Barney Style Libreboot Debian 11 (Bullseye) Installation Guide

This guide assumes a stock Libreboot image is already flashed to the laptop's BIOS flash chip. If you're looking for a guide for flashing Libreboot over the stock ROM you can check out this post https://exclusionzone.io/flash-libreboot-to-lenovo-x200/, but I'd suggest googling around as there are more up to date guides on this.

This guide was written specifically using the 20211122 grub_x200_8mb_libgfxinit_corebootfb_usqwerty.rom and debian-live-11.1.0-amd64-xfce.iso and a Lenovo X200 with the MX25L6405D chip.

Credit where credit is due. I've been using Libreboot for a while, but still had to lean heavily on these sources. They're good, but none of them covers the procedure below end to end, which is what I needed to leave the laptop in the end state I wanted.
https://libreboot.org/docs/gnulinux/encrypted_debian.html
https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot)
https://libreboot.org/docs/gnulinux/grub_hardening.html
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Flash your Debian installation image to a USB drive and insert it into the laptop.

Additionally insert a blank USB drive. The Debian installer insists on an unencrypted /boot when the root file system is encrypted; Libreboot's GRUB can unlock LUKS itself, so the second drive only serves as a temporary /boot to satisfy the installer and is removed once the install finishes.

Install Debian

  • Boot your laptop and select "Search for GRUB2 configuration on external media"
  • Select "Debian Installer"
  • Select your language location and keyboard
  • If desired select the network device you wish to leverage, and if required enter the WiFi credentials when prompted
  • Enter your laptop's host name and domain suffix
  • Enter your root password, new username, and user password
  • Configure your clock for the appropriate time zone
  • In the "Partition disks" dialog select "Manual"
  • Delete any pre-existing partitions on your installation target
  • Select the free space on your installation target
  • Select "Create a new partition"
  • Select "Primary"
  • Select "Beginning"
  • Select "Use as:"
  • Select "physical volume for encryption"
  • Optionally disable "Erase data:"
  • Select "Done setting up the partition"
  • Select "Configure encrypted volumes"
  • Select "Yes"
  • Select "Finish"
  • Enter your encryption passphrase. This should be different from the root and user passwords you had set earlier.
  • Select the new encrypted volume. It should read similar to below
    "#1     xxx.x GB    f    ext4"
  • Select "Use as"
  • Select "Ext4"
  • Select "Mount point"
  • Select "/ - the root file system"
  • Select "Done setting up the partition"
  • Select the 2nd USB drive
  • If prompted to create a partition table select "Yes"
  • Select the "FREE SPACE" on the device
  • Select "Create new partition"
  • Enter a size of at least 500MB
  • Select "logical"
  • Select "Use as:"
  • Select "Ext2 file system"
  • Select "Mount point"
  • Select "/boot - static files of the boot loader"
  • Select "Done setting up the partition"
  • Select "Finish partitioning and write changes to disk"
  • Select "No" when warned that no swap space was configured and asked whether to return to the partitioning menu
  • Select "Yes" when prompted to write changes to the disk
  • Wait for the "Partitions formatting" and "Installing the system" steps to complete
  • When prompted with "Use a network mirror?" select "Yes"
  • Select your mirror country
  • Select your desired mirror
  • Enter an HTTP proxy if required or just press enter if not required
  • Wait for the "Configuring apt" and "Installing GRUB boot loader" steps to complete
  • When prompted with "Install the GRUB boot loader to your primary drive?" select "No"
  • Select "Go Back"
  • Select "Continue without boot loader"
  • Select "Continue"
  • Wait for the "Finishing the installation" step to complete
  • When the "Installation complete" dialog is on screen select "Continue". Leave the installation media USB drive inserted and remove the temporary /boot partition USB drive. Keep that drive around: the kernel and initrd the installer just wrote are on it, not on the encrypted root.

Convert the encrypted volume key derivation function from argon2i to pbkdf2

Debian 11's installer creates LUKS2 keyslots with argon2i, and the GRUB in Libreboot can read LUKS2 but has no Argon2 implementation, so it cannot unlock the volume until the passphrase keyslot is converted to PBKDF2. PBKDF2 is the weaker function against offline brute force, which is one more reason for a long passphrase. The /dev/sda1 below is the encrypted partition as seen from the live system; confirm it with lsblk, since the live USB itself also shows up as a disk.

  • When the laptop reboots into libreboot's grub select "Search for GRUB2 configuration on external media"
  • Select Debian GNU/Linux Live (Kernel <KernelVersionHere>)
  • Wait for the OS to boot
  • Open a terminal
user@debian:~$ sudo su

root@debian:/home/user# cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda1
Enter passphrase for keyslot to be converted:

  • Before shutting down, make sure /boot inside the encrypted root actually holds a kernel and initrd: the installer wrote them to the temporary /boot USB, while the grub commands in the next section load /vmlinuz and /initrd.img from the encrypted root. If it is empty, open and mount the encrypted volume from this live system, copy the USB's contents into its /boot, and remove the /boot line from /etc/fstab.
root@debian:/home/user# /usr/sbin/shutdown now -hP
  • Wait for your laptop to shut down completely then remove the USB stick
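Before rebooting it is worth reading the header back rather than assuming the conversion took. The script below is an added example, not from the original post or from the Libreboot project: it parses cryptsetup luksDump output and lists every keyslot that still uses something other than PBKDF2, which GRUB would be unable to open. The dump embedded in it is a constructed sample, and the /dev/sda1 path in the comments is the page's assumption.

```shell
#!/bin/sh
# Pre-flight check before rebooting: list the PBKDF of every LUKS2 keyslot and
# flag the ones GRUB cannot open.  Feed it `cryptsetup luksDump /dev/sda1`.
# Only PBKDF2 slots can be unlocked by GRUB's luks2 module; Argon2 slots cannot.

# Print "<slot index> <pbkdf>" for each keyslot.  Only the "Keyslots:" section
# is scanned; the "Digests:" section also says "pbkdf2" and must not be counted.
luks_slot_pbkdfs() {
    awk '
        /^Keyslots:/                { in_slots = 1; next }
        /^[A-Za-z]/ && in_slots     { in_slots = 0 }      # next top-level section
        in_slots && /^  [0-9]+: /   { slot = $1; sub(":", "", slot) }
        in_slots && /^[ \t]+PBKDF:/ { print slot, $2 }
    '
}

# Print the slots that are not PBKDF2; exit 1 if there are any, 0 otherwise.
grub_incompatible_slots() {
    luks_slot_pbkdfs | awk '
        BEGIN { bad = 0 }
        $2 != "pbkdf2" { print; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample of luksDump output (not captured from a real device):
# slot 0 already converted, slot 1 still on the installer default argon2i.
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           1c6b9f1e-0000-4000-8000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1300000
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 120000'

# Real use: cryptsetup luksDump /dev/sda1 | grub_incompatible_slots
if printf '%s\n' "$SAMPLE_DUMP" | grub_incompatible_slots; then
    echo "every keyslot uses pbkdf2; GRUB can open this volume"
else
    echo "convert the slots listed above: cryptsetup luksConvertKey --pbkdf pbkdf2 --key-slot N /dev/sda1" >&2
fi
```

Run against the real device the pipeline in the comment is all you need; an empty listing and exit status 0 means GRUB will be able to open the volume. A keyfile slot added later with luksAddKey will show up as argon2i again, which is harmless because GRUB only needs the passphrase slot, but the check makes that visible instead of surprising.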

Perform first boot into the newly installed Debian OS

  • Power on the laptop and press "c" when you see the grub console
  • Unlock the volume and boot from it. For the layout created above (ext4 directly on the LUKS partition, which the installer maps as sda1_crypt) the decrypted partition shows up in GRUB as crypto0 (ls lists it after cryptomount):
grub> cryptomount -a
Enter passphrase for ahci0,msdos1 (<LongStringHere>): _
Slot "1" opened

grub> set root='crypto0'

grub> linux /vmlinuz root=/dev/mapper/sda1_crypt

grub> initrd /initrd.img

grub> boot
  • If you put LVM on top of the encrypted partition instead (the example below uses a volume group "matrix" with a logical volume "rootvol"), point both GRUB and the kernel at the logical volume:
grub> cryptomount -a

grub> set root='lvm/matrix-rootvol'

grub> linux /vmlinuz root=/dev/mapper/matrix-rootvol

grub> initrd /initrd.img

grub> boot
  • Debian's initramfs reads the unlock parameters from the crypttab embedded in it, so a cryptdevice= argument (mkinitcpio syntax) is not needed in either case; root= is enough. It will ask for the passphrase a second time, since no keyfile has been set up yet.
  • When prompted, enter your encrypted volume password again
Please unlock disk sda1_crypt:
  • Log in to the desktop

Pull down and verify the libreboot files

  • Configure a network connection
  • Open a terminal
user@laptop:~$ su
Password:

root@laptop:/home/<UserName># apt update && apt -y install wget flashrom vim; exit
user@laptop:~$ mkdir libreboot; cd libreboot

user@laptop:~/libreboot$ wget https://libreboot.org/lbkey.asc https://rsync.libreboot.org/testing/20211122/libreboot-20211122_src.tar.xz https://rsync.libreboot.org/testing/20211122/libreboot-20211122_src.tar.xz.sha256 https://rsync.libreboot.org/testing/20211122/libreboot-20211122_src.tar.xz.sig
user@laptop:~/libreboot$ gpg --import lbkey.asc 
gpg: key D0C62464FA8B4856: 1 signature not checked due to a missing key
gpg: key D0C62464FA8B4856: public key "Leah Rowe <info@minifree.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
user@laptop:~/libreboot$ sha256sum libreboot-20211122_src.tar.xz; cat libreboot-20211122_src.tar.xz.sha256
e8a610e51e668c34627a6d9c048c554592fd2c2ab4dbcad83c85c06d132e5ad1  libreboot-20211122_src.tar.xz
e8a610e51e668c34627a6d9c048c554592fd2c2ab4dbcad83c85c06d132e5ad1  libreboot-20211122_src.tar.xz
user@laptop:~/libreboot$ gpg --verify libreboot-20211122_src.tar.xz.sig libreboot-20211122_src.tar.xz
gpg: Signature made Mon 22 Nov 2021 03:48:56 PM EST
gpg:                using RSA key 98CCDDF8E56047F475C044BDD0C62464FA8B4856
gpg: Good signature from "Leah Rowe <info@minifree.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 98CC DDF8 E560 47F4 75C0  44BD D0C6 2464 FA8B 4856
"Good signature" only means the signature matches the key imported a moment ago. What makes the check meaningful is that the primary key fingerprint gpg prints (98CC DDF8 E560 47F4 75C0 44BD D0C6 2464 FA8B 4856) matches the one the project publishes, confirmed through a second channel rather than the same download. The .sha256 file comes from the same server as the tarball, so it only catches corruption; the signature is the authenticity check. With both passing, unpack the source:
user@laptop:~/libreboot$ tar xf libreboot-20211122_src.tar.xz

user@laptop:~/libreboot$ cd libreboot-20211122_src
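As an added example, not part of the original post, here is how to make that fingerprint comparison mechanical rather than visual. It pins the primary key fingerprint shown above and checks gpg's machine-readable status output against it; the status lines in the script are a constructed sample modelled on the verify run, and LIBREBOOT_FPR, verify_pinned and the other function names are this example's own.

```shell
#!/bin/sh
# Verify a Libreboot download against a pinned key fingerprint instead of
# trusting gpg's "Good signature" line, which only says the signature matches
# some key in your keyring.

# Primary-key fingerprint from the gpg output above.  Confirm it against the
# project's published key through a second channel before pinning it here.
LIBREBOOT_FPR=98CCDDF8E56047F475C044BDD0C62464FA8B4856

# Read `gpg --status-fd 1 --verify` output on stdin and print the primary-key
# fingerprint from its VALIDSIG line (last field).  Fail if any line reports a
# bad signature, an unverifiable one, or an expired or revoked key.
signature_primary_fpr() {
    awk '
        BEGIN { bad = 0; fpr = "" }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
        END { if (bad || fpr == "") exit 1; print fpr }
    '
}

# Compare a fingerprint with the pin, ignoring spacing and case
# (gpg prints it grouped in fours; status lines print it bare).
fpr_matches_pin() {
    [ "$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" = "$LIBREBOOT_FPR" ]
}

# Full check for a detached signature: $1 = .sig file, $2 = signed file.
# The .sha256 file only detects corruption (it comes from the same server);
# the signature is what establishes who produced the tarball.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | signature_primary_fpr) || return 1
    fpr_matches_pin "$fpr"
}

# Constructed status output (not a real gpg capture) modelled on the verify
# run above: a good signature by the pinned key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 98CCDDF8E56047F475C044BDD0C62464FA8B4856 0
[GNUPG:] SIG_ID 0000000000000000000000000000 2021-11-22 1637614136
[GNUPG:] GOODSIG D0C62464FA8B4856 Leah Rowe <info@minifree.org>
[GNUPG:] VALIDSIG 98CCDDF8E56047F475C044BDD0C62464FA8B4856 2021-11-22 1637614136 0 4 0 1 10 00 98CCDDF8E56047F475C044BDD0C62464FA8B4856
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Real use:
#   verify_pinned libreboot-20211122_src.tar.xz.sig libreboot-20211122_src.tar.xz \
#       && sha256sum -c libreboot-20211122_src.tar.xz.sha256
if fpr=$(printf '%s\n' "$SAMPLE_STATUS" | signature_primary_fpr) && fpr_matches_pin "$fpr"; then
    echo "signature made by the pinned key $fpr"
else
    echo "signature is NOT from the pinned key; do not use this download" >&2
fi
```

The pin belongs in the script, not in the keyring's trust settings: a "Good signature" from any other key that happens to be imported, or from a revoked or expired one, fails the check rather than passing with a warning nobody reads.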

Read the active rom

user@laptop:~/libreboot$ su
Password:

root@laptop:/home/<UserName># /usr/sbin/flashrom -p internal
flashrom v1.2 on Linux 5.10.0-9-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
coreboot table found at 0x7d770000.
Found chipset "Intel ICH9M-E".
Enabling flash write... OK.
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Found Macronix flash chip "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E/MX25L6473F" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Multiple flash chip definitions match the detected chip(s): "MX25L6405", "MX25L6405D", "MX25L6406E/MX25L6408E", "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E/MX25L6473F"
Please specify which chip definition to use with the -c <chipname> option.

root@laptop:/home/<UserName># /usr/sbin/flashrom -p internal -c MX25L6405D -r libreboot.rom
flashrom v1.2 on Linux 5.10.0-9-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
coreboot table found at 0x7d770000.
Found chipset "Intel ICH9M-E".
Enabling flash write... OK.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Reading flash... done.

root@laptop:/home/<UserName># /usr/sbin/flashrom -p internal -c MX25L6405D -r libreboot.rom2
flashrom v1.2 on Linux 5.10.0-9-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
coreboot table found at 0x7d770000.
Found chipset "Intel ICH9M-E".
Enabling flash write... OK.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Reading flash... done.

root@laptop:/home/<UserName># diff libreboot.rom libreboot.rom2
  • No output means the two reads are byte-for-byte identical (for binaries diff would otherwise only report that the files differ). If they disagree, read again rather than trusting either copy.

root@laptop:/home/<UserName># mv libreboot.rom2 libreboot.rom.bak
  • Copy libreboot.rom.bak off the laptop as well. The backup exists for the case where the laptop no longer boots, and then an external flasher is the only way to use it.

This post is still a WIP, and things below haven't been thoroughly tested yet. This will be completed at a later time.

Generate a key file for the encrypted volume

The point of the keyfile is to avoid typing the passphrase twice: GRUB unlocks the volume to reach /boot, then the initramfs unlocks it again with the keyfile. The keyfile is embedded in the initramfs, which sits in /boot inside the encrypted root, so it is never stored in the clear, provided /boot stays inside the encrypted volume. The UMASK=0077 setting below keeps the generated initramfs readable by root only, since it now contains the key.

root@laptop:/home/<UserName># mkdir -m0700 /etc/keys

root@laptop:/home/<UserName># ( umask 0077 && dd bs=512 count=4 if=/dev/urandom of=/etc/keys/root.key iflag=fullblock )
4+0 records in
4+0 records out
2048 bytes (2.0 kB, 2.0 KiB) copied, 0.000388614 s, 5.3 MB/s

root@laptop:/home/<UserName># /usr/sbin/cryptsetup luksAddKey /dev/sda1 /etc/keys/root.key
Enter any existing passphrase:

root@laptop:/home/<UserName># echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf

root@laptop:/home/<UserName># sed -i 's/#KEYFILE_PATTERN=/KEYFILE_PATTERN="\/etc\/keys\/*.key"/g' /etc/cryptsetup-initramfs/conf-hook

root@laptop:/home/<UserName># sed -i 's/none/\/etc\/keys\/root.key/g' /etc/crypttab

root@laptop:/home/<UserName># sed -i 's/$/,key-slot=1/g' /etc/crypttab
  • key-slot must name the slot that luksAddKey actually filled. Check with cryptsetup luksDump /dev/sda1 before relying on it: the passphrase slot should read PBKDF pbkdf2, and the keyfile is in the other occupied slot. Note that both sed commands above edit every line of /etc/crypttab; that is fine while it holds only the single sda1_crypt entry the installer wrote.

root@laptop:/home/<UserName># PATH=$PATH:/usr/sbin/

  • The line below adds a second mapping of sda1 named "matrix", which is what the LVM variant of the grub commands (lvm/matrix-rootvol) expects. With the installer's layout the sda1_crypt entry edited above is the only entry sda1 should have; a second entry for the same device with key "none" brings the passphrase prompt back, so skip this line in that case.
root@laptop:/home/<UserName># echo "matrix $(blkid | grep sda1 | awk '{print $2}' | sed 's/"//g') none luks,discard" >> /etc/crypttab

root@laptop:/home/<UserName># update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.10.0-9-amd64
.....TRUNCATED.....

root@laptop:/home/<UserName># shutdown now -hP
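The two sed commands above work on a crypttab with a single entry but rewrite every line of the file. As an added example (not the page's own commands, nor Debian tooling), the function below edits only the named mapping, replaces a stale key-slot= option instead of appending a second one, and refuses to touch the file if the mapping is absent. The crypttab it runs on is a constructed copy of the installer's entry, and the slot number 1 is assumed here as on the page; the real number comes from luksDump.

```shell
#!/bin/sh
# Point one /etc/crypttab mapping at a keyfile without touching other entries.
# Usage: crypttab_set_keyfile FILE MAPPING KEYFILE [SLOT]
crypttab_set_keyfile() {
    file=$1 name=$2 key=$3 slot=${4:-}
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if awk -v name="$name" -v key="$key" -v slot="$slot" '
        BEGIN { found = 0 }
        # comments, blank lines and other mappings pass through unchanged
        /^[ \t]*#/ || NF == 0 || $1 != name { print; next }
        {
            n = split((NF >= 4) ? $4 : "", o, ",")
            opts = ""
            for (i = 1; i <= n; i++)
                if (o[i] != "" && o[i] !~ /^key-slot=/)     # drop a stale key-slot=
                    opts = opts (opts == "" ? "" : ",") o[i]
            if (slot != "")
                opts = opts (opts == "" ? "" : ",") "key-slot=" slot
            if (opts == "") print $1, $2, key
            else            print $1, $2, key, opts
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"; then rc=0; else rc=1; fi
    rm -f "$tmp"      # cat, not mv, so the file keeps its original mode
    return $rc
}

# Print the crypttab line for one mapping (empty if absent).
crypttab_entry() {
    awk -v name="$2" '$1 == name' "$1"
}

# Demo on a constructed copy of what the installer writes, not the live file.
demo=$(mktemp)
printf '%s\n' \
    '# <target name> <source device>         <key file>  <options>' \
    'sda1_crypt UUID=1c6b9f1e-0000-4000-8000-000000000000 none luks,discard' \
    > "$demo"
# Slot number comes from `cryptsetup luksDump /dev/sda1`: the slot luksAddKey
# filled, not the passphrase slot.  1 is assumed here, as on the page.
crypttab_set_keyfile "$demo" sda1_crypt /etc/keys/root.key 1
cat "$demo"
rm -f "$demo"
```

On the real system the call is crypttab_set_keyfile /etc/crypttab sda1_crypt /etc/keys/root.key N followed by update-initramfs -u, exactly as in the steps above; the difference is only that a swap or second data mapping in the same file is left alone.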
  • Once the laptop has fully shut down, power it back on and press "c" when grub is on screen. With the boot options below you should not be prompted for the encrypted volume password a second time. Note the two extra arguments on the linux line: iomem=relaxed is needed so flashrom's internal programmer can read and write the flash chip from the running system; cryptkey= is mkinitcpio (Arch) syntax that Debian's initramfs does not read, so it is harmless but not what does the unlocking. On Debian the keyfile location comes from the crypttab embedded in the initramfs by the steps above.
grub> cryptomount -a
Enter passphrase for ahci0,msdos1 (<LongStringHere>): _
Slot "1" opened

grub> set root='lvm/matrix-rootvol'

grub> linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptkey=rootfs:/etc/keys/root.key cryptdevice=/dev/mapper/matrix-rootvol:root iomem=relaxed

grub> initrd /initrd.img

grub> boot
  • If you get hung up in the initramfs shell for some reason you should be able to unlock the encrypted volume and complete boot into the OS with the following. It's hard to say what may have broken, but this should at least get you into the OS so you can copy out any impo
(initramfs) cryptsetup luksOpen /dev/sda1 matrix
(initramfs) exit
  • The mapping name must be the one the kernel's root= argument expects: sda1_crypt for the installer's layout, matrix in the LVM example above. Debian's initramfs keeps waiting for the root device after dropping you to its shell, so leaving the shell with exit lets the normal boot scripts carry on, mount the root file system at /root and hand over to init.