diff options
Diffstat (limited to 'docs/gnulinux')
| -rw-r--r-- | docs/gnulinux/configuring_parabola.md | 106 | ||||
| -rw-r--r-- | docs/gnulinux/encrypted_debian.md | 48 | ||||
| -rw-r--r-- | docs/gnulinux/encrypted_parabola.md | 68 | ||||
| -rw-r--r-- | docs/gnulinux/grub_boot_installer.md | 30 | ||||
| -rw-r--r-- | docs/gnulinux/grub_cbfs.md | 32 | ||||
| -rw-r--r-- | docs/gnulinux/grub_hardening.md | 6 |
6 files changed, 145 insertions, 145 deletions
diff --git a/docs/gnulinux/configuring_parabola.md b/docs/gnulinux/configuring_parabola.md index c81c6f06..ca7e5417 100644 --- a/docs/gnulinux/configuring_parabola.md +++ b/docs/gnulinux/configuring_parabola.md @@ -4,7 +4,7 @@ Configuring Parabola (post-install) Post-installation configuration steps for Parabola GNU+Linux-libre. Parabola is extremely flexible; this is just an example. This example -uses LXDE because it\'s lightweight, but we recommend the *MATE* desktop +uses LXDE because it's lightweight, but we recommend the *MATE* desktop (which is actually about as lightweight as LXDE). [Back to previous index](./) @@ -52,7 +52,7 @@ It details configuration steps that I took after installing the base system, as a follow up to [encrypted\_parabola.html](encrypted_parabola.html). This guide is likely to become obsolete at a later date (due to the volatile -\'rolling-release\' model that Arch/Parabola both use), but attempts +'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. **This guide was valid on 2014-09-21. If you see any changes that should @@ -95,12 +95,12 @@ careful about this when reading anything on the Arch wiki. -Some of these steps require internet access. I\'ll go into networking +Some of these steps require internet access. I'll go into networking later but for now, I just connected my system to a switch and did:\ \# **systemctl start dhcpcd.service**\ You can stop it later by running:\ \# **systemctl stop dhcpcd.service**\ -For most people this should be enough, but if you don\'t have DHCP on +For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:\ [Setup network connection in Parabola](#network) @@ -111,13 +111,13 @@ Configure pacman {#pacman_configure} pacman (**pac**kage **man**ager) is the name of the package management system in Arch, which Parabola (as a deblobbed parallel effort) also -uses. Like with \'apt-get\' on Debian or Devuan, this can be used to +uses. Like with 'apt-get' on Debian or Devuan, this can be used to add/remove and update the software on your computer. Based on <https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman> and from reading <https://wiki.archlinux.org/index.php/Pacman> (make -sure to read and understand this, it\'s very important) and +sure to read and understand this, it's very important) and <https://wiki.parabolagnulinux.org/Official_Repositories> [Back to top of page.](#pagetop) @@ -127,7 +127,7 @@ sure to read and understand this, it\'s very important) and Updating Parabola {#pacman_update} ----------------- -In the end, I didn\'t change my configuration for pacman. When you are +In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:\ \# **pacman -Syy**\ (according to the wiki, -Syy is better than Sy because it refreshes the @@ -136,7 +136,7 @@ when switching to another mirror).\ Then, update the system:\ \# **pacman -Syu** -**Before installing packages with \'pacman -S\', always update first, +**Before installing packages with 'pacman -S', always update first, using the notes above.** Keep an eye out on the output, or read it in /var/log/pacman.log. @@ -145,12 +145,12 @@ will need to perform with certain files (typically configurations) after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues. If a new kernel is installed, you should also update to be able to use it (the currently running kernel -will also be fine). It\'s generally good enough to update Parabola once -every week, or maybe twice. As a rolling release distribution, it\'s a +will also be fine). It's generally good enough to update Parabola once +every week, or maybe twice. As a rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated. A system -that hasn\'t been updated for quite a while will mean potentially more +that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website, and more maintenance work. @@ -166,7 +166,7 @@ sending an email to an important person before an allocated deadline, and so on. Relax - packages are well-tested regularly when new updates are made to -the repositories. Separate \'testing\' repositories exist for this exact +the repositories. Separate 'testing' repositories exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free, so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in the rare @@ -194,7 +194,7 @@ re-install it or install the distro on another computer, for example). maintain your Parabola system:\ <https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache>. Essentially, this guide talks about a directory that has to be cleaned -once in a while, to prevent it from growing too big (it\'s a cache of +once in a while, to prevent it from growing too big (it's a cache of old package information, updated automatically when you do anything in pacman).