summaryrefslogtreecommitdiffstats
path: root/docs/gnulinux/encrypted_parabola.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/gnulinux/encrypted_parabola.html')
-rw-r--r--docs/gnulinux/encrypted_parabola.html727
1 files changed, 393 insertions, 334 deletions
diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html
index a48e489..85cb6ce 100644
--- a/docs/gnulinux/encrypted_parabola.html
+++ b/docs/gnulinux/encrypted_parabola.html
@@ -12,262 +12,293 @@
</head>
<body>
- <header>
+ <div class="section">
<h1>Installing Parabola GNU/Linux with full disk encryption (including /boot)</h1>
- <aside>Or <a href="index.html">back to main index</a></aside>
- </header>
-
- <p>
- Libreboot uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and it's GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
- </p>
-
- <p>
- On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
- This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
- can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
- payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
- access to the machine.
- </p>
-
- <p>
- Boot Parabola's install environment. <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>.
- </p>
-
- <p>
- For this guide I used the 2013 09 01 image to boot the live installer and install the system.
- </p>
-
- <p>
- Parabola is much more flexible than Trisquel, but also more involved to set up.
- </p>
-
- <p>
- Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it.
- See <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29">this page</a>
- for more info.
- </p>
-
- <p>
- <b>If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously
- contained plaintext copies of your data.</b>
- </p>
-
- <p>
- Wipe the MBR (if you use MBR):<br/>
- # <b>lsblk</b><br/>
- Your HDD is probably /dev/sda:
- # <b>dd if=/dev/zero of=/dev/sda bs=446 count=1; sync</b><br/>
- Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute.
- This guide is for libreboot with GRUB-as-payload only.
- </p>
-
- <p>
- Securely wipe the drive:<br/>
- # <b>dd if=/dev/urandom of=/dev/sda; sync</b><br/>
- NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
- use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
- erase block size is. For example if it was 2MiB:<br/>
- # <b>dd if=/dev/urandom of=/dev/sda bs=2M; sync</b>
- </p>
- <p>
- If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
- it is already 'wiped'. You should just wipe the LUKS header.
- <a href="https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/">https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/</a>
- showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:<br/>
- # <b>head -c 3145728 /dev/urandom &gt; /dev/sda; sync</b><br/>
- (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
- </p>
- <p>
- <b>
- If you do plan to use an SSD, make sure to read
- <a href="https://wiki.archlinux.org/index.php/Solid_State_Drives">https://wiki.archlinux.org/index.php/Solid_State_Drives</a><br/>
- Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting
- them for this guide.
- </b>
- </p>
-
- <p>
- This guide will go through the installation steps taken at the time of writing, which may or may not change due to
- the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes,
- please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to
- the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15).
- </p>
-
- <h2>
- Change keyboard layout
- </h2>
- <p>
- Parabola live shell assumes US Qwerty. If you have something different, use:<br/>
- # <b>loadkeys LAYOUT</b><br/>
- For me, LAYOUT would have been dvorak-uk.
- </p>
+ <p>
+ Libreboot uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and it's GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+ </p>
- <h2>Getting started</h2>
- <p>
- The beginning is based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>.
- Then I referred to <a href="https://wiki.archlinux.org/index.php/Partitioning">https://wiki.archlinux.org/index.php/Partitioning</a> at first.
- </p>
+ <p>
+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
+ This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
+ can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
+ payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
+ access to the machine.
+ </p>
+ <p>
+ <a href="index.html">Back to previous index</a>
+ </p>
+ </div>
- <h2>dm-mod</h2>
+ <div class="section">
+
<p>
- device-mapper will be used - a lot. Make sure that the kernel module is loaded:<br/>
- # <b>modprobe dm-mod</b>
+ Boot Parabola's install environment. <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>.
</p>
- <h2>Create LUKS partition</h2>
- <p>
- I am using MBR partitioning, so I use cfdisk:<br/>
- # <b>cfdisk /dev/sda</b>
- </p>
- <p>
- I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83).
