
+ <p>
+ <b>
+ Your user password should be different than the LUKS password which you will set later on.
+ Your LUKS password should, like the user password, be secure.
+ </b>
+ </p>
+
+ <h1>Partitioning</h1>
+
+ <p>Choose 'Manual' partitioning:</p>
+ <ul>
+ <li>Select drive and create new partition table</li>
+ <li>
+ Single large partition. The following are mostly defaults:
+ <ul>
+ <li>Use as: physical volume for encryption</li>
+ <li>Encryption: aes</li>
+ <li>key size: 256</li>
+ <li>IV algorithm: xts-plain64</li>
+ <li>Encryption key: passphrase</li>
+ <li>erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)</li>
+ </ul>
+ </li>
+ <li>
+ Select 'configure encrypted volumes'
+ <ul>
+ <li>Create encrypted volumes</li>
+ <li>Select your partition</li>
+ <li>Finish</li>
+ <li>Really erase: Yes</li>
+ <li>(erase will take a long time. be patient)</li>
+ </ul>
+ </li>
+ <li>
+ Select encrypted space:
+ <ul>
+ <li>use as: physical volume for LVM</li>
+ <li>Choose 'done setting up the partition'</li>
+ </ul>
+ </li>
+ <li>
+ Configure the logical volume manager:
+ <ul>
+ <li>Keep settings: Yes</li>
+ </ul>
+ </li>
+ <li>
+ Create volume group:
+ <ul>
+ <li>Name: <b>buzz</b> (you can use whatever you want here, this is just an example)</li>
+ <li>Select crypto partition</li>
+ </ul>
+ </li>
+ <li>
+ Create logical volume
+ <ul>
+ <li>select <b>buzz</b> (or whatever you named it before)</li>
+ <li>name: <b>distro</b> (you can use whatever you want here, this is just an example)</li>
+ <li>size: default, minus 2048 MB</li>
+ </ul>
+ </li>
+ <li>
+ Create logical volume
+ <ul>
+ <li>select <b>buzz</b> (or whatever you named it before)</li>
+ <li>name: <b>swap</b> (you can use whatever you want here, this is just an example)</li>
+ <li>size: press enter</li>
+ </ul>
+ </li>
+ </ul>
+
+ <h1>Further partitioning</h1>
+
+ <p>
+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
+ </p>
+ <ul>
+ <li>
+ LVM LV distro
+ <ul>
+ <li>use as: ext4</li>
+ <li>mount point: /</li>
+ <li>done setting up partition</li>
+ </ul>
+ </li>
+ <li>
+ LVM LV swap
+ <ul>
+ <li>use as: swap area</li>
+ <li>done setting up partition</li>
+ </ul>
+ </li>
+ <li>Now you select 'Finished partitioning and write changes to disk'.</li>
+ </ul>
+
+ <h1>Kernel</h1>
+
+ <p>
+ Installation will ask what kernel you want to use. linux-generic is fine.
+ </p>
+
+ <h1>Tasksel</h1>
+
+ <p>
+ Just continue here, without selecting anything. You can install everything later (it's really easy).
+ </p>
+
+ <h1>Install the GRUB boot loader to the master boot record</h1>
+
+ <p>
+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
+ </p>
+
+ <p>
+ <i>You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.</i>
+ </p>
+
+ <h1>Clock UTC</h1>
+
+ <p>
+ Just say 'Yes'.
+ </p>
+
+ <h1>
+ Booting your system
+ </h1>
+
+ <p>
+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
+ </p>
+
+ <p>
+ Do that:<br/>
+ grub&gt; <b>cryptomount -a (ahci0,msdos1)</b><br/>
+ grub&gt; <b>set root='lvm/buzz-distro'</b><br/>
+ grub&gt; <b>linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro</b><br/>
+ grub&gt; <b>initrd /initrd.img</b><br/>
+ grub&gt; <b>boot</b>
+ </p>
+
+ <h1>
+ ecryptfs
+ </h1>
+
+ <p>
+ Immediately after logging in, do that:<br/>
+ $ <b>sudo ecryptfs-unwrap-passphrase</b>
+ </p>
+
+ <p>
+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
+ somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
+ </p>
+
+ <h1>
+ Modify grub.cfg (CBFS)
+ </h1>
+
+ <p>
+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
+ </p>
+
+ <p>
+ Modify your grub.cfg (in the firmware) <a href="grub_cbfs.html">using this tutorial</a>;
+ just change the default menu entry 'Load Operating System' to say this inside:
+ </p>
+
+ <p>
+ <b>cryptomount -a (ahci0,msdos1)</b><br/>
+ <b>set root='lvm/buzz-distro'</b><br/>
+ <b>linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro</b><br/>
+ <b>initrd /initrd.img</b>
+ </p>
+
+ <p>
+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
+ GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. <b>This should be different than your LUKS passphrase and user password.</b>
+ </p>
+
+ <p>
+ The GRUB utility can be used like so:<br/>
+ $ <b>grub-mkpasswd-pbkdf2</b>
+ </p>
+
+ <p>
+ Give it a password (remember, it has to be secure) and it'll output something like:<br/>
+ <b>grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b>
+ </p>
+
+ <p>
+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):<br/>
+ </p>
+ <pre>
+<b>set superusers=&quot;root&quot;</b>
+<b>password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b>
+ </pre>
+
+ <p>
+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
+ </p>
+
+ <p>
+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
+ using <a href="../index.html#flashrom">this tutorial</a>.
+ </p>
+
+ <h1>
+ Update Trisquel
+ </h1>
+
+ <p>
+ $ <b>sudo apt-get update</b><br/>
+ $ <b>sudo apt-get upgrade</b>
+ </p>
+
+ <p>
+ At the time of writing, Trisquel 7 had <a href="https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1274680">this</a>
+ bug from upstream. The workaround identified in <a href="https://trisquel.info/en/forum/trisquel-7-memory-leak-issues">this page</a>
+ was as follows:<br/>
+ $ <b>sudo apt-get remove libpam-smbpass</b>
+ </p>
+
+ <h1>
+ Install a desktop (optional)
+ </h1>
+
+ <p>
+ Installs the default desktop:<br/>
+ $ <b>sudo apt-get install trisquel</b>
+ </p>
+
+ <p>
+ It might ask for postfix configuration. I just choose 'No configuration'.
+ </p>
+
+ <p>
+ Next time you boot, it'll start lightdm and you can login. To start lightdm now, do:<br/>
+ $ <b>sudo service lightdm start</b>
+ </p>
+
+ <p>
+ Go back to the terminal (ctrl-alt-f1) and exit:<br/>
+ $ <b>exit</b>
+ </p>
+
+ <p>
+ Go back to lightdm (ctrl-alt-f7) and login.
+ </p>
+
+ <p>
+ Since you installed using net install and you only installed the base system, network-manager isn't controlling
+ your eth0 but instead /etc/network/interfaces is. Comment out the eth0 lines in that file, and then do:<br/>
+ $ <b>sudo /etc/init.d/networking stop</b><br/>
+ $ <b>sudo service network-manager restart</b>
+ </p>
+
+ <h1>
+ Conclusion
+ </h1>
+
+ <p>
+ If you followed all that correctly, you should now have a fully encrypted system.
+ </p>
+
+<hr/>
+
+ <p>
+ Copyright &copy; 2014 Francis Rowe &lt;info@gluglug.org.uk&gt;<br/>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
+ A copy of the license can be found at <a href="../license.txt">../license.txt</a>.
+ </p>
+
+ <p>
+ This document is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information.
+ </p>
+
+</body>
+</html>
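Review bot: the kernel command line given in both "Booting your system" and the grub.cfg menu entry, `linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root ...`, points `cryptdevice=` at the decrypted logical volume rather than at the LUKS container; the device that carries the LUKS header is the partition opened by `cryptomount -a (ahci0,msdos1)`, so if the parameter is kept at all it should name that partition, and the text should say which initramfs hook is expected to read it, since Trisquel's installer-built initramfs already unlocks the root device from the encrypted-volume configuration it wrote during installation and the system boots with or without this option. The "Modify grub.cfg (CBFS)" section overstates what the GRUB password buys: `set superusers` with `password_pbkdf2` stops someone using the payload's menu or command line to boot other media, but it cannot stop re-flashing, because the page itself flashes the new ROM from the running OS with flashrom (so anyone with root in the booted system, or with an external programmer, can still replace the firmware); please reword "protects your system from an attacker simply booting a live USB and re-flashing your firmware" accordingly. In the same section it is worth stating why the password must be strong: the `grub.pbkdf2.sha512.10000....` hash lives in grub.cfg inside CBFS, readable by anyone who reads the flash chip, so it can be attacked offline; and that with `set superusers` every menu entry requires the password unless it is declared with `--unrestricted`, which the text should mention for readers who only want to lock the command line. In "Partitioning", "Encryption: aes / key size: 256 / IV algorithm: xts-plain64" gives AES-128 in XTS mode, since XTS splits the key into two halves; choose 512 if AES-256 is intended, and say so. Minor: the ecryptfs paragraph ends with a stray ">" after "memorize it still)".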