This post is a small introduction to installing a hardened Gentoo on your 2015 XPS. You’ll end up with a laptop that
is fully encrypted,
only boots kernels signed with your key,
protects you against the most common exploits using PaX, and
allows you to enable Role-Based Access Control (RBAC) to further harden your system.
Disclaimer: Though everything should work regardless of your exact model, you might have to reconfigure the kernel if you’re not using an XPS 9343.
I will not go over every detail. If you are a Gentoo user you’ve probably installed your fair share of stage3 tarballs already.
If in doubt, consult the Gentoo Handbook.
What you need
Your XPS Laptop.
USB Stick with Ubuntu 16.04
Ethernet to USB Adapter
Instead of using an ethernet adapter you might try to download all necessary drivers beforehand and place them on the USB stick, to work around the wifi not working out of the box.
I used this ethernet adapter, which has Linux support via the asix module out of the box. The total cost was around 8 Euros.
Also make sure that you delete all existing Secure Boot keys if you actually want to sign your kernel.
Without removing them, you’ll be unable to set any new ones from within the operating system.
This is by design, so that an attacker with root privileges cannot disable Secure Boot and replace your kernel.
After you’ve configured your BIOS, plug in the USB stick and press F12 when you see the Dell logo.
This should give you the option to boot Ubuntu.
Formatting and encrypting your drive
You should’ve booted Ubuntu and opened a terminal by now. In the shell code below I’m assuming that /dev/sda is your
SSD. If that’s not the case, substitute it with the correct device.
Next up, you want to format and encrypt your new paritions:
Installing the base system
At this point you’ve got an empty, encrypted hard drive that’s mounted at /mnt/gentoo.
We’ll need to download the stage3 tarball and get the basic configuration in place before
we can chroot into our new system and start building the kernel.
You should consult the Gentoo Handbook at this point if you don’t know all the steps by heart.
The make.conf configuration I’m using below is un-opinionated, so you might want to add some additional USE flags depending
on what window manager you want to install. Make sure the DRACUT_MODULES section is included, because we’ll need that to
boot from our encrypted drive.
Once you’ve chrooted into the freshly unpacked tarball, it’s time to configure the rest of the system.
At this point you should check out the following git repository, which contains an optimized kernel configuration among
some other files that will be useful later: https://github.com/invokr/xps-9343-linux
You should also go through the kernel configuration to check that you are fine with all of the PaX settings.
Some of the things I configured may not be to everyone’s liking:
Deny new USB connections
Hide kernel symbols
The former forces you to have any and all USB devices plugged in at boot. I particularly like this because it means that
someone sticking their USB stick into my laptop at a conference is not going to have any effect.
The latter just strips all kernel symbols, which makes debugging harder but prevents some rootkits from working correctly.
Now that you have a working kernel and the keys to sign it, we want to add those keys to the BIOS’s key store.
This prevents any unsigned kernel from booting. Note that this only works if you have removed the existing Microsoft keys,
as mentioned at the beginning of the post.
With PK.auth reset, it will now be impossible to overwrite any of the already added keys unless they are cleared in the BIOS again.
Should you ever want to go back to Windows, deleting all the keys and reimporting the old ones will do the trick. The Dell BIOS
also has a reset option that will roll back the Windows key automatically.
It’s also possible to dual boot if you combine your keys with Microsoft’s. I’m not going to go into that, as there is plenty of
information available online on how to do it.
The next step is to sign our kernel and generate an EFI stub that is bootable.
Because the XPS’s BIOS does not pass any parameters to the kernel during boot, it is impossible to specify the root / LUKS device directly; we therefore need an initrd image that already includes all the parameters.
It might be possible to hardcode these with gentoolkit, but I couldn’t get this to work, so instead of using gentoolkit I recommend using dracut, which is easy to set up and worked without any issues for me.
The only thing that’s left to do is reboot, go into your BIOS and select /boot/EFI/gentoo/BOOT.x64.efi.signed in the EFI section.
Afterwards, you can enable Secure Boot and you should be good to go!
You now have an encrypted hard drive that only boots your signed kernels.
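As an added example (not the post's own commands, and not part of the linked repository), the following script covers the two steps just described: enrolling the self-made keys into the firmware and building a single EFI-stub image with dracut that has the LUKS and root parameters baked in, then signing that image with the db key. It assumes efitools, sbsigntools and dracut (with a systemd-boot/gummiboot EFI stub available) are installed in the chroot, that the PK/KEK/db .auth, .key and .crt files were generated beforehand in /etc/efikeys, and the kernel is at /usr/src/linux/arch/x86/boot/bzImage; all of those paths are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own code. Enrolls the Secure Boot keys and
# builds one signed EFI image that already carries the kernel command line,
# because the XPS firmware passes no parameters to the kernel at boot.
# Assumed paths (override via environment): keys in /etc/efikeys, kernel at
# /usr/src/linux/arch/x86/boot/bzImage, output BOOT.x64.efi.signed under /boot/EFI.
set -eu

KEYDIR=${KEYDIR:-/etc/efikeys}
KERNEL=${KERNEL:-/usr/src/linux/arch/x86/boot/bzImage}
OUT=${OUT:-/boot/EFI/gentoo/BOOT.x64.efi.signed}

# Kernel command line that dracut embeds into the image: which LUKS container
# to unlock (by header UUID) and which mapped device holds the root filesystem.
build_cmdline() {
  printf 'rd.luks.uuid=%s root=/dev/mapper/%s rootfstype=%s ro' "$1" "$2" "$3"
}

# UUID of the LUKS header, which is what rd.luks.uuid expects (it is not the
# UUID of the filesystem inside the container).
luks_uuid_of() {
  cryptsetup luksUUID "$1"
}

# Enroll db and KEK first; writing PK last leaves setup mode, after which the
# variables only accept updates signed by these keys (or a clear in the BIOS).
enroll_keys() {
  efi-updatevar -f "$KEYDIR/db.auth" db
  efi-updatevar -f "$KEYDIR/KEK.auth" KEK
  efi-updatevar -f "$KEYDIR/PK.auth" PK
}

# Combine kernel, initrd (with the crypt module) and command line into one EFI
# executable, sign the whole image with the db key, and verify the signature.
build_and_sign() {
  kver=$1; cmdline=$2; unsigned=${OUT%.signed}
  dracut --force --uefi --add crypt --kernel-image "$KERNEL" \
    --kernel-cmdline "$cmdline" --kver "$kver" "$unsigned"
  sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" --output "$OUT" "$unsigned"
  sbverify --cert "$KEYDIR/db.crt" "$OUT"
}

# Usage: script enroll
#        script build <kernel version> <luks partition> <mapper name> [fstype]
case ${1:-} in
  enroll) enroll_keys ;;
  build)  build_and_sign "$2" "$(build_cmdline "$(luks_uuid_of "$3")" "$4" "${5:-ext4}")" ;;
esac
```

Run `enroll` once with Secure Boot still disabled and the key store cleared as described earlier, then `build` after every kernel update; the BIOS entry then points at the signed image.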
Written by Robin Dietrich on 01 March 2017.