** @@ -203,8 +203,8 @@ To clean out all old packages that are cached:\ The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo, if you encounter issues and -want to revert back to an older package then it\'s useful to have the -caches available. Only do this if you are sure that you won\'t need it. +want to revert back to an older package then it's useful to have the +caches available. Only do this if you are sure that you won't need it. The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:\ @@ -247,7 +247,7 @@ Add a user {#useradd} Based on <https://wiki.archlinux.org/index.php/Users_and_Groups>. It is important (for security reasons) to create and use a non-root -(non-admin) user account for everyday use. The default \'root\' account +(non-admin) user account for everyday use. The default 'root' account is intended only for critical administrative work, since it has complete access to the entire operating system. @@ -275,20 +275,20 @@ It is a good idea to become familiar with it. Read gain a full understanding. **This is very important! Make sure to read them.** -An example of a \'service\' could be a webserver (such as lighttpd), or +An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. <https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530> explains -the background behind the decision by Arch (Parabola\'s upstream +the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. The manpage should also help:\ \# **man systemd**\ -The section on \'unit types\' is especially useful. +The section on 'unit types' is especially useful. -According to the wiki, systemd \'journal\' keeps logs of a size up to +According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. on a 60GB root this -would mean 6GB. That\'s not exactly practical, and can have performance +would mean 6GB. That's not exactly practical, and can have performance implications later when the log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki recommends 50MiB). @@ -307,20 +307,20 @@ Restart journald:\ The wiki recommends that if the journal gets too large, you can also simply delete (rm -Rf) everything inside /var/log/journald/\* but -recommends backing it up. This shouldn\'t be necessary, since you +recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically start to -delete older records when the journal size reaches it\'s limit +delete older records when the journal size reaches it's limit (according to systemd developers). -Finally, the wiki mentions \'temporary\' files and the utility for +Finally, the wiki mentions 'temporary' files and the utility for managing them.\ \# **man systemd-tmpfiles**\ -The command for \'clean\' is:\ +The command for 'clean' is:\ \# **systemd-tmpfiles \--clean**\ -According to the manpage, this *\"cleans all files and directories with -an age parameter\"*. According to the Arch wiki, this reads information +According to the manpage, this *"cleans all files and directories with +an age parameter"*. According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ to know what actions to -perform. Therefore, it is a good idea to read what\'s stored in these +perform. Therefore, it is a good idea to read what's stored in these locations to get a better understanding. I looked in /etc/tmpfiles.d/ and found that it was empty on my system. @@ -329,7 +329,7 @@ etc.conf, containing information and a reference to this manpage:\ \# **man tmpfiles.d**\ Read that manpage, and then continue studying all the files. -The systemd developers tell me that it isn\'t usually necessary to touch +The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all. [Back to top of page](#pagetop) @@ -341,12 +341,12 @@ Interesting repositories {#interesting_repos} Parabola wiki at <https://wiki.parabolagnulinux.org/Repositories#kernels> mentions about -a repository called \[kernels\] for custom kernels that aren\'t in the +a repository called \[kernels\] for custom kernels that aren't in the default base. It might be worth looking into what is available there, depending on your use case. I enabled it on my system, to see what was in it. Edit /etc/pacman.conf -and below the \'extra\' section add:\ +and below the 'extra' section add:\ *\[kernels\]\ Include = /etc/pacman.d/mirrorlist* @@ -386,8 +386,8 @@ Add the same hostname to /etc/hosts, on each line. Example:\ *127.0.0.1 localhost.localdomain localhost myhostname\ ::1 localhost.localdomain localhost myhostname* -You\'ll note that I set both lines; the 2nd line is for IPv6. More and -more ISPs are providing this now (mine does) so it\'s good to be +You'll note that I set both lines; the 2nd line is for IPv6. More and +more ISPs are providing this now (mine does) so it's good to be forward-thinking here. The *hostname* utility is part of the *inetutils* package and is in @@ -400,12 +400,12 @@ core/, installed by default (as part of *base*). According to the Arch wiki, [udev](https://wiki.archlinux.org/index.php/Udev) should already detect the ethernet chipset and load the driver for it automatically at boot -time. You can check this in the *\"Ethernet controller\"* section when +time. You can check this in the *"Ethernet controller"* section when running this command:\ \# **lspci -v** -Look at the remaining sections *\'Kernel driver in use\'* and *\'Kernel -modules\'*. In my case it was as follows:\ +Look at the remaining sections *'Kernel driver in use'* and *'Kernel +modules'*. In my case it was as follows:\ *Kernel driver in use: e1000e\ Kernel modules: e1000e* @@ -463,8 +463,8 @@ continuing. Also read is important, so make sure to read them!