diff options
Diffstat (limited to 'docs/gnulinux')
-rw-r--r-- | docs/gnulinux/configuring_parabola.md | 2 | ||||
-rw-r--r-- | docs/gnulinux/encrypted_parabola.md | 32 | ||||
-rw-r--r-- | docs/gnulinux/grub_boot_installer.md | 15 | ||||
-rw-r--r-- | docs/gnulinux/grub_cbfs.md | 17 | ||||
-rw-r--r-- | docs/gnulinux/grub_hardening.md | 5 | ||||
-rw-r--r-- | docs/gnulinux/index.md | 19 |
6 files changed, 63 insertions, 27 deletions
diff --git a/docs/gnulinux/configuring_parabola.md b/docs/gnulinux/configuring_parabola.md index 1e525f59..935ff099 100644 --- a/docs/gnulinux/configuring_parabola.md +++ b/docs/gnulinux/configuring_parabola.md @@ -63,7 +63,7 @@ For more information related to `pacman`, review the following articles on the A * [Configuring pacman](https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman) * [Using pacman](https://wiki.archlinux.org/index.php/Pacman) -* [Additional Repositories](https://wiki.parabolagnulinux.org/Official_Repositories>) +* [Additional Repositories](https://wiki.parabolagnulinux.org/Official_Repositories) ## Updating Parabola Parabola is kept up-to-date, using `pacman`. When you are updating Parabola, diff --git a/docs/gnulinux/encrypted_parabola.md b/docs/gnulinux/encrypted_parabola.md index a4d7dd16..5ff070a6 100644 --- a/docs/gnulinux/encrypted_parabola.md +++ b/docs/gnulinux/encrypted_parabola.md @@ -3,6 +3,8 @@ title: Installing Parabola or Arch GNU+Linux-Libre, with Full-Disk Encryption (i x-toc-enable: true ... +Also see: +[Installing Hyperbola GNU+Linux, with Full-Disk Encryption (including /boot)](https://wiki.hyperbola.info/en:guide:encrypted_installation) This guide covers how to install Parabola GNU+Linux-Libre, with full disk encryption, including **/boot** (the boot directory). On most systems, **/boot** has @@ -83,7 +85,9 @@ if it's not new, then there are two ways to handle it: you can either choose to fill it with zeroes or random data; I chose random data (e.g., `urandom`), because it's more secure. Depending on the size of the drive, this could take a while to complete: - `# dd if=/dev/urandom of=/dev/sdX; sync` + ~~~ + # dd if=/dev/urandom of=/dev/sdX; sync + ~~~ 2. If the drive were previously encrypted, all you need to do is wipe the LUKS header. The size of the header depends upon the specific model of the hard drive; @@ -91,12 +95,14 @@ you can find this information by doing some research online. Refer to this [article](https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/), for more information about LUKS headers. You can either fill the header with zeroes, or with random data; again, I chose random data, using `urandom`: - `# head -c 3145728 /dev/urandom > /dev/sdX; sync` + ~~~ + # head -c 3145728 /dev/urandom > /dev/sdX; sync + ~~~ Also, if you're using an SSD, there are a two things you should keep in mind: - There are issues with TRIM; it's not enabled by default through LUKS, -and there are security issues, if you do enable it. See [this page](https://wiki.archlinux.org/index.php/Dm-cryptSpecialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29) for more info. +and there are security issues, if you do enable it. See [this page](https://wiki.archlinux.org/index.php/Dm-crypt#Specialties) for more info. - Make sure to read [this article](https://wiki.archlinux.org/index.php/Solid_State_Drives), for information on managing SSD's in Arch Linux (the information applies to Parabola, as well). @@ -192,11 +198,15 @@ equally cleverly named as **rootvol**. Also, make sure to [choose an appropriate swap size](http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space) (e.g., **2G** refers to two gigabytes; change this however you see fit): - `# lvcreate -L 2G matrix -n swapvol` + ~~~ + # lvcreate -L 2G matrix -n swapvol + ~~~ 2. Now, we will create a single, large partition in the rest of the space, for **rootvol**: - `# lvcreate -l +100%FREE matrix -n rootvol` + ~~~ + # lvcreate -l +100%FREE matrix -n rootvol + ~~~ You can also be flexible here, for example you can specify a **/boot**, a **/**, a **/home**, a **/var**, or a **/usr** volume. For example, if you will be running a @@ -274,7 +284,7 @@ directory to the one you created in the previous steps, so that you can modify f and install software onto it, as if it were the host operating system. To `chroot` into your installation, follow the instructions [on the -Prabola beginner's guide](https://wiki.parabola.nu/Beginners%27_guide#Chroot_and_configure_the_base_system). +Parabola beginner's guide](https://wiki.parabola.nu/Beginners%27_guide#Chroot_and_configure_the_base_system). ### Setting up the Locale Locale refers to the language that your operating system will use, as well as some @@ -313,7 +323,11 @@ There are several modifications that we need to make to the file: Make sure to separate each module by one space. 