- </p>
<p>
- Now I refer to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning">https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning</a>:<br/>
- I am then directed to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption</a>.
+ For this guide I used the 2013 09 01 image to boot the live installer and install the system.
</p>
+
<p>
- Parabola forces you to RTFM.
- </p>
- <p>
- It tells me to run:<br/>
- # <b>cryptsetup benchmark</b> (for making sure the list below is populated)<br/>
- Then:<br/>
- # <b>cat /proc/crypto</b><br/>
- This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second).
- To gain a better understanding, I am also reading:<br/>
- # <b>man cryptsetup</b>
- </p>
- <p>
- Following that page, based on my requirements, I do the following based on <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</a>.
- Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option.
- </p>
- <p>
- I am initializing LUKS with the following:<br/>
- # <b>cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1</b>
- -- choose a <b>secure</b> passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password
- length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more.
- It might take you a while to memorize a long passphrase before beginning this step.
+ This guide will go through the installation steps taken at the time of writing, which may or may not change due to
+ the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes,
+ please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to
+ the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15).
</p>
+
+ </div>
- <h2>Create LVM</h2>
- <p>
- Now I refer to <a href="https://wiki.archlinux.org/index.php/LVM">https://wiki.archlinux.org/index.php/LVM</a>.
- </p>
+ <div class="section">
+
<p>
- Open the LUKS partition:<br/>
- # <b>cryptsetup open --type luks /dev/sda1 lvm</b><br/>
- (it will be available at /dev/mapper/lvm)<br/>
- I'm told that the above is old syntax, which is what I did anyway. You could also try:<br/>
- # <b>cryptsetup luksOpen /dev/sda1 lvm</b>
- </p>
- <p>
- Create LVM partition:<br/>
- # <b>pvcreate /dev/mapper/lvm</b><br/>
- Show that you just created it:<br/>
- # <b>pvdisplay</b>
- </p>
- <p>
- Now I create the volume group, inside of which the logical volumes will be created:<br/>
- # <b>vgcreate matrix /dev/mapper/lvm</b> (volume group name is 'matrix')<br/>
- Show that you created it:<br/>
- # <b>vgdisplay</b>
- </p>
- <p>
- Now create the logical volumes:<br/>
- # <b>lvcreate -L 2G matrix -n swapvol</b> (2G swap partition, named <u>swapvol</u>)<br/>
- # <b>lvcreate -l +100%FREE matrix -n rootvol</b> (single large partition in the rest of the space, named <u>rootvol</u>)<br/>
- You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example,
- if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system).
- For a home/laptop system (typical use case), a root and a swap will do (really).
- </p>
- <p>
- Verify that the logical volumes were created, using the following command:<br/>
- # <b>lvdisplay</b>
+ Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it.
+ See <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29">this page</a>
+ for more info.
</p>
- <h2>Create / and swap partitions</h2>
<p>
- For the swapvol LV I use:<br/>
- # <b>mkswap /dev/mapper/matrix-swapvol</b>
- </p>
- <p>
- For the rootvol LV I use:<br/>
- # <b>mkfs.ext4 /dev/mapper/matrix-rootvol</b>
+ <b>If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously
+ contained plaintext copies of your data.</b>
</p>
- <h2>Continue with Parabola installation</h2>
- <p>
- Mount the root (/) partition:<br/>
- # <b>mount /dev/matrix/rootvol /mnt</b><br/>
- </p>
- <p>
- This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola
- so that the guide can continue.
- </p>
<p>
- Now I am following the rest of <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>.
- I also cross referenced <a href="https://wiki.archlinux.org/index.php/Installation_guide">https://wiki.archlinux.org/index.php/Installation_guide</a>.
- </p>
- <p>
- Create /home and /boot on rootvol mountpoint:<br/>
- # <b>mkdir /mnt/home</b><br/>
- # <b>mkdir /mnt/boot</b>
- </p>
- <p>
- The wiki says to enable the swap so that it can be detected by 'genfstab':<br/>
- # <b>swapon /dev/matrix/swapvol</b>
- </p>
- <p>
- DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide.
