Netinsall, tty, apt-get update not working

root_vegetable
Offline
Joined: 10/27/2015

Could you edit the fstab file to set /boot/ to be on a different drive?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

An unencrypted boot partition opens the possibility for someone to be able to install malicious software, since it can be read from and written to without any problem.

Indeed. However, encryption only makes a difference in a scenario with physical access. That is, in this case, someone booting a Live system on the computer and changing the kernel in /boot.

root_vegetable
Offline
Joined: 10/27/2015

Intel ME gives anyone physical access.
--
What if you go on holiday and an organised crime group targets you?
"Did you enjoy your holiday in Normandy?"
"Yeah, the food was great but someone stole my bitcoins not long after I got back!"
Or a spook with personal vengeance?
Or some nasty "script kiddy"?
--

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Well, not anyone... but if the attacker has enough power on Intel (states), then, yes, it is a potential problem.

root_vegetable
Offline
Joined: 10/27/2015

I seriously think that activists could be at risk.
Perhaps it is just a matter of paperwork, then Intel hits the button to send off some malware.
And the scary thing is no one can conclusively prove it has/hasn't happened.
We are living in the age of Orwell.

hack and hack
Offline
Joined: 04/02/2015

Browsing through my 2009 netbook, I see no AMT/ME parameters.
Sweet. With the encrypted /boot nearly working, even without Libreboot, it's a rather secure computer.

AMT/ME's wiki page seems to say that only 2015 are concerned. But I might be wrong. After all, the X200 is of 2008. I never had the opportunity to check its original BIOS.

Either way, such a black box on my machine is unacceptable. Though I agree that realistically the danger is currently minimal, the fact that it has potential for abuse makes it wrong, to me.

There's also such a thing as over-cautiousness, but for now I'm at a deeper learning stage, so I go all out ;)

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

> Browsing through my 2009 netbook, I see no AMT/ME parameters. Sweet

Browsing w00t, where? What parameters?

If it is an Intel cpu, you most certainly have it.
ME is present on all Intel desktop, mobile (laptop), and server systems since mid 2006.

https://libreboot.org/faq/#intelme

> AMT/ME's wiki page seems to say that only 2015 are concerned. But I might be wrong.

You are wrong. All intel cpu hardware since 2006 and all AMD cpu hardware since 2013.

> Either way, such a black box on my machine is unacceptable

I agree. In fact, not having at my disposal 500 euros to throw on minifree, I opted to buy a 2003 laptop for 20 euros, no backdoor, dirty cheap and it works great. Smooth as butter, believe it or not. If I find another one like this (2006 tops, coreduo) for dirty cheap like the one I got, I will buy it without second thought.

hack and hack
Offline
Joined: 04/02/2015

Oh, right, I meant my BIOS settings.
I'm supposed to be able to enable/disable AMT.
Yet there's no related option.

Unfortunately, my netbook's north bridge chipset is the Intel 945GSE, which supports AMT:
Intel® Active Management Technology,2
when used with the Intel® 82573E Gigabit Ethernet Controller, supports high-quality asset management capabilities such as remote management
of unmanned sites
--
2 - Intel® Active Management Technology requires the platform to have an Intel® AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see http://www.intel.com/technology/iamt.

Fortunately (I hope), the Device's map indicates that the Gigabit Ethernet Controller is "an optional Intel component".
https://www-ssl.intel.com/content/www/us/en/intelligent-systems/navy-pier/atom-n270-ibd.html

Can I safely deduce that I'm off the hook with this one, regarding AMT/ME?
If I don't have that optional piece on my machine, I can safely say I'm AMT-free. EDIT: Maybe that Optional piece of hardware is meant for the controlling Desktop, not for my Netbook. OTOH, since I nearly never am on Ethernet with this one, I don't think I'm concerned anyway.
Plus, seeing all it takes to make it work, I doubt it's a threat on this specific Netbook.

You buying a 2003 laptop for this cheap is a smart move, I can definitely believe that it runs just fine.

root_vegetable
Offline
Joined: 10/27/2015

You should look around for an X60 laptop. They are dirt cheap and you can flash Libreboot via software.
And you are also saving poor computers from that computer graveyard in China...

hack and hack
Offline
Joined: 04/02/2015

I'm actually saving that old netbook from that same graveyard. Sure, there's no Libreboot, and that's ok for what I plan to do with it.

And according to the data above, the AMT/ME is no threat on this machine anyway. So there's no point in me getting an X60 right now.

But if I need another machine, it's one of the best choices indeed.

hack and hack
Offline
Joined: 04/02/2015

Thanks lembas, that's a great option.
Thanks jxself, now I know how to do it, and why I should (or not).
The way I roughly consider my threat model is this: even if there's no threat involved, if it's easy/takes little time to setup, it's better to have it than not.

This could be a good option for computers that don't support libreboot and can't have an encrypted /boot (since proprietary BIOSes typically do not have support for reading an encrypted /boot it needs to be left unencrypted.)
Looking at this (https://wiki.archlinux.org/index.php/GRUB#Boot_partition) and this (http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/), it seems I don't need to be on Libreboot in order to have a functioning encrypted /boot anymore. Grub offers this exception now.

So even if I'm not on Libreboot on this machine, I still can boot manually. But I can't figure out how to save my manual input. Yet.

EDIT:
Changing grub parameters only isn't enough.
Last thing to try is adding lvm and luks hooks to "initramfs.conf", which is the equivalent of Archlinux's "mkinitcpio".

hack and hack
Offline
Joined: 04/02/2015

SOLVED.

I'm now happily running an encrypted netinstall (with /boot encrypted)
without having to worry about AMT/ME, even if this machine isn't running Libreboot.

What I did to finally be able to boot automatically:
I removed "quiet splash $vt_handoff" from the grub boot config ("c" when in grub).
This worked. I tried again only removing splash this time.
It worked also.
So after booting, I removed quiet splash altogether (I don't like the black screen "quiet" offers).
And did an "update-grub".

Worked marvelously.

Btw, to have grub displayed automatically, comment the first line (10 means ten seconds before automatic boot):
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT="10"

I also did this, following the link I've already posted:
Configuring the boot loader
Configure GRUB to recognize the LUKS encrypted /boot partition and unlock the encrypted root partition at boot:

in /etc/default/grub

GRUB_CMDLINE_LINUX="... cryptdevice=UUID=:lvm root=/dev/mapper/MyStorage-rootvol ..."
GRUB_ENABLE_CRYPTODISK=y

And to get /boot encrypted:
in /etc/default/grub

GRUB_ENABLE_CRYPTODISK=y

Not much of a clean tutorial, but basically:
I just made a normal encrypted lvm install.
grub failed to install during the Trisquel install. It's ok, just finish the install without a bootloader.
Then, not being able to boot, I chrooted the drive in the LiveCD (follow the link I posted).
After installing grub, keep Shift pressed during the boot, press c when grub shows up, then type the commands to boot.
But before that, you can type e instead of c and try to already remove "quiet splash", or at least splash.
Else, when booted, configuring /etc/default/grub is necessary, and also updating it (sudo update-grub) before rebooting.

That was tough to figure out (for me), but it was totally worth it, and is easy to reproduce after doing it once.

root_vegetable
Offline
Joined: 10/27/2015

So you did a normal network installation, using the 'set up full disk encryption with encrypted LVM' option in the text mode installer?
Then you booted it, changed stuff in /etc/default/grub, and now you can boot with an encrypted /boot?

hack and hack
Offline
Joined: 04/02/2015

Yes (I downloaded a 32 bits Netinstall, to be exact).
But I've chosen to do a manual partitioning, following this guide (https://libreboot.org/docs/gnulinux/encrypted_trisquel.html).

And since for some reason grub fails to install when I use disk encryption (as if I'd need to decrypt the drive right after the partitioning step), I had to use a Live CD to boot, and chroot (access the encrypted disk by mounting it on the Live CD's file system).
From there I was able to install grub on the encrypted drive.

Then, after removing the Live CD, I had trouble booting in grub, so I had to do it manually. You most likely won't see grub displayed, so you have to keep Shift pressed right after writing down your passphrase.

From there I needed to modify/add a few lines to the grub config. And update grub before rebooting.

Side note: this time I saw killall installed as default. Weird.

root_vegetable
Offline
Joined: 10/27/2015

Thanks, update-grub has worked.
However, do I need to set a GRUB password in order to use GRUB_CRYPTODISK=y (or whatever it was)?
Or does it just use my LUKS password?

hack and hack
Offline
Joined: 04/02/2015

No, you don't need a GRUB password. If I'm not mistaken, a GRUB password is meant to prevent unauthorized access to GRUB, nothing more.

root_vegetable
Offline
Joined: 10/27/2015

Actually it hasn't worked at all. When I start GRUB it gives a list of installed operating systems, and then when I select "Debian Stretch/Sid with linux-image-xxx" it says:
error: device name required
loading linux-image-xxx
going back to device scanning
Then it just loads the kernel as normal and asks for my LUKS password.
Any ideas? Here is /etc/default/grub:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_ENABLE_CRYPTODISK=y
This was following the latter link. I did the same manual partitioning as you for Debian (not following the Libreboot tutorial, though), so it's a similar setup.

hack and hack
Offline
Joined: 04/02/2015

I know I have another command in GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=:lvm root=/dev/mapper/MyStorage-rootvol ..."
Hopefully this will be enough.

Regarding partitioning, it's very standard:
I encrypted the whole thing, then I partitioned it as one / ext4 partition, and a swap one.
As long as you don't have a dedicated /boot partition, it shouldn't be a problem.

I never had this error though, this deserves some more investigation.

root_vegetable
Offline
Joined: 10/27/2015

No need for that. See my comments below this.

root_vegetable
Offline
Joined: 10/27/2015

All right, I think I have some better idea about the true nature of GRUB_ENABLE_CRYPTODISK. According to the Arch Wiki: Boot partition

GRUB can be set to ask for a password to open a LUKS blockdevice in order to read its configuration and load any initramfs and kernel from it. This option tries to solve the issue of having an unencrypted boot partition. /boot is not required to be kept in a separate partition; it may also stay under the system's root / directory tree.

To enable this feature encrypt the partition with /boot residing on it using LUKS as normal. Then add the following option to /etc/default/grub:

/etc/default/grub

GRUB_ENABLE_CRYPTODISK=y

Note: GRUB_ENABLE_CRYPTODISK=1 will not work as opposed to the request shown in GRUB 2.02-beta2.

Be sure to #Generate the main configuration file while the partition containing /boot is mounted.

Without further changes you will be prompted twice for a passphrase: the first for GRUB to unlock the /boot mount point in early boot, the second to unlock the root filesystem itself as described in #Root partition. You can use a keyfile to avoid this.

I think that GRUB_ENABLE_CRYPTODISK gets rid of the need for /boot then. You just put GRUB_ENABLE_CRYPTODISK=y in the file, reinstall GRUB, and delete /boot from the /etc/fstab file.
Nasty stuff this.

root_vegetable
Offline
Joined: 10/27/2015

Yes, and it works!
Never mind the fooling around with root=UUID and all that.
All you need to do is add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub
Run 'grub-mkconfig -o /boot/grub/grub.cfg' and 'grub-install /dev/sda' (or whatever the drive is)
then comment out /boot in /etc/fstab and run:
# umount /boot
# mount /dev/sda1 /mnt
# cp -r /mnt/* /boot/.
# reboot

This assumes you have drive sda where you installed LUKS encryption with unencrypted /boot/, where /boot/ is partition /dev/sda1.
It works great! What a great feature of GNU GRUB v2. This works for Debian unstable so would probably work for Trisquel too.

hack and hack
Offline
Joined: 04/02/2015

Nice, I'm glad it worked that way :)

I wonder what the difference is between having those commands in GRUB_CMDLINE_LINUX, and not having the commands but removing /boot from fstab. Yet I think I've tried that at an earlier stage, without success.
It seems the GRUB_CMDLINE_LINUX is used to add CLI parameters to the kernel.

The weird thing is that I don't have a /boot entry in fstab, only /dev/mapper/main and /dev/mapper/swap.

Also I had to remove the splash parameter for GRUB to be able to boot by itself.

Anyway, good to see that it is simpler on Debian testing, that means less headaches for the future Trisquel releases.

BTW, did you have to install GRUB by chroot or not?

root_vegetable
Offline
Joined: 10/27/2015

There is no need to install GRUB via chroot. You just do 'grub-mkconfig -o /boot/grub/grub.cfg' and then 'grub-install /dev/sda' (or whatever the drive is). I suspect that 'update-grub' would work but I did not try it.
Funny how Debian Unstable doesn't play up in this respect like Trisquel/Ubuntu does ;-D It isn't really unstable at all, I have not had a problem for many months.

hack and hack
Offline
Joined: 04/02/2015

So that means you had no alert during the install that GRUB failed to install?
Due to encryption (without it, GRUB get installed properly), I had to finish Trisquel's installation without a bootloader.

So after booting, I only had a blank screen, no way to input anything. Maybe GRUB was there hidden (I didn't know yet about Shift to make it appear at this point), but I doubt it since during the install, the message was "continue without a bootloader".

Trisquel really needs improvements in this regard. Or I just need to switch to Debian by myself. But hey, it works for now.

And maybe Debian stable isn't as advanced in this regard as the unstable version.

root_vegetable
Offline
Joined: 10/27/2015

I basically did as follows during installation:
1. Delete all partitions on disk
2. Create 200 M primary partition, for /boot
3. Create logical partition with the rest of space on the disk, with option "use as physical area for encryption" (or whatever the option is)
4. Select "configure encrypted partitions", and select the logical volume, which is usually /dev/sda5. The installer then formats the data in the encrypted partition
5. Select "configure the logical volume manager".
6. Create a volume group, called whatever you want ("herd-of-cats"?)
7. Make a logical volume, in the new volume group, for /root, make the rest for /home. If you are using an SSD like myself don't make a swap partition as it reduces the life of the SSD significantly, and ignore the warning of the installer about lack of swap space. Else just make a logical volume for swap as well.
8. Boot the system.
9. Remove /boot from fstab and unmount it. Then remount the partition somewhere other than /boot (/mnt?) and move its files to /boot, which still exists on /.
10. Add "GRUB_ENABLE_CRYPTODISK=y" to /etc/default/grub, run "grub-mkconfig -o /boot/grub/grub.cfg", and finally "grub-install" on your disk.
11. Delete /boot or whatever. Voila!

What I have done is the equivalent of a guided install with encrypted LVM, then configuring GRUB to work without an unencrypted /boot partition.

Note, this may look like an extremely convoluted process. It would be far simpler just to not make /boot at all. In fact, perhaps the installer would configure GRUB to have the "GRUB_ENABLE_CRYPTODISK" option already set if you don't make an unencrypted /boot partition. I'll have to investigate.

Also, if you selected "continue without the bootloader" (did it try to install GRUB to the installation media? If so, try a CD as opposed to USB, or remove the USB temporarily and then select the target disk for the bootloader) then you will have no GRUB. Using what I have done (basically doing a guided install with encrypted LVM) is simpler than having to install GRUB with a live CD.

I'm quite certain it will work in Debian stable too, if it uses GRUB v2.
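Both the grub-mkconfig/grub-install recipe a few posts up and the numbered installation steps above finish by hand-editing /etc/default/grub and /etc/fstab, and the Arch wiki quote warns that the =1 spelling of the option silently does not work. The POSIX shell script below is an added example, not code from this thread, from GRUB or from the Arch wiki: it reads copies of those two files (paths passed as arguments, so it can be run against test copies rather than the live system) and reports whether GRUB_ENABLE_CRYPTODISK is set to exactly y and whether an active /boot entry is still present in fstab, which is the state that leaves the kernel and initramfs readable and writable from a live system. The function names, the warning text and the sample files in the usage note are assumptions of the example.

```shell
#!/bin/sh
# Pre-flight check for the "encrypted /boot with GRUB_ENABLE_CRYPTODISK"
# recipe discussed in this thread. Added example, not the thread's own code.
# Usage: sh check-cryptboot.sh /etc/default/grub /etc/fstab
# Exit status 0 means both conditions hold; 1 means something is still missing.

# Returns 0 if FILE has an uncommented GRUB_ENABLE_CRYPTODISK=y (quotes allowed),
# 1 otherwise. "=1" is reported on stderr because GRUB does not accept it
# (as the Arch wiki note quoted in the thread says), so it is a common mistake.
cryptodisk_enabled() {
    file=$1
    if grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$' "$file"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?1' "$file"; then
        echo "warning: GRUB_ENABLE_CRYPTODISK=1 is not accepted by GRUB; use =y" >&2
    fi
    return 1
}

# Returns 0 if FILE still contains an active (uncommented) fstab entry whose
# mount point (second field) is /boot, 1 if /boot is no longer mounted
# separately, which is the state the thread's recipe wants.
fstab_mounts_boot() {
    awk '$0 !~ /^[[:space:]]*#/ && NF >= 2 && $2 == "/boot" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Combined check over a grub default file and an fstab: prints one line per
# condition and returns 0 only when CRYPTODISK is on and no separate /boot
# remains in fstab.
preflight() {
    grub_default=$1
    fstab=$2
    ok=0
    if cryptodisk_enabled "$grub_default"; then
        echo "ok: GRUB_ENABLE_CRYPTODISK=y is set in $grub_default"
    else
        echo "missing: add GRUB_ENABLE_CRYPTODISK=y to $grub_default"
        ok=1
    fi
    if fstab_mounts_boot "$fstab"; then
        echo "missing: $fstab still mounts a separate /boot; comment it out and copy its files to /boot on the root filesystem"
        ok=1
    else
        echo "ok: no separate /boot entry in $fstab"
    fi
    return $ok
}

# Run the check only when invoked with the two file paths.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as `sh check-cryptboot.sh /etc/default/grub /etc/fstab` before grub-mkconfig and grub-install; a non-zero exit means one of the two edits from the recipe has not been made yet. The awk match only looks at the second fstab field, so a `#/dev/sda1 /boot ...` line that has been commented out, as the recipe does, is correctly ignored, while a `/boot` line that merely has leading whitespace is still caught.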

hack and hack
Offline
Joined: 04/02/2015

Oh, so you did LUKS over LVM then. I did the opposite.
I doubt mine is really safer (preventing access to the LVM partitions in the first place); plus yours allows stretching partitions over several physical disks. My LVM is set in stone instead, so to speak (But I don't need the feature on that machine).

Unfortunately, I tried removing the USB stick several times without success, even changing the installation path to /dev/sdb didn't work either. I think I even tried /dev/mapper/herd-of-cats_main.
Also there's no CD drive on that machine. Why would a CD be different btw? Because it's not seen as /dev/sdX maybe?

root_vegetable
Offline
Joined: 10/27/2015

think about it
installing grub to a cd
would not work.
you have to burn a whole image usually.
and the installer assumes it is probably not an expensive rewritable cd. so it is assumed that installing grub to the cd would always fail.

hack and hack
Offline
Joined: 04/02/2015

I don't know how it's supposed to work.
So the image is burned to the CD.
Why, during the install, would it accept installing GRUB on my encrypted drive more than if I use a USB stick instead?
Normally, a CD is recognized as some kind of drive I think.

So I see no reason for it to be different.
At least that's my conclusion with the knowledge I have for now.