2. Change the value of the uncommented `HOOKS` line to the following: - “`base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown`”; + + ~~~ + base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown + ~~~ + here's what each module does: * `keymap` adds to *initramfs* the keymap that you specified in **/etc/vconsole.conf** @@ -367,7 +381,7 @@ for the LUKS passphrase, apply here as well. You will set this password with the ### Extra Security Tweaks There are some final changes that we can make to the installation, to make it -significantly more secure; these are based on the [Security](https://wiki.archlinux.org/index.php/Securit) section of the Arch wiki. +significantly more secure; these are based on the [Security](https://wiki.archlinux.org/index.php/Security) section of the Arch wiki. #### Key Strengthening We will want to open the configuration file for password settings, and increase @@ -408,7 +422,7 @@ Edit configuration in `/etc/default/grub`, remembering to use UUID when poitning Use `blkid` to get list of devices with their respective UUIDs. Next generate grub.cfg with - # grub-mkconfig /boot/grub/grub.cfg + # grub-mkconfig -o /boot/grub/grub.cfg If you have separate `/boot` partition, don't forget to add `boot` symlink inside that points to current directory diff --git a/docs/gnulinux/grub_boot_installer.md b/docs/gnulinux/grub_boot_installer.md index 085ad34b..7d4375e6 100644 --- a/docs/gnulinux/grub_boot_installer.md +++ b/docs/gnulinux/grub_boot_installer.md @@ -25,7 +25,7 @@ Overwrite the drive, writing your distro ISO to it with `dd`. For example, if we That's it! You should now be able to boot the installer from your USB drive (the instructions for doing so will be given later). ## Prepare the USB drive in NetBSD -[This page](https://wiki.netbsd.org/tutorials how_to_install_netbsd_from_an_usb_memory_stick/) on the NetBSD website shows how to create a NetBSD bootable USB drive, from within NetBSD itself. You should the `dd` method documented there. This will work with any GNU+Linux ISO image. +[This page](https://wiki.netbsd.org/tutorials/how_to_install_netbsd_from_an_usb_memory_stick/) on the NetBSD website shows how to create a NetBSD bootable USB drive, from within NetBSD itself. You should the `dd` method documented there. This will work with any GNU+Linux ISO image. ## Prepare the USB drive in FreeBSD [This page](https://www.freebsd.org/doc/handbook/bsdinstall-pre.html) on the FreeBSD website shows how to create a bootable USB drive for installing FreeBSD. Use the `dd` method documented. This will work with any GNU+Linux ISO image. @@ -53,18 +53,23 @@ Make sure that the device isn't mounted, with `doas`; if it is, this command wil That's it! You should now be able to boot the installer from your USB drive (the instructions for doing so will be given later). ## Debian or Devuan net install -1. Download the Debian or Devuan net installer. You can download the Debian ISO from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from [the Devuan homepage](https://www.devuan.org/). +Download the Debian or Devuan net installer. You can download the Debian ISO +from [the Debian homepage](https://www.debian.org/), or the Devuan ISO from +[the Devuan homepage](https://www.devuan.org/). -2. Create a bootable USB, using the commands in *Prepare the USB Drive in GNU+Linux*, above. +Secondly, create a bootable USB drive using the commands in +[#prepare-the-usb-drive-in-gnulinux](#prepare-the-usb-drive-in-gnulinux). -3. Boot the USB, and enter these commands in the GRUB terminal (for 64-bit Intel or AMD): +Thirdly, boot the USB and enter these commands in the GRUB terminal +(for 64-bit Intel or AMD): grub> set root='usb0' grub> linux /install.amd/vmlinuz grub> initrd /install.amd/initrd.gz grub> boot -4. If you are on a 32-bit system (e.g. some Thinkpad X60's), you will need to use these commands: +If you are on a 32-bit system (e.g. some Thinkpad X60's) then you will need to +use these commands instead: grub> set root='usb0' grub> linux /install.386/vmlinuz diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md index 5283b4fc..4879d9cf 100644 --- a/docs/gnulinux/grub_cbfs.md +++ b/docs/gnulinux/grub_cbfs.md @@ -152,19 +152,17 @@ used by coreboot native graphics initialization. I'll choose **x200_8mb_usqwerty_vesafb.rom**; I'll copy the file (to the `cbfstool` directory), and rename it with one command: - $ mv "x200_8mb_usqwerty_vesafb.rom" ../cbfstool/x86_64/cbfstool/x86_64/libreboot.rom + $ mv "x200_8mb_usqwerty_vesafb.rom" ../cbfstool/x86_64/libreboot.rom #### 2. Create an Image from the Current ROM The simpler way to get a ROM image is to just create it from your current ROM, using `flashrom`, making