aboutsummaryrefslogtreecommitdiff
path: root/docs/gnulinux
diff options
context:
space:
mode:
Diffstat (limited to 'docs/gnulinux')
-rw-r--r--docs/gnulinux/encrypted_debian.md44
-rw-r--r--docs/gnulinux/grub_boot_installer.md67
-rw-r--r--docs/gnulinux/grub_cbfs.md14
-rw-r--r--docs/gnulinux/grub_hardening.md14
4 files changed, 74 insertions, 65 deletions
diff --git a/docs/gnulinux/encrypted_debian.md b/docs/gnulinux/encrypted_debian.md
index 29e34e43..2a1e2e79 100644
--- a/docs/gnulinux/encrypted_debian.md
+++ b/docs/gnulinux/encrypted_debian.md
@@ -22,17 +22,20 @@ tampering by someone with physical access to the system.
This guide is written for Debian net installer. You can download the ISO
from the homepage on [debian.org](https://www.debian.org/). Use this on
-the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\
-**set root='usb0'\
-linux /install.amd/vmlinuz\
-initrd /install.amd/initrd.gz\
-boot\
-** If you are on a 32-bit system (e.g. X60):\
-**set root='usb0'\
-linux /install.386/vmlinuz\
-initrd /install.386/initrd.gz\
-boot**
-
+the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):
+
+ set root='usb0'
+ linux /install.amd/vmlinuz
+ initrd /install.amd/initrd.gz
+ boot
+
+If you are on a 32-bit system (e.g. X60):
+
+ set root='usb0'
+ linux /install.386/vmlinuz
+ initrd /install.386/initrd.gz
+ boot
+
[This guide](grub_boot_installer.md) shows how to create a boot USB
drive with the Debian ISO image.
@@ -165,13 +168,11 @@ Booting your system
===================
At this point, you will have finished the installation. At your GRUB
-payload, press C to get to the command line.
+payload, press C to get to the command line, and enter:
-Do that:\
grub> cryptomount -a
- grub> set root='lvm/matrix-rootvol'\
-grub> **linux /vmlinuz root=/dev/mapper/matrix-rootvol
-cryptdevice=/dev/mapper/matrix-rootvol:root**\
+ grub> set root='lvm/matrix-rootvol'
+ grub> linux /vmlinuz root=/dev/mapper/matrix-rootvolcryptdevice=/dev/mapper/matrix-rootvol:root
grub> initrd /initrd.img
grub> boot
@@ -200,12 +201,11 @@ Modify your grub.cfg (in the firmware) [using this
tutorial](grub_cbfs.md); just change the default menu entry 'Load
Operating System' to say this inside:
-**cryptomount -a**\
-**set root='lvm/matrix-rootvol'**\
-**linux /vmlinuz root=/dev/mapper/matrix-rootvol
-cryptdevice=/dev/mapper/matrix-rootvol:root**\
-**initrd /initrd.img**
-
+ cryptomount -a
+ set root='lvm/matrix-rootvol'
+ linux /vmlinuz root=/dev/mapper/matrix-rootvolcryptdevice=/dev/mapper/matrix-rootvol:root
+ initrd /initrd.img
+
Without specifying a device, the *-a* parameter tries to unlock all
detected LUKS volumes. You can also specify -u UUID or -a (device).
diff --git a/docs/gnulinux/grub_boot_installer.md b/docs/gnulinux/grub_boot_installer.md
index b89c5b5d..6137b5b7 100644
--- a/docs/gnulinux/grub_boot_installer.md
+++ b/docs/gnulinux/grub_boot_installer.md
@@ -87,10 +87,8 @@ Continue reading, for information about how to do that.
Installing GNU+Linux with full disk encryption
----------------------------------------------
-- [Installing Debian or Devuan GNU+Linux with full disk encryption
- (including /boot)](encrypted_debian.md)
-- [Installing Parabola GNU+Linux with full disk encryption (including
- /boot)](encrypted_parabola.md)
+- [Debian or Devuan GNU+Linux with full disk encryption](encrypted_debian.md)
+- [Parabola GNU+Linux with full disk encryption](encrypted_parabola.md)
Debian or Devuan net install?
