Diffstat (limited to 'docs/src/gnulinux')
-rw-r--r-- | docs/src/gnulinux/configuring_parabola.texi | 482 |
-rw-r--r-- | docs/src/gnulinux/encrypted_parabola.texi | 414 |
-rw-r--r-- | docs/src/gnulinux/encrypted_trisquel.texi | 347 |
-rw-r--r-- | docs/src/gnulinux/grub_boot_installer.texi | 157 |
-rw-r--r-- | docs/src/gnulinux/grub_cbfs.texi | 178 |
-rw-r--r-- | docs/src/gnulinux/grub_config.texi | 119 |
-rw-r--r-- | docs/src/gnulinux/index.texi | 58 |
7 files changed, 1755 insertions, 0 deletions
diff --git a/docs/src/gnulinux/configuring_parabola.texi b/docs/src/gnulinux/configuring_parabola.texi new file mode 100644 index 0000000..ebef9e9 --- /dev/null +++ b/docs/src/gnulinux/configuring_parabola.texi 
@@ -0,0 +1,482 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title Configuring Parabola (post-install) +@end titlepage + +@node Top +@top Configuring Parabola (post-install) + +@menu +* Configuring Parabola post-install:: +* Table of Contents:: +@end menu + +@node Configuring Parabola post-install +@chapter Configuring Parabola (post-install) +@anchor{#configuring-parabola-post-install} +Post-installation configuration steps for Parabola GNU/Linux-libre. Parabola is extremely flexible; this is just an example. + +@uref{index.html,Back to previous index} + +@node Table of Contents +@chapter Table of Contents +@anchor{#table-of-contents} +@itemize +@item +@ref{#pacman_configure,Configuring pacman} +@itemize +@item +@ref{#pacman_update,Updating Parabola} +@item +@ref{#pacman_maintain,Maintaining Parabola during system updates} +@itemize +@item +@ref{#pacman_cacheclean,Clearing package cache after updating} +@item +@ref{#pacman_commandequiv,Pacman command equivalents (compared to other package managers)} +@end itemize + +@item +@ref{#yourfreedom,your-freedom} +@end itemize + +@item +@ref{#useradd,Add a user account} +@item +@ref{#systemd,System D} +@item +@ref{#interesting_repos,Interesting repositories} +@item +@ref{#network,Setup a network connection in Parabola} +@itemize +@item +@ref{#network_hostname,Setting hostname} +@item +@ref{#network_status,Network status} +@item +@ref{#network_devicenames,Network interface names} +@item +@ref{#network_setup,Network setup} +@end itemize + +@item +@ref{#system_maintain,System maintenance} - important! 
+@item +@ref{#desktop,Configuring the desktop} +@itemize +@item +@ref{#desktop_xorg,Install Xorg} +@item +@ref{#desktop_kblayout,Xorg keyboard layout} +@item +@ref{#desktop_lxde,Install LXDE} +@item +@ref{#lxde_clock,LXDE - clock} +@item +@ref{#lxde_font,LXDE - font} +@item +@ref{#lxde_screenlock,LXDE - screenlock} +@item +@ref{#lxde_automount,LXDE - automounting} +@item +@ref{#lxde_suspend,LXDE - disable suspend} +@item +@ref{#lxde_battery,LXDE - battery monitor} +@item +@ref{#lxde_network,LXDE - network manager} +@end itemize + +@end itemize + +While not strictly related to the libreboot project, this guide is intended to be useful for those interested in installing Parabola on their libreboot system. + +It details configuration steps that I took after installing the base system, as a follow up to @uref{encrypted_parabola.html,encrypted_parabola.html}. This guide is likely to become obsolete at a later date (due to the volatile 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. + +@strong{This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch with the libreboot project!} + +You do not necessarily have to follow this guide word-for-word; @emph{parabola} is extremely flexible. The aim here is to provide a common setup that most users will be happy with. While Parabola can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide all the same usability as Trisquel, without hiding any details from the user. + +Paradoxically, as you get more advanced Parabola can actually become @emph{easier to use} when you want to set up your system in a special way compared to what most distributions provide. You will find over time that other distributions tend to @emph{get in your way}. + +@strong{This guide assumes that you already have Parabola installed. 
If you have not yet installed Parabola, then @uref{encrypted_parabola.html,this guide} is highly recommended!} + +A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. @strong{It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, especially for new users}. + +The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the Arch wiki. + +Some of these steps require internet access. I'll go into networking later but for now, I just connected my system to a switch and did:@* # @strong{systemctl start dhcpcd.service}@* You can stop it later by running:@* # @strong{systemctl stop dhcpcd.service}@* For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:@* @ref{#network,Setup network connection in Parabola} +@menu +* Configure pacman:: +* Updating Parabola:: +* Maintaining Parabola:: +* your-freedom:: +* Add a user:: +* systemd:: +* Interesting repositories:: +* Setup a network connection in Parabola:: +* System Maintenance:: +* Configuring the desktop:: +@end menu + +@node Configure pacman +@section Configure pacman +@anchor{#configure-pacman} +pacman (@strong{pac}kage @strong{man}ager) is the name of the package management system in Arch, which Parabola (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel, this can be used to add/remove and update the software on your computer. 
+ +Based on @uref{https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman,https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman} and from reading @uref{https://wiki.archlinux.org/index.php/Pacman,https://wiki.archlinux.org/index.php/Pacman} (make sure to read and understand this, it's very important) and @uref{https://wiki.parabolagnulinux.org/Official_Repositories,https://wiki.parabolagnulinux.org/Official_Repositories} + +@ref{#pagetop,Back to top of page.} + +@node Updating Parabola +@section Updating Parabola +@anchor{#updating-parabola} +In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:@* # @strong{pacman -Syy}@* (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date, which can be useful when switching to another mirror).@* Then, update the system:@* # @strong{pacman -Syu} + +@strong{Before installing packages with 'pacman -S', always update first, using the notes above.} + +Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages about maintenance steps that you will need to perform with certain files (typically configurations) after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues. If a new kernel is installed, you should also update to be able to use it (the currently running kernel will also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated. A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website, and more maintenance work. 
+ +The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). The @emph{Parabola} IRC channel (#parabola on freenode) can also help you. + +Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event, like a presentation or sending an email to an important person before an allocated deadline, and so on. + +Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free, so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in the rare event that they do occur. + +@ref{#pagetop,Back to top of page.} + +@node Maintaining Parabola +@section Maintaining Parabola +@anchor{#maintaining-parabola} +Parabola is a very simple distro, in the sense that you are in full control and everything is made transparent to you. One consequence is that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro on another computer, for example). + +@ref{#pagetop,Back to top of page.} +@menu +* Cleaning the package cache:: +* pacman command equivalents:: +@end menu + +@node Cleaning the package cache +@subsection Cleaning the package cache +@anchor{#cleaning-the-package-cache} +@strong{The following is very important as you continue to use, update and maintain your Parabola system:@* @uref{https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache,https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache}. 
Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache of old package information, updated automatically when you do anything in pacman).} + +To clean out all old packages that are cached:@* # @strong{pacman -Sc} + +The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo, if you encounter issues and want to revert back to an older package then it's useful to have the caches available. Only do this if you are sure that you won't need it. + +The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:@* # @strong{pacman -Scc}@* This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used when disk space is at a premium. + +@ref{#pagetop,Back to top of page.} + +@node pacman command equivalents +@subsection pacman command equivalents +@anchor{#pacman-command-equivalents} +The following table lists other distro package manager commands, and their equivalent in pacman:@* @uref{https://wiki.archlinux.org/index.php/Pacman_Rosetta,https://wiki.archlinux.org/index.php/Pacman_Rosetta} + +@ref{#pagetop,Back to top of page.} + +@node your-freedom +@section your-freedom +@anchor{#your-freedom} +your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola wiki for migrating - converting - an existing Arch system to a Parabola system), installing your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution is then to delete the offending packages, and continue installing @emph{your-freedom}. 
+ +@ref{#pagetop,Back to top of page.} + +@node Add a user +@section Add a user +@anchor{#add-a-user} +Based on @uref{https://wiki.archlinux.org/index.php/Users_and_Groups,https://wiki.archlinux.org/index.php/Users_and_Groups}. + +It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended only for critical administrative work, since it has complete access to the entire operating system. + +Read the entire document linked to above, and then continue. + +Add your user:@* # @strong{useradd -m -G wheel -s /bin/bash @emph{yourusername}}@* Set a password:@* # @strong{passwd @emph{yourusername}} + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (instead of passwords). + +@ref{#pagetop,Back to top of page} + +@node systemd +@section systemd +@anchor{#systemd} +This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. Read @uref{https://wiki.archlinux.org/index.php/systemd,https://wiki.archlinux.org/index.php/systemd} and @uref{https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage,https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage} to gain a full understanding. @strong{This is very important! Make sure to read them.} + +An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. + +@uref{https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530,https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530} explains the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. + +The manpage should also help:@* # @strong{man systemd}@* The section on 'unit types' is especially useful. + +According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. on a 60GB root this would mean 6GB. 
That's not exactly practical, and can have performance implications later when the log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki recommends 50MiB). + +Open /etc/systemd/journald.conf and find the line that says:@* @emph{#SystemMaxUse=}@* Change it to say:@* @emph{SystemMaxUse=50M} + +The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it. + +Restart journald:@* # @strong{systemctl restart systemd-journald} + +The wiki recommends that if the journal gets too large, you can also simply delete (rm -Rf) everything inside /var/log/journald/* but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically start to delete older records when the journal size reaches it's limit (according to systemd developers). + +Finally, the wiki mentions 'temporary' files and the utility for managing them.@* # @strong{man systemd-tmpfiles}@* The command for 'clean' is:@* # @strong{systemd-tmpfiles --clean}@* According to the manpage, this @emph{"cleans all files and directories with an age parameter"}. According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations to get a better understanding. + +I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. The first one was etc.conf, containing information and a reference to this manpage:@* # @strong{man tmpfiles.d}@* Read that manpage, and then continue studying all the files. + +The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all. 
+ +@ref{#pagetop,Back to top of page} + +@node Interesting repositories +@section Interesting repositories +@anchor{#interesting-repositories} +Parabola wiki at @uref{https://wiki.parabolagnulinux.org/Repositories#kernels,https://wiki.parabolagnulinux.org/Repositories#kernels} mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available there, depending on your use case. + +I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:@* @emph{[kernels]@* Include = /etc/pacman.d/mirrorlist} + +Now sync with the repository:@* # @strong{pacman -Syy} + +List all available packages in this repository:@* # @strong{pacman -Sl kernels} + +In the end, I decided not to install anything from it but I kept the repository enabled regardless. + +@ref{#pagetop,Back to top of page.} + +@node Setup a network connection in Parabola +@section Setup a network connection in Parabola +@anchor{#setup-a-network-connection-in-parabola} +Read @uref{https://wiki.archlinux.org/index.php/Configuring_Network,https://wiki.archlinux.org/index.php/Configuring_Network}. + +@ref{#pagetop,Back to top of page.} +@menu +* Set the hostname:: +* Network Status:: +* Network device names:: +* Network setup:: +@end menu + +@node Set the hostname +@subsection Set the hostname +@anchor{#set-the-hostname} +This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):@* # @strong{hostnamectl set-hostname @emph{yourhostname}}@* This writes the specified hostname to /etc/hostname. More information can be found in these manpages:@* # @strong{man hostname}@* # @strong{info hostname}@* # @strong{man hostnamectl} + +Add the same hostname to /etc/hosts, on each line. 
Example:@* @emph{127.0.0.1 localhost.localdomain localhost myhostname@* ::1 localhost.localdomain localhost myhostname} + +You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does) so it's good to be forward-thinking here. + +The @emph{hostname} utility is part of the @emph{inetutils} package and is in core/, installed by default (as part of @emph{base}). + +@ref{#pagetop,Back to top of page.} + +@node Network Status +@subsection Network Status +@anchor{#network-status} +According to the Arch wiki, @uref{https://wiki.archlinux.org/index.php/Udev,udev} should already detect the ethernet chipset and load the driver for it automatically at boot time. You can check this in the @emph{"Ethernet controller"} section when running this command:@* # @strong{lspci -v} + +Look at the remaining sections @emph{'Kernel driver in use'} and @emph{'Kernel modules'}. In my case it was as follows:@* @emph{Kernel driver in use: e1000e@* Kernel modules: e1000e} + +Check that the driver was loaded by issuing @emph{dmesg | grep module_name}. In my case, I did:@* # @strong{dmesg | grep e1000e} + +@node Network device names +@subsection Network device names +@anchor{#network-device-names} +According to @uref{https://wiki.archlinux.org/index.php/Configuring_Network#Device_names,https://wiki.archlinux.org/index.php/Configuring_Network#Device_names}, it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, @emph{systemd} creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. An example device name for your ethernet chipset would be @emph{enp0s25}, where it is never supposed to change. 
+ +If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends adding @emph{net.ifnames=0} to your kernel parameters (in libreboot context, this would be accomplished by following the instructions in @uref{grub_cbfs.html,grub_cbfs.html}). + +For background information, read @uref{http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/,Predictable Network Interface Names} + +Show device names:@* # @strong{ls /sys/class/net} + +Changing the device names is possible (I chose not to do it):@* @uref{https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name,https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name} + +@ref{#pagetop,Back to top of page.} + +@node Network setup +@subsection Network setup +@anchor{#network-setup} +I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical network-manager client. Here is a list of network managers:@* @uref{https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers,https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers}. If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd. NetworkManager will be setup later, after installing LXDE. + +@ref{#pagetop,Back to top of page.} + +@node System Maintenance +@section System Maintenance +@anchor{#system-maintenance} +Read @uref{https://wiki.archlinux.org/index.php/System_maintenance,https://wiki.archlinux.org/index.php/System_maintenance} before continuing. Also read @uref{https://wiki.archlinux.org/index.php/Enhance_system_stability,https://wiki.archlinux.org/index.php/Enhance_system_stability}. @strong{This is important, so make sure to read them!} + +Install smartmontools (it can be used to check smart data. 
HDDs use non-free firmware inside, but it's transparent to you but the smart data comes from it. Therefore, don't rely on it too much):@* # @strong{pacman -S smartmontools}@* Read @uref{https://wiki.archlinux.org/index.php/S.M.A.R.T.,https://wiki.archlinux.org/index.php/S.M.A.R.T.} to learn how to use it. + +@ref{#pagetop,Back to top of page.} + +@node Configuring the desktop +@section Configuring the desktop +@anchor{#configuring-the-desktop} +Based on steps from @uref{https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface,General Recommendations} on the Arch wiki. The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE by default. + +@ref{#pagetop,Back to top of page.} +@menu +* Installing Xorg:: +* Xorg keyboard layout:: +* Install LXDE:: +* LXDE - clock:: +* LXDE - font:: +* LXDE - screenlock:: +* LXDE - automounting:: +* LXDE - disable suspend:: +* LXDE - battery monitor:: +* LXDE - Network Manager:: +@end menu + +@node Installing Xorg +@subsection Installing Xorg +@anchor{#installing-xorg} +Based on @uref{https://wiki.archlinux.org/index.php/Xorg,https://wiki.archlinux.org/index.php/Xorg}. + +Firstly, install it!@* # @strong{pacman -S xorg-server}@* I also recommend installing this (contains lots of useful tools, including @emph{xrandr}):@* # @strong{pacman -S xorg-server-utils} + +Install the driver. For me this was @emph{xf86-video-intel} on the ThinkPad X60. T60 and macbook11/21 should be the same.@* # @strong{pacman -S xf86-video-intel}@* For other systems you can try:@* # @strong{pacman -Ss xf86-video- | less}@* Combined with looking at your @emph{lspci} output, you can determine which driver is needed. By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. 
+ +Other drivers (not just video) can be found by looking at the @emph{xorg-drivers} group:@* # @strong{pacman -Sg xorg-drivers}@* + +Mostly you will rely on a display manager, but in case you ever want to start X without one:@* # @strong{pacman -S xorg-xinit} + +<optional>@* @ @ @ Arch wiki recommends installing these, for testing that X works:@* @ @ @ # @strong{pacman -S xorg-twm xorg-xclock xterm}@* @ @ @ Refer to @uref{https://wiki.archlinux.org/index.php/Xinitrc,https://wiki.archlinux.org/index.php/Xinitrc}. and test X:@* @ @ @ # @strong{startx}@* @ @ @ When you are satisfied, type @strong{@emph{exit}} in xterm, inside the X session.@* @ @ @ Uninstall them (clutter. eww): # @strong{pacman -S xorg-xinit xorg-twm xorg-xclock xterm}@* </optional> + +@ref{#pagetop,Back to top of page.} + +@node Xorg keyboard layout +@subsection Xorg keyboard layout +@anchor{#xorg-keyboard-layout} +Refer to @uref{https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg,https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg}. + +Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you set in /etc/vconsole.conf earlier might not actually be the same in X. + +To see what layout you currently use, try this on a terminal emulator in X:@* # @strong{setxkbmap -print -verbose 10} + +In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. + +I'll just say it now: @emph{XkbModel} can be @emph{pc105} in this case (ThinkPad X60, with a 105-key UK keyboard). If you use an American keyboard (typically 104 keys) you will want to use @emph{pc104}. + +@emph{XkbLayout} in my case would be @emph{gb}, and @emph{XkbVariant} would be @emph{dvorak}. 
+ +The Arch wiki recommends two different methods for setting the keyboard layout:@* @uref{https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files,https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files} and@* @uref{https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl,https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl}. + +In my case, I chose to use the @emph{configuration file} method:@* Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:@* @emph{Section "InputClass"@* @ @ @ @ @ @ @ @ Identifier "system-keyboard"@* @ @ @ @ @ @ @ @ MatchIsKeyboard "on"@* @ @ @ @ @ @ @ @ Option "XkbLayout" "gb"@* @ @ @ @ @ @ @ @ Option "XkbModel" "pc105"@* @ @ @ @ @ @ @ @ Option "XkbVariant" "dvorak"@* EndSection} + +For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then you don't even need to do anything (though it might help, for the sake of being explicit). + +@ref{#pagetop,Back to top of page.} + +@node Install LXDE +@subsection Install LXDE +@anchor{#install-lxde} +Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight and does everything that I need. If you would like to try something different, refer to @uref{https://wiki.archlinux.org/index.php/Desktop_environment,https://wiki.archlinux.org/index.php/Desktop_environment} + +Refer to @uref{https://wiki.archlinux.org/index.php/LXDE,https://wiki.archlinux.org/index.php/LXDE}. + +Install it, choosing 'all' when asked for the default package list:@* # @strong{pacman -S lxde obconf} + +I didn't want the following, so I removed them:@* # @strong{pacman -R lxmusic lxtask} + +I also lazily installed all fonts:@* # @strong{pacman -S $(pacman -Ssq ttf-)} + +LXDE comes with a terminal. 
You probably want a browser to go with that; I choose GNU IceCat, part of the @emph{@uref{https://gnu.org/,GNU project}}:@* # @strong{pacman -S icecat}@* And a mail client:@* # @strong{pacman -S icedove} + +In IceCat, go to @emph{Preferences :: Advanced} and disable @emph{GNU IceCat Health Report}. + +I also like to install these:@* # @strong{pacman -S xsensors stress htop} + +Enable LXDM (the default display manager, providing a graphical login):@* # @strong{systemctl enable lxdm.service}@* It will start when you boot up the system. To start it now, do:@* # @strong{systemctl start lxdm.service} + +Log in with your standard (non-root) user that you created earlier. It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. Read @uref{https://wiki.archlinux.org/index.php/Xinitrc,https://wiki.archlinux.org/index.php/Xinitrc}. + +Open LXterminal:@* $ @strong{cp /etc/skel/.xinitrc ~}@* Open .xinitrc and add the following plus a line break at the bottom of the file.@* @emph{# Probably not needed. The same locale info that we set before@* # Based on advice from the LXDE wiki export LC_ALL=en_GB.UTF-8@* export LANGUAGE=en_GB.UTF-8@* export LANG=en_GB.UTF-8@* @* # Start lxde desktop@* exec startlxde@*} Now make sure that it is executable:@* $ @strong{chmod +x .xinitrc} + +@ref{#pagetop,Back to top of page.} + +@node LXDE - clock +@subsection LXDE - clock +@anchor{#lxde---clock} +In @strong{Digital Clock Settings} (right click the clock) I set the Clock Format to @emph{%Y/%m/%d %H:%M:%S} + +@ref{#pagetop,Back to top of page.} + +@node LXDE - font +@subsection LXDE - font +@anchor{#lxde---font} +NOTE TO SELF: come back to this later. 
+ +@ref{#pagetop,Back to top of page.} + +@node LXDE - screenlock +@subsection LXDE - screenlock +@anchor{#lxde---screenlock} +Arch wiki recommends to use @emph{xscreensaver}:@* # @strong{pacman -S xscreensaver} + +Under @emph{Preferences :: Screensaver} in the LXDE menu, I chose @emph{Mode: Blank Screen Only}, setting @emph{Blank After}, @emph{Cycle After} and @emph{Lock Screen After} (checked) to 10 minutes. + +You can now lock the screen with @emph{Logout :: Lock Screen} in the LXDE menu. + +@ref{#pagetop,Back to top of page.} + +@node LXDE - automounting +@subsection LXDE - automounting +@anchor{#lxde---automounting} +Refer to @uref{https://wiki.archlinux.org/index.php/File_manager_functionality,https://wiki.archlinux.org/index.php/File_manager_functionality}. + +I chose to ignore this for now. NOTE TO SELF: come back to this later. + +@ref{#pagetop,Back to top of page.} + +@node LXDE - disable suspend +@subsection LXDE - disable suspend +@anchor{#lxde---disable-suspend} +When closing the laptop lid, the system suspends. This is annoying at least to me. NOTE TO SELF: disable it, then document the steps here. + +@ref{#pagetop,Back to top of page.} + +@node LXDE - battery monitor +@subsection LXDE - battery monitor +@anchor{#lxde---battery-monitor} +Right click lxde panel and @emph{Add/Remove Panel Items}. Click @emph{Add} and select @emph{Battery Monitor}, then click @emph{Add}. Close and then right-click the applet and go to @emph{Battery Monitor Settings}, check the box that says @emph{Show Extended Information}. Now click @emph{Close}. When you hover the cursor over it, it'll show information about the battery. + +@ref{#pagetop,Back to top of page.} + +@node LXDE - Network Manager +@subsection LXDE - Network Manager +@anchor{#lxde---network-manager} +Refer to @uref{https://wiki.archlinux.org/index.php/LXDE#Network_Management,https://wiki.archlinux.org/index.php/LXDE#Network_Management}. 
Then I read: @uref{https://wiki.archlinux.org/index.php/NetworkManager,https://wiki.archlinux.org/index.php/NetworkManager}. + +Install Network Manager:@* # @strong{pacman -S networkmanager} + +You will also want the graphical applet:@* # @strong{pacman -S network-manager-applet}@* Arch wiki says that an autostart rule will be written at @emph{/etc/xdg/autostart/nm-applet.desktop} + +I want to be able to use a VPN at some point, so the wiki tells me to do:@* # @strong{pacman -S networkmanager-openvpn} + +LXDE uses openbox, so I refer to:@* @uref{https://wiki.archlinux.org/index.php/NetworkManager#Openbox,https://wiki.archlinux.org/index.php/NetworkManager#Openbox}. + +It tells me for the applet I need:@* # @strong{pacman -S xfce4-notifyd gnome-icon-theme}@* Also, for storing authentication details (wifi) I need:@* # @strong{pacman -S gnome-keyring} + +I wanted to quickly enable networkmanager:@* # @strong{systemctl stop dhcpcd}@* # @strong{systemctl start NetworkManager}@* Enable NetworkManager at boot time:@* # @strong{systemctl enable NetworkManager} + +Restart LXDE (log out, and then log back in). + +I added the volume control applet to the panel (right click panel, and add a new applet). I also later changed the icons to use the gnome icon theme, in @emph{lxappearance}. + +@ref{#pagetop,Back to top of page.} + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. 
A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye diff --git a/docs/src/gnulinux/encrypted_parabola.texi b/docs/src/gnulinux/encrypted_parabola.texi new file mode 100644 index 0000000..83d5ac4 --- /dev/null +++ b/docs/src/gnulinux/encrypted_parabola.texi 
@@ -0,0 +1,414 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title Installing Parabola GNU/Linux with full disk encryption (including /boot) +@end titlepage + +@node Top +@top Installing Parabola GNU/Linux with full disk encryption (including /boot) + +@menu +* Installing Parabola GNU/Linux with full disk encryption including /boot:: +* Troubleshooting:: +@end menu + +@node Installing Parabola GNU/Linux with full disk encryption including /boot +@chapter Installing Parabola GNU/Linux with full disk encryption (including /boot) +@anchor{#installing-parabola-gnulinux-with-full-disk-encryption-including-boot} +Libreboot on x86 uses the GRUB @uref{http://www.coreboot.org/Payloads#GRUB_2,payload} by default, which means that the GRUB configuration file (where your GRUB menu comes from) is stored directly alongside libreboot and it's GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems. + +On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system. + +@strong{This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.} + +@uref{index.html,Back to previous index} + +Boot Parabola's install environment. @uref{grub_boot_installer.html,How to boot a GNU/Linux installer}. + +For this guide I used the 2015 08 01 image to boot the live installer and install the system. This is available at @uref{https://wiki.parabola.nu/Get_Parabola#Main_live_ISO,this page}. 
+ +This guide will go through the installation steps taken at the time of writing, which may or may not change due to the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2015-08-25). + +This section deals with wiping the storage device on which you plan to install Parabola GNU/Linux. Follow these steps, but if you use an SSD, also: + +- beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. See @uref{https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29,this page} for more info. + +- make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data. + +- make sure to read @uref{https://wiki.archlinux.org/index.php/Solid_State_Drives,this article}. Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting them for this guide. + +Wipe the MBR (if you use MBR):@* # @strong{lsblk}@* Your storage is probably /dev/sda, but be very sure to double check this or you WILL lose your data!@* # @strong{dd if=/dev/zero of=/dev/sda bs=446 count=1; sync}@* Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. This guide is for libreboot with GRUB-as-payload only. + +Securely wipe the drive:@* # @strong{dd if=/dev/urandom of=/dev/sda; sync}@* NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended erase block size is. 
For example if it was 2MiB:@* # @strong{dd if=/dev/urandom of=/dev/sda bs=2M; sync} + +If your drive was already LUKS encrypted (maybe you are re-installing your distro) then it is already 'wiped'. You should just wipe the LUKS header. @uref{https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/,https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/} showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm going to use urandom. Do this:@* # @strong{head -c 3145728 /dev/urandom > /dev/sda; sync}@* (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). +@menu +* Change keyboard layout:: +* Establish an internet connection:: +* Getting started:: +* dm-mod:: +* Create LUKS partition:: +* Create LVM:: +* Create / and swap partitions and mount:: +* Continue with Parabola installation:: +* Configure the system:: +* Extra security tweaks:: +* Unmount reboot!:: +* Booting from GRUB:: +* Follow-up tutorial configuring Parabola:: +* Modify grubcfg inside the ROM:: +* Bonus Using a key file to unlock /boot/:: +* Further security tips:: +@end menu + +@node Change keyboard layout +@section Change keyboard layout +@anchor{#change-keyboard-layout} +Parabola live shell assumes US Qwerty. If you have something different, list the available keymaps and use yours:@* # @strong{localectl list-keymaps}@* # @strong{loadkeys LAYOUT}@* For me, LAYOUT would have been dvorak-uk. + +@node Establish an internet connection +@section Establish an internet connection +@anchor{#establish-an-internet-connection} +Refer to @uref{https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection,this guide}. Wired is recommended, but wireless is also explained there. 
+ +@node Getting started +@section Getting started +@anchor{#getting-started} +The beginning is based on @uref{https://wiki.parabolagnulinux.org/Installation_Guide,https://wiki.parabolagnulinux.org/Installation_Guide}. Then I referred to @uref{https://wiki.archlinux.org/index.php/Partitioning,https://wiki.archlinux.org/index.php/Partitioning} at first. + +@node dm-mod +@section dm-mod +@anchor{#dm-mod} +device-mapper will be used - a lot. Make sure that the kernel module is loaded:@* # @strong{modprobe dm-mod} + +@node Create LUKS partition +@section Create LUKS partition +@anchor{#create-luks-partition} +I am using MBR partitioning, so I use cfdisk:@* # @strong{cfdisk /dev/sda} + +I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). + +Now I refer to @uref{https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning,https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning}:@* I am then directed to @uref{https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption,https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption}. + +Parabola forces you to RTFM. Do that. + +It tells me to run:@* # @strong{cryptsetup benchmark} (for making sure the list below is populated)@* Then:@* # @strong{cat /proc/crypto}@* This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). To gain a better understanding, I am also reading:@* # @strong{man cryptsetup} + +Following that page, based on my requirements, I do the following based on @uref{https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode,https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode}. Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. 
+ +I am initializing LUKS with the following:@* # @strong{cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1} Choose a @strong{secure} passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password length should be as long as you are able to handle without writing it down or storing it anywhere. + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (instead of passwords). + +@node Create LVM +@section Create LVM +@anchor{#create-lvm} +Now I refer to @uref{https://wiki.archlinux.org/index.php/LVM,https://wiki.archlinux.org/index.php/LVM}. + +Open the LUKS partition:@* # @strong{cryptsetup luksOpen /dev/sda1 lvm}@* (it will be available at /dev/mapper/lvm) + +Create LVM partition:@* # @strong{pvcreate /dev/mapper/lvm}@* Show that you just created it:@* # @strong{pvdisplay} + +Now I create the volume group, inside of which the logical volumes will be created:@* # @strong{vgcreate matrix /dev/mapper/lvm}@* (volume group name is 'matrix' - choose your own name, if you like) Show that you created it:@* # @strong{vgdisplay} + +Now create the logical volumes:@* # @strong{lvcreate -L 2G matrix -n swapvol} (2G swap partition, named swapvol)@* Again, choose your own name if you like. Also, make sure to choose a swap size of your own needs. It basically depends on how much RAM you have installed. I refer to @uref{http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space,http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space}.@* # @strong{lvcreate -l +100%FREE matrix -n rootvol} (single large partition in the rest of the space, named rootvol)@* You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. 
For example, if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). For a home/laptop system (typical use case), a root and a swap will do (really). + +Verify that the logical volumes were created, using the following command:@* # @strong{lvdisplay} + +@node Create / and swap partitions and mount +@section Create / and swap partitions, and mount +@anchor{#create-and-swap-partitions-and-mount} +For the swapvol LV I use:@* # @strong{mkswap /dev/mapper/matrix-swapvol}@* Activate swap:@* # @strong{swapon /dev/matrix/swapvol} + +For the rootvol LV I use:@* # @strong{mkfs.ext4 /dev/mapper/matrix-rootvol} + +Mount the root (/) partition:@* # @strong{mount /dev/matrix/rootvol /mnt} + +@node Continue with Parabola installation +@section Continue with Parabola installation +@anchor{#continue-with-parabola-installation} +This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola so that the guide can continue. + +Now I am following the rest of @uref{https://wiki.parabolagnulinux.org/Installation_Guide,https://wiki.parabolagnulinux.org/Installation_Guide}. I also cross referenced @uref{https://wiki.archlinux.org/index.php/Installation_guide,https://wiki.archlinux.org/index.php/Installation_guide}. + +Create /home and /boot on rootvol mountpoint:@* # @strong{mkdir -p /mnt/home}@* # @strong{mkdir -p /mnt/boot} + +Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola. + +In @strong{/etc/pacman.d/mirrorlist}, comment out all lines except the Server line closest to where you are (I chose the UK Parabola server (main server)) and then did:@* # @strong{pacman -Syy}@* # @strong{pacman -Syu}@* # @strong{pacman -Sy pacman} (and then I did the other 2 steps above, again)@* In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. 
+ +<troubleshooting>@* @ @ @ The following is based on 'Verification of package signatures' in the Parabola install guide.@* @ @ @ Check there first to see if steps differ by now.@* @ @ @ Now you have to update the default Parabola keyring. This is used for signing and verifying packages:@* @ @ @ # @strong{pacman -Sy parabola-keyring}@* @ @ @ It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:@* @ @ @ # @strong{pacman-key --populate parabola}@* @ @ @ # @strong{pacman-key --refresh-keys}@* @ @ @ # @strong{pacman -Sy parabola-keyring}@* @ @ @ To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!@* @ @ @ If you get an error mentioning dirmngr, do:@* @ @ @ # @strong{dirmngr </dev/null}@* @ @ @ Also, it says that if the clock is set incorrectly then you have to manually set the correct time @* @ @ @ (if keys are listed as expired because of it):@* @ @ @ # @strong{date MMDDhhmm[[CC]YY][.ss]}@* @ @ @ I also had to install:@* @ @ @ # @strong{pacman -S archlinux-keyring}@* @ @ @ # @strong{pacman-key --populate archlinux}@* @ @ @ In my case I saw some conflicting files reported in pacman, stopping me from using it.@* @ @ @ I deleted the files that it mentioned and then it worked. Specifically, I had this error:@* @ @ @ @emph{licenses: /usr/share/licenses/common/MPS exists in filesystem}@* @ @ @ I rm -Rf'd the file and then pacman worked. 
I'm told that the following would have also made it work:@* @ @ @ # @strong{pacman -Sf licenses}@* </troubleshooting>@* + +I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog/iw/wpa_actiond are needed for wireless after the install:@* # @strong{pacstrap /mnt base base-devel wpa_supplicant dialog iw wpa_actiond} + +@node Configure the system +@section Configure the system +@anchor{#configure-the-system} +Generate an fstab - UUIDs are used because they have certain advantages (see @uref{https://wiki.parabola.nu/Fstab#Identifying_filesystems,https://wiki.parabola.nu/Fstab#Identifying_filesystems}. If you prefer labels instead, replace the -U option with -L):@* # @strong{genfstab -U -p /mnt >> /mnt/etc/fstab}@* Check the created file:@* # @strong{cat /mnt/etc/fstab}@* (If there are any errors, edit the file. Do @strong{NOT} run the genfstab command again!) + +Chroot into new system:@* # @strong{arch-chroot /mnt /bin/bash} + +It's a good idea to have this installed:@* # @strong{pacman -S linux-libre-lts} + +It was also suggested that you should install this kernel (read up on what GRSEC is):@* # @strong{pacman -S linux-libre-grsec} + +This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels that can be used as a fallback during updates, if a bad kernel causes issues for you. + +Parabola does not have wget. This is sinister. Install it:@* # @strong{pacman -S wget} + +Locale:@* # @strong{nano /etc/locale.gen}@* Uncomment your needed localisations. 
For example en_GB.UTF-8 (UTF-8 is highly recommended over other options).@* # @strong{locale-gen}@* # @strong{echo LANG=en_GB.UTF-8 > /etc/locale.conf}@* # @strong{export LANG=en_GB.UTF-8} + +Console font and keymap:@* # @strong{nano /etc/vconsole.conf}@* In my case: + +@verbatim +KEYMAP=dvorak-uk +FONT=Lat9w-16 +@end verbatim + +Time zone:@* # @strong{ln -s /usr/share/zoneinfo/Europe/London /etc/localtime}@* (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo) + +Hardware clock:@* # @strong{hwclock --systohc --utc} + +Hostname: Write your hostname to /etc/hostname. For example, if your hostname is parabola:@* # @strong{echo parabola > /etc/hostname}@* Add the same hostname to /etc/hosts:@* # @strong{nano /etc/hosts}@* + +@verbatim +#<ip-address> <hostname.domain.org> <hostname> +127.0.0.1 localhost.localdomain localhost parabola +::1 localhost.localdomain localhost parabola +@end verbatim + +Configure the network: Refer to @uref{https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network,https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network}. + +Mkinitcpio: Configure /etc/mkinitcpio.conf as needed (see @uref{https://wiki.parabola.nu/Mkinitcpio,https://wiki.parabola.nu/Mkinitcpio}). Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in /usr/lib/initcpio/install. (# @strong{mkinitcpio -H hookname} gives information about each hook.) 
Specifically, for this use case:@* # @strong{nano /etc/mkinitcpio.conf}@* Then modify the file like so: + +@itemize +@item +MODULES="i915" +@item +This forces the driver to load earlier, so that the console font isn't wiped out after getting to login) +@item +HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" +@item +Explanation: +@item +keymap adds to initramfs the keymap that you specified in /etc/vconsole.conf +@item +consolefont adds to initramfs the font that you specified in /etc/vconsole.conf +@item +encrypt adds LUKS support to the initramfs - needed to unlock your disks at boot time +@item +lvm2 adds LVM support to the initramfs - needed to mount the LVM partitions at boot time +@item +shutdown is needed according to Parabola wiki for unmounting devices (such as LUKS/LVM) during shutdown) +@end itemize + +Now using mkinitcpio, you can create the kernel and ramdisk for booting with (this is different from Arch, specifying linux-libre instead of linux):@* # @strong{mkinitcpio -p linux-libre}@* Also do it for linux-libre-lts:@* # @strong{mkinitcpio -p linux-libre-lts}@* Also do it for linux-libre-grsec:@* # @strong{mkinitcpio -p linux-libre-grsec} + +Set the root password: At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to @uref{https://wiki.archlinux.org/index.php/SHA_password_hashes,https://wiki.archlinux.org/index.php/SHA_password_hashes}.@* # @strong{nano /etc/pam.d/passwd}@* Add rounds=65536 at the end of the uncommented 'password' line.@* # @strong{passwd root}@* Make sure to set a secure password! Also, it must never be the same as your LUKS password. + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (instead of passwords). 
+ +@node Extra security tweaks +@section Extra security tweaks +@anchor{#extra-security-tweaks} +Based on @uref{https://wiki.archlinux.org/index.php/Security,https://wiki.archlinux.org/index.php/Security}. + +Restrict access to important directories:@* # @strong{chmod 700 /boot /etc/@{iptables,arptables@}} + +Lockout user after three failed login attempts:@* Edit the file /etc/pam.d/system-login and comment out that line:@* @emph{# auth required pam_tally.so onerr=succeed file=/var/log/faillog}@* Or just delete it. Above it, put:@* @emph{auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog}@* To unlock a user manually (if a password attempt is failed 3 times), do:@* # @strong{pam_tally --user @emph{theusername} --reset} What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts. + +Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. If this is a single-user system, you don't really need sudo. + +@node Unmount reboot! +@section Unmount, reboot! +@anchor{#unmount-reboot} +Exit from chroot:@* # @strong{exit} + +unmount:@* # @strong{umount -R /mnt}@* # @strong{swapoff -a} + +deactivate the lvm lv's:@* # @strong{lvchange -an /dev/matrix/rootvol}@* # @strong{lvchange -an /dev/matrix/swapvol}@* + +Lock the encrypted partition (close it):@* # @strong{cryptsetup luksClose lvm} + +# @strong{shutdown -h now}@* Remove the installation media, then boot up again. + +@node Booting from GRUB +@section Booting from GRUB +@anchor{#booting-from-grub} +Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional (using those 2 underlines will boot lts kernel instead of normal). 
+ +grub> @strong{cryptomount -a}@* grub> @strong{set root='lvm/matrix-rootvol'}@* grub> @strong{linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root}@* grub> @strong{initrd /boot/initramfs-linux-libre-lts.img}@* grub> @strong{boot}@* + +You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img + +@node Follow-up tutorial configuring Parabola +@section Follow-up tutorial: configuring Parabola +@anchor{#follow-up-tutorial-configuring-parabola} +We will modify grub.config inside the ROM and do all kinds of fun stuff, but I recommend that you first transform the current bare-bones Parabola install into a more useable system. Doing so will make the upcoming ROM modifications MUCH easier to perform and less risky! @uref{configuring_parabola.html,configuring_parabola.html} shows my own notes post-installation. Using these, you can get a basic system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. Parabola is user-centric, which means that you are in control. For more information, read @uref{https://wiki.archlinux.org/index.php/The_Arch_Way,The Arch Way} (Parabola also follows it). + +@node Modify grubcfg inside the ROM +@section Modify grub.cfg inside the ROM +@anchor{#modify-grub.cfg-inside-the-rom} +(Re-)log in to your system, pressing C, so booting manually from GRUB (see above). You need to modify the ROM, so that Parabola can boot automatically with this configuration. @uref{grub_cbfs.html,grub_cbfs.html} shows you how. Follow that guide, using the configuration details below. If you go for option 2 (re-flash), promise to do this on grubtest.cfg first! We can't emphasise this enough. This is to reduce the possibility of bricking your device! + +I will go for the re-flash option here. Firstly, cd to the libreboot_util/cbfstool/@{armv7l i686 x86_64@} directory. 
Dump the current firmware - where @emph{libreboot.rom} is an example: make sure to adapt:@* # @strong{flashrom -p internal -r libreboot.rom}@* If flashrom complains about multiple flash chips detected, add a @emph{-c} option at the end, with the name of your chosen chip is quotes.@* You can check if everything is in there (@emph{grub.cfg} and @emph{grubtest.cfg} would be really nice):@* $ @strong{./cbfstool libreboot.rom print}@* Extract grubtest.cfg:@* $ @strong{./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg}@* And modify:@* $ @strong{nano grubtest.cfg} + +In grubtest.cfg, inside the 'Load Operating System' menu entry, change the contents to: + +@verbatim +cryptomount -a +set root='lvm/matrix-rootvol' +linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root +initrd /boot/initramfs-linux-libre-lts.img +@end verbatim + +Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. You could also copy the menu entry and in one have -lts, and without in the other menuentry. You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img The first entry will load by default. + +Without specifying a device, the @emph{-a} parameter tries to unlock all detected LUKS volumes. You can also specify -u UUID or -a (device). + +Now, to protect your system from an attacker simply booting a live usb distro and re-flashing the boot firmware, we are going to add a password for GRUB. In a new terminal window, if you are not yet online, start dhcp on ethernet:@* # @strong{systemctl start dhcpcd.service} Or make sure to get connected to the internet in any other way you prefer, at least. + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (instead of passwords). + +AGAIN: MAKE SURE TO DO THIS WHOLE SECTION ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. 
(When we get there, upon reboot, select the menu entry that says @emph{Switch to grubtest.cfg} and test that it works. Only once you are satisfied, copy that to grub.cfg. Only a few steps to go, though.) WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. + +(emphasis added, because it's needed: this is a common roadblock for users.) + +We need a utility that comes with GRUB, so we will download it temporarily. (Remember that GRUB isn't needed for booting, since it's already included as a payload in libreboot.) Also, we will use flashrom, and I installed dmidecode. You only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:@* # @strong{pacman -S grub flashrom dmidecode base-devel}@* Next, do:@* # @strong{grub-mkpasswd-pbkdf2}@* Enter your chosen password at the prompt and your hash will be shown. Copy this string - you will add it to your grubtest.cfg. + +The password below (it's @strong{password}, by the way) after @emph{'password_pbkdf2 root'} @emph{should be changed} to your own. Make sure to specify a password that is different from both your LUKS *and* your root/user password. Obviously, do not simply copy and paste the examples shown here... 
+ +Next, back in grubtest.cfg, above the first 'Load Operating System' menu entry, you should now add your GRUB password, like so (replace with your own name (I used @strong{root} on both lines, feel free to choose another one) and the password hash which you copied): + +@verbatim +set superusers="root" +password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 +@end verbatim + +Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image:@* $ @strong{./cbfstool libreboot.rom remove -n grubtest.cfg}@* and insert the modified grubtest.cfg:@* $ @strong{./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw}@* + +Now refer to @uref{http://libreboot.org/install/index.html#flashrom,http://libreboot.org/install/index.html#flashrom}. Cd (up) to the libreboot_util directory and update the flash chip contents:@* # @strong{./flash update libreboot.rom}@* Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:@* # @strong{./flash forceupdate libreboot.rom}@* You should see "Verifying flash... VERIFIED." written at the end of the flashrom output. + +With this new configuration, Parabola can boot automatically and you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. Let's test it out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow keys on your keyboard. Enter the name you chose, the GRUB password, your LUKS passphrase and login as root/your user. All went well? Great! 
+ +If it does not work like you want it to, if you are unsure or sceptical in any way, don't despair: you have been wise and did not brick your device! Reboot and login the default way, and then modify your grubtest.cfg until you get it right! @strong{Do *not* proceed past this point unless you are 100% sure that your new configuration is safe (or desirable) to use.} + +Now, we can easily and safely create a copy of grubtest.cfg, called grub.cfg. This will be the same except for one difference: the menuentry 'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg' and, inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever want to follow this guide again in the future (modifying the already modified config). Inside libreboot_util/cbfstool/@{armv7l i686 x86_64@}, we can do this with the following command:@* $ @strong{sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg}@* Delete the grub.cfg that remained inside the ROM:@* $ @strong{./cbfstool libreboot.rom remove -n grub.cfg}@* Add the modified version that you just made:@* $ @strong{./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw}@* + +Now you have a modified ROM. Once more, refer to @uref{http://libreboot.org/install/index.html#flashrom,http://libreboot.org/install/index.html#flashrom}. Cd to the libreboot_util directory and update the flash chip contents:@* # @strong{./flash update libreboot.rom}@* And wait for the "Verifying flash... VERIFIED." Once you have done that, shut down and then boot up with your new configuration. 
+ +When done, delete GRUB (remember, we only needed it for the @emph{grub-mkpasswd-pbkdf2} utility; GRUB is already part of libreboot, flashed alongside it as a @emph{payload}):@* # @strong{pacman -R grub} + +If you followed all that correctly, you should now have a fully encrypted Parabola installation. Refer to the wiki for how to do the rest. + +@node Bonus Using a key file to unlock /boot/ +@section Bonus: Using a key file to unlock /boot/ +@anchor{#bonus-using-a-key-file-to-unlock-boot} +By default, you will have to enter your LUKS passphrase twice; once in GRUB, and once when booting the kernel. GRUB unlocks the encrypted partition and then loads the kernel, but the kernel is not aware of the fact that it is being loaded from an encrypted volume. Therefore, you will be asked to enter your passphrase a second time. A workaround is to put a keyfile inside initramfs, with instructions for the kernel to use it when booting. This is safe, because /boot/ is encrypted (otherwise, putting a keyfile inside initramfs would be a bad idea).@* Boot up and login as root or your user. Then generate the key file:@* # @strong{dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock}@* Insert it into the luks volume:@* # @strong{cryptsetup luksAddKey /dev/sdX /etc/mykeyfile}@* and enter your LUKS passphrase when prompted. Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:@* # @strong{FILES="/etc/mykeyfile"}@* Create the initramfs image from scratch:@* # @strong{mkinitcpio -p linux-libre}@* # @strong{mkinitcpio -p linux-libre-lts}@* # @strong{mkinitcpio -p linux-libre-grsec}@* Add the following to your grub.cfg - you are now able to do that, see above! -, or add it in the kernel command line for GRUB:@* # @strong{cryptkey=rootfs:/etc/mykeyfile}@* @* You can also place this inside the grub.cfg that exists in CBFS: @uref{grub_cbfs.html,grub_cbfs.html}. 
+ +@node Further security tips +@section Further security tips +@anchor{#further-security-tips} +@uref{https://wiki.archlinux.org/index.php/Security,https://wiki.archlinux.org/index.php/Security}.@* @uref{https://wiki.parabolagnulinux.org/User:GNUtoo/laptop,https://wiki.parabolagnulinux.org/User:GNUtoo/laptop} + +@node Troubleshooting +@chapter Troubleshooting +@anchor{#troubleshooting} +A user reported issues when booting with a docking station attached on an X200, when decrypting the disk in GRUB. The error @emph{AHCI transfer timed out} was observed. The workaround was to remove the docking station. + +Further investigation revealed that it was the DVD drive causing problems. Removing that worked around the issue. + +@verbatim + +"sudo wodim -prcap" shows information about the drive: +Device was not specified. Trying to find an appropriate drive... +Detected CD-R drive: /dev/sr0 +Using /dev/cdrom of unknown capabilities +Device type : Removable CD-ROM +Version : 5 +Response Format: 2 +Capabilities : +Vendor_info : 'HL-DT-ST' +Identification : 'DVDRAM GU10N ' +Revision : 'MX05' +Device seems to be: Generic mmc2 DVD-R/DVD-RW. 
+ +Drive capabilities, per MMC-3 page 2A: + + Does read CD-R media + Does write CD-R media + Does read CD-RW media + Does write CD-RW media + Does read DVD-ROM media + Does read DVD-R media + Does write DVD-R media + Does read DVD-RAM media + Does write DVD-RAM media + Does support test writing + + Does read Mode 2 Form 1 blocks + Does read Mode 2 Form 2 blocks + Does read digital audio blocks + Does restart non-streamed digital audio reads accurately + Does support Buffer-Underrun-Free recording + Does read multi-session CDs + Does read fixed-packet CD media using Method 2 + Does not read CD bar code + Does not read R-W subcode information + Does read raw P-W subcode data from lead in + Does return CD media catalog number + Does return CD ISRC information + Does support C2 error pointers + Does not deliver composite A/V data + + Does play audio CDs + Number of volume control levels: 256 + Does support individual volume control setting for each channel + Does support independent mute setting for each channel + Does not support digital output on port 1 + Does not support digital output on port 2 + + Loading mechanism type: tray + Does support ejection of CD via START/STOP command + Does not lock media on power up via prevent jumper + Does allow media to be locked in the drive via PREVENT/ALLOW command + Is not currently in a media-locked state + Does not support changing side of disk + Does not have load-empty-slot-in-changer feature + Does not support Individual Disk Present feature + + Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) + Current read speed: 4234 kB/s (CD 24x, DVD 3x) + Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) + Current write speed: 4234 kB/s (CD 24x, DVD 3x) + Rotational control selected: CLV/PCAV + Buffer size in KB: 1024 + Copy management revision supported: 1 + Number of supported write speeds: 4 + Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) + Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) + Write speed # 2: 1764 kB/s CLV/PCAV 
(CD 10x, DVD 1x) + Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) + +Supported CD-RW media types according to MMC-4 feature 0x37: + Does write multi speed CD-RW media + Does write high speed CD-RW media + Does write ultra high speed CD-RW media + Does not write ultra high speed+ CD-RW media +@end verbatim + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Copyright © 2015 Jeroen Quint <jezza@@diplomail.ch>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 
+ +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye diff --git a/docs/src/gnulinux/encrypted_trisquel.texi b/docs/src/gnulinux/encrypted_trisquel.texi new file mode 100644 index 0000000..4332962 --- /dev/null +++ b/docs/src/gnulinux/encrypted_trisquel.texi 
@@ -0,0 +1,347 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title Installing Trisquel GNU/Linux with full disk encryption (including /boot) +@end titlepage + +@node Top +@top Installing Trisquel GNU/Linux with full disk encryption (including /boot) + +@menu +* Installing Trisquel GNU/Linux with full disk encryption including /boot:: +* Partitioning:: +* Further partitioning:: +* Kernel:: +* Tasksel:: +* Postfix configuration:: +* Install the GRUB boot loader to the master boot record:: +* Clock UTC:: +* Booting your system:: +* ecryptfs:: +* Modify grubcfg CBFS:: +* Troubleshooting:: +@end menu + +@node Installing Trisquel GNU/Linux with full disk encryption including /boot +@chapter Installing Trisquel GNU/Linux with full disk encryption (including /boot) +@anchor{#installing-trisquel-gnulinux-with-full-disk-encryption-including-boot} +Libreboot on x86 uses the GRUB @uref{http://www.coreboot.org/Payloads#GRUB_2,payload} by default, which means that the GRUB configuration file (where your GRUB menu comes from) is stored directly alongside libreboot and its GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems. + +On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system. + +This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). @uref{grub_boot_installer.html,How to boot a GNU/Linux installer}. + +@strong{This guide is *only* for the GRUB payload. 
If you use the depthcharge payload, ignore this section entirely.} + +@uref{index.html,Back to previous index} + +Set a strong user password (lots of lowercase/uppercase, numbers and symbols). + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (instead of passwords). + +when the installer asks you to set up encryption (ecryptfs) for your home directory, select 'Yes' if you want to: @strong{LUKS is already secure and performs well. Having ecryptfs on top of it will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. Choose 'no'.} + +@strong{Your user password should be different from the LUKS password which you will set later on. Your LUKS password should, like the user password, be secure.} + +@node Partitioning +@chapter Partitioning +@anchor{#partitioning} +Choose 'Manual' partitioning: + +@itemize +@item +Select drive and create new partition table +@item +Single large partition. The following are mostly defaults: +@itemize +@item +Use as: physical volume for encryption +@item +Encryption: aes +@item +key size: 256 +@item +IV algorithm: xts-plain64 +@item +Encryption key: passphrase +@item +erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data) +@end itemize + +@item +Select 'configure encrypted volumes' +@itemize +@item +Create encrypted volumes +@item +Select your partition +@item +Finish +@item +Really erase: Yes +@item +(erase will take a long time. 
be patient) +@item +(if your old system was encrypted, just let this run for about a minute to make sure that the LUKS header is wiped out) +@end itemize + +@item +Select encrypted space: +@itemize +@item +use as: physical volume for LVM +@item +Choose 'done setting up the partition' +@end itemize + +@item +Configure the logical volume manager: +@itemize +@item +Keep settings: Yes +@end itemize + +@item +Create volume group: +@itemize +@item +Name: @strong{grubcrypt} (you can use whatever you want here, this is just an example) +@item +Select crypto partition +@end itemize + +@item +Create logical volume +@itemize +@item +select @strong{grubcrypt} (or whatever you named it before) +@item +name: @strong{trisquel} (you can use whatever you want here, this is just an example) +@item +size: default, minus 2048 MB +@end itemize + +@item +Create logical volume +@itemize +@item +select @strong{grubcrypt} (or whatever you named it before) +@item +name: @strong{swap} (you can use whatever you want here, this is just an example) +@item +size: press enter +@end itemize + +@end itemize + +@node Further partitioning +@chapter Further partitioning +@anchor{#further-partitioning} +Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. + +@itemize +@item +LVM LV trisquel +@itemize +@item +use as: ext4 +@item +mount point: / +@item +done setting up partition +@end itemize + +@item +LVM LV swap +@itemize +@item +use as: swap area +@item +done setting up partition +@end itemize + +@item +Now you select 'Finished partitioning and write changes to disk'. +@end itemize + +@node Kernel +@chapter Kernel +@anchor{#kernel} +Installation will ask what kernel you want to use. linux-generic is fine. + +@node Tasksel +@chapter Tasksel +@anchor{#tasksel} +Choose @emph{"Trisquel Desktop Environment"} if you want GNOME, @emph{"Trisquel-mini Desktop Environment"} if you want LXDE or @emph{"Triskel Desktop Environment"} if you want KDE. 
If you want to have no desktop (just a basic shell) when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). You might also want to choose some of the other package groups; it's up to you. + +@node Postfix configuration +@chapter Postfix configuration +@anchor{#postfix-configuration} +If asked, choose @emph{"No Configuration"} here (or maybe you want to select something else. It's up to you.) + +@node Install the GRUB boot loader to the master boot record +@chapter Install the GRUB boot loader to the master boot record +@anchor{#install-the-grub-boot-loader-to-the-master-boot-record} +Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. You could also choose 'No'. Choice is irrelevant here. + +@emph{You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.} + +@node Clock UTC +@chapter Clock UTC +@anchor{#clock-utc} +Just say 'Yes'. + +@node Booting your system +@chapter Booting your system +@anchor{#booting-your-system} +At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. + +Do that:@* grub> @strong{cryptomount -a}@* grub> @strong{set root='lvm/grubcrypt-trisquel'}@* grub> @strong{linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root}@* grub> @strong{initrd /initrd.img}@* grub> @strong{boot} + +@node ecryptfs +@chapter ecryptfs +@anchor{#ecryptfs} +If you didn't encrypt your home directory, then you can safely ignore this section. + +Immediately after logging in, do that:@* $ @strong{sudo ecryptfs-unwrap-passphrase} + +This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note somewhere secret. 
Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> + +@node Modify grubcfg CBFS +@chapter Modify grub.cfg (CBFS) +@anchor{#modify-grub.cfg-cbfs} +Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. + +Modify your grub.cfg (in the firmware) @uref{grub_cbfs.html,using this tutorial}; just change the default menu entry 'Load Operating System' to say this inside: + +@strong{cryptomount -a}@* @strong{set root='lvm/grubcrypt-trisquel'}@* @strong{linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root}@* @strong{initrd /initrd.img} + +Without specifying a device, the @emph{-a} parameter tries to unlock all detected LUKS volumes. You can also specify -u UUID or -a (device). + +Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. @strong{This should be different than your LUKS passphrase and user password.} + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (as opposed to passwords). + +The GRUB utility can be used like so:@* $ @strong{grub-mkpasswd-pbkdf2} + +Give it a password (remember, it has to be secure) and it'll output something like:@* @strong{grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711} + +Use of the @emph{diceware method} is recommended, for generating secure passphrases (instead of passwords). 
+ +Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):@* + +@verbatim +set superusers="root" +password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 + +@end verbatim + +MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg. Then select the menu entry that says @emph{Switch to grubtest.cfg} and test that it works. Then copy that to grub.cfg once you're satisfied. WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'. + +(emphasis added, because it's needed. This is a common roadblock for users) + +Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! + +After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM using @uref{../install/index.html#flashrom,this tutorial}. + +@node Troubleshooting +@chapter Troubleshooting +@anchor{#troubleshooting} +A user reported issues when booting with a docking station attached on an X200, when decrypting the disk in GRUB. The error @emph{AHCI transfer timed out} was observed. The workaround was to remove the docking station. + +Further investigation revealed that it was the DVD drive causing problems. Removing that worked around the issue. + +@verbatim + +"sudo wodim -prcap" shows information about the drive: +Device was not specified. Trying to find an appropriate drive... 
+Detected CD-R drive: /dev/sr0 +Using /dev/cdrom of unknown capabilities +Device type : Removable CD-ROM +Version : 5 +Response Format: 2 +Capabilities : +Vendor_info : 'HL-DT-ST' +Identification : 'DVDRAM GU10N ' +Revision : 'MX05' +Device seems to be: Generic mmc2 DVD-R/DVD-RW. + +Drive capabilities, per MMC-3 page 2A: + + Does read CD-R media + Does write CD-R media + Does read CD-RW media + Does write CD-RW media + Does read DVD-ROM media + Does read DVD-R media + Does write DVD-R media + Does read DVD-RAM media + Does write DVD-RAM media + Does support test writing + + Does read Mode 2 Form 1 blocks + Does read Mode 2 Form 2 blocks + Does read digital audio blocks + Does restart non-streamed digital audio reads accurately + Does support Buffer-Underrun-Free recording + Does read multi-session CDs + Does read fixed-packet CD media using Method 2 + Does not read CD bar code + Does not read R-W subcode information + Does read raw P-W subcode data from lead in + Does return CD media catalog number + Does return CD ISRC information + Does support C2 error pointers + Does not deliver composite A/V data + + Does play audio CDs + Number of volume control levels: 256 + Does support individual volume control setting for each channel + Does support independent mute setting for each channel + Does not support digital output on port 1 + Does not support digital output on port 2 + + Loading mechanism type: tray + Does support ejection of CD via START/STOP command + Does not lock media on power up via prevent jumper + Does allow media to be locked in the drive via PREVENT/ALLOW command + Is not currently in a media-locked state + Does not support changing side of disk + Does not have load-empty-slot-in-changer feature + Does not support Individual Disk Present feature + + Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) + Current read speed: 4234 kB/s (CD 24x, DVD 3x) + Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) + Current write speed: 4234 kB/s (CD 24x, DVD 3x) + 
Rotational control selected: CLV/PCAV + Buffer size in KB: 1024 + Copy management revision supported: 1 + Number of supported write speeds: 4 + Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) + Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) + Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x) + Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) + +Supported CD-RW media types according to MMC-4 feature 0x37: + Does write multi speed CD-RW media + Does write high speed CD-RW media + Does write ultra high speed CD-RW media + Does not write ultra high speed+ CD-RW media +@end verbatim + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 
+ +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye diff --git a/docs/src/gnulinux/grub_boot_installer.texi b/docs/src/gnulinux/grub_boot_installer.texi new file mode 100644 index 0000000..a06f55c --- /dev/null +++ b/docs/src/gnulinux/grub_boot_installer.texi 
@@ -0,0 +1,157 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title How to install GNU/Linux on a libreboot system +@end titlepage + +@node Top +@top How to install GNU/Linux on a libreboot system + +@menu +* How to install GNU/Linux on a libreboot system:: +* Troubleshooting:: +@end menu + +@node How to install GNU/Linux on a libreboot system +@chapter How to install GNU/Linux on a libreboot system +@anchor{#how-to-install-gnulinux-on-a-libreboot-system} +This section relates to preparing, booting and installing a GNU/Linux distribution on your libreboot system, using nothing more than a USB flash drive (and @emph{dd}). + +@itemize +@item +@ref{#prepare,Prepare the USB drive (in GNU/Linux)} +@item +@ref{#encryption,Installing GNU/Linux with full disk encryption} +@item +@ref{#guix,GNU Guix System Distribution?} +@item +@ref{#trisquel_netinstall,Trisquel net install?} +@item +@ref{#parse_isolinux,Booting ISOLINUX images (automatic method)} +@item +@ref{#manual_isolinux,Booting ISOLINUX images (manual method)} +@item +@ref{#troubleshooting,Troubleshooting} +@end itemize + +@uref{index.html,Back to previous index} + +@strong{This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions have yet to be written in the libreboot documentation.} +@menu +* Prepare the USB drive in GNU/Linux:: +* Installing GNU/Linux with full disk encryption:: +* GNU Guix System Distribution?:: +* Trisquel net install?:: +* Booting ISOLINUX images automatic method:: +* Booting ISOLINUX images manual method:: +@end menu + +@node Prepare the USB drive in GNU/Linux +@section Prepare the USB drive (in GNU/Linux) +@anchor{#prepare-the-usb-drive-in-gnulinux} +Connect the USB drive. Check dmesg:@* @strong{$ dmesg}@* Check lsblk to confirm which drive it is:@* @strong{$ lsblk} + +Check that it wasn't automatically mounted. If it was, unmount it. 
For example:@* @strong{$ sudo umount /dev/sdX*}@* @strong{# umount /dev/sdX*} + +dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:@* @strong{$ sudo dd if=gnulinux.iso of=/dev/sdX bs=8M; sync}@* @strong{# dd if=gnulinux.iso of=/dev/sdX bs=8M; sync} + +You should now be able to boot the installer from your USB drive. Continue reading, for information about how to do that. + +@ref{#pagetop,Back to top of page}. + +@node Installing GNU/Linux with full disk encryption +@section Installing GNU/Linux with full disk encryption +@anchor{#installing-gnulinux-with-full-disk-encryption} +@itemize +@item +@uref{encrypted_trisquel.html,Installing Trisquel GNU/Linux with full disk encryption (including /boot)} +@item +@uref{encrypted_parabola.html,Installing Parabola GNU/Linux with full disk encryption (including /boot)} +@end itemize + +@ref{#pagetop,Back to top of page}. + +@node GNU Guix System Distribution? +@section GNU Guix System Distribution? +@anchor{#gnu-guix-system-distribution} +The Guix installers uses the GRUB bootloader, unlike most GNU/Linux installers which will likely use ISOLINUX. + +To boot the Guix live USB install, select @strong{@emph{Search for GRUB configuration (grub.cfg) outside of CBFS}} from the GRUB payload menu. After you have done that, a new menuentry will appear at the very bottom with text like @strong{@emph{Load Config from (usb0)}}; select that, and it should boot. + +Once you have installed Guix onto the main storage device, check @uref{grub_cbfs.html#option1_dont_reflash,grub_cbfs.html#option1_dont_reflash} for hints on how to boot it. + +GuixSD (Guix System Distribution) is highly recommended; it's part of GNU, and @uref{https://www.gnu.org/distros/free-distros.html,endorsed} by the Free Software Foundation. + +@ref{#pagetop,Back to top of page}. + +@node Trisquel net install? +@section Trisquel net install? 
+@anchor{#trisquel-net-install} +Tip: don't use the official net install image. Download the full GNOME ISO (the ~1.5GiB one). In this ISO, there is still the capability to boot the net install, while it also provides an easy to use live system (which you can boot from USB). This ISO also works using @emph{syslinux_configfile -i} (the @emph{Parse ISOLINUX} menu entries in the default GRUB configuration that libreboot uses). + +@ref{#pagetop,Back to top of page}. + +@node Booting ISOLINUX images automatic method +@section Booting ISOLINUX images (automatic method) +@anchor{#booting-isolinux-images-automatic-method} +Boot it in GRUB using the @emph{Parse ISOLINUX config (USB)} option. A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual ISOLINUX menu provided by that distro. + +@ref{#pagetop,Back to top of page}. + +@node Booting ISOLINUX images manual method +@section Booting ISOLINUX images (manual method) +@anchor{#booting-isolinux-images-manual-method} +@emph{These are generic instructions. They may or may not be correct for your distribution. You must adapt them appropriately, for whatever GNU/Linux distribution it is that you are trying to install.} + +If the ISOLINUX parser or @emph{Search for GRUB configuration} options won't work, then press C in GRUB to access the command line.@* grub> @strong{ls}@* Get the device from above output, eg (usb0). Example:@* grub> @strong{cat (usb0)/isolinux/isolinux.cfg}@* Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.@* If it did that, then you do:@* grub> @strong{cat (usb0)/isolinux/foo.cfg}@* And so on, until you find the correct menuentries for ISOLINUX. @strong{The file @emph{/isolinux/foo.cfg} is a fictional example. 
Do not actually use this example, unless you actually have that file, if it is appropriate.} + +For Trisquel (and other debian-based distros), there are typically menuentries listed in @emph{/isolinux/txt.cfg} or @emph{/isolinux/gtk.cfg}. For dual-architecture ISO images (i686 and x86_64), there may be separate files/directories for each architecture. Just keep searching through the image, until you find the correct ISOLINUX configuration file. + +Now look at the ISOLINUX menuentry. It'll look like:@* @strong{kernel /path/to/kernel@* append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS@*} GRUB works the same way, but in it's own way. Example GRUB commands:@* grub> @strong{set root='usb0'}@* grub> @strong{linux /path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS}@* grub> @strong{initrd /path/to/initrd}@* grub> @strong{boot}@* Note: @emph{usb0} may be incorrect. Check the output of the @emph{ls} command in GRUB, to see a list of USB devices/partitions. Of course this will vary from distro to distro. If you did all of that correctly, then it should now be booting your USB drive in the way that you specified. + +@ref{#pagetop,Back to top of page}. + +@node Troubleshooting +@chapter Troubleshooting +@anchor{#troubleshooting} +Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU/Linux distributions it can be problematic when they are trying to switch to a framebuffer because it doesn't exist. + +In most cases, you should use the vesafb ROM images. Example filename: libreboot_ukdvorak_vesafb.rom. 
+@menu +* parabola won't boot in text-mode:: +* debian-installer trisquel net install graphical corruption in text-mode:: +@end menu + +@node parabola won't boot in text-mode +@section parabola won't boot in text-mode +@anchor{#parabola-wont-boot-in-text-mode} +Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode). + +@node debian-installer trisquel net install graphical corruption in text-mode +@section debian-installer (trisquel net install) graphical corruption in text-mode +@anchor{#debian-installer-trisquel-net-install-graphical-corruption-in-text-mode} +When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't exist. Use that kernel parameter on the 'linux' line when booting it:@* @strong{vga=normal fb=false} + +Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. + +If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. Or, if you are booting manually (from GRUB terminal) then just add the parameters. + +This workaround was found on the page: @uref{https://www.debian.org/releases/stable/i386/ch05s04.html,https://www.debian.org/releases/stable/i386/ch05s04.html}. It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method. + +@ref{#pagetop,Back to top of page}. + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. 
A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye diff --git a/docs/src/gnulinux/grub_cbfs.texi b/docs/src/gnulinux/grub_cbfs.texi new file mode 100644 index 0000000..c1b6d37 --- /dev/null +++ b/docs/src/gnulinux/grub_cbfs.texi 
@@ -0,0 +1,178 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title How to replace the default GRUB configuration file on a libreboot system +@end titlepage + +@node Top +@top How to replace the default GRUB configuration file on a libreboot system + +@menu +* How to replace the default GRUB configuration file on a libreboot system:: +* Table of Contents:: +@end menu + +@node How to replace the default GRUB configuration file on a libreboot system +@chapter How to replace the default GRUB configuration file on a libreboot system +@anchor{#how-to-replace-the-default-grub-configuration-file-on-a-libreboot-system} +Libreboot on x86 uses the GRUB @uref{http://www.coreboot.org/Payloads#GRUB_2,payload} by default, which means that the GRUB configuration file (where your GRUB menu comes from) is stored directly alongside libreboot and its GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems. + +A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool' allows you to change the contents of the ROM image. In this case, libreboot is configured such that the 'grub.cfg' and 'grubtest.cfg' files exist directly inside CBFS instead of inside the GRUB payload 'memdisk' (which is itself stored in CBFS). + +You can either modify the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration file on the main storage which the libreboot GRUB payload will automatically search for. + +Here is an excellent writeup about CBFS (coreboot filesystem): @uref{http://lennartb.home.xs4all.nl/coreboot/col5.html,http://lennartb.home.xs4all.nl/coreboot/col5.html}. + +@strong{This guide is *only* for the GRUB payload. 
If you use the depthcharge payload, ignore this section entirely.} + +@uref{index.html,Back to previous index} + +@node Table of Contents +@chapter Table of Contents +@anchor{#table-of-contents} +@itemize +@item +@ref{#introduction,Introduction} +@item +@ref{#option1_dont_reflash,1st option: don't re-flash} +@item +@ref{#option2_reflash,2nd option: re-flash} +@itemize +@item +@ref{#tools,Acquire the necessary utilities} +@item +@ref{#rom,Acquiring the correct ROM image} +@item +@ref{#extract_testconfig,Extract grubtest from the ROM image} +@item +@ref{#reinsert_modified_testconfig,Re-insert the modified grubtest.cfg into the ROM image} +@item +@ref{#testing,Testing} +@item +@ref{#final_steps,Final steps} +@end itemize + +@end itemize + +@menu +* Introduction:: +* 1st option don't re-flash:: +* 2nd option re-flash:: +* Acquire the necessary utilities:: +* Acquiring the correct ROM image:: +* Extract grubtestcfg from the ROM image:: +* Re-insert the modified grubtestcfg into the ROM image:: +* Testing:: +* Final steps:: +@end menu + +@node Introduction +@section Introduction +@anchor{#introduction} +Download the latest release from @uref{http://libreboot.org/,http://libreboot.org/} @*@strong{If you downloaded from git, refer to @uref{../git/index.html#build_meta,../git/index.html#build_meta} before continuing.} + +@ref{#pagetop,Back to top of page.} + +There are several advantages to modifying the GRUB configuration stored in CBFS, but this also means that you have to flash a new libreboot ROM image on your system (some users feel intimidated by this, to say the least). Doing so can be risky if not handled correctly, because it can result in a bricked system (recovery is easy if you have the @uref{../install/bbb_setup.html,equipment} for it, but most people don't). If you aren't up to that then don't worry; it is possible to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration from a partition on the main storage instead. 
+ +@node 1st option don't re-flash +@section 1st option: don't re-flash +@anchor{#st-option-dont-re-flash} +By default, GRUB in libreboot is configured to scan all partitions on the main storage for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot is on a dedicated partition), and then use it automatically. + +Simply create your custom GRUB configuration and save it to @strong{/boot/grub/libreboot_grub.cfg} on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to this configuration file. @strong{This means that you do not have to re-flash, recompile or otherwise modify libreboot at all!} + +Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written specifically under the assumption that it will be read and used on a libreboot system that uses GRUB as a payload. If your distribution does not do this, then you can try to add that feature yourself or politely ask someone involved with or otherwise knowledgeable about the distribution to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in a partition on the main storage. + +If you want to adapt a copy of the existing @emph{libreboot} GRUB configuration and use that for the libreboot_grub.cfg file, then follow @ref{#tools,#tools}, @ref{#rom,#rom} and @ref{#extract_testconfig,#extract_testconfig} to get the @strong{@emph{grubtest.cfg}}. Rename @strong{@emph{grubtest.cfg}} to @strong{@emph{libreboot_grub.cfg}} and save it to @strong{@emph{/boot/grub/}} on the running system where it is intended to be used. 
Modify the file at that location however you see fit, and then stop reading this guide (the rest of this page is irrelevant to you); @strong{in libreboot_grub.cfg on disk, if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop.}. + +This is all well and good, but what should you actually put in your GRUB configuration file? Read @uref{grub_config.html,grub_config.html} for more information. + +@ref{#pagetop,Back to top of page.} + +@node 2nd option re-flash +@section 2nd option: re-flash +@anchor{#nd-option-re-flash} +You can modify what is stored inside the flash chip quite easily. Read on to find out how. + +@ref{#pagetop,Back to top of page.} + +@node Acquire the necessary utilities +@section Acquire the necessary utilities +@anchor{#acquire-the-necessary-utilities} +Use @strong{@emph{cbfstool}} and @strong{@emph{flashrom}}. There are available in the @emph{libreboot_util} release archive, or they can be compiled (see @uref{../git/index.html#build_flashrom,../git/index.html#build_flashrom}). Flashrom is also available from the repositories:@* # @strong{pacman -S flashrom} + +@ref{#pagetop,Back to top of page.} + +@node Acquiring the correct ROM image +@section Acquiring the correct ROM image +@anchor{#acquiring-the-correct-rom-image} +You can either work directly with one of the ROM images already included in the libreboot ROM archives, or re-use the ROM that you have currently flashed. For the purpose of this tutorial it is assumed that your ROM image file is named @emph{libreboot.rom}, so please make sure to adapt. + +ROM images are included pre-compiled in libreboot. 
You can also dump your current firmware, using flashrom:@* $ @strong{sudo flashrom -p internal -r libreboot.rom}@* # @strong{flashrom -p internal -r libreboot.rom}@* If you are told to specify the chip, add the option @strong{-c @{your chip@}} to the command, for example:@* # @strong{flashrom -c MX25L6405 -p internal -r libreboot.rom} + +@ref{#pagetop,Back to top of page.} + +@node Extract grubtestcfg from the ROM image +@section Extract grubtest.cfg from the ROM image +@anchor{#extract-grubtest.cfg-from-the-rom-image} +You can check the contents of the ROM image, inside CBFS:@* @strong{$ cd .../libreboot_util/cbfstool} @strong{$ ./cbfstool libreboot.rom print} + +The files @emph{grub.cfg} and @emph{grubtest.cfg} should be present. grub.cfg is loaded by default, with a menuentry for switching to grubtest.cfg. In this tutorial, you will first modify and test @emph{grubtest.cfg}. This is to reduce the possibility of bricking your device, so DO NOT SKIP THIS! + +Extract grubtest.cfg from the ROM image:@* @strong{$ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg} + +Modify the grubtest.cfg accordingly. + +This is all well and good, but what should you actually put in your GRUB configuration file? Read @uref{grub_config.html,grub_config.html} for more information. + +@ref{#pagetop,Back to top of page.} + +@node Re-insert the modified grubtestcfg into the ROM image +@section Re-insert the modified grubtest.cfg into the ROM image +@anchor{#re-insert-the-modified-grubtest.cfg-into-the-rom-image} +Once your grubtest.cfg is modified and saved, delete the unmodified config from the ROM image:@* @strong{$ ./cbfstool libreboot.rom remove -n grubtest.cfg} + +Next, insert the modified version:@* @strong{$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw} + +@ref{#pagetop,Back to top of page.} + +@node Testing +@section Testing +@anchor{#testing} +@strong{Now you have a modified ROM. 
Refer back to @uref{../install/index.html#flashrom,../install/index.html#flashrom} for information on how to flash it.@* $ @strong{cd /libreboot_util} # @strong{./flash update libreboot.rom}@* Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:@* # @strong{./flash forceupdate libreboot.rom}@* You should see @strong{"Verifying flash... VERIFIED."} written at the end of the flashrom output. Once you have done that, shut down and then boot up with your new test configuration.} + +Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. + +@strong{If it does not work like you want it to, if you are unsure or sceptical in any way, then re-do the steps above until you get it right! Do *not* proceed past this point unless you are 100% sure that your new configuration is safe (or desirable) to use.} + +@ref{#pagetop,Back to top of page.} + +@node Final steps +@section Final steps +@anchor{#final-steps} +When you are satisfied booting from grubtest.cfg, you can create a copy of grubtest.cfg, called grub.cfg. This is the same except for one difference: the menuentry 'Switch to grub.cfg' will be changed to 'Switch to grubtest.cfg' and inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever want to follow this guide again in the future (modifying the already modified config). 
From /libreboot_util/cbfstool, do:@* $ @strong{sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg}@* + +Delete the grub.cfg that remained inside the ROM:@* @strong{$ ./cbfstool libreboot.rom remove -n grub.cfg} + +Add the modified version that you just made:@* @strong{$ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw} + +@strong{Now you have a modified ROM. Again, refer back to @uref{../install/index.html#flashrom,../install/index.html#flashrom} for information on how to flash it. It's the same method as you used before. Shut down and then boot up with your new configuration.} + +@ref{#pagetop,Back to top of page.} + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Copyright © 2015 Jeroen Quint <jezza@@diplomail.ch>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. 
WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye diff --git a/docs/src/gnulinux/grub_config.texi b/docs/src/gnulinux/grub_config.texi new file mode 100644 index 0000000..e0c8520 --- /dev/null +++ b/docs/src/gnulinux/grub_config.texi 
@@ -0,0 +1,119 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title Writing a GRUB configuration file +@end titlepage + +@node Top +@top Writing a GRUB configuration file + +@menu +* Writing a GRUB configuration file:: +* Table of Contents:: +@end menu + +@node Writing a GRUB configuration file +@chapter Writing a GRUB configuration file +@anchor{#writing-a-grub-configuration-file} +This section is for those systems which use the GRUB payload. @strong{If your system uses the depthcharge payload, ignore this section.} + +@uref{index.html,Back to index} + +@node Table of Contents +@chapter Table of Contents +@anchor{#table-of-contents} +@itemize +@item +@ref{#example_modifications,Example modifications for @emph{grubtest.cfg}} +@itemize +@item +@ref{#example_modifications_trisquel,Trisquel GNU/Linux-libre} +@item +@ref{#example_modifications_parabola,Parabola GNU/Linux-libre} +@end itemize + +@end itemize + +@menu +* Example modifications for grubtestcfg:: +* Obvious option don't even modify the built-in grubcfg:: +* Trisquel with full disk encryption custom partition layout:: +@end menu + +@node Example modifications for grubtestcfg +@section Example modifications for @emph{grubtest.cfg} +@anchor{#example-modifications-for-grubtest.cfg} +These are some common examples of ways in which the grubtest.cfg file can be modified. + +@node Obvious option don't even modify the built-in grubcfg +@section Obvious option: don't even modify the built-in grub.cfg +@anchor{#obvious-option-dont-even-modify-the-built-in-grub.cfg} +Use the menuentry that says something like @emph{Search for GRUB outside CBFS}. Assuming that you have a grub.cfg file at /boot/grub/ in your installed distro, this will generate a new menuentry in the GRUB menu. Use that to boot. + +Then do this as root:@* $ @strong{cd /boot/grub/}@* $ @strong{ln -s grub.cfg libreboot_grub.cfg} + +After that, your system should then boot automatically. 
+ +@node Trisquel with full disk encryption custom partition layout +@section Trisquel with full disk encryption, custom partition layout +@anchor{#trisquel-with-full-disk-encryption-custom-partition-layout} +GRUB can boot from a symlink (or symlinks) pointing to your kernel/initramfs, whether from an unencrypted or encrypted /boot/. You can create your own custom symlink(s) but you have to manually update them when updating your kernel. This guide (not maintained by the libreboot project) shows how to configure Trisquel to automatically update that symlink on every kernel update. @uref{http://www.rel4tion.org/people/fr33domlover/libreboot-fix/,http://www.rel4tion.org/people/fr33domlover/libreboot-fix/} + +TODO: adapt those notes and put them here. The author said that it was CC-0, so re-licensing under GFDL shouldn't be a problem. +@menu +* Trisquel GNU/Linux-libre:: +* Parabola GNU/Linux-libre:: +@end menu + +@node Trisquel GNU/Linux-libre +@subsection Trisquel GNU/Linux-libre +@anchor{#trisquel-gnulinux-libre} +As an example, on my test system in /boot/grub/grub.cfg (on the HDD/SSD) I see for the main menu entry: + +@itemize +@item +@strong{linux /boot/vmlinuz-3.15.1-gnu.nonpae root=UUID=3a008e14-4871-497b-95e5-fb180f277951 ro crashkernel=384M-2G:64M,2G-:128M quiet splash $vt_handoff} +@item +@strong{initrd /boot/initrd.img-3.15.1-gnu.nonpae} +@end itemize + +@strong{ro}, @strong{quiet}, @strong{splash}, @strong{crashkernel=384M-2G:64M,2G-:128M} and @strong{$vt_handoff} can be safely ignored. + +I use this to get my partition layout:@* $ @strong{lsblk} + +In my case, I have no /boot partition, instead /boot is on the same partition as / on sda1. Yours might be different. In GRUB terms, sda means ahci0. 1 means msdos1, or gpt1, depending on whether I am using MBR or GPT partitioning. Thus, /dev/sda1 is GRUB is (ahci0,msdos1) or (ahci0,gpt1). In my case, I use MBR partitioning so it's (ahci0,msdos1). 
'msdos' is a GRUB name simply because this partitioning type is traditionally used by MS-DOS. It doesn't mean that you have a proprietary OS. + +Trisquel doesn't keep the filenames of kernels consistent, instead it keeps old kernels and new kernel updates are provided with the version in the filename. This can make GRUB payload a bit tricky. Fortunately, there are symlinks /vmlinuz and /initrd.img so if your /boot and / are on the same partition, you can set GRUB to boot from that. These are also updated automatically when installing kernel updates from your distributions apt-get repositories. @strong{Note: when using @uref{http://jxself.org/linux-libre,jxself kernel releases}, these are not updated at all and you have to update them manually.} + +For the GRUB payload grubtest.cfg (in the 'Load Operating System' menu entry), we therefore have (in this example):@* @strong{set root='ahci0,msdos1'}@* @strong{linux /vmlinuz root=UUID=3a008e14-4871-497b-95e5-fb180f277951}@* @strong{initrd /initrd.img} + +Optionally, you can convert the UUID to its real device name, for example /dev/sda1 in this case. sdX naming isn't very reliable, though, which is why UUID is used for most distributions. + +Alternatively, if your /boot is on a separate partition then you cannot rely on the /vmlinuz and /initrd.img symlinks. Instead, go into /boot and create your own symlinks (update them manually when you install a new kernel update).@* $ @strong{sudo -s} (or @strong{su -})@* # @strong{cd /boot/}@* # @strong{rm -f vmlinuz initrd.img}@* # @strong{ln -s yourkernel ksym}@* # @strong{ln -s yourinitrd isym}@* # @strong{exit} + +Then your grubtest.cfg menu entry (for payload) becomes like that, for example if / was on sda2 and /boot was on sda1:@* @strong{set root='ahci0,msdos1'}@* @strong{linux /ksym root=/dev/sda2}@* @strong{initrd /isym} + +There are lots of possible variations so please try to adapt. 
+ +@node Parabola GNU/Linux-libre +@subsection Parabola GNU/Linux-libre +@anchor{#parabola-gnulinux-libre} +You can basically adapt the above. Note however that Parabola does not keep old kernels still installed, and the file names are always consistent, so you don't need to boot from symlinks, you can just use the real thing directly. + +@ref{#pagetop,Back to top of page.} + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 
+ +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye diff --git a/docs/src/gnulinux/index.texi b/docs/src/gnulinux/index.texi new file mode 100644 index 0000000..9a0c9df --- /dev/null +++ b/docs/src/gnulinux/index.texi 
@@ -0,0 +1,58 @@ +\input texinfo +@documentencoding UTF-8 + +@ifnottex +@paragraphindent 0 +@end ifnottex +@titlepage +@title GNU/Linux distributions +@end titlepage + +@node Top +@top GNU/Linux distributions + +@menu +* GNU/Linux distributions:: +@end menu + +@node GNU/Linux distributions +@chapter GNU/Linux distributions +@anchor{#gnulinux-distributions} +This section relates to dealing with GNU/Linux distributions: preparing bootable USB drives, changing the default GRUB menu and so on. + +@strong{This section is only for the *GRUB* payload. For depthcharge, instructions have yet to be written.} + +@uref{../index.html,Back to previous index}. + +@itemize +@item +@uref{grub_boot_installer.html,How to install GNU/Linux on a libreboot system} +@item +@uref{grub_cbfs.html,How to replace the default GRUB configuration file on a libreboot system} +@itemize +@item +@uref{grub_config.html,Writing a GRUB configuration file} +@end itemize + +@item +@uref{encrypted_parabola.html,Installing Parabola GNU/Linux-libre with full disk encryption (including /boot)} +@itemize +@item +Follow-up tutorial: @uref{configuring_parabola.html,Configuring Parabola (post-install)} +@end itemize + +@item +@uref{encrypted_trisquel.html,Installing Trisquel GNU/Linux-libre with full disk encryption (including /boot)} +@end itemize + +Copyright © 2014, 2015 Francis Rowe <info@@gluglug.org.uk>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. 
A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt} + +Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html} + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +@bye |
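Review bot: In docs/src/gnulinux/grub_boot_installer.texi, the debian-installer section says "Use that kernel parameter on the 'linux' line" and then gives two parameters (vga=normal fb=false) that nothing earlier in the section has introduced, so "that" has no referent; reword to something like "Add these kernel parameters to the 'linux' line". The workaround link also points at www.debian.org/releases/stable/..., a URL whose content follows whatever Debian release is current, while the text records testing on Trisquel 6 and 7; linking a named release would keep the reference stable.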
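Review bot: In docs/src/gnulinux/grub_cbfs.texi, the cross references do not match the anchors the file defines: the table of contents and the "1st option" section use @ref{#tools,...}, @ref{#rom,...}, @ref{#extract_testconfig,...}, @ref{#option1_dont_reflash,...} and so on, and every section ends with @ref{#pagetop,...}, but the only anchors in the file are the generated ones such as @anchor{#acquire-the-necessary-utilities} and @anchor{#st-option-dont-re-flash} (which has also lost its leading "1", as has #nd-option-re-flash). Either rename the anchors to the short names or point the @ref calls at the node names, and add a #pagetop anchor under @node Top. Because the Introduction warns that a bad flash can brick the system, the Testing section should also tell the reader to keep the image read with "flashrom -p internal -r libreboot.rom" as a backup before running "./flash update". Smaller points: two command pairs lack the @* break between them ("$ cd .../libreboot_util/cbfstool" and "$ ./cbfstool libreboot.rom print"; "cd /libreboot_util" and "./flash update libreboot.rom"), the dump command appears twice in a row as "$ sudo flashrom ..." and "# flashrom ..." with no "or" between the alternatives, and "There are available" and "Ocassionally" are typos.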
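Review bot: In docs/src/gnulinux/grub_config.texi, the manual symlink steps for a separate /boot remove one pair of names and create another: "rm -f vmlinuz initrd.img" is followed by "ln -s yourkernel ksym" and "ln -s yourinitrd isym", so repeating the steps after a kernel update fails because ksym and isym already exist. Remove ksym and isym in the rm step, or use ln -sf. In the "Obvious option" section the text says "Then do this as root" but both commands carry the "$" prompt, while the other command listings in this patch use "#" for root. The table of contents references #example_modifications, #example_modifications_trisquel and #example_modifications_parabola, none of which is defined as an anchor in this file, and "/dev/sda1 is GRUB is" should read "/dev/sda1 in GRUB is".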
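Review bot: In docs/src/gnulinux/index.texi, the closing notice grants permission under the GNU Free Documentation License, Version 1.3, but the capitalised disclaimer that follows speaks of "THIS PUBLIC LICENSE" and "THE LICENSED MATERIAL", wording that does not correspond to the GFDL grant directly above it; say which license the disclaimer belongs to, or replace it with text that matches the GFDL. The same multi-paragraph block is pasted at the end of each of the four files visible in this part of the patch, so moving it into one shared file pulled in with @include would keep the copies from drifting apart.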