From 52caa0b75ffb62511e4f73317243258bfa24d701 Mon Sep 17 00:00:00 2001
From: Francis Rowe
+ For this guide I used the 2013 09 01 image to boot the live installer and install the system. +
+ +Parabola is much more flexible than Trisquel, but also more involved to setup. Use Parabola. It's 10 million times better than Trisquel.
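Review bot: The added sentence "Use Parabola. It's 10 million times better than Trisquel." is an unsupported comparison for an install guide. Suggest dropping it, since the sentence before it already states the trade-off (more flexible, more involved). Also, "setup" used as a verb should be "set up", and the image date "2013 09 01" would read more clearly as 2013-09-01.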
@@ -45,17 +49,42 @@+ If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously + contained plaintext copies of your data. +
+ +
Wipe the MBR (if you use MBR):
# lsblk
Your HDD is probably /dev/sda:
- # dd if=/dev/zero of=/dev/sda bs=446 count=1
+ # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute.
This guide is for libreboot with GRUB-as-payload only.
Securely wipe the drive:
- # dd if=/dev/urandom of=/dev/sda
+ # dd if=/dev/urandom of=/dev/sda; sync
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
+ use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
+ erase block size is. For example if it was 2MiB:
+ # dd if=/dev/urandom of=/dev/sda bs=2M; sync
+
+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
+ it is already 'wiped'. You should just wipe the LUKS header.
+ https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/
+ showed me how to do this. It recommends to do the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
+ # head -c 3145728 /dev/urandom > /dev/sda; sync
+ (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
+
+
+ If you do plan to use an SSD, make sure to read
+ https://wiki.archlinux.org/index.php/Solid_State_Drives
+ Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting
+ them for this guide.
+
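Review bot: The LUKS header step "# head -c 3145728 /dev/urandom > /dev/sda; sync" takes its 3MiB figure from the linked article without saying what that range is meant to cover. State that it is that article's recommended size for the header area, so a reader with a different layout knows to check it. The SSD note says "only do this the first time" but gives no reason; tie it explicitly to the warning at the top of this hunk about drives that previously held plaintext, and say whether the header-wipe advice applies to SSDs as well. Typo: "I'm doing to use urandom" should be "going to use".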
@@ -197,30 +226,43 @@ Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. You can test to see if internet is already working by pinging a few domains.
+
- The following is based on 'Verification of package signatures' in the Parabola install guide. Check there first to see if steps differ by now.
- Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
- # pacman -Sy parabola-keyring
- It says that you you get GPG errors, it's probably an expired key so do:
- # pacman-key --populate parabola
- # pacman-key --refresh-keys
- # pacman -Sy parabola-keyring
- To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
- Also, it says that if the clock is set incorrectly then you have to manually set the correct time (if keys are listed as expired because of it):
- # date MMDDhhmm[[CC]YY][.ss]
+ I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
+ # pacman -Syy
+ # pacman -Syu
+ # pacman -Sy pacman (and then I did the other 2 steps above, again)
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
+
+ <troubleshooting>
+ The following is based on 'Verification of package signatures' in the Parabola install guide.
+ Check there first to see if steps differ by now.
+ Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
+ # pacman -Sy parabola-keyring
+ It says that you you get GPG errors, it's probably an expired key so do:
+ # pacman-key --populate parabola
+ # pacman-key --refresh-keys
+ # pacman -Sy parabola-keyring
+ To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
+ Also, it says that if the clock is set incorrectly then you have to manually set the correct time
+ (if keys are listed as expired because of it):
+ # date MMDDhhmm[[CC]YY][.ss]
+ I also had to install:
+ # pacman -S archlinux-keyring
+ # pacman-key --populate archlinux
+ In my case I saw some conflicting files reported in pacman, stopping me from using it.
+ I deleted the files that it mentioned
+ and then it worked. Specifically, I had this error:
+ licenses: /usr/share/licenses/common/MPS exists in filesystem
+ I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
+ # pacman -Sf licenses
+ </troubleshooting>
+
+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
+ # pacstrap /mnt base base-devel wpa_supplicant dialog
- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
- # pacman -Syu
- I also had to upgrade pacman and then do the above again:
- # pacman -Sy pacman
-
- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- # pacstrap /mnt base base-devel wpa_supplicant dialog
-
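Review bot: Ordering problem in the added mirrorlist paragraph: "# pacman -Syy" and "# pacman -Syu" now come before the keyring steps, yet the following added line says the troubleshooting steps had to be done first and this paragraph repeated. Since the keyring "is used for signing and verifying packages", either put the parabola-keyring and pacman-key steps ahead of the upgrade, or say up front to jump there on the first GPG error. Move "(and then I did the other 2 steps above, again)" off the "# pacman -Sy pacman" line, where it can be pasted as arguments. Smaller points: "<troubleshooting>" is not an HTML element, "It says that you you get GPG errors" was carried over with the doubled word, and the file-conflict advice offers "# pacman -Sf licenses" only on "I'm told"; recommend only the fix that was actually tested.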
@@ -345,7 +387,7 @@
Or just delete it. Above it, put:
auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
To unlock a user manually (if a password attempt is failed 3 times), do:
- # pam_tally --user --reset
+ # pam_tally --user theusername --reset
What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts.
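Review bot: In "# pam_tally --user theusername --reset", "theusername" reads as a literal argument. Mark it as a placeholder, for example with a short sentence after the command telling the reader to substitute the name of the locked account, so the line is not copied verbatim.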
@@ -418,6 +460,10 @@
+ Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. +
+ +Above the 'Load Operating System' menu entry you should also add a GRUB password, like so:
set superusers="root" @@ -469,6 +515,12 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97 # pacman -S dmidecode ++ When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; + GRUB is already part of libreboot, flashed alongside it as a payload):
+
+ # pacman -R grub +
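Review bot: "When done, deleted GRUB" should be the imperative "delete GRUB" to match the other steps. It would also help to say what "done" means here: that the password_pbkdf2 line produced with grub-mkpasswd-pbkdf2 is already in the configuration before "# pacman -R grub" is run, since the utility is gone afterwards.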
@@ -487,6 +539,16 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97
+Follow-up tutorial: configuring Parabola
++ configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic + system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. + Parabola is user-centric, which means that you are in control. For more information, read The Arch Way + (Parabola also follows it). +
+ +
+Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. -- cgit v0.9.1