Tobias Görgens

Tobi_Peter

Involved Projects and Packages
Maintainer

A dynamic swap manager

Xbox Wireless Controller Adapter firmware

Maintainer

Open source, compact, and material designed cursor set.

This project was created for package snapper-sdboot via attribute OBS:Maintained

This repo contains a fork of systemd on openSUSE Tumbleweed for x86_64 with systemd-boot instead of grub
Development repo

xrandr for Gnome/wayland, on distros that don't support wlr-randr

This project was created for package gnome-software-snapd via attribute OBS:Maintained

This project was created for package discover via attribute OBS:Maintained

This project was created for package libgda via attribute OBS:Maintained

This project was created for package libgnomesu via attribute OBS:Maintained

A game launcher which can be used as a CLI, GUI, and a library for creating and playing Modrinth projects.

This project was created for package mutter via attribute OBS:Maintained

This project is a personal repository containing the software I need and want on my machines :)

This project was created for package kernel-install-openSUSE via attribute OBS:Maintained

This project was created for package sunshine via attribute OBS:Maintained

A dynamic swap manager

This project was created for package libdnf via attribute OBS:Maintained

This project was created for package libdnf via attribute OBS:Maintained

This is a fork of systemd on openSUSE Tumbleweed for x86_64 with systemd-boot instead of grub

This repo contains everything needed to utilize systemd-boot and snapshot support.
-------------------------------------------
To install it, do the following:

By default a fresh installation with yast will suggest creating an EFI partition with 500MB and install grub. That's just fine and will do.

Edit LOADER_TYPE in /etc/sysconfig/bootloader to an empty value to make sure other scripts don't get into the way later.

Install systemd-boot. Note that it will overwrite /EFI/BOOT/BOOTX64.EFI on the efi partition. Keep that in mind if the system contains other installations as well.
# bootctl --make-machine-id-directory=yes install

If secure boot is enabled, shim needs to be installed manually. As shim only reads grub.efi, systemd-boot needs to be renamed to pretend it's grub:

# mokutil --sb-state
SecureBoot enabled
# mv /boot/efi/EFI/systemd/systemd-bootx64.efi /boot/efi/EFI/systemd/grub.efi
# cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/systemd/systemd-bootx64.efi
# cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/systemd/

The easiest way to get kernel and initrd registered with systemd is to install file trigger scripts for kernel-install. RPM will call the triggers whenever a kernel gets installed or upgraded.

# zypper ar https://download.opensuse.org/repositories/home:/Tobi_Peter:/tumbleweed:/systemd-boot/openSUSE_Tumbleweed/home:Tobi_Peter:tumbleweed:systemd-boot.repo
# zypper dup --allow-vendor-change --from home_Tobi_Peter_tumbleweed_systemd-boot

Reboot & enjoy
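The steps above touch two things that are easy to get wrong: leaving a stale LOADER_TYPE behind so later scripts re-run the grub tooling, and letting `bootctl install` silently replace a fallback loader another OS on the same ESP depends on. The helpers below are an added example (not part of this OBS project); every function takes its file or directory as an argument so it can be exercised on a scratch copy, and the `mokutil --sb-state` check is only meaningful on real hardware.

```shell
#!/bin/bash
# Added example, not the project's own code: pre-flight helpers for the
# switch to systemd-boot described above. Paths default to the real ones
# but can be pointed at scratch copies.
set -eu

# Blank LOADER_TYPE in a sysconfig file (default /etc/sysconfig/bootloader).
# Idempotent: an already-empty value stays as is; a missing key is appended.
clear_loader_type() {
    local file="${1:-/etc/sysconfig/bootloader}"
    if grep -q '^LOADER_TYPE=' "$file"; then
        sed -i 's/^LOADER_TYPE=.*/LOADER_TYPE=""/' "$file"
    else
        printf 'LOADER_TYPE=""\n' >> "$file"
    fi
}

# Print the current LOADER_TYPE value without quotes; empty if unset.
loader_type() {
    local file="${1:-/etc/sysconfig/bootloader}"
    sed -n 's/^LOADER_TYPE="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file" | tail -n 1
}

# True if the fallback loader that `bootctl install` overwrites already
# exists on the ESP, i.e. another installation may rely on it.
fallback_loader_present() {
    local esp="${1:-/boot/efi}"
    [ -f "$esp/EFI/BOOT/BOOTX64.EFI" ]
}

# True if Secure Boot is enabled according to mokutil; returns 2 when
# mokutil is not installed so the caller can tell "unknown" from "off".
secure_boot_enabled() {
    command -v mokutil >/dev/null 2>&1 || return 2
    mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled'
}

# Demo on a constructed scratch file so nothing on the host is modified.
demo() {
    local tmp
    tmp="$(mktemp)"
    printf 'LOADER_LOCATION="mbr"\nLOADER_TYPE="grub2-efi"\n' > "$tmp"
    clear_loader_type "$tmp"
    echo "LOADER_TYPE is now: '$(loader_type "$tmp")'"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the edit on a throwaway file; on the real system call `clear_loader_type` with no argument, and check `fallback_loader_present` before running `bootctl install` if the machine dual-boots.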
-------------------------------------------
As of March 2023 the following packages require modifications to work with systemd-boot:

systemd: hooks to add snapshot awareness to kernel-install
dracut: avoid overwriting existing initrds, do not delete initrds on removal in kernel-install script

This is a fork of systemd on openSUSE Tumbleweed for x86_64 with experimental submenu support.

This repo contains everything needed to utilize systemd-boot and snapshot support using snapper.
When new snapshots are created, they get automatically added to the boot menu.
When using secure boot: All snapshots and kernels are automatically signed upon creation, as well as systemd-boot.
Below are installation instructions for these packages and for making this setup compatible with TPM2.

Assumption: You have already installed your system on GPT-partitioned drive using UEFI mode.
To install it, do the following:
By default a fresh installation with yast will suggest creating an EFI partition with 500MB and install grub. You'll need a bigger EFI partition (at least 2GB).

# zypper ar https://download.opensuse.org/repositories/home:/Tobi_Peter:/tumbleweed:/systemd-boot-snapper/openSUSE_Tumbleweed/home:Tobi_Peter:tumbleweed:systemd-boot-snapper.repo

I recommend installing my systemd version, as it includes submenu support to organize the entries in menus:
# zypper dup --allow-vendor-change --from home_Tobi_Peter_tumbleweed_systemd-boot-snapper
# zypper in systemd-boot

Installing kernel-install-openSUSE-snapper or kernel-install-openSUSE-snapper-sb will automatically set up systemd-boot for you.
If you're not using secure-boot:
# zypper in kernel-install-openSUSE-snapper

If you're using secure-boot, you HAVE to put your system into SETUP MODE for secure boot. To verify this:
# zypper in sbctl
# sbctl status

Only when setup mode is enabled:
# zypper in kernel-install-openSUSE-snapper-sb

Reboot & enjoy

--------------------------

If you roll back to a snapshot that was created BEFORE following these steps, it won't create new boot images or snapshot boot images. You can install my packages again after reboot (note though, if you're using secure-boot, you HAVE to put your system into SETUP MODE for secure boot again).
Should any issues arise, or should you decide you no longer want my packages, go back to another snapshot (or boot into the same snapshot again) and do one of the following:

1. Go back to GRUB and try to create a new dracut image (This WON'T work if you have a LUKS2 encrypted system):
List all installed kernels in this snapshot:
# ls /lib/modules/
Now, replace kernel-version with a kernel version (or all) you saw in the output:
# dracut -f --kver kernel-version
Should it show an error message like:
dracut: Can't write to /boot/efi/XXXXXXXXXXXXXXXXXXX/kernel-version: Directory /boot/efi/XXXXXXXXXXXXXXXXXXX/kernel-version does not exist or is not accessible.
create this directory (replace the path with the path shown in your error message):
# mkdir /boot/efi/XXXXXXXXXXXXXXXXXXX/kernel-version
Then, try again:
# dracut -f --kver kernel-version
You might have to install grub again (replace "/dev/sda" with the hard drive your EFI partition is located on, not system partition):
# grub-install /dev/sda

OR

2. Tell dracut to build UKIs and continue to use systemd-boot (this won't work with secure boot enabled, as you can't boot the image):
# touch /etc/dracut.conf.d/uefi.conf
# echo 'uefi="yes"' >> /etc/dracut.conf.d/uefi.conf
Then, create a new image:
List all installed kernels in this snapshot:
# ls /lib/modules/
Now, replace kernel-version with a kernel version (or all) you saw in the output:
# dracut -f --kver kernel-version
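Both recovery options end with "list the kernels, then run dracut for each one, creating the entry directory if dracut complains". The script below is an added example (not the project's code) that does that for every installed kernel at once. It assumes, as in the error message quoted above, that the directory dracut wants is `<ESP>/<machine-id>/<kernel-version>` (the layout `bootctl --make-machine-id-directory=yes` creates); the listing and directory helpers take their paths as parameters so they can be tried on a scratch tree.

```shell
#!/bin/bash
# Added example, not the project's own code: run the recovery step above
# for every installed kernel instead of one. Assumes the ESP entry layout
# <ESP>/<machine-id>/<kver> used by kernel-install with a machine-id dir.
set -eu

# List installed kernel versions: the directory names under /lib/modules.
installed_kernels() {
    local modules_dir="${1:-/lib/modules}" d
    for d in "$modules_dir"/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# Make sure the entry directory dracut writes into exists, and print it.
# This is the manual "mkdir /boot/efi/XXXX/kernel-version" step above.
ensure_entry_dir() {
    local esp="$1" machine_id="$2" kver="$3"
    mkdir -p "$esp/$machine_id/$kver"
    printf '%s\n' "$esp/$machine_id/$kver"
}

# Rebuild the initrd for every installed kernel (real run; needs root).
rebuild_all_initrds() {
    local esp="${1:-/boot/efi}" machine_id kver
    machine_id="$(cat /etc/machine-id)"
    for kver in $(installed_kernels); do
        ensure_entry_dir "$esp" "$machine_id" "$kver" >/dev/null
        dracut -f --kver "$kver"
    done
}
```

`rebuild_all_initrds` replaces the per-kernel `dracut -f --kver` loop in either option; with option 1 it still has to be followed by `grub-install`, with option 2 the UKIs it produces are picked up by systemd-boot directly.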

--------------------------

OPTIONAL:
Assumption: Your PC has a TPM2 device
This setup allows you to have your complete system encrypted with LUKS2 and automatic unlock (so without entering the password at boot). However, it requires some manual steps:
Install openSUSE with encryption enabled. (This should include the /boot partition.) This will encrypt your system with luks1 for now, as grub only supports luks1.
IMPORTANT: Remember the physical partition your system is installed on (e.g. /dev/sda2). Better write it down.

Boot your system, then follow the steps above to install systemd-boot and kernel-install-openSUSE-snapper or kernel-install-openSUSE-snapper-sb.

Reboot into the ISO you used for installation.
Select "More..."
Select "Rescue System"
Then wait, select your language.
You will be thrown into a cli, a message is shown: "openSUSE Tumbleweed Rescue System".

Enter "root" when asked for rescue login.

Now, please verify that your system is actually encrypted with luks1 (replace "/dev/sda2" with your system partition you remembered/wrote down earlier):
# cryptsetup luksDump /dev/sda2

It should show something like this:
LUKS header information for /dev/sda2 (<- your partition name here)

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 87 51 d5 12 69 a7 4e 5d 6a 56 b3 f6 5e 6b 5d ef 21 81 d6 ce
MK salt: b9 9f 9e bf 34 da ba 5f 33 10 f5 e3 c2 7b 1f 33
9e f4 6d 1c e6 cd bc 8b 48 ad 34 56 98 79 cd ce
MK iterations: 126517
UUID: 3c4624a7-2e5b-4aa3-a7b8-76e4d8dc0aa8

Key Slot 0: ENABLED
Iterations: 2024276
Salt: 93 5c b6 24 c5 47 e2 71 23 dd 57 3a d3 4a 58 9a
94 28 f9 be 41 b7 63 28 b1 8b e2 bf 84 4a 39 a6
Key material offset: 8
AF stripes: 4000

If it shows "Device /dev/sda2 (<- your partition name here) is not a valid LUKS device.", it's not the correct partition.
To find the correct partition, execute:
# lsblk
This will list all hard drives connected. You might be able to find the partition here.

We now backup the encryption data you saw above in case something goes wrong (replace "/dev/sda2" with your system partition):
# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file header-backup.dat

Now, let's convert the LUKS1 encrypted partition to LUKS2 encryption (replace "/dev/sda2" with your system partition):
# cryptsetup convert /dev/sda2 --type luks2
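The luksDump, header backup and convert steps above are a good place to refuse to continue on the wrong device. The script below is an added example (not the project's code): it parses the `Version:` line out of `cryptsetup luksDump` output, backs the header up, and only then converts, doing nothing if the device is already LUKS2. The sample dumps in the test are constructed from the output format shown above; the `luks2_keyslot0_pbkdf` helper lets you confirm later that the `--pbkdf argon2id` change took effect.

```shell
#!/bin/bash
# Added example, not the project's own code: guard the LUKS1 -> LUKS2
# conversion. Parses luksDump output rather than trusting the operator to
# have read the right partition name.
set -eu

# Read luksDump output on stdin and print the header version (1 or 2).
# Prints nothing and returns 1 if no "Version:" line is present, which is
# what "Device ... is not a valid LUKS device." looks like.
luks_version_from_dump() {
    local v
    v="$(sed -n 's/^Version:[[:space:]]*\([0-9]\{1,\}\).*/\1/p' | head -n 1)"
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# From a LUKS2 luksDump on stdin, print the PBKDF of keyslot 0
# (pbkdf2 right after conversion, argon2id after luksChangeKey --pbkdf argon2id).
luks2_keyslot0_pbkdf() {
    awk '/^Keyslots:/ { k = 1 }
         k && /^  0: luks2/ { s = 1 }
         s && /PBKDF:/ { print $2; exit }'
}

# Back up the header, then convert. DEV is the raw partition, e.g. /dev/sda2.
# Refuses non-LUKS devices; a device that is already LUKS2 is left alone.
safe_convert_to_luks2() {
    local dev="$1" backup="${2:-header-backup.dat}" ver
    ver="$(cryptsetup luksDump "$dev" | luks_version_from_dump)" || {
        echo "refusing: $dev is not a LUKS device" >&2
        return 1
    }
    case "$ver" in
        2) echo "$dev is already LUKS2, nothing to do" >&2; return 0 ;;
        1) ;;
        *) echo "refusing: unexpected LUKS version $ver" >&2; return 1 ;;
    esac
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    cryptsetup convert "$dev" --type luks2
}
```

In the rescue system, `safe_convert_to_luks2 /dev/sda2` (with your own partition) performs steps luksDump, luksHeaderBackup and convert in that order; keep the header-backup.dat file somewhere off the encrypted disk, since it is what lets you restore the header if the conversion goes wrong.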

Reboot:
# reboot

Boot your regular system. GRUB will NOT WORK anymore from this point on. You might also uninstall it and its components:
# zypper rm grub2

Now, it's recommended to change the key slot's key derivation type, as LUKS2 supports a more secure one (argon2id). You will be prompted for the passphrase of the key you want to change; enter the passphrase you use to boot your system. Then enter a new passphrase, which may also be the previous one (replace "/dev/sda2" with your system partition):
# cryptsetup luksChangeKey /dev/sda2 --pbkdf argon2id

Now, install the necessary TPM tools:
# zypper in tpm2.0-tools

Enroll your keys to TPM. This will allow the system to be unlocked using your TPM chip.
If you want to know more: https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html
This will also ask you for your password you used to boot your system (replace "/dev/sda2" with your system partition):
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+14 /dev/sda2

Find the entry for the LUKS2 volume in /etc/crypttab (it may appear referenced by its UUID) and add the tpm2-device= option, but let's first make a backup:
# cp /etc/crypttab /etc/crypttab-bu
# nano /etc/crypttab
It should show (or something similar) (replace "/dev/sda2" with your system partition):
cr-auto-1 /dev/sda2 none x-initrd.attach
Change it to:
cr-auto-1 /dev/sda2 none x-initrd.attach,tpm2-device=auto

If you did some changes you didn't want:
Hit CTRL+C and press N

If you did everything correctly:
Hit CTRL+S and CTRL+C.

Should you think you did something wrong anyway:
# cp /etc/crypttab-bu /etc/crypttab
This replaces your file with the backup we created earlier.

The last step: Regenerate the boot image. This will only generate the boot image for the currently running kernel, so if you want it to work for other kernels as well, boot into them and execute this command again:
# dracut -f

Reboot & enjoy

--------------------------

Now, every time the PCRs your policy is bound to change, the auto-unlock will fail and you will have to enter your passphrase. This can be caused not only by a malicious agent (Smith), but also by your own actions, such as disabling Secure Boot, enrolling another MOK certificate or deleting the current one, or updating/downgrading the BIOS. If you know it was you who triggered that, and it was a MOK or BIOS change (not disabling Secure Boot), do the following once the boot procedure completes (replace "/dev/sda2" with your system partition):
# systemd-cryptenroll /dev/sda2 --wipe-slot=tpm2
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+14 /dev/sda2
And on the next boot you should not see any password prompt (due to the auto-unlocking functionality working again).
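The two places where this setup gets edited by hand are the `/etc/crypttab` line (adding `tpm2-device=auto` to exactly one entry, with a backup) and the wipe-and-re-enroll sequence after a legitimate PCR change. The script below is an added example, not part of the project: the crypttab helpers take the file as a parameter so they can be tried on a scratch copy, match the entry by its device field (a raw path or a `UUID=` reference), and are idempotent, so running them twice does not produce a duplicated option; `reenroll_tpm2` just wraps the two `systemd-cryptenroll` calls above with the same PCR set (0+7+14).

```shell
#!/bin/bash
# Added example, not the project's own code: safe /etc/crypttab editing and
# TPM2 re-enrollment for the setup described above.
set -eu

# Print the non-comment crypttab line whose device field (2nd) equals DEV.
# DEV may be the raw path (/dev/sda2) or a UUID=... reference.
crypttab_entry() {
    local dev="$1" file="${2:-/etc/crypttab}"
    awk -v dev="$dev" '!/^[[:space:]]*#/ && $2 == dev' "$file"
}

# Append tpm2-device=auto to the options (4th field) of DEV's entry.
# Writes FILE-bu first. An entry that already carries a tpm2-device=
# option is left alone; a missing or "-" options field becomes just
# "tpm2-device=auto". Other lines are copied through unchanged.
crypttab_enable_tpm2() {
    local dev="$1" file="${2:-/etc/crypttab}"
    cp "$file" "$file-bu"
    awk -v dev="$dev" '
        !/^[[:space:]]*#/ && $2 == dev {
            if ($4 == "" || $4 == "-")   $4 = "tpm2-device=auto"
            else if ($4 !~ /tpm2-device=/) $4 = $4 ",tpm2-device=auto"
        }
        { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# True if DEV's crypttab entry carries a tpm2-device= option.
crypttab_has_tpm2() {
    crypttab_entry "$1" "${2:-/etc/crypttab}" | grep -q 'tpm2-device='
}

# After a deliberate MOK or firmware change: drop the stale TPM2 keyslot
# and bind a fresh one to the same PCRs used above. Prompts for the
# passphrase, as the manual steps do. Needs root and a real TPM2.
reenroll_tpm2() {
    local dev="$1"
    systemd-cryptenroll "$dev" --wipe-slot=tpm2
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+14 "$dev"
}
```

`crypttab_enable_tpm2 /dev/sda2` replaces the nano edit above and leaves the same `/etc/crypttab-bu` backup; `crypttab_has_tpm2 /dev/sda2` is a quick check before running `dracut -f`, and `reenroll_tpm2 /dev/sda2` is the recovery sequence for a PCR change you caused yourself.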

--------------------------

USE AT YOUR OWN RISK!

This project was created for package wsdd2 via attribute OBS:Maintained