- I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet.
- Otherwise, refer to <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>.
- You can test to see if internet is already working by pinging a few domains.
+ Wipe the MBR (if you use MBR):<br/>
+ # <b>lsblk</b><br/>
+ Your HDD is probably /dev/sda:
+ # <b>dd if=/dev/zero of=/dev/sda bs=446 count=1; sync</b><br/>
+ Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute.
+ This guide is for libreboot with GRUB-as-payload only.
</p>
<p>
- I commented out all lines except the Server line for the UK Parabola server (main server) in <b>/etc/pacman.d/mirrorlist</b> and then did:<br/>
- # <b>pacman -Syy</b><br/>
- # <b>pacman -Syu</b><br/>
- # <b>pacman -Sy pacman</b> (and then I did the other 2 steps above, again)<br/>
- In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
+ Securely wipe the drive:<br/>
+ # <b>dd if=/dev/urandom of=/dev/sda; sync</b><br/>
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
+ use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
+ erase block size is. For example if it was 2MiB:<br/>
+ # <b>dd if=/dev/urandom of=/dev/sda bs=2M; sync</b>
</p>
<p>
- &lt;troubleshooting&gt;<br/>
- &nbsp;&nbsp;&nbsp;The following is based on 'Verification of package signatures' in the Parabola install guide.<br/>
- &nbsp;&nbsp;&nbsp;Check there first to see if steps differ by now.<br/>
- &nbsp;&nbsp;&nbsp;Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman -Sy parabola-keyring</b><br/>
- &nbsp;&nbsp;&nbsp;It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:<br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman-key --populate parabola</b><br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman-key --refresh-keys</b><br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman -Sy parabola-keyring</b><br/>
- &nbsp;&nbsp;&nbsp;To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/>
- &nbsp;&nbsp;&nbsp;Also, it says that if the clock is set incorrectly then you have to manually set the correct time <br/>
- &nbsp;&nbsp;&nbsp;(if keys are listed as expired because of it):<br/>
- &nbsp;&nbsp;&nbsp;# <b>date MMDDhhmm[[CC]YY][.ss]</b><br/>
- &nbsp;&nbsp;&nbsp;I also had to install:<br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman -S archlinux-keyring</b><br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman-key --populate archlinux</b><br/>
- &nbsp;&nbsp;&nbsp;In my case I saw some conflicting files reported in pacman, stopping me from using it.<br/>
- &nbsp;&nbsp;&nbsp;I deleted the files that it mentioned
- and then it worked. Specifically, I had this error:<br/>
- &nbsp;&nbsp;&nbsp;<i>licenses: /usr/share/licenses/common/MPS exists in filesystem</i><br/>
- &nbsp;&nbsp;&nbsp;I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:<br/>
- &nbsp;&nbsp;&nbsp;# <b>pacman -Sf licenses</b><br/>
- &lt;/troubleshooting&gt;<br/>
+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
+ it is already 'wiped'. You should just wipe the LUKS header.
+ <a href="https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/">https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/</a>
+ showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:<br/>
+ # <b>head -c 3145728 /dev/urandom &gt; /dev/sda; sync</b><br/>
+ (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
</p>
<p>
- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:<br/>
- # <b>pacstrap /mnt base base-devel wpa_supplicant dialog</b>
+ <b>
+ If you do plan to use an SSD, make sure to read
+ <a href="https://wiki.archlinux.org/index.php/Solid_State_Drives">https://wiki.archlinux.org/index.php/Solid_State_Drives</a><br/>
+ Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting
+ them for this guide.
+ </b>
</p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>
+ Change keyboard layout
+ </h2>
+ <p>
+ Parabola live shell assumes US Qwerty. If you have something different, use:<br/>
+ # <b>loadkeys LAYOUT</b><br/>
+ For me, LAYOUT would have been dvorak-uk.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Getting started</h2>
+ <p>
+ The beginning is based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>.
