From 4c3d46238022f0c9955ae7e8b10c9f1716dd871a Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Wed, 04 Feb 2015 04:14:49 -0500 Subject: Documentation: implement theme, drastically improve readability --- (limited to 'docs/gnulinux') diff --git a/docs/gnulinux/configuring_parabola.html b/docs/gnulinux/configuring_parabola.html index 0c8e92a..7f69cf7 100644 --- a/docs/gnulinux/configuring_parabola.html +++ b/docs/gnulinux/configuring_parabola.html @@ -12,143 +12,169 @@ -
+

Configuring Parabola (post-install)

- -
- -
- -

Table of Contents

- - -
- -

- While not strictly related to the libreboot project, this guide - is intended to be useful for those interested in installing - Parabola on their libreboot machine. -

- -

- It details configuration steps that I took after installing the base system, - as a follow up to encrypted_parabola.html. - This guide is likely to become obsolete at a later date (due to the volatile - 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. -

- -

- - This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch - with the libreboot project! - -

- -

- You do not necessarily have to follow this guide word-for-word; parabola is extremely flexible. - The aim here is to provide a common setup that most users will be happy with. While Parabola - can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide - all the same usability as Trisquel, without hiding any details from the user. -

- -

- Paradoxically, as you get more advanced Parabola can actually become easier to use - when you want to set up your machine in a special way compared to what most distributions provide. - You will find over time that other distributions tend to get in your way. -

- -

- - This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, - then this guide is highly recommended! - -

- -

- A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. - Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries - to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. - It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, - especially for new users. -

- -

- The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), - and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the - Arch wiki. -

- -

- Some of these steps require internet access. I'll go into networking later but for now, I just connected - my machine to a switch and did:
- # systemctl start dhcpcd.service
- You can stop it later by running:
- # systemctl stop dhcpcd.service
- For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:
- Setup network connection in Parabola -

- -
- -

Configure pacman

+

+ Post-installation configuration steps for Parabola GNU/Linux-libre. Parabola is extremely flexible; this is just an example. +

+

+ Back to previous index +

+ + +
+ +

Table of Contents

+ + +
+ +
+ +

+ While not strictly related to the libreboot project, this guide + is intended to be useful for those interested in installing + Parabola on their libreboot machine. +

+ +

+ It details configuration steps that I took after installing the base system, + as a follow up to encrypted_parabola.html. + This guide is likely to become obsolete at a later date (due to the volatile + 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. +

+ +

+ + This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch + with the libreboot project! + +

+ +
+ +
+ +

+ You do not necessarily have to follow this guide word-for-word; parabola is extremely flexible. + The aim here is to provide a common setup that most users will be happy with. While Parabola + can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide + all the same usability as Trisquel, without hiding any details from the user. +

+ +

+ Paradoxically, as you get more advanced Parabola can actually become easier to use + when you want to set up your machine in a special way compared to what most distributions provide. + You will find over time that other distributions tend to get in your way. +

+ +
+ +
+ +

+ + This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, + then this guide is highly recommended! + +

+

- pacman (package manager) is the name of the package management system in Arch, which Parabola - (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel, - this can be used to add/remove and update the software on your computer. + A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. + Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries + to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. + It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, + especially for new users.

+

- Based on https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman - and from reading https://wiki.archlinux.org/index.php/Pacman (make sure to read and understand this, - it's very important) and - https://wiki.parabolagnulinux.org/Official_Repositories + The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), + and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the + Arch wiki.

+ +
+ +
+

- Back to top of page. + Some of these steps require internet access. I'll go into networking later but for now, I just connected + my machine to a switch and did:
+ # systemctl start dhcpcd.service
+ You can stop it later by running:
+ # systemctl stop dhcpcd.service
+ For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:
+ Setup network connection in Parabola

-

Updating Parabola

+ +
+ +
+ +

Configure pacman

+

+ pacman (package manager) is the name of the package management system in Arch, which Parabola + (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel, + this can be used to add/remove and update the software on your computer. +

+

+ Based on https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman + and from reading https://wiki.archlinux.org/index.php/Pacman (make sure to read and understand this, + it's very important) and + https://wiki.parabolagnulinux.org/Official_Repositories +

+

+ Back to top of page. +

+ +
+ +
+ +

Updating Parabola

In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:
# pacman -Syy
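Review bot: the re-added validity note in this hunk still reads "If you see any changes that should to be made at the present date"; since the paragraph is being moved anyway, correct it to "should be made". The same note says the guide "was valid on 2014-09-21" while this commit is dated 2015-02-04, so either re-verify the steps and update the date, or state that the content was not re-checked as part of the theme change. The networking paragraph has a similar slip in "you should setup your network connection first" ("set up").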
@@ -191,7 +217,12 @@

Back to top of page.

-

Maintaining Parabola

+ +
+ +
+ +

Maintaining Parabola

Parabola is a very simple distro, in the sense that you are in full control and everything is made transparent to you. One consequence is @@ -202,7 +233,7 @@

Back to top of page.

-

Cleaning the package cache

+

Cleaning the package cache

The following is very important as you continue to use, update and maintain your Parabola system:
@@ -229,7 +260,7 @@

Back to top of page.

-

pacman command equivalents

+

pacman command equivalents

The following table lists other distro package manager commands, and their equivalent in pacman:
https://wiki.archlinux.org/index.php/Pacman_Rosetta @@ -237,8 +268,12 @@

Back to top of page.

+ +
-

your-freedom

+
+ +

your-freedom

your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola @@ -249,526 +284,565 @@

Back to top of page.

+ +
-
+
-

Add a user

-

- Based on https://wiki.archlinux.org/index.php/Users_and_Groups. -

-

- It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended - only for critical administrative work, since it has complete access to the entire operating system. -

-

- Read the entire document linked to above, and then continue. -

-

- Add your user:
- # useradd -m -G wheel -s /bin/bash yourusername
- Set a password:
- # passwd yourusername -

- -

Back to top of page

- -
- -

systemd

-

- This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. - Read https://wiki.archlinux.org/index.php/systemd - and https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage - to gain a full understanding. This is very important! Make sure to read them. -

-

- An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. -

-

- https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 explains - the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. -

- -

- The manpage should also help:
- # man systemd
- The section on 'unit types' is especially useful. -

- -

- According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. - on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the - log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki - recommends 50MiB). -

-

- Open /etc/systemd/journald.conf and find the line that says:
- #SystemMaxUse=
- Change it to say:
- SystemMaxUse=50M -

-

- The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, - and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it. -

-

- Restart journald:
- # systemctl restart systemd-journald -

- -

- The wiki recommends that if the journal gets too large, you can also simply delete (rm -rf) everything inside /var/log/journald/* - but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically - start to delete older records when the journal size reaches it's limit (according to systemd developers). -

- -

- Finally, the wiki mentions 'temporary' files and the utility for managing them.
- # man systemd-tmpfiles
- The command for 'clean' is:
- # systemd-tmpfiles --clean
- According to the manpage, this "cleans all files and directories with an age parameter". - According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ - to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations - to get a better understanding. -

-

- I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. - The first one was etc.conf, containing information and a reference to this manpage:
- # man tmpfiles.d
- Read that manpage, and then continue studying all the files. -

-

- The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all. -

- -

Back to top of page

- -
- -

Interesting repositories

-

- Parabola wiki at https://wiki.parabolagnulinux.org/Repositories#kernels - mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available - there, depending on your use case. -

-

- I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:
- - [kernels]
- Include = /etc/pacman.d/mirrorlist -
-

-

- Now sync with the repository:
- # pacman -Syy -

-

- List all available packages in this repository:
- # pacman -Sl kernels -

-

- In the end, I decided not to install anything from it but I kept the repository enabled regardless. -

-

Back to top of page.

- -
- -

Setup a network connection in Parabola

-

- Read https://wiki.archlinux.org/index.php/Configuring_Network. -

-

- Back to top of page. -

-

Set the hostname

-

- This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):
- # hostnamectl set-hostname yourhostname
- This writes the specified hostname to /etc/hostname. More information can be found in these manpages:
- # man hostname
- # info hostname
- # man hostnamectl -

-

- Add the same hostname to /etc/hosts, on each line. Example:
- - 127.0.0.1 localhost.localdomain localhost myhostname
- ::1 localhost.localdomain localhost myhostname -
-

-

- You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does) - so it's good to be forward-thinking here. -

-

- The hostname utility is part of the inetutils package and is in core/, installed by default (as part of base). -

-

- Back to top of page. -

-

Network Status

-

- According to the Arch wiki, udev should already detect the ethernet chipset - and load the driver for it automatically at boot time. You can check this in the "Ethernet controller" section - when running this command:
- # lspci -v -

-

- Look at the remaining sections 'Kernel driver in use' and 'Kernel modules'. In my case it was as follows:
- - Kernel driver in use: e1000e
- Kernel modules: e1000e -
-

-

- Check that the driver was loaded by issuing dmesg | grep module_name. In my case, I did:
- # dmesg | grep e1000e -

-

Network device names

+

Add a user

- According to https://wiki.archlinux.org/index.php/Configuring_Network#Device_names, - it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, systemd - creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. - An example device name for your ethernet chipset would be enp0s25, where it is never supposed to change. + Based on https://wiki.archlinux.org/index.php/Users_and_Groups.

- If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends - adding net.ifnames=0 to your kernel parameters (in libreboot context, this would be accomplished by following the - instructions in grub_cbfs.html). + It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended + only for critical administrative work, since it has complete access to the entire operating system.

- For background information, - read Predictable Network Interface Names + Read the entire document linked to above, and then continue.

- Show device names:
- # ls /sys/class/net -

-

- Changing the device names is possible (I chose not to do it):
- https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name -

-

- Back to top of page. -

-

Network setup

-

- I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical - network-manager client. Here is a list of network managers:
- https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers. - If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd. - NetworkManager will be setup later, after installing LXDE. -

-

- Back to top of page. + Add your user:
+ # useradd -m -G wheel -s /bin/bash yourusername
+ Set a password:
+ # passwd yourusername

-
+

Back to top of page

+ +
-

System Maintenance

-

- Read https://wiki.archlinux.org/index.php/System_maintenance before continuing. - Also read https://wiki.archlinux.org/index.php/Enhance_system_stability. - This is important, so make sure to read them! -

-

- Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you - but the smart data comes from it. Therefore, don't rely on it too much):
- # pacman -S smartmontools
- Read https://wiki.archlinux.org/index.php/S.M.A.R.T. to learn how to use it. -

-

- Back to top of page. -

- -
- -

Configuring the desktop

-

- Based on steps from - General Recommendations on the Arch wiki. - The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE - by default. -

-

- Back to top of page. -

+
-

Installing Xorg

-

- Based on https://wiki.archlinux.org/index.php/Xorg. -

-

- Firstly, install it!
- # pacman -S xorg-server
- I also recommend installing this (contains lots of useful tools, including xrandr):
- # pacman -S xorg-server-utils -

-

- Install the driver. For me this was xf86-video-intel on the ThinkPad X60. T60 and macbook11/21 should be the same.
- # pacman -S xf86-video-intel
- For other systems you can try:
- # pacman -Ss xf86-video- | less
- Combined with looking at your lspci output, you can determine which driver is needed. - By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. -

-

- Other drivers (not just video) can be found by looking at the xorg-drivers group:
- # pacman -Sg xorg-drivers
-

+

systemd

- Mostly you will rely on a display manager, but in case you ever want to start X without one:
- # pacman -S xorg-xinit + This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. + Read https://wiki.archlinux.org/index.php/systemd + and https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage + to gain a full understanding. This is very important! Make sure to read them.

- <optional>
-    Arch wiki recommends installing these, for testing that X works:
-    # pacman -S xorg-twm xorg-xclock xterm
-    Refer to https://wiki.archlinux.org/index.php/Xinitrc. - and test X:
-    # startx
-    When you are satisfied, type exit in xterm, inside the X session.
-    Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm
- </optional> + An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others.

- Back to top of page. + https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 explains + the background behind the decision by Arch (Parabola's upstream supplier) to use systemd.

-

Xorg keyboard layout

-

- Refer to https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg. -

-

- Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you - set in /etc/vconsole.conf earlier might not actually be the same in X. -

-

- To see what layout you currently use, try this on a terminal emulator in X:
- # setxkbmap -print -verbose 10 -

-

- In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. -

-

- I'll just say it now: XkbModel can be pc105 in this case (ThinkPad X60, with a 105-key UK keyboard). - If you use an American keyboard (typically 104 keys) you will want to use pc104. -

-

- XkbLayout in my case would be gb, and XkbVariant would be dvorak. -

-

- The Arch wiki recommends two different methods for setting the keyboard layout:
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files and
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl. -

-

- In my case, I chose to use the configuration file method:
- Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:
- - Section "InputClass"
-         Identifier "system-keyboard"
-         MatchIsKeyboard "on"
-         Option "XkbLayout" "gb"
-         Option "XkbModel" "pc105"
-         Option "XkbVariant" "dvorak"
- EndSection -
-

-

- For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then - you don't even need to do anything (though it might help, for the sake of being explicit). -

- Back to top of page. + The manpage should also help:
+ # man systemd
+ The section on 'unit types' is especially useful.

-

Install LXDE

-

- Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight - and does everything that I need. - If you would like to try something different, refer to - https://wiki.archlinux.org/index.php/Desktop_environment -

- Refer to https://wiki.archlinux.org/index.php/LXDE. + According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. + on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the + log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki + recommends 50MiB).

- Install it, choosing 'all' when asked for the default package list:
- # pacman -S lxde obconf + Open /etc/systemd/journald.conf and find the line that says:
+ #SystemMaxUse=
+ Change it to say:
+ SystemMaxUse=50M

- I didn't want the following, so I removed them:
- # pacman -R lxmusic lxtask + The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, + and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it.

- I also lazily installed all fonts:
- # pacman -S $(pacman -Ssq ttf-) + Restart journald:
+ # systemctl restart systemd-journald

+

- LXDE comes with a terminal. You probably want a browser to go with that; I choose GNU IceCat, part of the GNU project:
- # pacman -S icecat
- And a mail client:
- # pacman -S icedove + The wiki recommends that if the journal gets too large, you can also simply delete (rm -rf) everything inside /var/log/journald/* + but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically + start to delete older records when the journal size reaches it's limit (according to systemd developers).

+

- In IceCat, go to Preferences :: Advanced and disable GNU IceCat Health Report. + Finally, the wiki mentions 'temporary' files and the utility for managing them.
+ # man systemd-tmpfiles
+ The command for 'clean' is:
+ # systemd-tmpfiles --clean
+ According to the manpage, this "cleans all files and directories with an age parameter". + According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ + to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations + to get a better understanding.

- I also like to install these:
- # pacman -S xsensors stress htop + I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. + The first one was etc.conf, containing information and a reference to this manpage:
+ # man tmpfiles.d
+ Read that manpage, and then continue studying all the files.

- Enable LXDM (the default display manager, providing a graphical login):
- # systemctl enable lxdm.service
- It will start when you boot up the machine. To start it now, do:
- # systemctl start lxdm.service + The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all.

+ +

Back to top of page

+ +
+ +
+ +

Interesting repositories

- Log in with your standard (non-root) user that you created earlier. - It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. - Read https://wiki.archlinux.org/index.php/Xinitrc. + Parabola wiki at https://wiki.parabolagnulinux.org/Repositories#kernels + mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available + there, depending on your use case.

- Open LXterminal:
- $ cp /etc/skel/.xinitrc ~
- Open .xinitrc and add the following plus a line break at the bottom of the file.
+ I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:
- # Probably not needed. The same locale info that we set before
- # Based on advice from the LXDE wiki - export LC_ALL=en_GB.UTF-8
- export LANGUAGE=en_GB.UTF-8
- export LANG=en_GB.UTF-8
-
- # Start lxde desktop
- exec startlxde
+ [kernels]
+ Include = /etc/pacman.d/mirrorlist
- Now make sure that it is executable:
- $ chmod +x .xinitrc

- Back to top of page. + Now sync with the repository:
+ # pacman -Syy

- -

LXDE - clock

- In Digital Clock Settings (right click the clock) I set the Clock Format to %Y/%m/%d %H:%M:%S + List all available packages in this repository:
+ # pacman -Sl kernels

- Back to top of page. + In the end, I decided not to install anything from it but I kept the repository enabled regardless.

+

Back to top of page.

+ +
-

LXDE - font

-

- NOTE TO SELF: come back to this later. -

-

- Back to top of page. -

+
-

LXDE - screenlock

-

- Arch wiki recommends to use xscreensaver:
- # pacman -S xscreensaver -

+

Setup a network connection in Parabola

- Under Preferences :: Screensaver in the LXDE menu, I chose Mode: Blank Screen Only, - setting Blank After, Cycle After and Lock Screen After (checked) to 10 minutes. -

-

- You can now lock the screen with Logout :: Lock Screen in the LXDE menu. + Read https://wiki.archlinux.org/index.php/Configuring_Network.

Back to top of page.

+

Set the hostname

+

+ This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):
+ # hostnamectl set-hostname yourhostname
+ This writes the specified hostname to /etc/hostname. More information can be found in these manpages:
+ # man hostname
+ # info hostname
+ # man hostnamectl +

+

+ Add the same hostname to /etc/hosts, on each line. Example:
+ + 127.0.0.1 localhost.localdomain localhost myhostname
+ ::1 localhost.localdomain localhost myhostname +
+

+

+ You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does) + so it's good to be forward-thinking here. +

+

+ The hostname utility is part of the inetutils package and is in core/, installed by default (as part of base). +

+

+ Back to top of page. +

+

Network Status

+

+ According to the Arch wiki, udev should already detect the ethernet chipset + and load the driver for it automatically at boot time. You can check this in the "Ethernet controller" section + when running this command:
+ # lspci -v +

+

+ Look at the remaining sections 'Kernel driver in use' and 'Kernel modules'. In my case it was as follows:
+ + Kernel driver in use: e1000e
+ Kernel modules: e1000e +
+

+

+ Check that the driver was loaded by issuing dmesg | grep module_name. In my case, I did:
+ # dmesg | grep e1000e +

+

Network device names

+

+ According to https://wiki.archlinux.org/index.php/Configuring_Network#Device_names, + it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, systemd + creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. + An example device name for your ethernet chipset would be enp0s25, where it is never supposed to change. +

+

+ If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends + adding net.ifnames=0 to your kernel parameters (in libreboot context, this would be accomplished by following the + instructions in grub_cbfs.html). +

+

+ For background information, + read Predictable Network Interface Names +

+

+ Show device names:
+ # ls /sys/class/net +

+

+ Changing the device names is possible (I chose not to do it):
+ https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name +

+

+ Back to top of page. +

+

Network setup

+

+ I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical + network-manager client. Here is a list of network managers:
+ https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers. + If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd. + NetworkManager will be setup later, after installing LXDE. +

+

+ Back to top of page. +

+ +
-

LXDE - automounting

-

- Refer to https://wiki.archlinux.org/index.php/File_manager_functionality. -

-

- I chose to ignore this for now. NOTE TO SELF: come back to this later. -

-

- Back to top of page. -

-

LXDE - disable suspend

-

- When closing the laptop lid, the machine suspends. This is annoying at least to me. - NOTE TO SELF: disable it, then document the steps here. -

+
+ +

System Maintenance

- Back to top of page. + Read https://wiki.archlinux.org/index.php/System_maintenance before continuing. + Also read https://wiki.archlinux.org/index.php/Enhance_system_stability. + This is important, so make sure to read them!

-

LXDE - battery monitor

- Right click lxde panel and Add/Remove Panel Items. Click Add and select Battery Monitor, then click Add. - Close and then right-click the applet and go to Battery Monitor Settings, check the box that says Show Extended Information. - Now click Close. When you hover the cursor over it, it'll show information about the battery. + Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you + but the smart data comes from it. Therefore, don't rely on it too much):
+ # pacman -S smartmontools
+ Read https://wiki.archlinux.org/index.php/S.M.A.R.T. to learn how to use it.

Back to top of page.

-

LXDE - Network Manager

-

- Refer to https://wiki.archlinux.org/index.php/LXDE#Network_Management. - Then I read: https://wiki.archlinux.org/index.php/NetworkManager. -

-

- Install Network Manager:
- # pacman -S networkmanager -

-

- You will also want the graphical applet:
- # pacman -S network-manager-applet
- Arch wiki says that an autostart rule will be written at /etc/xdg/autostart/nm-applet.desktop -

-

- I want to be able to use a VPN at some point, so the wiki tells me to do:
- # pacman -S networkmanager-openvpn -

-

- LXDE uses openbox, so I refer to:
- https://wiki.archlinux.org/index.php/NetworkManager#Openbox. -

-

- It tells me for the applet I need:
- # pacman -S xfce4-notifyd gnome-icon-theme
- Also, for storing authentication details (wifi) I need:
- # pacman -S gnome-keyring -

-

- I wanted to quickly enable networkmanager:
- # systemctl stop dhcpcd
- # systemctl start NetworkManager
- Enable NetworkManager at boot time:
- # systemctl enable NetworkManager -

-

- Restart LXDE (log out, and then log back in). -

+ +
+ +
+ +

Configuring the desktop

- I added the volume control applet to the panel (right click panel, and add a new applet). - I also later changed the icons to use the gnome icon theme, in lxappearance. + Based on steps from + General Recommendations on the Arch wiki. + The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE + by default.

Back to top of page.

-
+
+

Installing Xorg

+

+ Based on https://wiki.archlinux.org/index.php/Xorg. +

+

+ Firstly, install it!
+ # pacman -S xorg-server
+ I also recommend installing this (contains lots of useful tools, including xrandr):
+ # pacman -S xorg-server-utils +

+

+ Install the driver. For me this was xf86-video-intel on the ThinkPad X60. T60 and macbook11/21 should be the same.
+ # pacman -S xf86-video-intel
+ For other systems you can try:
+ # pacman -Ss xf86-video- | less
+ Combined with looking at your lspci output, you can determine which driver is needed. + By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. +

+

+ Other drivers (not just video) can be found by looking at the xorg-drivers group:
+ # pacman -Sg xorg-drivers
+

+

+ Mostly you will rely on a display manager, but in case you ever want to start X without one:
+ # pacman -S xorg-xinit +

+

+ <optional>
+    Arch wiki recommends installing these, for testing that X works:
+    # pacman -S xorg-twm xorg-xclock xterm
+    Refer to https://wiki.archlinux.org/index.php/Xinitrc. + and test X:
+    # startx
+    When you are satisfied, type exit in xterm, inside the X session.
+    Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm
+ </optional> +

+

+ Back to top of page. +

+
+ +
+

Xorg keyboard layout

+

+ Refer to https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg. +

+

+ Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you + set in /etc/vconsole.conf earlier might not actually be the same in X. +

+

+ To see what layout you currently use, try this on a terminal emulator in X:
+ # setxkbmap -print -verbose 10 +

+

+ In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. +

+

+ I'll just say it now: XkbModel can be pc105 in this case (ThinkPad X60, with a 105-key UK keyboard). + If you use an American keyboard (typically 104 keys) you will want to use pc104. +

+

+ XkbLayout in my case would be gb, and XkbVariant would be dvorak. +

+

+ The Arch wiki recommends two different methods for setting the keyboard layout:
+ https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files and
+ https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl. +

+

+ In my case, I chose to use the configuration file method:
+ Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:
+ + Section "InputClass"
+         Identifier "system-keyboard"
+         MatchIsKeyboard "on"
+         Option "XkbLayout" "gb"
+         Option "XkbModel" "pc105"
+         Option "XkbVariant" "dvorak"
+ EndSection +
+

+

+ For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then + you don't even need to do anything (though it might help, for the sake of being explicit). +

+

+ Back to top of page. +

+
+ +
+

Install LXDE

+

+ Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight + and does everything that I need. + If you would like to try something different, refer to + https://wiki.archlinux.org/index.php/Desktop_environment +

+

+ Refer to https://wiki.archlinux.org/index.php/LXDE. +

+

+ Install it, choosing 'all' when asked for the default package list:
+ # pacman -S lxde obconf +

+

+ I didn't want the following, so I removed them:
+ # pacman -R lxmusic lxtask +

+

+ I also lazily installed all fonts:
+ # pacman -S $(pacman -Ssq ttf-) +

+

+ LXDE comes with a terminal. You probably want a browser to go with that; I choose GNU IceCat, part of the GNU project:
+ # pacman -S icecat
+ And a mail client:
+ # pacman -S icedove +

+

+ In IceCat, go to Preferences :: Advanced and disable GNU IceCat Health Report. +

+

+ I also like to install these:
+ # pacman -S xsensors stress htop +

+

+ Enable LXDM (the default display manager, providing a graphical login):
+ # systemctl enable lxdm.service
+ It will start when you boot up the machine. To start it now, do:
+ # systemctl start lxdm.service +

+

+ Log in with your standard (non-root) user that you created earlier. + It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. + Read https://wiki.archlinux.org/index.php/Xinitrc. +

+

+ Open LXterminal:
+ $ cp /etc/skel/.xinitrc ~
+ Open .xinitrc and add the following plus a line break at the bottom of the file.
+ + # Probably not needed. The same locale info that we set before
+ # Based on advice from the LXDE wiki + export LC_ALL=en_GB.UTF-8
+ export LANGUAGE=en_GB.UTF-8
+ export LANG=en_GB.UTF-8
+
+ # Start lxde desktop
+ exec startlxde
+
+ Now make sure that it is executable:
+ $ chmod +x .xinitrc +

+

+ Back to top of page. +

+
+ +
+

LXDE - clock

+

+ In Digital Clock Settings (right click the clock) I set the Clock Format to %Y/%m/%d %H:%M:%S +

+

+ Back to top of page. +

+
+ +
+

LXDE - font

+

+ NOTE TO SELF: come back to this later. +

+

+ Back to top of page. +

+
+ +
+

LXDE - screenlock

+

+ Arch wiki recommends to use xscreensaver:
+ # pacman -S xscreensaver +

+

+ Under Preferences :: Screensaver in the LXDE menu, I chose Mode: Blank Screen Only, + setting Blank After, Cycle After and Lock Screen After (checked) to 10 minutes. +

+

+ You can now lock the screen with Logout :: Lock Screen in the LXDE menu. +

+

+ Back to top of page. +

+
+ +
+

LXDE - automounting

+

+ Refer to https://wiki.archlinux.org/index.php/File_manager_functionality. +

+

+ I chose to ignore this for now. NOTE TO SELF: come back to this later. +

+

+ Back to top of page. +

+
+ +
+

LXDE - disable suspend

+

+ When closing the laptop lid, the machine suspends. This is annoying at least to me. + NOTE TO SELF: disable it, then document the steps here. +

+

+ Back to top of page. +

+
+ +
+

LXDE - battery monitor

+

+ Right click lxde panel and Add/Remove Panel Items. Click Add and select Battery Monitor, then click Add. + Close and then right-click the applet and go to Battery Monitor Settings, check the box that says Show Extended Information. + Now click Close. When you hover the cursor over it, it'll show information about the battery. +

+

+ Back to top of page. +

+
+ +
+

LXDE - Network Manager

+

+ Refer to https://wiki.archlinux.org/index.php/LXDE#Network_Management. + Then I read: https://wiki.archlinux.org/index.php/NetworkManager. +

+

+ Install Network Manager:
+ # pacman -S networkmanager +

+

+ You will also want the graphical applet:
+ # pacman -S network-manager-applet
+ Arch wiki says that an autostart rule will be written at /etc/xdg/autostart/nm-applet.desktop +

+

+ I want to be able to use a VPN at some point, so the wiki tells me to do:
+ # pacman -S networkmanager-openvpn +

+

+ LXDE uses openbox, so I refer to:
+ https://wiki.archlinux.org/index.php/NetworkManager#Openbox. +

+

+ It tells me for the applet I need:
+ # pacman -S xfce4-notifyd gnome-icon-theme
+ Also, for storing authentication details (wifi) I need:
+ # pacman -S gnome-keyring +

+

+ I wanted to quickly enable networkmanager:
+ # systemctl stop dhcpcd
+ # systemctl start NetworkManager
+ Enable NetworkManager at boot time:
+ # systemctl enable NetworkManager +

+

+ Restart LXDE (log out, and then log back in). +

+

+ I added the volume control applet to the panel (right click panel, and add a new applet). + I also later changed the icons to use the gnome icon theme, in lxappearance. +

+

+ Back to top of page. +

+
+ +
+ +
-

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

+

+ Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +

-

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +

+ +
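Review bot: In the optional Xorg test block, the line "Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm" uses -S, which installs the packages again instead of removing them. The LXDE section of this same file removes packages with "# pacman -R lxmusic lxtask", so the cleanup line should use -R too. The list also includes xorg-xinit, which the paragraph just above tells the reader to install for starting X without a display manager, and which the later .xinitrc step depends on; decide whether it belongs in the removal list, for example "# pacman -R xorg-twm xorg-xclock xterm". Separately, the "NOTE TO SELF" placeholders under LXDE - font, automounting and disable suspend are carried over into the themed page unchanged; since this commit touches every section anyway, consider marking them as unfinished sections for the reader or leaving them out until they are written.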
diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html index a48e489..85cb6ce 100644 --- a/docs/gnulinux/encrypted_parabola.html +++ b/docs/gnulinux/encrypted_parabola.html @@ -12,262 +12,293 @@ -
+

Installing Parabola GNU/Linux with full disk encryption (including /boot)

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. -

- -

- Boot Parabola's install environment. How to boot a GNU/Linux installer. -

- -

- For this guide I used the 2013 09 01 image to boot the live installer and install the system. -

- -

- Parabola is much more flexible than Trisquel, but also more involved to set up. -

- -

- Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. - See this page - for more info. -

- -

- If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously - contained plaintext copies of your data. -

- -

- Wipe the MBR (if you use MBR):
- # lsblk
- Your HDD is probably /dev/sda: - # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
- Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. - This guide is for libreboot with GRUB-as-payload only. -

- -

- Securely wipe the drive:
- # dd if=/dev/urandom of=/dev/sda; sync
- NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, - use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended - erase block size is. For example if it was 2MiB:
- # dd if=/dev/urandom of=/dev/sda bs=2M; sync -

-

- If your drive was already LUKS encrypted (maybe you are re-installing your distro) then - it is already 'wiped'. You should just wipe the LUKS header. - https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ - showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
- # head -c 3145728 /dev/urandom > /dev/sda; sync
- (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). -

-

- - If you do plan to use an SSD, make sure to read - https://wiki.archlinux.org/index.php/Solid_State_Drives
- Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting - them for this guide. -
-

- -

- This guide will go through the installation steps taken at the time of writing, which may or may not change due to - the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, - please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to - the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15). -

- -

- Change keyboard layout -

-

- Parabola live shell assumes US Qwerty. If you have something different, use:
- # loadkeys LAYOUT
- For me, LAYOUT would have been dvorak-uk. -

+

+ Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and it's GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

-

Getting started

-

- The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide. - Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first. -

+

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the machine. +

+

+ Back to previous index +

+ -

dm-mod

+
+

- device-mapper will be used - a lot. Make sure that the kernel module is loaded:
- # modprobe dm-mod + Boot Parabola's install environment. How to boot a GNU/Linux installer.

-

Create LUKS partition

-

- I am using MBR partitioning, so I use cfdisk:
- # cfdisk /dev/sda -

-

- I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). -

- Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
- I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption. + For this guide I used the 2013 09 01 image to boot the live installer and install the system.

+

- Parabola forces you to RTFM. -

-

- It tells me to run:
- # cryptsetup benchmark (for making sure the list below is populated)
- Then:
- # cat /proc/crypto
- This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). - To gain a better understanding, I am also reading:
- # man cryptsetup -

-

- Following that page, based on my requirements, I do the following based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode. - Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. -

-

- I am initializing LUKS with the following:
- # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1 - -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password - length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more. - It might take you a while to memorize a long passphrase before beginning this step. + This guide will go through the installation steps taken at the time of writing, which may or may not change due to + the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, + please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to + the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15).

+ +
-

Create LVM

-

- Now I refer to https://wiki.archlinux.org/index.php/LVM. -

+
+

- Open the LUKS partition:
- # cryptsetup open --type luks /dev/sda1 lvm
- (it will be available at /dev/mapper/lvm)
- I'm told that the above is old syntax, which is what I did anyway. You could also try:
- # cryptsetup luksOpen /dev/sda1 lvm -

-

- Create LVM partition:
- # pvcreate /dev/mapper/lvm
- Show that you just created it:
- # pvdisplay -

-

- Now I create the volume group, inside of which the logical volumes will be created:
- # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
- Show that you created it:
- # vgdisplay -

-

- Now create the logical volumes:
- # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
- # lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
- You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, - if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). - For a home/laptop system (typical use case), a root and a swap will do (really). -

-

- Verify that the logical volumes were created, using the following command:
- # lvdisplay + Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. + See this page + for more info.

-

Create / and swap partitions

- For the swapvol LV I use:
- # mkswap /dev/mapper/matrix-swapvol -

-

- For the rootvol LV I use:
- # mkfs.ext4 /dev/mapper/matrix-rootvol + If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously + contained plaintext copies of your data.

-

Continue with Parabola installation

-

- Mount the root (/) partition:
- # mount /dev/matrix/rootvol /mnt
-

-

- This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola - so that the guide can continue. -

- Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide. - I also cross referenced https://wiki.archlinux.org/index.php/Installation_guide. -

-

- Create /home and /boot on rootvol mountpoint:
- # mkdir /mnt/home
- # mkdir /mnt/boot -

-

- The wiki says to enable the swap so that it can be detected by 'genfstab':
- # swapon /dev/matrix/swapvol -

-

- DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. - I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. - Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. - You can test to see if internet is already working by pinging a few domains. + Wipe the MBR (if you use MBR):
+ # lsblk
+ Your HDD is probably /dev/sda: + # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
+ Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. + This guide is for libreboot with GRUB-as-payload only.

- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
- # pacman -Syy
- # pacman -Syu
- # pacman -Sy pacman (and then I did the other 2 steps above, again)
- In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. + Securely wipe the drive:
+ # dd if=/dev/urandom of=/dev/sda; sync
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, + use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended + erase block size is. For example if it was 2MiB:
+ # dd if=/dev/urandom of=/dev/sda bs=2M; sync

- <troubleshooting>
-    The following is based on 'Verification of package signatures' in the Parabola install guide.
-    Check there first to see if steps differ by now.
-    Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
-    # pacman -Sy parabola-keyring
-    It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:
-    # pacman-key --populate parabola
-    # pacman-key --refresh-keys
-    # pacman -Sy parabola-keyring
-    To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
-    Also, it says that if the clock is set incorrectly then you have to manually set the correct time
-    (if keys are listed as expired because of it):
-    # date MMDDhhmm[[CC]YY][.ss]
-    I also had to install:
-    # pacman -S archlinux-keyring
-    # pacman-key --populate archlinux
-    In my case I saw some conflicting files reported in pacman, stopping me from using it.
-    I deleted the files that it mentioned - and then it worked. Specifically, I had this error:
-    licenses: /usr/share/licenses/common/MPS exists in filesystem
-    I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
-    # pacman -Sf licenses
- </troubleshooting>
+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then + it is already 'wiped'. You should just wipe the LUKS header. + https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ + showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
+ # head -c 3145728 /dev/urandom > /dev/sda; sync
+ (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).

- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- # pacstrap /mnt base base-devel wpa_supplicant dialog + + If you do plan to use an SSD, make sure to read + https://wiki.archlinux.org/index.php/Solid_State_Drives
+ Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting + them for this guide. +

+ +
+ +
+ +

+ Change keyboard layout +

+

+ Parabola live shell assumes US Qwerty. If you have something different, use:
+ # loadkeys LAYOUT
+ For me, LAYOUT would have been dvorak-uk. +

+ +
+ +
+ +

Getting started

+

+ The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide. + Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first. +

+ +
+ +
+ +

dm-mod

+

+ device-mapper will be used - a lot. Make sure that the kernel module is loaded:
+ # modprobe dm-mod +

+ +

Create LUKS partition

+

+ I am using MBR partitioning, so I use cfdisk:
+ # cfdisk /dev/sda +

+

+ I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). +

+

+ Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
+ I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption. +

+

+ Parabola forces you to RTFM. +

+

+ It tells me to run:
+ # cryptsetup benchmark (for making sure the list below is populated)
+ Then:
+ # cat /proc/crypto
+ This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). + To gain a better understanding, I am also reading:
+ # man cryptsetup +

+

+ Following that page, based on my requirements, I do the following based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode. + Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. +

+

+ I am initializing LUKS with the following:
+ # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1 + -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password + length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more. + It might take you a while to memorize a long passphrase before beginning this step. +

+ +
-

Configure the system

+
+ +

Create LVM

+

+ Now I refer to https://wiki.archlinux.org/index.php/LVM. +

+

+ Open the LUKS partition:
+ # cryptsetup open --type luks /dev/sda1 lvm
+ (it will be available at /dev/mapper/lvm)
+ I'm told that the above is old syntax, which is what I did anyway. You could also try:
+ # cryptsetup luksOpen /dev/sda1 lvm +

+

+ Create LVM partition:
+ # pvcreate /dev/mapper/lvm
+ Show that you just created it:
+ # pvdisplay +

+

+ Now I create the volume group, inside of which the logical volumes will be created:
+ # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
+ Show that you created it:
+ # vgdisplay +

+

+ Now create the logical volumes:
+ # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
+ # lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
+ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, + if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). + For a home/laptop system (typical use case), a root and a swap will do (really). +

+

+ Verify that the logical volumes were created, using the following command:
+ # lvdisplay +

+ +
+ +
+ +

Create / and swap partitions

+

+ For the swapvol LV I use:
+ # mkswap /dev/mapper/matrix-swapvol +

+

+ For the rootvol LV I use:
+ # mkfs.ext4 /dev/mapper/matrix-rootvol +

+ +
+ +
+ +

Continue with Parabola installation

+

+ Mount the root (/) partition:
+ # mount /dev/matrix/rootvol /mnt
+

+

+ This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola + so that the guide can continue. +

+

+ Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide. + I also cross referenced https://wiki.archlinux.org/index.php/Installation_guide. +

+

+ Create /home and /boot on rootvol mountpoint:
+ # mkdir /mnt/home
+ # mkdir /mnt/boot +

+

+ The wiki says to enable the swap so that it can be detected by 'genfstab':
+ # swapon /dev/matrix/swapvol +

+

+ DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. + I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. + Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. + You can test to see if internet is already working by pinging a few domains. +

+ +

+ I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
+ # pacman -Syy
+ # pacman -Syu
+ # pacman -Sy pacman (and then I did the other 2 steps above, again)
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. +

+

+ <troubleshooting>
+    The following is based on 'Verification of package signatures' in the Parabola install guide.
+    Check there first to see if steps differ by now.
+    Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
+    # pacman -Sy parabola-keyring
+    It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:
+    # pacman-key --populate parabola
+    # pacman-key --refresh-keys
+    # pacman -Sy parabola-keyring
+    To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
+    Also, it says that if the clock is set incorrectly then you have to manually set the correct time
+    (if keys are listed as expired because of it):
+    # date MMDDhhmm[[CC]YY][.ss]
+    I also had to install:
+    # pacman -S archlinux-keyring
+    # pacman-key --populate archlinux
+    In my case I saw some conflicting files reported in pacman, stopping me from using it.
+    I deleted the files that it mentioned + and then it worked. Specifically, I had this error:
+    licenses: /usr/share/licenses/common/MPS exists in filesystem
+    I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
+    # pacman -Sf licenses
+ </troubleshooting>
+

+

+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
+ # pacstrap /mnt base base-devel wpa_supplicant dialog +

+ +
+ +
+ +

Configure the system

From the Parabola installation guide (Arch's one was identical):
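Review bot: In the paragraph beginning "If your drive was already LUKS encrypted", the header wipe is written to the whole disk ("# head -c 3145728 /dev/urandom > /dev/sda; sync"), but later in this hunk the LUKS volume is created on the partition ("luksFormat /dev/sda1"). For someone re-installing over a layout made with this guide, the first 3MiB of /dev/sda overwrites the MBR and partition table as well, and how much of the old header on sda1 it actually covers depends on where sda1 starts. Since the text itself says this step matters because the header holds hashed passphrases, state which device to target (the old LUKS partition, the whole disk, or both) and say that the partition table is destroyed too. The same paragraph has a typo that could be fixed while moving it: "I'm doing to use urandom" should read "going to". The MBR wipe a few paragraphs earlier runs dd against a device introduced as "probably /dev/sda"; a sentence telling the reader to confirm the target against the lsblk output before running it would fit there.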
# genfstab -p /mnt >> /mnt/etc/fstab @@ -359,8 +390,12 @@ # mkinitcpio -p linux-libre-grsec + +

-

Set a root password

+
+ +

Set a root password

At the time of writing, Parabola used SHA512 by default for it's password hashing.

@@ -374,8 +409,12 @@ # passwd root
Make sure to set a secure password! Also, it must never be the same as your LUKS password.

+ +
+ +
-

Extra security tweaks

+

Extra security tweaks

Based on https://wiki.archlinux.org/index.php/Security.

@@ -397,8 +436,12 @@ Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. If this is a single-user system, you don't really need sudo.

+ +
+ +
-

Unmount, reboot!

+

Unmount, reboot!

Exit from chroot:
# exit @@ -421,8 +464,12 @@ # shutdown -h now
Then boot up again.

+ +
-

Booting from GRUB

+
+ +

Booting from GRUB

Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional (using those 2 underlines will boot lts kernel instead of normal). @@ -437,132 +484,144 @@

You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img

+ +
-
+
+ +

Modify grub.cfg inside the ROM

-

Modify grub.cfg inside the ROM

+

+ Now you need to modify the ROM, so that Parabola can boot automatically with this configuration. + grub_cbfs.html shows you how. Follow that guide, using the configuration details below. +

+

+ Inside the 'Load Operating System' menu entry, change the contents to:
+ + cryptomount -a (ahci0,msdos1)
+ set root='lvm/matrix-rootvol'
+ linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
+ initrd /boot/initramfs-linux-libre-lts.img +
+

-

- Now you need to modify the ROM, so that Parabola can boot automatically with this configuration. - grub_cbfs.html shows you how. Follow that guide, using the configuration details below. -

-

- Inside the 'Load Operating System' menu entry, change the contents to:
- - cryptomount -a (ahci0,msdos1)
- set root='lvm/matrix-rootvol'
- linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
- initrd /boot/initramfs-linux-libre-lts.img -
-

+

+ Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. + You could also copy the menu entry and in one have -lts, and without in the other menuentry. + You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img +

-

- Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. - You could also copy the menu entry and in one have -lts, and without in the other menuentry. - You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img -

+

+ Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. +

-

- Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. -

+

+ Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: +

+
set superusers="root"
+	password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+	
-

- Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: -

-
set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
+

+ Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root. + Change root on both of those 2 lines to whatever you want. +

-

- Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root. - Change root on both of those 2 lines to whatever you want. -

+

+ Start dhcp on ethernet:
+ # systemctl start dhcpcd.service + This is just for the step below. I won't cover network configuration here. That is for another Parabola article. +

-

- Start dhcp on ethernet:
- # systemctl start dhcpcd.service - This is just for the step below. I won't cover network configuration here. That is for another Parabola article. -

+

+ The password hash (it's password, by the way) after 'password_pbkdf2 root' should be changed and is created by the grub-mkpasswd-pbkdf2 utility, which you need to install or otherwise compile, + like so:
+ # pacman -S grub +

+ +

+ GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash + by entering your chosen password at the prompt, when running this command:
+ # grub-mkpasswd-pbkdf2 +

-

- The password hash (it's password, by the way) after 'password_pbkdf2 root' should be changed and is created by the grub-mkpasswd-pbkdf2 utility, which you need to install or otherwise compile, - like so:
- # pacman -S grub -

- -

- GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash - by entering your chosen password at the prompt, when running this command:
- # grub-mkpasswd-pbkdf2 -

+

+ It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password. + Use it to replace the default hash mentioned above. +

-

- It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password. - Use it to replace the default hash mentioned above. -

+

+ With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. + This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware. +

-

- With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. - This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware. -

+

+ You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:
+ # pacman -S base-devel +

-

- You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:
- # pacman -S base-devel -

+

+ For flashing the modified ROM, I just used flashrom from the Parabola repo's:
+ # pacman -S flashrom
+ I also installed dmidecode:
+ # pacman -S dmidecode +

-

- For flashing the modified ROM, I just used flashrom from the Parabola repo's:
- # pacman -S flashrom
- I also installed dmidecode:
- # pacman -S dmidecode -

+

+ When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; + GRUB is already part of libreboot, flashed alongside it as a payload):
+ # pacman -R grub +

+ +
+ +

- When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; - GRUB is already part of libreboot, flashed alongside it as a payload):
- # pacman -R grub + If you followed all that correctly, you should now have a fully encrypted Parabola installation. + This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest + (desktop, etc).

+ +
-
+
-

- If you followed all that correctly, you should now have a fully encrypted Parabola installation. - This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest - (desktop, etc). -

+

Further security tips

+

+ https://wiki.archlinux.org/index.php/Security.
+ https://wiki.parabolagnulinux.org/User:GNUtoo/laptop +

+ +
-
+
-

Further security tips

-

- https://wiki.archlinux.org/index.php/Security.
- https://wiki.parabolagnulinux.org/User:GNUtoo/laptop -

+

Follow-up tutorial: configuring Parabola

+

+ configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic + system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. + Parabola is user-centric, which means that you are in control. For more information, read The Arch Way + (Parabola also follows it). +

+ +
-
+
-

Follow-up tutorial: configuring Parabola

- configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic - system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. - Parabola is user-centric, which means that you are in control. For more information, read The Arch Way - (Parabola also follows it). + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt.

-
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +

+ +
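Review bot: The password_pbkdf2 line re-added under "you should also add a GRUB password" still carries a working hash whose plaintext the text itself discloses ("it's password, by the way"), so a reader who pastes the block and skips the later paragraphs flashes a ROM with a publicly known GRUB password. Suggest replacing the literal with an obvious placeholder such as "password_pbkdf2 root grub.pbkdf2.sha512.10000.<salt>.<hash>", and moving the grub-mkpasswd-pbkdf2 step ahead of the snippet so the hash is generated before grub.cfg is edited. Minor wording while the paragraph is being touched: "When done, deleted GRUB" should read "delete GRUB".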
diff --git a/docs/gnulinux/encrypted_trisquel.html b/docs/gnulinux/encrypted_trisquel.html index 8e369a4..c24d5f1 100644 --- a/docs/gnulinux/encrypted_trisquel.html +++ b/docs/gnulinux/encrypted_trisquel.html @@ -12,280 +12,325 @@ -
+

Installing Trisquel GNU/Linux with full disk encryption (including /boot)

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and its GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. -

- -

- This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer. -

- -

- Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols). -

- -

- when the installer asks you to set up - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'. -

- -

- - Your user password should be different from the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - -

- -

Partitioning

- -

Choose 'Manual' partitioning:

- - -

Further partitioning

- -

- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. -

- - -

Kernel

- -

- Installation will ask what kernel you want to use. linux-generic is fine. -

- -

Tasksel

- -

- Choose "Trisquel Desktop Environment" if you want GNOME, - "Trisquel-mini Desktop Environment" if you - want LXDE or "Triskel Desktop Environment" if you want KDE. - If you want to have no desktop (just a basic shell) - when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). - You might also want to choose some of the other package groups; it's up to you. -

- -

Postfix configuration

- -

- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) -

- -

Install the GRUB boot loader to the master boot record

- -

- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. - You could also choose 'No'. Choice is irrelevant here. -

- -

- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. -

- -

Clock UTC

- -

- Just say 'Yes'. -

- -

- Booting your system -

- -

- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. -

- +

+ Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and its GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

+ +

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the machine. +

+

+ This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). + How to boot a GNU/Linux installer. +

+

Back to previous index

+ + +
+

- Do that:
- grub> cryptomount -a (ahci0,msdos1)
- grub> set root='lvm/grubcrypt-trisquel'
- grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
- grub> initrd /initrd.img
- grub> boot -

- -

- ecryptfs -

- -

- If you didn't encrypt your home directory, then you can safely ignore this section. -

- -

- Immediately after logging in, do that:
- $ sudo ecryptfs-unwrap-passphrase -

- -

- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> -

- -

- Modify grub.cfg (CBFS) -

- -

- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. -

- -

- Modify your grub.cfg (in the firmware) using this tutorial; - just change the default menu entry 'Load Operating System' to say this inside: + Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols).

- cryptomount -a (ahci0,msdos1)
- set root='lvm/grubcrypt-trisquel'
- linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
- initrd /initrd.img + when the installer asks you to set up + encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it + will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. + Choose 'no'.

- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. + + Your user password should be different from the LUKS password which you will set later on. + Your LUKS password should, like the user password, be secure. +

+ +
+ +
+ +

Partitioning

+ +

Choose 'Manual' partitioning:

+
    +
  • Select drive and create new partition table
  • +
  • + Single large partition. The following are mostly defaults: +
      +
    • Use as: physical volume for encryption
    • +
    • Encryption: aes
    • +
    • key size: 256
    • +
    • IV algorithm: xts-plain64
    • +
    • Encryption key: passphrase
    • +
    • erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)
    • +
    +
  • +
  • + Select 'configure encrypted volumes' +
      +
    • Create encrypted volumes
    • +
    • Select your partition
    • +
    • Finish
    • +
    • Really erase: Yes
    • +
    • (erase will take a long time. be patient)
    • +
    • (if your old system was encrypted, just let this run for about a minute to + make sure that the LUKS header is wiped out)
    • +
    +
  • +
  • + Select encrypted space: +
      +
    • use as: physical volume for LVM
    • +
    • Choose 'done setting up the partition'
    • +
    +
  • +
  • + Configure the logical volume manager: +
      +
    • Keep settings: Yes
    • +
    +
  • +
  • + Create volume group: +
      +
    • Name: grubcrypt (you can use whatever you want here, this is just an example)
    • +
    • Select crypto partition
    • +
    +
  • +
  • + Create logical volume +
      +
    • select grubcrypt (or whatever you named it before)
    • +
    • name: trisquel (you can use whatever you want here, this is just an example)
    • +
    • size: default, minus 2048 MB
    • +
    +
  • +
  • + Create logical volume +
      +
    • select grubcrypt (or whatever you named it before)
    • +
    • name: swap (you can use whatever you want here, this is just an example)
    • +
    • size: press enter
    • +
    +
  • +
+ +
+ +
+ +

Further partitioning

+ +

+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. +

+
    +
  • + LVM LV trisquel +
      +
    • use as: ext4
    • +
    • mount point: /
    • +
    • done setting up partition
    • +
    +
  • +
  • + LVM LV swap +
      +
    • use as: swap area
    • +
    • done setting up partition
    • +
    +
  • +
  • Now you select 'Finished partitioning and write changes to disk'.
  • +
+ +
+ +
+ +

Kernel

+ +

+ Installation will ask what kernel you want to use. linux-generic is fine. +

+ +
+ +
+ +

Tasksel

+ +

+ Choose "Trisquel Desktop Environment" if you want GNOME, + "Trisquel-mini Desktop Environment" if you + want LXDE or "Triskel Desktop Environment" if you want KDE. + If you want to have no desktop (just a basic shell) + when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). + You might also want to choose some of the other package groups; it's up to you. +

+ +
+ +
+ +

Postfix configuration

+ +

+ If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) +

+ +
+ +
+ +

Install the GRUB boot loader to the master boot record

+ +

+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. + You could also choose 'No'. Choice is irrelevant here. +

+ +

+ You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. +

+ +
+ +
+ +

Clock UTC

+ +

+ Just say 'Yes'. +

+ +
+ +
+ +

+ Booting your system +

+ +

+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. +

+ +

+ Do that:
+ grub> cryptomount -a (ahci0,msdos1)
+ grub> set root='lvm/grubcrypt-trisquel'
+ grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
+ grub> initrd /initrd.img
+ grub> boot +

+ +
+ +
+ +

+ ecryptfs +

+ +

+ If you didn't encrypt your home directory, then you can safely ignore this section. +

+ +

+ Immediately after logging in, do that:
+ $ sudo ecryptfs-unwrap-passphrase +

+ +

+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note + somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> +

+ +
+ +
+ +

+ Modify grub.cfg (CBFS) +

+ +

+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. +

+ +

+ Modify your grub.cfg (in the firmware) using this tutorial; + just change the default menu entry 'Load Operating System' to say this inside: +

+ +

+ cryptomount -a (ahci0,msdos1)
+ set root='lvm/grubcrypt-trisquel'
+ linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
+ initrd /initrd.img +

+ +

+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see + GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. +

+ +

+ The GRUB utility can be used like so:
+ $ grub-mkpasswd-pbkdf2 +

+ +

+ Give it a password (remember, it has to be secure) and it'll output something like:
+ grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 +

+ +

+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
+

+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+			
-

- The GRUB utility can be used like so:
- $ grub-mkpasswd-pbkdf2 -

+

+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! +

-

- Give it a password (remember, it has to be secure) and it'll output something like:
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -

+

+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM + using this tutorial. +

+ +
-

- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
-

-
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-		
+

- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt.

- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM - using this tutorial. + This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+ +
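Review bot: The ecryptfs paragraph near the top of the re-added text contradicts itself: it opens with "select 'Yes' if you want to", goes on to say the option is "not recommended", and ends with "Choose 'no'". Since the paragraph is being re-indented anyway, suggest stating the recommendation once (choose 'No', with 'Yes' as the optional alternative). The ecryptfs-unwrap-passphrase paragraph also still ends with a stray ">" after "memorize it still)", which looks like a mistyped full stop.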
diff --git a/docs/gnulinux/grub_boot_installer.html b/docs/gnulinux/grub_boot_installer.html index 8a5a8f8..3a99d00 100644 --- a/docs/gnulinux/grub_boot_installer.html +++ b/docs/gnulinux/grub_boot_installer.html @@ -12,144 +12,168 @@ -
+

Boot a GNU/Linux installer on USB

- -
- -

Prepare the USB drive (in GNU/Linux)

- -

- Connect the USB drive. Check dmesg:
- $ dmesg
- - Check lsblk to confirm which drive it is:
- $ lsblk -

- -

- Check that it wasn't automatically mounted. If it was, unmount it. For example:
- $ sudo umount /dev/sdb*
- # umount /dev/sdb* -

+

+ Back to previous index +

+ -

- dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:
- $ sudo dd if=gnulinux.iso of=/dev/sdb bs=8M; sync
- # dd if=gnulinux.iso of=/dev/sdb bs=8M; sync -

+
-

GNU Guix System Distribution?

+

Prepare the USB drive (in GNU/Linux)

-

- Guix USB installers use the GRUB bootloader, unlike most GNU/Linux installers which will likely use ISOLINUX. -

-

- To boot the Guix live USB install, select Search for GRUB configuration (grub.cfg) outside of CBFS from - the GRUB payload menu. After you have done that, a new menuentry will appear at the very bottom with text like - Load Config from (usb0); select that, and it should boot. -

-

- Once you have installed Guix onto the main storage device, check - grub_cbfs.html#libreboot_grub_config_ondisk for hints on how - to boot it. -

+

+ Connect the USB drive. Check dmesg:
+ $ dmesg
-

Booting ISOLINUX images

+ Check lsblk to confirm which drive it is:
+ $ lsblk +

-

- Boot it in GRUB using the Parse ISOLINUX config (USB) option. +

+ Check that it wasn't automatically mounted. If it was, unmount it. For example:
+ $ sudo umount /dev/sdb*
+ # umount /dev/sdb* +

- A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual - ISOLINUX menu provided by that distro. -

+

+ dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:
+ $ sudo dd if=gnulinux.iso of=/dev/sdb bs=8M; sync
+ # dd if=gnulinux.iso of=/dev/sdb bs=8M; sync +

+ +
-

Booting manually

- -

- If the ISOLINUX parser or Search for GRUB configuration options won't work, then press C to get to the GRUB command line.
- grub> ls
- - Get the device from above output, eg (usb0). Example:
- grub> cat (usb0)/isolinux/isolinux.cfg
+

+ +

GNU Guix System Distribution?

- Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.
+

+ Guix USB installers use the GRUB bootloader, unlike most GNU/Linux installers which will likely use ISOLINUX. +

+

+ To boot the Guix live USB install, select Search for GRUB configuration (grub.cfg) outside of CBFS from + the GRUB payload menu. After you have done that, a new menuentry will appear at the very bottom with text like + Load Config from (usb0); select that, and it should boot. +

+

+ Once you have installed Guix onto the main storage device, check + grub_cbfs.html#libreboot_grub_config_ondisk for hints on how + to boot it. +

+ +
- If it did that, then you do:
- grub> cat (usb0)/isolinux/foo.cfg
+
+ +

Booting ISOLINUX images

- And so on, until you find the correct menuentries for ISOLINUX. -

+

+ Boot it in GRUB using the Parse ISOLINUX config (USB) option. -

- Now look at the ISOLINUX menuentry. It'll look like:
- - kernel /path/to/kernel
- append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS
-
- - GRUB works the same way, but in it's own way. Example GRUB commands:
- grub> linux (usb0)/path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS
- grub> initrd (usb0)/path/to/initrd
- grub> boot
- - Of course this will vary from distro to distro. If you did all that correctly, it should now be booting the ISO - the way you specified. -

+ A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual + ISOLINUX menu provided by that distro. +

+ +
+ +
+ +

Booting manually

-

Troubleshooting

+

+ If the ISOLINUX parser or Search for GRUB configuration options won't work, then press C to get to the GRUB command line.
+ grub> ls
-

- Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. - This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU/Linux distributions - it can be problematic when they are trying to switch to a framebuffer because it doesn't exist. -

+ Get the device from above output, eg (usb0). Example:
+ grub> cat (usb0)/isolinux/isolinux.cfg
-

- In most cases, you should use the vesafb ROM's. Example filename: libreboot_ukdvorak_vesafb.rom. -

+ Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.
-

parabola won't boot in text-mode

+ If it did that, then you do:
+ grub> cat (usb0)/isolinux/foo.cfg
-

- Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode). + And so on, until you find the correct menuentries for ISOLINUX.

-

debian-installer (trisquel net install) graphical corruption in text-mode

- When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, - booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't - exist. Use that kernel parameter on the 'linux' line when booting it:
- vga=normal fb=false + Now look at the ISOLINUX menuentry. It'll look like:
+ + kernel /path/to/kernel
+ append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS
+
+ + GRUB works the same way, but in it's own way. Example GRUB commands:
+ grub> linux (usb0)/path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS
+ grub> initrd (usb0)/path/to/initrd
+ grub> boot
+ + Of course this will vary from distro to distro. If you did all that correctly, it should now be booting the ISO + the way you specified.

+ +
-

- Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. -

+
+ +

Troubleshooting

- If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. - Or, if you are booting manually (from GRUB terminal) then just add the parameters. + Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. + This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU/Linux distributions + it can be problematic when they are trying to switch to a framebuffer because it doesn't exist.

- This workaround was found on the page: https://www.debian.org/releases/stable/i386/ch05s04.html. - It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method. + In most cases, you should use the vesafb ROM's. Example filename: libreboot_ukdvorak_vesafb.rom.

-
+

parabola won't boot in text-mode

+ +

+ Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode). +

+ +

debian-installer (trisquel net install) graphical corruption in text-mode

+

+ When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, + booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't + exist. Use that kernel parameter on the 'linux' line when booting it:
+ vga=normal fb=false +

+ +

+ Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. +

-

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

+

+ If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. + Or, if you are booting manually (from GRUB terminal) then just add the parameters. +

-

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+

+ This workaround was found on the page: https://www.debian.org/releases/stable/i386/ch05s04.html. + It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method. +

+ +
+ +
+ +

+ Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +

+ +

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +

+ +
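Review bot: In "Prepare the USB drive", the umount and dd examples are each listed twice (a "$ sudo ..." line followed by a "# ..." line) with nothing saying they are alternatives, and both hardcode /dev/sdb. Because dd overwrites whatever of= points at, suggest saying that the two forms are the same command run via sudo or as root, and that /dev/sdb has to be replaced with the device lsblk reported. Minor: "in it's own way" should be "its", and "vesafb ROM's" should be "ROMs".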
diff --git a/docs/gnulinux/grub_cbfs.html b/docs/gnulinux/grub_cbfs.html index c22d71d..73cce0c 100644 --- a/docs/gnulinux/grub_cbfs.html +++ b/docs/gnulinux/grub_cbfs.html @@ -12,444 +12,467 @@ -
+

How to change your default GRUB menu

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual - filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool' - allows you to change the contents of the ROM image. In this case, libreboot is configured - such that the 'grub.cfg' and 'grubtest.cfg' files exists directly inside CBFS instead of - inside the GRUB payload 'memdisk' (which is itself stored in CBFS). -

-

- You can either modify - the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration - file on the main storage which the libreboot GRUB payload will automatically search for. -

- -

- Here is an excellent writeup about CBFS (coreboot filesystem): - http://lennartb.home.xs4all.nl/coreboot/col5.html. -

- -
- -

Table of Contents

- - - -
- -

Getting started

+

+ Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and it's GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

+

+ A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual + filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool' + allows you to change the contents of the ROM image. In this case, libreboot is configured + such that the 'grub.cfg' and 'grubtest.cfg' files exists directly inside CBFS instead of + inside the GRUB payload 'memdisk' (which is itself stored in CBFS). +

+

+ You can either modify + the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration + file on the main storage which the libreboot GRUB payload will automatically search for. +

+

+ Here is an excellent writeup about CBFS (coreboot filesystem): + http://lennartb.home.xs4all.nl/coreboot/col5.html. +

+

+ Back to previous index +

+ -

- Download the latest release from - http://libreboot.org/ -
If you downloaded from git, refer to - ../git/index.html#build_meta before continuing. -

+ -

- Install the build dependencies. -

+
-

- Back to top of page. -

+

Getting started

-
- -

Don't want to flash a new ROM image?

+

+ Download the latest release from + http://libreboot.org/ +
If you downloaded from git, refer to + ../git/index.html#build_meta before continuing. +

-

- There are several advantages to modifying the GRUB configuration stored in CBFS, but - this also means that you have to flash a new libreboot ROM image on your machine (some users - feel intimidated by this, to say the least). - Doing so can be risky if not handled correctly, because it can result in a bricked - machine (recovery is easy if you have the equipment - for it, but most people don't). If you aren't up to that then don't worry; it is possible - to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration - from a partition on the main storage instead. -

+

+ Install the build dependencies. +

-

- By default, GRUB in libreboot is configured to scan all partitions on the main storage - for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot - is on a dedicated partition), and then use it automatically. -

-

- Simply create your custom GRUB configuration and save it to /boot/grub/libreboot_grub.cfg - on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to - this configuration file. This means that you do not have to re-flash, recompile or otherwise - modify libreboot at all! -

+

+ Back to top of page. +

+ +
-

- Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written - specifically under the assumption that it will be read and used on a libreboot system that uses - GRUB as a payload. If your distribution does not do this, then you can try to add that feature - yourself or politely ask someone involved with or otherwise knowledgeable about the distribution - to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could - chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in - a partition on the main storage. -

+
-

- If you want to adapt a copy of the existing libreboot GRUB configuration and use that for the libreboot_grub.cfg file, then - follow #build_cbfstool, #which_rom and - #extract_grubtest to get the grubtest.cfg. - Rename grubtest.cfg to libreboot_grub.cfg and save it to /boot/grub/ - on the running system where it is intended to be used. Modify the file at that location however you see fit, - and then stop reading this guide (the rest of this page is irrelevant to you); in libreboot_grub.cfg on disk, - if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop.. -

- -

- Back to top of page. -

- -
+

Don't want to flash a new ROM image?

-

Build 'cbfstool' from source

- -

- If you are working with libreboot_src, then you can run make command in - libreboot_src/coreboot/util/cbfstool to build the cbfstool and rmodtool - executable. -

-

- Alternatively if you are working with libreboot_bin, you will find binaries under ./cbfstool/ -

+

+ There are several advantages to modifying the GRUB configuration stored in CBFS, but + this also means that you have to flash a new libreboot ROM image on your machine (some users + feel intimidated by this, to say the least). + Doing so can be risky if not handled correctly, because it can result in a bricked + machine (recovery is easy if you have the equipment + for it, but most people don't). If you aren't up to that then don't worry; it is possible + to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration + from a partition on the main storage instead. +

-

- Back to top of page. -

+

+ By default, GRUB in libreboot is configured to scan all partitions on the main storage + for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot + is on a dedicated partition), and then use it automatically. +

+

+ Simply create your custom GRUB configuration and save it to /boot/grub/libreboot_grub.cfg + on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to + this configuration file. This means that you do not have to re-flash, recompile or otherwise + modify libreboot at all! +

-
+

+ Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written + specifically under the assumption that it will be read and used on a libreboot system that uses + GRUB as a payload. If your distribution does not do this, then you can try to add that feature + yourself or politely ask someone involved with or otherwise knowledgeable about the distribution + to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could + chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in + a partition on the main storage. +

+ +

+ If you want to adapt a copy of the existing libreboot GRUB configuration and use that for the libreboot_grub.cfg file, then + follow #build_cbfstool, #which_rom and + #extract_grubtest to get the grubtest.cfg. + Rename grubtest.cfg to libreboot_grub.cfg and save it to /boot/grub/ + on the running system where it is intended to be used. Modify the file at that location however you see fit, + and then stop reading this guide (the rest of this page is irrelevant to you); in libreboot_grub.cfg on disk, + if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop.. +

-

Which ROM image should I use?

+

+ Back to top of page. +

+ +
-

- You can work directly with one of the ROM images already included in the libreboot ROM archives. For the purpose of - this tutorial it is assumed that your ROM image file is named libreboot.rom, so please make sure to adapt. -

+
-

- If you want to re-use the ROM that you currently have flashed (and running) then see - ../git/index.html#build_flashrom - and then run:
- $ sudo ./flashrom -p internal -r libreboot.rom
- Notice that this is using "-r" (read) instead of "-w" (write). - This will create a dump (copy) of your current firmware and name it libreboot.rom. - You need to take ownership of the file. For example:
- $ sudo chown yourusername:yourusername libreboot.rom
- # chown yourusername:yourusername libreboot.rom -

+

Build 'cbfstool' from source

-

- If you currently have flashed a ROM image from an older version, it is recommended to update first: - basically, modify one of the latest ROM images and then flash it. -

+

+ If you are working with libreboot_src, then you can run make command in + libreboot_src/coreboot/util/cbfstool to build the cbfstool and rmodtool + executable. +

+

+ Alternatively if you are working with libreboot_bin, you will find binaries under ./cbfstool/ +

-

- Back to top of page. -

+

+ Back to top of page. +

+ +
-
+
-

Extract grubtest.cfg from the ROM image

+

Which ROM image should I use?

-

- Display contents of ROM:
- $ ./cbfstool libreboot.rom print -

+

+ You can work directly with one of the ROM images already included in the libreboot ROM archives. For the purpose of + this tutorial it is assumed that your ROM image file is named libreboot.rom, so please make sure to adapt. +

-

- The libreboot.rom file contains your grub.cfg and grubtest.cfg files. - You should extract, modify and re-insert the copy first. grub.cfg will load first, - but it has a menu entry for switching to the copy (grubtest.cfg). - This reduces your chance of making a mistake that could make your machine unbootable (or very hard to boot). -

+

+ If you want to re-use the ROM that you currently have flashed (and running) then see + ../git/index.html#build_flashrom + and then run:
+ $ sudo ./flashrom -p internal -r libreboot.rom
+ Notice that this is using "-r" (read) instead of "-w" (write). + This will create a dump (copy) of your current firmware and name it libreboot.rom. + You need to take ownership of the file. For example:
+ $ sudo chown yourusername:yourusername libreboot.rom
+ # chown yourusername:yourusername libreboot.rom +

-

- Extract grubtest.cfg from the ROM image:
- $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg -

+

+ If you currently have flashed a ROM image from an older version, it is recommended to update first: + basically, modify one of the latest ROM images and then flash it. +

-

- Now you have a grubtest.cfg in cbfstool directory. Edit it however you wish. -

+

+ Back to top of page. +

+ +
-

- Back to top of page. -

+
-
+

Extract grubtest.cfg from the ROM image

-
+

+ Display contents of ROM:
+ $ ./cbfstool libreboot.rom print +

-

Example modifications for grubtest.cfg

+

+ The libreboot.rom file contains your grub.cfg and grubtest.cfg files. + You should extract, modify and re-insert the copy first. grub.cfg will load first, + but it has a menu entry for switching to the copy (grubtest.cfg). + This reduces your chance of making a mistake that could make your machine unbootable (or very hard to boot). +

- These are some common examples of ways in which the grubtest.cfg file can be modified. + Extract grubtest.cfg from the ROM image:
+ $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg

-

Trisquel GNU/Linux-libre

+

+ Now you have a grubtest.cfg in cbfstool directory. Edit it however you wish. +

-

- As an example, on my test system in /boot/grub/grub.cfg (on the HDD/SSD) I see for the main menu entry: -

-
    -
  • linux /boot/vmlinuz-3.15.1-gnu.nonpae root=UUID=3a008e14-4871-497b-95e5-fb180f277951 ro crashkernel=384M-2G:64M,2G-:128M quiet splash $vt_handoff
  • -
  • initrd /boot/initrd.img-3.15.1-gnu.nonpae
  • -
+

+ Back to top of page. +

+ +
-

- ro, quiet, splash, crashkernel=384M-2G:64M,2G-:128M and - $vt_handoff can be safely ignored. -

+
-

- I use this to get my partition layout:
- $ lsblk -

+
-

- In my case, I have no /boot partition, instead /boot is on the same partition as / on sda1. - Yours might be different. In GRUB terms, sda means ahci0. 1 means msdos1, or gpt1, depending - on whether I am using MBR or GPT partitioning. Thus, /dev/sda1 is GRUB is (ahci0,msdos1) or - (ahci0,gpt1). In my case, I use MBR partitioning so it's (ahci0,msdos1). - 'msdos' is a GRUB name simply because this partitioning type is traditionally used by MS-DOS. - It doesn't mean that you have a proprietary OS. -

+

Example modifications for grubtest.cfg

- Trisquel doesn't keep the filenames of kernels consistent, instead it keeps old kernels and - new kernel updates are provided with the version in the filename. This can make GRUB payload - a bit tricky. Fortunately, there are symlinks /vmlinuz and /initrd.img - so if your /boot and / are on the same partition, you can set GRUB to boot from that. - These are also updated automatically when installing kernel updates from your distributions - apt-get repositories. - - Note: when using jxself kernel releases, - these are not updated at all and you have to update them manually. - + These are some common examples of ways in which the grubtest.cfg file can be modified.

-

- For the GRUB payload grubtest.cfg (in the 'Load Operating System' menu entry), we therefore have (in this example):
- set root='ahci0,msdos1'
- linux /vmlinuz root=UUID=3a008e14-4871-497b-95e5-fb180f277951
- initrd /initrd.img -

+

Trisquel GNU/Linux-libre

+ +

+ As an example, on my test system in /boot/grub/grub.cfg (on the HDD/SSD) I see for the main menu entry: +

+
    +
  • linux /boot/vmlinuz-3.15.1-gnu.nonpae root=UUID=3a008e14-4871-497b-95e5-fb180f277951 ro crashkernel=384M-2G:64M,2G-:128M quiet splash $vt_handoff
  • +
  • initrd /boot/initrd.img-3.15.1-gnu.nonpae
  • +
+ +

+ ro, quiet, splash, crashkernel=384M-2G:64M,2G-:128M and + $vt_handoff can be safely ignored. +

+ +

+ I use this to get my partition layout:
+ $ lsblk +

+ +

+ In my case, I have no /boot partition, instead /boot is on the same partition as / on sda1. + Yours might be different. In GRUB terms, sda means ahci0. 1 means msdos1, or gpt1, depending + on whether I am using MBR or GPT partitioning. Thus, /dev/sda1 is GRUB is (ahci0,msdos1) or + (ahci0,gpt1). In my case, I use MBR partitioning so it's (ahci0,msdos1). + 'msdos' is a GRUB name simply because this partitioning type is traditionally used by MS-DOS. + It doesn't mean that you have a proprietary OS. +

+ +

+ Trisquel doesn't keep the filenames of kernels consistent, instead it keeps old kernels and + new kernel updates are provided with the version in the filename. This can make GRUB payload + a bit tricky. Fortunately, there are symlinks /vmlinuz and /initrd.img + so if your /boot and / are on the same partition, you can set GRUB to boot from that. + These are also updated automatically when installing kernel updates from your distributions + apt-get repositories. + + Note: when using jxself kernel releases, + these are not updated at all and you have to update them manually. + +

+ +

+ For the GRUB payload grubtest.cfg (in the 'Load Operating System' menu entry), we therefore have (in this example):
+ set root='ahci0,msdos1'
+ linux /vmlinuz root=UUID=3a008e14-4871-497b-95e5-fb180f277951
+ initrd /initrd.img +

+ +

+ Optionally, you can convert the UUID to its real device name, for example /dev/sda1 in this case. + sdX naming isn't very reliable, though, which is why UUID is used for most distributions. +

+ +

+ Alternatively, if your /boot is on a separate partition then you cannot rely on the /vmlinuz and /initrd.img symlinks. + Instead, go into /boot and create your own symlinks (update them manually when you install a new kernel update).
+ $ sudo -s
+ # cd /boot/
+ # rm -rf vmlinuz initrd.img
+ # ln -s kernel ksym
+ # ln -s initrd isym
+ # exit +

+ +

+ Replace the underlined kernel and initrd filenames above with the actual filenames, of course. +

+ +

+ Then your grubtest.cfg menu entry (for payload) becomes like that, for example if / was on sda2 and /boot was on sda1:
+ set root='ahci0,msdos1'
+ linux /ksym root=/dev/sda2
+ initrd /isym +

+ +

+ There are lots of possible variations so please try to adapt. +

+ +

Parabola GNU/Linux-libre

+ +

+ You can basically adapt the above. Note however that Parabola does not keep old kernels still installed, and the file names + are always consistent, so you don't need to boot from symlinks, you can just use the real thing directly. +

+ +
-

- Optionally, you can convert the UUID to its real device name, for example /dev/sda1 in this case. - sdX naming isn't very reliable, though, which is why UUID is used for most distributions. -

+

+ Back to top of page. +

+ +
-

- Alternatively, if your /boot is on a separate partition then you cannot rely on the /vmlinuz and /initrd.img symlinks. - Instead, go into /boot and create your own symlinks (update them manually when you install a new kernel update).
- $ sudo -s
- # cd /boot/
- # rm -rf vmlinuz initrd.img
- # ln -s kernel ksym
- # ln -s initrd isym
- # exit -

+
-

- Replace the underlined kernel and initrd filenames above with the actual filenames, of course. -

+

Re-insert the modified grubtest.cfg into the ROM image

-

- Then your grubtest.cfg menu entry (for payload) becomes like that, for example if / was on sda2 and /boot was on sda1:
- set root='ahci0,msdos1'
- linux /ksym root=/dev/sda2
- initrd /isym -

+

+ Delete the grubtest.cfg that remained inside the ROM:
+ $ ./cbfstool libreboot.rom remove -n grubtest.cfg +

-

- There are lots of possible variations so please try to adapt. -

+

+ Display ROM contents and now you see grubtest.cfg no longer exists there:
+ $ ./cbfstool libreboot.rom print +

-

Parabola GNU/Linux-libre

+

+ Add the modified version that you just made:
+ $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw +

-

- You can basically adapt the above. Note however that Parabola does not keep old kernels still installed, and the file names - are always consistent, so you don't need to boot from symlinks, you can just use the real thing directly. -

+

+ Now display ROM contents again and see that it exists again:
+ $ ./cbfstool libreboot.rom print +

+

+ Back to top of page. +

+
-

- Back to top of page. -

+
-
- -

Re-insert the modified grubtest.cfg into the ROM image

- -

- Delete the grubtest.cfg that remained inside the ROM:
- $ ./cbfstool libreboot.rom remove -n grubtest.cfg -

- -

- Display ROM contents and now you see grubtest.cfg no longer exists there:
- $ ./cbfstool libreboot.rom print -

+

Test it!

-

- Add the modified version that you just made:
- $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw -

- -

- Now display ROM contents again and see that it exists again:
- $ ./cbfstool libreboot.rom print -

- -

- Back to top of page. -

+

+ + Now you have a modified ROM. Refer back to ../install/index.html#flashrom for information + on how to flash it. Once you have done that, shut down and then boot up with your new test configuration. + +

-
+

+ Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. +

-

Test it!

+

+ + If it does not work like you want it to, if you are unsure or sceptical in any way, + then re-do the steps above until you get it right! Do *not* proceed past this point + unless you are 100% sure that your new configuration is safe (or desirable) to use. + +

-

- - Now you have a modified ROM. Refer back to ../install/index.html#flashrom for information - on how to flash it. Once you have done that, shut down and then boot up with your new test configuration. - -

+

+ Back to top of page. +

+ +
-

- Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. -

+
-

- - If it does not work like you want it to, if you are unsure or sceptical in any way, - then re-do the steps above until you get it right! Do *not* proceed past this point - unless you are 100% sure that your new configuration is safe (or desirable) to use. - -

+

Final steps

-

- Back to top of page. -

+

+ Create a copy of grubtest.cfg, called grub.cfg, which is the same except for one difference: + change the menuentry 'Switch to grub.cfg' to 'Switch to grubtest.cfg' and inside it, + change all instances of grub.cfg to grubtest.cfg. This is so that the main config still + links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in + case you ever want to follow this guide again in the future (modifying the already modified config)
+ $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
+

-
+

+ Delete the grub.cfg that remained inside the ROM:
+ $ ./cbfstool libreboot.rom remove -n grub.cfg +

-

Final steps

+

+ Display ROM contents and now you see grub.cfg no longer exists there:
+ $ ./cbfstool libreboot.rom print +

-

- Create a copy of grubtest.cfg, called grub.cfg, which is the same except for one difference: - change the menuentry 'Switch to grub.cfg' to 'Switch to grubtest.cfg' and inside it, - change all instances of grub.cfg to grubtest.cfg. This is so that the main config still - links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in - case you ever want to follow this guide again in the future (modifying the already modified config)
- $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
-

+

+ Add the modified version that you just made:
+ $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw +

-

- Delete the grub.cfg that remained inside the ROM:
- $ ./cbfstool libreboot.rom remove -n grub.cfg -

+

+ Now display ROM contents again and see that it exists again:
+ $ ./cbfstool libreboot.rom print +

-

- Display ROM contents and now you see grub.cfg no longer exists there:
- $ ./cbfstool libreboot.rom print -

+

+ + Now you have a modified ROM. Refer back to ../install/index.html#flashrom for information + on how to flash it. Once you have done that, shut down and then boot up with your new configuration. + +

-

- Add the modified version that you just made:
- $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw -

+

+ Back to top of page. +

+ +
-

- Now display ROM contents again and see that it exists again:
- $ ./cbfstool libreboot.rom print -

+
-

- - Now you have a modified ROM. Refer back to ../install/index.html#flashrom for information - on how to flash it. Once you have done that, shut down and then boot up with your new configuration. - -

+

Troubleshooting

-

- Back to top of page. -

+

+ A user reported that segmentation faults occur with cbfstool + when using this procedure depending on the size of the grub.cfg being re-insterted. + In his case, a minimum size of 857 bytes was required. This could (at the time of + this release) be a bug in cbfstool that should be investigated with the coreboot + community. If cbfstool segfaults, then keep this in mind. 'strace' (or gdb? clang?) + could be used for debugging. This was in libreboot 5th release (based on coreboot + from late 2013), and I'm not sure if the issue persists in the current releases. + I have not been able to reproduce it. strace (from that user) is here: + cbfstool_libreboot5_strace. + The issue has been reported by a few users, so it does not happen all the time: + this bug (if it still exists) could (should) be reproduced. +

-
+

+ Back to top of page. +

+ +
-

Troubleshooting

+

- A user reported that segmentation faults occur with cbfstool - when using this procedure depending on the size of the grub.cfg being re-insterted. - In his case, a minimum size of 857 bytes was required. This could (at the time of - this release) be a bug in cbfstool that should be investigated with the coreboot - community. If cbfstool segfaults, then keep this in mind. 'strace' (or gdb? clang?) - could be used for debugging. This was in libreboot 5th release (based on coreboot - from late 2013), and I'm not sure if the issue persists in the current releases. - I have not been able to reproduce it. strace (from that user) is here: - cbfstool_libreboot5_strace. - The issue has been reported by a few users, so it does not happen all the time: - this bug (if it still exists) could (should) be reproduced. + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt.

- Back to top of page. + This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.

- -
- -

- Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+ +
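Review bot: In the separate-/boot example under "Trisquel GNU/Linux-libre", "# rm -rf vmlinuz initrd.img" removes names that the following commands never recreate, while "# ln -s kernel ksym" and "# ln -s initrd isym" will fail once ksym and isym already exist, which is exactly the case the text describes (updating the links manually after a kernel update). Suggest dropping the rm line and using "ln -sf" for ksym and isym; "-r" is not needed for symlinks and is easy to mistype in a root shell in /boot. The placeholders also depend on underlining ("Replace the underlined kernel and initrd filenames"), so mark them in the text itself. Since these paragraphs are being re-indented anyway, the section saying GRUB scans all partitions for /boot/grub/libreboot_grub.cfg and uses it automatically could also state that whoever can write that path controls the boot menu, and the carried-over typos ("it's GRUB payload", "files exists", "re-insterted") could be fixed in the same pass.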
diff --git a/docs/gnulinux/index.html b/docs/gnulinux/index.html index c384575..e58639d 100644 --- a/docs/gnulinux/index.html +++ b/docs/gnulinux/index.html @@ -13,39 +13,45 @@ -

GNU/Linux distributions

+
+ +

GNU/Linux distributions

+

+ This section relates to dealing with GNU/Linux distributions: preparing bootable USB drives, + changing the default GRUB menu and so on. +

+

+ Back to previous index. +

+ + +
+ +
+

- This section relates to dealing with GNU/Linux distributions: preparing bootable USB drives, - changing the default GRUB menu and so on. + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt.

+

- Or Back to main index. + This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.

- - -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+ +
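Review bot: This hunk of index.html mixes content changes into a commit whose subject is theming and readability: "Or Back to main index." becomes "Back to previous index." and the copyright line goes from "2014" to "2014, 2015" alongside the re-indentation. Suggest splitting the wording and year changes into their own commit, or naming them in the commit message, so they are not lost among the markup changes. The license footer is also repeated verbatim in every file this patch touches, which is worth factoring out now that a shared theme is being introduced.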
-- cgit v0.9.1