author Scott Bonds <scott@ggr.com> 2016-10-03 16:57:28 -0700
committer Scott Bonds <scott@ggr.com> 2016-10-03 16:57:28 -0700
commit 739b2d948b461053832d69fab3f2f60c9f51a3a6
tree 7d7f1c1a67aaee63b4a04bf2230070eed71e7f05 /docs/bsd
parent e778154cd833090d4093631d56887785dd2e9e35
first stab at OpenBSD docs, not all steps are verified yet
Diffstat (limited to 'docs/bsd')
-rw-r--r-- docs/bsd/configuring_parabola.html 882
-rw-r--r-- docs/bsd/encrypted_debian.html 519
-rw-r--r-- docs/bsd/encrypted_parabola.html 872
-rw-r--r-- docs/bsd/grub_boot_installer.html 219
-rw-r--r-- docs/bsd/grub_cbfs.html 366
-rw-r--r-- docs/bsd/index.html 85
6 files changed, 2943 insertions, 0 deletions
diff --git a/docs/bsd/configuring_parabola.html b/docs/bsd/configuring_parabola.html
new file mode 100644
index 00000000..c8efc841
--- /dev/null
+++ b/docs/bsd/configuring_parabola.html
@@ -0,0 +1,882 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>Configuring Parabola (post-install)</title>
+</head>
+
+<body>
+ <div class="section">
+ <h1 id="pagetop">Configuring Parabola (post-install)</h1>
+ <p>
+ Post-installation configuration steps for Parabola GNU/Linux-libre. Parabola is extremely flexible; this is just an example.
+ </p>
+ <p>
+ <a href="index.html">Back to previous index</a>
+ </p>
+ </div>
+
+ <div class="section">
+
+ <h1>Table of Contents</h1>
+ <ul>
+ <li>
+ <a href="#pacman_configure">Configuring pacman</a>
+ <ul>
+ <li><a href="#pacman_update">Updating Parabola</a></li>
+ <li>
+ <a href="#pacman_maintain">Maintaining Parabola during system updates</a>
+ <ul>
+ <li><a href="#pacman_cacheclean">Clearing package cache after updating</a></li>
+ <li><a href="#pacman_commandequiv">Pacman command equivalents (compared to other package managers)</a></li>
+ </ul>
+ </li>
+ <li><a href="#yourfreedom">your-freedom</a></li>
+ </ul>
+ </li>
+ <li><a href="#useradd">Add a user account</a></li>
+ <li><a href="#systemd">System D</a></li>
+ <li><a href="#interesting_repos">Interesting repositories</a></li>
+ <li>
+ <a href="#network">Setup a network connection in Parabola</a>
+ <ul>
+ <li><a href="#network_hostname">Setting hostname</a></li>
+ <li><a href="#network_status">Network status</a></li>
+ <li><a href="#network_devicenames">Network interface names</a></li>
+ <li><a href="#network_setup">Network setup</a></li>
+ </ul>
+ </li>
+ <li><a href="#system_maintain">System maintenance</a> - important!</li>
+ <li>
+ <a href="#desktop">Configuring the desktop</a>
+ <ul>
+ <li><a href="#desktop_xorg">Install Xorg</a></li>
+ <li><a href="#desktop_kblayout">Xorg keyboard layout</a></li>
+ <li><a href="#desktop_lxde">Install LXDE</a></li>
+ <li><a href="#lxde_clock">LXDE - clock</a></li>
+ <li><a href="#lxde_font">LXDE - font</a></li>
+ <li><a href="#lxde_screenlock">LXDE - screenlock</a></li>
+ <li><a href="#lxde_automount">LXDE - automounting</a></li>
+ <li><a href="#lxde_suspend">LXDE - disable suspend</a></li>
+ <li><a href="#lxde_battery">LXDE - battery monitor</a></li>
+ <li><a href="#lxde_network">LXDE - network manager</a></li>
+ </ul>
+ </li>
+ </ul>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ While not strictly related to the libreboot project, this guide
+ is intended to be useful for those interested in installing
+ Parabola on their libreboot system.
+ </p>
+
+ <p>
+ It details configuration steps that I took after installing the base system,
+ as a follow up to <a href="encrypted_parabola.html">encrypted_parabola.html</a>.
+ This guide is likely to become obsolete at a later date (due to the volatile
+ 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it.
+ </p>
+
+ <p>
+ <b>
+ This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch
+ with the libreboot project!
+ </b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ You do not necessarily have to follow this guide word-for-word; <i>parabola</i> is extremely flexible.
+ The aim here is to provide a common setup that most users will be happy with. While Parabola
+ can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide
+ all the same usability as Debian, without hiding any details from the user.
+ </p>
+
+ <p>
+ Paradoxically, as you get more advanced Parabola can actually become <i>easier to use</i>
+ when you want to set up your system in a special way compared to what most distributions provide.
+ You will find over time that other distributions tend to <i>get in your way</i>.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ <b>
+ This guide assumes that you already have Parabola installed. If you have not yet installed Parabola,
+ then <a href="encrypted_parabola.html">this guide</a> is highly recommended!
+ </b>
+ </p>
+
+ <p>
+ A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses.
+ Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries
+ to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible.
+ <b>It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key,
+ especially for new users</b>.
+ </p>
+
+ <p>
+ The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source),
+ and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the
+ Arch wiki.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Some of these steps require internet access. I'll go into networking later but for now, I just connected
+ my system to a switch and did:<br/>
+ # <b>systemctl start dhcpcd.service</b><br/>
+ You can stop it later by running:<br/>
+ # <b>systemctl stop dhcpcd.service</b><br/>
+ For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:<br/>
+ <a href="#network">Setup network connection in Parabola</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="pacman_configure">Configure pacman</h2>
+ <p>
+ pacman (<b>pac</b>kage <b>man</b>ager) is the name of the package management system in Arch, which Parabola
+ (as a deblobbed parallel effort) also uses. Like with 'apt-get' on Debian,
+ this can be used to add/remove and update the software on your computer.
+ </p>
+ <p>
+ Based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman">https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman</a>
+ and from reading <a href="https://wiki.archlinux.org/index.php/Pacman">https://wiki.archlinux.org/index.php/Pacman</a> (make sure to read and understand this,
+ it's very important) and
+ <a href="https://wiki.parabolagnulinux.org/Official_Repositories">https://wiki.parabolagnulinux.org/Official_Repositories</a>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="pacman_update">Updating Parabola</h2>
+ <p>
+ In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:<br/>
+ # <b>pacman -Syy</b><br/>
+ (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date,
+ which can be useful when switching to another mirror).<br/>
+ Then, update the system:<br/>
+ # <b>pacman -Syu</b>
+ </p>
+ <p>
+ <b>
+ Before installing packages with 'pacman -S', always update first, using the notes above.
+ </b>
+ </p>
+ <p>
+ Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages
+ about maintenance steps that you will need to perform with certain files (typically configurations)
+ after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues.
+ If a new kernel is installed, you should also update to be able to use it (the currently running kernel will
+ also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a
+ rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This
+ is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated.
+ A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website,
+ and more maintenance work.
+ </p>
+ <p>
+ The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). The <i>Parabola</i>
+ IRC channel (#parabola on freenode) can also help you.
+ </p>
+ <p>
+ Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time
+ in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event,
+ like a presentation or sending an email to an important person before an allocated deadline, and so on.
+ </p>
+ <p>
+ Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories
+ exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free,
+ so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in
+ the rare event that they do occur.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="pacman_maintain">Maintaining Parabola</h2>
+ <p>
+ Parabola is a very simple distro, in the sense that you are in full control
+ and everything is made transparent to you. One consequence is
+ that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done
+ with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro
+ on another computer, for example).
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ <h3 id="pacman_cacheclean">Cleaning the package cache</h3>
+ <p>
+ <b>
+ The following is very important as you continue to use, update and maintain your Parabola system:<br/>
+ <a href="https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache">https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache</a>.
+ Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache
+ of old package information, updated automatically when you do anything in pacman).
+ </b>
+ </p>
+ <p>
+ To clean out all old packages that are cached:<br/>
+ # <b>pacman -Sc</b>
+ </p>
+ <p>
+ The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo,
+ if you encounter issues and want to revert back to an older package then it's useful to have the caches available.
+ Only do this if you are sure that you won't need it.
+ </p>
+ <p>
+ The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:<br/>
+ # <b>pacman -Scc</b><br/>
+ This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used
+ when disk space is at a premium.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ <h3 id="pacman_commandequiv">pacman command equivalents</h3>
+ <p>
+ The following table lists other distro package manager commands, and their equivalent in pacman:<br/>
+ <a href="https://wiki.archlinux.org/index.php/Pacman_Rosetta">https://wiki.archlinux.org/index.php/Pacman_Rosetta</a>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="yourfreedom">your-freedom</h2>
+ <p>
+ your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages
+ from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola
+ wiki for migrating - converting - an existing Arch system to a Parabola system), installing
+ your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution
+ is then to delete the offending packages, and continue installing <i>your-freedom</i>.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="useradd">Add a user</h2>
+ <p>
+ Based on <a href="https://wiki.archlinux.org/index.php/Users_and_Groups">https://wiki.archlinux.org/index.php/Users_and_Groups</a>.
+ </p>
+ <p>
+ It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended
+ only for critical administrative work, since it has complete access to the entire operating system.
+ </p>
+ <p>
+ Read the entire document linked to above, and then continue.
+ </p>
+ <p>
+ Add your user:<br/>
+ # <b>useradd -m -G wheel -s /bin/bash <i>yourusername</i></b><br/>
+ Set a password:<br/>
+ # <b>passwd <i>yourusername</i></b>
+ </p>
+
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
+ </p>
+
+ <p><a href="#pagetop">Back to top of page</a></p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="systemd">systemd</h2>
+ <p>
+ This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it.
+ Read <a href="https://wiki.archlinux.org/index.php/systemd">https://wiki.archlinux.org/index.php/systemd</a>
+ and <a href="https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage">https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage</a>
+ to gain a full understanding. <b>This is very important! Make sure to read them.</b>
+ </p>
+ <p>
+ An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others.
+ </p>
+ <p>
+ <a href="https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530">https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530</a> explains
+ the background behind the decision by Arch (Parabola's upstream supplier) to use systemd.
+ </p>
+
+ <p>
+ The manpage should also help:<br/>
+ # <b>man systemd</b><br/>
+ The section on 'unit types' is especially useful.
+ </p>
+
+ <p>
+ According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up.
+ on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the
+ log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki
+ recommends 50MiB).
+ </p>
+ <p>
+ Open /etc/systemd/journald.conf and find the line that says:<br/>
+ <i>#SystemMaxUse=</i><br/>
+ Change it to say:<br/>
+ <i>SystemMaxUse=50M</i>
+ </p>
+ <p>
+ The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12,
+ and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it.
+ </p>
+ <p>
+ Restart journald:<br/>
+ # <b>systemctl restart systemd-journald</b>
+ </p>
+
+ <p>
+ The wiki recommends that if the journal gets too large, you can also simply delete (rm -Rf) everything inside /var/log/journald/*
+ but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically
+ start to delete older records when the journal size reaches it's limit (according to systemd developers).
+ </p>
+
+ <p>
+ Finally, the wiki mentions 'temporary' files and the utility for managing them.<br/>
+ # <b>man systemd-tmpfiles</b><br/>
+ The command for 'clean' is:<br/>
+ # <b>systemd-tmpfiles --clean</b><br/>
+ According to the manpage, this <i>&quot;cleans all files and directories with an age parameter&quot;</i>.
+ According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/
+ to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations
+ to get a better understanding.
+ </p>
+ <p>
+ I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files.
+ The first one was etc.conf, containing information and a reference to this manpage:<br/>
+ # <b>man tmpfiles.d</b><br/>
+ Read that manpage, and then continue studying all the files.
+ </p>
+ <p>
+ The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all.
+ </p>
+
+ <p><a href="#pagetop">Back to top of page</a></p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="interesting_repos">Interesting repositories</h2>
+ <p>
+ Parabola wiki at <a href="https://wiki.parabolagnulinux.org/Repositories#kernels">https://wiki.parabolagnulinux.org/Repositories#kernels</a>
+ mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available
+ there, depending on your use case.
+ </p>
+ <p>
+ I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:<br/>
+ <i>
+ [kernels]<br/>
+ Include = /etc/pacman.d/mirrorlist
+ </i>
+ </p>
+ <p>
+ Now sync with the repository:<br/>
+ # <b>pacman -Syy</b>
+ </p>
+ <p>
+ List all available packages in this repository:<br/>
+ # <b>pacman -Sl kernels</b>
+ </p>
+ <p>
+ In the end, I decided not to install anything from it but I kept the repository enabled regardless.
+ </p>
+ <p><a href="#pagetop">Back to top of page.</a></p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="network">Setup a network connection in Parabola</h2>
+ <p>
+ Read <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ <h3 id="network_hostname">Set the hostname</h3>
+ <p>
+ This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):<br/>
+ # <b>hostnamectl set-hostname <i>yourhostname</i></b><br/>
+ This writes the specified hostname to /etc/hostname. More information can be found in these manpages:<br/>
+ # <b>man hostname</b><br/>
+ # <b>info hostname</b><br/>
+ # <b>man hostnamectl</b>
+ </p>
+ <p>
+ Add the same hostname to /etc/hosts, on each line. Example:<br/>
+ <i>
+ 127.0.0.1 localhost.localdomain localhost <u>myhostname</u><br/>
+ ::1 localhost.localdomain localhost <u>myhostname</u>
+ </i>
+ </p>
+ <p>
+ You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does)
+ so it's good to be forward-thinking here.
+ </p>
+ <p>
+ The <i>hostname</i> utility is part of the <i>inetutils</i> package and is in core/, installed by default (as part of <i>base</i>).
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ <h3 id="network_status">Network Status</h3>
+ <p>
+ According to the Arch wiki, <a href="https://wiki.archlinux.org/index.php/Udev">udev</a> should already detect the ethernet chipset
+ and load the driver for it automatically at boot time. You can check this in the <i>&quot;Ethernet controller&quot;</i> section
+ when running this command:<br/>
+ # <b>lspci -v</b>
+ </p>
+ <p>
+ Look at the remaining sections <i>'Kernel driver in use'</i> and <i>'Kernel modules'</i>. In my case it was as follows:<br/>
+ <i>
+ Kernel driver in use: e1000e<br/>
+ Kernel modules: e1000e
+ </i>
+ </p>
+ <p>
+ Check that the driver was loaded by issuing <i>dmesg | grep module_name</i>. In my case, I did:<br/>
+ # <b>dmesg | grep e1000e</b>
+ </p>
+ <h3 id="network_devicenames">Network device names</h3>
+ <p>
+ According to <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Device_names">https://wiki.archlinux.org/index.php/Configuring_Network#Device_names</a>,
+ it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, <i>systemd</i>
+ creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates.
+ An example device name for your ethernet chipset would be <i>enp0s25</i>, where it is never supposed to change.
+ </p>
+ <p>
+ If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends
+ adding <i>net.ifnames=0</i> to your kernel parameters (in libreboot context, this would be accomplished by following the
+ instructions in <a href="grub_cbfs.html">grub_cbfs.html</a>).
+ </p>
+ <p>
+ For background information,
+ read <a href="http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/">Predictable Network Interface Names</a>
+ </p>
+ <p>
+ Show device names:<br/>
+ # <b>ls /sys/class/net</b>
+ </p>
+ <p>
+ Changing the device names is possible (I chose not to do it):<br/>
+ <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name">https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name</a>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ <h3 id="network_setup">Network setup</h3>
+ <p>
+ I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical
+ network-manager client. Here is a list of network managers:<br/>
+ <a href="https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers">https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers</a>.
+ If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd.
+ NetworkManager will be setup later, after installing LXDE.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="system_maintain">System Maintenance</h2>
+ <p>
+ Read <a href="https://wiki.archlinux.org/index.php/System_maintenance">https://wiki.archlinux.org/index.php/System_maintenance</a> before continuing.
+ Also read <a href="https://wiki.archlinux.org/index.php/Enhance_system_stability">https://wiki.archlinux.org/index.php/Enhance_system_stability</a>.
+ <b>This is important, so make sure to read them!</b>
+ </p>
+ <p>
+ Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you
+ but the smart data comes from it. Therefore, don't rely on it too much):<br/>
+ # <b>pacman -S smartmontools</b><br/>
+ Read <a href="https://wiki.archlinux.org/index.php/S.M.A.R.T.">https://wiki.archlinux.org/index.php/S.M.A.R.T.</a> to learn how to use it.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="desktop">Configuring the desktop</h2>
+ <p>
+ Based on steps from
+ <a href="https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface">General Recommendations</a> on the Arch wiki.
+ The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE
+ by default.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ <div class="subsection">
+ <h3 id="desktop_xorg">Installing Xorg</h3>
+ <p>
+ Based on <a href="https://wiki.archlinux.org/index.php/Xorg">https://wiki.archlinux.org/index.php/Xorg</a>.
+ </p>
+ <p>
+ Firstly, install it!<br/>
+ # <b>pacman -S xorg-server</b><br/>
+ I also recommend installing this (contains lots of useful tools, including <i>xrandr</i>):<br/>
+ # <b>pacman -S xorg-server-utils</b>
+ </p>
+ <p>
+ Install the driver. For me this was <i>xf86-video-intel</i> on the ThinkPad X60. T60 and macbook11/21 should be the same.<br/>
+ # <b>pacman -S xf86-video-intel</b><br/>
+ For other systems you can try:<br/>
+ # <b>pacman -Ss xf86-video- | less</b><br/>
+ Combined with looking at your <i>lspci</i> output, you can determine which driver is needed.
+ By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration.
+ </p>
+ <p>
+ Other drivers (not just video) can be found by looking at the <i>xorg-drivers</i> group:<br/>
+ # <b>pacman -Sg xorg-drivers</b><br/>
+ </p>
+ <p>
+ Mostly you will rely on a display manager, but in case you ever want to start X without one:<br/>
+ # <b>pacman -S xorg-xinit</b>
+ </p>
+ <p>
+ &lt;optional&gt;<br/>
+ &nbsp;&nbsp;&nbsp;Arch wiki recommends installing these, for testing that X works:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -S xorg-twm xorg-xclock xterm</b><br/>
+ &nbsp;&nbsp;&nbsp;Refer to <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>.
+ and test X:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>startx</b><br/>
+ &nbsp;&nbsp;&nbsp;When you are satisfied, type <b><i>exit</i></b> in xterm, inside the X session.<br/>
+ &nbsp;&nbsp;&nbsp;Uninstall them (clutter. eww): # <b>pacman -S xorg-xinit xorg-twm xorg-xclock xterm</b><br/>
+ &lt;/optional&gt;
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="desktop_kblayout">Xorg keyboard layout</h3>
+ <p>
+ Refer to <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg</a>.
+ </p>
+ <p>
+ Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you
+ set in /etc/vconsole.conf earlier might not actually be the same in X.
+ </p>
+ <p>
+ To see what layout you currently use, try this on a terminal emulator in X:<br/>
+ # <b>setxkbmap -print -verbose 10</b>
+ </p>
+ <p>
+ In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout.
+ </p>
+ <p>
+ I'll just say it now: <i>XkbModel</i> can be <i>pc105</i> in this case (ThinkPad X60, with a 105-key UK keyboard).
+ If you use an American keyboard (typically 104 keys) you will want to use <i>pc104</i>.
+ </p>
+ <p>
+ <i>XkbLayout</i> in my case would be <i>gb</i>, and <i>XkbVariant</i> would be <i>dvorak</i>.
+ </p>
+ <p>
+ The Arch wiki recommends two different methods for setting the keyboard layout:<br/>
+ <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files</a> and<br/>
+ <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl</a>.
+ </p>
+ <p>
+ In my case, I chose to use the <i>configuration file</i> method:<br/>
+ Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:<br/>
+ <i>
+ Section "InputClass"<br/>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Identifier "system-keyboard"<br/>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MatchIsKeyboard "on"<br/>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Option "XkbLayout" "gb"<br/>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Option "XkbModel" "pc105"<br/>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Option "XkbVariant" "dvorak"<br/>
+ EndSection
+ </i>
+ </p>
+ <p>
+ For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then
+ you don't even need to do anything (though it might help, for the sake of being explicit).
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="desktop_lxde">Install LXDE</h3>
+ <p>
+ Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight
+ and does everything that I need.
+ If you would like to try something different, refer to
+ <a href="https://wiki.archlinux.org/index.php/Desktop_environment">https://wiki.archlinux.org/index.php/Desktop_environment</a>
+ </p>
+ <p>
+ Refer to <a href="https://wiki.archlinux.org/index.php/LXDE">https://wiki.archlinux.org/index.php/LXDE</a>.
+ </p>
+ <p>
+ Install it, choosing 'all' when asked for the default package list:<br/>
+ # <b>pacman -S lxde obconf</b>
+ </p>
+ <p>
+ I didn't want the following, so I removed them:<br/>
+ # <b>pacman -R lxmusic lxtask</b>
+ </p>
+ <p>
+ I also lazily installed all fonts:<br/>
+ # <b>pacman -S $(pacman -Ssq ttf-)</b>
+ </p>
+ <p>
+ And a mail client:<br/>
+ # <b>pacman -S icedove</b>
+ </p>
+ <p>
+ In IceCat, go to <i>Preferences :: Advanced</i> and disable <i>GNU IceCat Health Report</i>.
+ </p>
+ <p>
+ I also like to install these:<br/>
+ # <b>pacman -S xsensors stress htop</b>
+ </p>
+ <p>
+ Enable LXDM (the default display manager, providing a graphical login):<br/>
+ # <b>systemctl enable lxdm.service</b><br/>
+ It will start when you boot up the system. To start it now, do:<br/>
+ # <b>systemctl start lxdm.service</b>
+ </p>
+ <p>
+ Log in with your standard (non-root) user that you created earlier.
+ It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm.
+ Read <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>.
+ </p>
+ <p>
+ Open LXterminal:<br/>
+ $ <b>cp /etc/skel/.xinitrc ~</b><br/>
+ Open .xinitrc and add the following plus a line break at the bottom of the file.<br/>
+ <i>
+ # Probably not needed. The same locale info that we set before<br/>
+ # Based on advice from the LXDE wiki
+ export LC_ALL=en_GB.UTF-8<br/>
+ export LANGUAGE=en_GB.UTF-8<br/>
+ export LANG=en_GB.UTF-8<br/>
+ <br/>
+ # Start lxde desktop<br/>
+ exec startlxde<br/>
+ </i>
+ Now make sure that it is executable:<br/>
+ $ <b>chmod +x .xinitrc</b>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_clock">LXDE - clock</h3>
+ <p>
+ In <b>Digital Clock Settings</b> (right click the clock) I set the Clock Format to <i>%Y/%m/%d %H:%M:%S</i>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_font">LXDE - font</h3>
+ <p>
+ NOTE TO SELF: come back to this later.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_screenlock">LXDE - screenlock</h3>
+ <p>
+ Arch wiki recommends to use <i>xscreensaver</i>:<br/>
+ # <b>pacman -S xscreensaver</b>
+ </p>
+ <p>
+ Under <i>Preferences :: Screensaver</i> in the LXDE menu, I chose <i>Mode: Blank Screen Only</i>,
+ setting <i>Blank After</i>, <i>Cycle After</i> and <i>Lock Screen After</i> (checked) to 10 minutes.
+ </p>
+ <p>
+ You can now lock the screen with <i>Logout :: Lock Screen</i> in the LXDE menu.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_automount">LXDE - automounting</h3>
+ <p>
+ Refer to <a href="https://wiki.archlinux.org/index.php/File_manager_functionality">https://wiki.archlinux.org/index.php/File_manager_functionality</a>.
+ </p>
+ <p>
+ I chose to ignore this for now. NOTE TO SELF: come back to this later.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_suspend">LXDE - disable suspend</h3>
+ <p>
+ When closing the laptop lid, the system suspends. This is annoying at least to me.
+ NOTE TO SELF: disable it, then document the steps here.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_battery">LXDE - battery monitor</h3>
+ <p>
+ Right click lxde panel and <i>Add/Remove Panel Items</i>. Click <i>Add</i> and select <i>Battery Monitor</i>, then click <i>Add</i>.
+ Close and then right-click the applet and go to <i>Battery Monitor Settings</i>, check the box that says <i>Show Extended Information</i>.
+ Now click <i>Close</i>. When you hover the cursor over it, it'll show information about the battery.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ <div class="subsection">
+ <h3 id="lxde_network">LXDE - Network Manager</h3>
+ <p>
+ Refer to <a href="https://wiki.archlinux.org/index.php/LXDE#Network_Management">https://wiki.archlinux.org/index.php/LXDE#Network_Management</a>.
+ Then I read: <a href="https://wiki.archlinux.org/index.php/NetworkManager">https://wiki.archlinux.org/index.php/NetworkManager</a>.
+ </p>
+ <p>
+ Install Network Manager:<br/>
+ # <b>pacman -S networkmanager</b>
+ </p>
+ <p>
+ You will also want the graphical applet:<br/>
+ # <b>pacman -S network-manager-applet</b><br/>
+ Arch wiki says that an autostart rule will be written at <i>/etc/xdg/autostart/nm-applet.desktop</i>
+ </p>
+ <p>
+ I want to be able to use a VPN at some point, so the wiki tells me to do:<br/>
+ # <b>pacman -S networkmanager-openvpn</b>
+ </p>
+ <p>
+ LXDE uses openbox, so I refer to:<br/>
+ <a href="https://wiki.archlinux.org/index.php/NetworkManager#Openbox">https://wiki.archlinux.org/index.php/NetworkManager#Openbox</a>.
+ </p>
+ <p>
+ It tells me for the applet I need:<br/>
+ # <b>pacman -S xfce4-notifyd gnome-icon-theme</b><br/>
+ Also, for storing authentication details (wifi) I need:<br/>
+ # <b>pacman -S gnome-keyring</b>
+ </p>
+ <p>
+ I wanted to quickly enable networkmanager:<br/>
+ # <b>systemctl stop dhcpcd</b><br/>
+ # <b>systemctl start NetworkManager</b><br/>
+ Enable NetworkManager at boot time:<br/>
+ # <b>systemctl enable NetworkManager</b>
+ </p>
+ <p>
+ Restart LXDE (log out, and then log back in).
+ </p>
+ <p>
+ I added the volume control applet to the panel (right click panel, and add a new applet).
+ I also later changed the icons to use the gnome icon theme, in <i>lxappearance</i>.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+ </div>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015 Leah Rowe &lt;info@minifree.org&gt;<br/>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
+ </p>
+
+ <p>
+ Updated versions of the license (when available) can be found at
+ <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
+ </p>
+
+ <p>
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+ </p>
+
+ </div>
+
+</body>
+</html>
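Review bot: In the .xinitrc snippet, the line "# Based on advice from the LXDE wiki" has no trailing `<br/>`, so it renders on the same line as `export LC_ALL=en_GB.UTF-8` and anyone copying the rendered text gets that export commented out; add the `<br/>`. The NetworkManager steps only run `systemctl stop dhcpcd`; if dhcpcd was enabled earlier in the guide it will start again at boot alongside NetworkManager, so add `systemctl disable dhcpcd` next to the `systemctl enable NetworkManager` line. The font, automounting and disable-suspend subsections still contain only "NOTE TO SELF" placeholders, and the page documents Parabola with LXDE although it is added under docs/bsd; fill these in or drop them before this lands.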
diff --git a/docs/bsd/encrypted_debian.html b/docs/bsd/encrypted_debian.html
new file mode 100644
index 00000000..64f4668d
--- /dev/null
+++ b/docs/bsd/encrypted_debian.html
@@ -0,0 +1,519 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot)</title>
+</head>
+
+<body>
+ <div class="section">
+ <h1>Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot)</h1>
+ <p>
+ The libreboot project recommends Debian, because it is more stable and up to date,
+ while still being entirely free software by default. Leah Rowe, libreboot's
+ lead maintainer, also uses Debian. See:
+ <a href="../distros/">../distros/</a>
+ </p>
+ <p>
+ Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and its GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+ </p>
+
+ <p>
+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
+ This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
+ can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
+ payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
+ access to the system.
+ </p>
+ <p>
+ This guide is written for Debian.
+ This also works in Trisquel 7 (probably Trisquel 8), and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode).
+ <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>.
+ </p>
+ <p>
+ <b>This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.</b>
+ </p>
+
+
+ <p>
+ Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
+ </p>
+ <p><a href="index.html">Back to previous index</a></p>
+ </div>
+
+ <div class="section">
+
+ <p>
+ Set a strong user password (lots of lowercase/uppercase, numbers and symbols).
+ </p>
+
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
+ </p>
+
+ <p>
+ when the installer asks you to set up
+ encryption (ecryptfs) for your home directory, select 'Yes' if you want to: <b>LUKS is already secure and performs well. Having ecryptfs on top of it
+ will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended.
+ Choose 'no'.</b>
+ </p>
+
+ <p>
+ <b>
+ Your user password should be different from the LUKS password which you will set later on.
+ Your LUKS password should, like the user password, be secure.
+ </b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Partitioning</h1>
+
+ <p>Choose 'Manual' partitioning:</p>
+ <ul>
+ <li>Select drive and create new partition table</li>
+ <li>
+ Single large partition. The following are mostly defaults:
+ <ul>
+ <li>Use as: physical volume for encryption</li>
+ <li>Encryption: aes</li>
+ <li>key size: whatever default is given to you</li>
+ <li>IV algorithm: whatever default is given to you</li>
+ <li>Encryption key: passphrase</li> (<i>diceware method</i> recommended for choosing password)
+ <li>erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)</li>
+ </ul>
+ </li>
+ <li>
+ Select 'configure encrypted volumes'
+ <ul>
+ <li>Create encrypted volumes</li>
+ <li>Select your partition</li>
+ <li>Finish</li>
+ <li>Really erase: Yes</li>
+ <li>(erase will take a long time. be patient)</li>
+ <li>(if your old system was encrypted, just let this run for about a minute to
+ make sure that the LUKS header is wiped out)</li>
+ </ul>
+ </li>
+ <li>
+ Select encrypted space:
+ <ul>
+ <li>use as: physical volume for LVM</li>
+ <li>Choose 'done setting up the partition'</li>
+ </ul>
+ </li>
+ <li>
+ Configure the logical volume manager:
+ <ul>
+ <li>Keep settings: Yes</li>
+ </ul>
+ </li>
+ <li>
+ Create volume group:
+ <ul>
+ <li>Name: <b>matrix</b> (use this exact name)</li>
+ <li>Select crypto partition</li>
+ </ul>
+ </li>
+ <li>
+ Create logical volume
+ <ul>
+ <li>select <b>matrix</b> (use this exact name)</li>
+ <li>name: <b>root</b> (use this exact name)</li>
+ <li>size: default, minus 2048 MB</li>
+ </ul>
+ </li>
+ <li>
+ Create logical volume
+ <ul>
+ <li>select <b>matrix</b> (use this exact name)</li>
+ <li>name: <b>swap</b> (user this exact name)</li>
+ <li>size: press enter</li>
+ </ul>
+ </li>
+ </ul>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Further partitioning</h1>
+
+ <p>
+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
+ </p>
+ <ul>
+ <li>
+ LVM LV root
+ <ul>
+ <li>use as: btrfs</li>
+ <li>mount point: /</li>
+ <li>done setting up partition</li>
+ </ul>
+ </li>
+ <li>
+ LVM LV swap
+ <ul>
+ <li>use as: swap area</li>
+ <li>done setting up partition</li>
+ </ul>
+ </li>
+ <li>Now you select 'Finished partitioning and write changes to disk'.</li>
+ </ul>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Kernel</h1>
+
+ <p>
+ Installation will ask what kernel you want to use. linux-generic is fine.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Tasksel (Debian or Trisquel)</h1>
+
+ <p>
+ Choose <i>&quot;Trisquel Desktop Environment&quot;</i> if you want GNOME,
+ <i>&quot;Trisquel-mini Desktop Environment&quot;</i> if you
+ want LXDE or <i>&quot;Triskel Desktop Environment&quot;</i> if you want KDE.
+ If you want to have no desktop (just a basic shell)
+ when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything).
+ You might also want to choose some of the other package groups; it's up to you.
+ </p>
+ <p>
+ For Debian, use the <em>MATE</em> option, or one of the others if you want.
+ </p>
+ <p>
+ On Debian or Trisquel, you may also want to select the option for a printer server,
+ so that you can print.
+ </p>
+ <p>
+ If you want debian-testing, then you should only select barebones options here
+ and change the entries in /etc/apt/sources.list after install to point to the new distro,
+ and then run <strong>apt-get update</strong> and <strong>apt-get dist-upgrade</strong>
+ as root, then reboot and run <b>tasksel</b> as root. This is to avoid downloading large
+ packages twice.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Postfix configuration</h1>
+
+ <p>
+ If asked, choose <i>&quot;No Configuration&quot;</i> here (or maybe you want to select something else. It's up to you.)
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Install the GRUB boot loader to the master boot record</h1>
+
+ <p>
+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
+ You could also choose 'No'. Choice is irrelevant here.
+ </p>
+
+ <p>
+ <i>You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.</i>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>Clock UTC</h1>
+
+ <p>
+ Just say 'Yes'.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>
+ Booting your system
+ </h1>
+
+ <p>
+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
+ </p>
+
+ <p>
+ Do that:<br/>
+ grub&gt; <b>cryptomount -a</b><br/>
+ grub&gt; <b>set root='lvm/matrix-root'</b><br/>
+ grub&gt; <b>linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root</b><br/>
+ grub&gt; <b>initrd /initrd.img</b><br/>
+ grub&gt; <b>boot</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>
+ ecryptfs
+ </h1>
+
+ <p>
+ If you didn't encrypt your home directory, then you can safely ignore this section.
+ </p>
+
+ <p>
+ Immediately after logging in, do that:<br/>
+ $ <b>sudo ecryptfs-unwrap-passphrase</b>
+ </p>
+
+ <p>
+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
+ somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1>
+ Modify grub.cfg (CBFS)
+ </h1>
+
+ <p>
+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
+ </p>
+
+ <p>
+ Modify your grub.cfg (in the firmware) <a href="grub_cbfs.html">using this tutorial</a>;
+ just change the default menu entry 'Load Operating System' to say this inside:
+ </p>
+
+ <p>
+ <b>cryptomount -a</b><br/>
+ <b>set root='lvm/matrix-root'</b><br/>
+ <b>linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root</b><br/>
+ <b>initrd /initrd.img</b>
+ </p>
+
+ <p>
+ Without specifying a device, the <i>-a</i> parameter tries to unlock all detected LUKS volumes.
+ You can also specify -u UUID or -a (device).
+ </p>
+
+ <p>
+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
+ GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. <b>This should be different than your LUKS passphrase and user password.</b>
+ </p>
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (as opposed to passwords).
+ </p>
+
+ <p>
+ The GRUB utility can be used like so:<br/>
+ $ <b>grub-mkpasswd-pbkdf2</b>
+ </p>
+
+ <p>
+ Give it a password (remember, it has to be secure) and it'll output something like:<br/>
+ <b>grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b>
+ </p>
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
+ </p>
+
+ <p>
+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):<br/>
+ </p>
+ <pre>
+<b>set superusers=&quot;root&quot;</b>
+<b>password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b>
+ </pre>
+ <p style="font-size:2em;">
+ MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg.
+ Then select the menu entry that says <i>Switch to grubtest.cfg</i> and test that it works.
+ Then copy that to grub.cfg once you're satisfied.
+ WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.
+ </p>
+ <p>
+ (emphasis added, because it's needed. This is a common roadblock for users)
+ </p>
+
+ <p>
+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
+ </p>
+
+ <p>
+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
+ using <a href="../install/index.html#flashrom">this tutorial</a>.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1 id="troubleshooting">Troubleshooting</h1>
+
+ <p>
+ A user reported issues when booting with a docking station attached
+ on an X200, when decrypting the disk in GRUB. The error
+ <i>AHCI transfer timed out</i> was observed. The workaround
+ was to remove the docking station.
+ </p>
+
+ <p>
+ Further investigation revealed that it was the DVD drive causing problems.
+ Removing that worked around the issue.
+ </p>
+
+<pre>
+
+&quot;sudo wodim -prcap&quot; shows information about the drive:
+Device was not specified. Trying to find an appropriate drive...
+Detected CD-R drive: /dev/sr0
+Using /dev/cdrom of unknown capabilities
+Device type : Removable CD-ROM
+Version : 5
+Response Format: 2
+Capabilities :
+Vendor_info : 'HL-DT-ST'
+Identification : 'DVDRAM GU10N '
+Revision : 'MX05'
+Device seems to be: Generic mmc2 DVD-R/DVD-RW.
+
+Drive capabilities, per MMC-3 page 2A:
+
+ Does read CD-R media
+ Does write CD-R media
+ Does read CD-RW media
+ Does write CD-RW media
+ Does read DVD-ROM media
+ Does read DVD-R media
+ Does write DVD-R media
+ Does read DVD-RAM media
+ Does write DVD-RAM media
+ Does support test writing
+
+ Does read Mode 2 Form 1 blocks
+ Does read Mode 2 Form 2 blocks
+ Does read digital audio blocks
+ Does restart non-streamed digital audio reads accurately
+ Does support Buffer-Underrun-Free recording
+ Does read multi-session CDs
+ Does read fixed-packet CD media using Method 2
+ Does not read CD bar code
+ Does not read R-W subcode information
+ Does read raw P-W subcode data from lead in
+ Does return CD media catalog number
+ Does return CD ISRC information
+ Does support C2 error pointers
+ Does not deliver composite A/V data
+
+ Does play audio CDs
+ Number of volume control levels: 256
+ Does support individual volume control setting for each channel
+ Does support independent mute setting for each channel
+ Does not support digital output on port 1
+ Does not support digital output on port 2
+
+ Loading mechanism type: tray
+ Does support ejection of CD via START/STOP command
+ Does not lock media on power up via prevent jumper
+ Does allow media to be locked in the drive via PREVENT/ALLOW command
+ Is not currently in a media-locked state
+ Does not support changing side of disk
+ Does not have load-empty-slot-in-changer feature
+ Does not support Individual Disk Present feature
+
+ Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Rotational control selected: CLV/PCAV
+ Buffer size in KB: 1024
+ Copy management revision supported: 1
+ Number of supported write speeds: 4
+ Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
+ Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
+ Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
+ Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
+
+Supported CD-RW media types according to MMC-4 feature 0x37:
+ Does write multi speed CD-RW media
+ Does write high speed CD-RW media
+ Does write ultra high speed CD-RW media
+ Does not write ultra high speed+ CD-RW media
+
+</pre>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015 Leah Rowe &lt;info@minifree.org&gt;<br/>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
+ </p>
+
+ <p>
+ Updated versions of the license (when available) can be found at
+ <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
+ </p>
+
+ <p>
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+ </p>
+
+ </div>
+
+</body>
+</html>
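Review bot: The ecryptfs paragraph in the second section contradicts itself: it says to select 'Yes' if you want to, then ends with "not recommended. Choose 'no'", and it opens with a lowercase "when"; state a single recommendation. Under "Modify grub.cfg (CBFS)", the sentence "You can also specify -u UUID or -a (device)" is wrong as written, since GRUB's cryptomount takes the device as a bare argument and -a means all detected devices. Smaller fixes in the same file: in the Partitioning list the diceware remark sits after the closing `</li>` and is loose text inside the `<ul>`; "user this exact name" should read "use"; the ecryptfs section ends with a stray `>` after "memorize it still)"; and the diceware sentence appears both before and after the grub-mkpasswd-pbkdf2 example. As in the previous file, the content is a GNU/Linux guide placed under docs/bsd.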
diff --git a/docs/bsd/encrypted_parabola.html b/docs/bsd/encrypted_parabola.html
new file mode 100644
index 00000000..a68b2baf
--- /dev/null
+++ b/docs/bsd/encrypted_parabola.html
@@ -0,0 +1,872 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>Installing Parabola or Arch GNU/Linux with full disk encryption (including /boot)</title>
+</head>
+
+<body>
+ <div class="section">
+ <h1>Installing Parabola or Arch GNU/Linux with full disk encryption (including /boot)</h1>
+ <p>
+ Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and it's GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+ </p>
+
+ <p>
+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
+ This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
+ can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
+ payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
+ access to the system.
+ </p>
+ <p>
+ <b>This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.</b>
+ </p>
+ <p>
+ This guide is intended for the Parabola distribution, but it should also work (with some adaptation)
+ for <em>Arch</em>.
+ We recomend using Parabola, which is a version of Arch that removes all
+ proprietary software, both in the default installation and in the package repositories. It usually lags
+ behind Arch by only a day or two, so it is still usable for most people.
+ See <a href="https://wiki.parabola.nu/index.php?title=Migration_from_the_GNU/Linux_distribution_of_Arch&redirect=no">Arch to Parabola migration guide</a>.
+ </p>
+
+ <p>
+ Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
+ </p>
+ <p>
+ <a href="index.html">Back to previous index</a>
+ </p>
+ </div>
+
+ <div class="section">
+
+ <p>
+ Boot Parabola's install environment. <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>.
+ </p>
+
+ <p>
+ For this guide I used the 2015 08 01 image to boot the live installer and install the system.
+ This is available at <a href="https://wiki.parabola.nu/Get_Parabola#Main_live_ISO">this page</a>.
+ </p>
+
+ <p>
+ This guide will go through the installation steps taken at the time of writing, which may or may not change due to
+ the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes,
+ please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to
+ the Parabola wiki. This guide essentially cherry picks the useful information (valid at the
+ time of writing: 2015-08-25).
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p> This section deals with wiping the storage device on which you plan to install Parabola
+ GNU/Linux. Follow these steps, but if you use an SSD, also:
+
+ <p>
+ - beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it.
+ See <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29">this page</a>
+ for more info.
+ </p>
+
+ <p> - make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data.
+ </p>
+
+ <p> - make sure to read <a href="https://wiki.archlinux.org/index.php/Solid_State_Drives">this article</a>. Edit /etc/fstab later on when
+ chrooted into your install. Also, read the whole article and keep all points in mind, adapting them for this guide.
+ </p>
+
+ <p>
+ Securely wipe the drive:<br/>
+ # <b>dd if=/dev/urandom of=/dev/sda; sync</b><br/>
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
+ use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
+ erase block size is. For example if it was 2MiB:<br/>
+ # <b>dd if=/dev/urandom of=/dev/sda bs=2M; sync</b>
+ </p>
+ <p>
+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
+ it is already 'wiped'. You should just wipe the LUKS header.
+ <a href="https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/">https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/</a>
+ showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm going to use urandom. Do this:<br/>
+ # <b>head -c 3145728 /dev/urandom &gt; /dev/sda; sync</b><br/>
+ (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>
+ Change keyboard layout
+ </h2>
+ <p>
+ Parabola live shell assumes US Qwerty. If you have something different, list the available keymaps and use yours:<br/>
+ # <b>localectl list-keymaps</b><br/>
+ # <b>loadkeys LAYOUT</b><br/>
+ For me, LAYOUT would have been dvorak-uk.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Establish an internet connection</h2>
+ <p>
+ Refer to <a href="https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection">this guide</a>. Wired is recommended,
+ but wireless is also explained there.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Getting started</h2>
+ <p>
+ The beginning is based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>.
+ Then I referred to <a href="https://wiki.archlinux.org/index.php/Partitioning">https://wiki.archlinux.org/index.php/Partitioning</a> at first.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>dm-mod</h2>
+ <p>
+ device-mapper will be used - a lot. Make sure that the kernel module is loaded:<br/>
+ # <b>modprobe dm-mod</b>
+ </p>
+
+ <h2>Create LUKS partition</h2>
+ <p>
+ Note that the default iteration time is 2000ms (20 seconds) if not specified
+ in cryptsetup. You should set a lower time than this, otherwise there will be
+ an approximate 20 second delay when booting your system.
+ We recommend 500ms (5 seconds), and this is included in the prepared
+ cryptsetup command below.
+ Note that the iteration time is for security purposes (mitigates
+ brute force attacks), so anything lower than 5 seconds is probably
+ not ok.
+ </p>
+ <p>
+ I am using MBR partitioning, so I use cfdisk:<br/>
+ # <b>cfdisk /dev/sda</b>
+ </p>
+ <p>
+ I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83).
+ </p>
+ <p>
+ Now I refer to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning">https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning</a>:<br/>
+ I am then directed to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption</a>.
+ </p>
+ <p>
+ Parabola forces you to RTFM. Do that.
+ </p>
+ <p>
+ It tells me to run:<br/>
+ # <b>cryptsetup benchmark</b> (for making sure the list below is populated)<br/>
+ Then:<br/>
+ # <b>cat /proc/crypto</b><br/>
+ This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second).
+ To gain a better understanding, I am also reading:<br/>
+ # <b>man cryptsetup</b>
+ </p>
+ <p>
+ Following that page, based on my requirements, I do the following based on <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</a>.
+ Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option.
+ </p>
+ <p>
+ I am initializing LUKS with the following:<br/>
+ # <b>cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1</b>
+ Choose a <b>secure</b> passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The
+ password length should be as long as you are able to handle without writing it down or storing it anywhere.
+ </p>
+
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Create LVM</h2>
+ <p>
+ Now I refer to <a href="https://wiki.archlinux.org/index.php/LVM">https://wiki.archlinux.org/index.php/LVM</a>.
+ </p>
+ <p>
+ Open the LUKS partition:<br/>
+ # <b>cryptsetup luksOpen /dev/sda1 lvm</b><br/>
+ (it will be available at /dev/mapper/lvm)
+ </p>
+ <p>
+ Create LVM partition:<br/>
+ # <b>pvcreate /dev/mapper/lvm</b><br/>
+ Show that you just created it:<br/>
+ # <b>pvdisplay</b>
+ </p>
+ <p>
+ Now I create the volume group, inside of which the logical volumes will be created:<br/>
+ # <b>vgcreate matrix /dev/mapper/lvm</b><br/>
+ (volume group name is 'matrix' - choose your own name, if you like)
+ Show that you created it:<br/>
+ # <b>vgdisplay</b>
+ </p>
+ <p>
+ Now create the logical volumes:<br/>
+ # <b>lvcreate -L 2G matrix -n swapvol</b> (2G swap partition, named <u>swapvol</u>)<br/>
+ Again, choose your own name if you like. Also, make sure to choose a swap size of your own needs. It basically depends on how much RAM
+ you have installed. I refer to <a
+href="http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space">http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space</a>.<br/>
+ # <b>lvcreate -l +100%FREE matrix -n root</b> (single large partition in the rest of the space, named <u>root</u>)<br/>
+ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example,
+ if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system).
+ For a home/laptop system (typical use case), a root and a swap will do (really).
+ </p>
+ <p>
+ Verify that the logical volumes were created, using the following command:<br/>
+ # <b>lvdisplay</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Create / and swap partitions, and mount</h2>
+ <p>
+ For the swapvol LV I use:<br/>
+ # <b>mkswap /dev/mapper/matrix-swapvol</b><br/>
+ Activate swap:<br/>
+ # <b>swapon /dev/matrix/swapvol</b>
+ </p>
+ <p>
+ For the root LV I use:<br/>
+ # <b>mkfs.btrfs /dev/mapper/matrix-root</b>
+ </p>
+ <p>
+ Mount the root (/) partition:<br/>
+ # <b>mount /dev/matrix/root /mnt</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Continue with Parabola installation</h2>
+ <p>
+ This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola
+ so that the guide can continue.
+ </p>
+ <p>
+ Now I am following the rest of <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>.
+ I also cross referenced <a href="https://wiki.archlinux.org/index.php/Installation_guide">https://wiki.archlinux.org/index.php/Installation_guide</a>.
+ </p>
+ <p>
+ Create /home and /boot on root mountpoint:<br/>
+ # <b>mkdir -p /mnt/home</b><br/>
+ # <b>mkdir -p /mnt/boot</b>
+ </p>
+ <p>
+ Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola.
+ </p>
+
+ <p>
+ In <b>/etc/pacman.d/mirrorlist</b>, comment out all lines except the Server line closest to where you are (I chose the UK Parabola
+ server (main server)) and then did:<br/>
+ # <b>pacman -Syy</b><br/>
+ # <b>pacman -Syu</b><br/>
+ # <b>pacman -Sy pacman</b> (and then I did the other 2 steps above, again)<br/>
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
+ </p>
+ <p>
+ &lt;troubleshooting&gt;<br/>
+ &nbsp;&nbsp;&nbsp;The following is based on 'Verification of package signatures' in the Parabola install guide.<br/>
+ &nbsp;&nbsp;&nbsp;Check there first to see if steps differ by now.<br/>
+ &nbsp;&nbsp;&nbsp;Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -Sy parabola-keyring</b><br/>
+ &nbsp;&nbsp;&nbsp;It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman-key --populate parabola</b><br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman-key --refresh-keys</b><br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -Sy parabola-keyring</b><br/>
+ &nbsp;&nbsp;&nbsp;To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/>
+ &nbsp;&nbsp;&nbsp;If you get an error mentioning dirmngr, do:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>dirmngr &lt;/dev/null</b><br/>
+ &nbsp;&nbsp;&nbsp;Also, it says that if the clock is set incorrectly then you have to manually set the correct time <br/>
+ &nbsp;&nbsp;&nbsp;(if keys are listed as expired because of it):<br/>
+ &nbsp;&nbsp;&nbsp;# <b>date MMDDhhmm[[CC]YY][.ss]</b><br/>
+ &nbsp;&nbsp;&nbsp;I also had to install:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -S archlinux-keyring</b><br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman-key --populate archlinux</b><br/>
+ &nbsp;&nbsp;&nbsp;In my case I saw some conflicting files reported in pacman, stopping me from using it.<br/>
+ &nbsp;&nbsp;&nbsp;I deleted the files that it mentioned
+ and then it worked. Specifically, I had this error:<br/>
+ &nbsp;&nbsp;&nbsp;<i>licenses: /usr/share/licenses/common/MPS exists in filesystem</i><br/>
+ &nbsp;&nbsp;&nbsp;I rm -Rf'd the file and then pacman worked. I'm told that the following would have also made it work:<br/>
+ &nbsp;&nbsp;&nbsp;# <b>pacman -Sf licenses</b><br/>
+ &lt;/troubleshooting&gt;<br/>
+ </p>
+ <p>
+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog/iw/wpa_actiond are needed for wireless after the install:<br/>
+ # <b>pacstrap /mnt base base-devel wpa_supplicant dialog iw wpa_actiond</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Configure the system</h2>
+ <p>
+ Generate an fstab - UUIDs are used because they have certain advantages (see <a href="https://wiki.parabola.nu/Fstab#Identifying_filesystems">https://wiki.parabola.nu/Fstab#Identifying_filesystems</a>.
+ If you prefer labels instead, replace the -U option with -L):<br/>
+ # <b>genfstab -U -p /mnt &gt;&gt; /mnt/etc/fstab</b><br/>
+ Check the created file:<br/>
+ # <b>cat /mnt/etc/fstab</b><br/>
+ (If there are any errors, edit the file. Do <b>NOT</b> run the genfstab command again!)
+ </p>
+ <p>
+ Chroot into new system:<br/>
+ # <b>arch-chroot /mnt /bin/bash</b>
+ </p>
+ <p>
+ It's a good idea to have this installed:<br/>
+ # <b>pacman -S linux-libre-lts</b>
+ </p>
+ <p>
+ It was also suggested that you should install this kernel (read up on what GRSEC is):<br/>
+ # <b>pacman -S linux-libre-grsec</b>
+ </p>
+ <p>
+ This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels
+ that can be used as a fallback during updates, if a bad kernel causes issues for you.
+ </p>
+ <p>
+ Parabola does not have wget. This is sinister. Install it:<br/>
+ # <b>pacman -S wget</b>
+ </p>
+ <p>
+ Locale:<br/>
+ # <b>nano /etc/locale.gen</b><br/>
+ Uncomment your needed localisations. For example en_GB.UTF-8 (UTF-8 is highly recommended over other options).<br/>
+ # <b>locale-gen</b><br/>
+ # <b>echo LANG=en_GB.UTF-8 &gt; /etc/locale.conf</b><br/>
+ # <b>export LANG=en_GB.UTF-8</b>
+ </p>
+ <p>
+ Console font and keymap:<br/>
+ # <b>nano /etc/vconsole.conf</b><br/>
+ In my case:
+ </p>
+<pre>
+KEYMAP=dvorak-uk
+FONT=lat9w-16
+</pre>
+ <p>
+ Time zone:<br/>
+ # <b>ln -s /usr/share/zoneinfo/Europe/London /etc/localtime</b><br/>
+ (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo)
+ </p>
+ <p>
+ Hardware clock:<br/>
+ # <b>hwclock --systohc --utc</b>
+ </p>
+ <p>
+ Hostname:
+ Write your hostname to /etc/hostname. For example, if your hostname is parabola:<br/>
+ # <b>echo parabola &gt; /etc/hostname</b><br/>
+ Add the same hostname to /etc/hosts:<br/>
+ # <b>nano /etc/hosts</b><br/>
+ </p>
+<pre>
+#&lt;ip-address&gt; &lt;hostname.domain.org&gt; &lt;hostname&gt;
+127.0.0.1 localhost.localdomain localhost parabola
+::1 localhost.localdomain localhost parabola
+</pre>
+ <p> Configure the network:
+ Refer to <a href="https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network">https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network</a>.
+ </p>
+ <p> Mkinitcpio:
+ Configure /etc/mkinitcpio.conf as needed (see <a href="https://wiki.parabola.nu/Mkinitcpio">https://wiki.parabola.nu/Mkinitcpio</a>).
+ Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in /usr/lib/initcpio/install. (# <b>mkinitcpio -H hookname</b> gives information about each hook.)
+ Specifically, for this use case:<br/>
+ # <b>nano /etc/mkinitcpio.conf</b><br/>
+ Then modify the file like so:
+ </p>
+ <ul>
+ <li>MODULES="i915"</li>
+ <li>This forces the driver to load earlier, so that the console font isn't wiped out after getting to login). Macbook21 users will also need <strong>hid-generic, hid and hid-apple to have a working keyboard when asked to enter the LUKS password.</strong></li>
+ <li>HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"</li>
+ <li>Explanation:</li>
+ <li>keymap adds to initramfs the keymap that you specified in /etc/vconsole.conf</li>
+ <li>consolefont adds to initramfs the font that you specified in /etc/vconsole.conf</li>
+ <li>encrypt adds LUKS support to the initramfs - needed to unlock your disks at boot time</li>
+ <li>lvm2 adds LVM support to the initramfs - needed to mount the LVM partitions at boot time</li>
+ <li>shutdown is needed according to Parabola wiki for unmounting devices (such as LUKS/LVM) during shutdown)</li>
+ </ul>
+ <p>
+ Now using mkinitcpio, you can create the kernel and ramdisk for booting with (this is different from Arch, specifying linux-libre instead of linux):<br/>
+ # <b>mkinitcpio -p linux-libre</b><br/>
+ Also do it for linux-libre-lts:<br/>
+ # <b>mkinitcpio -p linux-libre-lts</b><br/>
+ Also do it for linux-libre-grsec:<br/>
+ # <b>mkinitcpio -p linux-libre-grsec</b>
+ </p>
+ <p>
+ Set the root password:
+ At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to <a href="https://wiki.archlinux.org/index.php/SHA_password_hashes">https://wiki.archlinux.org/index.php/SHA_password_hashes</a>.<br/>
+ # <b>nano /etc/pam.d/passwd</b><br/>
+ Add rounds=65536 at the end of the uncommented 'password' line.<br/>
+ # <b>passwd root</b><br/>
+ Make sure to set a secure password! Also, it must never be the same as your LUKS password.
+ </p>
+
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Extra security tweaks</h2>
+ <p>
+ Based on <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.
+ </p>
+ <p>
+ Restrict access to important directories:<br/>
+ # <b>chmod 700 /boot /etc/{iptables,arptables}</b>
+ </p>
+ <p>
+ Lockout user after three failed login attempts:<br/>
+ Edit the file /etc/pam.d/system-login and comment out that line:<br/>
+ <i># auth required pam_tally.so onerr=succeed file=/var/log/faillog</i><br/>
+ Or just delete it. Above it, put:<br/>
+ <i>auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog</i><br/>
+ To unlock a user manually (if a password attempt is failed 3 times), do:<br/>
+ # <b>pam_tally --user <i>theusername</i> --reset</b>
+ What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts.
+ </p>
+ <p>
+ Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date.
+ If this is a single-user system, you don't really need sudo.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Unmount, reboot!</h2>
+ <p>
+ Exit from chroot:<br/>
+ # <b>exit</b>
+ </p>
+ <p>
+ unmount:<br/>
+ # <b>umount -R /mnt</b><br/>
+ # <b>swapoff -a</b>
+ </p>
+ <p>
+ deactivate the lvm lv's:<br/>
+ # <b>lvchange -an /dev/matrix/root</b><br/>
+ # <b>lvchange -an /dev/matrix/swapvol</b><br/>
+ </p>
+ <p>
+ Lock the encrypted partition (close it):<br/>
+ # <b>cryptsetup luksClose lvm</b>
+ </p>
+ <p>
+ # <b>shutdown -h now</b><br/>
+ Remove the installation media, then boot up again.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Booting from GRUB</h2>
+ <p>
+ Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional
+ (using those 2 underlines will boot lts kernel instead of normal).
+ </p>
+ <p>
+ grub> <b>cryptomount -a</b><br/>
+ grub> <b>set root='lvm/matrix-root'</b><br/>
+ grub> <b>linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/root cryptdevice=/dev/sda1:root</b><br/>
+ grub> <b>initrd /boot/initramfs-linux-libre<u>-lts</u>.img</b><br/>
+ grub> <b>boot</b><br/>
+ </p>
+ <p>
+ You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Follow-up tutorial: configuring Parabola</h2>
+ <p>
+ We will modify grub.config inside the ROM and do all kinds of fun stuff, but I recommend that you first transform the current bare-bones Parabola install into a more useable system.
+ Doing so will make the upcoming ROM modifications MUCH easier to perform and less risky!
+ <a href="configuring_parabola.html">configuring_parabola.html</a> shows my own notes post-installation. Using these, you can get a basic
+ system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system.
+ Parabola is user-centric, which means that you are in control. For more information, read <a href="https://wiki.archlinux.org/index.php/The_Arch_Way">The Arch Way</a>
+ (Parabola also follows it).
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Modify grub.cfg inside the ROM</h2>
+
+ <p>
+ (Re-)log in to your system, pressing C, so booting manually from GRUB (see above). You need to modify the ROM, so that Parabola can boot automatically with this configuration.
+ <a href="grub_cbfs.html">grub_cbfs.html</a> shows you how. Follow that guide, using the configuration details below.
+ If you go for option 2 (re-flash), promise to do this on grubtest.cfg first! We can't emphasise this enough. This is to reduce the possibility of bricking your device!
+ </p>
+
+ <p>
+ I will go for the re-flash option here. Firstly, cd to the libreboot_util/cbfstool/{armv7l i686 x86_64} directory.
+ Dump the current firmware - where <i>libreboot.rom</i> is an example: make sure to adapt:<br/>
+ # <b>flashrom -p internal -r libreboot.rom</b><br/>
+ If flashrom complains about multiple flash chips detected, add a <i>-c</i> option at the end, with the name of your chosen chip is quotes.<br/>
+ You can check if everything is in there (<i>grub.cfg</i> and <i>grubtest.cfg</i> would be really nice):<br/>
+ $ <b>./cbfstool libreboot.rom print</b><br/>
+ Extract grubtest.cfg:<br/>
+ $ <b>./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg</b><br/>
+ And modify:<br/>
+ $ <b>nano grubtest.cfg</b>
+ </p>
+
+ <p>
+ In grubtest.cfg, inside the 'Load Operating System' menu entry, change the contents to:
+ </p>
+<pre>
+cryptomount -a<br/>
+set root='lvm/matrix-root'<br/>
+linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/root cryptdevice=/dev/sda1:root<br/>
+initrd /boot/initramfs-linux-libre<u>-lts</u>.img
+</pre>
+
+ <p>
+ Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels.
+ You could also copy the menu entry and in one have -lts, and without in the other menuentry.
+ You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
+ The first entry will load by default.
+ </p>
+
+ <p>
+ Without specifying a device, the <i>-a</i> parameter tries to unlock all detected LUKS volumes.
+ You can also specify -u UUID or -a (device).
+ </p>
+
+ <p>
+ Now, to protect your system from an attacker simply booting a live usb distro and re-flashing the boot firmware, we are going to add a password for GRUB.
+ In a new terminal window, if you are not yet online, start dhcp on ethernet:<br/>
+ # <b>systemctl start dhcpcd.service</b>
+ Or make sure to get connected to the internet in any other way you prefer, at least.
+ </p>
+
+ <p>
+ Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
+ </p>
+
+ <p style="font-size:2em;">
+ AGAIN: MAKE SURE TO DO THIS WHOLE SECTION ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg.
+ (When we get there, upon reboot, select the menu entry that says <i>Switch to grubtest.cfg</i> and test that it works.
+ Only once you are satisfied, copy that to grub.cfg. Only a few steps to go, though.)
+ WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.
+ </p>
+
+ <p>
+ (emphasis added, because it's needed: this is a common roadblock for users.)
+ </p>
+
+ <p>
+ We need a utility that comes with GRUB, so we will download it temporarily. (Remember that GRUB isn't needed for booting, since it's already included as a payload in libreboot.)
+ Also, we will use flashrom, and I installed dmidecode. You only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here
+ it is:<br/>
+ # <b>pacman -S grub flashrom dmidecode base-devel</b><br/>
+ Next, do:<br/>
+ # <b>grub-mkpasswd-pbkdf2</b><br/>
+ Enter your chosen password at the prompt and your hash will be shown. Copy this string - you will add it to your grubtest.cfg.
+ </p>
+
+ <p>
+ The password below (it's <b>password</b>, by the way) after <i>'password_pbkdf2 root'</i> <i>should be changed</i> to your own.
+ Make sure to specify a password that is different from both your LUKS *and* your root/user password.
+ Obviously, do not simply copy and paste the examples shown here...
+ </p>
+
+ <p>
+ Next, back in grubtest.cfg, above the first 'Load Operating System' menu entry, you should now add your GRUB password, like so
+ (replace with your own name (I used <b>root</b> on both lines, feel free to choose another one) and the password hash which you copied):
+ </p>
+<pre>
+set superusers=&quot;root&quot;
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+</pre>
+
+ <p>
+ Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image:<br/>
+ $ <b>./cbfstool libreboot.rom remove -n grubtest.cfg</b><br/>
+ and insert the modified grubtest.cfg:<br/>
+ $ <b>./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw</b><br/>
+ </p>
+
+ <p>
+ Now refer to <a href="http://libreboot.org/docs/install/index.html#flashrom">http://libreboot.org/docs/install/index.html#flashrom</a>.
+ Cd (up) to the libreboot_util directory and update the flash chip contents:<br/>
+ # <b>./flash update libreboot.rom</b><br/>
+ Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:<br/>
+ # <b>./flash forceupdate libreboot.rom</b><br/>
+ You should see "Verifying flash... VERIFIED." written at the end of the flashrom output.
+ </p>
+
+ <p>
+ With this new configuration, Parabola can boot automatically and you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal.
+ Let's test it out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow keys on your keyboard.
+ Enter the name you chose, the GRUB password, your LUKS passphrase and login as root/your user. All went well? Great!
+ </p>
+
+ <p>
+ If it does not work like you want it to, if you are unsure or sceptical in any way, don't despair: you have been wise and did not brick your device! Reboot and login the default way, and then modify
+ your grubtest.cfg until you get it right!
+ <b>Do *not* proceed past this point unless you are 100% sure that your new configuration is safe (or desirable) to use.</b>
+ </p>
+
+ <p>
+ Now, we can easily and safely create a copy of grubtest.cfg, called grub.cfg. This will be the same except for one difference: the menuentry 'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg'
+ and, inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever
+ want to follow this guide again in the future (modifying the already modified config).
+ Inside libreboot_util/cbfstool/{armv7l i686 x86_64}, we can do this with the following command:<br/>
+ $ <b>sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' &lt; grubtest.cfg &gt; grub.cfg</b><br/>
+ Delete the grub.cfg that remained inside the ROM:<br/>
+ $ <b>./cbfstool libreboot.rom remove -n grub.cfg</b><br/>
+ Add the modified version that you just made:<br/>
+ $ <b>./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw</b><br/>
+ </p>
+
+ <p>
+ Now you have a modified ROM. Once more, refer to <a href="http://libreboot.org/docs/install/index.html#flashrom">http://libreboot.org/docs/install/index.html#flashrom</a>.
+ Cd to the libreboot_util directory and update the flash chip contents:<br/>
+ # <b>./flash update libreboot.rom</b><br/>
+ And wait for the "Verifying flash... VERIFIED." Once you have done that, shut down and then boot up with your new configuration.
+ </p>
+
+ <p>
+ When done, delete GRUB (remember, we only needed it for the <i>grub-mkpasswd-pbkdf2</i> utility;
+ GRUB is already part of libreboot, flashed alongside it as a <i>payload</i>):<br/>
+ # <b>pacman -R grub</b>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ If you followed all that correctly, you should now have a fully encrypted Parabola installation.
+ Refer to the wiki for how to do the rest.
+ </p>
+
+ </div>
+
+ <div class="section">
+ <h2>Bonus: Using a key file to unlock /boot/</h2>
+ <p>
+ By default, you will have to enter your LUKS passphrase twice; once in GRUB, and once when booting the kernel.
+ GRUB unlocks the encrypted partition and then loads the kernel, but the kernel is not aware of the fact
+ that it is being loaded from an encrypted volume. Therefore, you will be asked to enter your passphrase a second time.
+ A workaround is to put a keyfile inside initramfs, with instructions for the kernel to use it when
+ booting. This is safe, because /boot/ is encrypted (otherwise, putting a keyfile inside initramfs would be a bad idea).<br/>
+
+ Boot up and login as root or your user. Then generate the key file:<br/>
+ # <b>dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock</b><br/>
+ Insert it into the luks volume:<br/>
+ # <b>cryptsetup luksAddKey /dev/sdX /etc/mykeyfile</b><br/>
+ and enter your LUKS passphrase when prompted.
+ Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:<br/>
+ # <b>FILES="/etc/mykeyfile"</b><br/>
+ Create the initramfs image from scratch:<br/>
+ # <b>mkinitcpio -p linux-libre</b><br/>
+ # <b>mkinitcpio -p linux-libre-lts</b><br/>
+ # <b>mkinitcpio -p linux-libre-grsec</b><br/>
+ Add the following to your grub.cfg - you are now able to do that, see above! -, or add it in the kernel command line for GRUB:<br/>
+ # <b>cryptkey=rootfs:/etc/mykeyfile</b><br/>
+ <br/>
+ You can also place this inside the grub.cfg that exists in CBFS: <a href="grub_cbfs.html">grub_cbfs.html</a>.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2>Further security tips</h2>
+ <p>
+ <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.<br/>
+ <a href="https://wiki.parabolagnulinux.org/User:GNUtoo/laptop">https://wiki.parabolagnulinux.org/User:GNUtoo/laptop</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1 id="troubleshooting">Troubleshooting</h1>
+
+ <p>
+ A user reported issues when booting with a docking station attached
+ on an X200, when decrypting the disk in GRUB. The error
+ <i>AHCI transfer timed out</i> was observed. The workaround
+ was to remove the docking station.
+ </p>
+
+ <p>
+ Further investigation revealed that it was the DVD drive causing problems.
+ Removing that worked around the issue.
+ </p>
+
+<pre>
+
+&quot;sudo wodim -prcap&quot; shows information about the drive:
+Device was not specified. Trying to find an appropriate drive...
+Detected CD-R drive: /dev/sr0
+Using /dev/cdrom of unknown capabilities
+Device type : Removable CD-ROM
+Version : 5
+Response Format: 2
+Capabilities :
+Vendor_info : 'HL-DT-ST'
+Identification : 'DVDRAM GU10N '
+Revision : 'MX05'
+Device seems to be: Generic mmc2 DVD-R/DVD-RW.
+
+Drive capabilities, per MMC-3 page 2A:
+
+ Does read CD-R media
+ Does write CD-R media
+ Does read CD-RW media
+ Does write CD-RW media
+ Does read DVD-ROM media
+ Does read DVD-R media
+ Does write DVD-R media
+ Does read DVD-RAM media
+ Does write DVD-RAM media
+ Does support test writing
+
+ Does read Mode 2 Form 1 blocks
+ Does read Mode 2 Form 2 blocks
+ Does read digital audio blocks
+ Does restart non-streamed digital audio reads accurately
+ Does support Buffer-Underrun-Free recording
+ Does read multi-session CDs
+ Does read fixed-packet CD media using Method 2
+ Does not read CD bar code
+ Does not read R-W subcode information
+ Does read raw P-W subcode data from lead in
+ Does return CD media catalog number
+ Does return CD ISRC information
+ Does support C2 error pointers
+ Does not deliver composite A/V data
+
+ Does play audio CDs
+ Number of volume control levels: 256
+ Does support individual volume control setting for each channel
+ Does support independent mute setting for each channel
+ Does not support digital output on port 1
+ Does not support digital output on port 2
+
+ Loading mechanism type: tray
+ Does support ejection of CD via START/STOP command
+ Does not lock media on power up via prevent jumper
+ Does allow media to be locked in the drive via PREVENT/ALLOW command
+ Is not currently in a media-locked state
+ Does not support changing side of disk
+ Does not have load-empty-slot-in-changer feature
+ Does not support Individual Disk Present feature
+
+ Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Rotational control selected: CLV/PCAV
+ Buffer size in KB: 1024
+ Copy management revision supported: 1
+ Number of supported write speeds: 4
+ Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
+ Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
+ Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
+ Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
+
+Supported CD-RW media types according to MMC-4 feature 0x37:
+ Does write multi speed CD-RW media
+ Does write high speed CD-RW media
+ Does write ultra high speed CD-RW media
+ Does not write ultra high speed+ CD-RW media
+
+</pre>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015, 2016 Leah Rowe &lt;info@minifree.org&gt;<br/>
+ Copyright &copy; 2015 Jeroen Quint &lt;jezza@diplomail.ch&gt;<br/>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
+ </p>
+
+ <p>
+ Updated versions of the license (when available) can be found at
+ <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
+ </p>
+
+ <p>
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+ </p>
+
+ </div>
+
+</body>
+</html>
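Review bot: In the "Bonus: Using a key file to unlock /boot/" section, /etc/mykeyfile is created with dd under whatever umask root has (typically leaving it world-readable) and is then copied into every initramfs through FILES, but no step restricts its permissions. Add a line such as "chmod 600 /etc/mykeyfile" directly after the dd command, and state that the initramfs images now contain the key and rely on the "chmod 700 /boot" step from "Extra security tweaks". In the same section, luksAddKey uses /dev/sdX while the rest of the guide uses /dev/sda1, and FILES="/etc/mykeyfile" and cryptkey=rootfs:/etc/mykeyfile are shown behind a "#" root prompt although neither is a command; show the first as a line of /etc/mkinitcpio.conf and the second as a kernel parameter appended to the "linux" line. In the grubtest.cfg notes, "You can also specify -u UUID or -a (device)" should read "-u UUID or (device)", because cryptomount takes the device without -a. This file is also added under docs/bsd in a commit described as OpenBSD docs, yet every step in it (cryptsetup, LVM, pacman, mkinitcpio) is specific to Parabola; drop it from docs/bsd or replace it with OpenBSD content. Typos: "is quotes" and "Ocassionally" in the flashrom paragraphs.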
diff --git a/docs/bsd/grub_boot_installer.html b/docs/bsd/grub_boot_installer.html
new file mode 100644
index 00000000..d3baa90d
--- /dev/null
+++ b/docs/bsd/grub_boot_installer.html
@@ -0,0 +1,219 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>How to install OpenBSD on a libreboot system</title>
+</head>
+
+<body>
+ <div id="pagetop" class="section">
+ <h1>How to install OpenBSD on a libreboot system</h1>
+ <p>
+ This section relates to preparing, booting and installing a
+ OpenBSD distribution on your libreboot system, using nothing more than a USB flash drive (and <i>dd</i>). They've only been tested on a Lenovo ThinkPad x200.
+ </p>
+ <ul>
+ <li><a href="#prepare">Prepare the USB drive (in OpenBSD)</a></li>
+ <li><a href="#noencryption">Installing OpenBSD without full disk encryption</a></li>
+ <li><a href="#encryption">Installing OpenBSD with full disk encryption</a></li>
+ <li><a href="#bootuing">Booting</a></li>
+ <li><a href="#configuring_grub">Configuring Grub</a></li>
+ <li><a href="#troubleshooting">Troubleshooting</a></li>
+ </ul>
+ <p>
+ <a href="index.html">Back to previous index</a>
+ </p>
+ </div>
+
+ <div class="section">
+ <p>
+ <b>This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions
+ have yet to be written in the libreboot documentation.</b>
+ </p>
+ </div>
+
+ <div id="prepare" class="section">
+
+ <h2>Prepare the USB drive (in OpenBSD)</h2>
+
+ <p>
+ Connect the USB drive. Check dmesg:<br/>
+ <b>$ dmesg | tail</b><br/>
+
+ Check to confirm which drive it is, for example, if you think its sd3:<br/>
+ <b>$ disklabel sd3</b>
+ </p>
+
+ <p>
+ Check that it wasn't automatically mounted. If it was, unmount it. For example:<br/>
+ <b>$ doas umount /dev/sdXz</b><br/>
+ </p>
+
+ <p>
+ dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:<br/>
+ <b>$ doas dd if=install60.iso of=/dev/rsdXz bs=1M; sync</b><br/>
+ </p>
+
+ <p>
+ You should now be able to boot the installer from your USB drive. Continue reading, for
+ information about how to do that.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page</a>.
+ </p>
+
+ </div>
+
+ <div id="noencryption" class="section">
+
+ <h2>Installing OpenBSD without full disk encryption</h2>
+
+ <p>
+ Press C in GRUB to access the command line:
+ </p>
+ <p>
+ grub> <b>kopenbsd (usb0)/6.0/amd64/bsd.rd</b>
+ </p>
+ <p>
+ It will start booting into the OpenBSD installer. Follow the normal process for installing OpenBSD.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page</a>.
+ </p>
+
+ </div>
+
+ <div id="encryption" class="section">
+
+ <h2>Installing OpenBSD with full disk encryption</h2>
+
+ <p>
+ Not working. You can modify the above procedure (installation w/o encryption) to install OpenBSD using full disk encryption, and it appears to work, except that its not yet clear how to actually <i>boot</i> an OpenBSD+FDE installation using libreboot+Grub2. If you get it working, please let us know.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page</a>.
+ </p>
+
+ </div>
+
+ <div id="booting" class="section">
+
+ <h2>Booting</h2>
+
+ <p>
+ Press C in GRUB to access the command line:
+ </p>
+ <p>
+ grub> <b>kopenbsd -r sd0a (ahci0,openbsd1)/bsd</b>
+ </p>
+ <p>
+ OpenBSD will start booting. Yay!
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page</a>.
+ </p>
+
+ </div>
+
+ <div id="configuring_grub" class="section">
+
+ <h2>Configuring Grub</h2>
+
+ <p>
+ If you don't want to drop to the GRUB command line and type in a command to boot OpenBSD every time, you can create a GRUB configuration that's aware of your OpenBSD installation and that will automatically be used by libreboot. The <a href="../gnulinux/grub_cbfs.html">instructions</a> are the same as for GNU/Linux.
+ </p>
+ <p>
+ In short, create a Grub2 config file that will add OpenBSD to the GRUB menu and set it as the default. Place your config at /grub/libreboot_grub.cfg. Reboot. Viola.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page</a>.
+ </p>
+
+ </div>
+
+ <div id="troubleshooting" class="section">
+
+ <h1>Troubleshooting</h1>
+
+ <p>
+ Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer.
+ This mode is useful for booting payloads like memtest86+ which expect text-mode, but for OpenBSD distributions
+ it can be problematic when they are trying to switch to a framebuffer because it doesn't exist.
+ </p>
+
+ <p>
+ In most cases, you should use the vesafb ROM images. Example filename: libreboot_ukdvorak_vesafb.rom.
+ </p>
+
+ <h2>won't boot...something about file not found</h2>
+ <p>
+ You device names (i.e. usb0, usb1, sd0, sd1, wd0, ahci0, hd0, etc) and numbers may differ. Use TAB completion.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page</a>.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015 Leah Rowe &lt;info@minifree.org&gt;<br/>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
+ </p>
+
+ <p>
+ Updated versions of the license (when available) can be found at
+ <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
+ </p>
+
+ <p>
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+ </p>
+
+ </div>
+
+</body>
+</html>
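Review bot: In "Prepare the USB drive", the dd step writes to /dev/rsdXz without saying what X and z stand for, while the disklabel step just above it uses sd3; a reader who guesses wrong overwrites a different disk. State that X is the unit number reported by dmesg and name the partition letter to use (on OpenBSD the whole-disk partition is c, so the example would read rsd3c), and use the same placeholder convention in the umount line. The commit message says not all steps are verified yet, so mark on the page which ones are. Smaller points in the same hunk: "Configuring Grub" links to ../gnulinux/grub_cbfs.html although this commit adds docs/bsd/grub_cbfs.html, and it gives no sample menuentry even though the kopenbsd line from "Booting" could be reused there; "its sd3", "its not yet clear", "Viola", "You device names" and "OpenBSD distributions" need fixing.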
diff --git a/docs/bsd/grub_cbfs.html b/docs/bsd/grub_cbfs.html
new file mode 100644
index 00000000..6e7ba447
--- /dev/null
+++ b/docs/bsd/grub_cbfs.html
@@ -0,0 +1,366 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>How to replace the default GRUB configuration file on a libreboot system</title>
+</head>
+
+<body>
+ <div class="section">
+ <h1 id="pagetop">How to replace the default GRUB configuration file on a libreboot system</h1>
+ <p>
+ Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and its GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+ </p>
+ <p>
+ A libreboot (or coreboot) ROM image is not simply &quot;flat&quot;; there is an actual
+ filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool'
+ allows you to change the contents of the ROM image. In this case, libreboot is configured
+ such that the 'grub.cfg' and 'grubtest.cfg' files exist directly inside CBFS instead of
+ inside the GRUB payload 'memdisk' (which is itself stored in CBFS).
+ </p>
+ <p>
+ You can either modify
+ the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration
+ file on the main storage which the libreboot GRUB payload will automatically search for.
+ </p>
+ <p>
+ Here is an excellent writeup about CBFS (coreboot filesystem):
+ <a href="http://lennartb.home.xs4all.nl/coreboot/col5.html">http://lennartb.home.xs4all.nl/coreboot/col5.html</a>.
+ </p>
+ <p>
+ <b>This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.</b>
+ </p>
+ <p>
+ <a href="index.html">Back to previous index</a>
+ </p>
+ </div>
+
+ <div class="section">
+
+ <h1>Table of Contents</h1>
+
+ <ul>
+ <li><a href="#introduction">Introduction</a></li>
+ <li><a href="#option1_dont_reflash">1st option: don't re-flash</a></li>
+ <li>
+ <a href="#option2_reflash">2nd option: re-flash</a>
+ <ul>
+ <li><a href="#tools">Acquire the necessary utilities</a></li>
+ <li><a href="#rom">Acquiring the correct ROM image</a></li>
+ <li><a href="#extract_testconfig">Extract grubtest from the ROM image</a>
+ <li><a href="#reinsert_modified_testconfig">Re-insert the modified grubtest.cfg into the ROM image</a></li>
+ <li><a href="#testing">Testing</a>
+ <li><a href="#final_steps">Final steps</a></li>
+ </ul>
+ </li>
+ </ul>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="introduction">Introduction</h2>
+
+ <p>
+ Download the latest release from
+ <a href="http://libreboot.org/">http://libreboot.org/</a>
+ <br/><b>If you downloaded from git, refer to
+ <a href="../git/index.html#build_meta">../git/index.html#build_meta</a> before continuing.</b>
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ <p>
+ There are several advantages to modifying the GRUB configuration stored in CBFS, but
+ this also means that you have to flash a new libreboot ROM image on your system (some users
+ feel intimidated by this, to say the least).
+ Doing so can be risky if not handled correctly, because it can result in a bricked
+ system (recovery is easy if you have the <a href="../install/bbb_setup.html">equipment</a>
+ for it, but most people don't). If you aren't up to that then don't worry; it is possible
+ to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration
+ from a partition on the main storage instead.
+ </p>
+
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="option1_dont_reflash">1st option: don't re-flash</h2>
+
+ <p>
+ By default, GRUB in libreboot is configured to scan all partitions on the main storage
+ for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot
+ is on a dedicated partition), and then use it automatically.
+ </p>
+ <p>
+ Simply create your custom GRUB configuration and save it to <b>/boot/grub/libreboot_grub.cfg</b>
+ on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to
+ this configuration file. <b>This means that you do not have to re-flash, recompile or otherwise
+ modify libreboot at all!</b>
+ </p>
+
+ <p>
+ Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written
+ specifically under the assumption that it will be read and used on a libreboot system that uses
+ GRUB as a payload. If your distribution does not do this, then you can try to add that feature
+ yourself or politely ask someone involved with or otherwise knowledgeable about the distribution
+ to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could
+ chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in
+ a partition on the main storage.
+ </p>
+
+ <p>
+ If you want to adapt a copy of the existing <i>libreboot</i> GRUB configuration and use that for the libreboot_grub.cfg file, then
+ follow <a href="#tools">#tools</a>, <a href="#rom">#rom</a> and
+ <a href="#extract_testconfig">#extract_testconfig</a> to get the <b><i>grubtest.cfg</i></b>.
+ Rename <b><i>grubtest.cfg</i></b> to <b><i>libreboot_grub.cfg</i></b> and save it to <b><i>/boot/grub/</i></b>
+ on the running system where it is intended to be used. Modify the file at that location however you see fit,
+ and then stop reading this guide (the rest of this page is irrelevant to you); <b>in libreboot_grub.cfg on disk,
+ if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop.</b>.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="option2_reflash">2nd option: re-flash</h2>
+
+ <p>
+ You can modify what is stored inside the flash chip quite easily. Read on to find out how.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+ <div class="section">
+ <h2 id="tools">Acquire the necessary utilities</h2>
+
+ <p>
+ Use <b><i>cbfstool</i></b> and <b><i>flashrom</i></b>. There are available in the <i>libreboot_util</i> release archive,
+ or they can be compiled (see <a href="../git/index.html#build_flashrom">../git/index.html#build_flashrom</a>).
+ Flashrom is also available from the repositories:<br/>
+ # <b>pacman -S flashrom</b>
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="rom">Acquiring the correct ROM image</h2>
+
+ <p>
+ You can either work directly with one of the ROM images already included in the libreboot ROM archives, or re-use the ROM that
+ you have currently flashed. For the purpose of this tutorial it is assumed that your ROM image file is named <i>libreboot.rom</i>,
+ so please make sure to adapt.
+ </p>
+ <p>
+ ROM images are included pre-compiled in libreboot. You can also dump your current firmware, using flashrom:<br/>
+ $ <b>sudo flashrom -p internal -r libreboot.rom</b><br/>
+ # <b>flashrom -p internal -r libreboot.rom</b><br/>
+ If you are told to specify the chip, add the option <b>-c {your chip}</b> to the command, for example:<br/>
+ # <b>flashrom -c MX25L6405 -p internal -r libreboot.rom</b>
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="extract_testconfig">Extract grubtest.cfg from the ROM image</h2>
+
+ <p>
+ You can check the contents of the ROM image, inside CBFS:<br/>
+ <b>$ cd .../libreboot_util/cbfstool</b>
+ <b>$ ./cbfstool libreboot.rom print</b>
+ </p>
+
+ <p>
+ The files <i>grub.cfg</i> and <i>grubtest.cfg</i> should be present. grub.cfg is loaded by default,
+ with a menuentry for switching to grubtest.cfg. In this tutorial, you will first modify and test <i>grubtest.cfg</i>.
+ This is to reduce the possibility of bricking your device, so DO NOT SKIP THIS!
+ </p>
+
+ <p>
+ Extract grubtest.cfg from the ROM image:<br/>
+ <b>$ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg</b>
+ </p>
+
+ <p>
+ Modify the grubtest.cfg accordingly.
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="reinsert_modified_testconfig">Re-insert the modified grubtest.cfg into the ROM image</h2>
+
+ <p>
+ Once your grubtest.cfg is modified and saved, delete the unmodified config from the ROM image:<br/>
+ <b>$ ./cbfstool libreboot.rom remove -n grubtest.cfg</b>
+ </p>
+
+ <p>
+ Next, insert the modified version:<br/>
+ <b>$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw</b>
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="testing">Testing</h2>
+
+ <p>
+ <b>
+ Now you have a modified ROM. Refer back to <a href="../install/index.html#flashrom">../install/index.html#flashrom</a> for information
+ on how to flash it.<br/>
+ $ <b>cd /libreboot_util</b>
+ # <b>./flash update libreboot.rom</b><br/>
+ Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:<br/>
+ # <b>./flash forceupdate libreboot.rom</b><br/>
+ You should see <b>&quot;Verifying flash... VERIFIED.&quot;</b> written at the end of the flashrom output.
+ Once you have done that, shut down and then boot up with your new test configuration.
+ </b>
+ </p>
+
+ <p>
+ Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below.
+ </p>
+
+ <p>
+ <b>
+ If it does not work like you want it to, if you are unsure or sceptical in any way,
+ then re-do the steps above until you get it right! Do *not* proceed past this point
+ unless you are 100% sure that your new configuration is safe (or desirable) to use.
+ </b>
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="final_steps">Final steps</h2>
+
+ <p>
+ When you are satisfied booting from grubtest.cfg, you can create a copy of grubtest.cfg, called grub.cfg. This is the same except for one difference:
+ the menuentry 'Switch to grub.cfg' will be changed to 'Switch to grubtest.cfg' and inside it,
+ all instances of grub.cfg to grubtest.cfg. This is so that the main config still
+ links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in
+ case you ever want to follow this guide again in the future (modifying the already modified config). From /libreboot_util/cbfstool, do:<br/>
+ $ <b>sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' &lt; grubtest.cfg &gt; grub.cfg</b><br/>
+ </p>
+
+ <p>
+ Delete the grub.cfg that remained inside the ROM:<br/>
+ <b>$ ./cbfstool libreboot.rom remove -n grub.cfg</b>
+ </p>
+
+ <p>
+ Add the modified version that you just made:<br/>
+ <b>$ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw</b>
+ </p>
+
+ <p>
+ <b>
+ Now you have a modified ROM. Again, refer back to <a href="../install/index.html#flashrom">../install/index.html#flashrom</a> for information
+ on how to flash it. It's the same method as you used before. Shut down and then boot up with your new configuration.
+ </b>
+ </p>
+
+ <p>
+ <a href="#pagetop">Back to top of page.</a>
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015 Leah Rowe &lt;info@minifree.org&gt;<br/>
+ Copyright &copy; 2015 Jeroen Quint &lt;jezza@diplomail.ch&gt;<br/>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
+ </p>
+
+ <p>
+ Updated versions of the license (when available) can be found at
+ <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
+ </p>
+
+ <p>
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+ </p>
+
+ </div>
+
+</body>
+</html>
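Review bot: "Acquire the necessary utilities" and "Acquiring the correct ROM image" still carry GNU/Linux commands ("# pacman -S flashrom", "$ sudo flashrom -p internal -r libreboot.rom"), which do not fit a page under docs/bsd; grub_boot_installer.html in this same commit uses doas. Replace them with the OpenBSD equivalents, or say that these steps are run from a GNU/Linux system. The "1st option" section tells the reader to save to /boot/grub/libreboot_grub.cfg, while the OpenBSD install page says /grub/libreboot_grub.cfg; use one path that exists on an OpenBSD installation. Because that section says GRUB scans all partitions for the file and uses it automatically, add a sentence noting that whoever can write that file controls the boot menu. In the table of contents, the list items for #extract_testconfig and #testing are missing their closing </li>, and in "Testing" the "cd /libreboot_util" line has no <br/> before the "./flash update" line, so the two commands render as one.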
diff --git a/docs/bsd/index.html b/docs/bsd/index.html
new file mode 100644
index 00000000..028befc6
--- /dev/null
+++ b/docs/bsd/index.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>BSD distributions</title>
+</head>
+
+<body>
+
+ <div class="section">
+
+ <h1 id="pagetop">BSD distributions</h1>
+ <p>
+ This section relates to dealing with BSD distributions: preparing bootable USB drives,
+ changing the default GRUB menu and so on.
+ </p>
+ <p>
+ <b>This section is only for the *GRUB* payload. For depthcharge, instructions have yet to be written.</b>
+ </p>
+ <p>
+ <a href="../index.html">Back to previous index</a>.
+ </p>
+ <ul>
+ <li><a href="grub_boot_installer.html">How to install OpenBSD on a libreboot system</a></li>
+ <li><a href="grub_cbfs.html">How to replace the default GRUB configuration file on a libreboot system</a></li>
+ </ul>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015 Leah Rowe &lt;info@minifree.org&gt;<br/>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
+ </p>
+
+ <p>
+ Updated versions of the license (when available) can be found at
+ <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
+ </p>
+
+ <p>
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+ </p>
+ <p>
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+ </p>
+
+ </div>
+
+</body>
+</html>
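Review bot: The link list in this index names only grub_boot_installer.html and grub_cbfs.html, but the diffstat shows the commit also adding configuring_parabola.html, encrypted_debian.html and encrypted_parabola.html under docs/bsd. Those three are GNU/Linux pages and are unreachable from here; drop them from docs/bsd rather than shipping unlinked copies, or explain why they belong. The copyright block credits only Leah Rowe for 2014 and 2015 although the page is new in this 2016 commit, so add the current author and year if that matches the project's convention. "BSD distributions" in the title and heading reads as carried over from "GNU/Linux distributions"; since only OpenBSD is covered, say so.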