+ Then I referred to <a href="https://wiki.archlinux.org/index.php/Partitioning">https://wiki.archlinux.org/index.php/Partitioning</a> at first.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>dm-mod</h2>
+ <p>
+ device-mapper will be used - a lot. Make sure that the kernel module is loaded:<br/>
+ # <b>modprobe dm-mod</b>
+ </p>
+
+ <h2>Create LUKS partition</h2>
+ <p>
+ I am using MBR partitioning, so I use cfdisk:<br/>
+ # <b>cfdisk /dev/sda</b>
+ </p>
+ <p>
+ I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83).
+ </p>
+ <p>
+ Now I refer to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning">https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning</a>:<br/>
+ I am then directed to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption</a>.
+ </p>
+ <p>
+ Parabola forces you to RTFM.
+ </p>
+ <p>
+ It tells me to run:<br/>
+ # <b>cryptsetup benchmark</b> (for making sure the list below is populated)<br/>
+ Then:<br/>
+ # <b>cat /proc/crypto</b><br/>
+ This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second).
+ To gain a better understanding, I am also reading:<br/>
+ # <b>man cryptsetup</b>
+ </p>
+ <p>
+ Following that page, based on my requirements, I do the following based on <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</a>.
+ Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option.
+ </p>
+ <p>
+ I am initializing LUKS with the following:<br/>
+ # <b>cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1</b>
+ -- choose a <b>secure</b> passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password
+ length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more.
+ It might take you a while to memorize a long passphrase before beginning this step.
+ </p>
+
+ </div>
- <h3>Configure the system</h3>
+ <div class="section">
+
+ <h2>Create LVM</h2>
+ <p>
+ Now I refer to <a href="https://wiki.archlinux.org/index.php/LVM">https://wiki.archlinux.org/index.php/LVM</a>.
+ </p>
+ <p>
+ Open the LUKS partition:<br/>
+ # <b>cryptsetup open --type luks /dev/sda1 lvm</b><br/>
+ (it will be available at /dev/mapper/lvm)<br/>
+ I'm told that the above is old syntax, which is what I did anyway. You could also try:<br/>
+ # <b>cryptsetup luksOpen /dev/sda1 lvm</b>
+ </p>
+ <p>
+ Create LVM partition:<br/>
+ # <b>pvcreate /dev/mapper/lvm</b><br/>
+ Show that you just created it:<br/>
+ # <b>pvdisplay</b>
+ </p>
+ <p>
+ Now I create the volume group, inside of which the logical volumes will be created:<br/>
+ # <b>vgcreate matrix /dev/mapper/lvm</b> (volume group name is 'matrix')<br/>
+ Show that you created it:<br/>
+ # <b>vgdisplay</b>
+ </p>
+ <p>
+ Now create the logical volumes:<br/>
+ # <b>lvcreate -L 2G matrix -n swapvol</b> (2G swap partition, named <u>swapvol</u>)<br/>
+ # <b>lvcreate -l +100%FREE matrix -n rootvol</b> (single large partition in the rest of the space, named <u>rootvol</u>)<br/>
+ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example,
+ if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system).
+ For a home/laptop system (typical use case), a root and a swap will do (really).
+ </p>
+ <p>
+ Verify that the logical volumes were created, using the following command:<br/>
+ # <b>lvdisplay</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Create / and swap partitions</h2>
+ <p>
+ For the swapvol LV I use:<br/>
+ # <b>mkswap /dev/mapper/matrix-swapvol</b>
+ </p>
+ <p>
+ For the rootvol LV I use:<br/>
+ # <b>mkfs.ext4 /dev/mapper/matrix-rootvol</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Continue with Parabola installation</h2>
+ <p>
+ Mount the root (/) partition:<br/>
+ # <b>mount /dev/matrix/rootvol /mnt</b><br/>
+ </p>
+ <p>
+ This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola
+ so that the guide can continue.
+ </p>
+ <p>
+ Now I am following the rest of <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>.
+ I also cross referenced <a href="https://wiki.archlinux.org/index.php/Installation_guide">https://wiki.archlinux.org/index.php/Installation_guide</a>.