sure to save it in the `cbfstool` folder, inside **libreboot\_util**: - $ sudo flashrom -p internal -r ~/Downloads/libreboot_util/cbfstool/\ - >x86_64/cbfstool/x86_64/libreboot.rom + $ sudo flashrom -p internal -r ~/Downloads/libreboot_util/cbfstool/x86_64/libreboot.rom If you are told to specify the chip, add the option `-c {your chip}` to the command, like this: - $ sudo flashrom -c MX25L6405 -p internal -r ~/Downloads/libreboot_util/\ - >cbfstool/x86_64/cbfstool/x86_64/libreboot.rom + $ sudo flashrom -c MX25L6405 -p internal -r ~/Downloads/libreboot_util/cbfstool/x86_64/libreboot.rom Now you are ready to extract the GRUB configuration files from the ROM, and modify them the way you want. @@ -173,7 +171,7 @@ Now you are ready to extract the GRUB configuration files from the ROM, and modi You can check the contents of the ROM image, inside CBFS, using `cbfstool`. First, navigate to the cbfstool folder: - $ cd ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/ + $ cd ~/Downloads/libreboot_util/cbfstool/x86_64/ Then, run the `cbfstool` commmand, with the `print` option; this will display a list of all the files located in the ROM: @@ -215,7 +213,7 @@ Or, replace it with this, if you are using a Debian-based distribution (e.g., Tr cryptomount -a set root='lvm/matrix-rootvol' - linux /vmlinuz root=/dev/mapper/matrix-rootvolcryptdevice=/dev/mapper/matrix-rootvol:root + linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root initrd /initrd.img Remember, that these names come from the instructions to install GNU+Linux @@ -243,8 +241,7 @@ the main storage for **/boot/grub/libreboot\_grub.cfg** or **/grub/libreboot\_gr Therefore, we need to either copy **libreboot\_grub.cfg** to **/grub**, or to **/boot/grub**: - $ sudo cp ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/grubtest.cfg \ - >/boot/grub # or /grub + $ sudo cp ~/Downloads/libreboot_util/cbfstool/x86_64/grubtest.cfg /boot/grub # or /grub Now, the next time we boot our computer, GRUB (in Libreboot) will automatically switch to this configuration file. *This means that you do not have to re-flash, @@ -354,7 +351,7 @@ of **grubtest.cfg**, called **grub.cfg**. First, go to the `cbfstool` directory: - $ cd ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/ + $ cd ~/Downloads/libreboot_util/cbfstool/x86_64/ Then, create a copy of **grubest.cfg**, named **grub.cfg**: diff --git a/docs/gnulinux/grub_hardening.md b/docs/gnulinux/grub_hardening.md index c32a0534..e1329f21 100644 --- a/docs/gnulinux/grub_hardening.md +++ b/docs/gnulinux/grub_hardening.md @@ -33,7 +33,7 @@ Helpful links: - [GRUB manual](https://www.gnu.org/software/grub/manual/html_node/Security.html#Security) - [GRUB info pages](http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi) -- [SATA connected storage considered dangerous.](../../faq.md#firmware-hddssd) +- [SATA connected storage considered dangerous.](../../faq.md#hddssd-firmware) - [Coreboot GRUB security howto](https://www.coreboot.org/GRUB2#Security) GRUB Password @@ -81,7 +81,8 @@ installing GRUB version 2. Generate a key by giving it a password: grub-mkpasswd-pbkdf2 Its output will be a string of the following form: -grub.pbkdf2.sha512.10000.HEXDIGITS.MOREHEXDIGITS + + grub.pbkdf2.sha512.10000.HEXDIGITS.MOREHEXDIGITS Now open my.grubtest.cfg and put the following before the menu entries (prefered above the functions and after other directives). Of course use diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md index f8738d4a..bc7a04f8 100644 --- a/docs/gnulinux/index.md +++ b/docs/gnulinux/index.md @@ -20,12 +20,31 @@ However, with Libreboot, GRUB is already included directly (as a payload), so ev - Follow-Up Tutorial: [Configuring Parabola (Post-Install)](configuring_parabola.md) +- [Installing Hyperbola GNU+Linux, with Full-Disk Encryption (including /boot)](https://wiki.hyperbola.info/en:guide:encrypted_installation) + - [Installing Trisquel GNU+Linux-Libre, with Full-Disk Encryption (including /boot)](encrypted_trisquel.md) - [Installing Debian or Devuan GNU+Linux-Libre, with Full-Disk Encryption (including /boot)](encrypted_debian.md) - [How to Harden Your GRUB Configuration, for Security](grub_hardening.md) +Fedora won't boot? +------------------ + +This may also apply to CentOS or Redhat. + +When you use Libreboot's default GRUB config, and libreboot-grub uses fedora's +default grub.cfg (in /boot/grub2/grub.cfg), fedora by default makes use of the +`linux16` command, whereas it should be saying `linux` + +Do this in fedora: + +Open `/etc/grub.d/10_linux` + +Set the `sixteenbit` variable to an empty string, then do: + + grub2-mkconfig -o /boot/grub2/grub.cfg + Copyright © 2014, 2015 Leah Rowe <info@minifree.org> Copyright © 2017 Elijah Smith <esmith1412@posteo.net> |