** Install smartmontools (it can be used to check smart data. HDDs use -non-free firmware inside, but it\'s transparent to you but the smart -data comes from it. Therefore, don\'t rely on it too much):\ +non-free firmware inside, but it's transparent to you but the smart +data comes from it. Therefore, don't rely on it too much):\ \# **pacman -S smartmontools**\ Read <https://wiki.archlinux.org/index.php/S.M.A.R.T.> to learn how to use it. @@ -502,7 +502,7 @@ For other systems you can try:\ \# **pacman -Ss xf86-video- | less**\ Combined with looking at your *lspci* output, you can determine which driver is needed. By default, Xorg will revert to xf86-video-vesa which -is a generic driver and doesn\'t provide true hardware acceleration. +is a generic driver and doesn't provide true hardware acceleration. Other drivers (not just video) can be found by looking at the *xorg-drivers* group:\ @@ -541,9 +541,9 @@ X:\ \# **setxkbmap -print -verbose 10** In my case, I wanted to use the Dvorak (UK) keyboard which is quite -different from Xorg\'s default Qwerty (US) layout. +different from Xorg's default Qwerty (US) layout. -I\'ll just say it now: *XkbModel* can be *pc105* in this case (ThinkPad +I'll just say it now: *XkbModel* can be *pc105* in this case (ThinkPad X60, with a 105-key UK keyboard). If you use an American keyboard (typically 104 keys) you will want to use *pc104*. @@ -559,16 +559,16 @@ and\ In my case, I chose to use the *configuration file* method:\ Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:\ -*Section \"InputClass\"\ - Identifier \"system-keyboard\"\ - MatchIsKeyboard \"on\"\ - Option \"XkbLayout\" \"gb\"\ - Option \"XkbModel\" \"pc105\"\ - Option \"XkbVariant\" \"dvorak\"\ +*Section "InputClass"\ + Identifier "system-keyboard"\ + MatchIsKeyboard "on"\ + Option "XkbLayout" "gb"\ + Option "XkbModel" "pc105"\ + Option "XkbVariant" "dvorak"\ EndSection* For you, the steps above may differ if you have a different layout. If -you use a US Qwerty keyboard, then you don\'t even need to do anything +you use a US Qwerty keyboard, then you don't even need to do anything (though it might help, for the sake of being explicit). [Back to top of page.](#pagetop) @@ -577,17 +577,17 @@ you use a US Qwerty keyboard, then you don\'t even need to do anything ### Install LXDE {#desktop_lxde} -Desktop choice isn\'t that important to me, so for simplicity I decided -to use LXDE. It\'s lightweight and does everything that I need. If you +Desktop choice isn't that important to me, so for simplicity I decided +to use LXDE. It's lightweight and does everything that I need. If you would like to try something different, refer to <https://wiki.archlinux.org/index.php/Desktop_environment> Refer to <https://wiki.archlinux.org/index.php/LXDE>. -Install it, choosing \'all\' when asked for the default package list:\ +Install it, choosing 'all' when asked for the default package list:\ \# **pacman -S lxde obconf** -I didn\'t want the following, so I removed them:\ +I didn't want the following, so I removed them:\ \# **pacman -R lxmusic lxtask** I also lazily installed all fonts:\ @@ -689,7 +689,7 @@ Right click lxde panel and *Add/Remove Panel Items*. Click *Add* and select *Battery Monitor*, then click *Add*. Close and then right-click the applet and go to *Battery Monitor Settings*, check the box that says *Show Extended Information*. Now click *Close*. When you hover the -cursor over it, it\'ll show information about the battery. +cursor over it, it'll show information about the battery. [Back to top of page.](#pagetop) diff --git a/docs/gnulinux/encrypted_debian.md b/docs/gnulinux/encrypted_debian.md index a8b5efdb..99c3fc47 100644 --- a/docs/gnulinux/encrypted_debian.md +++ b/docs/gnulinux/encrypted_debian.md @@ -15,7 +15,7 @@ to traditional BIOS systems. On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the -kernel, can be loaded and executed since the firmware can\'t open a LUKS +kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system. @@ -23,12 +23,12 @@ tampering by someone with physical access to the system. This guide is written for Debian net installer. You can download the ISO from the homepage on [debian.org](https://www.debian.org/). Use this on the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\ -**set root=\'usb0\'\ +**set root='usb0'\ linux /install.amd/vmlinuz\ initrd /install.amd/initrd.gz\ boot\ ** If you are on a 32-bit system (e.g. X60):\ -**set root=\'usb0\'\ +**set root='usb0'\ linux /install.386/vmlinuz\ initrd /install.386/initrd.gz\ boot** @@ -54,10 +54,10 @@ Use of the *diceware method* is recommended, for generating secure passphrases (instead of passwords). when the installer asks you to set up encryption (ecryptfs) for your -home directory, select \'Yes\' if you want to: **LUKS is already secure +home directory, select 'Yes' if you want to: **LUKS is already secure and performs well. Having ecryptfs on top of it will add noticeable performance penalty, for little security gain in most use cases. This is -therefore optional, and not recommended. Choose \'no\'.