Diffstat (limited to 'docs/gnulinux')
-rw-r--r--   docs/gnulinux/configuring_parabola.html   884
-rw-r--r--   docs/gnulinux/configuring_parabola.md     827
-rw-r--r--   docs/gnulinux/encrypted_debian.html       495
-rw-r--r--   docs/gnulinux/encrypted_debian.md         392
-rw-r--r--   docs/gnulinux/encrypted_parabola.html     830
-rw-r--r--   docs/gnulinux/encrypted_parabola.md       834
-rw-r--r--   docs/gnulinux/grub_boot_installer.html    355
-rw-r--r--   docs/gnulinux/grub_boot_installer.md      287
-rw-r--r--   docs/gnulinux/grub_cbfs.html              366
-rw-r--r--   docs/gnulinux/grub_cbfs.md                305
-rw-r--r--   docs/gnulinux/grub_hardening.html         281
-rw-r--r--   docs/gnulinux/grub_hardening.md           234
-rw-r--r--   docs/gnulinux/index.html                   93
-rw-r--r--   docs/gnulinux/index.md                     65
14 files changed, 2944 insertions, 3304 deletions
diff --git a/docs/gnulinux/configuring_parabola.html b/docs/gnulinux/configuring_parabola.html deleted file mode 100644 index ba4d7575..00000000 --- a/docs/gnulinux/configuring_parabola.html +++ /dev/null 
@@ -1,884 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>Configuring Parabola (post-install)</title> -</head> - -<body> - <div class="section"> - <h1 id="pagetop">Configuring Parabola (post-install)</h1> - <p> - Post-installation configuration steps for Parabola GNU+Linux-libre. Parabola is extremely flexible; this is just an example. - This example uses LXDE because it's lightweight, but we recommend the <em>MATE</em> - desktop (which is actually about as lightweight as LXDE). - </p> - <p> - <a href="./">Back to previous index</a> - </p> - </div> - - <div class="section"> - - <h1>Table of Contents</h1> - <ul> - <li> - <a href="#pacman_configure">Configuring pacman</a> - <ul> - <li><a href="#pacman_update">Updating Parabola</a></li> - <li> - <a href="#pacman_maintain">Maintaining Parabola during system updates</a> - <ul> - <li><a href="#pacman_cacheclean">Clearing package cache after updating</a></li> - <li><a href="#pacman_commandequiv">Pacman command equivalents (compared to other package managers)</a></li> - </ul> - </li> - <li><a href="#yourfreedom">your-freedom</a></li> - </ul> - </li> - <li><a href="#useradd">Add a user account</a></li> - <li><a href="#systemd">System D</a></li> - <li><a href="#interesting_repos">Interesting repositories</a></li> - <li> - <a href="#network">Setup a network connection in Parabola</a> - <ul> - <li><a href="#network_hostname">Setting hostname</a></li> - <li><a href="#network_status">Network status</a></li> - <li><a href="#network_devicenames">Network interface names</a></li> - <li><a href="#network_setup">Network setup</a></li> - </ul> - </li> - <li><a href="#system_maintain">System maintenance</a> - important!</li> - <li> - <a href="#desktop">Configuring the desktop</a> - <ul> - <li><a href="#desktop_xorg">Install Xorg</a></li> - <li><a 
href="#desktop_kblayout">Xorg keyboard layout</a></li> - <li><a href="#desktop_lxde">Install LXDE</a></li> - <li><a href="#lxde_clock">LXDE - clock</a></li> - <li><a href="#lxde_font">LXDE - font</a></li> - <li><a href="#lxde_screenlock">LXDE - screenlock</a></li> - <li><a href="#lxde_automount">LXDE - automounting</a></li> - <li><a href="#lxde_suspend">LXDE - disable suspend</a></li> - <li><a href="#lxde_battery">LXDE - battery monitor</a></li> - <li><a href="#lxde_network">LXDE - network manager</a></li> - </ul> - </li> - </ul> - - </div> - - <div class="section"> - - <p> - While not strictly related to the libreboot project, this guide - is intended to be useful for those interested in installing - Parabola on their libreboot system. - </p> - - <p> - It details configuration steps that I took after installing the base system, - as a follow up to <a href="encrypted_parabola.html">encrypted_parabola.html</a>. - This guide is likely to become obsolete at a later date (due to the volatile - 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. - </p> - - <p> - <b> - This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch - with the libreboot project! - </b> - </p> - - </div> - - <div class="section"> - - <p> - You do not necessarily have to follow this guide word-for-word; <i>parabola</i> is extremely flexible. - The aim here is to provide a common setup that most users will be happy with. While Parabola - can seem daunting at first glance (especially for new GNU+Linux users), with a simple guide it can provide - all the same usability as Debian or Devuan, without hiding any details from the user. - </p> - - <p> - Paradoxically, as you get more advanced Parabola can actually become <i>easier to use</i> - when you want to set up your system in a special way compared to what most distributions provide. 
- You will find over time that other distributions tend to <i>get in your way</i>. - </p> - - </div> - - <div class="section"> - - <p> - <b> - This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, - then <a href="encrypted_parabola.html">this guide</a> is highly recommended! - </b> - </p> - - <p> - A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. - Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries - to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. - <b>It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, - especially for new users</b>. - </p> - - <p> - The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), - and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the - Arch wiki. - </p> - - </div> - - <div class="section"> - - <p> - Some of these steps require internet access. I'll go into networking later but for now, I just connected - my system to a switch and did:<br/> - # <b>systemctl start dhcpcd.service</b><br/> - You can stop it later by running:<br/> - # <b>systemctl stop dhcpcd.service</b><br/> - For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:<br/> - <a href="#network">Setup network connection in Parabola</a> - </p> - - </div> - - <div class="section"> - - <h2 id="pacman_configure">Configure pacman</h2> - <p> - pacman (<b>pac</b>kage <b>man</b>ager) is the name of the package management system in Arch, which Parabola - (as a deblobbed parallel effort) also uses. 
Like with 'apt-get' on Debian or Devuan, - this can be used to add/remove and update the software on your computer. - </p> - <p> - Based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman">https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman</a> - and from reading <a href="https://wiki.archlinux.org/index.php/Pacman">https://wiki.archlinux.org/index.php/Pacman</a> (make sure to read and understand this, - it's very important) and - <a href="https://wiki.parabolagnulinux.org/Official_Repositories">https://wiki.parabolagnulinux.org/Official_Repositories</a> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="pacman_update">Updating Parabola</h2> - <p> - In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:<br/> - # <b>pacman -Syy</b><br/> - (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date, - which can be useful when switching to another mirror).<br/> - Then, update the system:<br/> - # <b>pacman -Syu</b> - </p> - <p> - <b> - Before installing packages with 'pacman -S', always update first, using the notes above. - </b> - </p> - <p> - Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages - about maintenance steps that you will need to perform with certain files (typically configurations) - after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues. - If a new kernel is installed, you should also update to be able to use it (the currently running kernel will - also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a - rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. 
This - is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated. - A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website, - and more maintenance work. - </p> - <p> - The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). The <i>Parabola</i> - IRC channel (#parabola on freenode) can also help you. - </p> - <p> - Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time - in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event, - like a presentation or sending an email to an important person before an allocated deadline, and so on. - </p> - <p> - Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories - exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free, - so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in - the rare event that they do occur. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="pacman_maintain">Maintaining Parabola</h2> - <p> - Parabola is a very simple distro, in the sense that you are in full control - and everything is made transparent to you. One consequence is - that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done - with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro - on another computer, for example). 
- </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="pacman_cacheclean">Cleaning the package cache</h3> - <p> - <b> - The following is very important as you continue to use, update and maintain your Parabola system:<br/> - <a href="https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache">https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache</a>. - Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache - of old package information, updated automatically when you do anything in pacman). - </b> - </p> - <p> - To clean out all old packages that are cached:<br/> - # <b>pacman -Sc</b> - </p> - <p> - The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo, - if you encounter issues and want to revert back to an older package then it's useful to have the caches available. - Only do this if you are sure that you won't need it. - </p> - <p> - The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:<br/> - # <b>pacman -Scc</b><br/> - This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used - when disk space is at a premium. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="pacman_commandequiv">pacman command equivalents</h3> - <p> - The following table lists other distro package manager commands, and their equivalent in pacman:<br/> - <a href="https://wiki.archlinux.org/index.php/Pacman_Rosetta">https://wiki.archlinux.org/index.php/Pacman_Rosetta</a> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="yourfreedom">your-freedom</h2> - <p> - your-freedom is a package specific to Parabola, and it is installed by default. 
What it does is conflict with packages - from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola - wiki for migrating - converting - an existing Arch system to a Parabola system), installing - your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution - is then to delete the offending packages, and continue installing <i>your-freedom</i>. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="useradd">Add a user</h2> - <p> - Based on <a href="https://wiki.archlinux.org/index.php/Users_and_Groups">https://wiki.archlinux.org/index.php/Users_and_Groups</a>. - </p> - <p> - It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended - only for critical administrative work, since it has complete access to the entire operating system. - </p> - <p> - Read the entire document linked to above, and then continue. - </p> - <p> - Add your user:<br/> - # <b>useradd -m -G wheel -s /bin/bash <i>yourusername</i></b><br/> - Set a password:<br/> - # <b>passwd <i>yourusername</i></b> - </p> - - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords). - </p> - - <p><a href="#pagetop">Back to top of page</a></p> - - </div> - - <div class="section"> - - <h2 id="systemd">systemd</h2> - <p> - This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. - Read <a href="https://wiki.archlinux.org/index.php/systemd">https://wiki.archlinux.org/index.php/systemd</a> - and <a href="https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage">https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage</a> - to gain a full understanding. <b>This is very important! 
Make sure to read them.</b> - </p> - <p> - An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. - </p> - <p> - <a href="https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530">https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530</a> explains - the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. - </p> - - <p> - The manpage should also help:<br/> - # <b>man systemd</b><br/> - The section on 'unit types' is especially useful. - </p> - - <p> - According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. - on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the - log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki - recommends 50MiB). - </p> - <p> - Open /etc/systemd/journald.conf and find the line that says:<br/> - <i>#SystemMaxUse=</i><br/> - Change it to say:<br/> - <i>SystemMaxUse=50M</i> - </p> - <p> - The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, - and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it. - </p> - <p> - Restart journald:<br/> - # <b>systemctl restart systemd-journald</b> - </p> - - <p> - The wiki recommends that if the journal gets too large, you can also simply delete (rm -Rf) everything inside /var/log/journald/* - but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically - start to delete older records when the journal size reaches it's limit (according to systemd developers). 
- </p> - - <p> - Finally, the wiki mentions 'temporary' files and the utility for managing them.<br/> - # <b>man systemd-tmpfiles</b><br/> - The command for 'clean' is:<br/> - # <b>systemd-tmpfiles --clean</b><br/> - According to the manpage, this <i>"cleans all files and directories with an age parameter"</i>. - According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ - to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations - to get a better understanding. - </p> - <p> - I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. - The first one was etc.conf, containing information and a reference to this manpage:<br/> - # <b>man tmpfiles.d</b><br/> - Read that manpage, and then continue studying all the files. - </p> - <p> - The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all. - </p> - - <p><a href="#pagetop">Back to top of page</a></p> - - </div> - - <div class="section"> - - <h2 id="interesting_repos">Interesting repositories</h2> - <p> - Parabola wiki at <a href="https://wiki.parabolagnulinux.org/Repositories#kernels">https://wiki.parabolagnulinux.org/Repositories#kernels</a> - mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available - there, depending on your use case. - </p> - <p> - I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:<br/> - <i> - [kernels]<br/> - Include = /etc/pacman.d/mirrorlist - </i> - </p> - <p> - Now sync with the repository:<br/> - # <b>pacman -Syy</b> - </p> - <p> - List all available packages in this repository:<br/> - # <b>pacman -Sl kernels</b> - </p> - <p> - In the end, I decided not to install anything from it but I kept the repository enabled regardless. 
- </p> - <p><a href="#pagetop">Back to top of page.</a></p> - - </div> - - <div class="section"> - - <h2 id="network">Setup a network connection in Parabola</h2> - <p> - Read <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="network_hostname">Set the hostname</h3> - <p> - This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):<br/> - # <b>hostnamectl set-hostname <i>yourhostname</i></b><br/> - This writes the specified hostname to /etc/hostname. More information can be found in these manpages:<br/> - # <b>man hostname</b><br/> - # <b>info hostname</b><br/> - # <b>man hostnamectl</b> - </p> - <p> - Add the same hostname to /etc/hosts, on each line. Example:<br/> - <i> - 127.0.0.1 localhost.localdomain localhost <u>myhostname</u><br/> - ::1 localhost.localdomain localhost <u>myhostname</u> - </i> - </p> - <p> - You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does) - so it's good to be forward-thinking here. - </p> - <p> - The <i>hostname</i> utility is part of the <i>inetutils</i> package and is in core/, installed by default (as part of <i>base</i>). - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="network_status">Network Status</h3> - <p> - According to the Arch wiki, <a href="https://wiki.archlinux.org/index.php/Udev">udev</a> should already detect the ethernet chipset - and load the driver for it automatically at boot time. You can check this in the <i>"Ethernet controller"</i> section - when running this command:<br/> - # <b>lspci -v</b> - </p> - <p> - Look at the remaining sections <i>'Kernel driver in use'</i> and <i>'Kernel modules'</i>. 
In my case it was as follows:<br/> - <i> - Kernel driver in use: e1000e<br/> - Kernel modules: e1000e - </i> - </p> - <p> - Check that the driver was loaded by issuing <i>dmesg | grep module_name</i>. In my case, I did:<br/> - # <b>dmesg | grep e1000e</b> - </p> - <h3 id="network_devicenames">Network device names</h3> - <p> - According to <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Device_names">https://wiki.archlinux.org/index.php/Configuring_Network#Device_names</a>, - it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, <i>systemd</i> - creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. - An example device name for your ethernet chipset would be <i>enp0s25</i>, where it is never supposed to change. - </p> - <p> - If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends - adding <i>net.ifnames=0</i> to your kernel parameters (in libreboot context, this would be accomplished by following the - instructions in <a href="grub_cbfs.html">grub_cbfs.html</a>). - </p> - <p> - For background information, - read <a href="http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/">Predictable Network Interface Names</a> - </p> - <p> - Show device names:<br/> - # <b>ls /sys/class/net</b> - </p> - <p> - Changing the device names is possible (I chose not to do it):<br/> - <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name">https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name</a> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="network_setup">Network setup</h3> - <p> - I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical - network-manager client. 
Here is a list of network managers:<br/> - <a href="https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers">https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers</a>. - If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd. - NetworkManager will be setup later, after installing LXDE. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="system_maintain">System Maintenance</h2> - <p> - Read <a href="https://wiki.archlinux.org/index.php/System_maintenance">https://wiki.archlinux.org/index.php/System_maintenance</a> before continuing. - Also read <a href="https://wiki.archlinux.org/index.php/Enhance_system_stability">https://wiki.archlinux.org/index.php/Enhance_system_stability</a>. - <b>This is important, so make sure to read them!</b> - </p> - <p> - Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you - but the smart data comes from it. Therefore, don't rely on it too much):<br/> - # <b>pacman -S smartmontools</b><br/> - Read <a href="https://wiki.archlinux.org/index.php/S.M.A.R.T.">https://wiki.archlinux.org/index.php/S.M.A.R.T.</a> to learn how to use it. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="desktop">Configuring the desktop</h2> - <p> - Based on steps from - <a href="https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface">General Recommendations</a> on the Arch wiki. - The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE - by default. 
- </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <div class="subsection"> - <h3 id="desktop_xorg">Installing Xorg</h3> - <p> - Based on <a href="https://wiki.archlinux.org/index.php/Xorg">https://wiki.archlinux.org/index.php/Xorg</a>. - </p> - <p> - Firstly, install it!<br/> - # <b>pacman -S xorg-server</b><br/> - I also recommend installing this (contains lots of useful tools, including <i>xrandr</i>):<br/> - # <b>pacman -S xorg-server-utils</b> - </p> - <p> - Install the driver. For me this was <i>xf86-video-intel</i> on the ThinkPad X60. T60 and macbook11/21 should be the same.<br/> - # <b>pacman -S xf86-video-intel</b><br/> - For other systems you can try:<br/> - # <b>pacman -Ss xf86-video- | less</b><br/> - Combined with looking at your <i>lspci</i> output, you can determine which driver is needed. - By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. - </p> - <p> - Other drivers (not just video) can be found by looking at the <i>xorg-drivers</i> group:<br/> - # <b>pacman -Sg xorg-drivers</b><br/> - </p> - <p> - Mostly you will rely on a display manager, but in case you ever want to start X without one:<br/> - # <b>pacman -S xorg-xinit</b> - </p> - <p> - <optional><br/> - Arch wiki recommends installing these, for testing that X works:<br/> - # <b>pacman -S xorg-twm xorg-xclock xterm</b><br/> - Refer to <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>. - and test X:<br/> - # <b>startx</b><br/> - When you are satisfied, type <b><i>exit</i></b> in xterm, inside the X session.<br/> - Uninstall them (clutter. 
eww): # <b>pacman -S xorg-xinit xorg-twm xorg-xclock xterm</b><br/> - </optional> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="desktop_kblayout">Xorg keyboard layout</h3> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg</a>. - </p> - <p> - Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you - set in /etc/vconsole.conf earlier might not actually be the same in X. - </p> - <p> - To see what layout you currently use, try this on a terminal emulator in X:<br/> - # <b>setxkbmap -print -verbose 10</b> - </p> - <p> - In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. - </p> - <p> - I'll just say it now: <i>XkbModel</i> can be <i>pc105</i> in this case (ThinkPad X60, with a 105-key UK keyboard). - If you use an American keyboard (typically 104 keys) you will want to use <i>pc104</i>. - </p> - <p> - <i>XkbLayout</i> in my case would be <i>gb</i>, and <i>XkbVariant</i> would be <i>dvorak</i>. - </p> - <p> - The Arch wiki recommends two different methods for setting the keyboard layout:<br/> - <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files</a> and<br/> - <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl</a>. 
- </p> - <p> - In my case, I chose to use the <i>configuration file</i> method:<br/> - Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:<br/> - <i> - Section "InputClass"<br/> - Identifier "system-keyboard"<br/> - MatchIsKeyboard "on"<br/> - Option "XkbLayout" "gb"<br/> - Option "XkbModel" "pc105"<br/> - Option "XkbVariant" "dvorak"<br/> - EndSection - </i> - </p> - <p> - For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then - you don't even need to do anything (though it might help, for the sake of being explicit). - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="desktop_lxde">Install LXDE</h3> - <p> - Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight - and does everything that I need. - If you would like to try something different, refer to - <a href="https://wiki.archlinux.org/index.php/Desktop_environment">https://wiki.archlinux.org/index.php/Desktop_environment</a> - </p> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/LXDE">https://wiki.archlinux.org/index.php/LXDE</a>. - </p> - <p> - Install it, choosing 'all' when asked for the default package list:<br/> - # <b>pacman -S lxde obconf</b> - </p> - <p> - I didn't want the following, so I removed them:<br/> - # <b>pacman -R lxmusic lxtask</b> - </p> - <p> - I also lazily installed all fonts:<br/> - # <b>pacman -S $(pacman -Ssq ttf-)</b> - </p> - <p> - And a mail client:<br/> - # <b>pacman -S icedove</b> - </p> - <p> - In IceCat, go to <i>Preferences :: Advanced</i> and disable <i>GNU IceCat Health Report</i>. - </p> - <p> - I also like to install these:<br/> - # <b>pacman -S xsensors stress htop</b> - </p> - <p> - Enable LXDM (the default display manager, providing a graphical login):<br/> - # <b>systemctl enable lxdm.service</b><br/> - It will start when you boot up the system. 
To start it now, do:<br/> - # <b>systemctl start lxdm.service</b> - </p> - <p> - Log in with your standard (non-root) user that you created earlier. - It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. - Read <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>. - </p> - <p> - Open LXterminal:<br/> - $ <b>cp /etc/skel/.xinitrc ~</b><br/> - Open .xinitrc and add the following plus a line break at the bottom of the file.<br/> - <i> - # Probably not needed. The same locale info that we set before<br/> - # Based on advice from the LXDE wiki - export LC_ALL=en_GB.UTF-8<br/> - export LANGUAGE=en_GB.UTF-8<br/> - export LANG=en_GB.UTF-8<br/> - <br/> - # Start lxde desktop<br/> - exec startlxde<br/> - </i> - Now make sure that it is executable:<br/> - $ <b>chmod +x .xinitrc</b> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_clock">LXDE - clock</h3> - <p> - In <b>Digital Clock Settings</b> (right click the clock) I set the Clock Format to <i>%Y/%m/%d %H:%M:%S</i> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_font">LXDE - font</h3> - <p> - NOTE TO SELF: come back to this later. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_screenlock">LXDE - screenlock</h3> - <p> - Arch wiki recommends to use <i>xscreensaver</i>:<br/> - # <b>pacman -S xscreensaver</b> - </p> - <p> - Under <i>Preferences :: Screensaver</i> in the LXDE menu, I chose <i>Mode: Blank Screen Only</i>, - setting <i>Blank After</i>, <i>Cycle After</i> and <i>Lock Screen After</i> (checked) to 10 minutes. - </p> - <p> - You can now lock the screen with <i>Logout :: Lock Screen</i> in the LXDE menu. 
- </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_automount">LXDE - automounting</h3> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/File_manager_functionality">https://wiki.archlinux.org/index.php/File_manager_functionality</a>. - </p> - <p> - I chose to ignore this for now. NOTE TO SELF: come back to this later. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_suspend">LXDE - disable suspend</h3> - <p> - When closing the laptop lid, the system suspends. This is annoying at least to me. - NOTE TO SELF: disable it, then document the steps here. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_battery">LXDE - battery monitor</h3> - <p> - Right click lxde panel and <i>Add/Remove Panel Items</i>. Click <i>Add</i> and select <i>Battery Monitor</i>, then click <i>Add</i>. - Close and then right-click the applet and go to <i>Battery Monitor Settings</i>, check the box that says <i>Show Extended Information</i>. - Now click <i>Close</i>. When you hover the cursor over it, it'll show information about the battery. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - <div class="subsection"> - <h3 id="lxde_network">LXDE - Network Manager</h3> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/LXDE#Network_Management">https://wiki.archlinux.org/index.php/LXDE#Network_Management</a>. - Then I read: <a href="https://wiki.archlinux.org/index.php/NetworkManager">https://wiki.archlinux.org/index.php/NetworkManager</a>. 
- </p> - <p> - Install Network Manager:<br/> - # <b>pacman -S networkmanager</b> - </p> - <p> - You will also want the graphical applet:<br/> - # <b>pacman -S network-manager-applet</b><br/> - Arch wiki says that an autostart rule will be written at <i>/etc/xdg/autostart/nm-applet.desktop</i> - </p> - <p> - I want to be able to use a VPN at some point, so the wiki tells me to do:<br/> - # <b>pacman -S networkmanager-openvpn</b> - </p> - <p> - LXDE uses openbox, so I refer to:<br/> - <a href="https://wiki.archlinux.org/index.php/NetworkManager#Openbox">https://wiki.archlinux.org/index.php/NetworkManager#Openbox</a>. - </p> - <p> - It tells me for the applet I need:<br/> - # <b>pacman -S xfce4-notifyd gnome-icon-theme</b><br/> - Also, for storing authentication details (wifi) I need:<br/> - # <b>pacman -S gnome-keyring</b> - </p> - <p> - I wanted to quickly enable networkmanager:<br/> - # <b>systemctl stop dhcpcd</b><br/> - # <b>systemctl start NetworkManager</b><br/> - Enable NetworkManager at boot time:<br/> - # <b>systemctl enable NetworkManager</b> - </p> - <p> - Restart LXDE (log out, and then log back in). - </p> - <p> - I added the volume control applet to the panel (right click panel, and add a new applet). - I also later changed the icons to use the gnome icon theme, in <i>lxappearance</i>. 
- </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - </div> - - </div> - - <div class="section"> - - <p> - Copyright © 2014, 2015 Leah Rowe <info@minifree.org><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. - </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 
- </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - - </div> - -</body> -</html> diff --git a/docs/gnulinux/configuring_parabola.md b/docs/gnulinux/configuring_parabola.md new file mode 100644 index 00000000..24278ba6 --- /dev/null +++ b/docs/gnulinux/configuring_parabola.md 
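Review bot: the defects in the HTML being deleted here should be fixed in the replacement Markdown rather than carried across verbatim. The `.xinitrc` block in the Install LXDE section has no `<br/>` after `# Based on advice from the LXDE wiki`, so the following `export LC_ALL=en_GB.UTF-8` was rendered on the comment line and a reader copying it would never set LC_ALL. The font, automounting and disable-suspend subsections contain only "NOTE TO SELF" placeholder text and could be dropped or completed as part of this rewrite. One thing the conversion does improve: the footer's `<info@minifree.org>` was an unescaped angle-bracket string in the HTML source (treated as an unknown tag and never displayed), whereas in Markdown it becomes an autolink.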
@@ -0,0 +1,827 @@ +<div class="section"> + +Configuring Parabola (post-install) {#pagetop} +=================================== + +Post-installation configuration steps for Parabola GNU+Linux-libre. +Parabola is extremely flexible; this is just an example. This example +uses LXDE because it\'s lightweight, but we recommend the *MATE* desktop +(which is actually about as lightweight as LXDE). + +[Back to previous index](./) + +</div> + +<div class="section"> + +Table of Contents +================= + +- [Configuring pacman](#pacman_configure) + - [Updating Parabola](#pacman_update) + - [Maintaining Parabola during system updates](#pacman_maintain) + - [Clearing package cache after updating](#pacman_cacheclean) + - [Pacman command equivalents (compared to other package + managers)](#pacman_commandequiv) + - [your-freedom](#yourfreedom) +- [Add a user account](#useradd) +- [System D](#systemd) +- [Interesting repositories](#interesting_repos) +- [Setup a network connection in Parabola](#network) + - [Setting hostname](#network_hostname) + - [Network status](#network_status) + - [Network interface names](#network_devicenames) + - [Network setup](#network_setup) +- [System maintenance](#system_maintain) - important! +- [Configuring the desktop](#desktop) + - [Install Xorg](#desktop_xorg) + - [Xorg keyboard layout](#desktop_kblayout) + - [Install LXDE](#desktop_lxde) + - [LXDE - clock](#lxde_clock) + - [LXDE - font](#lxde_font) + - [LXDE - screenlock](#lxde_screenlock) + - [LXDE - automounting](#lxde_automount) + - [LXDE - disable suspend](#lxde_suspend) + - [LXDE - battery monitor](#lxde_battery) + - [LXDE - network manager](#lxde_network) + +</div> + +<div class="section"> + +While not strictly related to the libreboot project, this guide is +intended to be useful for those interested in installing Parabola on +their libreboot system. 
+ +It details configuration steps that I took after installing the base +system, as a follow up to +[encrypted\_parabola.html](encrypted_parabola.html). This guide is +likely to become obsolete at a later date (due to the volatile +\'rolling-release\' model that Arch/Parabola both use), but attempts +will be made to maintain it. + +**This guide was valid on 2014-09-21. If you see any changes that should +to be made at the present date, please get in touch with the libreboot +project!** + +</div> + +<div class="section"> + +You do not necessarily have to follow this guide word-for-word; +*parabola* is extremely flexible. The aim here is to provide a common +setup that most users will be happy with. While Parabola can seem +daunting at first glance (especially for new GNU+Linux users), with a +simple guide it can provide all the same usability as Debian or Devuan, +without hiding any details from the user. + +Paradoxically, as you get more advanced Parabola can actually become +*easier to use* when you want to set up your system in a special way +compared to what most distributions provide. You will find over time +that other distributions tend to *get in your way*. + +</div> + +<div class="section"> + +**This guide assumes that you already have Parabola installed. If you +have not yet installed Parabola, then [this +guide](encrypted_parabola.html) is highly recommended!** + +A lot of the steps in this guide will refer to the Arch wiki. Arch is +the upstream distribution that Parabola uses. Most of this guide will +also tell you to read wiki articles, other pages, manuals, and so on. In +general it tries to cherry pick the most useful information but +nonetheless you are encouraged to learn as much as possible. **It might +take you a few days to fully install your system how you like, depending +on how much you need to read. Patience is key, especially for new +users**. 
+ +The Arch wiki will sometimes use bad language, such as calling the whole +system Linux, using the term open-source (or closed-source), and it will +sometimes recommend the use of proprietary software. You need to be +careful about this when reading anything on the Arch wiki. + +</div> + +<div class="section"> + +Some of these steps require internet access. I\'ll go into networking +later but for now, I just connected my system to a switch and did:\ +\# **systemctl start dhcpcd.service**\ +You can stop it later by running:\ +\# **systemctl stop dhcpcd.service**\ +For most people this should be enough, but if you don\'t have DHCP on +your network then you should setup your network connection first:\ +[Setup network connection in Parabola](#network) + +</div> + +<div class="section"> + +Configure pacman {#pacman_configure} +---------------- + +pacman (**pac**kage **man**ager) is the name of the package management +system in Arch, which Parabola (as a deblobbed parallel effort) also +uses. Like with \'apt-get\' on Debian or Devuan, this can be used to +add/remove and update the software on your computer. + +Based on +<https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman> +and from reading <https://wiki.archlinux.org/index.php/Pacman> (make +sure to read and understand this, it\'s very important) and +<https://wiki.parabolagnulinux.org/Official_Repositories> + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Updating Parabola {#pacman_update} +----------------- + +In the end, I didn\'t change my configuration for pacman. 
When you are +updating, resync with the latest package names/versions:\ +\# **pacman -Syy**\ +(according to the wiki, -Syy is better than Sy because it refreshes the +package list even if it appears to be up to date, which can be useful +when switching to another mirror).\ +Then, update the system:\ +\# **pacman -Syu** + +**Before installing packages with \'pacman -S\', always update first, +using the notes above.** + +Keep an eye out on the output, or read it in /var/log/pacman.log. +Sometimes, pacman will show messages about maintenance steps that you +will need to perform with certain files (typically configurations) after +the update. Also, you should check both the Parabola and Arch home pages +to see if they mention any issues. If a new kernel is installed, you +should also update to be able to use it (the currently running kernel +will also be fine). It\'s generally good enough to update Parabola once +every week, or maybe twice. As a rolling release distribution, it\'s a +good idea never to leave your install too outdated; update regularly. +This is simply because of the way the project works; old packages are +deleted from the repositories quickly, once they are updated. A system +that hasn\'t been updated for quite a while will mean potentially more +reading of previous posts through the website, and more maintenance +work. + +The Arch forum can also be useful, if others have the same issue as you +(if you encounter issues, that is). The *Parabola* IRC channel +(\#parabola on freenode) can also help you. + +Due to this and the volatile nature of Parabola/Arch, you should only +update when you have at least a couple hours of spare time in case of +issues that need to be resolved. You should never update, for example, +if you need your system for an important event, like a presentation or +sending an email to an important person before an allocated deadline, +and so on. 
+ +Relax - packages are well-tested regularly when new updates are made to +the repositories. Separate \'testing\' repositories exist for this exact +reason. Despite what many people will tell you, Parabola is fairly +stable and trouble-free, so long as you are aware of how to check for +issues, and are willing to spend some time fixing issues in the rare +event that they do occur. + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Maintaining Parabola {#pacman_maintain} +-------------------- + +Parabola is a very simple distro, in the sense that you are in full +control and everything is made transparent to you. One consequence is +that you also need to know what you are doing, and what you have done +before. In general, keeping notes (such as what I have done with this +page) can be very useful as a reference in the future (if you wanted to +re-install it or install the distro on another computer, for example). + +[Back to top of page.](#pagetop) + +### Cleaning the package cache {#pacman_cacheclean} + +**The following is very important as you continue to use, update and +maintain your Parabola system:\ +<https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache>. +Essentially, this guide talks about a directory that has to be cleaned +once in a while, to prevent it from growing too big (it\'s a cache of +old package information, updated automatically when you do anything in +pacman).** + +To clean out all old packages that are cached:\ +\# **pacman -Sc** + +The wiki cautions that this should be used with care. For example, since +older packages are deleted from the repo, if you encounter issues and +want to revert back to an older package then it\'s useful to have the +caches available. Only do this if you are sure that you won\'t need it. 
+ +The wiki also mentions this method for removing everything from the +cache, including currently installed packages that are cached:\ +\# **pacman -Scc**\ +This is inadvisable, since it means re-downloading the package again if +you wanted to quickly re-install it. This should only be used when disk +space is at a premium. + +[Back to top of page.](#pagetop) + +### pacman command equivalents {#pacman_commandequiv} + +The following table lists other distro package manager commands, and +their equivalent in pacman:\ +<https://wiki.archlinux.org/index.php/Pacman_Rosetta> + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +your-freedom {#yourfreedom} +------------ + +your-freedom is a package specific to Parabola, and it is installed by +default. What it does is conflict with packages from Arch that are known +to be non-free (proprietary) software. When migrating from Arch (there +is a guide on the Parabola wiki for migrating - converting - an existing +Arch system to a Parabola system), installing your-freedom will also +fail if these packages are installed, citing them as conflicts; the +recommended solution is then to delete the offending packages, and +continue installing *your-freedom*. + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Add a user {#useradd} +---------- + +Based on <https://wiki.archlinux.org/index.php/Users_and_Groups>. + +It is important (for security reasons) to create and use a non-root +(non-admin) user account for everyday use. The default \'root\' account +is intended only for critical administrative work, since it has complete +access to the entire operating system. + +Read the entire document linked to above, and then continue. + +Add your user:\ +\# **useradd -m -G wheel -s /bin/bash *yourusername***\ +Set a password:\ +\# **passwd *yourusername*** + +Use of the *diceware method* is recommended, for generating secure +passphrases (instead of passwords). 
+ +[Back to top of page](#pagetop) + +</div> + +<div class="section"> + +systemd +------- + +This is the name of the system used for managing services in Parabola. +It is a good idea to become familiar with it. Read +<https://wiki.archlinux.org/index.php/systemd> and +<https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage> to +gain a full understanding. **This is very important! Make sure to read +them.** + +An example of a \'service\' could be a webserver (such as lighttpd), or +sshd (openssh), dhcp, etc. There are countless others. + +<https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530> explains +the background behind the decision by Arch (Parabola\'s upstream +supplier) to use systemd. + +The manpage should also help:\ +\# **man systemd**\ +The section on \'unit types\' is especially useful. + +According to the wiki, systemd \'journal\' keeps logs of a size up to +10% of the total size your / partition takes up. on a 60GB root this +would mean 6GB. That\'s not exactly practical, and can have performance +implications later when the log gets too big. Based on instructions from +the wiki, I will reduce the total size of the journal to 50MiB (the wiki +recommends 50MiB). + +Open /etc/systemd/journald.conf and find the line that says:\ +*\#SystemMaxUse=*\ +Change it to say:\ +*SystemMaxUse=50M* + +The wiki also recommended a method for forwarding journal output to TTY +12 (accessible by pressing ctrl+alt+f12, and you use ctrl+alt+\[F1-F12\] +to switch between terminals). I decided not to enable it. + +Restart journald:\ +\# **systemctl restart systemd-journald** + +The wiki recommends that if the journal gets too large, you can also +simply delete (rm -Rf) everything inside /var/log/journald/\* but +recommends backing it up. This shouldn\'t be necessary, since you +already set the size limit above and systemd will automatically start to +delete older records when the journal size reaches it\'s limit +(according to systemd developers). 
+ +Finally, the wiki mentions \'temporary\' files and the utility for +managing them.\ +\# **man systemd-tmpfiles**\ +The command for \'clean\' is:\ +\# **systemd-tmpfiles \--clean**\ +According to the manpage, this *\"cleans all files and directories with +an age parameter\"*. According to the Arch wiki, this reads information +in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ to know what actions to +perform. Therefore, it is a good idea to read what\'s stored in these +locations to get a better understanding. + +I looked in /etc/tmpfiles.d/ and found that it was empty on my system. +However, /usr/lib/tmpfiles.d/ contained some files. The first one was +etc.conf, containing information and a reference to this manpage:\ +\# **man tmpfiles.d**\ +Read that manpage, and then continue studying all the files. + +The systemd developers tell me that it isn\'t usually necessary to touch +the systemd-tmpfiles utility manually at all. + +[Back to top of page](#pagetop) + +</div> + +<div class="section"> + +Interesting repositories {#interesting_repos} +------------------------ + +Parabola wiki at +<https://wiki.parabolagnulinux.org/Repositories#kernels> mentions about +a repository called \[kernels\] for custom kernels that aren\'t in the +default base. It might be worth looking into what is available there, +depending on your use case. + +I enabled it on my system, to see what was in it. Edit /etc/pacman.conf +and below the \'extra\' section add:\ +*\[kernels\]\ +Include = /etc/pacman.d/mirrorlist* + +Now sync with the repository:\ +\# **pacman -Syy** + +List all available packages in this repository:\ +\# **pacman -Sl kernels** + +In the end, I decided not to install anything from it but I kept the +repository enabled regardless. + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Setup a network connection in Parabola {#network} +-------------------------------------- + +Read <https://wiki.archlinux.org/index.php/Configuring_Network>. 
+ +[Back to top of page.](#pagetop) + +### Set the hostname {#network_hostname} + +This should be the same as the hostname that you set in /etc/hostname +when installing Parabola. You can also do it with systemd (do so now, if +you like):\ +\# **hostnamectl set-hostname *yourhostname***\ +This writes the specified hostname to /etc/hostname. More information +can be found in these manpages:\ +\# **man hostname**\ +\# **info hostname**\ +\# **man hostnamectl** + +Add the same hostname to /etc/hosts, on each line. Example:\ +*127.0.0.1 localhost.localdomain localhost myhostname\ +::1 localhost.localdomain localhost myhostname* + +You\'ll note that I set both lines; the 2nd line is for IPv6. More and +more ISPs are providing this now (mine does) so it\'s good to be +forward-thinking here. + +The *hostname* utility is part of the *inetutils* package and is in +core/, installed by default (as part of *base*). + +[Back to top of page.](#pagetop) + +### Network Status {#network_status} + +According to the Arch wiki, +[udev](https://wiki.archlinux.org/index.php/Udev) should already detect +the ethernet chipset and load the driver for it automatically at boot +time. You can check this in the *\"Ethernet controller\"* section when +running this command:\ +\# **lspci -v** + +Look at the remaining sections *\'Kernel driver in use\'* and *\'Kernel +modules\'*. In my case it was as follows:\ +*Kernel driver in use: e1000e\ +Kernel modules: e1000e* + +Check that the driver was loaded by issuing *dmesg | grep module\_name*. +In my case, I did:\ +\# **dmesg | grep e1000e** + +### Network device names {#network_devicenames} + +According to +<https://wiki.archlinux.org/index.php/Configuring_Network#Device_names>, +it is important to note that the old interface names like eth0, wlan0, +wwan0 and so on no longer apply. Instead, *systemd* creates device names +starting with en (for enternet), wl (for wifi) and ww (for wwan) with a +fixed identifier that systemd automatically generates. 
An example device +name for your ethernet chipset would be *enp0s25*, where it is never +supposed to change. + +If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch +wiki recommends adding *net.ifnames=0* to your kernel parameters (in +libreboot context, this would be accomplished by following the +instructions in [grub\_cbfs.html](grub_cbfs.html)). + +For background information, read [Predictable Network Interface +Names](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/) + +Show device names:\ +\# **ls /sys/class/net** + +Changing the device names is possible (I chose not to do it):\ +<https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name> + +[Back to top of page.](#pagetop) + +### Network setup {#network_setup} + +I actually chose to ignore most of Networking section on the wiki. +Instead, I plan to set up LXDE desktop with the graphical +network-manager client. Here is a list of network managers:\ +<https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers>. +If you need to, set a static IP address (temporarily) using the +networking guide and the Arch wiki, or start the dhcpcd service in +systemd. NetworkManager will be setup later, after installing LXDE. + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +System Maintenance {#system_maintain} +------------------ + +Read <https://wiki.archlinux.org/index.php/System_maintenance> before +continuing. Also read +<https://wiki.archlinux.org/index.php/Enhance_system_stability>. **This +is important, so make sure to read them!** + +Install smartmontools (it can be used to check smart data. HDDs use +non-free firmware inside, but it\'s transparent to you but the smart +data comes from it. Therefore, don\'t rely on it too much):\ +\# **pacman -S smartmontools**\ +Read <https://wiki.archlinux.org/index.php/S.M.A.R.T.> to learn how to +use it. 
+ +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Configuring the desktop {#desktop} +----------------------- + +Based on steps from [General +Recommendations](https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface) +on the Arch wiki. The plan is to use LXDE and LXDM/LightDM, along with +everything else that you would expect on other distributions that +provide LXDE by default. + +[Back to top of page.](#pagetop) + +<div class="subsection"> + +### Installing Xorg {#desktop_xorg} + +Based on <https://wiki.archlinux.org/index.php/Xorg>. + +Firstly, install it!\ +\# **pacman -S xorg-server**\ +I also recommend installing this (contains lots of useful tools, +including *xrandr*):\ +\# **pacman -S xorg-server-utils** + +Install the driver. For me this was *xf86-video-intel* on the ThinkPad +X60. T60 and macbook11/21 should be the same.\ +\# **pacman -S xf86-video-intel**\ +For other systems you can try:\ +\# **pacman -Ss xf86-video- | less**\ +Combined with looking at your *lspci* output, you can determine which +driver is needed. By default, Xorg will revert to xf86-video-vesa which +is a generic driver and doesn\'t provide true hardware acceleration. + +Other drivers (not just video) can be found by looking at the +*xorg-drivers* group:\ +\# **pacman -Sg xorg-drivers**\ + +Mostly you will rely on a display manager, but in case you ever want to +start X without one:\ +\# **pacman -S xorg-xinit** + +<optional>\ + Arch wiki recommends installing these, for testing that X works:\ + \# **pacman -S xorg-twm xorg-xclock xterm**\ + Refer to <https://wiki.archlinux.org/index.php/Xinitrc>. and test X:\ + \# **startx**\ + When you are satisfied, type ***exit*** in xterm, inside the X +session.\ + Uninstall them (clutter. 
eww): \# **pacman -S xorg-xinit xorg-twm +xorg-xclock xterm**\ +</optional> + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### Xorg keyboard layout {#desktop_kblayout} + +Refer to +<https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg>. + +Xorg uses a different configuration method for keyboard layouts, so you +will notice that the layout you set in /etc/vconsole.conf earlier might +not actually be the same in X. + +To see what layout you currently use, try this on a terminal emulator in +X:\ +\# **setxkbmap -print -verbose 10** + +In my case, I wanted to use the Dvorak (UK) keyboard which is quite +different from Xorg\'s default Qwerty (US) layout. + +I\'ll just say it now: *XkbModel* can be *pc105* in this case (ThinkPad +X60, with a 105-key UK keyboard). If you use an American keyboard +(typically 104 keys) you will want to use *pc104*. + +*XkbLayout* in my case would be *gb*, and *XkbVariant* would be +*dvorak*. + +The Arch wiki recommends two different methods for setting the keyboard +layout:\ +<https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files> +and\ +<https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl>. + +In my case, I chose to use the *configuration file* method:\ +Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this +inside:\ +*Section \"InputClass\"\ + Identifier \"system-keyboard\"\ + MatchIsKeyboard \"on\"\ + Option \"XkbLayout\" \"gb\"\ + Option \"XkbModel\" \"pc105\"\ + Option \"XkbVariant\" \"dvorak\"\ +EndSection* + +For you, the steps above may differ if you have a different layout. If +you use a US Qwerty keyboard, then you don\'t even need to do anything +(though it might help, for the sake of being explicit). + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### Install LXDE {#desktop_lxde} + +Desktop choice isn\'t that important to me, so for simplicity I decided +to use LXDE. 
It\'s lightweight and does everything that I need. If you +would like to try something different, refer to +<https://wiki.archlinux.org/index.php/Desktop_environment> + +Refer to <https://wiki.archlinux.org/index.php/LXDE>. + +Install it, choosing \'all\' when asked for the default package list:\ +\# **pacman -S lxde obconf** + +I didn\'t want the following, so I removed them:\ +\# **pacman -R lxmusic lxtask** + +I also lazily installed all fonts:\ +\# **pacman -S \$(pacman -Ssq ttf-)** + +And a mail client:\ +\# **pacman -S icedove** + +In IceCat, go to *Preferences :: Advanced* and disable *GNU IceCat +Health Report*. + +I also like to install these:\ +\# **pacman -S xsensors stress htop** + +Enable LXDM (the default display manager, providing a graphical login):\ +\# **systemctl enable lxdm.service**\ +It will start when you boot up the system. To start it now, do:\ +\# **systemctl start lxdm.service** + +Log in with your standard (non-root) user that you created earlier. It +is advisable to also create an xinitrc rule in case you ever want to +start lxde without lxdm. Read +<https://wiki.archlinux.org/index.php/Xinitrc>. + +Open LXterminal:\ +\$ **cp /etc/skel/.xinitrc \~**\ +Open .xinitrc and add the following plus a line break at the bottom of +the file.\ +*\# Probably not needed. The same locale info that we set before\ +\# Based on advice from the LXDE wiki export LC\_ALL=en\_GB.UTF-8\ +export LANGUAGE=en\_GB.UTF-8\ +export LANG=en\_GB.UTF-8\ +\ +\# Start lxde desktop\ +exec startlxde\ +* Now make sure that it is executable:\ +\$ **chmod +x .xinitrc** + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - clock {#lxde_clock} + +In **Digital Clock Settings** (right click the clock) I set the Clock +Format to *%Y/%m/%d %H:%M:%S* + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - font {#lxde_font} + +NOTE TO SELF: come back to this later. 
+ +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - screenlock {#lxde_screenlock} + +Arch wiki recommends to use *xscreensaver*:\ +\# **pacman -S xscreensaver** + +Under *Preferences :: Screensaver* in the LXDE menu, I chose *Mode: +Blank Screen Only*, setting *Blank After*, *Cycle After* and *Lock +Screen After* (checked) to 10 minutes. + +You can now lock the screen with *Logout :: Lock Screen* in the LXDE +menu. + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - automounting {#lxde_automount} + +Refer to +<https://wiki.archlinux.org/index.php/File_manager_functionality>. + +I chose to ignore this for now. NOTE TO SELF: come back to this later. + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - disable suspend {#lxde_suspend} + +When closing the laptop lid, the system suspends. This is annoying at +least to me. NOTE TO SELF: disable it, then document the steps here. + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - battery monitor {#lxde_battery} + +Right click lxde panel and *Add/Remove Panel Items*. Click *Add* and +select *Battery Monitor*, then click *Add*. Close and then right-click +the applet and go to *Battery Monitor Settings*, check the box that says +*Show Extended Information*. Now click *Close*. When you hover the +cursor over it, it\'ll show information about the battery. + +[Back to top of page.](#pagetop) + +</div> + +<div class="subsection"> + +### LXDE - Network Manager {#lxde_network} + +Refer to <https://wiki.archlinux.org/index.php/LXDE#Network_Management>. +Then I read: <https://wiki.archlinux.org/index.php/NetworkManager>. 
+ +Install Network Manager:\ +\# **pacman -S networkmanager** + +You will also want the graphical applet:\ +\# **pacman -S network-manager-applet**\ +Arch wiki says that an autostart rule will be written at +*/etc/xdg/autostart/nm-applet.desktop* + +I want to be able to use a VPN at some point, so the wiki tells me to +do:\ +\# **pacman -S networkmanager-openvpn** + +LXDE uses openbox, so I refer to:\ +<https://wiki.archlinux.org/index.php/NetworkManager#Openbox>. + +It tells me for the applet I need:\ +\# **pacman -S xfce4-notifyd gnome-icon-theme**\ +Also, for storing authentication details (wifi) I need:\ +\# **pacman -S gnome-keyring** + +I wanted to quickly enable networkmanager:\ +\# **systemctl stop dhcpcd**\ +\# **systemctl start NetworkManager**\ +Enable NetworkManager at boot time:\ +\# **systemctl enable NetworkManager** + +Restart LXDE (log out, and then log back in). + +I added the volume control applet to the panel (right click panel, and +add a new applet). I also later changed the icons to use the gnome icon +theme, in *lxappearance*. + +[Back to top of page.](#pagetop) + +</div> + +</div> + +<div class="section"> + +Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. 
THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. + +</div> diff --git a/docs/gnulinux/encrypted_debian.html b/docs/gnulinux/encrypted_debian.html deleted file mode 100644 index 1201d4ce..00000000 --- a/docs/gnulinux/encrypted_debian.html +++ /dev/null 
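Review bot: in the configuring_parabola.md hunk above, the "LXDE - Network Manager" steps run `systemctl stop dhcpcd` and then `systemctl enable NetworkManager`, but never `systemctl disable dhcpcd`, so on the next boot both dhcpcd and NetworkManager start and compete for the same interface; add `systemctl disable dhcpcd` next to the stop. In the same hunk the "LXDE - automounting" and "LXDE - disable suspend" subsections still consist only of "NOTE TO SELF: come back to this later" and "NOTE TO SELF: disable it, then document the steps here"; since this commit is the port into the markdown tree, either keep those as explicit TODO markers or drop the empty subsections so the published page does not advertise steps it does not contain.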
@@ -1,495 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>Installing Debian or Devuan GNU+Linux with full disk encryption (including /boot)</title> -</head> - -<body> - <div class="section"> - <h1>Installing Debian or Devuan GNU+Linux with full disk encryption (including /boot)</h1> - <p> - This guide is written for the Debian distribution, but it should - also work for Devuan with the net installer. - </p> - <p> - Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a> - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and its GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. - </p> - - <p> - On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the system. - </p> - <p> - This guide is written for Debian net installer. You can download the ISO from the homepage on - <a href="https://www.debian.org/">debian.org</a>. - Use this on the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):<br/> - <strong> - set root='usb0'<br/> - linux /install.amd/vmlinuz<br/> - initrd /install.amd/initrd.gz<br/> - boot<br/> - </strong> - If you are on a 32-bit system (e.g. 
X60):<br/> - <strong> - set root='usb0'<br/> - linux /install.386/vmlinuz<br/> - initrd /install.386/initrd.gz<br/> - boot - </strong> - </p> - <p> - <a href="grub_boot_installer.html">This guide</a> shows how to - create a boot USB drive with the Debian ISO image. - </p> - <p> - <b>This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.</b> - </p> - - - <p> - Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive. - </p> - <p><a href="./">Back to previous index</a></p> - </div> - - <div class="section"> - - <p> - Set a strong user password (lots of lowercase/uppercase, numbers and symbols). - </p> - - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords). - </p> - - <p> - when the installer asks you to set up - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: <b>LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'.</b> - </p> - - <p> - <b> - Your user password should be different from the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - </b> - </p> - - </div> - - <div class="section"> - - <h1>Partitioning</h1> - - <p>Choose 'Manual' partitioning:</p> - <ul> - <li>Select drive and create new partition table</li> - <li> - Single large partition. 
The following are mostly defaults: - <ul> - <li>Use as: physical volume for encryption</li> - <li>Encryption: aes</li> - <li>key size: whatever default is given to you</li> - <li>IV algorithm: whatever default is given to you</li> - <li>Encryption key: passphrase</li> (<i>diceware method</i> recommended for choosing password) - <li>erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)</li> - </ul> - </li> - <li> - Select 'configure encrypted volumes' - <ul> - <li>Create encrypted volumes</li> - <li>Select your partition</li> - <li>Finish</li> - <li>Really erase: Yes</li> - <li>(erase will take a long time. be patient)</li> - <li>(if your old system was encrypted, just let this run for about a minute to - make sure that the LUKS header is wiped out)</li> - </ul> - </li> - <li> - Select encrypted space: - <ul> - <li>use as: physical volume for LVM</li> - <li>Choose 'done setting up the partition'</li> - </ul> - </li> - <li> - Configure the logical volume manager: - <ul> - <li>Keep settings: Yes</li> - </ul> - </li> - <li> - Create volume group: - <ul> - <li>Name: <b>matrix</b> (use this exact name)</li> - <li>Select crypto partition</li> - </ul> - </li> - <li> - Create logical volume - <ul> - <li>select <b>matrix</b> (use this exact name)</li> - <li>name: <b>rootvol</b> (use this exact name)</li> - <li>size: default, minus 2048 MB</li> - </ul> - </li> - <li> - Create logical volume - <ul> - <li>select <b>matrix</b> (use this exact name)</li> - <li>name: <b>swap</b> (user this exact name)</li> - <li>size: press enter</li> - </ul> - </li> - </ul> - - </div> - - <div class="section"> - - <h1>Further partitioning</h1> - - <p> - Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. 
- </p> - <ul> - <li> - LVM LV rootvol - <ul> - <li>use as: btrfs</li> - <li>mount point: /</li> - <li>done setting up partition</li> - </ul> - </li> - <li> - LVM LV swap - <ul> - <li>use as: swap area</li> - <li>done setting up partition</li> - </ul> - </li> - <li>Now you select 'Finished partitioning and write changes to disk'.</li> - </ul> - - </div> - - <div class="section"> - - <h1>Kernel</h1> - - <p> - Installation will ask what kernel you want to use. linux-generic is fine. - </p> - - </div> - - <div class="section"> - - <h1>Tasksel</h1> - - <p> - For Debian, use the <em>MATE</em> option, or one of the others if you want. - The libreboot project recommends MATE, unless you're saavy enough to choose something - else. - </p> - <p> - If you want debian-testing, then you should only select barebones options here - and change the entries in /etc/apt/sources.list after install to point to the new distro, - and then run <strong>apt-get update</strong> and <strong>apt-get dist-upgrade</strong> - as root, then reboot and run <b>tasksel</b> as root. This is to avoid downloading large - packages twice. - </p> - <p> - NOTE: If you want the latest up to date version of the Linux kernel, - Debian's kernel is sometimes outdated, even in the testing distro. - You might consider using <a href="https://jxself.org/linux-libre/">this repository</a> - instead, which contains the most up to date versions of the Linux kernel. - These kernels are also deblobbed, like Debian's kernels, so you can - be sure that no binary blobs are present. - </p> - - </div> - - <div class="section"> - - <h1>Postfix configuration</h1> - - <p> - If asked, choose <i>"No Configuration"</i> here (or maybe you want to select something else. It's up to you.) - </p> - - </div> - - <div class="section"> - - <h1>Install the GRUB boot loader to the master boot record</h1> - - <p> - Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. 
- You could also choose 'No'. Choice is irrelevant here. - </p> - - <p> - <i>You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.</i> - </p> - - </div> - - <div class="section"> - - <h1>Clock UTC</h1> - - <p> - Just say 'Yes'. - </p> - - </div> - - <div class="section"> - - <h1> - Booting your system - </h1> - - <p> - At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. - </p> - - <p> - Do that:<br/> - grub> <b>cryptomount -a</b><br/> - grub> <b>set root='lvm/matrix-rootvol'</b><br/> - grub> <b>linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root</b><br/> - grub> <b>initrd /initrd.img</b><br/> - grub> <b>boot</b> - </p> - - </div> - - <div class="section"> - - <h1> - ecryptfs - </h1> - - <p> - If you didn't encrypt your home directory, then you can safely ignore this section. - </p> - - <p> - Immediately after logging in, do that:<br/> - $ <b>sudo ecryptfs-unwrap-passphrase</b> - </p> - - <p> - This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> - </p> - - </div> - - <div class="section"> - - <h1> - Modify grub.cfg (CBFS) - </h1> - - <p> - Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. 
- </p> - - <p> - Modify your grub.cfg (in the firmware) <a href="grub_cbfs.html">using this tutorial</a>; - just change the default menu entry 'Load Operating System' to say this inside: - </p> - - <p> - <b>cryptomount -a</b><br/> - <b>set root='lvm/matrix-rootvol'</b><br/> - <b>linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root</b><br/> - <b>initrd /initrd.img</b> - </p> - - <p> - Without specifying a device, the <i>-a</i> parameter tries to unlock all detected LUKS volumes. - You can also specify -u UUID or -a (device). - </p> - - <p> - <a href="grub_hardening.html">Refer to this guide</a> for further guidance - on hardening your GRUB configuration, for security purposes. - </p> - - <p> - Flash the modified ROM - using <a href="../install/#flashrom">this tutorial</a>. - </p> - - </div> - - <div class="section"> - - <h1 id="troubleshooting">Troubleshooting</h1> - - <p> - A user reported issues when booting with a docking station attached - on an X200, when decrypting the disk in GRUB. The error - <i>AHCI transfer timed out</i> was observed. The workaround - was to remove the docking station. - </p> - - <p> - Further investigation revealed that it was the DVD drive causing problems. - Removing that worked around the issue. - </p> - -<pre> - -"sudo wodim -prcap" shows information about the drive: -Device was not specified. Trying to find an appropriate drive... -Detected CD-R drive: /dev/sr0 -Using /dev/cdrom of unknown capabilities -Device type : Removable CD-ROM -Version : 5 -Response Format: 2 -Capabilities : -Vendor_info : 'HL-DT-ST' -Identification : 'DVDRAM GU10N ' -Revision : 'MX05' -Device seems to be: Generic mmc2 DVD-R/DVD-RW. 
- -Drive capabilities, per MMC-3 page 2A: - - Does read CD-R media - Does write CD-R media - Does read CD-RW media - Does write CD-RW media - Does read DVD-ROM media - Does read DVD-R media - Does write DVD-R media - Does read DVD-RAM media - Does write DVD-RAM media - Does support test writing - - Does read Mode 2 Form 1 blocks - Does read Mode 2 Form 2 blocks - Does read digital audio blocks - Does restart non-streamed digital audio reads accurately - Does support Buffer-Underrun-Free recording - Does read multi-session CDs - Does read fixed-packet CD media using Method 2 - Does not read CD bar code - Does not read R-W subcode information - Does read raw P-W subcode data from lead in - Does return CD media catalog number - Does return CD ISRC information - Does support C2 error pointers - Does not deliver composite A/V data - - Does play audio CDs - Number of volume control levels: 256 - Does support individual volume control setting for each channel - Does support independent mute setting for each channel - Does not support digital output on port 1 - Does not support digital output on port 2 - - Loading mechanism type: tray - Does support ejection of CD via START/STOP command - Does not lock media on power up via prevent jumper - Does allow media to be locked in the drive via PREVENT/ALLOW command - Is not currently in a media-locked state - Does not support changing side of disk - Does not have load-empty-slot-in-changer feature - Does not support Individual Disk Present feature - - Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) - Current read speed: 4234 kB/s (CD 24x, DVD 3x) - Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) - Current write speed: 4234 kB/s (CD 24x, DVD 3x) - Rotational control selected: CLV/PCAV - Buffer size in KB: 1024 - Copy management revision supported: 1 - Number of supported write speeds: 4 - Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) - Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) - Write speed # 2: 1764 kB/s CLV/PCAV 
(CD 10x, DVD 1x) - Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) - -Supported CD-RW media types according to MMC-4 feature 0x37: - Does write multi speed CD-RW media - Does write high speed CD-RW media - Does write ultra high speed CD-RW media - Does not write ultra high speed+ CD-RW media - -</pre> - - </div> - - <div class="section"> - - <p> - Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 
- </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. - </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - - </div> - -</body> -</html> diff --git a/docs/gnulinux/encrypted_debian.md b/docs/gnulinux/encrypted_debian.md new file mode 100644 index 00000000..61265f7f --- /dev/null +++ b/docs/gnulinux/encrypted_debian.md 
@@ -0,0 +1,392 @@ +<div class="section"> + +Installing Debian or Devuan GNU+Linux with full disk encryption (including /boot) +================================================================================= + +This guide is written for the Debian distribution, but it should also +work for Devuan with the net installer. + +Libreboot on x86 uses the GRUB +[payload](http://www.coreboot.org/Payloads#GRUB_2) by default, which +means that the GRUB configuration file (where your GRUB menu comes from) +is stored directly alongside libreboot and its GRUB payload executable, +inside the flash chip. In context, this means that installing +distributions and managing them is handled slightly differently compared +to traditional BIOS systems. + +On most systems, the /boot partition has to be left unencrypted while +the others are encrypted. This is so that GRUB, and therefore the +kernel, can be loaded and executed since the firmware can\'t open a LUKS +volume. Not so with libreboot! Since GRUB is already included directly +as a payload, even /boot can be encrypted. This protects /boot from +tampering by someone with physical access to the system. + +This guide is written for Debian net installer. You can download the ISO +from the homepage on [debian.org](https://www.debian.org/). Use this on +the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\ +**set root=\'usb0\'\ +linux /install.amd/vmlinuz\ +initrd /install.amd/initrd.gz\ +boot\ +** If you are on a 32-bit system (e.g. X60):\ +**set root=\'usb0\'\ +linux /install.386/vmlinuz\ +initrd /install.386/initrd.gz\ +boot** + +[This guide](grub_boot_installer.html) shows how to create a boot USB +drive with the Debian ISO image. + +**This guide is \*only\* for the GRUB payload. If you use the +depthcharge payload, ignore this section entirely.** + +Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a +step during boot to fail. If this happens to you, try removing the +drive. 
+ +[Back to previous index](./) + +</div> + +<div class="section"> + +Set a strong user password (lots of lowercase/uppercase, numbers and +symbols). + +Use of the *diceware method* is recommended, for generating secure +passphrases (instead of passwords). + +when the installer asks you to set up encryption (ecryptfs) for your +home directory, select \'Yes\' if you want to: **LUKS is already secure +and performs well. Having ecryptfs on top of it will add noticeable +performance penalty, for little security gain in most use cases. This is +therefore optional, and not recommended. Choose \'no\'.** + +**Your user password should be different from the LUKS password which +you will set later on. Your LUKS password should, like the user +password, be secure.** + +</div> + +<div class="section"> + +Partitioning +============ + +Choose \'Manual\' partitioning: + +- Select drive and create new partition table +- Single large partition. The following are mostly defaults: + - Use as: physical volume for encryption + - Encryption: aes + - key size: whatever default is given to you + - IV algorithm: whatever default is given to you + - Encryption key: passphrase + - erase data: Yes (only choose \'No\' if it\'s a new drive that + doesn\'t contain your private data) +- Select \'configure encrypted volumes\' + - Create encrypted volumes + - Select your partition + - Finish + - Really erase: Yes + - (erase will take a long time. 
be patient) + - (if your old system was encrypted, just let this run for about a + minute to make sure that the LUKS header is wiped out) +- Select encrypted space: + - use as: physical volume for LVM + - Choose \'done setting up the partition\' +- Configure the logical volume manager: + - Keep settings: Yes +- Create volume group: + - Name: **matrix** (use this exact name) + - Select crypto partition +- Create logical volume + - select **matrix** (use this exact name) + - name: **rootvol** (use this exact name) + - size: default, minus 2048 MB +- Create logical volume + - select **matrix** (use this exact name) + - name: **swap** (user this exact name) + - size: press enter + +</div> + +<div class="section"> + +Further partitioning +==================== + +Now you are back at the main partitioning screen. You will simply set +mountpoints and filesystems to use. + +- LVM LV rootvol + - use as: btrfs + - mount point: / + - done setting up partition +- LVM LV swap + - use as: swap area + - done setting up partition +- Now you select \'Finished partitioning and write changes to disk\'. + +</div> + +<div class="section"> + +Kernel +====== + +Installation will ask what kernel you want to use. linux-generic is +fine. + +</div> + +<div class="section"> + +Tasksel +======= + +For Debian, use the *MATE* option, or one of the others if you want. The +libreboot project recommends MATE, unless you\'re saavy enough to choose +something else. + +If you want debian-testing, then you should only select barebones +options here and change the entries in /etc/apt/sources.list after +install to point to the new distro, and then run **apt-get update** and +**apt-get dist-upgrade** as root, then reboot and run **tasksel** as +root. This is to avoid downloading large packages twice. + +NOTE: If you want the latest up to date version of the Linux kernel, +Debian\'s kernel is sometimes outdated, even in the testing distro. 
You +might consider using [this repository](https://jxself.org/linux-libre/) +instead, which contains the most up to date versions of the Linux +kernel. These kernels are also deblobbed, like Debian\'s kernels, so you +can be sure that no binary blobs are present. + +</div> + +<div class="section"> + +Postfix configuration +===================== + +If asked, choose *\"No Configuration\"* here (or maybe you want to +select something else. It\'s up to you.) + +</div> + +<div class="section"> + +Install the GRUB boot loader to the master boot record +====================================================== + +Choose \'Yes\'. It will fail, but don\'t worry. Then at the main menu, +choose \'Continue without a bootloader\'. You could also choose \'No\'. +Choice is irrelevant here. + +*You do not need to install GRUB at all, since in libreboot you are +using the GRUB payload (for libreboot) to boot your system directly.* + +</div> + +<div class="section"> + +Clock UTC +========= + +Just say \'Yes\'. + +</div> + +<div class="section"> + +Booting your system +=================== + +At this point, you will have finished the installation. At your GRUB +payload, press C to get to the command line. + +Do that:\ +grub> **cryptomount -a**\ +grub> **set root=\'lvm/matrix-rootvol\'**\ +grub> **linux /vmlinuz root=/dev/mapper/matrix-rootvol +cryptdevice=/dev/mapper/matrix-rootvol:root**\ +grub> **initrd /initrd.img**\ +grub> **boot** + +</div> + +<div class="section"> + +ecryptfs +======== + +If you didn\'t encrypt your home directory, then you can safely ignore +this section. + +Immediately after logging in, do that:\ +\$ **sudo ecryptfs-unwrap-passphrase** + +This will be needed in the future if you ever need to recover your home +directory from another system, so write it down and keep the note +somewhere secret. 
Ideally, you should memorize it and then burn the note +(or not even write it down, and memorize it still)> + +</div> + +<div class="section"> + +Modify grub.cfg (CBFS) +====================== + +Now you need to set it up so that the system will automatically boot, +without having to type a bunch of commands. + +Modify your grub.cfg (in the firmware) [using this +tutorial](grub_cbfs.html); just change the default menu entry \'Load +Operating System\' to say this inside: + +**cryptomount -a**\ +**set root=\'lvm/matrix-rootvol\'**\ +**linux /vmlinuz root=/dev/mapper/matrix-rootvol +cryptdevice=/dev/mapper/matrix-rootvol:root**\ +**initrd /initrd.img** + +Without specifying a device, the *-a* parameter tries to unlock all +detected LUKS volumes. You can also specify -u UUID or -a (device). + +[Refer to this guide](grub_hardening.html) for further guidance on +hardening your GRUB configuration, for security purposes. + +Flash the modified ROM using [this tutorial](../install/#flashrom). + +</div> + +<div class="section"> + +Troubleshooting +=============== + +A user reported issues when booting with a docking station attached on +an X200, when decrypting the disk in GRUB. The error *AHCI transfer +timed out* was observed. The workaround was to remove the docking +station. + +Further investigation revealed that it was the DVD drive causing +problems. Removing that worked around the issue. + + + "sudo wodim -prcap" shows information about the drive: + Device was not specified. Trying to find an appropriate drive... + Detected CD-R drive: /dev/sr0 + Using /dev/cdrom of unknown capabilities + Device type : Removable CD-ROM + Version : 5 + Response Format: 2 + Capabilities : + Vendor_info : 'HL-DT-ST' + Identification : 'DVDRAM GU10N ' + Revision : 'MX05' + Device seems to be: Generic mmc2 DVD-R/DVD-RW. 
+ + Drive capabilities, per MMC-3 page 2A: + + Does read CD-R media + Does write CD-R media + Does read CD-RW media + Does write CD-RW media + Does read DVD-ROM media + Does read DVD-R media + Does write DVD-R media + Does read DVD-RAM media + Does write DVD-RAM media + Does support test writing + + Does read Mode 2 Form 1 blocks + Does read Mode 2 Form 2 blocks + Does read digital audio blocks + Does restart non-streamed digital audio reads accurately + Does support Buffer-Underrun-Free recording + Does read multi-session CDs + Does read fixed-packet CD media using Method 2 + Does not read CD bar code + Does not read R-W subcode information + Does read raw P-W subcode data from lead in + Does return CD media catalog number + Does return CD ISRC information + Does support C2 error pointers + Does not deliver composite A/V data + + Does play audio CDs + Number of volume control levels: 256 + Does support individual volume control setting for each channel + Does support independent mute setting for each channel + Does not support digital output on port 1 + Does not support digital output on port 2 + + Loading mechanism type: tray + Does support ejection of CD via START/STOP command + Does not lock media on power up via prevent jumper + Does allow media to be locked in the drive via PREVENT/ALLOW command + Is not currently in a media-locked state + Does not support changing side of disk + Does not have load-empty-slot-in-changer feature + Does not support Individual Disk Present feature + + Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) + Current read speed: 4234 kB/s (CD 24x, DVD 3x) + Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) + Current write speed: 4234 kB/s (CD 24x, DVD 3x) + Rotational control selected: CLV/PCAV + Buffer size in KB: 1024 + Copy management revision supported: 1 + Number of supported write speeds: 4 + Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) + Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) + Write speed # 2: 1764 kB/s 
CLV/PCAV (CD 10x, DVD 1x) + Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) + + Supported CD-RW media types according to MMC-4 feature 0x37: + Does write multi speed CD-RW media + Does write high speed CD-RW media + Does write ultra high speed CD-RW media + Does not write ultra high speed+ CD-RW media + +</div> + +<div class="section"> + +Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. 
WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. + +</div> diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html deleted file mode 100644 index ec4229e8..00000000 --- a/docs/gnulinux/encrypted_parabola.html +++ /dev/null 
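Review bot: in the encrypted_debian.md hunk above, the kernel command line given under "Booting your system" and repeated under "Modify grub.cfg (CBFS)" passes `cryptdevice=/dev/mapper/matrix-rootvol:root`, which names the LVM logical volume that lives inside the LUKS container as the device to unlock; that is circular, because /dev/mapper/matrix-rootvol only exists once the LUKS volume is already open. The device to name there is the encrypted partition created in the Partitioning section (the "physical volume for encryption"), not the LV. The text is carried over verbatim from the HTML, so if this commit is meant to be a pure format conversion, at least leave a TODO beside it rather than shipping it unchanged. Also in this hunk: "You can also specify -u UUID or -a (device)" contradicts the sentence before it, which says `-a` means "all detected LUKS volumes" with no device argument; a single device is given as a positional argument, `cryptomount (device)`, so the `-a` should go. Smaller nits to fix while the text is being moved: the stray `>` after "memorize it still)" in the ecryptfs section, "saavy" under Tasksel, "user this exact name" for the swap logical volume, and the lowercase "when the installer asks" opening a sentence.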
@@ -1,830 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>Installing Parabola or Arch GNU+Linux with full disk encryption (including /boot)</title> -</head> - -<body> - <div class="section"> - <h1>Installing Parabola or Arch GNU+Linux with full disk encryption (including /boot)</h1> - <p> - Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a> - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. - </p> - - <p> - On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the system. - </p> - <p> - <b>This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.</b> - </p> - <p> - This guide is intended for the Parabola distribution, but it should also work (with some adaptation) - for <em>Arch</em>. - We recomend using Parabola, which is a version of Arch that removes all - proprietary software, both in the default installation and in the package repositories. It usually lags - behind Arch by only a day or two, so it is still usable for most people. 
- See <a href="https://wiki.parabola.nu/index.php?title=Migration_from_the_GNU+Linux_distribution_of_Arch&redirect=no">Arch to Parabola migration guide</a>. - </p> - - <p> - Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive. - </p> - <p> - <a href="./">Back to previous index</a> - </p> - </div> - - <div class="section"> - - <p> - Boot Parabola's install environment. <a href="grub_boot_installer.html">How to boot a GNU+Linux installer</a>. - </p> - - <p> - For this guide I used the 2015 08 01 image to boot the live installer and install the system. - This is available at <a href="https://wiki.parabola.nu/Get_Parabola#Main_live_ISO">this page</a>. - </p> - - <p> - This guide will go through the installation steps taken at the time of writing, which may or may not change due to - the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, - please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to - the Parabola wiki. This guide essentially cherry picks the useful information (valid at the - time of writing: 2015-08-25). - </p> - - </div> - - <div class="section"> - - <p> This section deals with wiping the storage device on which you plan to install Parabola - GNU+Linux. Follow these steps, but if you use an SSD, also: - - <p> - - beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. - See <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29">this page</a> - for more info. - </p> - - <p> - make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data. 
- </p> - - <p> - make sure to read <a href="https://wiki.archlinux.org/index.php/Solid_State_Drives">this article</a>. Edit /etc/fstab later on when - chrooted into your install. Also, read the whole article and keep all points in mind, adapting them for this guide. - </p> - - <p> - Securely wipe the drive:<br/> - # <b>dd if=/dev/urandom of=/dev/sda; sync</b><br/> - NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, - use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended - erase block size is. For example if it was 2MiB:<br/> - # <b>dd if=/dev/urandom of=/dev/sda bs=2M; sync</b> - </p> - <p> - If your drive was already LUKS encrypted (maybe you are re-installing your distro) then - it is already 'wiped'. You should just wipe the LUKS header. - <a href="https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/">https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/</a> - showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm going to use urandom. Do this:<br/> - # <b>head -c 3145728 /dev/urandom > /dev/sda; sync</b><br/> - (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). - </p> - - </div> - - <div class="section"> - - <h2> - Change keyboard layout - </h2> - <p> - Parabola live shell assumes US Qwerty. If you have something different, list the available keymaps and use yours:<br/> - # <b>localectl list-keymaps</b><br/> - # <b>loadkeys LAYOUT</b><br/> - For me, LAYOUT would have been dvorak-uk. - </p> - - </div> - - <div class="section"> - - <h2>Establish an internet connection</h2> - <p> - Refer to <a href="https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection">this guide</a>. Wired is recommended, - but wireless is also explained there. 
- </p> - - </div> - - <div class="section"> - - <h2>Getting started</h2> - <p> - The beginning is based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>. - Then I referred to <a href="https://wiki.archlinux.org/index.php/Partitioning">https://wiki.archlinux.org/index.php/Partitioning</a> at first. - </p> - - </div> - - <div class="section"> - - <h2>dm-mod</h2> - <p> - device-mapper will be used - a lot. Make sure that the kernel module is loaded:<br/> - # <b>modprobe dm-mod</b> - </p> - - <h2>Create LUKS partition</h2> - <p> - Note that the default iteration time is 2000ms (2 seconds) if not specified - in cryptsetup. You should set a lower time than this, otherwise there will be - an approximate 20 second delay when booting your system. - We recommend 500ms (0.5 seconds), and this is included in the prepared - cryptsetup command below. - Note that the iteration time is for security purposes (mitigates - brute force attacks), so anything lower than 5 seconds is probably - not ok. - </p> - <p> - I am using MBR partitioning, so I use cfdisk:<br/> - # <b>cfdisk /dev/sda</b> - </p> - <p> - I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). - </p> - <p> - Now I refer to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning">https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning</a>:<br/> - I am then directed to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption</a>. - </p> - <p> - Parabola forces you to RTFM. Do that. - </p> - <p> - It tells me to run:<br/> - # <b>cryptsetup benchmark</b> (for making sure the list below is populated)<br/> - Then:<br/> - # <b>cat /proc/crypto</b><br/> - This gives me crypto options that I can use. 
It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second). - To gain a better understanding, I am also reading:<br/> - # <b>man cryptsetup</b> - </p> - <p> - Following that page, based on my requirements, I do the following based on <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</a>. - Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. - </p> - <p> - I am initializing LUKS with the following:<br/> - # <b>cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1</b> - Choose a <b>secure</b> passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The - password length should be as long as you are able to handle without writing it down or storing it anywhere. - </p> - - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords). - </p> - - </div> - - <div class="section"> - - <h2>Create LVM</h2> - <p> - Now I refer to <a href="https://wiki.archlinux.org/index.php/LVM">https://wiki.archlinux.org/index.php/LVM</a>. 
- </p> - <p> - Open the LUKS partition:<br/> - # <b>cryptsetup luksOpen /dev/sda1 lvm</b><br/> - (it will be available at /dev/mapper/lvm) - </p> - <p> - Create LVM partition:<br/> - # <b>pvcreate /dev/mapper/lvm</b><br/> - Show that you just created it:<br/> - # <b>pvdisplay</b> - </p> - <p> - Now I create the volume group, inside of which the logical volumes will be created:<br/> - # <b>vgcreate matrix /dev/mapper/lvm</b><br/> - (volume group name is 'matrix' - choose your own name, if you like) - Show that you created it:<br/> - # <b>vgdisplay</b> - </p> - <p> - Now create the logical volumes:<br/> - # <b>lvcreate -L 2G matrix -n swapvol</b> (2G swap partition, named <u>swapvol</u>)<br/> - Again, choose your own name if you like. Also, make sure to choose a swap size of your own needs. It basically depends on how much RAM - you have installed. I refer to <a -href="http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space">http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space</a>.<br/> - # <b>lvcreate -l +100%FREE matrix -n root</b> (single large partition in the rest of the space, named <u>root</u>)<br/> - You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, - if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). - For a home/laptop system (typical use case), a root and a swap will do (really). 
- </p> - <p> - Verify that the logical volumes were created, using the following command:<br/> - # <b>lvdisplay</b> - </p> - - </div> - - <div class="section"> - - <h2>Create / and swap partitions, and mount</h2> - <p> - For the swapvol LV I use:<br/> - # <b>mkswap /dev/mapper/matrix-swapvol</b><br/> - Activate swap:<br/> - # <b>swapon /dev/matrix/swapvol</b> - </p> - <p> - For the root LV I use:<br/> - # <b>mkfs.btrfs /dev/mapper/matrix-root</b> - </p> - <p> - Mount the root (/) partition:<br/> - # <b>mount /dev/matrix/root /mnt</b> - </p> - - </div> - - <div class="section"> - - <h2>Continue with Parabola installation</h2> - <p> - This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola - so that the guide can continue. - </p> - <p> - Now I am following the rest of <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>. - I also cross referenced <a href="https://wiki.archlinux.org/index.php/Installation_guide">https://wiki.archlinux.org/index.php/Installation_guide</a>. - </p> - <p> - Create /home and /boot on root mountpoint:<br/> - # <b>mkdir -p /mnt/home</b><br/> - # <b>mkdir -p /mnt/boot</b> - </p> - <p> - Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola. - </p> - - <p> - In <b>/etc/pacman.d/mirrorlist</b>, comment out all lines except the Server line closest to where you are (I chose the UK Parabola - server (main server)) and then did:<br/> - # <b>pacman -Syy</b><br/> - # <b>pacman -Syu</b><br/> - # <b>pacman -Sy pacman</b> (and then I did the other 2 steps above, again)<br/> - In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. 
- </p> - <p> - <troubleshooting><br/> - The following is based on 'Verification of package signatures' in the Parabola install guide.<br/> - Check there first to see if steps differ by now.<br/> - Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/> - # <b>pacman -Sy parabola-keyring</b><br/> - It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:<br/> - # <b>pacman-key --populate parabola</b><br/> - # <b>pacman-key --refresh-keys</b><br/> - # <b>pacman -Sy parabola-keyring</b><br/> - To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/> - If you get an error mentioning dirmngr, do:<br/> - # <b>dirmngr </dev/null</b><br/> - Also, it says that if the clock is set incorrectly then you have to manually set the correct time <br/> - (if keys are listed as expired because of it):<br/> - # <b>date MMDDhhmm[[CC]YY][.ss]</b><br/> - I also had to install:<br/> - # <b>pacman -S archlinux-keyring</b><br/> - # <b>pacman-key --populate archlinux</b><br/> - In my case I saw some conflicting files reported in pacman, stopping me from using it.<br/> - I deleted the files that it mentioned - and then it worked. Specifically, I had this error:<br/> - <i>licenses: /usr/share/licenses/common/MPS exists in filesystem</i><br/> - I rm -Rf'd the file and then pacman worked. 
I'm told that the following would have also made it work:<br/> - # <b>pacman -Sf licenses</b><br/> - </troubleshooting><br/> - </p> - <p> - I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog/iw/wpa_actiond are needed for wireless after the install:<br/> - # <b>pacstrap /mnt base base-devel wpa_supplicant dialog iw wpa_actiond</b> - </p> - - </div> - - <div class="section"> - - <h2>Configure the system</h2> - <p> - Generate an fstab - UUIDs are used because they have certain advantages (see <a href="https://wiki.parabola.nu/Fstab#Identifying_filesystems">https://wiki.parabola.nu/Fstab#Identifying_filesystems</a>. - If you prefer labels instead, replace the -U option with -L):<br/> - # <b>genfstab -U -p /mnt >> /mnt/etc/fstab</b><br/> - Check the created file:<br/> - # <b>cat /mnt/etc/fstab</b><br/> - (If there are any errors, edit the file. Do <b>NOT</b> run the genfstab command again!) - </p> - <p> - Chroot into new system:<br/> - # <b>arch-chroot /mnt /bin/bash</b> - </p> - <p> - It's a good idea to have this installed:<br/> - # <b>pacman -S linux-libre-lts</b> - </p> - <p> - It was also suggested that you should install this kernel (read up on what GRSEC is):<br/> - # <b>pacman -S linux-libre-grsec</b> - </p> - <p> - This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels - that can be used as a fallback during updates, if a bad kernel causes issues for you. - </p> - <p> - Parabola does not have wget. This is sinister. Install it:<br/> - # <b>pacman -S wget</b> - </p> - <p> - Locale:<br/> - # <b>vi /etc/locale.gen</b><br/> - Uncomment your needed localisations. 
For example en_GB.UTF-8 (UTF-8 is highly recommended over other options).<br/> - # <b>locale-gen</b><br/> - # <b>echo LANG=en_GB.UTF-8 > /etc/locale.conf</b><br/> - # <b>export LANG=en_GB.UTF-8</b> - </p> - <p> - Console font and keymap:<br/> - # <b>vi /etc/vconsole.conf</b><br/> - In my case: - </p> -<pre> -KEYMAP=dvorak-uk -FONT=lat9w-16 -</pre> - <p> - Time zone:<br/> - # <b>ln -s /usr/share/zoneinfo/Europe/London /etc/localtime</b><br/> - (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo) - </p> - <p> - Hardware clock:<br/> - # <b>hwclock --systohc --utc</b> - </p> - <p> - Hostname: - Write your hostname to /etc/hostname. For example, if your hostname is parabola:<br/> - # <b>echo parabola > /etc/hostname</b><br/> - Add the same hostname to /etc/hosts:<br/> - # <b>vi /etc/hosts</b><br/> - </p> -<pre> -#<ip-address> <hostname.domain.org> <hostname> -127.0.0.1 localhost.localdomain localhost parabola -::1 localhost.localdomain localhost parabola -</pre> - <p> Configure the network: - Refer to <a href="https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network">https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network</a>. - </p> - <p> Mkinitcpio: - Configure /etc/mkinitcpio.conf as needed (see <a href="https://wiki.parabola.nu/Mkinitcpio">https://wiki.parabola.nu/Mkinitcpio</a>). - Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in /usr/lib/initcpio/install. (# <b>mkinitcpio -H hookname</b> gives information about each hook.) - Specifically, for this use case:<br/> - # <b>vi /etc/mkinitcpio.conf</b><br/> - Then modify the file like so: - </p> - <ul> - <li>MODULES="i915"</li> - <li>This forces the driver to load earlier, so that the console font isn't wiped out after getting to login). 
Macbook21 users will also need <strong>hid-generic, hid and hid-apple to have a working keyboard when asked to enter the LUKS password.</strong></li> - <li>HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"</li> - <li>Explanation:</li> - <li>keymap adds to initramfs the keymap that you specified in /etc/vconsole.conf</li> - <li>consolefont adds to initramfs the font that you specified in /etc/vconsole.conf</li> - <li>encrypt adds LUKS support to the initramfs - needed to unlock your disks at boot time</li> - <li>lvm2 adds LVM support to the initramfs - needed to mount the LVM partitions at boot time</li> - <li>shutdown is needed according to Parabola wiki for unmounting devices (such as LUKS/LVM) during shutdown)</li> - </ul> - <p> - Now using mkinitcpio, you can create the kernel and ramdisk for booting with (this is different from Arch, specifying linux-libre instead of linux):<br/> - # <b>mkinitcpio -p linux-libre</b><br/> - Also do it for linux-libre-lts:<br/> - # <b>mkinitcpio -p linux-libre-lts</b><br/> - Also do it for linux-libre-grsec:<br/> - # <b>mkinitcpio -p linux-libre-grsec</b> - </p> - <p> - Set the root password: - At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to <a href="https://wiki.archlinux.org/index.php/SHA_password_hashes">https://wiki.archlinux.org/index.php/SHA_password_hashes</a>.<br/> - # <b>vi /etc/pam.d/passwd</b><br/> - Add rounds=65536 at the end of the uncommented 'password' line.<br/> - # <b>passwd root</b><br/> - Make sure to set a secure password! Also, it must never be the same as your LUKS password. - </p> - - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords). - </p> - - </div> - - <div class="section"> - - <h2>Extra security tweaks</h2> - <p> - Based on <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>. 
- </p> - <p> - Restrict access to important directories:<br/> - # <b>chmod 700 /boot /etc/{iptables,arptables}</b> - </p> - <p> - Lockout user after three failed login attempts:<br/> - Edit the file /etc/pam.d/system-login and comment out that line:<br/> - <i># auth required pam_tally.so onerr=succeed file=/var/log/faillog</i><br/> - Or just delete it. Above it, put:<br/> - <i>auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog</i><br/> - To unlock a user manually (if a password attempt is failed 3 times), do:<br/> - # <b>pam_tally --user <i>theusername</i> --reset</b> - What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts. - </p> - <p> - Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. - If this is a single-user system, you don't really need sudo. - </p> - - </div> - - <div class="section"> - - <h2>Unmount, reboot!</h2> - <p> - Exit from chroot:<br/> - # <b>exit</b> - </p> - <p> - unmount:<br/> - # <b>umount -R /mnt</b><br/> - # <b>swapoff -a</b> - </p> - <p> - deactivate the lvm lv's:<br/> - # <b>lvchange -an /dev/matrix/root</b><br/> - # <b>lvchange -an /dev/matrix/swapvol</b><br/> - </p> - <p> - Lock the encrypted partition (close it):<br/> - # <b>cryptsetup luksClose lvm</b> - </p> - <p> - # <b>shutdown -h now</b><br/> - Remove the installation media, then boot up again. - </p> - - </div> - - <div class="section"> - - <h2>Booting from GRUB</h2> - <p> - Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional - (using those 2 underlines will boot lts kernel instead of normal). 
- </p> - <p> - grub> <b>cryptomount -a</b><br/> - grub> <b>set root='lvm/matrix-root'</b><br/> - grub> <b>linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/root cryptdevice=/dev/sda1:root</b><br/> - grub> <b>initrd /boot/initramfs-linux-libre<u>-lts</u>.img</b><br/> - grub> <b>boot</b><br/> - </p> - <p> - You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img - </p> - - </div> - - <div class="section"> - - <h2>Follow-up tutorial: configuring Parabola</h2> - <p> - We will modify grub.config inside the ROM and do all kinds of fun stuff, but I recommend that you first transform the current bare-bones Parabola install into a more useable system. - Doing so will make the upcoming ROM modifications MUCH easier to perform and less risky! - <a href="configuring_parabola.html">configuring_parabola.html</a> shows my own notes post-installation. Using these, you can get a basic - system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. - Parabola is user-centric, which means that you are in control. For more information, read <a href="https://wiki.archlinux.org/index.php/The_Arch_Way">The Arch Way</a> - (Parabola also follows it). - </p> - - </div> - - <div class="section"> - - <h2>Modify grub.cfg inside the ROM</h2> - - <p> - (Re-)log in to your system, pressing C, so booting manually from GRUB (see above). You need to modify the ROM, so that Parabola can boot automatically with this configuration. - <a href="grub_cbfs.html">grub_cbfs.html</a> shows you how. Follow that guide, using the configuration details below. - If you go for option 2 (re-flash), promise to do this on grubtest.cfg first! We can't emphasise this enough. This is to reduce the possibility of bricking your device! - </p> - - <p> - I will go for the re-flash option here. Firstly, cd to the libreboot_util/cbfstool/{armv7l i686 x86_64} directory. 
- Dump the current firmware - where <i>libreboot.rom</i> is an example: make sure to adapt:<br/> - # <b>flashrom -p internal -r libreboot.rom</b><br/> - If flashrom complains about multiple flash chips detected, add a <i>-c</i> option at the end, with the name of your chosen chip is quotes.<br/> - You can check if everything is in there (<i>grub.cfg</i> and <i>grubtest.cfg</i> would be really nice):<br/> - $ <b>./cbfstool libreboot.rom print</b><br/> - Extract grubtest.cfg:<br/> - $ <b>./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg</b><br/> - And modify:<br/> - $ <b>vi grubtest.cfg</b> - </p> - - <p> - In grubtest.cfg, inside the 'Load Operating System' menu entry, change the contents to: - </p> -<pre> -cryptomount -a<br/> -set root='lvm/matrix-root'<br/> -linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/root cryptdevice=/dev/sda1:root<br/> -initrd /boot/initramfs-linux-libre<u>-lts</u>.img -</pre> - - <p> - Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. - You could also copy the menu entry and in one have -lts, and without in the other menuentry. - You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img - The first entry will load by default. - </p> - - <p> - Without specifying a device, the <i>-a</i> parameter tries to unlock all detected LUKS volumes. - You can also specify -u UUID or -a (device). - </p> - - <p> - <a href="grub_hardening.html">Refer to this guide</a> for further guidance - on hardening your GRUB configuration, for security purposes. 
- </p> - - <p> - Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image:<br/> - $ <b>./cbfstool libreboot.rom remove -n grubtest.cfg</b><br/> - and insert the modified grubtest.cfg:<br/> - $ <b>./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw</b><br/> - </p> - - <p> - Now refer to <a href="http://libreboot.org/docs/install/#flashrom">http://libreboot.org/docs/install/#flashrom</a>. - Cd (up) to the libreboot_util directory and update the flash chip contents:<br/> - # <b>./flash update libreboot.rom</b><br/> - Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:<br/> - # <b>./flash forceupdate libreboot.rom</b><br/> - You should see "Verifying flash... VERIFIED." written at the end of the flashrom output. - </p> - - <p> - With this new configuration, Parabola can boot automatically and you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. - Let's test it out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow keys on your keyboard. - Enter the name you chose, the GRUB password, your LUKS passphrase and login as root/your user. All went well? Great! - </p> - - <p> - If it does not work like you want it to, if you are unsure or sceptical in any way, don't despair: you have been wise and did not brick your device! Reboot and login the default way, and then modify - your grubtest.cfg until you get it right! - <b>Do *not* proceed past this point unless you are 100% sure that your new configuration is safe (or desirable) to use.</b> - </p> - - <p> - Now, we can easily and safely create a copy of grubtest.cfg, called grub.cfg. 
This will be the same except for one difference: the menuentry 'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg' - and, inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever - want to follow this guide again in the future (modifying the already modified config). - Inside libreboot_util/cbfstool/{armv7l i686 x86_64}, we can do this with the following command:<br/> - $ <b>sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg</b><br/> - Delete the grub.cfg that remained inside the ROM:<br/> - $ <b>./cbfstool libreboot.rom remove -n grub.cfg</b><br/> - Add the modified version that you just made:<br/> - $ <b>./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw</b><br/> - </p> - - <p> - Now you have a modified ROM. Once more, refer to <a href="http://libreboot.org/docs/install/#flashrom">http://libreboot.org/docs/install/#flashrom</a>. - Cd to the libreboot_util directory and update the flash chip contents:<br/> - # <b>./flash update libreboot.rom</b><br/> - And wait for the "Verifying flash... VERIFIED." Once you have done that, shut down and then boot up with your new configuration. - </p> - - <p> - When done, delete GRUB (remember, we only needed it for the <i>grub-mkpasswd-pbkdf2</i> utility; - GRUB is already part of libreboot, flashed alongside it as a <i>payload</i>):<br/> - # <b>pacman -R grub</b> - </p> - - </div> - - <div class="section"> - - <p> - If you followed all that correctly, you should now have a fully encrypted Parabola installation. - Refer to the wiki for how to do the rest. - </p> - - </div> - - <div class="section"> - <h2>Bonus: Using a key file to unlock /boot/</h2> - <p> - By default, you will have to enter your LUKS passphrase twice; once in GRUB, and once when booting the kernel. 
- GRUB unlocks the encrypted partition and then loads the kernel, but the kernel is not aware of the fact - that it is being loaded from an encrypted volume. Therefore, you will be asked to enter your passphrase a second time. - A workaround is to put a keyfile inside initramfs, with instructions for the kernel to use it when - booting. This is safe, because /boot/ is encrypted (otherwise, putting a keyfile inside initramfs would be a bad idea).<br/> - - Boot up and login as root or your user. Then generate the key file:<br/> - # <b>dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock</b><br/> - Insert it into the luks volume:<br/> - # <b>cryptsetup luksAddKey /dev/sdX /etc/mykeyfile</b><br/> - and enter your LUKS passphrase when prompted. - Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:<br/> - # <b>FILES="/etc/mykeyfile"</b><br/> - Create the initramfs image from scratch:<br/> - # <b>mkinitcpio -p linux-libre</b><br/> - # <b>mkinitcpio -p linux-libre-lts</b><br/> - # <b>mkinitcpio -p linux-libre-grsec</b><br/> - Add the following to your grub.cfg - you are now able to do that, see above! -, or add it in the kernel command line for GRUB:<br/> - # <b>cryptkey=rootfs:/etc/mykeyfile</b><br/> - <br/> - You can also place this inside the grub.cfg that exists in CBFS: <a href="grub_cbfs.html">grub_cbfs.html</a>. - </p> - - </div> - - <div class="section"> - - <h2>Further security tips</h2> - <p> - <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.<br/> - <a href="https://wiki.parabolagnulinux.org/User:GNUtoo/laptop">https://wiki.parabolagnulinux.org/User:GNUtoo/laptop</a> - </p> - - </div> - - <div class="section"> - - <h1 id="troubleshooting">Troubleshooting</h1> - - <p> - A user reported issues when booting with a docking station attached - on an X200, when decrypting the disk in GRUB. The error - <i>AHCI transfer timed out</i> was observed. 
The workaround - was to remove the docking station. - </p> - - <p> - Further investigation revealed that it was the DVD drive causing problems. - Removing that worked around the issue. - </p> - -<pre> - -"sudo wodim -prcap" shows information about the drive: -Device was not specified. Trying to find an appropriate drive... -Detected CD-R drive: /dev/sr0 -Using /dev/cdrom of unknown capabilities -Device type : Removable CD-ROM -Version : 5 -Response Format: 2 -Capabilities : -Vendor_info : 'HL-DT-ST' -Identification : 'DVDRAM GU10N ' -Revision : 'MX05' -Device seems to be: Generic mmc2 DVD-R/DVD-RW. - -Drive capabilities, per MMC-3 page 2A: - - Does read CD-R media - Does write CD-R media - Does read CD-RW media - Does write CD-RW media - Does read DVD-ROM media - Does read DVD-R media - Does write DVD-R media - Does read DVD-RAM media - Does write DVD-RAM media - Does support test writing - - Does read Mode 2 Form 1 blocks - Does read Mode 2 Form 2 blocks - Does read digital audio blocks - Does restart non-streamed digital audio reads accurately - Does support Buffer-Underrun-Free recording - Does read multi-session CDs - Does read fixed-packet CD media using Method 2 - Does not read CD bar code - Does not read R-W subcode information - Does read raw P-W subcode data from lead in - Does return CD media catalog number - Does return CD ISRC information - Does support C2 error pointers - Does not deliver composite A/V data - - Does play audio CDs - Number of volume control levels: 256 - Does support individual volume control setting for each channel - Does support independent mute setting for each channel - Does not support digital output on port 1 - Does not support digital output on port 2 - - Loading mechanism type: tray - Does support ejection of CD via START/STOP command - Does not lock media on power up via prevent jumper - Does allow media to be locked in the drive via PREVENT/ALLOW command - Is not currently in a media-locked state - Does not support changing 
side of disk - Does not have load-empty-slot-in-changer feature - Does not support Individual Disk Present feature - - Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) - Current read speed: 4234 kB/s (CD 24x, DVD 3x) - Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) - Current write speed: 4234 kB/s (CD 24x, DVD 3x) - Rotational control selected: CLV/PCAV - Buffer size in KB: 1024 - Copy management revision supported: 1 - Number of supported write speeds: 4 - Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) - Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) - Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x) - Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) - -Supported CD-RW media types according to MMC-4 feature 0x37: - Does write multi speed CD-RW media - Does write high speed CD-RW media - Does write ultra high speed CD-RW media - Does not write ultra high speed+ CD-RW media - -</pre> - - </div> - - <div class="section"> - - <p> - Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org><br/> - Copyright © 2015 Jeroen Quint <jezza@diplomail.ch><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. 
THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. - </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. - </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - - </div> - -</body> -</html> diff --git a/docs/gnulinux/encrypted_parabola.md b/docs/gnulinux/encrypted_parabola.md new file mode 100644 index 00000000..3480a2e9 --- /dev/null +++ b/docs/gnulinux/encrypted_parabola.md 
@@ -0,0 +1,834 @@ +<div class="section"> + +Installing Parabola or Arch GNU+Linux with full disk encryption (including /boot) +================================================================================= + +Libreboot on x86 uses the GRUB +[payload](http://www.coreboot.org/Payloads#GRUB_2) by default, which +means that the GRUB configuration file (where your GRUB menu comes from) +is stored directly alongside libreboot and it\'s GRUB payload +executable, inside the flash chip. In context, this means that +installing distributions and managing them is handled slightly +differently compared to traditional BIOS systems. + +On most systems, the /boot partition has to be left unencrypted while +the others are encrypted. This is so that GRUB, and therefore the +kernel, can be loaded and executed since the firmware can\'t open a LUKS +volume. Not so with libreboot! Since GRUB is already included directly +as a payload, even /boot can be encrypted. This protects /boot from +tampering by someone with physical access to the system. + +**This guide is \*only\* for the GRUB payload. If you use the +depthcharge payload, ignore this section entirely.** + +This guide is intended for the Parabola distribution, but it should also +work (with some adaptation) for *Arch*. We recomend using Parabola, +which is a version of Arch that removes all proprietary software, both +in the default installation and in the package repositories. It usually +lags behind Arch by only a day or two, so it is still usable for most +people. See [Arch to Parabola migration +guide](https://wiki.parabola.nu/index.php?title=Migration_from_the_GNU+Linux_distribution_of_Arch&redirect=no). + +Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a +step during boot to fail. If this happens to you, try removing the +drive. + +[Back to previous index](./) + +</div> + +<div class="section"> + +Boot Parabola\'s install environment. [How to boot a GNU+Linux +installer](grub_boot_installer.html). 
+ +For this guide I used the 2015 08 01 image to boot the live installer +and install the system. This is available at [this +page](https://wiki.parabola.nu/Get_Parabola#Main_live_ISO). + +This guide will go through the installation steps taken at the time of +writing, which may or may not change due to the volatile nature of +Parabola (it changes all the time). In general most of it should remain +the same. If you spot mistakes, please say so! This guide will be ported +to the Parabola wiki at a later date. For up to date Parabola install +guide, go to the Parabola wiki. This guide essentially cherry picks the +useful information (valid at the time of writing: 2015-08-25). + +</div> + +<div class="section"> + +This section deals with wiping the storage device on which you plan to +install Parabola GNU+Linux. Follow these steps, but if you use an SSD, +also: + +- beware there are issues with TRIM (not enabled through luks) and +security issues if you do enable it. See [this +page](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29) +for more info. + +- make sure it\'s brand-new (or barely used). Or, otherwise, be sure +that it never previously contained plaintext copies of your data. + +- make sure to read [this +article](https://wiki.archlinux.org/index.php/Solid_State_Drives). Edit +/etc/fstab later on when chrooted into your install. Also, read the +whole article and keep all points in mind, adapting them for this guide. + +Securely wipe the drive:\ +\# **dd if=/dev/urandom of=/dev/sda; sync**\ +NOTE: If you have an SSD, only do this the first time. If it was already +LUKS-encrypted before, use the info below to wipe the LUKS header. Also, +check online for your SSD what the recommended erase block size is. 
For +example if it was 2MiB:\ +\# **dd if=/dev/urandom of=/dev/sda bs=2M; sync** + +If your drive was already LUKS encrypted (maybe you are re-installing +your distro) then it is already \'wiped\'. You should just wipe the LUKS +header. +<https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/> +showed me how to do this. It recommends doing the first 3MiB. Now, that +guide is recommending putting zero there. I\'m going to use urandom. Do +this:\ +\# **head -c 3145728 /dev/urandom > /dev/sda; sync**\ +(Wiping the LUKS header is important, since it has hashed passphrases +and so on. It\'s \'secure\', but \'potentially\' a risk). + +</div> + +<div class="section"> + +Change keyboard layout +---------------------- + +Parabola live shell assumes US Qwerty. If you have something different, +list the available keymaps and use yours:\ +\# **localectl list-keymaps**\ +\# **loadkeys LAYOUT**\ +For me, LAYOUT would have been dvorak-uk. + +</div> + +<div class="section"> + +Establish an internet connection +-------------------------------- + +Refer to [this +guide](https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection). +Wired is recommended, but wireless is also explained there. + +</div> + +<div class="section"> + +Getting started +--------------- + +The beginning is based on +<https://wiki.parabolagnulinux.org/Installation_Guide>. Then I referred +to <https://wiki.archlinux.org/index.php/Partitioning> at first. + +</div> + +<div class="section"> + +dm-mod +------ + +device-mapper will be used - a lot. Make sure that the kernel module is +loaded:\ +\# **modprobe dm-mod** + +Create LUKS partition +--------------------- + +Note that the default iteration time is 2000ms (2 seconds) if not +specified in cryptsetup. You should set a lower time than this, +otherwise there will be an approximate 20 second delay when booting your +system. We recommend 500ms (0.5 seconds), and this is included in the +prepared cryptsetup command below. 
Note that the iteration time is for +security purposes (mitigates brute force attacks), so anything lower +than 5 seconds is probably not ok. + +I am using MBR partitioning, so I use cfdisk:\ +\# **cfdisk /dev/sda** + +I create a single large sda1 filling the whole drive, leaving it as the +default type \'Linux\' (83). + +Now I refer to +<https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning>:\ +I am then directed to +<https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption>. + +Parabola forces you to RTFM. Do that. + +It tells me to run:\ +\# **cryptsetup benchmark** (for making sure the list below is +populated)\ +Then:\ +\# **cat /proc/crypto**\ +This gives me crypto options that I can use. It also provides a +representation of the best way to set up LUKS (in this case, security is +a priority; speed, a distant second). To gain a better understanding, I +am also reading:\ +\# **man cryptsetup** + +Following that page, based on my requirements, I do the following based +on +<https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode>. +Reading through, it seems like Serpent (encryption) and Whirlpool (hash) +is the best option. + +I am initializing LUKS with the following:\ +\# **cryptsetup -v \--cipher serpent-xts-plain64 \--key-size 512 \--hash +whirlpool \--iter-time 500 \--use-random \--verify-passphrase luksFormat +/dev/sda1** Choose a **secure** passphrase here. Ideally lots of +lowercase/uppercase numbers, letters, symbols etc all in a random +pattern. The password length should be as long as you are able to handle +without writing it down or storing it anywhere. + +Use of the *diceware method* is recommended, for generating secure +passphrases (instead of passwords). + +</div> + +<div class="section"> + +Create LVM +---------- + +Now I refer to <https://wiki.archlinux.org/index.php/LVM>. 
+ +Open the LUKS partition:\ +\# **cryptsetup luksOpen /dev/sda1 lvm**\ +(it will be available at /dev/mapper/lvm) + +Create LVM partition:\ +\# **pvcreate /dev/mapper/lvm**\ +Show that you just created it:\ +\# **pvdisplay** + +Now I create the volume group, inside of which the logical volumes will +be created:\ +\# **vgcreate matrix /dev/mapper/lvm**\ +(volume group name is \'matrix\' - choose your own name, if you like) +Show that you created it:\ +\# **vgdisplay** + +Now create the logical volumes:\ +\# **lvcreate -L 2G matrix -n swapvol** (2G swap partition, named +swapvol)\ +Again, choose your own name if you like. Also, make sure to choose a +swap size of your own needs. It basically depends on how much RAM you +have installed. I refer to +<http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space>.\ +\# **lvcreate -l +100%FREE matrix -n root** (single large partition in +the rest of the space, named root)\ +You can also be flexible here, for example you can specify a /boot, a /, +a /home, a /var, a /usr, etc. For example, if you will be running a +web/mail server then you want /var in its own partition (so that if it +fills up with logs, it won\'t crash your system). For a home/laptop +system (typical use case), a root and a swap will do (really). + +Verify that the logical volumes were created, using the following +command:\ +\# **lvdisplay** + +</div> + +<div class="section"> + +Create / and swap partitions, and mount +--------------------------------------- + +For the swapvol LV I use:\ +\# **mkswap /dev/mapper/matrix-swapvol**\ +Activate swap:\ +\# **swapon /dev/matrix/swapvol** + +For the root LV I use:\ +\# **mkfs.btrfs /dev/mapper/matrix-root** + +Mount the root (/) partition:\ +\# **mount /dev/matrix/root /mnt** + +</div> + +<div class="section"> + +Continue with Parabola installation +----------------------------------- + +This guide is really about GRUB, Parabola and cryptomount. 
I have to +show how to install Parabola so that the guide can continue. + +Now I am following the rest of +<https://wiki.parabolagnulinux.org/Installation_Guide>. I also cross +referenced <https://wiki.archlinux.org/index.php/Installation_guide>. + +Create /home and /boot on root mountpoint:\ +\# **mkdir -p /mnt/home**\ +\# **mkdir -p /mnt/boot** + +Once all the remaining partitions, if any, have been mounted, the +devices are ready to install Parabola. + +In **/etc/pacman.d/mirrorlist**, comment out all lines except the Server +line closest to where you are (I chose the UK Parabola server (main +server)) and then did:\ +\# **pacman -Syy**\ +\# **pacman -Syu**\ +\# **pacman -Sy pacman** (and then I did the other 2 steps above, +again)\ +In my case I did the steps in the next paragraph, and followed the steps +in this paragraph again. + +<troubleshooting>\ + The following is based on \'Verification of package signatures\' in +the Parabola install guide.\ + Check there first to see if steps differ by now.\ + Now you have to update the default Parabola keyring. This is used for +signing and verifying packages:\ + \# **pacman -Sy parabola-keyring**\ + It says that if you get GPG errors, then it\'s probably an expired +key and, therefore, you should do:\ + \# **pacman-key \--populate parabola**\ + \# **pacman-key \--refresh-keys**\ + \# **pacman -Sy parabola-keyring**\ + To be honest, you should do the above anyway. Parabola has a lot of +maintainers, and a lot of keys. 
Really!\ + If you get an error mentioning dirmngr, do:\ + \# **dirmngr </dev/null**\ + Also, it says that if the clock is set incorrectly then you have to +manually set the correct time\ + (if keys are listed as expired because of it):\ + \# **date MMDDhhmm\[\[CC\]YY\]\[.ss\]**\ + I also had to install:\ + \# **pacman -S archlinux-keyring**\ + \# **pacman-key \--populate archlinux**\ + In my case I saw some conflicting files reported in pacman, stopping +me from using it.\ + I deleted the files that it mentioned and then it worked. +Specifically, I had this error:\ + *licenses: /usr/share/licenses/common/MPS exists in filesystem*\ + I rm -Rf\'d the file and then pacman worked. I\'m told that the +following would have also made it work:\ + \# **pacman -Sf licenses**\ +</troubleshooting>\ + +I also like to install other packages (base-devel, compilers and so on) +and wpa\_supplicant/dialog/iw/wpa\_actiond are needed for wireless after +the install:\ +\# **pacstrap /mnt base base-devel wpa\_supplicant dialog iw +wpa\_actiond** + +</div> + +<div class="section"> + +Configure the system +-------------------- + +Generate an fstab - UUIDs are used because they have certain advantages +(see <https://wiki.parabola.nu/Fstab#Identifying_filesystems>. If you +prefer labels instead, replace the -U option with -L):\ +\# **genfstab -U -p /mnt >> /mnt/etc/fstab**\ +Check the created file:\ +\# **cat /mnt/etc/fstab**\ +(If there are any errors, edit the file. Do **NOT** run the genfstab +command again!) + +Chroot into new system:\ +\# **arch-chroot /mnt /bin/bash** + +It\'s a good idea to have this installed:\ +\# **pacman -S linux-libre-lts** + +It was also suggested that you should install this kernel (read up on +what GRSEC is):\ +\# **pacman -S linux-libre-grsec** + +This is another kernel that sits inside /boot, which you can use. LTS +means \'long-term support\'. 
These are so-called \'stable\' kernels that +can be used as a fallback during updates, if a bad kernel causes issues +for you. + +Parabola does not have wget. This is sinister. Install it:\ +\# **pacman -S wget** + +Locale:\ +\# **vi /etc/locale.gen**\ +Uncomment your needed localisations. For example en\_GB.UTF-8 (UTF-8 is +highly recommended over other options).\ +\# **locale-gen**\ +\# **echo LANG=en\_GB.UTF-8 > /etc/locale.conf**\ +\# **export LANG=en\_GB.UTF-8** + +Console font and keymap:\ +\# **vi /etc/vconsole.conf**\ +In my case: + + KEYMAP=dvorak-uk + FONT=lat9w-16 + +Time zone:\ +\# **ln -s /usr/share/zoneinfo/Europe/London /etc/localtime**\ +(Replace Zone and Subzone to your liking. See /usr/share/zoneinfo) + +Hardware clock:\ +\# **hwclock \--systohc \--utc** + +Hostname: Write your hostname to /etc/hostname. For example, if your +hostname is parabola:\ +\# **echo parabola > /etc/hostname**\ +Add the same hostname to /etc/hosts:\ +\# **vi /etc/hosts**\ + + #<ip-address> <hostname.domain.org> <hostname> + 127.0.0.1 localhost.localdomain localhost parabola + ::1 localhost.localdomain localhost parabola + +Configure the network: Refer to +<https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network>. + +Mkinitcpio: Configure /etc/mkinitcpio.conf as needed (see +<https://wiki.parabola.nu/Mkinitcpio>). Runtime modules can be found in +/usr/lib/initcpio/hooks, and build hooks can be found in +/usr/lib/initcpio/install. (\# **mkinitcpio -H hookname** gives +information about each hook.) Specifically, for this use case:\ +\# **vi /etc/mkinitcpio.conf**\ +Then modify the file like so: + +- MODULES=\"i915\" +- This forces the driver to load earlier, so that the console font + isn\'t wiped out after getting to login). 
Macbook21 users will also + need **hid-generic, hid and hid-apple to have a working keyboard + when asked to enter the LUKS password.** +- HOOKS=\"base udev autodetect modconf block keyboard keymap + consolefont encrypt lvm2 filesystems fsck shutdown\" +- Explanation: +- keymap adds to initramfs the keymap that you specified in + /etc/vconsole.conf +- consolefont adds to initramfs the font that you specified in + /etc/vconsole.conf +- encrypt adds LUKS support to the initramfs - needed to unlock your + disks at boot time +- lvm2 adds LVM support to the initramfs - needed to mount the LVM + partitions at boot time +- shutdown is needed according to Parabola wiki for unmounting devices + (such as LUKS/LVM) during shutdown) + +Now using mkinitcpio, you can create the kernel and ramdisk for booting +with (this is different from Arch, specifying linux-libre instead of +linux):\ +\# **mkinitcpio -p linux-libre**\ +Also do it for linux-libre-lts:\ +\# **mkinitcpio -p linux-libre-lts**\ +Also do it for linux-libre-grsec:\ +\# **mkinitcpio -p linux-libre-grsec** + +Set the root password: At the time of writing, Parabola used SHA512 by +default for its password hashing. I referred to +<https://wiki.archlinux.org/index.php/SHA_password_hashes>.\ +\# **vi /etc/pam.d/passwd**\ +Add rounds=65536 at the end of the uncommented \'password\' line.\ +\# **passwd root**\ +Make sure to set a secure password! Also, it must never be the same as +your LUKS password. + +Use of the *diceware method* is recommended, for generating secure +passphrases (instead of passwords). + +</div> + +<div class="section"> + +Extra security tweaks +--------------------- + +Based on <https://wiki.archlinux.org/index.php/Security>. 
+ +Restrict access to important directories:\ +\# **chmod 700 /boot /etc/{iptables,arptables}** + +Lockout user after three failed login attempts:\ +Edit the file /etc/pam.d/system-login and comment out that line:\ +*\# auth required pam\_tally.so onerr=succeed file=/var/log/faillog*\ +Or just delete it. Above it, put:\ +*auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed +file=/var/log/faillog*\ +To unlock a user manually (if a password attempt is failed 3 times), +do:\ +\# **pam\_tally \--user *theusername* \--reset** What the above +configuration does is lock the user out for 10 minutes, if they make 3 +failed login attempts. + +Configure sudo - not covered here. Will be covered post-installation in +another tutorial, at a later date. If this is a single-user system, you +don\'t really need sudo. + +</div> + +<div class="section"> + +Unmount, reboot! +---------------- + +Exit from chroot:\ +\# **exit** + +unmount:\ +\# **umount -R /mnt**\ +\# **swapoff -a** + +deactivate the lvm lv\'s:\ +\# **lvchange -an /dev/matrix/root**\ +\# **lvchange -an /dev/matrix/swapvol**\ + +Lock the encrypted partition (close it):\ +\# **cryptsetup luksClose lvm** + +\# **shutdown -h now**\ +Remove the installation media, then boot up again. + +</div> + +<div class="section"> + +Booting from GRUB +----------------- + +Initially you will have to boot manually. Press C to get to the GRUB +command line. The underlined parts are optional (using those 2 +underlines will boot lts kernel instead of normal). 
+ +grub> **cryptomount -a**\ +grub> **set root=\'lvm/matrix-root\'**\ +grub> **linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root +cryptdevice=/dev/sda1:root**\ +grub> **initrd /boot/initramfs-linux-libre-lts.img**\ +grub> **boot**\ + +You could also make it load /boot/vmlinuz-linux-libre-grsec and +/boot/initramfs-linux-libre-grsec.img + +</div> + +<div class="section"> + +Follow-up tutorial: configuring Parabola +---------------------------------------- + +We will modify grub.config inside the ROM and do all kinds of fun stuff, +but I recommend that you first transform the current bare-bones Parabola +install into a more useable system. Doing so will make the upcoming ROM +modifications MUCH easier to perform and less risky! +[configuring\_parabola.html](configuring_parabola.html) shows my own +notes post-installation. Using these, you can get a basic system similar +to the one that I chose for myself. You can also cherry pick useful +notes and come up with your own system. Parabola is user-centric, which +means that you are in control. For more information, read [The Arch +Way](https://wiki.archlinux.org/index.php/The_Arch_Way) (Parabola also +follows it). + +</div> + +<div class="section"> + +Modify grub.cfg inside the ROM +------------------------------ + +(Re-)log in to your system, pressing C, so booting manually from GRUB +(see above). You need to modify the ROM, so that Parabola can boot +automatically with this configuration. [grub\_cbfs.html](grub_cbfs.html) +shows you how. Follow that guide, using the configuration details below. +If you go for option 2 (re-flash), promise to do this on grubtest.cfg +first! We can\'t emphasise this enough. This is to reduce the +possibility of bricking your device! + +I will go for the re-flash option here. Firstly, cd to the +libreboot\_util/cbfstool/{armv7l i686 x86\_64} directory. 
Dump the +current firmware - where *libreboot.rom* is an example: make sure to +adapt:\ +\# **flashrom -p internal -r libreboot.rom**\ +If flashrom complains about multiple flash chips detected, add a *-c* +option at the end, with the name of your chosen chip is quotes.\ +You can check if everything is in there (*grub.cfg* and *grubtest.cfg* +would be really nice):\ +\$ **./cbfstool libreboot.rom print**\ +Extract grubtest.cfg:\ +\$ **./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg**\ +And modify:\ +\$ **vi grubtest.cfg** + +In grubtest.cfg, inside the \'Load Operating System\' menu entry, change +the contents to: + + cryptomount -a + + set root='lvm/matrix-root' + + linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root + + initrd /boot/initramfs-linux-libre-lts.img + +Note: the underlined parts above (-lts) can also be removed, to boot the +latest kernel instead of LTS (long-term support) kernels. You could also +copy the menu entry and in one have -lts, and without in the other +menuentry. You could also create a menu entry to load +/boot/vmlinuz-linux-libre-grsec and +/boot/initramfs-linux-libre-grsec.img The first entry will load by +default. + +Without specifying a device, the *-a* parameter tries to unlock all +detected LUKS volumes. You can also specify -u UUID or -a (device). + +[Refer to this guide](grub_hardening.html) for further guidance on +hardening your GRUB configuration, for security purposes. + +Save your changes in grubtest.cfg, then delete the unmodified config +from the ROM image:\ +\$ **./cbfstool libreboot.rom remove -n grubtest.cfg**\ +and insert the modified grubtest.cfg:\ +\$ **./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t +raw**\ + +Now refer to <http://libreboot.org/docs/install/#flashrom>. Cd (up) to +the libreboot\_util directory and update the flash chip contents:\ +\# **./flash update libreboot.rom**\ +Ocassionally, coreboot changes the name of a given board. 
If flashrom +complains about a board mismatch, but you are sure that you chose the +correct ROM image, then run this alternative command:\ +\# **./flash forceupdate libreboot.rom**\ +You should see \"Verifying flash\... VERIFIED.\" written at the end of +the flashrom output. + +With this new configuration, Parabola can boot automatically and you +will have to enter a password at boot time, in GRUB, before being able +to use any of the menu entries or switch to the terminal. Let\'s test it +out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow +keys on your keyboard. Enter the name you chose, the GRUB password, your +LUKS passphrase and login as root/your user. All went well? Great! + +If it does not work like you want it to, if you are unsure or sceptical +in any way, don\'t despair: you have been wise and did not brick your +device! Reboot and login the default way, and then modify your +grubtest.cfg until you get it right! **Do \*not\* proceed past this +point unless you are 100% sure that your new configuration is safe (or +desirable) to use.** + +Now, we can easily and safely create a copy of grubtest.cfg, called +grub.cfg. This will be the same except for one difference: the menuentry +\'Switch to grub.cfg\' is changed to \'Switch to grubtest.cfg\' and, +inside it, all instances of grub.cfg to grubtest.cfg. This is so that +the main config still links (in the menu) to grubtest.cfg, so that you +don\'t have to manually switch to it, in case you ever want to follow +this guide again in the future (modifying the already modified config). 
+Inside libreboot\_util/cbfstool/{armv7l i686 x86\_64}, we can do this +with the following command:\ +\$ **sed -e \'s:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g\' -e +\'s:Switch to grub.cfg:Switch to grubtest.cfg:g\' < grubtest.cfg > +grub.cfg**\ +Delete the grub.cfg that remained inside the ROM:\ +\$ **./cbfstool libreboot.rom remove -n grub.cfg**\ +Add the modified version that you just made:\ +\$ **./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw**\ + +Now you have a modified ROM. Once more, refer to +<http://libreboot.org/docs/install/#flashrom>. Cd to the libreboot\_util +directory and update the flash chip contents:\ +\# **./flash update libreboot.rom**\ +And wait for the \"Verifying flash\... VERIFIED.\" Once you have done +that, shut down and then boot up with your new configuration. + +When done, delete GRUB (remember, we only needed it for the +*grub-mkpasswd-pbkdf2* utility; GRUB is already part of libreboot, +flashed alongside it as a *payload*):\ +\# **pacman -R grub** + +</div> + +<div class="section"> + +If you followed all that correctly, you should now have a fully +encrypted Parabola installation. Refer to the wiki for how to do the +rest. + +</div> + +<div class="section"> + +Bonus: Using a key file to unlock /boot/ +---------------------------------------- + +By default, you will have to enter your LUKS passphrase twice; once in +GRUB, and once when booting the kernel. GRUB unlocks the encrypted +partition and then loads the kernel, but the kernel is not aware of the +fact that it is being loaded from an encrypted volume. Therefore, you +will be asked to enter your passphrase a second time. A workaround is to +put a keyfile inside initramfs, with instructions for the kernel to use +it when booting. This is safe, because /boot/ is encrypted (otherwise, +putting a keyfile inside initramfs would be a bad idea).\ +Boot up and login as root or your user. 
Then generate the key file:\ +\# **dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile +iflag=fullblock**\ +Insert it into the luks volume:\ +\# **cryptsetup luksAddKey /dev/sdX /etc/mykeyfile**\ +and enter your LUKS passphrase when prompted. Add the keyfile to the +initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:\ +\# **FILES=\"/etc/mykeyfile\"**\ +Create the initramfs image from scratch:\ +\# **mkinitcpio -p linux-libre**\ +\# **mkinitcpio -p linux-libre-lts**\ +\# **mkinitcpio -p linux-libre-grsec**\ +Add the following to your grub.cfg - you are now able to do that, see +above! -, or add it in the kernel command line for GRUB:\ +\# **cryptkey=rootfs:/etc/mykeyfile**\ +\ +You can also place this inside the grub.cfg that exists in CBFS: +[grub\_cbfs.html](grub_cbfs.html). + +</div> + +<div class="section"> + +Further security tips +--------------------- + +<https://wiki.archlinux.org/index.php/Security>.\ +<https://wiki.parabolagnulinux.org/User:GNUtoo/laptop> + +</div> + +<div class="section"> + +Troubleshooting +=============== + +A user reported issues when booting with a docking station attached on +an X200, when decrypting the disk in GRUB. The error *AHCI transfer +timed out* was observed. The workaround was to remove the docking +station. + +Further investigation revealed that it was the DVD drive causing +problems. Removing that worked around the issue. + + + "sudo wodim -prcap" shows information about the drive: + Device was not specified. Trying to find an appropriate drive... + Detected CD-R drive: /dev/sr0 + Using /dev/cdrom of unknown capabilities + Device type : Removable CD-ROM + Version : 5 + Response Format: 2 + Capabilities : + Vendor_info : 'HL-DT-ST' + Identification : 'DVDRAM GU10N ' + Revision : 'MX05' + Device seems to be: Generic mmc2 DVD-R/DVD-RW. 
+ + Drive capabilities, per MMC-3 page 2A: + + Does read CD-R media + Does write CD-R media + Does read CD-RW media + Does write CD-RW media + Does read DVD-ROM media + Does read DVD-R media + Does write DVD-R media + Does read DVD-RAM media + Does write DVD-RAM media + Does support test writing + + Does read Mode 2 Form 1 blocks + Does read Mode 2 Form 2 blocks + Does read digital audio blocks + Does restart non-streamed digital audio reads accurately + Does support Buffer-Underrun-Free recording + Does read multi-session CDs + Does read fixed-packet CD media using Method 2 + Does not read CD bar code + Does not read R-W subcode information + Does read raw P-W subcode data from lead in + Does return CD media catalog number + Does return CD ISRC information + Does support C2 error pointers + Does not deliver composite A/V data + + Does play audio CDs + Number of volume control levels: 256 + Does support individual volume control setting for each channel + Does support independent mute setting for each channel + Does not support digital output on port 1 + Does not support digital output on port 2 + + Loading mechanism type: tray + Does support ejection of CD via START/STOP command + Does not lock media on power up via prevent jumper + Does allow media to be locked in the drive via PREVENT/ALLOW command + Is not currently in a media-locked state + Does not support changing side of disk + Does not have load-empty-slot-in-changer feature + Does not support Individual Disk Present feature + + Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) + Current read speed: 4234 kB/s (CD 24x, DVD 3x) + Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) + Current write speed: 4234 kB/s (CD 24x, DVD 3x) + Rotational control selected: CLV/PCAV + Buffer size in KB: 1024 + Copy management revision supported: 1 + Number of supported write speeds: 4 + Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) + Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) + Write speed # 2: 1764 kB/s 
CLV/PCAV (CD 10x, DVD 1x) + Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) + + Supported CD-RW media types according to MMC-4 feature 0x37: + Does write multi speed CD-RW media + Does write high speed CD-RW media + Does write ultra high speed CD-RW media + Does not write ultra high speed+ CD-RW media + +</div> + +<div class="section"> + +Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ +Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. 
WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. + +</div> diff --git a/docs/gnulinux/grub_boot_installer.html b/docs/gnulinux/grub_boot_installer.html deleted file mode 100644 index 0de04cac..00000000 --- a/docs/gnulinux/grub_boot_installer.html +++ /dev/null 
@@ -1,355 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>How to install GNU+Linux on a libreboot system</title> -</head> - -<body> - <div id="pagetop" class="section"> - <h1>How to install GNU+Linux on a libreboot system</h1> - <p> - This section relates to preparing, booting and installing a - GNU+Linux distribution on your libreboot system, using nothing more than a USB flash drive (and <i>dd</i>). - </p> - <ul> - <li><a href="../distros">List of recommended GNU+Linux distributions</a></li> - <li><a href="#prepare">Prepare the USB drive (in GNU+Linux)</a></li> - <li><a href="#encryption">Installing GNU+Linux with full disk encryption</a></li> - <li><a href="#debian_netinstall">Debian or Devuan net install?</a></li> - <li><a href="#parse_isolinux">Booting ISOLINUX images (automatic method)</a></li> - <li><a href="#manual_isolinux">Booting ISOLINUX images (manual method)</a></li> - <li><a href="#troubleshooting">Troubleshooting</a></li> - </ul> - <p> - <a href="./">Back to previous index</a> - </p> - </div> - - <div class="section"> - <p> - <b>This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions - have yet to be written in the libreboot documentation.</b> - </p> - </div> - - <div id="prepare" class="section"> - - <h2>Prepare the USB drive (in GNU+Linux)</h2> - - <p> - If you downloaded your ISO on an existing GNU+Linux system, - here is how to create the bootable GNU+Linux USB drive: - </p> - - <p> - Connect the USB drive. Check dmesg:<br/> - <b>$ dmesg</b><br/> - - Check lsblk to confirm which drive it is:<br/> - <b>$ lsblk</b> - </p> - - <p> - Check that it wasn't automatically mounted. If it was, unmount it. 
For example:<br/> - <b>$ sudo umount /dev/sdX*</b><br/> - <b># umount /dev/sdX*</b> - </p> - - <p> - dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:<br/> - <b>$ sudo dd if=gnulinux.iso of=/dev/sdX bs=8M; sync</b><br/> - <b># dd if=gnulinux.iso of=/dev/sdX bs=8M; sync</b> - </p> - - <p> - You should now be able to boot the installer from your USB drive. Continue reading, for - information about how to do that. - </p> - - <p> - <a href="#pagetop">Back to top of page</a>. - </p> - - <h2>Prepare the USB drive (in NetBSD)</h2> - <p> - <a href="https://wiki.netbsd.org/tutorials/how_to_install_netbsd_from_an_usb_memory_stick/">This page</a> - on the NetBSD website shows how to create a NetBSD bootable USB drive - from within NetBSD itself. You should use the <em>dd</em> method - documented there. This will also work with any GNU+Linux ISO image. - </p> - - <h2>Prepare the USB drive (in FreeBSD)</h2> - <p> - <a href="https://www.freebsd.org/doc/handbook/bsdinstall-pre.html">This page</a> - on the FreeBSD website shows how to create a bootable USB drive - for installing FreeBSD. Use the <em>dd</em> on that page. You can - also use the same instructions with any GNU+Linux ISO image.. - </p> - - <h2>Prepare the USB drive (in LibertyBSD or OpenBSD)</h2> - - <p> - If you downloaded your ISO on a LibertyBSD or OpenBSD system, - here is how to create the bootable GNU+Linux USB drive: - </p> - - <p> - Connect the USB drive. Check dmesg:<br/> - <b>$ dmesg | tail</b><br/> - - Check to confirm which drive it is, for example, if you think its sd3:<br/> - <b>$ disklabel sd3</b> - </p> - - <p> - Check that it wasn't automatically mounted. If it was, unmount it. For example:<br/> - <b>$ doas umount /dev/sd3i</b><br/> - </p> - - <p> - dmesg told you what device it is. Overwrite the drive, writing the OpenBSD installer to it with dd. 
For example:<br/> - <b>$ doas dd if=gnulinux.iso of=/dev/rsdXc bs=1M; sync</b><br/> - </p> - - <p> - You should now be able to boot the installer from your USB drive. Continue reading, for - information about how to do that. - </p> - - <p> - <a href="#pagetop">Back to top of page</a>. - </p> - - </div> - - <div id="encryption" class="section"> - - <h2>Installing GNU+Linux with full disk encryption</h2> - - <ul> - <li><a href="encrypted_debian.html">Installing Debian or Devuan GNU+Linux with full disk encryption (including /boot)</a></li> - <li><a href="encrypted_parabola.html">Installing Parabola GNU+Linux with full disk encryption (including /boot)</a></li> - </ul> - - <p> - <a href="#pagetop">Back to top of page</a>. - </p> - - </div> - - <div id="debian_netinstall" class="section"> - - <h2>Debian or Devuan net install?</h2> - - <p> - Download the Debian or Devuan net installer. You can download the ISO from the homepage on - <a href="https://www.debian.org/">debian.org</a>, or <a href="https://www.devuan.org/">the Devuan homepage</a> for Devuan. - Use this on the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):<br/> - <strong> - set root='usb0'<br/> - linux /install.amd/vmlinuz<br/> - initrd /install.amd/initrd.gz<br/> - boot<br/> - </strong> - If you are on a 32-bit system (e.g. X60):<br/> - <strong> - set root='usb0'<br/> - linux /install.386/vmlinuz<br/> - initrd /install.386/initrd.gz<br/> - boot - </strong> - <br/> - We recommend using the <em>MATE</em> desktop. - </p> - - <p> - <a href="#pagetop">Back to top of page</a>. - </p> - - </div> - - <div id="parse_isolinux" class="section"> - - <h2>Booting ISOLINUX images (automatic method)</h2> - - <p> - Boot it in GRUB using the <i>Parse ISOLINUX config (USB)</i> option. - - A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual - ISOLINUX menu provided by that distro. - </p> - - <p> - <a href="#pagetop">Back to top of page</a>. 
- </p> - - </div> - - <div id="manual_isolinux" class="section"> - - <h2>Booting ISOLINUX images (manual method)</h2> - - <p> - <i>These are generic instructions. They may or may not be correct for your - distribution. You must adapt them appropriately, for whatever GNU+Linux distribution - it is that you are trying to install.</i> - </p> - - <p> - If the ISOLINUX parser or <i>Search for GRUB configuration</i> options won't work, then press C in GRUB to access the command line.<br/> - grub> <b>ls</b><br/> - - Get the device from above output, eg (usb0). Example:<br/> - grub> <b>cat (usb0)/isolinux/isolinux.cfg</b><br/> - - Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.<br/> - - If it did that, then you do:<br/> - grub> <b>cat (usb0)/isolinux/foo.cfg</b><br/> - - And so on, until you find the correct menuentries for ISOLINUX. - <b>The file <i>/isolinux/foo.cfg</i> is a fictional example. Do not actually - use this example, unless you actually have that file, if it is appropriate.</b> - </p> - - <p> - For Debian or Devuan (and other debian-based distros), there are typically menuentries listed in - <i>/isolinux/txt.cfg</i> or <i>/isolinux/gtk.cfg</i>. For dual-architecture ISO images - (i686 and x86_64), there may be separate files/directories for each architecture. - Just keep searching through the image, until you find the correct ISOLINUX configuration file. - NOTE: Debian 8.6 ISO only lists 32-bit boot options in txt.cfg. This is important if you want - 64-bit booting on your system. Devuan versions based on Debian 8.x may also have the same - issue. - </p> - - <p> - Now look at the ISOLINUX menuentry. It'll look like:<br/> - <b> - kernel /path/to/kernel<br/> - append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS<br/> - </b> - - GRUB works the same way, but in it's own way. 
Example GRUB commands:<br/> - grub> <b>set root='usb0'</b><br/> - grub> <b>linux /path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS</b><br/> - grub> <b>initrd /path/to/initrd</b><br/> - grub> <b>boot</b><br/> - Note: <i>usb0</i> may be incorrect. Check the output of the <i>ls</i> command in GRUB, - to see a list of USB devices/partitions. - - Of course this will vary from distro to distro. If you did all of that correctly, then it should now be booting your USB - drive in the way that you specified. - </p> - - <p> - <a href="#pagetop">Back to top of page</a>. - </p> - - </div> - - <div id="troubleshooting" class="section"> - - <h1>Troubleshooting</h1> - - <p> - Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. - This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU+Linux distributions - it can be problematic when they are trying to switch to a framebuffer because it doesn't exist. - </p> - - <p> - In most cases, you should use the vesafb ROM images. Example filename: libreboot_ukdvorak_vesafb.rom. - </p> - - <h2>parabola won't boot in text-mode</h2> - - <p> - Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode). - </p> - - <h2>debian-installer graphical corruption in text-mode (Debian and Devuan)</h2> - <p> - When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, - booting the Debian or Devuan net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't - exist. Use that kernel parameter on the 'linux' line when booting it:<br/> - <b>vga=normal fb=false</b> - </p> - - <p> - This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. - </p> - - <p> - If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. 
- Or, if you are booting manually (from GRUB terminal) then just add the parameters. - </p> - - <p> - This workaround was found on the page: <a href="https://www.debian.org/releases/stable/i386/ch05s04.html">https://www.debian.org/releases/stable/i386/ch05s04.html</a>. - It should also work for Debian, Devuan and any other apt-get distro that provides debian-installer (text mode) net install method. - </p> - - <p> - <a href="#pagetop">Back to top of page</a>. - </p> - - </div> - - <div class="section"> - - <p> - Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org><br/> - Copyright © 2016 Scott Bonds <scott@ggr.com><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 
- </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. - </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - - </div> - -</body> -</html> diff --git a/docs/gnulinux/grub_boot_installer.md b/docs/gnulinux/grub_boot_installer.md new file mode 100644 index 00000000..adab1da1 --- /dev/null +++ b/docs/gnulinux/grub_boot_installer.md 
@@ -0,0 +1,287 @@ +<div id="pagetop" class="section"> + +How to install GNU+Linux on a libreboot system +============================================== + +This section relates to preparing, booting and installing a GNU+Linux +distribution on your libreboot system, using nothing more than a USB +flash drive (and *dd*). + +- [List of recommended GNU+Linux distributions](../distros) +- [Prepare the USB drive (in GNU+Linux)](#prepare) +- [Installing GNU+Linux with full disk encryption](#encryption) +- [Debian or Devuan net install?](#debian_netinstall) +- [Booting ISOLINUX images (automatic method)](#parse_isolinux) +- [Booting ISOLINUX images (manual method)](#manual_isolinux) +- [Troubleshooting](#troubleshooting) + +[Back to previous index](./) + +</div> + +<div class="section"> + +**This section is only for the GRUB payload. For depthcharge (used on +CrOS devices in libreboot), instructions have yet to be written in the +libreboot documentation.** + +</div> + +<div id="prepare" class="section"> + +Prepare the USB drive (in GNU+Linux) +------------------------------------ + +If you downloaded your ISO on an existing GNU+Linux system, here is how +to create the bootable GNU+Linux USB drive: + +Connect the USB drive. Check dmesg:\ +**\$ dmesg**\ +Check lsblk to confirm which drive it is:\ +**\$ lsblk** + +Check that it wasn\'t automatically mounted. If it was, unmount it. For +example:\ +**\$ sudo umount /dev/sdX\***\ +**\# umount /dev/sdX\*** + +dmesg told you what device it is. Overwrite the drive, writing your +distro ISO to it with dd. For example:\ +**\$ sudo dd if=gnulinux.iso of=/dev/sdX bs=8M; sync**\ +**\# dd if=gnulinux.iso of=/dev/sdX bs=8M; sync** + +You should now be able to boot the installer from your USB drive. +Continue reading, for information about how to do that. + +[Back to top of page](#pagetop). 
+ +Prepare the USB drive (in NetBSD) +--------------------------------- + +[This +page](https://wiki.netbsd.org/tutorials/how_to_install_netbsd_from_an_usb_memory_stick/) +on the NetBSD website shows how to create a NetBSD bootable USB drive +from within NetBSD itself. You should use the *dd* method documented +there. This will also work with any GNU+Linux ISO image. + +Prepare the USB drive (in FreeBSD) +---------------------------------- + +[This page](https://www.freebsd.org/doc/handbook/bsdinstall-pre.html) on +the FreeBSD website shows how to create a bootable USB drive for +installing FreeBSD. Use the *dd* on that page. You can also use the same +instructions with any GNU+Linux ISO image.. + +Prepare the USB drive (in LibertyBSD or OpenBSD) +------------------------------------------------ + +If you downloaded your ISO on a LibertyBSD or OpenBSD system, here is +how to create the bootable GNU+Linux USB drive: + +Connect the USB drive. Check dmesg:\ +**\$ dmesg | tail**\ +Check to confirm which drive it is, for example, if you think its sd3:\ +**\$ disklabel sd3** + +Check that it wasn\'t automatically mounted. If it was, unmount it. For +example:\ +**\$ doas umount /dev/sd3i**\ + +dmesg told you what device it is. Overwrite the drive, writing the +OpenBSD installer to it with dd. For example:\ +**\$ doas dd if=gnulinux.iso of=/dev/rsdXc bs=1M; sync**\ + +You should now be able to boot the installer from your USB drive. +Continue reading, for information about how to do that. + +[Back to top of page](#pagetop). + +</div> + +<div id="encryption" class="section"> + +Installing GNU+Linux with full disk encryption +---------------------------------------------- + +- [Installing Debian or Devuan GNU+Linux with full disk encryption + (including /boot)](encrypted_debian.html) +- [Installing Parabola GNU+Linux with full disk encryption (including + /boot)](encrypted_parabola.html) + +[Back to top of page](#pagetop). 
+ +</div> + +<div id="debian_netinstall" class="section"> + +Debian or Devuan net install? +----------------------------- + +Download the Debian or Devuan net installer. You can download the ISO +from the homepage on [debian.org](https://www.debian.org/), or [the +Devuan homepage](https://www.devuan.org/) for Devuan. Use this on the +GRUB terminal to boot it from USB (for 64-bit Intel or AMD):\ +**set root=\'usb0\'\ +linux /install.amd/vmlinuz\ +initrd /install.amd/initrd.gz\ +boot\ +** If you are on a 32-bit system (e.g. X60):\ +**set root=\'usb0\'\ +linux /install.386/vmlinuz\ +initrd /install.386/initrd.gz\ +boot**\ +We recommend using the *MATE* desktop. + +[Back to top of page](#pagetop). + +</div> + +<div id="parse_isolinux" class="section"> + +Booting ISOLINUX images (automatic method) +------------------------------------------ + +Boot it in GRUB using the *Parse ISOLINUX config (USB)* option. A new +menu should appear in GRUB, showing the boot options for that distro; +this is a GRUB menu, converted from the usual ISOLINUX menu provided by +that distro. + +[Back to top of page](#pagetop). + +</div> + +<div id="manual_isolinux" class="section"> + +Booting ISOLINUX images (manual method) +--------------------------------------- + +*These are generic instructions. They may or may not be correct for your +distribution. You must adapt them appropriately, for whatever GNU+Linux +distribution it is that you are trying to install.* + +If the ISOLINUX parser or *Search for GRUB configuration* options won\'t +work, then press C in GRUB to access the command line.\ +grub> **ls**\ +Get the device from above output, eg (usb0). Example:\ +grub> **cat (usb0)/isolinux/isolinux.cfg**\ +Either this will show the ISOLINUX menuentries for that ISO, or link to +other .cfg files, for example /isolinux/foo.cfg.\ +If it did that, then you do:\ +grub> **cat (usb0)/isolinux/foo.cfg**\ +And so on, until you find the correct menuentries for ISOLINUX. 
**The +file */isolinux/foo.cfg* is a fictional example. Do not actually use +this example, unless you actually have that file, if it is +appropriate.** + +For Debian or Devuan (and other debian-based distros), there are +typically menuentries listed in */isolinux/txt.cfg* or +*/isolinux/gtk.cfg*. For dual-architecture ISO images (i686 and +x86\_64), there may be separate files/directories for each architecture. +Just keep searching through the image, until you find the correct +ISOLINUX configuration file. NOTE: Debian 8.6 ISO only lists 32-bit boot +options in txt.cfg. This is important if you want 64-bit booting on your +system. Devuan versions based on Debian 8.x may also have the same +issue. + +Now look at the ISOLINUX menuentry. It\'ll look like:\ +**kernel /path/to/kernel\ +append PARAMETERS initrd=/path/to/initrd MAYBE\_MORE\_PARAMETERS\ +** GRUB works the same way, but in it\'s own way. Example GRUB +commands:\ +grub> **set root=\'usb0\'**\ +grub> **linux /path/to/kernel PARAMETERS MAYBE\_MORE\_PARAMETERS**\ +grub> **initrd /path/to/initrd**\ +grub> **boot**\ +Note: *usb0* may be incorrect. Check the output of the *ls* command in +GRUB, to see a list of USB devices/partitions. Of course this will vary +from distro to distro. If you did all of that correctly, then it should +now be booting your USB drive in the way that you specified. + +[Back to top of page](#pagetop). + +</div> + +<div id="troubleshooting" class="section"> + +Troubleshooting +=============== + +Most of these issues occur when using libreboot with coreboot\'s \'text +mode\' instead of the coreboot framebuffer. This mode is useful for +booting payloads like memtest86+ which expect text-mode, but for +GNU+Linux distributions it can be problematic when they are trying to +switch to a framebuffer because it doesn\'t exist. + +In most cases, you should use the vesafb ROM images. Example filename: +libreboot\_ukdvorak\_vesafb.rom. 
+ +parabola won\'t boot in text-mode +--------------------------------- + +Use one of the ROM images with vesafb in the filename (uses coreboot +framebuffer instead of text-mode). + +debian-installer graphical corruption in text-mode (Debian and Devuan) +---------------------------------------------------------------------- + +When using the ROM images that use coreboot\'s \"text mode\" instead of +the coreboot framebuffer, booting the Debian or Devuan net installer +results in graphical corruption because it is trying to switch to a +framebuffer which doesn\'t exist. Use that kernel parameter on the +\'linux\' line when booting it:\ +**vga=normal fb=false** + +This forces debian-installer to start in text-mode, instead of trying to +switch to a framebuffer. + +If selecting text-mode from a GRUB menu created using the ISOLINUX +parser, you can press E on the menu entry to add this. Or, if you are +booting manually (from GRUB terminal) then just add the parameters. + +This workaround was found on the page: +<https://www.debian.org/releases/stable/i386/ch05s04.html>. It should +also work for Debian, Devuan and any other apt-get distro that provides +debian-installer (text mode) net install method. + +[Back to top of page](#pagetop). 
+ +</div> + +<div class="section"> + +Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ +Copyright © 2016 Scott Bonds <scott@ggr.com>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. 
+ +</div> diff --git a/docs/gnulinux/grub_cbfs.html b/docs/gnulinux/grub_cbfs.html deleted file mode 100644 index 4b1923ee..00000000 --- a/docs/gnulinux/grub_cbfs.html +++ /dev/null 
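Review bot: The USB preparation steps go straight from downloading the ISO to `dd if=gnulinux.iso of=/dev/sdX bs=8M; sync` with no integrity or authenticity check in between; since this file is being rewritten anyway, add a step that verifies the image's checksum and signature against the values the distribution publishes before it is written to the drive. Two inconsistencies carried over from the HTML into the OpenBSD section: the prose says "writing the OpenBSD installer to it" while the command writes `gnulinux.iso`, and the device placeholder switches from `sd3` (`disklabel sd3`, `umount /dev/sd3i`) to `of=/dev/rsdXc` mid-procedure, so settle on one. The pandoc output also leaves a backslash-space inside bold spans (`boot\ ** If you are on a 32-bit system` and `MAYBE\_MORE\_PARAMETERS\ ** GRUB works the same way`), which renders as a stray backslash or breaks the emphasis; close the bold span before the line break instead. The links to `encrypted_debian.html` and `encrypted_parabola.html` still target .html files while this commit replaces the .html sources in this directory with .md, so confirm the generated site still produces those paths. Small typos to fix while here: "image..", "it\'s own way", "if you think its sd3", and "Use the *dd* on that page" (the dd instructions).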
@@ -1,366 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>How to replace the default GRUB configuration file on a libreboot system</title> -</head> - -<body> - <div class="section"> - <h1 id="pagetop">How to replace the default GRUB configuration file on a libreboot system</h1> - <p> - Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a> - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and its GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. - </p> - <p> - A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual - filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool' - allows you to change the contents of the ROM image. In this case, libreboot is configured - such that the 'grub.cfg' and 'grubtest.cfg' files exist directly inside CBFS instead of - inside the GRUB payload 'memdisk' (which is itself stored in CBFS). - </p> - <p> - You can either modify - the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration - file on the main storage which the libreboot GRUB payload will automatically search for. - </p> - <p> - Here is an excellent writeup about CBFS (coreboot filesystem): - <a href="http://lennartb.home.xs4all.nl/coreboot/col5.html">http://lennartb.home.xs4all.nl/coreboot/col5.html</a>. - </p> - <p> - <b>This guide is *only* for the GRUB payload. 
If you use the depthcharge payload, ignore this section entirely.</b> - </p> - <p> - <a href="./">Back to previous index</a> - </p> - </div> - - <div class="section"> - - <h1>Table of Contents</h1> - - <ul> - <li><a href="#introduction">Introduction</a></li> - <li><a href="#option1_dont_reflash">1st option: don't re-flash</a></li> - <li> - <a href="#option2_reflash">2nd option: re-flash</a> - <ul> - <li><a href="#tools">Acquire the necessary utilities</a></li> - <li><a href="#rom">Acquiring the correct ROM image</a></li> - <li><a href="#extract_testconfig">Extract grubtest from the ROM image</a> - <li><a href="#reinsert_modified_testconfig">Re-insert the modified grubtest.cfg into the ROM image</a></li> - <li><a href="#testing">Testing</a> - <li><a href="#final_steps">Final steps</a></li> - </ul> - </li> - </ul> - - </div> - - <div class="section"> - - <h2 id="introduction">Introduction</h2> - - <p> - Download the latest release from - <a href="http://libreboot.org/">http://libreboot.org/</a> - <br/><b>If you downloaded from git, refer to - <a href="../git/#build_meta">../git/#build_meta</a> before continuing.</b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <p> - There are several advantages to modifying the GRUB configuration stored in CBFS, but - this also means that you have to flash a new libreboot ROM image on your system (some users - feel intimidated by this, to say the least). - Doing so can be risky if not handled correctly, because it can result in a bricked - system (recovery is easy if you have the <a href="../install/bbb_setup.html">equipment</a> - for it, but most people don't). If you aren't up to that then don't worry; it is possible - to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration - from a partition on the main storage instead. 
- </p> - - - </div> - - <div class="section"> - - <h2 id="option1_dont_reflash">1st option: don't re-flash</h2> - - <p> - By default, GRUB in libreboot is configured to scan all partitions on the main storage - for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot - is on a dedicated partition), and then use it automatically. - </p> - <p> - Simply create your custom GRUB configuration and save it to <b>/boot/grub/libreboot_grub.cfg</b> - on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to - this configuration file. <b>This means that you do not have to re-flash, recompile or otherwise - modify libreboot at all!</b> - </p> - - <p> - Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written - specifically under the assumption that it will be read and used on a libreboot system that uses - GRUB as a payload. If your distribution does not do this, then you can try to add that feature - yourself or politely ask someone involved with or otherwise knowledgeable about the distribution - to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could - chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in - a partition on the main storage. - </p> - - <p> - If you want to adapt a copy of the existing <i>libreboot</i> GRUB configuration and use that for the libreboot_grub.cfg file, then - follow <a href="#tools">#tools</a>, <a href="#rom">#rom</a> and - <a href="#extract_testconfig">#extract_testconfig</a> to get the <b><i>grubtest.cfg</i></b>. - Rename <b><i>grubtest.cfg</i></b> to <b><i>libreboot_grub.cfg</i></b> and save it to <b><i>/boot/grub/</i></b> - on the running system where it is intended to be used. 
Modify the file at that location however you see fit, - and then stop reading this guide (the rest of this page is irrelevant to you); <b>in libreboot_grub.cfg on disk, - if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop.</b>. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="option2_reflash">2nd option: re-flash</h2> - - <p> - You can modify what is stored inside the flash chip quite easily. Read on to find out how. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - <div class="section"> - <h2 id="tools">Acquire the necessary utilities</h2> - - <p> - Use <b><i>cbfstool</i></b> and <b><i>flashrom</i></b>. There are available in the <i>libreboot_util</i> release archive, - or they can be compiled (see <a href="../git/#build_flashrom">../git/#build_flashrom</a>). - Flashrom is also available from the repositories:<br/> - # <b>pacman -S flashrom</b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="rom">Acquiring the correct ROM image</h2> - - <p> - You can either work directly with one of the ROM images already included in the libreboot ROM archives, or re-use the ROM that - you have currently flashed. For the purpose of this tutorial it is assumed that your ROM image file is named <i>libreboot.rom</i>, - so please make sure to adapt. - </p> - <p> - ROM images are included pre-compiled in libreboot. 
You can also dump your current firmware, using flashrom:<br/> - $ <b>sudo flashrom -p internal -r libreboot.rom</b><br/> - # <b>flashrom -p internal -r libreboot.rom</b><br/> - If you are told to specify the chip, add the option <b>-c {your chip}</b> to the command, for example:<br/> - # <b>flashrom -c MX25L6405 -p internal -r libreboot.rom</b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="extract_testconfig">Extract grubtest.cfg from the ROM image</h2> - - <p> - You can check the contents of the ROM image, inside CBFS:<br/> - <b>$ cd .../libreboot_util/cbfstool</b> - <b>$ ./cbfstool libreboot.rom print</b> - </p> - - <p> - The files <i>grub.cfg</i> and <i>grubtest.cfg</i> should be present. grub.cfg is loaded by default, - with a menuentry for switching to grubtest.cfg. In this tutorial, you will first modify and test <i>grubtest.cfg</i>. - This is to reduce the possibility of bricking your device, so DO NOT SKIP THIS! - </p> - - <p> - Extract grubtest.cfg from the ROM image:<br/> - <b>$ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg</b> - </p> - - <p> - Modify the grubtest.cfg accordingly. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="reinsert_modified_testconfig">Re-insert the modified grubtest.cfg into the ROM image</h2> - - <p> - Once your grubtest.cfg is modified and saved, delete the unmodified config from the ROM image:<br/> - <b>$ ./cbfstool libreboot.rom remove -n grubtest.cfg</b> - </p> - - <p> - Next, insert the modified version:<br/> - <b>$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw</b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="testing">Testing</h2> - - <p> - <b> - Now you have a modified ROM. 
Refer back to <a href="../install/#flashrom">../install/#flashrom</a> for information - on how to flash it.<br/> - $ <b>cd /libreboot_util</b> - # <b>./flash update libreboot.rom</b><br/> - Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:<br/> - # <b>./flash forceupdate libreboot.rom</b><br/> - You should see <b>"Verifying flash... VERIFIED."</b> written at the end of the flashrom output. - Once you have done that, shut down and then boot up with your new test configuration. - </b> - </p> - - <p> - Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. - </p> - - <p> - <b> - If it does not work like you want it to, if you are unsure or sceptical in any way, - then re-do the steps above until you get it right! Do *not* proceed past this point - unless you are 100% sure that your new configuration is safe (or desirable) to use. - </b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <h2 id="final_steps">Final steps</h2> - - <p> - When you are satisfied booting from grubtest.cfg, you can create a copy of grubtest.cfg, called grub.cfg. This is the same except for one difference: - the menuentry 'Switch to grub.cfg' will be changed to 'Switch to grubtest.cfg' and inside it, - all instances of grub.cfg to grubtest.cfg. This is so that the main config still - links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in - case you ever want to follow this guide again in the future (modifying the already modified config). 
From /libreboot_util/cbfstool, do:<br/> - $ <b>sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg</b><br/> - </p> - - <p> - Delete the grub.cfg that remained inside the ROM:<br/> - <b>$ ./cbfstool libreboot.rom remove -n grub.cfg</b> - </p> - - <p> - Add the modified version that you just made:<br/> - <b>$ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw</b> - </p> - - <p> - <b> - Now you have a modified ROM. Again, refer back to <a href="../install/#flashrom">../install/#flashrom</a> for information - on how to flash it. It's the same method as you used before. Shut down and then boot up with your new configuration. - </b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - </div> - - <div class="section"> - - <p> - Copyright © 2014, 2015 Leah Rowe <info@minifree.org><br/> - Copyright © 2015 Jeroen Quint <jezza@diplomail.ch><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. 
THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. - </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. - </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - - </div> - -</body> -</html> diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md new file mode 100644 index 00000000..1dd1a983 --- /dev/null +++ b/docs/gnulinux/grub_cbfs.md 
@@ -0,0 +1,305 @@ +<div class="section"> + +How to replace the default GRUB configuration file on a libreboot system {#pagetop} +======================================================================== + +Libreboot on x86 uses the GRUB +[payload](http://www.coreboot.org/Payloads#GRUB_2) by default, which +means that the GRUB configuration file (where your GRUB menu comes from) +is stored directly alongside libreboot and its GRUB payload executable, +inside the flash chip. In context, this means that installing +distributions and managing them is handled slightly differently compared +to traditional BIOS systems. + +A libreboot (or coreboot) ROM image is not simply \"flat\"; there is an +actual filesystem inside called CBFS (coreboot filesystem). A utility +called \'cbfstool\' allows you to change the contents of the ROM image. +In this case, libreboot is configured such that the \'grub.cfg\' and +\'grubtest.cfg\' files exist directly inside CBFS instead of inside the +GRUB payload \'memdisk\' (which is itself stored in CBFS). + +You can either modify the GRUB configuration stored in the flash chip, +or you can modify a GRUB configuration file on the main storage which +the libreboot GRUB payload will automatically search for. + +Here is an excellent writeup about CBFS (coreboot filesystem): +<http://lennartb.home.xs4all.nl/coreboot/col5.html>. + +**This guide is \*only\* for the GRUB payload. 
If you use the +depthcharge payload, ignore this section entirely.** + +[Back to previous index](./) + +</div> + +<div class="section"> + +Table of Contents +================= + +- [Introduction](#introduction) +- [1st option: don\'t re-flash](#option1_dont_reflash) +- [2nd option: re-flash](#option2_reflash) + - [Acquire the necessary utilities](#tools) + - [Acquiring the correct ROM image](#rom) + - [Extract grubtest from the ROM image](#extract_testconfig) + - [Re-insert the modified grubtest.cfg into the ROM + image](#reinsert_modified_testconfig) + - [Testing](#testing) + - [Final steps](#final_steps) + +</div> + +<div class="section"> + +Introduction +------------ + +Download the latest release from <http://libreboot.org/>\ +**If you downloaded from git, refer to +[../git/\#build\_meta](../git/#build_meta) before continuing.** + +[Back to top of page.](#pagetop) + +There are several advantages to modifying the GRUB configuration stored +in CBFS, but this also means that you have to flash a new libreboot ROM +image on your system (some users feel intimidated by this, to say the +least). Doing so can be risky if not handled correctly, because it can +result in a bricked system (recovery is easy if you have the +[equipment](../install/bbb_setup.html) for it, but most people don\'t). +If you aren\'t up to that then don\'t worry; it is possible to use a +custom GRUB menu without flashing a new image, by loading a GRUB +configuration from a partition on the main storage instead. + +</div> + +<div class="section"> + +1st option: don\'t re-flash {#option1_dont_reflash} +--------------------------- + +By default, GRUB in libreboot is configured to scan all partitions on +the main storage for /boot/grub/libreboot\_grub.cfg or +/grub/libreboot\_grub.cfg(for systems where /boot is on a dedicated +partition), and then use it automatically. + +Simply create your custom GRUB configuration and save it to +**/boot/grub/libreboot\_grub.cfg** on the running system. 
The next time +you boot, GRUB (in libreboot) will automatically switch to this +configuration file. **This means that you do not have to re-flash, +recompile or otherwise modify libreboot at all!** + +Ideally, your distribution should automatically generate a +libreboot\_grub.cfg file that is written specifically under the +assumption that it will be read and used on a libreboot system that uses +GRUB as a payload. If your distribution does not do this, then you can +try to add that feature yourself or politely ask someone involved with +or otherwise knowledgeable about the distribution to do it for you. The +libreboot\_grub.cfg could either contain the full configuration, or it +could chainload another GRUB ELF executable (built to be used as a +coreboot payload) that is located in a partition on the main storage. + +If you want to adapt a copy of the existing *libreboot* GRUB +configuration and use that for the libreboot\_grub.cfg file, then follow +[\#tools](#tools), [\#rom](#rom) and +[\#extract\_testconfig](#extract_testconfig) to get the +***grubtest.cfg***. Rename ***grubtest.cfg*** to +***libreboot\_grub.cfg*** and save it to ***/boot/grub/*** on the +running system where it is intended to be used. Modify the file at that +location however you see fit, and then stop reading this guide (the rest +of this page is irrelevant to you); **in libreboot\_grub.cfg on disk, if +you are adapting it based on grub.cfg from CBFS then remove the check +for libreboot\_grub.cfg otherwise it will loop.**. + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +2nd option: re-flash {#option2_reflash} +-------------------- + +You can modify what is stored inside the flash chip quite easily. Read +on to find out how. + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Acquire the necessary utilities {#tools} +------------------------------- + +Use ***cbfstool*** and ***flashrom***. 
There are available in the +*libreboot\_util* release archive, or they can be compiled (see +[../git/\#build\_flashrom](../git/#build_flashrom)). Flashrom is also +available from the repositories:\ +\# **pacman -S flashrom** + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Acquiring the correct ROM image {#rom} +------------------------------- + +You can either work directly with one of the ROM images already included +in the libreboot ROM archives, or re-use the ROM that you have currently +flashed. For the purpose of this tutorial it is assumed that your ROM +image file is named *libreboot.rom*, so please make sure to adapt. + +ROM images are included pre-compiled in libreboot. You can also dump +your current firmware, using flashrom:\ +\$ **sudo flashrom -p internal -r libreboot.rom**\ +\# **flashrom -p internal -r libreboot.rom**\ +If you are told to specify the chip, add the option **-c {your chip}** +to the command, for example:\ +\# **flashrom -c MX25L6405 -p internal -r libreboot.rom** + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Extract grubtest.cfg from the ROM image {#extract_testconfig} +--------------------------------------- + +You can check the contents of the ROM image, inside CBFS:\ +**\$ cd \.../libreboot\_util/cbfstool** **\$ ./cbfstool libreboot.rom +print** + +The files *grub.cfg* and *grubtest.cfg* should be present. grub.cfg is +loaded by default, with a menuentry for switching to grubtest.cfg. In +this tutorial, you will first modify and test *grubtest.cfg*. This is to +reduce the possibility of bricking your device, so DO NOT SKIP THIS! + +Extract grubtest.cfg from the ROM image:\ +**\$ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg** + +Modify the grubtest.cfg accordingly. 
+ +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Re-insert the modified grubtest.cfg into the ROM image {#reinsert_modified_testconfig} +------------------------------------------------------ + +Once your grubtest.cfg is modified and saved, delete the unmodified +config from the ROM image:\ +**\$ ./cbfstool libreboot.rom remove -n grubtest.cfg** + +Next, insert the modified version:\ +**\$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t +raw** + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Testing +------- + +**Now you have a modified ROM. Refer back to +[../install/\#flashrom](../install/#flashrom) for information on how to +flash it.\ +\$ **cd /libreboot\_util** \# **./flash update libreboot.rom**\ +Ocassionally, coreboot changes the name of a given board. If flashrom +complains about a board mismatch, but you are sure that you chose the +correct ROM image, then run this alternative command:\ +\# **./flash forceupdate libreboot.rom**\ +You should see **\"Verifying flash\... VERIFIED.\"** written at the end +of the flashrom output. Once you have done that, shut down and then boot +up with your new test configuration.** + +Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it +works, then your config is safe and you can continue below. + +**If it does not work like you want it to, if you are unsure or +sceptical in any way, then re-do the steps above until you get it right! +Do \*not\* proceed past this point unless you are 100% sure that your +new configuration is safe (or desirable) to use.** + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Final steps {#final_steps} +----------- + +When you are satisfied booting from grubtest.cfg, you can create a copy +of grubtest.cfg, called grub.cfg. 
This is the same except for one +difference: the menuentry \'Switch to grub.cfg\' will be changed to +\'Switch to grubtest.cfg\' and inside it, all instances of grub.cfg to +grubtest.cfg. This is so that the main config still links (in the menu) +to grubtest.cfg, so that you don\'t have to manually switch to it, in +case you ever want to follow this guide again in the future (modifying +the already modified config). From /libreboot\_util/cbfstool, do:\ +\$ **sed -e \'s:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g\' -e +\'s:Switch to grub.cfg:Switch to grubtest.cfg:g\' < grubtest.cfg > +grub.cfg**\ + +Delete the grub.cfg that remained inside the ROM:\ +**\$ ./cbfstool libreboot.rom remove -n grub.cfg** + +Add the modified version that you just made:\ +**\$ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw** + +**Now you have a modified ROM. Again, refer back to +[../install/\#flashrom](../install/#flashrom) for information on how to +flash it. It\'s the same method as you used before. Shut down and then +boot up with your new configuration.** + +[Back to top of page.](#pagetop) + +</div> + +<div class="section"> + +Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ +Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. 
THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. + +</div> diff --git a/docs/gnulinux/grub_hardening.html b/docs/gnulinux/grub_hardening.html deleted file mode 100644 index f86b7c4d..00000000 --- a/docs/gnulinux/grub_hardening.html +++ /dev/null 
@@ -1,281 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>GRUB hardening</title> -</head> - -<body> - <div class="section"> - <h1>GRUB hardening</h1> - <p> - This guide deals with various ways in which you can harden - your GRUB configuration, for security purposes. These steps - are optional, but highly recommended by the Libreboot project. - </p> - <p> - <a href="./">Back to previous index</a> - </p> - </div> - <div class="section"> - <h1> - GRUB secure boot with GPG - </h1> - - <p> - This uses the free implementation of the GPG standard for encryption - and signing/verifying data. We will be using this for checking the signature - of a Linux kernel at boot time. - More information about GPG can be found on the - <a href="https://www.gnu.org/software/gnupg/">GPG project website</a>. - GRUB has some GPG support built in, for checking signatures. - </p> - - <p> - This tutorial assumes you have a libreboot image (rom) that you wish to modify, - to which we shall henceforth refer to as "my.rom". - This tutorial modifies grubtest.cfg, this means signing and password protection - will work after switching to it in the main boot menu and bricking due to - incorrect configuration will be impossible. - After you are satisfied with the setup, you should transfer the new settings - to grub.cfg to make your machine actually secure. 
- </p> - - <p> - First extract the old grubtest.cfg and remove it from the libreboot image: -<pre> -cbfstool my.rom extract -n grubtest.cfg -f my.grubtest.cfg -cbfstool my.rom remove -n grubtest.cfg -</pre> - </p> - <p> - Helpful links: - <ul> - <li><a href="https://www.gnu.org/software/grub/manual/html_node/Security.html#Security"> - GRUB manual #security</a></li> - <li><a href="http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi"> - GRUB info pages</a></li> - <li><a href="https://libreboot.org/faq/#firmware-hddssd"> - SATA connected storage considered dangerous until proven otherwise.</a></li> - <li><a href="https://www.coreboot.org/GRUB2#Security"> - Coreboot GRUB security howto</a></li> - </ul> - </p> - </div> - <div class="section"> - <h1> - GRUB Password - </h1> - <p> - The security of this setup depends on a good GRUB password as GPG signature - checking can be disabled through the interactive console: - </p> - <pre>set check_signatures=no</pre> - <p> - This is good in that it allows you to occasionally boot unsigned liveCDs and such. - You may think of supplying signatures on an usb key, but the signature - checking code currently looks for </path/to/filename>.sig when verifying - </path/to/filename> and as such it is not possible to supply signatures - in an alternate location. - </p> - <p> - Note that this is not your LUKS password, but it's a password that you have to - enter in order to use "restricted" functionality (such as console). This - protects your system from an attacker simply booting a live USB and re-flashing - your firmware. - <b>This should be different than your LUKS passphrase and user password.</b> - </p> - - <p> - Use of the <i>diceware method</i> is recommended, for generating secure passphrases (as opposed to passwords). - Diceware method involves using dice to generate random numbers, which are - then used as an index to pick a random word from a large dictionary of words. - You can use any language (e.g. English, German). 
- Look it up on a search engine. Diceware method is a way to generate - secure passphrases that are very hard (almost impossible, with enough words) - to crack, while being easy enough to remember. On the other hand, most - kinds of secure passwords are hard to remember and easier to crack. - Diceware passphrases are harder to crack because of far higher entropy - (there are many words available to use, but only about 50 commonly used symbols - in pass<em>words</em>). - </p> ---> - <p> - The GRUB password can be entered in two ways: - <ul> - <li>plaintext</li> - <li>protected with <a href="https://en.wikipedia.org/wiki/Pbkdf2">PBKDF2</a></li> - </ul> - We will (obviously) use the later. Generating the PBKDF2 derived key is done - using the <b>grub-mkpasswd-pbkdf2</b> utility. You can get it by installing - GRUB version 2. Generate a key by giving it a password: - </p> - <pre>grub-mkpasswd-pbkdf2</pre> - <p> - Its output will be a string of the following form: - grub.pbkdf2.sha512.10000.HEXDIGITS.MOREHEXDIGITS - </p> - <p> - Now open my.grubtest.cfg and put the following before the menu entries (prefered - above the functions and after other directives). Of course use the pbdkf string - that you had generated yourself: - </p> - <pre> -set superusers="root" -password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</pre> - <p> - Obviously, replace it with the correct hash that you actually got for the password - that you entered. Meaning, not the hash that you see above! - </p> - <p> - As enabling password protection as above means that you have to input it on - every single boot, we will make one menu entry work without it. 
Remember that - we will have GPG signing active, thus a potential attacker will not be able - to boot an arbitrary operating system. We do this by adding option - <b>--unrestricted</b> to a menuentry definition: - </p> - <pre>menuentry 'Load Operating System (incl. fully encrypted disks) [o]' --hotkey='o' --unrestricted { -...</pre> - <p> - Another good thing to do, if we chose to load signed on-disk GRUB configurations, - is to remove (or comment out) <b>unset superusers</b> in function try_user_config: - </p> - <pre> -function try_user_config { - set root="${1}" - for dir in boot grub grub2 boot/grub boot/grub2; do - for name in '' autoboot_ libreboot_ coreboot_; do - if [ -f /"${dir}"/"${name}"grub.cfg ]; then - #unset superusers - configfile /"${dir}"/"${name}"grub.cfg - fi - done - done -}</pre> - <p> - Why? We allowed booting normally without entering a password above. - When we unset superusers and then load a signed GRUB configuration file, - we can easily use the command line as password protection will be completely - disabled. Disabling signature checking and booting whatever an attacker wants - is then just a few GRUB commands away. - </p> - - <p> - As far as basic password setup is concerned we are done and we can now move on to signing. - </p> - </div> - <div class="section"> - <h1> - GPG keys - </h1> - <p> - First generate a GPG keypair to use for signing. Option RSA (sign only) is ok. - </p> - <p> - <b>Warning:</b> GRUB does not read ASCII armored keys. - When attempting to trust ... a key filename it will print error: bad signature - </p> - <pre> -mkdir --mode 0700 keys -gpg --homedir keys --gen-key -gpg --homedir keys --export-secret-keys --armor > boot.secret.key # backup -gpg --homedir keys --export > boot.key</pre> - - <p> - Now that we have a key, we can sign some files with it. 
We have to sign: - <ul> - <li>a kernel</li> - <li>(if we have one) an initramfs</li> - <li>(if we wish to transfer control to it) an on-disk grub.cfg</li> - <li>grubtest.cfg (this is so one can go back to grubtest.cfg after signature - checking is enforced. You can always get back to grub.cfg by pressing ESC, - but afterwards grubtest.cfg is not signed and it will not load.</li> - </ul> - - Suppose that we have a pair of <b>my.kernel</b> and <b>my.initramfs</b> - and an on-disk <b>libreboot_grub.cfg</b>. We sign them by issuing the - following commands: - </p> -<pre> -gpg --homedir keys --detach-sign my.initramfs -gpg --homedir keys --detach-sign my.kernel -gpg --homedir keys --detach-sign libreboot_grub.cfg -gpg --homedir keys --detach-sign my.grubtest.cfg -</pre> - <p> - Of course some further modifications to my.grubtest.cfg will be required. - We have to trust the key and enable signature enforcement - (put this before menu entries): - </p> -<pre> -trust (cbfsdisk)/boot.key -set check_signatures=enforce -</pre> - <p> - What remains now is to include the modifications into the image (rom): - </p> -<pre> -cbfstool my.rom add -n boot.key -f boot.key -t raw -cbfstool my.rom add -n grubtest.cfg -f my.grubtest.cfg -t raw -cbfstool my.rom add -n grubtest.cfg.sig -f my.grubtest.cfg.sig -t raw -</pre> - <p> - ... and flashing it. 
- </p> - </div> - - <div class="section"> - - <p> - Copyright © 2017 Fedja Beader <fedja@protonmail.ch><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. - </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 
- </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - </div> - -</body> -</html> diff --git a/docs/gnulinux/grub_hardening.md b/docs/gnulinux/grub_hardening.md new file mode 100644 index 00000000..e2a6a6a1 --- /dev/null +++ b/docs/gnulinux/grub_hardening.md 
@@ -0,0 +1,234 @@ +<div class="section"> + +GRUB hardening +============== + +This guide deals with various ways in which you can harden your GRUB +configuration, for security purposes. These steps are optional, but +highly recommended by the Libreboot project. + +[Back to previous index](./) + +</div> + +<div class="section"> + +GRUB secure boot with GPG +========================= + +This uses the free implementation of the GPG standard for encryption and +signing/verifying data. We will be using this for checking the signature +of a Linux kernel at boot time. More information about GPG can be found +on the [GPG project website](https://www.gnu.org/software/gnupg/). GRUB +has some GPG support built in, for checking signatures. + +This tutorial assumes you have a libreboot image (rom) that you wish to +modify, to which we shall henceforth refer to as \"my.rom\". This +tutorial modifies grubtest.cfg, this means signing and password +protection will work after switching to it in the main boot menu and +bricking due to incorrect configuration will be impossible. After you +are satisfied with the setup, you should transfer the new settings to +grub.cfg to make your machine actually secure. 
+ +First extract the old grubtest.cfg and remove it from the libreboot +image: + + cbfstool my.rom extract -n grubtest.cfg -f my.grubtest.cfg + cbfstool my.rom remove -n grubtest.cfg + +Helpful links: + +- [GRUB manual + \#security](https://www.gnu.org/software/grub/manual/html_node/Security.html#Security) +- [GRUB info + pages](http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.texi) +- [SATA connected storage considered dangerous until proven + otherwise.](https://libreboot.org/faq/#firmware-hddssd) +- [Coreboot GRUB security + howto](https://www.coreboot.org/GRUB2#Security) + +</div> + +<div class="section"> + +GRUB Password +============= + +The security of this setup depends on a good GRUB password as GPG +signature checking can be disabled through the interactive console: + + set check_signatures=no + +This is good in that it allows you to occasionally boot unsigned liveCDs +and such. You may think of supplying signatures on an usb key, but the +signature checking code currently looks for +</path/to/filename>.sig when verifying </path/to/filename> +and as such it is not possible to supply signatures in an alternate +location. + +Note that this is not your LUKS password, but it\'s a password that you +have to enter in order to use \"restricted\" functionality (such as +console). This protects your system from an attacker simply booting a +live USB and re-flashing your firmware. **This should be different than +your LUKS passphrase and user password.** + +Use of the *diceware method* is recommended, for generating secure +passphrases (as opposed to passwords). Diceware method involves using +dice to generate random numbers, which are then used as an index to pick +a random word from a large dictionary of words. You can use any language +(e.g. English, German). Look it up on a search engine. Diceware method +is a way to generate secure passphrases that are very hard (almost +impossible, with enough words) to crack, while being easy enough to +remember. 
On the other hand, most kinds of secure passwords are hard to +remember and easier to crack. Diceware passphrases are harder to crack +because of far higher entropy (there are many words available to use, +but only about 50 commonly used symbols in pass*words*). + +\--> +The GRUB password can be entered in two ways: + +- plaintext +- protected with [PBKDF2](https://en.wikipedia.org/wiki/Pbkdf2) + +We will (obviously) use the later. Generating the PBKDF2 derived key is +done using the **grub-mkpasswd-pbkdf2** utility. You can get it by +installing GRUB version 2. Generate a key by giving it a password: + grub-mkpasswd-pbkdf2 + +Its output will be a string of the following form: +grub.pbkdf2.sha512.10000.HEXDIGITS.MOREHEXDIGITS + +Now open my.grubtest.cfg and put the following before the menu entries +(prefered above the functions and after other directives). Of course use +the pbdkf string that you had generated yourself: + + set superusers="root" + password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 + +Obviously, replace it with the correct hash that you actually got for +the password that you entered. Meaning, not the hash that you see above! + +As enabling password protection as above means that you have to input it +on every single boot, we will make one menu entry work without it. +Remember that we will have GPG signing active, thus a potential attacker +will not be able to boot an arbitrary operating system. We do this by +adding option **\--unrestricted** to a menuentry definition: + + menuentry 'Load Operating System (incl. fully encrypted disks) [o]' --hotkey='o' --unrestricted { + ... 
+ +Another good thing to do, if we chose to load signed on-disk GRUB +configurations, is to remove (or comment out) **unset superusers** in +function try\_user\_config: + + function try_user_config { + set root="${1}" + for dir in boot grub grub2 boot/grub boot/grub2; do + for name in '' autoboot_ libreboot_ coreboot_; do + if [ -f /"${dir}"/"${name}"grub.cfg ]; then + #unset superusers + configfile /"${dir}"/"${name}"grub.cfg + fi + done + done + } + +Why? We allowed booting normally without entering a password above. When +we unset superusers and then load a signed GRUB configuration file, we +can easily use the command line as password protection will be +completely disabled. Disabling signature checking and booting whatever +an attacker wants is then just a few GRUB commands away. + +As far as basic password setup is concerned we are done and we can now +move on to signing. + +</div> + +<div class="section"> + +GPG keys +======== + +First generate a GPG keypair to use for signing. Option RSA (sign only) +is ok. + +**Warning:** GRUB does not read ASCII armored keys. When attempting to +trust \... a key filename it will print error: bad signature + + mkdir --mode 0700 keys + gpg --homedir keys --gen-key + gpg --homedir keys --export-secret-keys --armor > boot.secret.key # backup + gpg --homedir keys --export > boot.key + +Now that we have a key, we can sign some files with it. We have to sign: + +- a kernel +- (if we have one) an initramfs +- (if we wish to transfer control to it) an on-disk grub.cfg +- grubtest.cfg (this is so one can go back to grubtest.cfg after + signature checking is enforced. You can always get back to grub.cfg + by pressing ESC, but afterwards grubtest.cfg is not signed and it + will not load. + +Suppose that we have a pair of **my.kernel** and **my.initramfs** and an +on-disk **libreboot\_grub.cfg**. 
We sign them by issuing the following +commands: + gpg --homedir keys --detach-sign my.initramfs + gpg --homedir keys --detach-sign my.kernel + gpg --homedir keys --detach-sign libreboot_grub.cfg + gpg --homedir keys --detach-sign my.grubtest.cfg + +Of course some further modifications to my.grubtest.cfg will be +required. We have to trust the key and enable signature enforcement (put +this before menu entries): + + trust (cbfsdisk)/boot.key + set check_signatures=enforce + +What remains now is to include the modifications into the image (rom): + + cbfstool my.rom add -n boot.key -f boot.key -t raw + cbfstool my.rom add -n grubtest.cfg -f my.grubtest.cfg -t raw + cbfstool my.rom add -n grubtest.cfg.sig -f my.grubtest.cfg.sig -t raw + +\... and flashing it. + +</div> + +<div class="section"> + +Copyright © 2017 Fedja Beader <fedja@protonmail.ch>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. 
+ +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. + +</div> diff --git a/docs/gnulinux/index.html b/docs/gnulinux/index.html deleted file mode 100644 index 2b1ef868..00000000 --- a/docs/gnulinux/index.html +++ /dev/null 
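Review bot: the four `gpg --homedir keys --detach-sign ...` lines that follow "We sign them by issuing the following commands:" lack the blank line that every other indented code block in this file has, so Markdown will treat them as a lazy continuation of that sentence instead of rendering a code block; insert an empty line before `gpg --homedir keys --detach-sign my.initramfs`. Two documentation nits in the same hunk: the list item "grubtest.cfg (this is so one can go back to grubtest.cfg after signature checking is enforced ... it will not load." never closes its parenthesis, and the warning "When attempting to trust \... a key filename it will print error: bad signature" reads garbled; stating it as "when you `trust` an ASCII-armored key file, GRUB prints `error: bad signature`" would make explicit why `boot.key` is exported without `--armor` while only the `boot.secret.key` backup is armored.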
@@ -1,93 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - @import url('../css/main.css'); - </style> - - <title>GNU+Linux distributions</title> -</head> - -<body> - - <div class="section"> - - <h1 id="pagetop">GNU+Linux distributions</h1> - <p> - This section relates to dealing with GNU+Linux distributions: preparing bootable USB drives, - changing the default GRUB menu and so on. - </p> - <p> - <b>This section is only for the *GRUB* payload. For depthcharge, instructions have yet to be written.</b> - </p> - <p> - <a href="../">Back to previous index</a>. - </p> - <ul> - <li><a href="grub_boot_installer.html">How to install GNU+Linux on a libreboot system</a></li> - <li><a href="grub_cbfs.html">How to replace the default GRUB configuration file on a libreboot system</a></li> - <li> - <a href="encrypted_parabola.html">Installing Parabola or Arch GNU+Linux-libre with full disk encryption (including /boot)</a> - <ul> - <li>Follow-up tutorial: <a href="configuring_parabola.html">Configuring Parabola (post-install)</a></li> - </ul> - </li> - <li><a href="encrypted_debian.html">Installing Debian or Devuan GNU+Linux-libre with full disk encryption (including /boot)</a></li> - <li><a href="grub_hardening.html">How to harden your GRUB configuration, for security</a></li> - </ul> - - </div> - - <div class="section"> - - <p> - Copyright © 2014, 2015 Leah Rowe <info@minifree.org><br/> - Permission is granted to copy, distribute and/or modify this document - under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license - or any later version published by Creative Commons; - - A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a> - </p> - - <p> - Updated versions of the license (when available) can be found at - <a 
href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a> - </p> - - <p> - UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE - EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS - AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF - ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, - IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, - WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, - ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT - KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT - ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. - </p> - <p> - TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE - TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, - NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, - INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, - COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR - USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN - ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR - DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR - IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. - </p> - <p> - The disclaimer of warranties and limitation of liability provided - above shall be interpreted in a manner that, to the extent - possible, most closely approximates an absolute disclaimer and - waiver of all liability. - </p> - - </div> - -</body> -</html> diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md new file mode 100644 index 00000000..070296bb --- /dev/null +++ b/docs/gnulinux/index.md 
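Review bot: deleting this file drops the `<title>GNU+Linux distributions</title>` element and the `@import url('../css/main.css')` stylesheet along with the page body; the Markdown replacement carries only the `{#pagetop}` heading and the `<div class="section">` wrappers, so the commit should state (or the build should guarantee) that the Markdown-to-HTML template supplies the title and stylesheet, otherwise the rendered index loses both.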
@@ -0,0 +1,65 @@ +<div class="section"> + +GNU+Linux distributions {#pagetop} +======================= + +This section relates to dealing with GNU+Linux distributions: preparing +bootable USB drives, changing the default GRUB menu and so on. + +**This section is only for the \*GRUB\* payload. For depthcharge, +instructions have yet to be written.** + +[Back to previous index](../). + +- [How to install GNU+Linux on a libreboot + system](grub_boot_installer.html) +- [How to replace the default GRUB configuration file on a libreboot + system](grub_cbfs.html) +- [Installing Parabola or Arch GNU+Linux-libre with full disk + encryption (including /boot)](encrypted_parabola.html) + - Follow-up tutorial: [Configuring Parabola + (post-install)](configuring_parabola.html) +- [Installing Debian or Devuan GNU+Linux-libre with full disk + encryption (including /boot)](encrypted_debian.html) +- [How to harden your GRUB configuration, for + security](grub_hardening.html) + +</div> + +<div class="section"> + +Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ +Permission is granted to copy, distribute and/or modify this document +under the terms of the Creative Commons Attribution-ShareAlike 4.0 +International license or any later version published by Creative +Commons; A copy of the license can be found at +[../cc-by-sa-4.0.txt](../cc-by-sa-4.0.txt) + +Updated versions of the license (when available) can be found at +<https://creativecommons.org/licenses/by-sa/4.0/legalcode> + +UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT +POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND +AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND +CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, +OR OTHER. 
THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, +ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE +OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF +WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT +APPLY TO YOU. + +TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU +ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR +OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, +PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES +ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN +IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, +COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT +ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + +The disclaimer of warranties and limitation of liability provided above +shall be interpreted in a manner that, to the extent possible, most +closely approximates an absolute disclaimer and waiver of all liability. + +</div> |
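Review bot: every entry in the new list still links to `.html` targets (`grub_boot_installer.html`, `grub_cbfs.html`, `encrypted_parabola.html`, `configuring_parabola.html`, `encrypted_debian.html`, `grub_hardening.html`) while this same commit deletes `index.html` in favour of `index.md`; that is only correct if the build renders each `.md` to an `.html` file of the same basename, so either document that step or point the links at the `.md` sources, or all six entries on this index will dangle.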