+ </p>
+ <p>
+ Create /home and /boot on rootvol mountpoint:<br/>
+ # <b>mkdir /mnt/home</b><br/>
+ # <b>mkdir /mnt/boot</b>
+ </p>
+ <p>
+ The wiki says to enable the swap so that it can be detected by 'genfstab':<br/>
+ # <b>swapon /dev/matrix/swapvol</b>
+ </p>
+ <p>
+ DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide.
+ I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet.
+ Otherwise, refer to <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>.
+ You can test to see if internet is already working by pinging a few domains.
+ </p>
+
+ <p>
+ I commented out all lines except the Server line for the UK Parabola server (main server) in <b>/etc/pacman.d/mirrorlist</b> and then did:<br/>
+ # <b>pacman -Syy</b><br/>
+ # <b>pacman -Syu</b><br/>
+ # <b>pacman -Sy pacman</b> (and then I did the other 2 steps above, again)<br/>
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
+ </p>
+ <p>
+ &lt;troubleshooting&gt;<br/>
+ &nbsp;&nbsp;&nbsp;The following is based on 'Verification of package signatures' in the Parabola install guide.<br/>
+ &nbsp;&nbsp;&nbsp;Check there first to see if steps differ by now.<br/>
+ &nbsp;&nbsp;&nbsp;Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -Sy parabola-keyring</b><br/>
+ &nbsp;&nbsp;&nbsp;It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman-key --populate parabola</b><br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman-key --refresh-keys</b><br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -Sy parabola-keyring</b><br/>
+ &nbsp;&nbsp;&nbsp;To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/>
+ &nbsp;&nbsp;&nbsp;Also, it says that if the clock is set incorrectly then you have to manually set the correct time <br/>
+ &nbsp;&nbsp;&nbsp;(if keys are listed as expired because of it):<br/>
+ &nbsp;&nbsp;&nbsp;# <b>date MMDDhhmm[[CC]YY][.ss]</b><br/>
+ &nbsp;&nbsp;&nbsp;I also had to install:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -S archlinux-keyring</b><br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman-key --populate archlinux</b><br/>
+ &nbsp;&nbsp;&nbsp;In my case I saw some conflicting files reported in pacman, stopping me from using it.<br/>
+ &nbsp;&nbsp;&nbsp;I deleted the files that it mentioned
+ and then it worked. Specifically, I had this error:<br/>
+ &nbsp;&nbsp;&nbsp;<i>licenses: /usr/share/licenses/common/MPS exists in filesystem</i><br/>
+ &nbsp;&nbsp;&nbsp;I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -Sf licenses</b><br/>
+ &lt;/troubleshooting&gt;<br/>
+ </p>
+ <p>
+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:<br/>
+ # <b>pacstrap /mnt base base-devel wpa_supplicant dialog</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Configure the system</h2>
<p>
From the Parabola installation guide (Arch's one was identical):<br/>
# <b>genfstab -p /mnt &gt;&gt; /mnt/etc/fstab</b>
@@ -359,8 +390,12 @@
# <b>mkinitcpio -p linux-libre-grsec</b>
</li>
</ul>
+
+ </div>
- <h3>Set a root password</h3>
+ <div class="section">
+
+ <h2>Set a root password</h2>
<p>
At the time of writing, Parabola used SHA512 by default for it's password hashing.
</p>
@@ -374,8 +409,12 @@
# <b>passwd root</b><br/>
Make sure to set a secure password! Also, it must never be the same as your LUKS password.
</p>
+
+ </div>
+
+ <div class="section">
- <h3>Extra security tweaks</h3>
+ <h2>Extra security tweaks</h2>
<p>
Based on <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.
</p>
@@ -397,8 +436,12 @@
Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date.
If this is a single-user system, you don't really need sudo.
</p>
+
+ </div>
+
+ <div class="section">
- <h3>Unmount, reboot!</h3>
+ <h2>Unmount, reboot!</h2>
<p>
Exit from chroot:<br/>
# <b>exit</b>
@@ -421,8 +464,12 @@
# <b>shutdown -h now</b><br/>
Then boot up again.