-----------------------------
@@ -98,16 +96,21 @@ Debian or Devuan net install?
Download the Debian or Devuan net installer. You can download the ISO
from the homepage on [debian.org](https://www.debian.org/), or [the
Devuan homepage](https://www.devuan.org/) for Devuan. Use this on the
-GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\
-**set root='usb0'\
-linux /install.amd/vmlinuz\
-initrd /install.amd/initrd.gz\
-boot\
-** If you are on a 32-bit system (e.g. X60):\
-**set root='usb0'\
-linux /install.386/vmlinuz\
-initrd /install.386/initrd.gz\
-boot**\
+GRUB terminal to boot it from USB (for 64-bit Intel or AMD):
+
+
+ set root='usb0'
+ linux /install.amd/vmlinuz
+ initrd /install.amd/initrd.gz
+ boot
+
+If you are on a 32-bit system (e.g. X60):
+
+ set root='usb0'
+ linux /install.386/vmlinuz
+ initrd /install.386/initrd.gz
+ boot
+
We recommend using the *MATE* desktop.
Booting ISOLINUX images (automatic method)
@@ -126,14 +129,21 @@ distribution. You must adapt them appropriately, for whatever GNU+Linux
distribution it is that you are trying to install.*
If the ISOLINUX parser or *Search for GRUB configuration* options won't
-work, then press C in GRUB to access the command line.\
+work, then press C in GRUB to access the command line.
+
grub> ls
-Get the device from above output, eg (usb0). Example:\
- grub> cat (usb0)/isolinux/isolinux.cfg\
+
+Get the device from above output, eg (usb0). Example:
+
+ grub> cat (usb0)/isolinux/isolinux.cfg
+
Either this will show the ISOLINUX menuentries for that ISO, or link to
-other .cfg files, for example /isolinux/foo.cfg.\
-If it did that, then you do:\
+other .cfg files, for example /isolinux/foo.cfg.
+
+If it did that, then you do:
+
grub> cat (usb0)/isolinux/foo.cfg
+
And so on, until you find the correct menuentries for ISOLINUX. **The
file */isolinux/foo.cfg* is a fictional example. Do not actually use
this example, unless you actually have that file, if it is
@@ -149,15 +159,17 @@ options in txt.cfg. This is important if you want 64-bit booting on your
system. Devuan versions based on Debian 8.x may also have the same
issue.
-Now look at the ISOLINUX menuentry. It'll look like:\
-**kernel /path/to/kernel\
-append PARAMETERS initrd=/path/to/initrd MAYBE\_MORE\_PARAMETERS\
-** GRUB works the same way, but in it's own way. Example GRUB
-commands:\
- grub> set root='usb0'\
+Now look at the ISOLINUX menuentry. It'll look like:
+
+ kernel /path/to/kernel append PARAMETERS initrd=/path/to/initrd ...
+
+GRUB works similarly. Example GRUB commands:
+
+ grub> set root='usb0'
grub> linux /path/to/kernel PARAMETERS MAYBE\_MORE\_PARAMETERS
grub> initrd /path/to/initrd
grub> boot
+
Note: *usb0* may be incorrect. Check the output of the *ls* command in
GRUB, to see a list of USB devices/partitions. Of course this will vary
from distro to distro. If you did all of that correctly, then it should
@@ -188,8 +200,9 @@ When using the ROM images that use coreboot's "text mode" instead of
the coreboot framebuffer, booting the Debian or Devuan net installer
results in graphical corruption because it is trying to switch to a
framebuffer which doesn't exist. Use that kernel parameter on the
-'linux' line when booting it:\
-**vga=normal fb=false**
+'linux' line when booting it:
+
+ vga=normal fb=false
This forces debian-installer to start in text-mode, instead of trying to
switch to a framebuffer.
diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md
index 30089f9f..01e4d3de 100644
--- a/docs/gnulinux/grub_cbfs.md
+++ b/docs/gnulinux/grub_cbfs.md
@@ -45,7 +45,7 @@ If you aren't up to that then don't worry; it is possible to use a
custom GRUB menu without flashing a new image, by loading a GRUB
configuration from a partition on the main storage instead.