** +therefore optional, and not recommended. Choose 'no'.** **Your user password should be different from the LUKS password which you will set later on. Your LUKS password should, like the user @@ -68,7 +68,7 @@ password, be secure.** Partitioning ============ -Choose \'Manual\' partitioning: +Choose 'Manual' partitioning: - Select drive and create new partition table - Single large partition. The following are mostly defaults: @@ -77,9 +77,9 @@ Choose \'Manual\' partitioning: - key size: whatever default is given to you - IV algorithm: whatever default is given to you - Encryption key: passphrase - - erase data: Yes (only choose \'No\' if it\'s a new drive that - doesn\'t contain your private data) -- Select \'configure encrypted volumes\' + - erase data: Yes (only choose 'No' if it's a new drive that + doesn't contain your private data) +- Select 'configure encrypted volumes' - Create encrypted volumes - Select your partition - Finish @@ -89,7 +89,7 @@ Choose \'Manual\' partitioning: minute to make sure that the LUKS header is wiped out) - Select encrypted space: - use as: physical volume for LVM - - Choose \'done setting up the partition\' + - Choose 'done setting up the partition' - Configure the logical volume manager: - Keep settings: Yes - Create volume group: @@ -119,7 +119,7 @@ mountpoints and filesystems to use. - LVM LV swap - use as: swap area - done setting up partition -- Now you select \'Finished partitioning and write changes to disk\'. +- Now you select 'Finished partitioning and write changes to disk'. @@ -135,7 +135,7 @@ Tasksel ======= For Debian, use the *MATE* option, or one of the others if you want. The -libreboot project recommends MATE, unless you\'re saavy enough to choose +libreboot project recommends MATE, unless you're saavy enough to choose something else. If you want debian-testing, then you should only select barebones @@ -145,10 +145,10 @@ install to point to the new distro, and then run **apt-get update** and root. This is to avoid downloading large packages twice. NOTE: If you want the latest up to date version of the Linux kernel, -Debian\'s kernel is sometimes outdated, even in the testing distro. You +Debian's kernel is sometimes outdated, even in the testing distro. You might consider using [this repository](https://jxself.org/linux-libre/) instead, which contains the most up to date versions of the Linux -kernel. These kernels are also deblobbed, like Debian\'s kernels, so you +kernel. These kernels are also deblobbed, like Debian's kernels, so you can be sure that no binary blobs are present. @@ -156,16 +156,16 @@ can be sure that no binary blobs are present. Postfix configuration ===================== -If asked, choose *\"No Configuration\"* here (or maybe you want to -select something else. It\'s up to you.) +If asked, choose *"No Configuration"* here (or maybe you want to +select something else. It's up to you.) Install the GRUB boot loader to the master boot record ====================================================== -Choose \'Yes\'. It will fail, but don\'t worry. Then at the main menu, -choose \'Continue without a bootloader\'. You could also choose \'No\'. +Choose 'Yes'. It will fail, but don't worry. Then at the main menu, +choose 'Continue without a bootloader'. You could also choose 'No'. Choice is irrelevant here. *You do not need to install GRUB at all, since in libreboot you are @@ -176,7 +176,7 @@ using the GRUB payload (for libreboot) to boot your system directly.* Clock UTC ========= -Just say \'Yes\'. +Just say 'Yes'. @@ -188,7 +188,7 @@ payload, press C to get to the command line. Do that:\ grub> **cryptomount -a**\ -grub> **set root=\'lvm/matrix-rootvol\'**\ +grub> **set root='lvm/matrix-rootvol'**\ grub> **linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root**\ grub> **initrd /initrd.img**\ @@ -199,7 +199,7 @@ grub> **boot** ecryptfs ======== -If you didn\'t encrypt your home directory, then you can safely ignore +If you didn't encrypt your home directory, then you can safely ignore this section. Immediately after logging in, do that:\ @@ -219,11 +219,11 @@ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. Modify your grub.cfg (in the firmware) [using this -tutorial](grub_cbfs.html); just change the default menu entry \'Load -Operating System\' to say this inside: +tutorial](grub_cbfs.html); just change the default menu entry 'Load +Operating System' to say this inside: **cryptomount -a**\ -**set root=\'lvm/matrix-rootvol\'**\ +**set root='lvm/matrix-rootvol'**\ **linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root**\ **initrd /initrd.img** diff --git a/docs/gnulinux/encrypted_parabola.md b/docs/gnulinux/encrypted_parabola.md index 7bda2625..c743459f 100644 --- a/docs/gnulinux/encrypted_parabola.md +++ b/docs/gnulinux/encrypted_parabola.md @@ -5,14 +5,14 @@ Installing Parabola or Arch GNU+Linux with full disk encryption (including /boot Libreboot on x86 uses the GRUB [payload](http://www.coreboot.org/Payloads#GRUB_2) by default, which means that the GRUB configuration file (where your GRUB menu comes from) -is stored directly alongside libreboot and it\'s GRUB payload +is stored directly alongside libreboot and it's GRUB payload executable, inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems. On most systems, the /boot partition has to be left unencrypted while the others are encrypted. This is so that GRUB, and therefore the -kernel, can be loaded and executed since the firmware can\'t open a LUKS +kernel, can be loaded and executed since the firmware can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system. @@ -36,7 +36,7 @@ drive. -Boot Parabola\'s install environment. [How to boot a GNU+Linux +Boot Parabola's install environment. [How to boot a GNU+Linux installer](grub_boot_installer.html). For this guide I used the 2015 08 01 image to boot the live installer @@ -62,7 +62,7 @@ security issues if you do enable it. See [this page](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29) for more info. -- make sure it\'s brand-new (or barely used). Or, otherwise, be sure +- make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data. - make sure to read [this @@ -79,15 +79,15 @@ example if it was 2MiB:\ \# **dd if=/dev/urandom of=/dev/sda bs=2M; sync** If your drive was already LUKS encrypted (maybe you are re-installing -your distro) then it is already \'wiped\'. You should just wipe the LUKS +your distro) then it is already 'wiped'. You should just wipe the LUKS header. <https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/> showed me how to do this. It recommends doing the first 3MiB. Now, that -guide is recommending putting zero there. I\'m going to use urandom. Do +guide is recommending putting zero there. I'm going to use urandom. Do this:\ \# **head -c 3145728 /dev/urandom > /dev/sda; sync**\ (Wiping the LUKS header is important, since it has hashed passphrases -and so on. It\'s \'secure\', but \'potentially\' a risk). +and so on. It's 'secure', but 'potentially' a risk). @@ -142,7 +142,7 @@ I am using MBR partitioning, so I use cfdisk:\ \# **cfdisk /dev/sda** I create a single large sda1 filling the whole drive, leaving it as the -default type \'Linux\' (83). +default type 'Linux' (83). Now I refer to <https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning>:\ @@ -198,7 +198,7 @@ Show that you just created it:\ Now I create the volume group, inside of which the logical volumes will be created:\ \# **vgcreate matrix /dev/mapper/lvm**\ -(volume group name is \'matrix\' - choose your own name, if you like) +(volume group name is 'matrix' - choose your own name, if you like) Show that you created it:\ \# **vgdisplay** @@ -214,7 +214,7 @@ the rest of the space, named root)\ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, if you will be running a web/mail server then you want /var in its own partition (so that if it -fills up with logs, it won\'t crash your system). For a home/laptop +fills up with logs, it won't crash your system). For a home/laptop system (typical use case), a root and a swap will do (really). Verify that the logical volumes were created, using the following @@ -267,13 +267,13 @@ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. <troubleshooting>\ - The following is based on \'Verification of package signatures\' in + The following is based on 'Verification of package signatures' in the Parabola install guide.\ Check there first to see if steps differ by now.\ Now you have to update the default Parabola keyring. This is used for signing and verifying packages:\ \# **pacman -Sy parabola-keyring**\ - It says that if you get GPG errors, then it\'s probably an expired + It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:\ \# **pacman-key \--populate parabola**\ \# **pacman-key \--refresh-keys**\ @@ -294,7 +294,7 @@ me from using it.\ I deleted the files that it mentioned and then it worked. Specifically, I had this error:\ *licenses: /usr/share/licenses/common/MPS exists in filesystem*\ - I rm -Rf\'d the file and then pacman worked. I\'m told that the + I rm -Rf'd the file and then pacman worked. I'm told that the following would have also made it work:\ \# **pacman -Sf licenses**\ </troubleshooting>\ @@ -322,7 +322,7 @@ command again!) Chroot into new system:\ \# **arch-chroot /mnt /bin/bash** -It\'s a good idea to have this installed:\ +It's a good idea to have this installed:\ \# **pacman -S linux-libre-lts** It was also suggested that you should install this kernel (read up on @@ -330,7 +330,7 @@ what GRSEC is):\ \# **pacman -S linux-libre-grsec** This is another kernel that sits inside /boot, which you can use. LTS -means \'long-term support\'. These are so-called \'stable\' kernels that +means 'long-term support'. These are so-called 'stable' kernels that can be used as a fallback during updates, if a bad kernel causes issues for you. @@ -380,13 +380,13 @@ information about each hook.) Specifically, for this use case:\ \# **vi /etc/mkinitcpio.conf**\ Then modify the file like so: -- MODULES=\"i915\" +- MODULES="i915" - This forces the driver to load earlier, so that the console font - isn\'t wiped out after getting to login). Macbook21 users will also + isn't wiped out after getting to login). Macbook21 users will also need **hid-generic, hid and hid-apple to have a working keyboard when asked to enter the LUKS password.