libreboot

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README

commit 0be85f82c2ffe56859701c9ada615bfa846d0879
parent 8767e2b33bf6e6297a61dffa188fe499e5712e4b
Author: Leah Rowe <info@minifree.org>
Date:   Tue,  7 Mar 2017 05:12:10 +0000

remove hardening guides from debian/parabola guides. link to specing's guide

Diffstat:
docs/gnulinux/encrypted_debian.html | 51+++++++--------------------------------------------
docs/gnulinux/encrypted_parabola.html | 50++++----------------------------------------------
2 files changed, 11 insertions(+), 90 deletions(-)

diff --git a/docs/gnulinux/encrypted_debian.html b/docs/gnulinux/encrypted_debian.html @@ -333,53 +333,16 @@ You can also specify -u UUID or -a (device). </p> - <p> - Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. <b>This should be different than your LUKS passphrase and user password.</b> - </p> - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (as opposed to passwords). - </p> - - <p> - The GRUB utility can be used like so:<br/> - $ <b>grub-mkpasswd-pbkdf2</b> - </p> - - <p> - Give it a password (remember, it has to be secure) and it'll output something like:<br/> - <b>grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b> - </p> - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords). - </p> - - <p> - Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):<br/> - </p> - <pre> -<b>set superusers=&quot;root&quot;</b> -<b>password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b> - </pre> - <p style="font-size:2em;"> - MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. - Then select the menu entry that says <i>Switch to grubtest.cfg</i> and test that it works. - Then copy that to grub.cfg once you're satisfied. - WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. - </p> - <p> - (emphasis added, because it's needed. This is a common roadblock for users) - </p> - - <p> - Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! - </p> + <p> + <a href="grub_hardening.html">Refer to this guide</a> for further guidance + on hardening your GRUB configuration, for security purposes. + </p> <p> - After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM + Flash the modified ROM using <a href="../install/#flashrom">this tutorial</a>. </p> - + </div> <div class="section"> @@ -487,7 +450,7 @@ Supported CD-RW media types according to MMC-4 feature 0x37: Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license or any later version published by Creative Commons; - + A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> </p> diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html @@ -572,52 +572,10 @@ initrd /boot/initramfs-linux-libre<u>-lts</u>.img You can also specify -u UUID or -a (device). </p> - <p> - Now, to protect your system from an attacker simply booting a live usb distro and re-flashing the boot firmware, we are going to add a password for GRUB. - In a new terminal window, if you are not yet online, start dhcp on ethernet:<br/> - # <b>systemctl start dhcpcd.service</b> - Or make sure to get connected to the internet in any other way you prefer, at least. - </p> - - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords). - </p> - - <p style="font-size:2em;"> - AGAIN: MAKE SURE TO DO THIS WHOLE SECTION ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. - (When we get there, upon reboot, select the menu entry that says <i>Switch to grubtest.cfg</i> and test that it works. - Only once you are satisfied, copy that to grub.cfg. Only a few steps to go, though.) - WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. - </p> - - <p> - (emphasis added, because it's needed: this is a common roadblock for users.) - </p> - - <p> - We need a utility that comes with GRUB, so we will download it temporarily. (Remember that GRUB isn't needed for booting, since it's already included as a payload in libreboot.) - Also, we will use flashrom, and I installed dmidecode. You only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here - it is:<br/> - # <b>pacman -S grub flashrom dmidecode base-devel</b><br/> - Next, do:<br/> - # <b>grub-mkpasswd-pbkdf2</b><br/> - Enter your chosen password at the prompt and your hash will be shown. Copy this string - you will add it to your grubtest.cfg. - </p> - - <p> - The password below (it's <b>password</b>, by the way) after <i>'password_pbkdf2 root'</i> <i>should be changed</i> to your own. - Make sure to specify a password that is different from both your LUKS *and* your root/user password. - Obviously, do not simply copy and paste the examples shown here... - </p> - - <p> - Next, back in grubtest.cfg, above the first 'Load Operating System' menu entry, you should now add your GRUB password, like so - (replace with your own name (I used <b>root</b> on both lines, feel free to choose another one) and the password hash which you copied): - </p> -<pre> -set superusers=&quot;root&quot; -password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -</pre> + <p> + <a href="grub_hardening.html">Refer to this guide</a> for further guidance + on hardening your GRUB configuration, for security purposes. + </p> <p> Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image:<br/>