</p>
+
+ </div>
- <h3>Booting from GRUB</h3>
+ <div class="section">
+
+ <h2>Booting from GRUB</h2>
<p>
Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional
(using those 2 underlines will boot lts kernel instead of normal).
@@ -437,132 +484,144 @@
<p>
You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
</p>
+
+ </div>
-<hr/>
+ <div class="section">
+
+ <h2>Modify grub.cfg inside the ROM</h2>
- <h2>Modify grub.cfg inside the ROM</h2>
+ <p>
+ Now you need to modify the ROM, so that Parabola can boot automatically with this configuration.
+ <a href="grub_cbfs.html">grub_cbfs.html</a> shows you how. Follow that guide, using the configuration details below.
+ </p>
+ <p>
+ Inside the 'Load Operating System' menu entry, change the contents to:<br/>
+ <b><i>
+ cryptomount -a (ahci0,msdos1)<br/>
+ set root='lvm/matrix-rootvol'<br/>
+ linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root<br/>
+ initrd /boot/initramfs-linux-libre<u>-lts</u>.img
+ </i></b>
+ </p>
- <p>
- Now you need to modify the ROM, so that Parabola can boot automatically with this configuration.
- <a href="grub_cbfs.html">grub_cbfs.html</a> shows you how. Follow that guide, using the configuration details below.
- </p>
- <p>
- Inside the 'Load Operating System' menu entry, change the contents to:<br/>
- <b><i>
- cryptomount -a (ahci0,msdos1)<br/>
- set root='lvm/matrix-rootvol'<br/>
- linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root<br/>
- initrd /boot/initramfs-linux-libre<u>-lts</u>.img
- </i></b>
- </p>
+ <p>
+ Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels.
+ You could also copy the menu entry and in one have -lts, and without in the other menuentry.
+ You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
+ </p>
- <p>
- Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels.
- You could also copy the menu entry and in one have -lts, and without in the other menuentry.
- You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
- </p>
+ <p>
+ Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default.
+ </p>
- <p>
- Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default.
- </p>
+ <p>
+ Above the 'Load Operating System' menu entry you should also add a GRUB password, like so:
+ </p>
+ <pre><b><i>set superusers=&quot;root&quot;
+ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+ </i></b></pre>
- <p>
- Above the 'Load Operating System' menu entry you should also add a GRUB password, like so:
- </p>
-<pre><b><i>set superusers=&quot;root&quot;
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-</i></b></pre>
+ <p>
+ Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root.
+ Change root on both of those 2 lines to whatever you want.
+ </p>
- <p>
- Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root.
- Change root on both of those 2 lines to whatever you want.
- </p>
+ <p>
+ Start dhcp on ethernet:<br/>
+ # <b>systemctl start dhcpcd.service</b>
+ This is just for the step below. I won't cover network configuration here. That is for another Parabola article.
+ </p>
- <p>
- Start dhcp on ethernet:<br/>
- # <b>systemctl start dhcpcd.service</b>
- This is just for the step below. I won't cover network configuration here. That is for another Parabola article.
- </p>
+ <p>
+ The password hash (it's <b>password</b>, by the way) after <i>'password_pbkdf2 root'</i> <i>should be changed</i> and is created by the <b>grub-mkpasswd-pbkdf2</b> utility, which you need to install or otherwise compile,
+ like so:<br/>
+ # <b>pacman -S grub</b>
+ </p>
+
+ <p>
+ GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash
+ by entering your chosen password at the prompt, when running this command:<br/>
+ # <b>grub-mkpasswd-pbkdf2</b>
+ </p>
- <p>
- The password hash (it's <b>password</b>, by the way) after <i>'password_pbkdf2 root'</i> <i>should be changed</i> and is created by the <b>grub-mkpasswd-pbkdf2</b> utility, which you need to install or otherwise compile,
- like so:<br/>
- # <b>pacman -S grub</b>
- </p>
-
- <p>
- GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash
- by entering your chosen password at the prompt, when running this command:<br/>
- # <b>grub-mkpasswd-pbkdf2</b>
- </p>
+ <p>
+ It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password.