** -- HOOKS=\"base udev autodetect modconf block keyboard keymap - consolefont encrypt lvm2 filesystems fsck shutdown\" +- HOOKS="base udev autodetect modconf block keyboard keymap + consolefont encrypt lvm2 filesystems fsck shutdown" - Explanation: - keymap adds to initramfs the keymap that you specified in /etc/vconsole.conf @@ -412,7 +412,7 @@ Set the root password: At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to <https://wiki.archlinux.org/index.php/SHA_password_hashes>.\ \# **vi /etc/pam.d/passwd**\ -Add rounds=65536 at the end of the uncommented \'password\' line.\ +Add rounds=65536 at the end of the uncommented 'password' line.\ \# **passwd root**\ Make sure to set a secure password! Also, it must never be the same as your LUKS password. @@ -444,7 +444,7 @@ failed login attempts. Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. If this is a single-user system, you -don\'t really need sudo. +don't really need sudo. @@ -458,7 +458,7 @@ unmount:\ \# **umount -R /mnt**\ \# **swapoff -a** -deactivate the lvm lv\'s:\ +deactivate the lvm lv's:\ \# **lvchange -an /dev/matrix/root**\ \# **lvchange -an /dev/matrix/swapvol**\ @@ -478,7 +478,7 @@ command line. The underlined parts are optional (using those 2 underlines will boot lts kernel instead of normal). grub> **cryptomount -a**\ -grub> **set root=\'lvm/matrix-root\'**\ +grub> **set root='lvm/matrix-root'**\ grub> **linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root**\ grub> **initrd /boot/initramfs-linux-libre-lts.img**\ @@ -514,7 +514,7 @@ Modify grub.cfg inside the ROM automatically with this configuration. [grub\_cbfs.html](grub_cbfs.html) shows you how. Follow that guide, using the configuration details below. If you go for option 2 (re-flash), promise to do this on grubtest.cfg -first! We can\'t emphasise this enough. This is to reduce the +first! We can't emphasise this enough. This is to reduce the possibility of bricking your device! I will go for the re-flash option here. Firstly, cd to the @@ -532,7 +532,7 @@ Extract grubtest.cfg:\ And modify:\ \$ **vi grubtest.cfg** -In grubtest.cfg, inside the \'Load Operating System\' menu entry, change +In grubtest.cfg, inside the 'Load Operating System' menu entry, change the contents to: cryptomount -a @@ -571,18 +571,18 @@ Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:\ \# **./flash forceupdate libreboot.rom**\ -You should see \"Verifying flash\... VERIFIED.\" written at the end of +You should see "Verifying flash\... VERIFIED." written at the end of the flashrom output. With this new configuration, Parabola can boot automatically and you will have to enter a password at boot time, in GRUB, before being able -to use any of the menu entries or switch to the terminal. Let\'s test it +to use any of the menu entries or switch to the terminal. Let's test it out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow keys on your keyboard. Enter the name you chose, the GRUB password, your LUKS passphrase and login as root/your user. All went well? Great! If it does not work like you want it to, if you are unsure or sceptical -in any way, don\'t despair: you have been wise and did not brick your +in any way, don't despair: you have been wise and did not brick your device! Reboot and login the default way, and then modify your grubtest.cfg until you get it right! **Do \*not\* proceed past this point unless you are 100% sure that your new configuration is safe (or @@ -590,15 +590,15 @@ desirable) to use.** Now, we can easily and safely create a copy of grubtest.cfg, called grub.cfg. This will be the same except for one difference: the menuentry -\'Switch to grub.cfg\' is changed to \'Switch to grubtest.cfg\' and, +'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg' and, inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you -don\'t have to manually switch to it, in case you ever want to follow +don't have to manually switch to it, in case you ever want to follow this guide again in the future (modifying the already modified config). Inside libreboot\_util/cbfstool/{armv7l i686 x86\_64}, we can do this with the following command:\ -\$ **sed -e \'s:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g\' -e -\'s:Switch to grub.cfg:Switch to grubtest.cfg:g\' < grubtest.cfg > +\$ **sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e +'s:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg**\ Delete the grub.cfg that remained inside the ROM:\ \$ **./cbfstool libreboot.rom remove -n grub.cfg**\ @@ -609,7 +609,7 @@ Now you have a modified ROM. Once more, refer to <http://libreboot.org/docs/install/#flashrom>. Cd to the libreboot\_util directory and update the flash chip contents:\ \# **./flash update libreboot.rom**\ -And wait for the \"Verifying flash\... VERIFIED.