[WIP] Update Qubes route for 4.1.x
Created by: pterocles
Proposed changes to guide
Download and prepare Qubes USB drive for installation
sdX is the disk that Qubes OS will be installed on
sdY is the USB that will contain the bootloader and the detached LUKS header file
sdZ is the USB stick containing the Qubes OS installer
Boot the installer and press Ctrl + Alt + F2 to get a root shell
Prepare the disk by first overwriting it with random data, so that old data is gone and used and unused parts of the encrypted volume look alike (this takes hours on a large disk)
dd if=/dev/urandom of=/dev/sdX bs=4M status=progress
Create the detached LUKS header file (16 MiB is the default LUKS2 header and keyslot area size)
dd if=/dev/zero of=header.img bs=16M count=1
Format sdX as LUKS with the header (key slots and master key) written to header.img instead of the disk; sdX itself gets no LUKS signature, so header.img is the only way to unlock it and must be backed up
cryptsetup luksFormat /dev/sdX --header header.img
Open the encrypted device
cryptsetup luksOpen /dev/sdX luks --header header.img
Create the LVM-on-LUKS layout (871G is the size of the author's vm-pool; check what lvs reports for your vm-pool and adjust)
pvcreate /dev/mapper/luks
vgcreate qubes_dom0 /dev/mapper/luks
lvcreate -n swap -L 10G qubes_dom0
lvcreate -T -L 60G qubes_dom0/root-pool
lvcreate -T -l +100%FREE qubes_dom0/vm-pool
lvcreate -V60G -T qubes_dom0/root-pool -n root
lvcreate -V871G -T qubes_dom0/vm-pool -n vm
Create filesystems on the logical volumes
mkfs.ext4 /dev/mapper/qubes_dom0-root
mkfs.ext4 /dev/qubes_dom0/vm
mkswap /dev/mapper/qubes_dom0-swap
Prepare the USB boot drive with a single EFI System Partition
fdisk /dev/sdY
g (new GPT partition table)
n (new partition; accept the defaults to use the whole drive)
t then 1 (set the partition type to EFI System)
w (write the table and exit)
mkfs.fat -F32 /dev/sdY1
Return to the GUI and enter the device configuration
press Ctrl + Alt + F6
select /dev/sdX
select "I will configure partitioning"
de-select "Encrypt my data"
press "Done"
Return to terminal and mount filesystems
press Ctrl + Alt + F2
mount /dev/mapper/qubes_dom0-root /mnt
swapon /dev/mapper/qubes_dom0-swap
mkdir -p /mnt/boot/efi
mount /dev/sdY1 /mnt/boot/efi
Return to the GUI and refresh the device list
press Ctrl + Alt + F6
click on the "Refresh" button to load the created partitions
click on qubes_dom0-root, select / as its mount point and check reformat as ext4
click on qubes_dom0-swap and select reformat as swap
click on /dev/sdY1 and leave it alone
press "Done"
If the installer finishes successfully, do NOT reboot yet
press Ctrl + Alt + F2
cp header.img /mnt/sysimage/
cp -r /mnt/sysimage/boot /mnt/sysimage/boot.orig
rm -rf /mnt/sysimage/boot/*
Bind-mount the live system's /dev, /proc and /sys into the installed root and copy the GRUB tools and cryptsetup it needs from the live system
mount --bind /dev /mnt/sysimage/dev
mount --bind /dev/pts /mnt/sysimage/dev/pts
mount --bind /proc /mnt/sysimage/proc
mount --bind /sys /mnt/sysimage/sys
cp -r /etc/grub.d/ /mnt/sysimage/etc/
cp -r /usr/lib/grub/ /mnt/sysimage/usr/lib/
cp -r /usr/share/grub/ /mnt/sysimage/usr/share/
cp /usr/sbin/grub2-* /mnt/sysimage/usr/sbin/
cp /usr/bin/grub2-* /mnt/sysimage/usr/bin/
cp /sbin/cryptsetup /mnt/sysimage/sbin/
chroot /mnt/sysimage /bin/bash
Configure and install GRUB2
lsblk -f # note the filesystem UUID of sdY1 (the FAT partition, not the disk); the search line below needs it
vi /etc/grub.d/40_custom
append the following lines after the existing header (the file begins with an "exec tail" line that prints everything below it), replacing sdY_**UUID** with the UUID noted above:
#---------------------------------------------
menuentry "Qubes-OS-4 XEN" {
    search --no-floppy --fs-uuid --set=root sdY_**UUID**
    insmod chain
    chainloader /xen.efi
}
#---------------------------------------------
Exit editor.
vi /etc/default/grub
add the following lines (GRUB_CMDLINE_LINUX is not used by the chainloaded Xen entry; dom0's kernel arguments come from xen.cfg):
#----------------------------------------------------------
GRUB_DEFAULT=0
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX="console=hvc0 loglevel=8 initcall_debug"
#----------------------------------------------------------
Exit editor.
grub2-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub /dev/sdY
(--efi-directory must be the mounted ESP, not /boot; --bootloader-id=grub puts the files in /boot/efi/EFI/grub/, where the next command writes grub.cfg)
grub2-mkconfig -o /boot/efi/EFI/grub/grub.cfg
Configure the XEN loader
cp /boot.orig/efi/EFI/qubes/xen-*.efi /boot/efi/xen.efi (if more than one xen-<version>.efi is present, copy the newest one by name)
vi /boot/efi/xen.cfg
add the following lines (compare the options= line with /boot.orig/efi/EFI/qubes/xen.cfg and carry over the options Qubes ships, e.g. ucode=scan and smt=off; loglvl=all is only for debugging):
#-------------------------------------------------------
[global]
default=qubes
[qubes]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
kernel=vmlinuz
ramdisk=initramfs-qubes.img
#-------------------------------------------------------
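As an added example (not part of the original guide or of Qubes OS), the following script renders the 40_custom entry and the xen.cfg above from the real sdY1 filesystem UUID and from the options= line of the xen.cfg Qubes shipped, so neither is transcribed by hand. It assumes the layout used in this guide (run inside the chroot, original boot files under /boot.orig, sdY1 mounted on /boot/efi, root on /dev/mapper/qubes_dom0-root); the function names are mine, and the root= argument it puts on the kernel= line is an addition the hand-written xen.cfg above does not have.

```sh
#!/bin/sh
# Added example, not from the original guide: render the GRUB chainload entry
# and the Xen EFI config instead of typing the UUID and options by hand.
# Assumes the guide's layout: run inside the chroot, original boot files saved
# under /boot.orig, sdY1 mounted on /boot/efi, root LV /dev/mapper/qubes_dom0-root.
set -eu

# GRUB entry: "search --set=root" makes the ESP the root device, so
# "chainloader /xen.efi" resolves to the file copied into the ESP root.
render_grub_entry() {
    uuid="$1"
    cat <<EOF
menuentry "Qubes-OS-4 XEN" {
    search --no-floppy --fs-uuid --set=root $uuid
    insmod chain
    chainloader /xen.efi
}
EOF
}

# Pull the options= value out of the [qubes] section of a Qubes-shipped
# xen.cfg, so the hypervisor keeps the flags Qubes chose (ucode, smt, ...).
xen_options_from_cfg() {
    awk '
        /^\[/                { insec = ($0 == "[qubes]"); next }
        insec && /^options=/ { sub(/^options=/, ""); print; exit }
    ' "$1"
}

# xen.cfg for the flat layout (xen.efi, vmlinuz and the initramfs side by side
# in the ESP root). Arguments after the file name on the kernel= line go to
# dom0's kernel; root= is added here so unlocking does not depend solely on
# the command line dracut embedded with --hostonly-cmdline.
render_xen_cfg() {
    options="$1"; kernel="$2"; ramdisk="$3"; rootdev="$4"
    cat <<EOF
[global]
default=qubes

[qubes]
options=$options
kernel=$kernel root=$rootdev
ramdisk=$ramdisk
EOF
}

# Privileged part; only runs when invoked as: sh render-boot-config.sh apply
main() {
    esp_dev=$(findmnt -n -o SOURCE /boot/efi)
    esp_uuid=$(blkid -s UUID -o value "$esp_dev")
    opts=$(xen_options_from_cfg /boot.orig/efi/EFI/qubes/xen.cfg)
    [ -n "$opts" ] || { echo "no [qubes] options= line found in the original xen.cfg" >&2; exit 1; }
    # 40_custom starts with an 'exec tail' header that prints everything below it
    render_grub_entry "$esp_uuid" >> /etc/grub.d/40_custom
    render_xen_cfg "$opts" vmlinuz initramfs-qubes.img /dev/mapper/qubes_dom0-root > /boot/efi/xen.cfg
    grub2-mkconfig -o /boot/efi/EFI/grub/grub.cfg
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run it inside the chroot after copying xen.efi, as sh render-boot-config.sh apply; without the argument it only defines the functions. If the original xen.cfg has no [qubes] options= line the script stops instead of writing an empty options= line.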
Configure the systemd unit that unlocks the root device with the detached header
vi /etc/crypttab
add the following line:
#------------------------------------------------------
luks /dev/sdX none header=/header.img
#------------------------------------------------------
(sdX names are not stable across boots and hardware changes, and since the data device carries no LUKS signature it cannot be referenced as UUID=; prefer a /dev/disk/by-id/ path if your setup allows it)
Run the generator with no arguments so it writes its units to /tmp instead of the systemd generator directories:
/usr/lib/systemd/system-generators/systemd-cryptsetup-generator
vi /tmp/systemd-cryptsetup\@luks.service
remove the After= and BindsTo= lines that reference sdX (the generator writes them as dev-sdX.device)
Regenerate the initramfs
cp /boot.orig/initramfs*.img /boot/efi/initramfs.img
cp /boot.orig/vmlinuz* /boot/efi/vmlinuz
(only one kernel is installed at this point; if the globs match more than one file, name the version you want explicitly)
vi /etc/dracut.conf.d/detached-header.conf
add the following line:
#---------------------------------------
install_items+=" /header.img "
#---------------------------------------
Exit editor.
dracut -M -v --hostonly-cmdline --fstab --add-fstab /etc/fstab --add crypt \
  --include /tmp/systemd-cryptsetup\@luks.service /usr/lib/systemd/system/basic.target.wants/systemd-cryptsetup\@luks.service \
  --install "/sbin/cryptsetup /sbin/swapon /usr/lib/systemd/systemd-cryptsetup" \
  -f --rebuild /boot/efi/initramfs.img /boot/efi/initramfs-qubes.img <kver>
<kver> is the installed dom0 kernel version (ls /lib/modules), not the live installer's uname -r; --rebuild takes the copied original image as the source of its build parameters, and the output name must match the ramdisk= line in xen.cfg
Exit & reboot
Enter boot menu and select the UEFI GRUB bootloader to load detached LUKS Qubes OS.
During boot it may appear stuck, press any key to get to the disk decryption.
If you made it this far, remember that nothing in /boot/efi is maintained by the package manager: after a dom0 kernel update copy the new vmlinuz there and regenerate the initramfs for the new kernel version, and after a Xen update copy the new xen-<version>.efi over /boot/efi/xen.efi.
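Added example (not part of the original guide or of Qubes OS): a maintenance script for the step described above, to run as root in the installed dom0 after a kernel or Xen update. It re-copies the kernel and Xen binary into the ESP, regenerates the cryptsetup unit the way the guide does by hand (generator run into a scratch directory, After=/BindsTo= on the data disk's device unit removed), rebuilds the initramfs with the dracut options used above, and only replaces initramfs-qubes.img once header.img is confirmed inside the new image. Assumptions, also marked in the code: the ESP layout above, the data device named in /etc/crypttab (DATA_DISK, /dev/sdX as in the guide), vmlinuz-<kver> under /boot and xen-<version>.efi under /boot/efi/EFI/qubes after updates; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original guide: refresh the hand-placed boot files
# after a dom0 update. xen.efi, vmlinuz and initramfs-qubes.img in the ESP root
# are not touched by the package manager, so without this the USB keeps booting
# the old kernel and hypervisor.
# Assumptions: run as root in the installed dom0; the guide's layout (/boot/efi
# is sdY1, header.img in /, crypttab entry "luks" on $DATA_DISK); updates leave
# /boot/vmlinuz-<kver> and /boot/efi/EFI/qubes/xen-<version>.efi behind.
set -eu

DATA_DISK=${DATA_DISK:-/dev/sdX}   # data device from /etc/crypttab (assumed)
ESP=/boot/efi

# Newest entry from version strings on stdin (what `ls /lib/modules` prints);
# sort -V orders 5.10.112 after 5.10.96, a plain sort would not.
pick_latest() {
    sort -V | tail -n 1
}

# Drop the After=/BindsTo= lines that tie the unit to the data disk's .device
# unit (e.g. dev-sdX.device): the edit the guide makes with vi. Backslashes and
# dots in the unit name (by-id paths escape to \x2d) are quoted for the regex.
strip_device_deps() {
    unit="$1"
    pat=$(printf '%s\n' "$2" | sed 's/[\\.]/\\&/g')
    sed -E "/^(After|BindsTo)=.*$pat/d" "$unit" > "$unit.tmp"
    mv "$unit.tmp" "$unit"
}

# Run systemd's crypttab generator into a scratch directory; its three
# arguments are the normal/early/late output directories.
generate_cryptsetup_unit() {
    dir="$1"
    /usr/lib/systemd/system-generators/systemd-cryptsetup-generator "$dir" "$dir" "$dir"
    echo "$dir/systemd-cryptsetup@luks.service"
}

refresh_boot_files() {
    kver=$(ls /lib/modules | pick_latest)
    cp "/boot/vmlinuz-$kver" "$ESP/vmlinuz"
    xen=$(ls "$ESP"/EFI/qubes/xen-*.efi | pick_latest)
    cp "$xen" "$ESP/xen.efi"

    scratch=$(mktemp -d)
    unit=$(generate_cryptsetup_unit "$scratch")
    strip_device_deps "$unit" "$(systemd-escape -p --suffix=device "$DATA_DISK")"

    # Build to a temporary name so a failed build never replaces the working image.
    new="$ESP/initramfs-qubes.img.new"
    dracut -f --hostonly-cmdline --fstab --add-fstab /etc/fstab --add crypt \
        --include "$unit" /usr/lib/systemd/system/basic.target.wants/systemd-cryptsetup@luks.service \
        --install "/sbin/cryptsetup /sbin/swapon /usr/lib/systemd/systemd-cryptsetup" \
        "$new" "$kver"
    rm -rf "$scratch"

    # Without the detached header inside the image the root device cannot be opened.
    lsinitrd "$new" | grep -q 'header\.img' \
        || { echo "header.img missing from new initramfs, keeping the old one" >&2; rm -f "$new"; exit 1; }
    mv "$new" "$ESP/initramfs-qubes.img"
    echo "boot files refreshed: kernel $kver, $(basename "$xen")"
}

if [ "${1:-}" = "apply" ]; then refresh_boot_files; fi
```

Run it as DATA_DISK=/dev/sdX sh refresh-boot.sh apply. The dracut call names the output image and kernel version explicitly instead of using --rebuild, since in the installed system /etc/dracut.conf.d (including detached-header.conf) is already in place.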
References:
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/custom-install/
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/uefi-troubleshooting/
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header
https://www.gnu.org/software/grub/manual/grub/grub.html
https://unix.stackexchange.com/questions/64693/how-do-i-configure-systemd-to-activate-an-encrypted-swap-file
https://www.freedesktop.org/software/systemd/man/crypttab.html
https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
https://cdn.kernel.org/pub/linux/utils/boot/dracut/dracut.html
https://forums.gentoo.org/viewtopic-p-7418442.html
https://cryptsetup-team.pages.debian.net/cryptsetup/README.debug.html
https://wiki.xen.org/wiki/Xen_EFI
https://xenbits.xenproject.org/docs/unstable/misc/efi.html
I'll update the complete change log when it's done. Thanks to Dread user @0x1337f331 for contributing