Skip to content

[WIP] Update Qubes route for 4.1.x

Created by: pterocles

Proposed changes to guide

Download and prepare Qubes USB drive for installation

sdX is the disk that Qubes OS will be installed on sdY is the USB that will contain the bootloader and the detached LUKS header file sdZ is the USB stick containing the Qubes OS installer

Boot into installation and press Ctrl + Alt + F2 to enter into terminal

Prepare your disk by first overwriting with random data dd if=/dev/urandom of=/dev/sdX status=progress

Create LUKS header file

dd if=/dev/zero of=header.img bs=16M count=1

Write master key with passphrase to header file

cryptsetup luksFormat /dev/sdX --header header.img

Open the encrypted device

cryptsetup luksOpen /dev/sdX luks --header header.img

Create LVM on LUKS config

vgcreate qubes_dom0 /dev/mapper/luks
lvcreate -n swap -L 10G qubes_dom0
lvcreate -T -L 60G qubes_dom0/root-pool
lvcreate -T -l +100%FREE qubes_dom0/vm-pool
lvcreate -V60G -T qubes_dom0/root-pool -n root
lvcreate -V871G -T qubes_dom0/vm-pool -n vm
mkfs.ext4 /dev/qubes_dom0/vm 

Create filesystems on logical volumes

mkfs.ext4 /dev/mapper/qubes_dom0-root
mkswap /dev/mapper/qubes_dom0-swap

Prepare USB boot

fdisk /dev/sdY g enter n enter t enter 1 enter w enter mkfs.fat -F32 /dev/sdY1

Return to GUI and enter device configuration

press Ctrl + Alt + F6 select /dev/sdX select "I will configure partitioning" de-select "Encrypt my data" press "Done"

Return to terminal and mount filesystems

press Ctrl + Alt + F2

mount /dev/mapper/qubes_dom0-root /mnt
swapon /dev/mapper/qubes_dom0-swap
mkdir -p /mnt/boot/efi
mount /dev/sdY1 /mnt/boot/efi

Return to GUI and refresh the device list

press Ctrl + Alt + F6 click on the "Refresh" button to load created partitions click on qubes_dom0-root and select / as its mount point and check reformat as ext4 click on qubes_dom0-swap and select reformat as swap click on /dev/sdY1 then leave it alone press "Done"

If the installer finished successfully then do NOT reboot

press Ctrl + Alt + F2

cp header.img /mnt/sysimage/
cp -r /mnt/sysimage/boot /mnt/sysimage/boot.orig
rm -rf mnt/sysimage/boot/*

Mount the live filesystem

on the mounted encrypted root and copy needed binaries and their dependencies

mount --bind /dev /mnt/sysimage/dev
mount --bind /dev/pts /mnt/sysimage/dev/pts
mount --bind /proc /mnt/sysimage/proc
mount --bind /sys /mnt/sysimage/sys
cp -r /etc/grub.d/ /mnt/sysimage/etc/
cp -r /usr/lib/grub/ /mnt/sysimage/usr/lib/
cp -r /usr/share/grub/ /mnt/sysimage/usr/share/
cp /usr/sbin/grub2-* /mnt/sysimage/usr/sbin/
cp /usr/bin/grub2-* /mnt/sysimage/usr/bin/
cp /sbin/cryptsetup /mnt/sbin/

chroot /mnt /bin/bash

Configure and install GRUB2

lsblk -f # note the UUID of sdY
vi /etc/grub.d/40_custom

add the following lines:

#---------------------------------------------
menuentry "Qubes-OS-4 XEN"{
search --no-floppy --fs-uuid --set sdY_**UUID**
insmod chain
chainloader /xen.efi
}
#---------------------------------------------

Exit editor.

touch /etc/default/grub
vi /etc/default/grub

add the following lines:

#----------------------------------------------------------
GRUB_DEFAULT=0
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX="console=hvc0 loglevel=8 initcall_debug"
#----------------------------------------------------------

Exit editor.

grub2-install --target=x86_64-efi --efi-directory /boot /dev/sdY
grub2-mkconfig -o /boot/efi/EFI/grub/grub.cfg

Configure XEN loader

cp /boot.orig/efi/EFI/qubes/xen*-.efi /boot/efi/xen.efi
vi /boot/efi/xen.cfg

add the following lines:

#-------------------------------------------------------
[global]
default=qubes

[qubes]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
kernel=vmlinuz
ramdisk=initramfs-qubes.img
#-------------------------------------------------------

Configure systemd unit to decrypt encrypted root with detached header

vi /etc/crypttab

add the following line:

#------------------------------------------------------
luks /dev/sdX none header=/header.img
#------------------------------------------------------
/usr/lib/systemd/system-generators/systemd-cryptsetup-generator
vi /tmp/systemd-cryptsetup\@luks.service

remove the After= and BindsTo= lines that contain /dev/sdX

Regenerate initramfs

cp /boot.orig/initramfs*.img /boot/efi/initramfs.img
cp /boot.orig/vmlinuz* /boot/efi/vmlinuz

vi /etc/dracut.conf.d/detached-header.conf

add the following line:

#---------------------------------------
install_items+=" /header.img "
#---------------------------------------

Exit editor.

dracut -M -v --hostonly-cmdline --fstab --add-fstab /etc/fstab --add crypt --include /tmp/systemd-cryptsetup\@luks.service /usr/lib/systemd/system/basic.target.wants/systemd-cryptsetup\@luks.service --install "/sbin/cryptsetup /sbin/swapon /usr/lib/systemd/systemd-cryptsetup" -f --rebuild /boot/efi/initramfs-qubes.img

Exit & reboot

Enter boot menu and select the UEFI GRUB bootloader to load detached LUKS Qubes OS.

During boot it may appear stuck, press any key to get to the disk decryption.

If you made it this far then remember that you will have to manually regenerate the initramfs with the new kernel after upgrading dom0.

References:

http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/custom-install/ http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/uefi-troubleshooting/ https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header https://www.gnu.org/software/grub/manual/grub/grub.htm https://unix.stackexchange.com/questions/64693/how-do-i-configure-systemd-to-activate-an-encrypted-swap-file https://www.freedesktop.org/software/systemd/man/crypttab.html https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html https://cdn.kernel.org/pub/linux/utils/boot/dracut/dracut.html https://forums.gentoo.org/viewtopic-p-7418442.html https://cryptsetup-team.pages.debian.net/cryptsetup/README.debug.html https://wiki.xen.org/wiki/Xen_EFI https://xenbits.xenproject.org/docs/unstable/misc/efi.html

I'll update the complete change log when it's done. Thanks to Dread user @0x1337f331 for contributing

Merge request reports

Loading