using this howto for main workflow https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019 with a few modifications. other approaches are also documented on this site
encrypted root with unencrypted boot
librem key to unlock root on boot
clean up boot + smartcard process
secure boot not working
create signatures for kernel and initrd in /boot using smartcard
validate signatures during boot
audit initrd for private information
run the live installer environment so we can prepare the system. Before running the installer, manually partition the disk(s) and create the LUKS infrastructure. See the Ubuntu howto, then modify it in the following ways:
use a separate boot partition that is unencrypted. The files on it are signed in a PureBoot setup to prevent tampering. I think Secure Boot would also sign them. Still working on that.
When creating the LUKS container, use a strong passphrase to get set up. The smartcard comes later.
If you want to use LVM on the root drive, it will need to be done manually after decrypting the LUKS device and before running the Kubuntu installer.
set boot to ask for a password in /etc/crypttab. Had to restart using the password version to continue; could not get the initrd to build using the keyscript in the live installer.
In the installer environment, gather the device names and create the crypttab file inside the newly installed file system.
echo "$OPEN_DEV_NAME UUID=$(blkid -s UUID -o value "$LUKS_DEV") none luks" >> /path/to/etc/crypttab
Make sure there are initrd files in /boot in the newly created system. You may need to mount the /boot partition inside the chroot first.
chroot /target
ls /boot
mount /dev/to/boot /boot
Now chroot into the new system and update the initrd files so the decryption step becomes part of the boot process
chroot /target
update-initramfs -u -k all
If you didn't use the same opened LUKS device name in /etc/crypttab that was used to decrypt in your install environment, the initrd update will fail.
add smartcard utilities
sudo apt install opensc scdaemon libccid pcscd pcsc-tools pinentry-tty
!!! tried pinentry-curses but it would not let me hit the enter key
test key
gpg --card-status
import public key for smartcard #!!!WTF. I don't have the export command here. Can't find it anywhere. Not even on the Purism docs, which is where I did this all the first time...
gpg --import pubkey.asc
export the smartcard's public key for use in the boot process
gpg --export XYZ > pubring.gpg
sudo mv pubring.gpg /etc/cryptsetup-initramfs/pubring.gpg
create a new binary data key and add it to a keyslot on the LUKS root device. Encrypt the key with the smartcard and write the result to /etc/luks/boot_os.keyfile.pkcs1. See https://blog.g3rt.nl/luks-smartcard-or-token.html for the steps to create the keyfile and for some ideas on how to avoid writing your key to disk in the clear.
modify the initrd to use the encrypted keyfile. The keyscript has to decrypt the file before it is passed to cryptsetup
echo "luks-sda5 UUID=ABC /etc/luks/boot_os.keyfile.pkcs1 luks,keyscript=decrypt_gnupg-sc" >> /etc/crypttab
echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook
update grub to remove the splash screen and quiet mode. Can't see the tty prompt if we don't!
/etc/default/grub: GRUB_CMDLINE_LINUX_DEFAULT=""
back up the existing initrd files and create new ones
cd /boot
tar -czf initrd.tgz initrd.*
update-initramfs -u -k all
update grub for all settings just made
update-grub
restart and see if grub is still using the quiet and splash options. Manually delete them before booting to see the smartcard PIN entry. DON'T FORGET to plug in the smartcard before booting
When turning on Secure Boot in the BIOS the system still boots but outputs errors about verification, which is fine for now. They are not noticeable because rEFInd quickly overwrites them. I may uninstall rEFInd if it makes getting Secure Boot working much easier.
I need the boot process to verify the kernel and initrd. I think this is where UEFI and Secure Boot complete this chain of trust. https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
I can have the initrd bootup run extra code to check signatures, but I'm not sure that is secure. Evil maids can create a bootable USB which copies my initrd, modifies it, and runs it. I'd have to be able to verify the initrd before it's loaded, and I don't have an environment to do that.
Can I get a signature of the kernel in memory? What about the initrd? Seems like that would be very difficult... This guy is trying to do this...