
How to run the ALP Demo

The easiest way to run the ALP demo is by using the alp-demo script
provided by SUSE. This script downloads the ALP image and runs it
under KVM.

The script is available as an RPM package from opensuse.org,
currently in project home:okir:FDE.


Installing the demo
===================

Once you've obtained and installed the scripts, run it as root:

  sudo -E run-alp

This will churn for a moment, downloading and copying the image around.
Eventually a virt-viewer window should pop up and show you the boot
screen. The shim loader will ask you whether you want to trust the
openSUSE Secure Boot certificate, you should say "Yes" here.

Booting should then proceed without further manual intervention.

At some point, JeOS-Firstboot should start, asking you questions
about things like your keyboard layout, time zone, etc, and request
your consent to the EULA.

After this, the firstboot scripts should launch into setup for full
disk encryption. You have a choice of protecting your encryption
key with the TPM chip, and/or with a pass phrase. It is recommended
to enable the TPM chip unless there are hardware issues (which are
not expected while running the demo under KVM), and use the pass
phrase for recovery only.

The dialog offers a third option (protection using a CCID device)
but that is currently there as a teaser, only. We should probably
disable it for the released version of the demo.

Once the system setup is complete, you will see the usual Linux
console login.

HINT for users not familiar with virt-viewer: if you click into
the virt-viewer window, it will "capture" your mouse. The mouse
pointer will essentially disappear from your screen. To make
virt-viewer release it again, there is a magic key combination you
need to press. virt-viewer will usually show this in the title
bar when the mouse has been captured.


Verifying FDE features
======================

When you reboot the system, grub should display a message saying
that it retrieved the key from the TPM, and proceed to boot the
system without requiring any pass phrase to unlock the disk.

For those who want to test the system a bit, here are some things
to try

 - reboot the VM, and enter the BIOS by pressing F2, and disable
   Secure Boot. Your ALP system should no longer be able to
   recover the key from the TPM, and request the fallback
   password instead.

 - modify /boot/efi/EFI/BOOT/grub.cfg and reboot.
   Just like above, the system should no longer be able to
   unlock the disk using the TPM.


Miscellaneous
=============

If the image does not boot under virt-manager on your system,
the run-alp script supports a fallback that runs the demo
under qemu directly. Simply invoke the run-alp script with
the --qemu option.
