author: Silvio Rhatto <rhatto@riseup.net> 2024-02-24 13:50:23 -0300
committer: Silvio Rhatto <rhatto@riseup.net> 2024-02-24 13:50:23 -0300
commit: 92c0b5f5ab2b11783db0c7e7f6fca42161705df6 (patch)
tree: 8fd6dc7a4c00df29727feebef8281dc71f8cb295 /docs
parent: a3e8aa6c319e38606e7d10562c793e3027c57ff4 (diff)
Feat: docs: TPC and backups
Diffstat (limited to 'docs')
-rw-r--r-- docs/backups.md 146
-rw-r--r-- docs/index.md 17
-rw-r--r-- docs/tpc.md 380
3 files changed, 541 insertions, 2 deletions
diff --git a/docs/backups.md b/docs/backups.md
new file mode 100644
index 0000000..f6faf8a
--- /dev/null
+++ b/docs/backups.md
@@ -0,0 +1,146 @@
+# Backups and syncs
+
+This mostly has to do with `hydractl` commands such as
+`sync-{backups,media,tpc}`.
+
+## Servers
+
+* Backups can be automatically generated and sent to other servers, including
+ NAS instances.
+* Automated backup checking can be done.
+* But all this does not exempt a team from manually testing backups and to make
+ their own offline copies in external drives.
+
+## New external drive
+
+Proceed as follows
+
+ disk=new-disk-name
+ device=/dev/sdc
+ hydractl usb-enable # run this for USB drives, then connect the disk
+ sudo cfdisk ${device} # layout with single ${device}1 partition
+ sudo cryptsetup luksFormat ${device}1
+ sudo cryptsetup luksOpen ${device}1 $disk
+ sudo mkfs.ext4 /dev/mapper/$disk
+ sudo mkdir /media/$disk
+ sudo mount /dev/mapper/$disk /media/$disk
+ sudo mkdir /media/$disk/media.`facter domain`
+ sudo chown `whoami`: /media/$disk/media.`facter domain`
+
+## NAS
+
+These commands should be enough to sync all media archives:
+
+ hydractl usb-enable # run this for USB drives, then connect the disk
+ hydractl mount-media $MEDIA
+ hydractl sync-media $MEDIA
+
+As this should handle syncing all backups:
+
+ hydractl sync-backups $MEDIA
+
+## TPC
+
+Chek the [specific](tpc.md) documentation for more information about TPCs.
+
+When regularly syncing a TPC, use a procedure that guarantees minimal
+changes in the running TPC, to make sure syncing data won't create
+inconsistencies in the destination, by doing something like:
+
+1. Reboot the machine
+2. Turn off networking.
+3. Log in through console.
+
+Then do the following:
+
+ hydractl usb-enable # run this for USB drives, then connect the disk
+ hydractl mount-media $TPC
+ hydractl sync-tpc $TPC
+
+To sync archives and remote backups, proceed with as explained in the NAS
+section.
+
+You may also want to consider using [borger][] ([mirror][]) to have encrypted
+homedir backups in the external archive/backup volume.
+
+[borger]: https://git.fluxo.info/borger/about/
+[mirror]: https://0xacab.org/rhatto/borger
+
+## Appliances
+
+You might want to backup the whole SSD, M-SATA or microSD from your appliances.
+If so, proceed as follows with the appliance device connected in your TPC:
+
+ export appliance=appliance-name
+ export dest="/var/backups/remote/$appliance.`facter domain`/image/`date +%Y%m%d`"
+ sudo mkdir -p $dest
+ dcfldd if=/dev/sdb | bzip2 > $dest/$appliance.img.bz2
+
+## Smartphone
+
+Smartphones usually have their own way to be backed up. This is an example
+based on the [android-backup][] utility:
+
+ android-backup <device-name>
+
+[android-backup]: https://git.fluxo.info/scripts/tree/android-backup
+
+## Hardware rotation
+
+It's recommended to rotate the current hardware in use in all
+places:
+
+* Backup disks.
+* Laptops, so they're not kept out of use (and/or especially the batteries).
+
+## Backup Kit
+
+A Backup Kit is a box with the following items:
+
+* External encrypted archive/backup disk.
+* Case for SSD transportation.
+* Laptop power adapter and cables.
+* Dockstation SATA/USB/M-2/microSD/etc (with power adapter).
+* USB power adapter and cable (including USB 2, USB 3 and USB C).
+* USB cables (USB 2, USB 3 and USB C) for the Dockstation and the external drive.
+* TPC laptop with battery and TPS (SSD, M-2 etc), optionally with a UltraBase/Dockstation.
+* Philips screwdriver and other tools.
+* FCR-MG2 adaptor for microSD to USB.
+* Anything else your need (like eyeglasses).
+* Everything in a sealed box.
+
+This may be the ultimate disaster recovery kit for your Hydra!
+
+## Restore
+
+Examples according to the software used to make the backup.
+
+### Duplicity
+
+For [duplicity][]:
+
+ duplicity collection-status file:///var/backups/duplicity
+ duplicity restore --file-to-restore home/$USER --time 2018-03-25 file:///var/backups/duplicity/ /home/$USER
+
+[duplicity]: https://duplicity.gitlab.io/
+
+### Borg
+
+For [Borg][]:
+
+ mkdir ~/temp/misc/restore
+ cd ~/temp/misc/restore
+ borg list ssh://$USER@$SERVER:$PORT//var/backups/users/$USER/borg
+ borg extract ssh://$USER@$SERVER:$PORT//var/backups/users/$USER/borg::$USER-2018-06-11T17:07:39 mnt/crypt/home/$USER/$FILE_OR_FOLDER
+
+Make sure to cleanup `~/temp/misc/restore` after recovering what you need.
+
+[Borg]: https://www.borgbackup.org/
+
+### eCryptfs
+
+For [eCryptfs][]:
+
+ sudo ecryptfs-recover-private /media/$MEDIA/home/.ecryptfs/$USER/.Private
+
+[eCryptfs]: https://www.ecryptfs.org/
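Review bot: in the Appliances section the imaging pipeline `dcfldd if=/dev/sdb | bzip2 > $dest/$appliance.img.bz2` runs unprivileged right after `sudo mkdir -p $dest`, so the redirection points into a root-owned directory and will normally fail with permission denied, and reading the raw block device also needs root on most systems; something like `sudo dcfldd if=$DEVICE | bzip2 | sudo tee "$dest/$appliance.img.bz2" >/dev/null` fixes both, with the device kept in a variable as the "New external drive" section already does and confirmed with `lsblk` first, since a wrong `/dev/sdX` here means imaging the TPC's own disk instead of the appliance. It is also worth stating that the resulting image is an unencrypted copy of everything on the appliance and should only be written to the encrypted archive/backup volumes this page assumes elsewhere. Minor: `Chek` at the top of the TPC section should be `Check`, and `proceed with as explained in the NAS section` should drop the `with`.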
diff --git a/docs/index.md b/docs/index.md
index e833e89..f52f3b4 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,10 +1,23 @@
# Hydra Suite - Command and Control
Hydra is a suite for orchestration and management of machines composed of
-the following basic commands:
+**lots of conventions and assumptions**, and the following basic commands:
* `hydractl`: act in the current host.
* `hydra`: act on at set of hosts.
* `hydras`: act on a superset of hosts.
-Check also the [slides](slides) (portuguese only).
+An Hydra is not a "cloud computing" platform, it's something else: a set of
+systems that operate together, where any node can be used to spawn new nodes.
+
+This is an ongoing experiment is how a person or a collective can manage
+many computers in an unified way. It's not production ready, and it always
+struggles to pass the test of time.
+
+Running the Hydra Suite is not recommended at this point, except if you
+want to contribute with it's development.
+
+But studying it's documentation, code, conventions is concepts is highly
+encouraged, as it may give you some ideas to manage your own systems.
+
+Check also the [concept presentation](slides) (portuguese only).
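Review bot: the new introduction needs a grammar pass before it becomes the suite's front page: `An Hydra is not a "cloud computing" platform` should read `A Hydra is not`, `This is an ongoing experiment is how a person` should read `experiment in how a person`, `in an unified way` should be `in a unified way`, and `it's development`, `it's documentation` and `conventions is concepts` should read `its development`, `its documentation` and `conventions and concepts`. The unchanged line `act on at set of hosts` has the same kind of typo (`act on a set of hosts`) and could be fixed in the same commit.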
diff --git a/docs/tpc.md b/docs/tpc.md
new file mode 100644
index 0000000..969b5bb
--- /dev/null
+++ b/docs/tpc.md
@@ -0,0 +1,380 @@
+# Trusted Personal Computers
+
+The Hydra Suite was made with the [Trusted Personal Computer (TPC)][]
+([portuguese translation][]) paradigm as it's starting point.
+
+This guide documents the lifecycle of a TPC storage device, or a "TPS
+Cartridge":
+
+ Cartridge = TPS = Trusted Personal Storage (like and SSD, microSD or M-2)
+
+The idea is that a number of TPCs can have interchangeable cartridges, as long
+as each cartridge has an unique name.
+
+[Trusted Personal Computer (TPC)]: https://web.archive.org/web/20180914153944/http://cmrg.fifthhorseman.net/wiki/TrustedPhysicalConsole
+[portuguese translation]: https://plano.autodefesa.org/specs/tpc.html
+
+## Parameters
+
+Start by running the following commands in your terminal, adjusting to your
+case:
+
+ export HYDRA="nome-da-hydra"
+ export VOLNAME="nome-do-disco"
+ export DOMAIN="dominio.example.org"
+ export DEVICE="/dev/sdb"
+ export USER=`whoami`
+ export DEST=/media/$VOLNAME
+ export CONFIG_FOLDER="`hydra $HYDRA folder`"
+
+ if [ "$USER" != "root" ]; then
+ export SUDO="sudo"
+ fi
+
+## Provisioning a new cartridge
+
+### Random data
+
+If you want to pre-fill your disk with random data, proceed as follows:
+
+ $SUDO dcfldd if=/dev/urandom of=$DEVICE
+
+This can be done in a NAS as it may take days to finish, and the rest of the
+procedures from this document can be done from another TPC.
+
+### Configuration
+
+If non-existing, create entries and keys:
+
+ hydra $HYDRA newnode $VOLNAME tpc
+
+Customize:
+
+ vim $CONFIG_FOLDER/config/provision/$VOLNAME.conf
+ vim $CONFIG_FOLDER/puppet/config/node/$VOLNAME.$DOMAIN.yaml
+ vim $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
+
+### Secrets
+
+Proceed adding other passwords and secrets at
+`$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN`, make sure to
+encode them with [hiera-yaml][]:
+
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block -p -l some::password
+
+If you already have the secret somewhere, you can use a construction like this
+which already adds the eyaml block into the hiera config file:
+
+ keyringer $HYDA decrypt /path/to/some/secret | \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::password >> \
+ $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
+
+You can also ensure a fresh random passphrase is used, using your favourite
+generator like this:
+
+ head -c ${1:-20} /dev/urandom | base64 | \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::random:password >> \
+ $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
+
+[hiera-yaml]: https://github.com/voxpupuli/hiera-eyaml
+
+### Installation
+
+The proceed with the system installation, which should create all volumes in
+the TPS and setup the base Operating System:
+
+ hydra $HYDRA provision $VOLNAME
+
+### Metadata
+
+After installation, make sure to save metadata from the disk layout and LUKS headers, which
+can be useful during recovery procedures.
+
+1. Write down UUIDS, models and serials from the new disk. Examples:
+
+ lsblk $DEVICE -n -o +UUID | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/lsblk
+ udevadm info --query=all --name=$DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/udevadm
+
+ # For non-USB disks only
+ $SUDO hdparm -I $DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/hdparm
+ $SUDO smartctl -i $DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/smartctl
+
+2. Save partition tables, the LUKS header and other relevant information:
+
+ $SUDO LC_ALL=C sfdisk -d $DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/sfdisk
+
+ $SUDO cryptsetup luksDump /dev/mapper/$VOLNAME-root | keyringer $HYDRA encrypt nodes/houdini.fluxo.info/luksDump-root
+ $SUDO cryptsetup luksDump /dev/mapper/$VOLNAME-swap | keyringer $HYDRA encrypt nodes/houdini.fluxo.info/luksDump-swap
+
+ $SUDO cryptsetup luksHeaderBackup /dev/mapper/$VOLNAME-root --header-backup-file luksHeaderBackup-root
+ $SUDO chown $(whoami) luksHeaderBackup-root
+ keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/luksHeaderBackup-root luksHeaderBackup-root
+ chmod +w luksHeaderBackup-root
+ wipe luksHeaderBackup-root
+
+## Other security measures
+
+* Optionally, configure ATA passphrases for the new disk. If so, make sure to
+ save the passphrase in the keyring:
+
+ keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/ata
+
+## Mounting
+
+Use the following whenever you need to mount the cartridge in another system:
+
+ hydractl mount-media $VOLNAME
+
+This will make the volume available at `/media/$VOLNAME`.
+
+## Initial user
+
+These steps are needed to setup the encrypted home folder (the second level of encryption)
+before continuing the provisioning.
+
+### Setting up home encryption
+
+If you're running this in an existing hydra-compatible TPC but you don't have your
+home folder encrypted, backup your data and then proceed running
+
+ hydractl ecryptfs-home
+
+### Syncing the user and encrypted home in the new cartridge
+
+Then, with the new TPS cartridge mounted (`hydractl mount-media $VOLNAME`), do
+the following to replicate your user and homedir there:
+
+ $SUDO chroot $DEST adduser $USER
+ $SUDO chroot $DEST usermod -a -G sudo $USER
+ $SUDO chroot $DEST apt install ecryptfs-utils -y
+
+ $SUDO mkdir -p $DEST/mnt/crypt/home
+ $SUDO mv $DEST/home/$USER $DEST/mnt/crypt/home/$USER
+ $SUDO ln -s -t $DEST/home /mnt/crypt/home/$USER/
+ $SUDO ln -s -t $DEST/mnt/crypt/home/$USER /home/.ecryptfs/$USER/.ecryptfs
+ $SUDO ln -s -t $DEST/mnt/crypt/home/$USER /home/.ecryptfs/$USER/.Private
+
+ $SUDO chroot $DEST chown -R $USER: /mnt/crypt/home/$USER
+
+The procedure may be adapted if you're already running the system from the new TPS
+and is logged in there as `root`.
+
+## Syncing data
+
+From another system, and with the cartridge mounted:
+
+ hydractl sync-tpc $VOLNAME
+
+Check the [backups](backups.md) for additional information.
+
+## Unmounting
+
+Now that basic provisioning is completed, you can unmount the cartridge.
+
+From another system, and with the cartridge mounted:
+
+ hydractl umount-media $VOLNAME
+
+## Deploy
+
+Now it's time to boot the new system, log in with your user and deploy the complete
+configuration.
+
+The following command will take care of the deployment:
+
+ hydra $HYDRA deploy localhost
+
+## Archives and backups
+
+You can use a hydra-compatible archive/backup disk to setup working copies
+for existing archives:
+
+ export MEDIA=backup-disk-name
+ hydractl mount-media $MEDIA
+ hydractl sync-backups $MEDIA
+ hydractl sync-media $MEDIA
+
+ hydractl sync-media-initremotes localhost boxes hostname-nas1 hostname-nas2
+
+Then add manually other archive remotes.
+
+## Compile
+
+Make sure other nodes have some information on your cartridge by compiling
+collected data:
+
+ hydra $HYDRA compile
+
+## Adding a new hardware in the TPC pool
+
+* Proceed with [homologatin a new unit](https://plano.autodefesa.org/specs/tpc.html).
+* Provision, deploy, sync-media, sync-vms etc.
+* Add the devices' network MAC Addresses at `70-persistent-net.rules`, then make sure
+ to sync this in the other cartridges.
+
+## Decommissioning
+
+To be documented.
+
+## Additional references
+
+### Implementation
+
+These are implementation-specific references, especially issues, fixes and
+workarounds found while developing procedures for TPCs.
+
+#### UEFI
+
+Overview:
+
+* [UEFI boot: how does that actually work, then? | AdamW on Linux and more](https://www.happyassassin.net/posts/2014/01/25/uefi-boot-how-does-that-actually-work-then/ "UEFI boot: how does that actually work, then? | AdamW on Linux and more")
+* [Unified Extensible Firmware Interface - ArchWiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface "Unified Extensible Firmware Interface - ArchWiki")
+* [Linux on UEFI: A Quick Installation Guide](https://www.rodsbooks.com/linux-uefi/ "Linux on UEFI: A Quick Installation Guide")
+
+Coreboot versus UEFI:
+
+* [Coreboot Versus UEFI](https://linuxhint.com/coreboot-vs-uefi/ "Coreboot Versus UEFI")
+
+UEFI versus Legacy:
+
+* [Linux: UEFI vs Legacy IDE. Pros/Cons/Security? : linuxquestions](https://www.reddit.com/r/linuxquestions/comments/6kw648/linux_uefi_vs_legacy_ide_prosconssecurity/ "Linux: UEFI vs Legacy IDE. Pros/Cons/Security? : linuxquestions")
+
+Lenovo:
+
+* [lenovo - UEFI or Legacy? Which is advised and why? - Ask Ubuntu](https://askubuntu.com/questions/647303/uefi-or-legacy-which-is-advised-and-why "lenovo - UEFI or Legacy? Which is advised and why? - Ask Ubuntu")
+* [Legacy BIOS boot support removed in Lenovo's 2020 products](https://support.lenovo.com/br/en/solutions/ht510878-legacy-bios-boot-support-removed-in-lenovo-2020-products "Access Denied")
+
+Issues:
+
+* [UEFI troubleshooting | Qubes OS](https://www.qubes-os.org/doc/uefi-troubleshooting/ "UEFI troubleshooting | Qubes OS")
+
+#### Boot loader
+
+Geral:
+
+* [GNU GRUB Manual 2.06: Installing GRUB using grub-install](https://www.gnu.org/software/grub/manual/grub/html_node/Installing-GRUB-using-grub_002dinstall.html#Installing-GRUB-using-grub_002dinstall "GNU GRUB Manual 2.06: Installing GRUB using grub-install")
+* [GRUB - ArchWiki](https://wiki.archlinux.org/title/GRUB#Default/fallback_boot_path "GRUB - ArchWiki")
+* [GRUB/Tips and tricks - ArchWiki](https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#UEFI_further_reading "GRUB/Tips and tricks - ArchWiki")
+
+(Re)installation:
+
+* [GrubEFIReinstall - Debian Wiki](https://wiki.debian.org/GrubEFIReinstall "GrubEFIReinstall - Debian Wiki")
+* [Chapter 13. Encrypting block devices using LUKS Red Hat Enterprise Linux 8 | Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening)
+
+Full Disk Encryption (FDE) support:
+
+* [How can I install Debian with full-disk encryption and a custom sized swapfile? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/577379/how-can-i-install-debian-with-full-disk-encryption-and-a-custom-sized-swapfile "How can I install Debian with full-disk encryption and a custom sized swapfile? - Unix & Linux Stack Exchange")
+
+Recovery:
+
+* [GRUB Recovery for UEFI-GPT-LUKS-LVM](https://arnaudr.io/2018/03/26/grub-recovery-for-uefi-gpt-luks-lvm/ "Arnaud R")
+* [Re: Does grub-mkrescue support UEFI hybrid USB/DVD images?](https://lists.gnu.org/archive/html/grub-devel/2015-01/msg00042.html "Re: Does grub-mkrescue support UEFI hybrid USB/DVD images?")
+
+Issues:
+
+* [grub2 - UEFI Grub fails to boot encrypted Ubuntu 21.04 system: can't find command cryptomoun - Ask Ubuntu](https://askubuntu.com/questions/1351914/uefi-grub-fails-to-boot-encrypted-ubuntu-21-04-system-cant-find-command-crypt)
+ * [PSA: GRUB fails to detect the fact that / and /boot are LUKS encrypted : archlinux](https://www.reddit.com/r/archlinux/comments/o1opyj/psa_grub_fails_to_detect_the_fact_that_and_boot/ "PSA: GRUB fails to detect the fact that / and /boot are LUKS encrypted : archlinux")
+ * [grub2 - How do I get Grub to automatically run cryptomount to load its config file (encrypted boot) - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/313939/how-do-i-get-grub-to-automatically-run-cryptomount-to-load-its-config-file-encr "grub2 - How do I get Grub to automatically run cryptomount to load its config file (encrypted boot) - Unix & Linux Stack Exchange")
+ * [#917117 - grub-efi-amd64-signed: doesn't mount cryptodisk - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917117 "#917117 - grub-efi-amd64-signed: doesn't mount cryptodisk - Debian Bug report logs")
+ * [GRUB + LUKS2 not asking for password](https://forum.artixlinux.org/index.php/topic,2093.0.html "GRUB + LUKS2 not asking for password")
+* [FS#40029 : [grub] ${cmdpath} expansion in GRUB shell is wrong](https://bugs.archlinux.org/task/40029 "FS#40029 : [grub] ${cmdpath} expansion in GRUB shell is wrong")
+ * [linux - How to reconfigure grub - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/577780/how-to-reconfigure-grub "linux - How to reconfigure grub - Unix & Linux Stack Exchange")
+ * [grub2 - wrong grub prefix (efi) `grub-install` and `update-grub` doesn't fix it - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/615109/wrong-grub-prefix-efi-grub-install-and-update-grub-doesnt-fix-it "grub2 - wrong grub prefix (efi) `grub-install` and `update-grub` doesn't fix it - Unix & Linux Stack Exchange")
+ * [#925309 - Wrong prefix directory hardcoded in signed GRUB image - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925309 "#925309 - Wrong prefix directory hardcoded in signed GRUB image - Debian Bug report logs")
+ * [grub2 - grub doesn't load grub.cfg automatically - Ask Ubuntu](https://askubuntu.com/questions/885445/grub-doesnt-load-grub-cfg-automatically "grub2 - grub doesn't load grub.cfg automatically - Ask Ubuntu")
+ * [ubuntu - Grub not loading config file or booting into linux automatically - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/232730/grub-not-loading-config-file-or-booting-into-linux-automatically#247716 "ubuntu - Grub not loading config file or booting into linux automatically - Unix & Linux Stack Exchange")
+
+#### SecureBoot
+
+* [SecureBoot - Debian Wiki](https://wiki.debian.org/SecureBoot "SecureBoot - Debian Wiki")
+ * [DEBAMAX — Debian expertise — Blog — An overview of Secure Boot in Debian](https://debamax.com/blog/2019/04/19/an-overview-of-secure-boot-in-debian/ "DEBAMAX — Debian expertise — Blog — An overview of Secure Boot in Debian")
+ * [Debian -- GRUB2 UEFI SecureBoot vulnerabilities - 2021](https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot/ "Debian -- GRUB2 UEFI SecureBoot vulnerabilities - 2021")
+ * [SecureBoot/Discussion - Debian Wiki](https://wiki.debian.org/SecureBoot/Discussion "SecureBoot/Discussion - Debian Wiki")
+ * [SecureBoot/VirtualMachine - Debian Wiki](https://wiki.debian.org/SecureBoot/VirtualMachine "SecureBoot/VirtualMachine - Debian Wiki")
+ * [Frequently asked questions (FAQ) | Qubes OS](https://www.qubes-os.org/faq/#is-secure-boot-supported "Frequently asked questions (FAQ) | Qubes OS")
+ * [Heads - Trammell Hudson's Projects](https://trmm.net/Heads/ "Heads - Trammell Hudson's Projects")
+ * [About - Heads - Wiki](https://osresearch.net/ "About - Heads - Wiki")
+ * [GitHub - osresearch/safeboot: Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support](https://github.com/osresearch/safeboot "GitHub - osresearch/safeboot: Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support")
+ * [Xen / Qubes support · Issue #21 · osresearch/safeboot · GitHub](https://github.com/osresearch/safeboot/issues/21 "Xen / Qubes support · Issue #21 · osresearch/safeboot · GitHub")
+ * [Debian-GNU-Linux-Profiles/build-secureboot-trustchain.md at master · hardenedlinux/Debian-GNU-Linux-Profiles · GitHub](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/build-secureboot-trustchain.md "Debian-GNU-Linux-Profiles/build-secureboot-trustchain.md at master · hardenedlinux/Debian-GNU-Linux-Profiles · GitHub")
+ * [Secure Boot with GRUB 2 and signed Linux images and initrds](https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd "Secure Boot with GRUB 2 and signed Linux images and initrds")
+
+#### Evil Maid Attack
+
+* [Evil maid attack - Wikipedia](https://en.wikipedia.org/wiki/Evil_maid_attack "Evil maid attack - Wikipedia")
+ * [Anti-Evil Maid with UEFI and Xen - Brendan Kerrigan, Assured Information Security - Platform Security Summit 2018](https://www.platformsecuritysummit.com/2018/speaker/kerrigan/ "Anti-Evil Maid with UEFI and Xen - Brendan Kerrigan, Assured Information Security - Platform Security Summit 2018")
+ * [PSEC2018-Anti-Evil-Maid-UEFI-Xen-Brendan-Kerrigan.pdf](https://www.platformsecuritysummit.com/2018/speaker/kerrigan/PSEC2018-Anti-Evil-Maid-UEFI-Xen-Brendan-Kerrigan.pdf "PSEC2018-Anti-Evil-Maid-UEFI-Xen-Brendan-Kerrigan.pdf")
+ * [F-Secure Whitepaper - Evil Maid Guide (English).pdf](https://www.f-secure.com/content/dam/press/de/media-library/reports/F-Secure%20Whitepaper%20-%20Evil%20Maid%20Guide%20(English).pdf "F-Secure Whitepaper - Evil Maid Guide (English).pdf")
+ * [UEFI threats moving to the ESP: Introducing ESPecter bootkit | WeLiveSecurity](https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ "UEFI threats moving to the ESP: Introducing ESPecter bootkit | WeLiveSecurity")
+ * [disk encryption - Encrypting the /boot partition in a Linux system can protect from an Evil Maid Attack? - Information Security Stack Exchange](https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a "disk encryption - Encrypting the /boot partition in a Linux system can protect from an Evil Maid Attack? - Information Security Stack Exchange")
+ * [Ten Immutable Laws Of Security (Version 2.0) | Microsoft Docs](https://docs.microsoft.com/en-us/archive/blogs/rhalbheer/ten-immutable-laws-of-security-version-2-0 "Ten Immutable Laws Of Security (Version 2.0) | Microsoft Docs")
+ * [seagl-2017.pdf](https://ia600805.us.archive.org/7/items/seagl-2017/seagl-2017.pdf "seagl-2017.pdf")
+ * [GitHub - kritjo/Techniques-for-Secure-System-Boot: Paper for mid-semester exam in IN2120 at Institute for Informathics, University of Oslo. Ended up scoring 98,8%.](https://github.com/kritjo/Techniques-for-Secure-System-Boot "GitHub - kritjo/Techniques-for-Secure-System-Boot: Paper for mid-semester exam in IN2120 at Institute for Informathics, University of Oslo. Ended up scoring 98,8%.")
+ * [GitHub - xmikos/cryptboot: Encrypted boot partition manager with UEFI Secure Boot support](https://github.com/xmikos/cryptboot "GitHub - xmikos/cryptboot: Encrypted boot partition manager with UEFI Secure Boot support")
+ * [Arch Linux Full-Disk Encryption Installation Guide [Encrypted Boot, UEFI, NVMe, Evil Maid] · GitHub](https://gist.github.com/m-bartlett/3ff47b31947cd1e504268415c8054f50 "Arch Linux Full-Disk Encryption Installation Guide [Encrypted Boot, UEFI, NVMe, Evil Maid] · GitHub")
+ * [GitHub - QubesOS/qubes-antievilmaid: Qubes component: antievilmaid](https://github.com/QubesOS/qubes-antievilmaid "GitHub - QubesOS/qubes-antievilmaid: Qubes component: antievilmaid")
+ * [Secure Boot, TPM2, LUKS, and a potential security hole in the Wiki / GNU/Linux Discussion / Arch Linux Forums](https://bbs.archlinux.org/viewtopic.php?id=271423 "Secure Boot, TPM2, LUKS, and a potential security hole in the Wiki / GNU/Linux Discussion / Arch Linux Forums")
+ * [luks - Defending against the evil maid, how to handle removal of the /boot partition - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/189412/defending-against-the-evil-maid-how-to-handle-removal-of-the-boot-partition "luks - Defending against the evil maid, how to handle removal of the /boot partition - Unix & Linux Stack Exchange")
+ * [Multiple encryption - Wikipedia](https://en.wikipedia.org/wiki/Multiple_encryption "Multiple encryption - Wikipedia")
+
+#### Howtos
+
+* [Creating a BIOS/GPT and UEFI/GPT Grub-bootable Linux system - Philipp's Tech Blog](https://blog.heckel.io/2017/05/28/creating-a-bios-gpt-and-uefi-gpt-grub-bootable-linux-system/ "Creating a BIOS/GPT and UEFI/GPT Grub-bootable Linux system - Philipp's Tech Blog")
+ * [How to Install GRUB2 with EFI Support | Timesys LinuxLink](https://linuxlink.timesys.com/docs/engineering/wiki/HOWTO_Install_GRUB2_with_EFI_support "How to Install GRUB2 with EFI Support | Timesys LinuxLink")
+ * [Real full disk encryption using GRUB on Arch Linux for BIOS and UEFI](https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-arch-linux-for-bios-and-uefi.html "Real full disk encryption using GRUB on Arch Linux for BIOS and UEFI")
+ * [Real full disk encryption using GRUB on Debian GNU/Linux for BIOS](https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-debian-linux-for-bios.html "Real full disk encryption using GRUB on Debian GNU/Linux for BIOS")
+ * [Real full disk encryption using GRUB on Void Linux for BIOS](https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-void-linux-for-bios.html "Real full disk encryption using GRUB on Void Linux for BIOS")
+ * [Install Debian with Debootstrap + Grub EFI · GitHub](https://gist.github.com/superboum/1c7adcd967d3e15dfbd30d04b9ae6144 "Install Debian with Debootstrap + Grub EFI · GitHub")
+ * [Debian: Debootstrap Install (aka Installing Debian “the Arch Way”) – LeCorbeau's Vault](https://lecorbeausvault.wordpress.com/2021/10/07/debian-debootstrap-install-aka-installing-debian-the-arch-way/ "Debian: Debootstrap Install (aka Installing Debian “the Arch Way”) – LeCorbeau's Vault")
+ * [Debian -- Details of package arch-install-scripts in bullseye](https://packages.debian.org/bullseye/arch-install-scripts "Debian -- Details of package arch-install-scripts in bullseye")
+ * [Instructions how to install Debian using debootstrap · GitHub](https://gist.github.com/varqox/42e213b6b2dde2b636ef "Instructions how to install Debian using debootstrap · GitHub")
+
+#### TRIM
+
+* [Trim (computing) - Wikipedia](https://en.wikipedia.org/wiki/Trim_(computing) "Trim (computing) - Wikipedia")
+ * [fstrim.pdf](https://people.redhat.com/mskinner/rhug/q1.2014/fstrim.pdf "fstrim.pdf")
+ * [Enable periodic TRIM - including on a LUKS partition - Tech Knowledge Base - jaytaala.com Confluence](https://confluence.jaytaala.com/display/TKB/Enable+periodic+TRIM+-+including+on+a+LUKS+partition "Enable periodic TRIM - including on a LUKS partition - Tech Knowledge Base - jaytaala.com Confluence")
+ * [How to properly activate TRIM for your SSD on Linux: fstrim, lvm and dm-crypt | synaptic fault](http://blog.neutrino.es/2013/howto-properly-activate-trim-for-your-ssd-on-linux-fstrim-lvm-and-dmcrypt/ "How to properly activate TRIM for your SSD on Linux: fstrim, lvm and dm-crypt | synaptic fault")
+ * [ssd - fstrim doesn't seem to trim a partition that uses lvm and dm-crypt - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/346195/fstrim-doesnt-seem-to-trim-a-partition-that-uses-lvm-and-dm-crypt#348016 "ssd - fstrim doesn't seem to trim a partition that uses lvm and dm-crypt - Unix & Linux Stack Exchange")
+ * [ssd - Trim with LVM and dm-crypt - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/85865/trim-with-lvm-and-dm-crypt "ssd - Trim with LVM and dm-crypt - Unix & Linux Stack Exchange")
+ * [[SOLVED] fstrim with LVM on LUKS: discard operation not supported / Installation / Arch Linux Forums](https://bbs.archlinux.org/viewtopic.php?id=231086 "[SOLVED] fstrim with LVM on LUKS: discard operation not supported / Installation / Arch Linux Forums")
+ * [Linux/LUKS/Full Disk Encryption: How can I mitigate SSD/flash media security security risk caused by unreliable physical deletion? - Information Security Stack Exchange](https://security.stackexchange.com/questions/248917/linux-luks-full-disk-encryption-how-can-i-mitigate-ssd-flash-media-security-sec "Linux/LUKS/Full Disk Encryption: How can I mitigate SSD/flash media security security risk caused by unreliable physical deletion? - Information Security Stack Exchange")
+ * [linux - How to enable discards on encrypted root - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/574400/how-to-enable-discards-on-encrypted-root "linux - How to enable discards on encrypted root - Unix & Linux Stack Exchange")
+ * [SSD - Gentoo Wiki](https://wiki.gentoo.org/wiki/SSD#Discard_.28trim.29_support "SSD - Gentoo Wiki")
+ * [ssd - What exactly do the 'allow-discards' and 'root_trim' Linux parameters do? - Ask Ubuntu](https://askubuntu.com/questions/243518/what-exactly-do-the-allow-discards-and-root-trim-linux-parameters-do "ssd - What exactly do the 'allow-discards' and 'root_trim' Linux parameters do? - Ask Ubuntu")
+ * [Solid state drive - ArchWiki](https://wiki.archlinux.org/title/Solid_state_drive "Solid state drive - ArchWiki")
+ * [TRIM on LVM on LUKS on SSD – Just another Linux geek](https://blog.christophersmart.com/2013/06/05/trim-on-lvm-on-luks-on-ssd/ "TRIM on LVM on LUKS on SSD – Just another Linux geek")
+ * [Possible to get SSD TRIM (discard) working on ext4 + LVM + software RAID in Linux? - Server Fault](https://serverfault.com/questions/227918/possible-to-get-ssd-trim-discard-working-on-ext4-lvm-software-raid-in-linu "Possible to get SSD TRIM (discard) working on ext4 + LVM + software RAID in Linux? - Server Fault")
+ * [Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog](https://chrisirwin.ca/posts/discard-with-kvm-2020/ "Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog")
+ * [Implementing Linux fstrim on SSD with software md-raid - Server Fault](https://serverfault.com/questions/508459/implementing-linux-fstrim-on-ssd-with-software-md-raid#508463 "Implementing Linux fstrim on SSD with software md-raid - Server Fault")
+ * [Implementing Linux fstrim on SSD with software md-raid - Ringing Liberty](https://www.ringingliberty.com/2013/05/16/implementing-linux-fstrim-on-ssd-with-software-md-raid/ "Implementing Linux fstrim on SSD with software md-raid - Ringing Liberty")
+ * [ubuntu - Why does fstrim trim all of the free space on my mdraid mirror after a reboot? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/124293/why-does-fstrim-trim-all-of-the-free-space-on-my-mdraid-mirror-after-a-reboot "ubuntu - Why does fstrim trim all of the free space on my mdraid mirror after a reboot? - Unix & Linux Stack Exchange")
+ * [How to set up SSD raid and TRIM support? - Ask Ubuntu](https://askubuntu.com/questions/264625/how-to-set-up-ssd-raid-and-trim-support "How to set up SSD raid and TRIM support? - Ask Ubuntu")
+ * [Debian, QEMU, libvirt, qcow2 and fstrim – #Jan](https://jschumacher.info/2020/11/debian-qemu-libvirt-qcow2-and-fstrim/ "Debian, QEMU, libvirt, qcow2 and fstrim – #Jan")
+ * [Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog](https://chrisirwin.ca/posts/discard-with-kvm-2020/ "Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog")
+ * [Discard (TRIM) with KVM Virtual Machines - Chris Irwin's Blog](https://chrisirwin.ca/posts/discard-with-kvm/ "Discard (TRIM) with KVM Virtual Machines - Chris Irwin's Blog")
+ * [TRIM Support on KVM Virtual Machines – ZenCoffee Blog – random notes, guides, and thoughts…](http://blog.zencoffee.org/2016/05/trim-support-kvm-virtual-machines/ "TRIM Support on KVM Virtual Machines – ZenCoffee Blog – random notes, guides, and thoughts…")
+ * [#763318 - qemu-kvm: discard='unmap' not working for qcow2 disks on virtio-scsi controller - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763318 "#763318 - qemu-kvm: discard='unmap' not working for qcow2 disks on virtio-scsi controller - Debian Bug report logs")
+ * [linux - Qemu TRIM and discard on a physical SSD device - Server Fault](https://serverfault.com/questions/896448/qemu-trim-and-discard-on-a-physical-ssd-device "linux - Qemu TRIM and discard on a physical SSD device - Server Fault")
+ * [Milan Broz's blog: TRIM & dm-crypt ... problems?](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html "Milan Broz's blog: TRIM & dm-crypt ... problems?")
+ * [#11870 (Add solid state drives to some servers) – Support](https://support.mayfirst.org/ticket/11870 "#11870 (Add solid state drives to some servers) – Support")
+
+#### Swap
+
+* [Swap (and hibernation) on SSD in 2019?](https://askubuntu.com/questions/1165507/swap-and-hibernation-on-ssd-in-2019#1165544)
+ * [Why are swap partitions discouraged on SSD drives, are they harmful? - Ask Ubuntu](https://askubuntu.com/questions/652337/why-are-swap-partitions-discouraged-on-ssd-drives-are-they-harmful?noredirect=1&lq=1 "Why are swap partitions discouraged on SSD drives, are they harmful? - Ask Ubuntu")
+ * [Swap (and hibernation) on SSD in 2019? - Ask Ubuntu](https://askubuntu.com/questions/1165507/swap-and-hibernation-on-ssd-in-2019 "Swap (and hibernation) on SSD in 2019? - Ask Ubuntu")
+ * [Swap and SSD linux - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/589598/swap-and-ssd-linux "Swap and SSD linux - Unix & Linux Stack Exchange")
+
+#### Cryptsetup
+
+* [Debian Cryptsetup docs – README](https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html "Debian Cryptsetup docs – README")
+ * [partitioning - Should I use LUKS1 or LUKS2 for partition encryption? - Ask Ubuntu](https://askubuntu.com/questions/1032546/should-i-use-luks1-or-luks2-for-partition-encryption "partitioning - Should I use LUKS1 or LUKS2 for partition encryption? - Ask Ubuntu")
+ * [devconf2016-luks2.pdf](https://mbroz.fedorapeople.org/talks/DevConf2016/devconf2016-luks2.pdf "devconf2016-luks2.pdf")
+ * [Cracking LUKS/dm-crypt passphrases – Diverto – Information Security Warriors](https://diverto.github.io/2019/11/18/Cracking-LUKS-passphrases "Cracking LUKS/dm-crypt passphrases – Diverto – Information Security Warriors")
+ * [#671037 - can not change target name of root in /etc/crypttab - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671037 "#671037 - can not change target name of root in /etc/crypttab - Debian Bug report logs")
+ * [Debian -- Details of package cryptsetup-initramfs in bullseye](https://packages.debian.org/bullseye/cryptsetup-initramfs "Debian -- Details of package cryptsetup-initramfs in bullseye")
+
+#### Certification
+
+* [Certified hardware | Qubes OS](https://www.qubes-os.org/doc/certified-hardware/ "Certified hardware | Qubes OS")
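Review bot: the TRIM link list in this hunk contains a verbatim duplicate: the entry `[Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog](https://chrisirwin.ca/posts/discard-with-kvm-2020/ ...)` appears twice, once among the SSD/TRIM links and again next to the KVM/QEMU links; keep the second (it sits with the related `Discard (TRIM) with KVM Virtual Machines` and ZenCoffee entries) and drop the first. The Swap subsection has the same issue: `[Swap (and hibernation) on SSD in 2019?](https://askubuntu.com/questions/1165507/swap-and-hibernation-on-ssd-in-2019#1165544)` and the untitled-suffix variant `[Swap (and hibernation) on SSD in 2019? - Ask Ubuntu](https://askubuntu.com/questions/1165507/swap-and-hibernation-on-ssd-in-2019 ...)` point at the same question, so one of them should go (the `#1165544` anchor is the more specific pointer to the accepted answer and is the better one to keep). Minor style point: the Swap and Cryptsetup lists mix a top-level `* [...]` item with indented ` * [...]` items that are not logically children of it, unlike the consistent indentation used for the TRIM list above; flattening them to one level keeps the rendered Markdown from nesting unrelated links.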