Diffstat (limited to 'docs/gnulinux')

-rw-r--r--  docs/gnulinux/configuring_parabola.md  137
-rw-r--r--  docs/gnulinux/encrypted_debian.md       91
-rw-r--r--  docs/gnulinux/encrypted_parabola.md    213
-rw-r--r--  docs/gnulinux/grub_boot_installer.md   112
-rw-r--r--  docs/gnulinux/grub_cbfs.md             103
-rw-r--r--  docs/gnulinux/grub_hardening.md         35
-rw-r--r--  docs/gnulinux/index.md                   6

7 files changed, 372 insertions, 325 deletions
diff --git a/docs/gnulinux/configuring_parabola.md b/docs/gnulinux/configuring_parabola.md index 29dc0243..af6e18d3 100644 --- a/docs/gnulinux/configuring_parabola.md +++ b/docs/gnulinux/configuring_parabola.md @@ -1,5 +1,6 @@ --- title: Configuring Parabola (post-install) +x-toc-enable: true ... Post-installation configuration steps for Parabola GNU+Linux-libre. @@ -7,38 +8,6 @@ Parabola is extremely flexible; this is just an example. This example uses LXDE because it's lightweight, but we recommend the *MATE* desktop (which is actually about as lightweight as LXDE). -Table of Contents -================= - -- [Configuring pacman](#pacman_configure) - - [Updating Parabola](#pacman_update) - - [Maintaining Parabola during system updates](#pacman_maintain) - - [Clearing package cache after updating](#pacman_cacheclean) - - [Pacman command equivalents (compared to other package - managers)](#pacman_commandequiv) - - [your-freedom](#yourfreedom) - -- [Add a user account](#useradd) -- [System D](#systemd) -- [Interesting repositories](#interesting_repos) -- [Setup a network connection in Parabola](#network) - - [Setting hostname](#network_hostname) - - [Network status](#network_status) - - [Network interface names](#network_devicenames) - - [Network setup](#network_setup) -- [System maintenance](#system_maintain) - important! -- [Configuring the desktop](#desktop) - - [Install Xorg](#desktop_xorg) - - [Xorg keyboard layout](#desktop_kblayout) - - [Install LXDE](#desktop_lxde) - - [LXDE - clock](#lxde_clock) - - [LXDE - font](#lxde_font) - - [LXDE - screenlock](#lxde_screenlock) - - [LXDE - automounting](#lxde_automount) - - [LXDE - disable suspend](#lxde_suspend) - - [LXDE - battery monitor](#lxde_battery) - - [LXDE - network manager](#lxde_network) - While not strictly related to the libreboot project, this guide is intended to be useful for those interested in installing Parabola on their libreboot system. 
@@ -50,9 +19,9 @@ likely to become obsolete at a later date (due to the volatile 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. -**This guide was valid on 2014-09-21. If you see any changes that should +*This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch with the libreboot -project!** +project!* You do not necessarily have to follow this guide word-for-word; *parabola* is extremely flexible. The aim here is to provide a common @@ -66,18 +35,18 @@ Paradoxically, as you get more advanced Parabola can actually become compared to what most distributions provide. You will find over time that other distributions tend to *get in your way*. -**This guide assumes that you already have Parabola installed. If you +*This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, then [this -guide](encrypted_parabola.md) is highly recommended!** +guide](encrypted_parabola.md) is highly recommended!* A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries to cherry pick the most useful information but -nonetheless you are encouraged to learn as much as possible. **It might +nonetheless you are encouraged to learn as much as possible. *It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, especially for new -users**. +users*. The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), and it will 
@@ -86,9 +55,13 @@ careful about this when reading anything on the Arch wiki. Some of these steps require internet access. I'll go into networking later but for now, I just connected my system to a switch and did: + # systemctl start dhcpcd.service + You can stop it later by running: + # systemctl stop dhcpcd.service\ + For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:\ [Setup network connection in Parabola](#network) @@ -96,7 +69,7 @@ your network then you should setup your network connection first:\ Configure pacman {#pacman_configure} ---------------- -pacman (**pac**kage **man**ager) is the name of the package management +pacman (*pac*kage *man*ager) is the name of the package management system in Arch, which Parabola (as a deblobbed parallel effort) also uses. Like with 'apt-get' on Debian or Devuan, this can be used to add/remove and update the software on your computer. @@ -114,6 +87,7 @@ In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions: # pacman -Syy + (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date, which can be useful when switching to another mirror).\ @@ -121,8 +95,8 @@ Then, update the system: # pacman -Syu -**Before installing packages with 'pacman -S', always update first, -using the notes above.** +*Before installing packages with 'pacman -S', always update first, +using the notes above.* Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages about maintenance steps that you 
@@ -169,13 +143,13 @@ re-install it or install the distro on another computer, for example). ### Cleaning the package cache {#pacman_cacheclean} -**The following is very important as you continue to use, update and +*The following is very important as you continue to use, update and maintain your Parabola system:\ <https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache>. Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache of old package information, updated automatically when you do anything in -pacman).** +pacman).* To clean out all old packages that are cached: @@ -190,6 +164,7 @@ The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached: # pacman -Scc + This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used when disk space is at a premium. @@ -227,6 +202,7 @@ Read the entire document linked to above, and then continue. Add your user: # useradd -m -G wheel -s /bin/bash *yourusername* + Set a password: # passwd *yourusername* @@ -241,8 +217,8 @@ This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. Read <https://wiki.archlinux.org/index.php/systemd> and <https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage> to -gain a full understanding. **This is very important! Make sure to read -them.** +gain a full understanding. *This is very important! Make sure to read +them.* An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. @@ -254,6 +230,7 @@ supplier) to use systemd. The manpage should also help: # man systemd + The section on 'unit types' is especially useful. According to the wiki, systemd 'journal' keeps logs of a size up to 
@@ -287,9 +264,11 @@ Finally, the wiki mentions 'temporary' files and the utility for managing them. # man systemd-tmpfiles + The command for 'clean' is: # systemd-tmpfiles --clean + According to the manpage, this *"cleans all files and directories with an age parameter"*. According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ to know what actions to @@ -301,6 +280,7 @@ However, /usr/lib/tmpfiles.d/ contained some files. The first one was etc.conf, containing information and a reference to this manpage: # man tmpfiles.d + Read that manpage, and then continue studying all the files. The systemd developers tell me that it isn't usually necessary to touch @@ -343,6 +323,7 @@ when installing Parabola. You can also do it with systemd (do so now, if you like): # hostnamectl set-hostname *yourhostname* + This writes the specified hostname to /etc/hostname. More information can be found in these manpages: @@ -422,14 +403,15 @@ System Maintenance {#system_maintain} Read <https://wiki.archlinux.org/index.php/System_maintenance> before continuing. Also read -<https://wiki.archlinux.org/index.php/Enhance_system_stability>. **This -is important, so make sure to read them!** +<https://wiki.archlinux.org/index.php/Enhance_system_stability>. *This +is important, so make sure to read them!* Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you but the smart data comes from it. Therefore, don't rely on it too much): # pacman -S smartmontools + Read <https://wiki.archlinux.org/index.php/S.M.A.R.T.> to learn how to use it. @@ -449,6 +431,7 @@ Based on <https://wiki.archlinux.org/index.php/Xorg>. Firstly, install it! # pacman -S xorg-server + I also recommend installing this (contains lots of useful tools, including *xrandr*): 
@@ -458,33 +441,38 @@ Install the driver. For me this was *xf86-video-intel* on the ThinkPad X60. T60 and macbook11/21 should be the same. # pacman -S xf86-video-intel + For other systems you can try: # pacman -Ss xf86-video- | less + Combined with looking at your *lspci* output, you can determine which driver is needed. By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. Other drivers (not just video) can be found by looking at the -*xorg-drivers* group: +`xorg-drivers` group: # pacman -Sg xorg-drivers -Mostly you will rely on a display manager, but in case you ever want to -start X without one: +Mostly you will rely on a display manager, but in case you ever want to start X +without one: # pacman -S xorg-xinit -<optional>\ - Arch wiki recommends installing these, for testing that X works:\ - \# **pacman -S xorg-twm xorg-xclock xterm**\ - Refer to <https://wiki.archlinux.org/index.php/Xinitrc>. and test X:\ - \# **startx**\ - When you are satisfied, type ***exit*** in xterm, inside the X -session.\ - Uninstall them (clutter. eww): \# **pacman -S xorg-xinit xorg-twm -xorg-xclock xterm**\ -</optional> +Optionally, to test X, install these: + + # pacman -S xorg-twm xorg-xclock xterm + +Refer to <https://wiki.archlinux.org/index.php/Xinitrc>. and test X: + + # startx + +When you are satisfied, type `exit` in xterm, inside the X session. + +Uninstall them (clutter. eww): + + # pacman -S xorg-xinit xorg-twm xorg-xclock xterm ### Xorg keyboard layout {#desktop_kblayout} @@ -566,6 +554,7 @@ I also like to install these: Enable LXDM (the default display manager, providing a graphical login): # systemctl enable lxdm.service + It will start when you boot up the system. To start it now, do: # systemctl start lxdm.service 
@@ -576,23 +565,26 @@ start lxde without lxdm. Read <https://wiki.archlinux.org/index.php/Xinitrc>. Open LXterminal: + $ cp /etc/skel/.xinitrc \~ + Open .xinitrc and add the following plus a line break at the bottom of -the file.\ -*\# Probably not needed. The same locale info that we set before\ -\# Based on advice from the LXDE wiki export LC\_ALL=en\_GB.UTF-8\ -export LANGUAGE=en\_GB.UTF-8\ -export LANG=en\_GB.UTF-8\ -\ -\# Start lxde desktop\ -exec startlxde\ +the file. + + export LC_ALL=en_GB.UTF-8 + export LANGUAGE=en_GB.UTF-8 + export LANG=en_GB.UTF-8 + + exec startlxde + * Now make sure that it is executable: + $ chmod +x .xinitrc ### LXDE - clock {#lxde_clock} -In **Digital Clock Settings** (right click the clock) I set the Clock -Format to *%Y/%m/%d %H:%M:%S* +In *Digital Clock Settings* (right click the clock) I set the Clock +Format to `%Y/%m/%d %H:%M:%S` ### LXDE - font {#lxde_font} @@ -643,6 +635,7 @@ Install Network Manager: You will also want the graphical applet: # pacman -S network-manager-applet + Arch wiki says that an autostart rule will be written at */etc/xdg/autostart/nm-applet.desktop* @@ -657,6 +650,7 @@ LXDE uses openbox, so I refer to:\ It tells me for the applet I need: # pacman -S xfce4-notifyd gnome-icon-theme + Also, for storing authentication details (wifi) I need: # pacman -S gnome-keyring @@ -665,6 +659,7 @@ I wanted to quickly enable networkmanager: # systemctl stop dhcpcd # systemctl start NetworkManager + Enable NetworkManager at boot time: # systemctl enable NetworkManager @@ -677,8 +672,6 @@ theme, in *lxappearance*. Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation diff --git a/docs/gnulinux/encrypted_debian.md b/docs/gnulinux/encrypted_debian.md index 27e5be35..71129950 100644 --- a/docs/gnulinux/encrypted_debian.md 
+++ b/docs/gnulinux/encrypted_debian.md 
@@ -22,42 +22,43 @@ tampering by someone with physical access to the system. This guide is written for Debian net installer. You can download the ISO from the homepage on [debian.org](https://www.debian.org/). Use this on -the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\ -**set root='usb0'\ -linux /install.amd/vmlinuz\ -initrd /install.amd/initrd.gz\ -boot\ -** If you are on a 32-bit system (e.g. X60):\ -**set root='usb0'\ -linux /install.386/vmlinuz\ -initrd /install.386/initrd.gz\ -boot** - +the GRUB terminal to boot it from USB (for 64-bit Intel or AMD): + + set root='usb0' + linux /install.amd/vmlinuz + initrd /install.amd/initrd.gz + boot + +If you are on a 32-bit system (e.g. X60): + + set root='usb0' + linux /install.386/vmlinuz + initrd /install.386/initrd.gz + boot + [This guide](grub_boot_installer.md) shows how to create a boot USB drive with the Debian ISO image. -**This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.** +*This guide is only for the GRUB payload. If you use the depthcharge payload, +ignore this section entirely.* -Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a -step during boot to fail. If this happens to you, try removing the -drive. +Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step +during boot to fail. If this happens to you, try removing the drive. -Set a strong user password (lots of lowercase/uppercase, numbers and -symbols). +Set a strong user password (lots of lowercase/uppercase, numbers and symbols). -Use of the *diceware method* is recommended, for generating secure -passphrases (instead of passwords). +Use of the *diceware method* is recommended, for generating secure passphrases +(instead of passwords). -when the installer asks you to set up encryption (ecryptfs) for your -home directory, select 'Yes' if you want to: **LUKS is already secure -and performs well. 
Having ecryptfs on top of it will add noticeable -performance penalty, for little security gain in most use cases. This is -therefore optional, and not recommended. Choose 'no'.** +When the installer asks you to set up encryption (ecryptfs) for your home +directory, select 'Yes' if you want to: *LUKS is already secure and performs +well. Having ecryptfs on top of it will add noticeable performance penalty, for +little security gain in most use cases. This is therefore optional, and not +recommended. Choose 'no'.* -**Your user password should be different from the LUKS password which +*Your user password should be different from the LUKS password which you will set later on. Your LUKS password should, like the user -password, be secure.** +password, be secure.* Partitioning ============ @@ -88,15 +89,15 @@ Choose 'Manual' partitioning: - Configure the logical volume manager: - Keep settings: Yes - Create volume group: - - Name: **matrix** (use this exact name) + - Name: `matrix` (use this exact name) - Select crypto partition - Create logical volume - - select **matrix** (use this exact name) - - name: **rootvol** (use this exact name) + - select `matrix` (use this exact name) + - name: `rootvol` (use this exact name) - size: default, minus 2048 MB - Create logical volume - - select **matrix** (use this exact name) - - name: **swap** (user this exact name) + - select `matrix` (use this exact name) + - name: `swap` (user this exact name) - size: press enter Further partitioning 
@@ -129,8 +130,8 @@ something else. If you want debian-testing, then you should only select barebones options here and change the entries in /etc/apt/sources.list after -install to point to the new distro, and then run **apt-get update** and -**apt-get dist-upgrade** as root, then reboot and run **tasksel** as +install to point to the new distro, and then run `apt-get update` and +`apt-get dist-upgrade` as root, then reboot and run `tasksel` as root. This is to avoid downloading large packages twice. NOTE: If you want the latest up to date version of the Linux kernel, @@ -165,13 +166,11 @@ Booting your system =================== At this point, you will have finished the installation. At your GRUB -payload, press C to get to the command line. +payload, press C to get to the command line, and enter: -Do that:\ grub> cryptomount -a - grub> set root='lvm/matrix-rootvol'\ -grub> **linux /vmlinuz root=/dev/mapper/matrix-rootvol -cryptdevice=/dev/mapper/matrix-rootvol:root**\ + grub> set root='lvm/matrix-rootvol' + grub> linux /vmlinuz root=/dev/mapper/matrix-rootvolcryptdevice=/dev/mapper/matrix-rootvol:root grub> initrd /initrd.img grub> boot @@ -182,6 +181,7 @@ If you didn't encrypt your home directory, then you can safely ignore this section. Immediately after logging in, do that: + $ sudo ecryptfs-unwrap-passphrase This will be needed in the future if you ever need to recover your home 
@@ -199,12 +199,11 @@ Modify your grub.cfg (in the firmware) [using this tutorial](grub_cbfs.md); just change the default menu entry 'Load Operating System' to say this inside: -**cryptomount -a**\ -**set root='lvm/matrix-rootvol'**\ -**linux /vmlinuz root=/dev/mapper/matrix-rootvol -cryptdevice=/dev/mapper/matrix-rootvol:root**\ -**initrd /initrd.img** - + cryptomount -a + set root='lvm/matrix-rootvol' + linux /vmlinuz root=/dev/mapper/matrix-rootvolcryptdevice=/dev/mapper/matrix-rootvol:root + initrd /initrd.img + Without specifying a device, the *-a* parameter tries to unlock all detected LUKS volumes. You can also specify -u UUID or -a (device). @@ -302,8 +301,6 @@ problems. Removing that worked around the issue. Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation diff --git a/docs/gnulinux/encrypted_parabola.md b/docs/gnulinux/encrypted_parabola.md index 25c4e5c6..d2f77482 100644 --- a/docs/gnulinux/encrypted_parabola.md +++ b/docs/gnulinux/encrypted_parabola.md @@ -17,8 +17,8 @@ volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system. -**This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.** +*This guide is \*only\* for the GRUB payload. If you use the +depthcharge payload, ignore this section entirely.* This guide is intended for the Parabola distribution, but it should also work (with some adaptation) for *Arch*. We recomend using Parabola, 
@@ -65,12 +65,14 @@ article](https://wiki.archlinux.org/index.php/Solid_State_Drives). Edit whole article and keep all points in mind, adapting them for this guide. Securely wipe the drive: + # dd if=/dev/urandom of=/dev/sda; sync NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended erase block size is. For example if it was 2MiB: + # dd if=/dev/urandom of=/dev/sda bs=2M; sync If your drive was already LUKS encrypted (maybe you are re-installing @@ -82,6 +84,7 @@ guide is recommending putting zero there. I'm going to use urandom. Do this: # head -c 3145728 /dev/urandom > /dev/sda; sync + (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). @@ -93,6 +96,7 @@ list the available keymaps and use yours: # localectl list-keymaps # loadkeys LAYOUT + For me, LAYOUT would have been dvorak-uk. Establish an internet connection @@ -142,13 +146,14 @@ I am then directed to Parabola forces you to RTFM. Do that. -It tells me to run: +To populate the list below, it tells me to run: + + # cryptsetup benchmark - # cryptsetup benchmark (for making sure the list below is -populated)\ Then: # cat /proc/crypto + This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). To gain a better understanding, I 
@@ -162,10 +167,14 @@ on Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. -I am initializing LUKS with the following:\ -\# **cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash +I am initializing LUKS with the following: + + # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash + whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat -/dev/sda1** Choose a **secure** passphrase here. Ideally lots of +/dev/sda1 + + Choose a *secure* passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password length should be as long as you are able to handle without writing it down or storing it anywhere. @@ -178,14 +187,14 @@ Create LVM Now I refer to <https://wiki.archlinux.org/index.php/LVM>. -Open the LUKS partition: +Open the LUKS partition at /dev/mapper/lvm: # cryptsetup luksOpen /dev/sda1 lvm -(it will be available at /dev/mapper/lvm) Create LVM partition: # pvcreate /dev/mapper/lvm + Show that you just created it: # pvdisplay 
@@ -194,22 +203,24 @@ Now I create the volume group, inside of which the logical volumes will be created: # vgcreate matrix /dev/mapper/lvm + (volume group name is 'matrix' - choose your own name, if you like) Show that you created it: # vgdisplay -Now create the logical volumes: +Now create the logical volumes (2G swap parittion named swapvol): + + # lvcreate -L 2G matrix -n swapvol - # lvcreate -L 2G matrix -n swapvol (2G swap partition, named -swapvol)\ -Again, choose your own name if you like. Also, make sure to choose a -swap size of your own needs. It basically depends on how much RAM you -have installed. I refer to +Again, choose your own name if you like. Also, make sure to choose a swap size +of your own needs. It basically depends on how much RAM you have installed. I +refer to <http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space>. +This creates a single large partition in the rest of the space, named root: + + # lvcreate -l +100%FREE matrix -n root - # lvcreate -l +100%FREE matrix -n root (single large partition in -the rest of the space, named root)\ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, if you will be running a web/mail server then you want /var in its own partition (so that if it @@ -227,6 +238,7 @@ Create / and swap partitions, and mount For the swapvol LV I use: # mkswap /dev/mapper/matrix-swapvol + Activate swap: # swapon /dev/matrix/swapvol 
@@ -257,55 +269,76 @@ Create /home and /boot on root mountpoint: Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola. -In **/etc/pacman.d/mirrorlist**, comment out all lines except the Server +In `/etc/pacman.d/mirrorlist`, comment out all lines except the Server line closest to where you are (I chose the UK Parabola server (main server)) and then did: # pacman -Syy # pacman -Syu - # pacman -Sy pacman (and then I did the other 2 steps above, -again)\ + # pacman -Sy pacman + In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. -<troubleshooting>\ - The following is based on 'Verification of package signatures' in -the Parabola install guide.\ - Check there first to see if steps differ by now.\ - Now you have to update the default Parabola keyring. This is used for -signing and verifying packages:\ - \# **pacman -Sy parabola-keyring**\ - It says that if you get GPG errors, then it's probably an expired -key and, therefore, you should do:\ - \# **pacman-key --populate parabola**\ - \# **pacman-key --refresh-keys**\ - \# **pacman -Sy parabola-keyring**\ - To be honest, you should do the above anyway. Parabola has a lot of -maintainers, and a lot of keys. Really!\ - If you get an error mentioning dirmngr, do:\ - \# **dirmngr </dev/null**\ - Also, it says that if the clock is set incorrectly then you have to -manually set the correct time\ - (if keys are listed as expired because of it):\ - \# **date MMDDhhmm\[\[CC\]YY\]\[.ss\]**\ - I also had to install:\ - \# **pacman -S archlinux-keyring**\ - \# **pacman-key --populate archlinux**\ - In my case I saw some conflicting files reported in pacman, stopping -me from using it.\ - I deleted the files that it mentioned and then it worked. -Specifically, I had this error:\ - *licenses: /usr/share/licenses/common/MPS exists in filesystem*\ - I rm -Rf'd the file and then pacman worked. 
I'm told that the -following would have also made it work:\ - \# **pacman -Sf licenses**\ -</troubleshooting>\ +Troubleshooting +--------------- + +The following is based on 'Verification of package signatures' in +the Parabola install guide. + +Check there first to see if steps differ by now. + +Now you have to update the default Parabola keyring. This is used for +signing and verifying packages: + + # pacman -Sy parabola-keyring + +It says that if you get GPG errors, then it's probably an expired +key and, therefore, you should do: + + # pacman-key --populate parabola + # pacman-key --refresh-keys + # pacman -Sy parabola-keyring + +To be honest, you should do the above anyway. Parabola has a lot of +maintainers, and a lot of keys. Really! + +If you get an error mentioning dirmngr, do: + + # dirmngr < /dev/null + +Also, it says that if the clock is set incorrectly then you have to manually +set the correct time + + # date MMDDhhmm\[\[CC\]YY\]\[.ss\] + +I also had to install: + + # pacman -S archlinux-keyring + # pacman-key --populate archlinux + +In my case I saw some conflicting files reported in pacman, stopping +me from using it. +I deleted the files that it mentioned and then it worked. +Specifically, I had this error: + + licenses: /usr/share/licenses/common/MPS exists in filesystem + +I rm -Rf'd the file and then pacman worked. I'm told that the +following would have also made it work: + + # pacman -Sf licenses + +More packages +-------------- I also like to install other packages (base-devel, compilers and so on) and wpa\_supplicant/dialog/iw/wpa\_actiond are needed for wireless after -the install:\ -\# **pacstrap /mnt base base-devel wpa\_supplicant dialog iw -wpa\_actiond** +the install: + + # pacstrap /mnt base base-devel wpa_supplicant dialog iw + +wpa\_actiond Configure the system -------------------- 
@@ -315,10 +348,12 @@ Generate an fstab - UUIDs are used because they have certain advantages prefer labels instead, replace the -U option with -L): # genfstab -U -p /mnt >> /mnt/etc/fstab + Check the created file: # cat /mnt/etc/fstab -(If there are any errors, edit the file. Do **NOT** run the genfstab + +(If there are any errors, edit the file. Do *NOT* run the genfstab command again!) Chroot into new system: @@ -346,16 +381,18 @@ Parabola does not have wget. This is sinister. Install it: Locale: # vi /etc/locale.gen + Uncomment your needed localisations. For example en\_GB.UTF-8 (UTF-8 is highly recommended over other options). # locale-gen - # echo LANG=en\_GB.UTF-8 > /etc/locale.conf - # export LANG=en\_GB.UTF-8 + # echo LANG=en_GB.UTF-8 > /etc/locale.conf + # export LANG=en_GB.UTF-8 Console font and keymap: # vi /etc/vconsole.conf + In my case: KEYMAP=dvorak-uk @@ -364,6 +401,7 @@ In my case: Time zone: # ln -s /usr/share/zoneinfo/Europe/London /etc/localtime + (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo) Hardware clock: @@ -374,6 +412,7 @@ Hostname: Write your hostname to /etc/hostname. For example, if your hostname is parabola: # echo parabola > /etc/hostname + Add the same hostname to /etc/hosts: # vi /etc/hosts @@ -392,6 +431,7 @@ Mkinitcpio: Configure /etc/mkinitcpio.conf as needed (see information about each hook.) Specifically, for this use case: # vi /etc/mkinitcpio.conf + Then modify the file like so: - MODULES="i915" @@ -418,9 +458,11 @@ with (this is different from Arch, specifying linux-libre instead of linux): # mkinitcpio -p linux-libre + Also do it for linux-libre-lts: # mkinitcpio -p linux-libre-lts + Also do it for linux-libre-grsec: # mkinitcpio -p linux-libre-grsec 
@@ -430,9 +472,11 @@ default for its password hashing. I referred to <https://wiki.archlinux.org/index.php/SHA_password_hashes>. # vi /etc/pam.d/passwd + Add rounds=65536 at the end of the uncommented 'password' line. # passwd root + Make sure to set a secure password! Also, it must never be the same as your LUKS password. @@ -457,7 +501,8 @@ file=/var/log/faillog*\ To unlock a user manually (if a password attempt is failed 3 times), do: - # pam\_tally --user *theusername* --reset What the above + # pam_tally --user *theusername* --reset What the above + configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts. @@ -487,6 +532,7 @@ Lock the encrypted partition (close it): # cryptsetup luksClose lvm # shutdown -h now + Remove the installation media, then boot up again. Booting from GRUB @@ -538,13 +584,18 @@ current firmware - where *libreboot.rom* is an example: make sure to adapt: # flashrom -p internal -r libreboot.rom + If flashrom complains about multiple flash chips detected, add a *-c* option at the end, with the name of your chosen chip is quotes.\ You can check if everything is in there (*grub.cfg* and *grubtest.cfg* would be really nice): + $ ./cbfstool libreboot.rom print + Extract grubtest.cfg: + $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg\ + And modify: $ vi grubtest.cfg 
@@ -578,20 +629,25 @@ Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image: $ ./cbfstool libreboot.rom remove -n grubtest.cfg -and insert the modified grubtest.cfg:\ -\$ **./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t -raw**\ + +and insert the modified grubtest.cfg: + + # ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t + +raw Now refer to [../install/#flashrom](../install/#flashrom). Cd (up) to the libreboot\_util directory and update the flash chip contents: # ./flash update libreboot.rom + Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command: # ./flash forceupdate libreboot.rom -You should see "Verifying flash\... VERIFIED." written at the end of + +You should see "Verifying flash... VERIFIED." written at the end of the flashrom output. With this new configuration, Parabola can boot automatically and you @@ -616,13 +672,17 @@ the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever want to follow this guide again in the future (modifying the already modified config). Inside libreboot\_util/cbfstool/{armv7l i686 x86\_64}, we can do this -with the following command:\ -\$ **sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e +with the following command: + + # sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e + 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > -grub.cfg**\ +grub.cfg + Delete the grub.cfg that remained inside the ROM: $ ./cbfstool libreboot.rom remove -n grub.cfg + Add the modified version that you just made: $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw 
@@ -632,7 +692,8 @@ Now you have a modified ROM. Once more, refer to directory and update the flash chip contents: # ./flash update libreboot.rom -And wait for the "Verifying flash\... VERIFIED." Once you have done + +And wait for the "Verifying flash... VERIFIED." Once you have done that, shut down and then boot up with your new configuration. When done, delete GRUB (remember, we only needed it for the @@ -656,26 +717,32 @@ will be asked to enter your passphrase a second time. A workaround is to put a keyfile inside initramfs, with instructions for the kernel to use it when booting. This is safe, because /boot/ is encrypted (otherwise, putting a keyfile inside initramfs would be a bad idea).\ -Boot up and login as root or your user. Then generate the key file:\ -\# **dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile -iflag=fullblock**\ +Boot up and login as root or your user. Then generate the key file: + + # dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile + +iflag=fullblock + Insert it into the luks volume: # cryptsetup luksAddKey /dev/sdX /etc/mykeyfile + and enter your LUKS passphrase when prompted. Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example: # FILES="/etc/mykeyfile" + Create the initramfs image from scratch: # mkinitcpio -p linux-libre # mkinitcpio -p linux-libre-lts # mkinitcpio -p linux-libre-grsec + Add the following to your grub.cfg - you are now able to do that, see above! -, or add it in the kernel command line for GRUB: # cryptkey=rootfs:/etc/mykeyfile -\ + You can also place this inside the grub.cfg that exists in CBFS: [grub\_cbfs.md](grub_cbfs.md). 
@@ -775,8 +842,6 @@ problems. Removing that worked around the issue. Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation diff --git a/docs/gnulinux/grub_boot_installer.md b/docs/gnulinux/grub_boot_installer.md index 228dadff..10158619 100644 --- a/docs/gnulinux/grub_boot_installer.md +++ b/docs/gnulinux/grub_boot_installer.md @@ -1,21 +1,15 @@ --- title: How to install GNU+Linux on a libreboot system +x-toc-enable: true ... This section relates to preparing, booting and installing a GNU+Linux distribution on your libreboot system, using nothing more than a USB -flash drive (and *dd*). +flash drive (and `dd`). -- [Prepare the USB drive (in GNU+Linux)](#prepare) -- [Installing GNU+Linux with full disk encryption](#encryption) -- [Debian or Devuan net install?](#debian_netinstall) -- [Booting ISOLINUX images (automatic method)](#parse_isolinux) -- [Booting ISOLINUX images (manual method)](#manual_isolinux) -- [Troubleshooting](#troubleshooting) - -**This section is only for the GRUB payload. For depthcharge (used on +*This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions have yet to be written in the -libreboot documentation.** +libreboot documentation.* Prepare the USB drive (in GNU+Linux) ------------------------------------ @@ -72,6 +66,7 @@ how to create the bootable GNU+Linux USB drive: Connect the USB drive. Check dmesg: $ dmesg | tail + Check to confirm which drive it is, for example, if you think its sd3: $ disklabel sd3 
@@ -92,10 +87,8 @@ Continue reading, for information about how to do that. Installing GNU+Linux with full disk encryption ---------------------------------------------- -- [Installing Debian or Devuan GNU+Linux with full disk encryption - (including /boot)](encrypted_debian.md) -- [Installing Parabola GNU+Linux with full disk encryption (including - /boot)](encrypted_parabola.md) +- [Debian or Devuan GNU+Linux with full disk encryption](encrypted_debian.md) +- [Parabola GNU+Linux with full disk encryption](encrypted_parabola.md) Debian or Devuan net install? ----------------------------- @@ -103,16 +96,21 @@ Debian or Devuan net install? Download the Debian or Devuan net installer. You can download the ISO from the homepage on [debian.org](https://www.debian.org/), or [the Devuan homepage](https://www.devuan.org/) for Devuan. Use this on the -GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\ -**set root='usb0'\ -linux /install.amd/vmlinuz\ -initrd /install.amd/initrd.gz\ -boot\ -** If you are on a 32-bit system (e.g. X60):\ -**set root='usb0'\ -linux /install.386/vmlinuz\ -initrd /install.386/initrd.gz\ -boot**\ +GRUB terminal to boot it from USB (for 64-bit Intel or AMD): + + + set root='usb0' + linux /install.amd/vmlinuz + initrd /install.amd/initrd.gz + boot + +If you are on a 32-bit system (e.g. X60): + + set root='usb0' + linux /install.386/vmlinuz + initrd /install.386/initrd.gz + boot + We recommend using the *MATE* desktop. Booting ISOLINUX images (automatic method) 
@@ -131,38 +129,45 @@ distribution. You must adapt them appropriately, for whatever GNU+Linux distribution it is that you are trying to install.* If the ISOLINUX parser or *Search for GRUB configuration* options won't -work, then press C in GRUB to access the command line.\ +work, then press C in GRUB to access the command line. + grub> ls -Get the device from above output, eg (usb0). Example:\ - grub> cat (usb0)/isolinux/isolinux.cfg\ + +Get the device from above output, eg (usb0). Example: + + grub> cat (usb0)/isolinux/isolinux.cfg + Either this will show the ISOLINUX menuentries for that ISO, or link to -other .cfg files, for example /isolinux/foo.cfg.\ -If it did that, then you do:\ +other .cfg files, for example /isolinux/foo.cfg. + +If it did that, then you do: + grub> cat (usb0)/isolinux/foo.cfg -And so on, until you find the correct menuentries for ISOLINUX. **The -file */isolinux/foo.cfg* is a fictional example. Do not actually use -this example, unless you actually have that file, if it is -appropriate.** - -For Debian or Devuan (and other debian-based distros), there are -typically menuentries listed in */isolinux/txt.cfg* or -*/isolinux/gtk.cfg*. For dual-architecture ISO images (i686 and -x86\_64), there may be separate files/directories for each architecture. -Just keep searching through the image, until you find the correct -ISOLINUX configuration file. NOTE: Debian 8.6 ISO only lists 32-bit boot -options in txt.cfg. This is important if you want 64-bit booting on your -system. Devuan versions based on Debian 8.x may also have the same -issue. - -Now look at the ISOLINUX menuentry. It'll look like:\ -**kernel /path/to/kernel\ -append PARAMETERS initrd=/path/to/initrd MAYBE\_MORE\_PARAMETERS\ -** GRUB works the same way, but in it's own way. Example GRUB -commands:\ - grub> set root='usb0'\ + +And so on, until you find the correct menuentries for ISOLINUX. *The file +`/isolinux/foo.cfg` is a fictional example. 
Do not actually use this example, +unless you actually have that file, if it is appropriate.* + +For Debian or Devuan (and other debian-based distros), there are typically +menuentries listed in */isolinux/txt.cfg* or */isolinux/gtk.cfg*. For +dual-architecture ISO images (i686 and x86\_64), there may be separate +files/directories for each architecture. Just keep searching through the +image, until you find the correct ISOLINUX configuration file. NOTE: Debian 8.6 +ISO only lists 32-bit boot options in txt.cfg. This is important if you want +64-bit booting on your system. Devuan versions based on Debian 8.x may also +have the same issue. + +Now look at the ISOLINUX menuentry. It'll look like: + + kernel /path/to/kernel append PARAMETERS initrd=/path/to/initrd ... + +GRUB works similarly. Example GRUB commands: + + grub> set root='usb0' grub> linux /path/to/kernel PARAMETERS MAYBE\_MORE\_PARAMETERS grub> initrd /path/to/initrd grub> boot + Note: *usb0* may be incorrect. Check the output of the *ls* command in GRUB, to see a list of USB devices/partitions. Of course this will vary from distro to distro. If you did all of that correctly, then it should @@ -193,8 +198,9 @@ When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, booting the Debian or Devuan net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't exist. Use that kernel parameter on the -'linux' line when booting it:\ -**vga=normal fb=false** +'linux' line when booting it: + + vga=normal fb=false This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. 
@@ -211,8 +217,6 @@ debian-installer (text mode) net install method. Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ Copyright © 2016 Scott Bonds <scott@ggr.com>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md index 4b58d3e5..d1c5428a 100644 --- a/docs/gnulinux/grub_cbfs.md +++ b/docs/gnulinux/grub_cbfs.md @@ -1,5 +1,6 @@ --- title: How to replace the default GRUB configuration file +x-toc-enable: true ... Libreboot on x86 uses the GRUB 
@@ -24,29 +25,15 @@ the libreboot GRUB payload will automatically search for. Here is an excellent writeup about CBFS (coreboot filesystem): <http://lennartb.home.xs4all.nl/coreboot/col5.html>. -**This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.** - -Table of Contents -================= - -- [Introduction](#introduction) -- [1st option: don't re-flash](#option1_dont_reflash) -- [2nd option: re-flash](#option2_reflash) - - [Acquire the necessary utilities](#tools) - - [Acquiring the correct ROM image](#rom) - - [Extract grubtest from the ROM image](#extract_testconfig) - - [Re-insert the modified grubtest.cfg into the ROM - image](#reinsert_modified_testconfig) - - [Testing](#testing) - - [Final steps](#final_steps) +*This guide is only for the GRUB payload. If you use the depthcharge payload, +ignore this section entirely.* Introduction ------------ Download the latest release from [libreboot.org](/)\ -**If you downloaded from git, refer to -[../git/\#build\_meta](../git/#build_meta) before continuing.** +*If you downloaded from git, refer to +[../git/\#build\_meta](../git/#build_meta) before continuing.* There are several advantages to modifying the GRUB configuration stored in CBFS, but this also means that you have to flash a new libreboot ROM @@ -58,7 +45,7 @@ If you aren't up to that then don't worry; it is possible to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration from a partition on the main storage instead. -1st option: don't re-flash {#option1_dont_reflash} +1st option: don't re-flash --------------------------- By default, GRUB in libreboot is configured to scan all partitions on 
@@ -67,10 +54,10 @@ the main storage for /boot/grub/libreboot\_grub.cfg or partition), and then use it automatically. Simply create your custom GRUB configuration and save it to -**/boot/grub/libreboot\_grub.cfg** on the running system. The next time +`/boot/grub/libreboot_grub.cfg` on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to this -configuration file. **This means that you do not have to re-flash, -recompile or otherwise modify libreboot at all!** +configuration file. *This means that you do not have to re-flash, +recompile or otherwise modify libreboot at all!* Ideally, your distribution should automatically generate a libreboot\_grub.cfg file that is written specifically under the 
@@ -86,30 +73,31 @@ If you want to adapt a copy of the existing *libreboot* GRUB configuration and use that for the libreboot\_grub.cfg file, then follow [\#tools](#tools), [\#rom](#rom) and [\#extract\_testconfig](#extract_testconfig) to get the -***grubtest.cfg***. Rename ***grubtest.cfg*** to -***libreboot\_grub.cfg*** and save it to ***/boot/grub/*** on the +`grubtest.cfg`. Rename `grubtest.cfg` to +`libreboot_grub.cfg` and save it to `/boot/grub/` on the running system where it is intended to be used. Modify the file at that location however you see fit, and then stop reading this guide (the rest -of this page is irrelevant to you); **in libreboot\_grub.cfg on disk, if +of this page is irrelevant to you); in `libreboot_grub.cfg` on disk, if you are adapting it based on grub.cfg from CBFS then remove the check -for libreboot\_grub.cfg otherwise it will loop.**. +for `libreboot_grub.cfg` otherwise it will loop. -2nd option: re-flash {#option2_reflash} +2nd option: re-flash -------------------- You can modify what is stored inside the flash chip quite easily. Read on to find out how. -Acquire the necessary utilities {#tools} +Acquire the necessary utilities ------------------------------- -Use ***cbfstool*** and ***flashrom***. There are available in the +Use `cbfstool` and `flashrom`. There are available in the *libreboot\_util* release archive, or they can be compiled (see [../git/\#build\_flashrom](../git/#build_flashrom)). Flashrom is also available from the repositories: + # pacman -S flashrom -Acquiring the correct ROM image {#rom} +Acquiring the correct ROM image ------------------------------- You can either work directly with one of the ROM images already included 
@@ -119,20 +107,22 @@ image file is named *libreboot.rom*, so please make sure to adapt. ROM images are included pre-compiled in libreboot. You can also dump your current firmware, using flashrom: + $ sudo flashrom -p internal -r libreboot.rom # flashrom -p internal -r libreboot.rom -If you are told to specify the chip, add the option **-c {your chip}** -to the command, for example: + +If you are told to specify the chip, add the option `-c {your chip}` to the +command, for example: # flashrom -c MX25L6405 -p internal -r libreboot.rom -Extract grubtest.cfg from the ROM image {#extract_testconfig} +Extract grubtest.cfg from the ROM image --------------------------------------- You can check the contents of the ROM image, inside CBFS: - $ cd \.../libreboot\_util/cbfstool** $ ./cbfstool libreboot.rom -print** + $ cd .../libreboot\_util/cbfstool + $ ./cbfstool libreboot.rom The files *grub.cfg* and *grubtest.cfg* should be present. grub.cfg is loaded by default, with a menuentry for switching to grubtest.cfg. In @@ -145,7 +135,7 @@ Extract grubtest.cfg from the ROM image: Modify the grubtest.cfg accordingly. -Re-insert the modified grubtest.cfg into the ROM image {#reinsert_modified_testconfig} +Re-insert the modified grubtest.cfg into the ROM image ------------------------------------------------------ Once your grubtest.cfg is modified and saved, delete the unmodified 
@@ -153,34 +143,39 @@ config from the ROM image: $ ./cbfstool libreboot.rom remove -n grubtest.cfg -Next, insert the modified version:\ -**\$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t -raw** +Next, insert the modified version: + + $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw Testing ------- -**Now you have a modified ROM. Refer back to +Now you have a modified ROM. Refer back to [../install/\#flashrom](../install/#flashrom) for information on how to flash it. - $ cd /libreboot\_util** \# **./flash update libreboot.rom\ + + $ cd /libreboot\_util + # ./flash update libreboot.rom + Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command: + # ./flash forceupdate libreboot.rom -You should see **"Verifying flash\... VERIFIED."** written at the end + +You should see `Verifying flash... VERIFIED.` written at the end of the flashrom output. Once you have done that, shut down and then boot -up with your new test configuration.** +up with your new test configuration. Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. -**If it does not work like you want it to, if you are unsure or +*If it does not work like you want it to, if you are unsure or sceptical in any way, then re-do the steps above until you get it right! -Do \*not\* proceed past this point unless you are 100% sure that your -new configuration is safe (or desirable) to use.** +Do not proceed past this point unless you are 100% sure that your +new configuration is safe (or desirable) to use.* -Final steps {#final_steps} +Final steps ----------- When you are satisfied booting from grubtest.cfg, you can create a copy 
@@ -190,10 +185,12 @@ difference: the menuentry 'Switch to grub.cfg' will be changed to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever want to follow this guide again in the future (modifying -the already modified config). From /libreboot\_util/cbfstool, do:\ -\$ **sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e +the already modified config). From /libreboot\_util/cbfstool, do: + + # sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e + 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > -grub.cfg**\ +grub.cfg Delete the grub.cfg that remained inside the ROM: @@ -203,16 +200,14 @@ Add the modified version that you just made: $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw -**Now you have a modified ROM. Again, refer back to +*Now you have a modified ROM. Again, refer back to [../install/\#flashrom](../install/#flashrom) for information on how to flash it. It's the same method as you used before. Shut down and then -boot up with your new configuration.** +boot up with your new configuration.* Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation diff --git a/docs/gnulinux/grub_hardening.md b/docs/gnulinux/grub_hardening.md index 12485949..c32a0534 100644 --- a/docs/gnulinux/grub_hardening.md +++ b/docs/gnulinux/grub_hardening.md 
@@ -31,14 +31,10 @@ image: Helpful links: -- [GRUB manual - \#security](https://www.gnu.org/software/grub/manual/html_node/Security.html#Security) -- [GRUB info - pages](http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi) -- [SATA connected storage considered dangerous until proven - otherwise.](../../faq.md#firmware-hddssd) -- [Coreboot GRUB security - howto](https://www.coreboot.org/GRUB2#Security) +- [GRUB manual](https://www.gnu.org/software/grub/manual/html_node/Security.html#Security) +- [GRUB info pages](http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi) +- [SATA connected storage considered dangerous.](../../faq.md#firmware-hddssd) +- [Coreboot GRUB security howto](https://www.coreboot.org/GRUB2#Security) GRUB Password ============= @@ -58,8 +54,8 @@ location. Note that this is not your LUKS password, but it's a password that you have to enter in order to use "restricted" functionality (such as console). This protects your system from an attacker simply booting a -live USB and re-flashing your firmware. **This should be different than -your LUKS passphrase and user password.** +live USB and re-flashing your firmware. *This should be different than +your LUKS passphrase and user password.* Use of the *diceware method* is recommended, for generating secure passphrases (as opposed to passwords). Diceware method involves using @@ -80,7 +76,7 @@ The GRUB password can be entered in two ways: - protected with [PBKDF2](https://en.wikipedia.org/wiki/Pbkdf2) We will (obviously) use the later. Generating the PBKDF2 derived key is -done using the **grub-mkpasswd-pbkdf2** utility. You can get it by +done using the `grub-mkpasswd-pbkdf2` utility. You can get it by installing GRUB version 2. Generate a key by giving it a password: grub-mkpasswd-pbkdf2 
@@ -101,13 +97,13 @@ As enabling password protection as above means that you have to input it on every single boot, we will make one menu entry work without it. Remember that we will have GPG signing active, thus a potential attacker will not be able to boot an arbitrary operating system. We do this by -adding option **--unrestricted** to a menuentry definition: +adding option `--unrestricted` to a menuentry definition: menuentry 'Load Operating System (incl. fully encrypted disks) [o]' --hotkey='o' --unrestricted { ... Another good thing to do, if we chose to load signed on-disk GRUB -configurations, is to remove (or comment out) **unset superusers** in +configurations, is to remove (or comment out) `unset superusers` in function try\_user\_config: function try_user_config { @@ -137,8 +133,8 @@ GPG keys First generate a GPG keypair to use for signing. Option RSA (sign only) is ok. -**Warning:** GRUB does not read ASCII armored keys. When attempting to -trust \... a key filename it will print error: bad signature +Warning: GRUB does not read ASCII armored keys. When attempting to +trust ... a key filename it will print error: bad signature mkdir --mode 0700 keys gpg --homedir keys --gen-key @@ -155,9 +151,10 @@ Now that we have a key, we can sign some files with it. We have to sign: by pressing ESC, but afterwards grubtest.cfg is not signed and it will not load. -Suppose that we have a pair of **my.kernel** and **my.initramfs** and an -on-disk **libreboot\_grub.cfg**. We sign them by issuing the following +Suppose that we have a pair of `my.kernel` and `my.initramfs` and an +on-disk `libreboot_grub.cfg`. We sign them by issuing the following commands: + gpg --homedir keys --detach-sign my.initramfs gpg --homedir keys --detach-sign my.kernel gpg --homedir keys --detach-sign libreboot_grub.cfg 
@@ -176,12 +173,10 @@ What remains now is to include the modifications into the image (rom): cbfstool my.rom add -n grubtest.cfg -f my.grubtest.cfg -t raw cbfstool my.rom add -n grubtest.cfg.sig -f my.grubtest.cfg.sig -t raw -\... and flashing it. +... and flashing it. Copyright © 2017 Fedja Beader <fedja@protonmail.ch>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md index 3814b75f..85777b95 100644 --- a/docs/gnulinux/index.md +++ b/docs/gnulinux/index.md @@ -5,8 +5,8 @@ title: GNU+Linux installation instructions This section relates to dealing with GNU+Linux distributions: preparing bootable USB drives, changing the default GRUB menu and so on. -**This section is only for the \*GRUB\* payload. For depthcharge, -instructions have yet to be written.** +*This section is only for the GRUB payload. For depthcharge, +instructions have yet to be written.* - [How to install GNU+Linux on a libreboot system](grub_boot_installer.md) @@ -24,8 +24,6 @@ instructions have yet to be written.** Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ - - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation |
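Review bot: in encrypted_parabola.md (hunk `@@ -457,7 +501,8 @@`) the prose fragment "What the above" is still stuck on the indented command line `# pam_tally --user *theusername* --reset What the above`, so it renders inside the code block while "configuration does is lock the user out..." opens the next paragraph mid-sentence. Drop the fragment from the command line and start the paragraph with "What the above configuration does is lock the user out for 10 minutes...". The `*theusername*` emphasis markers also render literally inside an indented code block; a plain placeholder such as `theusername` reads better there.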
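Review bot: in encrypted_parabola.md (hunk `@@ -538,13 +584,18 @@`) the added line `$ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg\` keeps a trailing backslash from the old hard-line-break syntax; inside an indented code block it renders literally and anyone pasting the line gets a stray `\`. Remove it. While this paragraph is being touched, "with the name of your chosen chip is quotes" in the context just above should read "in quotes".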
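Review bot: in encrypted_parabola.md (hunk `@@ -578,20 +629,25 @@`) the re-inserted cbfstool command is broken across a blank line, leaving `# ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t` in the code block with `-t` missing its argument and `raw` rendered as a one-word paragraph. Join it onto a single indented line: `$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw`. The prompt was also changed from `$` to `#`; cbfstool only edits a ROM file in the working directory and needs no root, and the `remove` command two lines above still uses `$`, so keep `$` here for consistency.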
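Review bot: in encrypted_parabola.md (hunk `@@ -616,13 +672,17 @@`) the sed command is split the same way: only `# sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e` lands in the code block, and the second `-e` expression together with `< grubtest.cfg > grub.cfg` falls out as prose, so a reader copying the block runs sed with a dangling `-e` and never produces grub.cfg. Put the whole command on one indented line (or continue it with a trailing backslash inside the block) and use `$` rather than `#`, since it only touches files under libreboot_util/cbfstool.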
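Review bot: in encrypted_parabola.md (hunk `@@ -656,26 +717,32 @@`) the keyfile command is split across a blank line, so the code block shows `# dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile` and `iflag=fullblock` appears as a stray one-word paragraph. That is not purely cosmetic: `iflag=fullblock` is what makes dd keep reading until each 512-byte block is full, so a reader who copies the block as rendered can, on a short read, end up with a keyfile shorter than the intended 2048 bytes without noticing. Join the command onto one indented line. Also, `# FILES="/etc/mykeyfile"` is a line to put in /etc/mkinitcpio.conf, not a shell command; showing it behind a root prompt invites people to type it into a shell, so drop the `#` on that line.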
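Review bot: in grub_boot_installer.md (hunk `@@ -92,10 +87,8 @@`) the shortened link text drops "(including /boot)", which is the distinguishing point of these two guides compared with a distribution's default encrypted install, where /boot stays unencrypted. Consider keeping it, e.g. "Debian or Devuan GNU+Linux with full disk encryption (including /boot)".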
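Review bot: in grub_boot_installer.md (hunk `@@ -103,16 +96,21 @@`) two consecutive blank lines were added after "(for 64-bit Intel or AMD):" before the `set root='usb0'` block; one is enough to open the indented code block, and the 32-bit block just below uses a single one. Minor style point.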
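Review bot: in grub_boot_installer.md (hunk `@@ -131,38 +129,45 @@`) the ISOLINUX example was collapsed onto one line, `kernel /path/to/kernel append PARAMETERS initrd=/path/to/initrd ...`, but in an ISOLINUX config `kernel` and `append` are separate directives on separate lines; merged like this, the reader is told to look for a shape that never appears in txt.cfg. Restore the two lines inside the code block. In the same block, `MAYBE\_MORE\_PARAMETERS` on the `grub> linux` line is a markdown underscore escape inside an indented code block and renders with the backslashes; write `MAYBE_MORE_PARAMETERS`.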
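Review bot: in grub_cbfs.md (hunk `@@ -86,30 +73,31 @@`) removing the explicit heading ids `{#tools}` and `{#rom}` (and `{#extract_testconfig}`, `{#option1_dont_reflash}`, `{#option2_reflash}`, `{#reinsert_modified_testconfig}`, `{#final_steps}` in the neighbouring hunks) breaks the in-page links in the context right above: `[\#tools](#tools)`, `[\#rom](#rom)` and `[\#extract\_testconfig](#extract_testconfig)`. Auto-generated ids are derived from the heading text (e.g. `acquire-the-necessary-utilities`), not `tools`, so either keep the `{#...}` attributes or update those three links to the new ids. Also, the changed line "There are available in the *libreboot\_util* release archive" should read "These are available".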
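Review bot: in grub_cbfs.md (hunk `@@ -119,20 +107,22 @@`) the rewritten listing command lost its subcommand: `$ ./cbfstool libreboot.rom` replaced `./cbfstool libreboot.rom print`, and without `print` cbfstool only shows its usage rather than the CBFS contents that the next sentence ("The files grub.cfg and grubtest.cfg should be present") expects the reader to inspect. Restore `$ ./cbfstool libreboot.rom print`. The `$ cd .../libreboot\_util/cbfstool` line above it also keeps an escaped underscore inside the code block, which renders literally; write `libreboot_util`.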
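Review bot: in grub_cbfs.md (hunk `@@ -153,34 +143,39 @@`) the added `$ cd /libreboot\_util` keeps the markdown underscore escape inside an indented code block, so it renders as `libreboot\_util` and does not paste correctly; write `libreboot_util`. "Ocassionally" in the context line should be "Occasionally" while this paragraph is being edited.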
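Review bot: in grub_cbfs.md (hunk `@@ -190,10 +185,12 @@`) the same split-command problem as in encrypted_parabola.md: `# sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e` is the only line left in the code block, and the second expression with the `< grubtest.cfg > grub.cfg` redirection drops out as prose, so the block as rendered is an incomplete command that leaves grub.cfg unwritten. Put the entire command on one indented line, with a `$` prompt since no root is needed for files under libreboot_util/cbfstool.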