-1st option: don't re-flash {#option1_dont_reflash}
+1st option: don't re-flash
---------------------------
By default, GRUB in libreboot is configured to scan all partitions on
@@ -81,13 +81,13 @@ of this page is irrelevant to you); **in libreboot\_grub.cfg on disk, if
you are adapting it based on grub.cfg from CBFS then remove the check
for libreboot\_grub.cfg otherwise it will loop.**.
-2nd option: re-flash {#option2_reflash}
+2nd option: re-flash
--------------------
You can modify what is stored inside the flash chip quite easily. Read
on to find out how.
-Acquire the necessary utilities {#tools}
+Acquire the necessary utilities
-------------------------------
Use ***cbfstool*** and ***flashrom***. There are available in the
@@ -97,7 +97,7 @@ available from the repositories:
# pacman -S flashrom
-Acquiring the correct ROM image {#rom}
+Acquiring the correct ROM image
-------------------------------
You can either work directly with one of the ROM images already included
@@ -116,7 +116,7 @@ to the command, for example:
# flashrom -c MX25L6405 -p internal -r libreboot.rom
-Extract grubtest.cfg from the ROM image {#extract_testconfig}
+Extract grubtest.cfg from the ROM image
---------------------------------------
You can check the contents of the ROM image, inside CBFS:
@@ -136,7 +136,7 @@ Extract grubtest.cfg from the ROM image:
Modify the grubtest.cfg accordingly.
-Re-insert the modified grubtest.cfg into the ROM image {#reinsert_modified_testconfig}
+Re-insert the modified grubtest.cfg into the ROM image
------------------------------------------------------
Once your grubtest.cfg is modified and saved, delete the unmodified
@@ -174,7 +174,7 @@ sceptical in any way, then re-do the steps above until you get it right!
Do \*not\* proceed past this point unless you are 100% sure that your
new configuration is safe (or desirable) to use.**
-Final steps {#final_steps}
+Final steps
-----------
When you are satisfied booting from grubtest.cfg, you can create a copy
diff --git a/docs/gnulinux/grub_hardening.md b/docs/gnulinux/grub_hardening.md
index 918fd45b..c4843890 100644
--- a/docs/gnulinux/grub_hardening.md
+++ b/docs/gnulinux/grub_hardening.md
@@ -31,15 +31,10 @@ image:
Helpful links:
-- [GRUB manual
- \#security](https://www.gnu.org/software/grub/manual/html_node/Security.html#Security)
-
-- [GRUB info
- pages](http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi)
-- [SATA connected storage considered dangerous until proven
- otherwise.](../../faq.md#firmware-hddssd)
-- [Coreboot GRUB security
- howto](https://www.coreboot.org/GRUB2#Security)
+- [GRUB manual](https://www.gnu.org/software/grub/manual/html_node/Security.html#Security)
+- [GRUB info pages](http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi)
+- [SATA connected storage considered dangerous.](../../faq.md#firmware-hddssd)
+- [Coreboot GRUB security howto](https://www.coreboot.org/GRUB2#Security)
GRUB Password
=============
@@ -159,6 +154,7 @@ Now that we have a key, we can sign some files with it. We have to sign:
Suppose that we have a pair of **my.kernel** and **my.initramfs** and an
on-disk **libreboot\_grub.cfg**. We sign them by issuing the following
commands:
+
gpg --homedir keys --detach-sign my.initramfs
gpg --homedir keys --detach-sign my.kernel
gpg --homedir keys --detach-sign libreboot_grub.cfg