\" Once you have done +And wait for the "Verifying flash\... VERIFIED." Once you have done that, shut down and then boot up with your new configuration. When done, delete GRUB (remember, we only needed it for the @@ -643,7 +643,7 @@ Insert it into the luks volume:\ \# **cryptsetup luksAddKey /dev/sdX /etc/mykeyfile**\ and enter your LUKS passphrase when prompted. Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:\ -\# **FILES=\"/etc/mykeyfile\"**\ +\# **FILES="/etc/mykeyfile"**\ Create the initramfs image from scratch:\ \# **mkinitcpio -p linux-libre**\ \# **mkinitcpio -p linux-libre-lts**\ diff --git a/docs/gnulinux/grub_boot_installer.md b/docs/gnulinux/grub_boot_installer.md index b61fd7a2..c62ac863 100644 --- a/docs/gnulinux/grub_boot_installer.md +++ b/docs/gnulinux/grub_boot_installer.md @@ -35,7 +35,7 @@ Connect the USB drive. Check dmesg:\ Check lsblk to confirm which drive it is:\ **\$ lsblk** -Check that it wasn\'t automatically mounted. If it was, unmount it. For +Check that it wasn't automatically mounted. If it was, unmount it. For example:\ **\$ sudo umount /dev/sdX\***\ **\# umount /dev/sdX\*** @@ -78,7 +78,7 @@ Connect the USB drive. Check dmesg:\ Check to confirm which drive it is, for example, if you think its sd3:\ **\$ disklabel sd3** -Check that it wasn\'t automatically mounted. If it was, unmount it. For +Check that it wasn't automatically mounted. If it was, unmount it. For example:\ **\$ doas umount /dev/sd3i**\ @@ -112,12 +112,12 @@ Download the Debian or Devuan net installer. You can download the ISO from the homepage on [debian.org](https://www.debian.org/), or [the Devuan homepage](https://www.devuan.org/) for Devuan. Use this on the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\ -**set root=\'usb0\'\ +**set root='usb0'\ linux /install.amd/vmlinuz\ initrd /install.amd/initrd.gz\ boot\ ** If you are on a 32-bit system (e.g. X60):\ -**set root=\'usb0\'\ +**set root='usb0'\ linux /install.386/vmlinuz\ initrd /install.386/initrd.gz\ boot**\ @@ -146,7 +146,7 @@ Booting ISOLINUX images (manual method) distribution. You must adapt them appropriately, for whatever GNU+Linux distribution it is that you are trying to install.* -If the ISOLINUX parser or *Search for GRUB configuration* options won\'t +If the ISOLINUX parser or *Search for GRUB configuration* options won't work, then press C in GRUB to access the command line.\ grub> **ls**\ Get the device from above output, eg (usb0). Example:\ @@ -170,12 +170,12 @@ options in txt.cfg. This is important if you want 64-bit booting on your system. Devuan versions based on Debian 8.x may also have the same issue. -Now look at the ISOLINUX menuentry. It\'ll look like:\ +Now look at the ISOLINUX menuentry. It'll look like:\ **kernel /path/to/kernel\ append PARAMETERS initrd=/path/to/initrd MAYBE\_MORE\_PARAMETERS\ -** GRUB works the same way, but in it\'s own way. Example GRUB +** GRUB works the same way, but in it's own way. Example GRUB commands:\ -grub> **set root=\'usb0\'**\ +grub> **set root='usb0'**\ grub> **linux /path/to/kernel PARAMETERS MAYBE\_MORE\_PARAMETERS**\ grub> **initrd /path/to/initrd**\ grub> **boot**\ @@ -191,16 +191,16 @@ now be booting your USB drive in the way that you specified. Troubleshooting =============== -Most of these issues occur when using libreboot with coreboot\'s \'text -mode\' instead of the coreboot framebuffer. This mode is useful for +Most of these issues occur when using libreboot with coreboot's 'text +mode' instead of the coreboot framebuffer. This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU+Linux distributions it can be problematic when they are trying to -switch to a framebuffer because it doesn\'t exist. +switch to a framebuffer because it doesn't exist. In most cases, you should use the vesafb ROM images. Example filename: libreboot\_ukdvorak\_vesafb.rom. -parabola won\'t boot in text-mode +parabola won't boot in text-mode --------------------------------- Use one of the ROM images with vesafb in the filename (uses coreboot @@ -209,11 +209,11 @@ framebuffer instead of text-mode). debian-installer graphical corruption in text-mode (Debian and Devuan) ---------------------------------------------------------------------- -When using the ROM images that use coreboot\'s \"text mode\" instead of +When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, booting the Debian or Devuan net installer results in graphical corruption because it is trying to switch to a -framebuffer which doesn\'t exist. Use that kernel parameter on the -\'linux\' line when booting it:\ +framebuffer which doesn't exist. Use that kernel parameter on the +'linux' line when booting it:\ **vga=normal fb=false** This forces debian-installer to start in text-mode, instead of trying to diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md index c654d76a..e5b6a9b0 100644 --- a/docs/gnulinux/grub_cbfs.md +++ b/docs/gnulinux/grub_cbfs.md @@ -10,12 +10,12 @@ inside the flash chip. In context, this means that installing distributions and managing them is handled slightly differently compared to traditional BIOS systems. -A libreboot (or coreboot) ROM image is not simply \"flat\"; there is an +A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual filesystem inside called CBFS (coreboot filesystem). A utility -called \'cbfstool\' allows you to change the contents of the ROM image. -In this case, libreboot is configured such that the \'grub.cfg\' and -\'grubtest.cfg\' files exist directly inside CBFS instead of inside the -GRUB payload \'memdisk\' (which is itself stored in CBFS). +called 'cbfstool' allows you to change the contents of the ROM image. +In this case, libreboot is configured such that the 'grub.cfg' and +'grubtest.cfg' files exist directly inside CBFS instead of inside the +GRUB payload 'memdisk' (which is itself stored in CBFS). You can either modify the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration file on the main storage which @@ -35,7 +35,7 @@ Table of Contents ================= - [Introduction](#introduction) -- [1st option: don\'t re-flash](#option1_dont_reflash) +- [1st option: don't re-flash](#option1_dont_reflash) - [2nd option: re-flash](#option2_reflash) - [Acquire the necessary utilities](#tools) - [Acquiring the correct ROM image](#rom) @@ -61,14 +61,14 @@ in CBFS, but this also means that you have to flash a new libreboot ROM image on your system (some users feel intimidated by this, to say the least). Doing so can be risky if not handled correctly, because it can result in a bricked system (recovery is easy if you have the -[equipment](../install/bbb_setup.html) for it, but most people don\'t). -If you aren\'t up to that then don\'t worry; it is possible to use a +[equipment](../install/bbb_setup.html) for it, but most people don't). +If you aren't up to that then don't worry; it is possible to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration from a partition on the main storage instead. -1st option: don\'t re-flash {#option1_dont_reflash} +1st option: don't re-flash {#option1_dont_reflash} --------------------------- By default, GRUB in libreboot is configured to scan all partitions on @@ -198,7 +198,7 @@ Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:\ \# **./flash forceupdate libreboot.rom**\ -You should see **\"Verifying flash\... VERIFIED.\"** written at the end +You should see **"Verifying flash\... VERIFIED."** written at the end of the flashrom output. Once you have done that, shut down and then boot up with your new test configuration.** @@ -219,14 +219,14 @@ Final steps {#final_steps} When you are satisfied booting from grubtest.cfg, you can create a copy of grubtest.cfg, called grub.cfg. This is the same except for one -difference: the menuentry \'Switch to grub.cfg\' will be changed to -\'Switch to grubtest.cfg\' and inside it, all instances of grub.cfg to +difference: the menuentry 'Switch to grub.cfg' will be changed to +'Switch to grubtest.cfg' and inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) -to grubtest.cfg, so that you don\'t have to manually switch to it, in +to grubtest.cfg, so that you don't have to manually switch to it, in case you ever want to follow this guide again in the future (modifying the already modified config). From /libreboot\_util/cbfstool, do:\ -\$ **sed -e \'s:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g\' -e -\'s:Switch to grub.cfg:Switch to grubtest.cfg:g\' < grubtest.cfg > +\$ **sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e +'s:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg**\ Delete the grub.cfg that remained inside the ROM:\ @@ -237,7 +237,7 @@ Add the modified version that you just made:\ **Now you have a modified ROM. Again, refer back to [../install/\#flashrom](../install/#flashrom) for information on how to -flash it. It\'s the same method as you used before. Shut down and then +flash it. It's the same method as you used before. Shut down and then boot up with your new configuration.** [Back to top of page.](#pagetop) diff --git a/docs/gnulinux/grub_hardening.md b/docs/gnulinux/grub_hardening.md index fc14574b..78cd86a2 100644 --- a/docs/gnulinux/grub_hardening.md +++ b/docs/gnulinux/grub_hardening.md @@ -20,7 +20,7 @@ on the [GPG project website](https://www.gnu.org/software/gnupg/). GRUB has some GPG support built in, for checking signatures. This tutorial assumes you have a libreboot image (rom) that you wish to -modify, to which we shall henceforth refer to as \"my.rom\". This +modify, to which we shall henceforth refer to as "my.rom". This tutorial modifies grubtest.cfg, this means signing and password protection will work after switching to it in the main boot menu and bricking due to incorrect configuration will be impossible. After you @@ -61,8 +61,8 @@ signature checking code currently looks for and as such it is not possible to supply signatures in an alternate location. -Note that this is not your LUKS password, but it\'s a password that you -have to enter in order to use \"restricted\" functionality (such as +Note that this is not your LUKS password, but it's a password that you +have to enter in order to use "restricted" functionality (such as console). This protects your system from an attacker simply booting a live USB and re-flashing your firmware. **This should be different than your LUKS passphrase and user password.** |