+ Use it to replace the default hash mentioned above.
+ </p>
- <p>
- It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password.
- Use it to replace the default hash mentioned above.
- </p>
+ <p>
+ With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal.
+ This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware.
+ </p>
- <p>
- With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal.
- This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware.
- </p>
+ <p>
+ You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:<br/>
+ # <b>pacman -S base-devel</b>
+ </p>
- <p>
- You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:<br/>
- # <b>pacman -S base-devel</b>
- </p>
+ <p>
+ For flashing the modified ROM, I just used flashrom from the Parabola repo's:<br/>
+ # <b>pacman -S flashrom</b><br/>
+ I also installed dmidecode:<br/>
+ # <b>pacman -S dmidecode</b>
+ </p>
- <p>
- For flashing the modified ROM, I just used flashrom from the Parabola repo's:<br/>
- # <b>pacman -S flashrom</b><br/>
- I also installed dmidecode:<br/>
- # <b>pacman -S dmidecode</b>
- </p>
+ <p>
+ When done, deleted GRUB (remember, we only needed it for the <i>grub-mkpasswd-pbkdf2</i> utility;
+ GRUB is already part of libreboot, flashed alongside it as a <i>payload</i>):<br/>
+ # <b>pacman -R grub</b>
+ </p>
+
+ </div>
+
+ <div class="section">
<p>
- When done, deleted GRUB (remember, we only needed it for the <i>grub-mkpasswd-pbkdf2</i> utility;
- GRUB is already part of libreboot, flashed alongside it as a <i>payload</i>):<br/>
- # <b>pacman -R grub</b>
+ If you followed all that correctly, you should now have a fully encrypted Parabola installation.
+ This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest
+ (desktop, etc).
</p>
+
+ </div>
-<hr/>
+ <div class="section">
- <p>
- If you followed all that correctly, you should now have a fully encrypted Parabola installation.
- This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest
- (desktop, etc).
- </p>
+ <h2>Further security tips</h2>
+ <p>
+ <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.<br/>
+ <a href="https://wiki.parabolagnulinux.org/User:GNUtoo/laptop">https://wiki.parabolagnulinux.org/User:GNUtoo/laptop</a>
+ </p>
+
+ </div>
-<hr/>
+ <div class="section">
- <h2>Further security tips</h2>
- <p>
- <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.<br/>
- <a href="https://wiki.parabolagnulinux.org/User:GNUtoo/laptop">https://wiki.parabolagnulinux.org/User:GNUtoo/laptop</a>
- </p>
+ <h2>Follow-up tutorial: configuring Parabola</h2>
+ <p>
+ <a href="configuring_parabola.html">configuring_parabola.html</a> shows my own notes post-installation. Using these, you can get a basic
+ system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system.
+ Parabola is user-centric, which means that you are in control. For more information, read <a href="https://wiki.archlinux.org/index.php/The_Arch_Way">The Arch Way</a>
+ (Parabola also follows it).
+ </p>
+
+ </div>
-<hr/>
+ <div class="section">
- <h2>Follow-up tutorial: configuring Parabola</h2>
<p>
- <a href="configuring_parabola.html">configuring_parabola.html</a> shows my own notes post-installation. Using these, you can get a basic
- system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system.
- Parabola is user-centric, which means that you are in control. For more information, read <a href="https://wiki.archlinux.org/index.php/The_Arch_Way">The Arch Way</a>
- (Parabola also follows it).
+ Copyright &copy; 2014, 2015 Francis Rowe &lt;info@gluglug.org.uk&gt;<br/>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
+ A copy of the license can be found at <a href="../license.txt">../license.txt</a>.
</p>
-<hr/>
-
- <p>
- Copyright &copy; 2014 Francis Rowe &lt;info@gluglug.org.uk&gt;<br/>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at <a href="../license.txt">../license.txt</a>.
- </p>
-
- <p>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information.
- </p>
+ <p>
+ This document is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information.
+ </p>
+
+ </div>
</body>
</html>