From 739b2d948b461053832d69fab3f2f60c9f51a3a6 Mon Sep 17 00:00:00 2001
From: Scott Bonds
+ Post-installation configuration steps for Parabola GNU/Linux-libre. Parabola is extremely flexible; this is just an example.
+
+ While not strictly related to the libreboot project, this guide
+ is intended to be useful for those interested in installing
+ Parabola on their libreboot system.
+
+ It details configuration steps that I took after installing the base system,
+ as a follow up to encrypted_parabola.html.
+ This guide is likely to become obsolete at a later date (due to the volatile
+ 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it.
+
+
+ This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch
+ with the libreboot project!
+
+
+ You do not necessarily have to follow this guide word-for-word; parabola is extremely flexible.
+ The aim here is to provide a common setup that most users will be happy with. While Parabola
+ can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide
+ all the same usability as Debian, without hiding any details from the user.
+
+ Paradoxically, as you get more advanced Parabola can actually become easier to use
+ when you want to set up your system in a special way compared to what most distributions provide.
+ You will find over time that other distributions tend to get in your way.
+
+
+ This guide assumes that you already have Parabola installed. If you have not yet installed Parabola,
+ then this guide is highly recommended!
+
+
+ A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses.
+ Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries
+ to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible.
+ It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key,
+ especially for new users.
+
+ The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source),
+ and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the
+ Arch wiki.
+
+ Some of these steps require internet access. I'll go into networking later but for now, I just connected
+ my system to a switch and did:
+ pacman (package manager) is the name of the package management system in Arch, which Parabola
+ (as a deblobbed parallel effort) also uses. Like with 'apt-get' on Debian,
+ this can be used to add/remove and update the software on your computer.
+
+ Based on https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman
+ and from reading https://wiki.archlinux.org/index.php/Pacman (make sure to read and understand this,
+ it's very important) and
+ https://wiki.parabolagnulinux.org/Official_Repositories
+
+ In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:
+
+ Before installing packages with 'pacman -S', always update first, using the notes above.
+
+
+ Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages
+ about maintenance steps that you will need to perform with certain files (typically configurations)
+ after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues.
+ If a new kernel is installed, you should also update to be able to use it (the currently running kernel will
+ also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a
+ rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This
+ is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated.
+ A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website,
+ and more maintenance work.
+
+ The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). The Parabola
+ IRC channel (#parabola on freenode) can also help you.
+
+ Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time
+ in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event,
+ like a presentation or sending an email to an important person before an allocated deadline, and so on.
+
+ Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories
+ exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free,
+ so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in
+ the rare event that they do occur.
+
+ Parabola is a very simple distro, in the sense that you are in full control
+ and everything is made transparent to you. One consequence is
+ that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done
+ with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro
+ on another computer, for example).
+
+
+ The following is very important as you continue to use, update and maintain your Parabola system:
+ To clean out all old packages that are cached:
+ The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo,
+ if you encounter issues and want to revert back to an older package then it's useful to have the caches available.
+ Only do this if you are sure that you won't need it.
+
+ The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:
+ The following table lists other distro package manager commands, and their equivalent in pacman:
+ your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages
+ from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola
+ wiki for migrating - converting - an existing Arch system to a Parabola system), installing
+ your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution
+ is then to delete the offending packages, and continue installing your-freedom.
+
+ Based on https://wiki.archlinux.org/index.php/Users_and_Groups.
+
+ It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended
+ only for critical administrative work, since it has complete access to the entire operating system.
+
+ Read the entire document linked to above, and then continue.
+
+ Add your user:
+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
+
+ This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it.
+ Read https://wiki.archlinux.org/index.php/systemd
+ and https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage
+ to gain a full understanding. This is very important! Make sure to read them.
+
+ An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others.
+
+ https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 explains
+ the background behind the decision by Arch (Parabola's upstream supplier) to use systemd.
+
+ The manpage should also help:
+ According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up.
+ on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the
+ log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki
+ recommends 50MiB).
+
+ Open /etc/systemd/journald.conf and find the line that says:
+ The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12,
+ and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it.
+
+ Restart journald:
+ The wiki recommends that if the journal gets too large, you can also simply delete (rm -Rf) everything inside /var/log/journald/*
+ but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically
+ start to delete older records when the journal size reaches it's limit (according to systemd developers).
+
+ Finally, the wiki mentions 'temporary' files and the utility for managing them.
+ I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files.
+ The first one was etc.conf, containing information and a reference to this manpage:
+ The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all.
+
+ Parabola wiki at https://wiki.parabolagnulinux.org/Repositories#kernels
+ mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available
+ there, depending on your use case.
+
+ I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:
+ Now sync with the repository:
+ List all available packages in this repository:
+ In the end, I decided not to install anything from it but I kept the repository enabled regardless.
+
+ Read https://wiki.archlinux.org/index.php/Configuring_Network.
+
+ This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):
+ Add the same hostname to /etc/hosts, on each line. Example:
+ You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does)
+ so it's good to be forward-thinking here.
+
+ The hostname utility is part of the inetutils package and is in core/, installed by default (as part of base).
+
+ According to the Arch wiki, udev should already detect the ethernet chipset
+ and load the driver for it automatically at boot time. You can check this in the "Ethernet controller" section
+ when running this command:
+ Look at the remaining sections 'Kernel driver in use' and 'Kernel modules'. In my case it was as follows:
+ Check that the driver was loaded by issuing dmesg | grep module_name. In my case, I did:
+ According to https://wiki.archlinux.org/index.php/Configuring_Network#Device_names,
+ it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, systemd
+ creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates.
+ An example device name for your ethernet chipset would be enp0s25, where it is never supposed to change.
+
+ If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends
+ adding net.ifnames=0 to your kernel parameters (in libreboot context, this would be accomplished by following the
+ instructions in grub_cbfs.html).
+
+ For background information,
+ read Predictable Network Interface Names
+
+ Show device names:
+ Changing the device names is possible (I chose not to do it):
+ I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical
+ network-manager client. Here is a list of network managers:
+ Read https://wiki.archlinux.org/index.php/System_maintenance before continuing.
+ Also read https://wiki.archlinux.org/index.php/Enhance_system_stability.
+ This is important, so make sure to read them!
+
+ Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you
+ but the smart data comes from it. Therefore, don't rely on it too much):
+ Based on steps from
+ General Recommendations on the Arch wiki.
+ The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE
+ by default.
+
+ Based on https://wiki.archlinux.org/index.php/Xorg.
+
+ Firstly, install it!
+ Install the driver. For me this was xf86-video-intel on the ThinkPad X60. T60 and macbook11/21 should be the same.
+ Other drivers (not just video) can be found by looking at the xorg-drivers group:
+ Mostly you will rely on a display manager, but in case you ever want to start X without one:
+ <optional>
+ Refer to https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg.
+
+ Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you
+ set in /etc/vconsole.conf earlier might not actually be the same in X.
+
+ To see what layout you currently use, try this on a terminal emulator in X:
+ In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout.
+
+ I'll just say it now: XkbModel can be pc105 in this case (ThinkPad X60, with a 105-key UK keyboard).
+ If you use an American keyboard (typically 104 keys) you will want to use pc104.
+
+ XkbLayout in my case would be gb, and XkbVariant would be dvorak.
+
+ The Arch wiki recommends two different methods for setting the keyboard layout:
+ In my case, I chose to use the configuration file method:
+ For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then
+ you don't even need to do anything (though it might help, for the sake of being explicit).
+
+ Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight
+ and does everything that I need.
+ If you would like to try something different, refer to
+ https://wiki.archlinux.org/index.php/Desktop_environment
+
+ Refer to https://wiki.archlinux.org/index.php/LXDE.
+
+ Install it, choosing 'all' when asked for the default package list:
+ I didn't want the following, so I removed them:
+ I also lazily installed all fonts:
+ And a mail client:
+ In IceCat, go to Preferences :: Advanced and disable GNU IceCat Health Report.
+
+ I also like to install these:
+ Enable LXDM (the default display manager, providing a graphical login):
+ Log in with your standard (non-root) user that you created earlier.
+ It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm.
+ Read https://wiki.archlinux.org/index.php/Xinitrc.
+
+ Open LXterminal:
+ In Digital Clock Settings (right click the clock) I set the Clock Format to %Y/%m/%d %H:%M:%S
+
+ Arch wiki recommends to use xscreensaver:
+ Under Preferences :: Screensaver in the LXDE menu, I chose Mode: Blank Screen Only,
+ setting Blank After, Cycle After and Lock Screen After (checked) to 10 minutes.
+
+ You can now lock the screen with Logout :: Lock Screen in the LXDE menu.
+
+ Refer to https://wiki.archlinux.org/index.php/File_manager_functionality.
+
+ I chose to ignore this for now. NOTE TO SELF: come back to this later.
+
+ When closing the laptop lid, the system suspends. This is annoying at least to me.
+ NOTE TO SELF: disable it, then document the steps here.
+
+ Right click lxde panel and Add/Remove Panel Items. Click Add and select Battery Monitor, then click Add.
+ Close and then right-click the applet and go to Battery Monitor Settings, check the box that says Show Extended Information.
+ Now click Close. When you hover the cursor over it, it'll show information about the battery.
+
+ Refer to https://wiki.archlinux.org/index.php/LXDE#Network_Management.
+ Then I read: https://wiki.archlinux.org/index.php/NetworkManager.
+
+ Install Network Manager:
+ You will also want the graphical applet:
+ I want to be able to use a VPN at some point, so the wiki tells me to do:
+ LXDE uses openbox, so I refer to:
+ It tells me for the applet I need:
+ I wanted to quickly enable networkmanager:
+ Restart LXDE (log out, and then log back in).
+
+ I added the volume control applet to the panel (right click panel, and add a new applet).
+ I also later changed the icons to use the gnome icon theme, in lxappearance.
+
+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Updated versions of the license (when available) can be found at
+ https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
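Review bot: The journal cleanup paragraph gives the wrong directory: "delete (rm -Rf) everything inside /var/log/journald/*" should point at /var/log/journal/, which is where journald keeps its persistent storage, so a reader who follows the text as written will not remove any journal data. Since the same paragraph already says the size limit makes manual deletion unnecessary, consider dropping the rm -Rf suggestion or correcting the path and keeping the backup advice beside it. Two typos in the same file: "reaches it's limit" should be "its limit", and "en (for enternet)" in the device-names paragraph should be "ethernet".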
+
+ The libreboot project recommends Debian, because it is more stable and up to date,
+ while still being entirely free software by default. Leah Rowe, libreboot's
+ lead maintainer, also uses Debian. See:
+ ../distros/
+
+ Libreboot on x86 uses the GRUB payload
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and its GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+
+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
+ This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
+ can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
+ payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
+ access to the system.
+
+ This guide is written for Debian.
+ This also works in Trisquel 7 (probably Trisquel 8), and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode).
+ How to boot a GNU/Linux installer.
+
+ This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.
+
+ Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
+
+ Set a strong user password (lots of lowercase/uppercase, numbers and symbols).
+
+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
+
+ when the installer asks you to set up
+ encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it
+ will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended.
+ Choose 'no'.
+
+
+ Your user password should be different from the LUKS password which you will set later on.
+ Your LUKS password should, like the user password, be secure.
+
+ Choose 'Manual' partitioning:
+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
+
+ Installation will ask what kernel you want to use. linux-generic is fine.
+
+ Choose "Trisquel Desktop Environment" if you want GNOME,
+ "Trisquel-mini Desktop Environment" if you
+ want LXDE or "Triskel Desktop Environment" if you want KDE.
+ If you want to have no desktop (just a basic shell)
+ when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything).
+ You might also want to choose some of the other package groups; it's up to you.
+
+ For Debian, use the MATE option, or one of the others if you want.
+
+ On Debian or Trisquel, you may also want to select the option for a printer server,
+ so that you can print.
+
+ If you want debian-testing, then you should only select barebones options here
+ and change the entries in /etc/apt/sources.list after install to point to the new distro,
+ and then run apt-get update and apt-get dist-upgrade
+ as root, then reboot and run tasksel as root. This is to avoid downloading large
+ packages twice.
+
+ If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.)
+
+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
+ You could also choose 'No'. Choice is irrelevant here.
+
+ You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.
+
+ Just say 'Yes'.
+
+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
+
+ Do that:
+ If you didn't encrypt your home directory, then you can safely ignore this section.
+
+ Immediately after logging in, do that:
+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
+ somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
+
+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
+
+ Modify your grub.cfg (in the firmware) using this tutorial;
+ just change the default menu entry 'Load Operating System' to say this inside:
+
+ cryptomount -a
+ Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes.
+ You can also specify -u UUID or -a (device).
+
+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
+ GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.
+
+ Use of the diceware method is recommended, for generating secure passphrases (as opposed to passwords).
+
+ The GRUB utility can be used like so:
+ Give it a password (remember, it has to be secure) and it'll output something like:
+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
+
+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
+ MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg.
+ Then select the menu entry that says Switch to grubtest.cfg and test that it works.
+ Then copy that to grub.cfg once you're satisfied.
+ WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.
+
+ (emphasis added, because it's needed. This is a common roadblock for users)
+
+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
+
+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
+ using this tutorial.
+
+ A user reported issues when booting with a docking station attached
+ on an X200, when decrypting the disk in GRUB. The error
+ AHCI transfer timed out was observed. The workaround
+ was to remove the docking station.
+
+ Further investigation revealed that it was the DVD drive causing problems.
+ Removing that worked around the issue.
+
+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Updated versions of the license (when available) can be found at
+ https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
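Review bot: The ecryptfs paragraph contradicts itself: it opens with "select 'Yes' if you want to" and ends with "not recommended. Choose 'no'", so the reader cannot tell which answer the guide expects, and the later "If you didn't encrypt your home directory, then you can safely ignore this section" depends on that answer. Pick one recommendation and state it first, followed by the performance reasoning. In the cryptomount paragraph, "You can also specify -u UUID or -a (device)" conflicts with the sentence before it, which defines -a as unlocking all detected LUKS volumes; a single device is given to cryptomount as a plain argument, without -a. Minor: there is a stray ">" after "memorize it still)", and the diceware sentence appears twice around the GRUB password step.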
+
+ Libreboot on x86 uses the GRUB payload
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and it's GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+
+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
+ This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
+ can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
+ payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
+ access to the system.
+
+ This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.
+
+ This guide is intended for the Parabola distribution, but it should also work (with some adaptation)
+ for Arch.
+ We recomend using Parabola, which is a version of Arch that removes all
+ proprietary software, both in the default installation and in the package repositories. It usually lags
+ behind Arch by only a day or two, so it is still usable for most people.
+ See Arch to Parabola migration guide.
+
+ Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
+
+ Boot Parabola's install environment. How to boot a GNU/Linux installer.
+
+ For this guide I used the 2015 08 01 image to boot the live installer and install the system.
+ This is available at this page.
+
+ This guide will go through the installation steps taken at the time of writing, which may or may not change due to
+ the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes,
+ please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to
+ the Parabola wiki. This guide essentially cherry picks the useful information (valid at the
+ time of writing: 2015-08-25).
+ This section deals with wiping the storage device on which you plan to install Parabola
+ GNU/Linux. Follow these steps, but if you use an SSD, also:
+
+
+ - beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it.
+ See this page
+ for more info.
+ - make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data.
+ - make sure to read this article. Edit /etc/fstab later on when
+ chrooted into your install. Also, read the whole article and keep all points in mind, adapting them for this guide.
+
+ Securely wipe the drive:
+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
+ it is already 'wiped'. You should just wipe the LUKS header.
+ https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/
+ showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm going to use urandom. Do this:
+ Parabola live shell assumes US Qwerty. If you have something different, list the available keymaps and use yours:
+ Refer to this guide. Wired is recommended,
+ but wireless is also explained there.
+
+ The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide.
+ Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first.
+
+ device-mapper will be used - a lot. Make sure that the kernel module is loaded:
+ Note that the default iteration time is 2000ms (20 seconds) if not specified
+ in cryptsetup. You should set a lower time than this, otherwise there will be
+ an approximate 20 second delay when booting your system.
+ We recommend 500ms (5 seconds), and this is included in the prepared
+ cryptsetup command below.
+ Note that the iteration time is for security purposes (mitigates
+ brute force attacks), so anything lower than 5 seconds is probably
+ not ok.
+
+ I am using MBR partitioning, so I use cfdisk:
+ I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83).
+
+ Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
+ Parabola forces you to RTFM. Do that.
+
+ It tells me to run:
+ Following that page, based on my requirements, I do the following based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode.
+ Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option.
+
+ I am initializing LUKS with the following:
+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
+
+ Now I refer to https://wiki.archlinux.org/index.php/LVM.
+
+ Open the LUKS partition:
+ Create LVM partition:
+ Now I create the volume group, inside of which the logical volumes will be created:
+ Now create the logical volumes:
+ Verify that the logical volumes were created, using the following command:
+ For the swapvol LV I use:
+ For the root LV I use:
+ Mount the root (/) partition:
+ This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola
+ so that the guide can continue.
+
+ Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide.
+ I also cross referenced https://wiki.archlinux.org/index.php/Installation_guide.
+
+ Create /home and /boot on root mountpoint:
+ Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola.
+
+ In /etc/pacman.d/mirrorlist, comment out all lines except the Server line closest to where you are (I chose the UK Parabola
+ server (main server)) and then did:
+ <troubleshooting>
+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog/iw/wpa_actiond are needed for wireless after the install:
+ Generate an fstab - UUIDs are used because they have certain advantages (see https://wiki.parabola.nu/Fstab#Identifying_filesystems.
+ If you prefer labels instead, replace the -U option with -L):
+ Chroot into new system:
+ It's a good idea to have this installed:
+ It was also suggested that you should install this kernel (read up on what GRSEC is):
+ This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels
+ that can be used as a fallback during updates, if a bad kernel causes issues for you.
+
+ Parabola does not have wget. This is sinister. Install it:
+ Locale:
+ Console font and keymap:
+ Time zone:
+ Hardware clock:
+ Hostname:
+ Write your hostname to /etc/hostname. For example, if your hostname is parabola: Configure the network:
+ Refer to https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network.
+ Mkinitcpio:
+ Configure /etc/mkinitcpio.conf as needed (see https://wiki.parabola.nu/Mkinitcpio).
+ Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in /usr/lib/initcpio/install. (# mkinitcpio -H hookname gives information about each hook.)
+ Specifically, for this use case:
+ Now using mkinitcpio, you can create the kernel and ramdisk for booting with (this is different from Arch, specifying linux-libre instead of linux):
+ Set the root password:
+ At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to https://wiki.archlinux.org/index.php/SHA_password_hashes.
+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
+
+ Based on https://wiki.archlinux.org/index.php/Security.
+
+ Restrict access to important directories:
+ Lockout user after three failed login attempts:
+ Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date.
+ If this is a single-user system, you don't really need sudo.
+
+ Exit from chroot:
+ unmount:
+ deactivate the lvm lv's:
+ Lock the encrypted partition (close it):
+ # shutdown -h now
+ Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional
+ (using those 2 underlines will boot lts kernel instead of normal).
+
+ grub> cryptomount -a
+ You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
+
+ We will modify grub.config inside the ROM and do all kinds of fun stuff, but I recommend that you first transform the current bare-bones Parabola install into a more useable system.
+ Doing so will make the upcoming ROM modifications MUCH easier to perform and less risky!
+ configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic
+ system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system.
+ Parabola is user-centric, which means that you are in control. For more information, read The Arch Way
+ (Parabola also follows it).
+
+ (Re-)log in to your system, pressing C, so booting manually from GRUB (see above). You need to modify the ROM, so that Parabola can boot automatically with this configuration.
+ grub_cbfs.html shows you how. Follow that guide, using the configuration details below.
+ If you go for option 2 (re-flash), promise to do this on grubtest.cfg first! We can't emphasise this enough. This is to reduce the possibility of bricking your device!
+
+ I will go for the re-flash option here. Firstly, cd to the libreboot_util/cbfstool/{armv7l i686 x86_64} directory.
+ Dump the current firmware - where libreboot.rom is an example: make sure to adapt:
+ In grubtest.cfg, inside the 'Load Operating System' menu entry, change the contents to:
+
+ Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels.
+ You could also copy the menu entry and in one have -lts, and without in the other menuentry.
+ You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
+ The first entry will load by default.
+
+ Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes.
+ You can also specify -u UUID or -a (device).
+
+ Now, to protect your system from an attacker simply booting a live usb distro and re-flashing the boot firmware, we are going to add a password for GRUB.
+ In a new terminal window, if you are not yet online, start dhcp on ethernet:
+ Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
+
+ AGAIN: MAKE SURE TO DO THIS WHOLE SECTION ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg.
+ (When we get there, upon reboot, select the menu entry that says Switch to grubtest.cfg and test that it works.
+ Only once you are satisfied, copy that to grub.cfg. Only a few steps to go, though.)
+ WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.
+
+ (emphasis added, because it's needed: this is a common roadblock for users.)
+
+ We need a utility that comes with GRUB, so we will download it temporarily. (Remember that GRUB isn't needed for booting, since it's already included as a payload in libreboot.)
+ Also, we will use flashrom, and I installed dmidecode. You only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here
+ it is:
+ The password below (it's password, by the way) after 'password_pbkdf2 root' should be changed to your own.
+ Make sure to specify a password that is different from both your LUKS *and* your root/user password.
+ Obviously, do not simply copy and paste the examples shown here...
+
+ Next, back in grubtest.cfg, above the first 'Load Operating System' menu entry, you should now add your GRUB password, like so
+ (replace with your own name (I used root on both lines, feel free to choose another one) and the password hash which you copied):
+
+ Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image:
+ Now refer to http://libreboot.org/docs/install/index.html#flashrom.
+ Cd (up) to the libreboot_util directory and update the flash chip contents:
+ With this new configuration, Parabola can boot automatically and you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal.
+ Let's test it out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow keys on your keyboard.
+ Enter the name you chose, the GRUB password, your LUKS passphrase and login as root/your user. All went well? Great!
+
+ If it does not work like you want it to, if you are unsure or sceptical in any way, don't despair: you have been wise and did not brick your device! Reboot and login the default way, and then modify
+ your grubtest.cfg until you get it right!
+ Do *not* proceed past this point unless you are 100% sure that your new configuration is safe (or desirable) to use.
+
+ Now, we can easily and safely create a copy of grubtest.cfg, called grub.cfg. This will be the same except for one difference: the menuentry 'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg'
+ and, inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever
+ want to follow this guide again in the future (modifying the already modified config).
+ Inside libreboot_util/cbfstool/{armv7l i686 x86_64}, we can do this with the following command:
+ Now you have a modified ROM. Once more, refer to http://libreboot.org/docs/install/index.html#flashrom.
+ Cd to the libreboot_util directory and update the flash chip contents:
+ When done, delete GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility;
+ GRUB is already part of libreboot, flashed alongside it as a payload):
+ If you followed all that correctly, you should now have a fully encrypted Parabola installation.
+ Refer to the wiki for how to do the rest.
+
+ By default, you will have to enter your LUKS passphrase twice; once in GRUB, and once when booting the kernel.
+ GRUB unlocks the encrypted partition and then loads the kernel, but the kernel is not aware of the fact
+ that it is being loaded from an encrypted volume. Therefore, you will be asked to enter your passphrase a second time.
+ A workaround is to put a keyfile inside initramfs, with instructions for the kernel to use it when
+ booting. This is safe, because /boot/ is encrypted (otherwise, putting a keyfile inside initramfs would be a bad idea).
+ https://wiki.archlinux.org/index.php/Security.
+ A user reported issues when booting with a docking station attached
+ on an X200, when decrypting the disk in GRUB. The error
+ AHCI transfer timed out was observed. The workaround
+ was to remove the docking station.
+
+ Further investigation revealed that it was the DVD drive causing problems.
+ Removing that worked around the issue.
+
+ Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>
+ Updated versions of the license (when available) can be found at
+ https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
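Review bot: The iteration-time paragraph at the start of this file has inconsistent units: "2000ms (20 seconds)" and "500ms (5 seconds)" are each off by a factor of ten (2000 ms is 2 seconds, 500 ms is half a second), and the last sentence then says anything lower than 5 seconds is probably not ok. Because this setting is what the text relies on to slow brute-force attempts against the passphrase, please pick the intended value, give it once in milliseconds (the unit cryptsetup's --iter-time takes), and make the stated boot delay and the minimum recommendation agree with it. Separately, the bare "<troubleshooting>" line after the mirrorlist step reads like a leftover placeholder.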
+ This section relates to preparing, booting and installing a
+ OpenBSD distribution on your libreboot system, using nothing more than a USB flash drive (and dd). They've only been tested on a Lenovo ThinkPad x200.
+
+ This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions
+ have yet to be written in the libreboot documentation.
+
+ Connect the USB drive. Check dmesg:
+ Check that it wasn't automatically mounted. If it was, unmount it. For example:
+ dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:
+ You should now be able to boot the installer from your USB drive. Continue reading, for
+ information about how to do that.
+
+ Back to top of page.
+
+ Press C in GRUB to access the command line:
+
+ grub> kopenbsd (usb0)/6.0/amd64/bsd.rd
+
+ It will start booting into the OpenBSD installer. Follow the normal process for installing OpenBSD.
+
+ Back to top of page.
+
+ Not working. You can modify the above procedure (installation w/o encryption) to install OpenBSD using full disk encryption, and it appears to work, except that its not yet clear how to actually boot an OpenBSD+FDE installation using libreboot+Grub2. If you get it working, please let us know.
+
+ Back to top of page.
+
+ Press C in GRUB to access the command line:
+
+ grub> kopenbsd -r sd0a (ahci0,openbsd1)/bsd
+
+ OpenBSD will start booting. Yay!
+
+ Back to top of page.
+
+ If you don't want to drop to the GRUB command line and type in a command to boot OpenBSD every time, you can create a GRUB configuration that's aware of your OpenBSD installation and that will automatically be used by libreboot. The instructions are the same as for GNU/Linux.
+
+ In short, create a Grub2 config file that will add OpenBSD to the GRUB menu and set it as the default. Place your config at /grub/libreboot_grub.cfg. Reboot. Viola.
+
+ Back to top of page.
+
+ Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer.
+ This mode is useful for booting payloads like memtest86+ which expect text-mode, but for OpenBSD distributions
+ it can be problematic when they are trying to switch to a framebuffer because it doesn't exist.
+
+ In most cases, you should use the vesafb ROM images. Example filename: libreboot_ukdvorak_vesafb.rom.
+
+ You device names (i.e. usb0, usb1, sd0, sd1, wd0, ahci0, hd0, etc) and numbers may differ. Use TAB completion.
+
+ Back to top of page.
+
+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Updated versions of the license (when available) can be found at
+ https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
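Review bot: The USB preparation steps go straight from checking dmesg to "Overwrite the drive, writing your distro ISO to it with dd" with no step for verifying the downloaded installer image. Please add one before the dd step (a checksum or signature check against the values the OpenBSD project publishes), along with a reminder to confirm the target device name first, since dd overwrites whatever it is pointed at. The boot command also hard-codes a release in "(usb0)/6.0/amd64/bsd.rd", so the text should say that the path depends on the release being installed. Minor: "a OpenBSD distribution", "Viola" and "You device names" need fixing.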
+ Libreboot on x86 uses the GRUB payload
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and its GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+
+ A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual
+ filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool'
+ allows you to change the contents of the ROM image. In this case, libreboot is configured
+ such that the 'grub.cfg' and 'grubtest.cfg' files exist directly inside CBFS instead of
+ inside the GRUB payload 'memdisk' (which is itself stored in CBFS).
+
+ You can either modify
+ the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration
+ file on the main storage which the libreboot GRUB payload will automatically search for.
+
+ Here is an excellent writeup about CBFS (coreboot filesystem):
+ http://lennartb.home.xs4all.nl/coreboot/col5.html.
+
+ This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.
+
+ Download the latest release from
+ http://libreboot.org/
+
+ There are several advantages to modifying the GRUB configuration stored in CBFS, but
+ this also means that you have to flash a new libreboot ROM image on your system (some users
+ feel intimidated by this, to say the least).
+ Doing so can be risky if not handled correctly, because it can result in a bricked
+ system (recovery is easy if you have the equipment
+ for it, but most people don't). If you aren't up to that then don't worry; it is possible
+ to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration
+ from a partition on the main storage instead.
+
+ By default, GRUB in libreboot is configured to scan all partitions on the main storage
+ for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot
+ is on a dedicated partition), and then use it automatically.
+
+ Simply create your custom GRUB configuration and save it to /boot/grub/libreboot_grub.cfg
+ on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to
+ this configuration file. This means that you do not have to re-flash, recompile or otherwise
+ modify libreboot at all!
+
+ Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written
+ specifically under the assumption that it will be read and used on a libreboot system that uses
+ GRUB as a payload. If your distribution does not do this, then you can try to add that feature
+ yourself or politely ask someone involved with or otherwise knowledgeable about the distribution
+ to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could
+ chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in
+ a partition on the main storage.
+
+ If you want to adapt a copy of the existing libreboot GRUB configuration and use that for the libreboot_grub.cfg file, then
+ follow #tools, #rom and
+ #extract_testconfig to get the grubtest.cfg.
+ Rename grubtest.cfg to libreboot_grub.cfg and save it to /boot/grub/
+ on the running system where it is intended to be used. Modify the file at that location however you see fit,
+ and then stop reading this guide (the rest of this page is irrelevant to you); in libreboot_grub.cfg on disk,
+ if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop..
+
+ You can modify what is stored inside the flash chip quite easily. Read on to find out how.
+
+ Use cbfstool and flashrom. There are available in the libreboot_util release archive,
+ or they can be compiled (see ../git/index.html#build_flashrom).
+ Flashrom is also available from the repositories:
+ You can either work directly with one of the ROM images already included in the libreboot ROM archives, or re-use the ROM that
+ you have currently flashed. For the purpose of this tutorial it is assumed that your ROM image file is named libreboot.rom,
+ so please make sure to adapt.
+
+ ROM images are included pre-compiled in libreboot. You can also dump your current firmware, using flashrom:
+ You can check the contents of the ROM image, inside CBFS:
+ The files grub.cfg and grubtest.cfg should be present. grub.cfg is loaded by default,
+ with a menuentry for switching to grubtest.cfg. In this tutorial, you will first modify and test grubtest.cfg.
+ This is to reduce the possibility of bricking your device, so DO NOT SKIP THIS!
+
+ Extract grubtest.cfg from the ROM image:
+ Modify the grubtest.cfg accordingly.
+
+ Once your grubtest.cfg is modified and saved, delete the unmodified config from the ROM image:
+ Next, insert the modified version:
+
+ Now you have a modified ROM. Refer back to ../install/index.html#flashrom for information
+ on how to flash it.
+ Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below.
+
+
+ If it does not work like you want it to, if you are unsure or sceptical in any way,
+ then re-do the steps above until you get it right! Do *not* proceed past this point
+ unless you are 100% sure that your new configuration is safe (or desirable) to use.
+
+
+ When you are satisfied booting from grubtest.cfg, you can create a copy of grubtest.cfg, called grub.cfg. This is the same except for one difference:
+ the menuentry 'Switch to grub.cfg' will be changed to 'Switch to grubtest.cfg' and inside it,
+ all instances of grub.cfg to grubtest.cfg. This is so that the main config still
+ links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in
+ case you ever want to follow this guide again in the future (modifying the already modified config). From /libreboot_util/cbfstool, do:
+ Delete the grub.cfg that remained inside the ROM:
+ Add the modified version that you just made:
+
+ Now you have a modified ROM. Again, refer back to ../install/index.html#flashrom for information
+ on how to flash it. It's the same method as you used before. Shut down and then boot up with your new configuration.
+
+
+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Updated versions of the license (when available) can be found at
+ https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
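Review bot: The paragraph saying GRUB will "scan all partitions on the main storage" for libreboot_grub.cfg "and then use it automatically" does not state the trust trade-off. A configuration picked up this way is only as trustworthy as the partition it sits on, while the copy in CBFS can only be changed by re-flashing. Please add a sentence on that, and on how this lookup interacts with the GRUB password set up in the encrypted Parabola guide in this same patch. Minor: "There are available" should be "They are available", and "From /libreboot_util/cbfstool" uses a leading slash and omits the architecture subdirectory that the Parabola guide gives as libreboot_util/cbfstool/{armv7l i686 x86_64}.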
+ This section relates to dealing with BSD distributions: preparing bootable USB drives,
+ changing the default GRUB menu and so on.
+
+ This section is only for the *GRUB* payload. For depthcharge, instructions have yet to be written.
+
+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Updated versions of the license (when available) can be found at
+ https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
- Post-installation configuration steps for Parabola GNU/Linux-libre. Parabola is extremely flexible; this is just an example.
-
- While not strictly related to the libreboot project, this guide
- is intended to be useful for those interested in installing
- Parabola on their libreboot system.
-
- It details configuration steps that I took after installing the base system,
- as a follow up to encrypted_parabola.html.
- This guide is likely to become obsolete at a later date (due to the volatile
- 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it.
-
-
- This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch
- with the libreboot project!
-
-
- You do not necessarily have to follow this guide word-for-word; parabola is extremely flexible.
- The aim here is to provide a common setup that most users will be happy with. While Parabola
- can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide
- all the same usability as Debian, without hiding any details from the user.
-
- Paradoxically, as you get more advanced Parabola can actually become easier to use
- when you want to set up your system in a special way compared to what most distributions provide.
- You will find over time that other distributions tend to get in your way.
-
-
- This guide assumes that you already have Parabola installed. If you have not yet installed Parabola,
- then this guide is highly recommended!
-
-
- A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses.
- Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries
- to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible.
- It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key,
- especially for new users.
-
- The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source),
- and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the
- Arch wiki.
-
- Some of these steps require internet access. I'll go into networking later but for now, I just connected
- my system to a switch and did:
- pacman (package manager) is the name of the package management system in Arch, which Parabola
- (as a deblobbed parallel effort) also uses. Like with 'apt-get' on Debian,
- this can be used to add/remove and update the software on your computer.
-
- Based on https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman
- and from reading https://wiki.archlinux.org/index.php/Pacman (make sure to read and understand this,
- it's very important) and
- https://wiki.parabolagnulinux.org/Official_Repositories
-
- In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:
-
- Before installing packages with 'pacman -S', always update first, using the notes above.
-
-
- Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages
- about maintenance steps that you will need to perform with certain files (typically configurations)
- after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues.
- If a new kernel is installed, you should also update to be able to use it (the currently running kernel will
- also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a
- rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This
- is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated.
- A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website,
- and more maintenance work.
-
- The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). The Parabola
- IRC channel (#parabola on freenode) can also help you.
-
- Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time
- in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event,
- like a presentation or sending an email to an important person before an allocated deadline, and so on.
-
- Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories
- exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free,
- so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in
- the rare event that they do occur.
-
- Parabola is a very simple distro, in the sense that you are in full control
- and everything is made transparent to you. One consequence is
- that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done
- with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro
- on another computer, for example).
-
-
- The following is very important as you continue to use, update and maintain your Parabola system:
- To clean out all old packages that are cached:
- The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo,
- if you encounter issues and want to revert back to an older package then it's useful to have the caches available.
- Only do this if you are sure that you won't need it.
-
- The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:
- The following table lists other distro package manager commands, and their equivalent in pacman:
- your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages
- from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola
- wiki for migrating - converting - an existing Arch system to a Parabola system), installing
- your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution
- is then to delete the offending packages, and continue installing your-freedom.
-
- Based on https://wiki.archlinux.org/index.php/Users_and_Groups.
-
- It is important (for security reasons) to create and use a non-root (non-admin) user account for everyday use. The default 'root' account is intended
- only for critical administrative work, since it has complete access to the entire operating system.
-
- Read the entire document linked to above, and then continue.
-
- Add your user:
- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
-
- This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it.
- Read https://wiki.archlinux.org/index.php/systemd
- and https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage
- to gain a full understanding. This is very important! Make sure to read them.
-
- An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others.
-
- https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 explains
- the background behind the decision by Arch (Parabola's upstream supplier) to use systemd.
-
- The manpage should also help:
- According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up.
- on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the
- log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki
- recommends 50MiB).
-
- Open /etc/systemd/journald.conf and find the line that says:
- The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12,
- and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it.
-
- Restart journald:
- The wiki recommends that if the journal gets too large, you can also simply delete (rm -Rf) everything inside /var/log/journald/*
- but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically
- start to delete older records when the journal size reaches it's limit (according to systemd developers).
-
- Finally, the wiki mentions 'temporary' files and the utility for managing them.
- I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files.
- The first one was etc.conf, containing information and a reference to this manpage:
- The systemd developers tell me that it isn't usually necessary to touch the systemd-tmpfiles utility manually at all.
-
- Parabola wiki at https://wiki.parabolagnulinux.org/Repositories#kernels
- mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available
- there, depending on your use case.
-
- I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:
- Now sync with the repository:
- List all available packages in this repository:
- In the end, I decided not to install anything from it but I kept the repository enabled regardless.
-
- Read https://wiki.archlinux.org/index.php/Configuring_Network.
-
- This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):
- Add the same hostname to /etc/hosts, on each line. Example:
- You'll note that I set both lines; the 2nd line is for IPv6. More and more ISPs are providing this now (mine does)
- so it's good to be forward-thinking here.
-
- The hostname utility is part of the inetutils package and is in core/, installed by default (as part of base).
-
- According to the Arch wiki, udev should already detect the ethernet chipset
- and load the driver for it automatically at boot time. You can check this in the "Ethernet controller" section
- when running this command:
- Look at the remaining sections 'Kernel driver in use' and 'Kernel modules'. In my case it was as follows:
- Check that the driver was loaded by issuing dmesg | grep module_name. In my case, I did:
- According to https://wiki.archlinux.org/index.php/Configuring_Network#Device_names,
- it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, systemd
- creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates.
- An example device name for your ethernet chipset would be enp0s25, where it is never supposed to change.
-
- If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends
- adding net.ifnames=0 to your kernel parameters (in libreboot context, this would be accomplished by following the
- instructions in grub_cbfs.html).
-
- For background information,
- read Predictable Network Interface Names
-
- Show device names:
- Changing the device names is possible (I chose not to do it):
- I actually chose to ignore most of Networking section on the wiki. Instead, I plan to set up LXDE desktop with the graphical
- network-manager client. Here is a list of network managers:
- Read https://wiki.archlinux.org/index.php/System_maintenance before continuing.
- Also read https://wiki.archlinux.org/index.php/Enhance_system_stability.
- This is important, so make sure to read them!
-
- Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you
- but the smart data comes from it. Therefore, don't rely on it too much):
- Based on steps from
- General Recommendations on the Arch wiki.
- The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE
- by default.
-
- Based on https://wiki.archlinux.org/index.php/Xorg.
-
- Firstly, install it!
- Install the driver. For me this was xf86-video-intel on the ThinkPad X60. T60 and macbook11/21 should be the same.
- Other drivers (not just video) can be found by looking at the xorg-drivers group:
- Mostly you will rely on a display manager, but in case you ever want to start X without one:
- <optional>
- Refer to https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg.
-
- Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you
- set in /etc/vconsole.conf earlier might not actually be the same in X.
-
- To see what layout you currently use, try this on a terminal emulator in X:
- In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout.
-
- I'll just say it now: XkbModel can be pc105 in this case (ThinkPad X60, with a 105-key UK keyboard).
- If you use an American keyboard (typically 104 keys) you will want to use pc104.
-
- XkbLayout in my case would be gb, and XkbVariant would be dvorak.
-
- The Arch wiki recommends two different methods for setting the keyboard layout:
- In my case, I chose to use the configuration file method:
- For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then
- you don't even need to do anything (though it might help, for the sake of being explicit).
-
- Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight
- and does everything that I need.
- If you would like to try something different, refer to
- https://wiki.archlinux.org/index.php/Desktop_environment
-
- Refer to https://wiki.archlinux.org/index.php/LXDE.
-
- Install it, choosing 'all' when asked for the default package list:
- I didn't want the following, so I removed them:
- I also lazily installed all fonts:
- And a mail client:
- In IceCat, go to Preferences :: Advanced and disable GNU IceCat Health Report.
-
- I also like to install these:
- Enable LXDM (the default display manager, providing a graphical login):
- Log in with your standard (non-root) user that you created earlier.
- It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm.
- Read https://wiki.archlinux.org/index.php/Xinitrc.
-
- Open LXterminal:
- In Digital Clock Settings (right click the clock) I set the Clock Format to %Y/%m/%d %H:%M:%S
-
- Arch wiki recommends to use xscreensaver:
- Under Preferences :: Screensaver in the LXDE menu, I chose Mode: Blank Screen Only,
- setting Blank After, Cycle After and Lock Screen After (checked) to 10 minutes.
-
- You can now lock the screen with Logout :: Lock Screen in the LXDE menu.
-
- Refer to https://wiki.archlinux.org/index.php/File_manager_functionality.
-
- I chose to ignore this for now. NOTE TO SELF: come back to this later.
-
- When closing the laptop lid, the system suspends. This is annoying at least to me.
- NOTE TO SELF: disable it, then document the steps here.
-
- Right click lxde panel and Add/Remove Panel Items. Click Add and select Battery Monitor, then click Add.
- Close and then right-click the applet and go to Battery Monitor Settings, check the box that says Show Extended Information.
- Now click Close. When you hover the cursor over it, it'll show information about the battery.
-
- Refer to https://wiki.archlinux.org/index.php/LXDE#Network_Management.
- Then I read: https://wiki.archlinux.org/index.php/NetworkManager.
-
- Install Network Manager:
- You will also want the graphical applet:
- I want to be able to use a VPN at some point, so the wiki tells me to do:
- LXDE uses openbox, so I refer to:
- It tells me for the applet I need:
- I wanted to quickly enable networkmanager:
- Restart LXDE (log out, and then log back in).
-
- I added the volume control applet to the panel (right click panel, and add a new applet).
- I also later changed the icons to use the gnome icon theme, in lxappearance.
-
- Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
- Updated versions of the license (when available) can be found at
- https://creativecommons.org/licenses/by-sa/4.0/legalcode
-
- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
- The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
-
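Review bot: The journal paragraph in these removed lines ("delete (rm -Rf) everything inside /var/log/journald/*") names a directory that journald does not use; the persistent journal is stored under /var/log/journal/. If this text is carried into the replacement file, correct the path there so nobody runs rm -Rf against the wrong location. Fix "it's limit" to "its limit" in the same sentence, and fix "en (for enternet)" to "ethernet" in the device-names paragraph.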
- The libreboot project recommends Debian, because it is more stable and up to date,
- while still being entirely free software by default. Leah Rowe, libreboot's
- lead maintainer, also uses Debian. See:
- ../distros/
-
- Libreboot on x86 uses the GRUB payload
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and its GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
-
- On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
- This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
- can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
- payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
- access to the system.
-
- This guide is written for Debian.
- This also works in Trisquel 7 (probably Trisquel 8), and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode).
- How to boot a GNU/Linux installer.
-
- This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.
-
- Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
-
- Set a strong user password (lots of lowercase/uppercase, numbers and symbols).
-
- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
-
- when the installer asks you to set up
- encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it
- will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended.
- Choose 'no'.
-
-
- Your user password should be different from the LUKS password which you will set later on.
- Your LUKS password should, like the user password, be secure.
-
- Choose 'Manual' partitioning:
- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
-
- Installation will ask what kernel you want to use. linux-generic is fine.
-
- Choose "Trisquel Desktop Environment" if you want GNOME,
- "Trisquel-mini Desktop Environment" if you
- want LXDE or "Triskel Desktop Environment" if you want KDE.
- If you want to have no desktop (just a basic shell)
- when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything).
- You might also want to choose some of the other package groups; it's up to you.
-
- For Debian, use the MATE option, or one of the others if you want.
-
- On Debian or Trisquel, you may also want to select the option for a printer server,
- so that you can print.
-
- If you want debian-testing, then you should only select barebones options here
- and change the entries in /etc/apt/sources.list after install to point to the new distro,
- and then run apt-get update and apt-get dist-upgrade
- as root, then reboot and run tasksel as root. This is to avoid downloading large
- packages twice.
-
- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.)
-
- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
- You could also choose 'No'. Choice is irrelevant here.
-
- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.
-
- Just say 'Yes'.
-
- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
-
- Do that:
- If you didn't encrypt your home directory, then you can safely ignore this section.
-
- Immediately after logging in, do that:
- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
- somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
-
- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
-
- Modify your grub.cfg (in the firmware) using this tutorial;
- just change the default menu entry 'Load Operating System' to say this inside:
-
- cryptomount -a
- Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes.
- You can also specify -u UUID or -a (device).
-
- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
- GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.
-
- Use of the diceware method is recommended, for generating secure passphrases (as opposed to passwords).
-
- The GRUB utility can be used like so:
- Give it a password (remember, it has to be secure) and it'll output something like:
- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
-
- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
- MAKE SURE TO DO THIS ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg.
- Then select the menu entry that says Switch to grubtest.cfg and test that it works.
- Then copy that to grub.cfg once you're satisfied.
- WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.
-
- (emphasis added, because it's needed. This is a common roadblock for users)
-
- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
-
- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
- using this tutorial.
-
- A user reported issues when booting with a docking station attached
- on an X200, when decrypting the disk in GRUB. The error
- AHCI transfer timed out was observed. The workaround
- was to remove the docking station.
-
- Further investigation revealed that it was the DVD drive causing problems.
- Removing that worked around the issue.
-
- Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
- Updated versions of the license (when available) can be found at
- https://creativecommons.org/licenses/by-sa/4.0/legalcode
-
- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
- The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
-
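Review bot: The cryptomount explanation ("You can also specify -u UUID or -a (device)") reads as if -a takes a device argument, but the sentence before it correctly says -a unlocks all detected LUKS volumes; a single device is passed as a bare argument without -a. If this wording moves to the new file, change it to "-u UUID or (device)". In the same hunk, the ecryptfs paragraph says both "select 'Yes' if you want to" and "Choose 'no'" once the markup is gone, so state a single recommendation. The recovery-note sentence also ends in a stray ">".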
- Libreboot on x86 uses the GRUB payload
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and it's GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
-
- On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
- This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
- can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
- payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
- access to the system.
-
- This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.
-
- This guide is intended for the Parabola distribution, but it should also work (with some adaptation)
- for Arch.
- We recomend using Parabola, which is a version of Arch that removes all
- proprietary software, both in the default installation and in the package repositories. It usually lags
- behind Arch by only a day or two, so it is still usable for most people.
- See Arch to Parabola migration guide.
-
- Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
-
- Boot Parabola's install environment. How to boot a GNU/Linux installer.
-
- For this guide I used the 2015 08 01 image to boot the live installer and install the system.
- This is available at this page.
-
- This guide will go through the installation steps taken at the time of writing, which may or may not change due to
- the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes,
- please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to
- the Parabola wiki. This guide essentially cherry picks the useful information (valid at the
- time of writing: 2015-08-25).
- This section deals with wiping the storage device on which you plan to install Parabola
- GNU/Linux. Follow these steps, but if you use an SSD, also:
-
-
- - beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it.
- See this page
- for more info.
- - make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data.
- - make sure to read this article. Edit /etc/fstab later on when
- chrooted into your install. Also, read the whole article and keep all points in mind, adapting them for this guide.
-
- Securely wipe the drive:
- If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
- it is already 'wiped'. You should just wipe the LUKS header.
- https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/
- showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm going to use urandom. Do this:
- Parabola live shell assumes US Qwerty. If you have something different, list the available keymaps and use yours:
- Refer to this guide. Wired is recommended,
- but wireless is also explained there.
-
- The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide.
- Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first.
-
- device-mapper will be used - a lot. Make sure that the kernel module is loaded:
- Note that the default iteration time is 2000ms (20 seconds) if not specified
- in cryptsetup. You should set a lower time than this, otherwise there will be
- an approximate 20 second delay when booting your system.
- We recommend 500ms (5 seconds), and this is included in the prepared
- cryptsetup command below.
- Note that the iteration time is for security purposes (mitigates
- brute force attacks), so anything lower than 5 seconds is probably
- not ok.
-
- I am using MBR partitioning, so I use cfdisk:
- I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83).
-
- Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
- Parabola forces you to RTFM. Do that.
-
- It tells me to run:
- Following that page, based on my requirements, I do the following based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode.
- Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option.
-
- I am initializing LUKS with the following:
- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
-
- Now I refer to https://wiki.archlinux.org/index.php/LVM.
-
- Open the LUKS partition:
- Create LVM partition:
- Now I create the volume group, inside of which the logical volumes will be created:
- Now create the logical volumes:
- Verify that the logical volumes were created, using the following command:
- For the swapvol LV I use:
- For the root LV I use:
- Mount the root (/) partition:
- This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola
- so that the guide can continue.
-
- Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide.
- I also cross referenced https://wiki.archlinux.org/index.php/Installation_guide.
-
- Create /home and /boot on root mountpoint:
- Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola.
-
- In /etc/pacman.d/mirrorlist, comment out all lines except the Server line closest to where you are (I chose the UK Parabola
- server (main server)) and then did:
- <troubleshooting>
- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog/iw/wpa_actiond are needed for wireless after the install:
- Generate an fstab - UUIDs are used because they have certain advantages (see https://wiki.parabola.nu/Fstab#Identifying_filesystems.
- If you prefer labels instead, replace the -U option with -L):
- Chroot into new system:
- It's a good idea to have this installed:
- It was also suggested that you should install this kernel (read up on what GRSEC is):
- This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels
- that can be used as a fallback during updates, if a bad kernel causes issues for you.
-
- Parabola does not have wget. This is sinister. Install it:
- Locale:
- Console font and keymap:
- Time zone:
- Hardware clock:
- Hostname:
- Write your hostname to /etc/hostname. For example, if your hostname is parabola: Configure the network:
- Refer to https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network.
- Mkinitcpio:
- Configure /etc/mkinitcpio.conf as needed (see https://wiki.parabola.nu/Mkinitcpio).
- Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in /usr/lib/initcpio/install. (# mkinitcpio -H hookname gives information about each hook.)
- Specifically, for this use case:
- Now using mkinitcpio, you can create the kernel and ramdisk for booting with (this is different from Arch, specifying linux-libre instead of linux):
- Set the root password:
- At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to https://wiki.archlinux.org/index.php/SHA_password_hashes.
- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
-
- Based on https://wiki.archlinux.org/index.php/Security.
-
- Restrict access to important directories:
- Lockout user after three failed login attempts:
- Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date.
- If this is a single-user system, you don't really need sudo.
-
- Exit from chroot:
- unmount:
- deactivate the lvm lv's:
- Lock the encrypted partition (close it):
- # shutdown -h now
- Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional
- (using those 2 underlines will boot lts kernel instead of normal).
-
- grub> cryptomount -a
- You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
-
- We will modify grub.config inside the ROM and do all kinds of fun stuff, but I recommend that you first transform the current bare-bones Parabola install into a more useable system.
- Doing so will make the upcoming ROM modifications MUCH easier to perform and less risky!
- configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic
- system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system.
- Parabola is user-centric, which means that you are in control. For more information, read The Arch Way
- (Parabola also follows it).
-
- (Re-)log in to your system, pressing C, so booting manually from GRUB (see above). You need to modify the ROM, so that Parabola can boot automatically with this configuration.
- grub_cbfs.html shows you how. Follow that guide, using the configuration details below.
- If you go for option 2 (re-flash), promise to do this on grubtest.cfg first! We can't emphasise this enough. This is to reduce the possibility of bricking your device!
-
- I will go for the re-flash option here. Firstly, cd to the libreboot_util/cbfstool/{armv7l i686 x86_64} directory.
- Dump the current firmware - where libreboot.rom is an example: make sure to adapt:
- In grubtest.cfg, inside the 'Load Operating System' menu entry, change the contents to:
-
- Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels.
- You could also copy the menu entry and in one have -lts, and without in the other menuentry.
- You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
- The first entry will load by default.
-
- Without specifying a device, the -a parameter tries to unlock all detected LUKS volumes.
- You can also specify -u UUID or -a (device).
-
- Now, to protect your system from an attacker simply booting a live usb distro and re-flashing the boot firmware, we are going to add a password for GRUB.
- In a new terminal window, if you are not yet online, start dhcp on ethernet:
- Use of the diceware method is recommended, for generating secure passphrases (instead of passwords).
-
- AGAIN: MAKE SURE TO DO THIS WHOLE SECTION ON grubtest.cfg *BEFORE* DOING IT ON grub.cfg.
- (When we get there, upon reboot, select the menu entry that says Switch to grubtest.cfg and test that it works.
- Only once you are satisfied, copy that to grub.cfg. Only a few steps to go, though.)
- WHY? BECAUSE AN INCORRECTLY SET PASSWORD CONFIG MEANS YOU CAN'T AUTHENTICATE, WHICH MEANS 'BRICK'.
-
- (emphasis added, because it's needed: this is a common roadblock for users.)
-
- We need a utility that comes with GRUB, so we will download it temporarily. (Remember that GRUB isn't needed for booting, since it's already included as a payload in libreboot.)
- Also, we will use flashrom, and I installed dmidecode. You only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here
- it is:
- The password below (it's password, by the way) after 'password_pbkdf2 root' should be changed to your own.
- Make sure to specify a password that is different from both your LUKS *and* your root/user password.
- Obviously, do not simply copy and paste the examples shown here...
-
- Next, back in grubtest.cfg, above the first 'Load Operating System' menu entry, you should now add your GRUB password, like so
- (replace with your own name (I used root on both lines, feel free to choose another one) and the password hash which you copied):
-
- Save your changes in grubtest.cfg, then delete the unmodified config from the ROM image:
- Now refer to http://libreboot.org/docs/install/index.html#flashrom.
- Cd (up) to the libreboot_util directory and update the flash chip contents:
- With this new configuration, Parabola can boot automatically and you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal.
- Let's test it out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow keys on your keyboard.
- Enter the name you chose, the GRUB password, your LUKS passphrase and login as root/your user. All went well? Great!
-
- If it does not work like you want it to, if you are unsure or sceptical in any way, don't despair: you have been wise and did not brick your device! Reboot and login the default way, and then modify
- your grubtest.cfg until you get it right!
- Do *not* proceed past this point unless you are 100% sure that your new configuration is safe (or desirable) to use.
-
- Now, we can easily and safely create a copy of grubtest.cfg, called grub.cfg. This will be the same except for one difference: the menuentry 'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg'
- and, inside it, all instances of grub.cfg to grubtest.cfg. This is so that the main config still links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in case you ever
- want to follow this guide again in the future (modifying the already modified config).
- Inside libreboot_util/cbfstool/{armv7l i686 x86_64}, we can do this with the following command:
- Now you have a modified ROM. Once more, refer to http://libreboot.org/docs/install/index.html#flashrom.
- Cd to the libreboot_util directory and update the flash chip contents:
- When done, delete GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility;
- GRUB is already part of libreboot, flashed alongside it as a payload):
- If you followed all that correctly, you should now have a fully encrypted Parabola installation.
- Refer to the wiki for how to do the rest.
-
- By default, you will have to enter your LUKS passphrase twice; once in GRUB, and once when booting the kernel.
- GRUB unlocks the encrypted partition and then loads the kernel, but the kernel is not aware of the fact
- that it is being loaded from an encrypted volume. Therefore, you will be asked to enter your passphrase a second time.
- A workaround is to put a keyfile inside initramfs, with instructions for the kernel to use it when
- booting. This is safe, because /boot/ is encrypted (otherwise, putting a keyfile inside initramfs would be a bad idea).
- https://wiki.archlinux.org/index.php/Security.
- A user reported issues when booting with a docking station attached
- on an X200, when decrypting the disk in GRUB. The error
- AHCI transfer timed out was observed. The workaround
- was to remove the docking station.
-
- Further investigation revealed that it was the DVD drive causing problems.
- Removing that worked around the issue.
-
- Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>
- Updated versions of the license (when available) can be found at
- https://creativecommons.org/licenses/by-sa/4.0/legalcode
-
- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
- The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
-
- This section relates to preparing, booting and installing a
- OpenBSD distribution on your libreboot system, using nothing more than a USB flash drive (and dd). They've only been tested on a Lenovo ThinkPad x200.
-
- This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions
- have yet to be written in the libreboot documentation.
-
- Connect the USB drive. Check dmesg:
- Check that it wasn't automatically mounted. If it was, unmount it. For example:
- dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:
- You should now be able to boot the installer from your USB drive. Continue reading, for
- information about how to do that.
-
- Back to top of page.
-
- Press C in GRUB to access the command line:
-
- grub> kopenbsd (usb0)/6.0/amd64/bsd.rd
-
- It will start booting into the OpenBSD installer. Follow the normal process for installing OpenBSD.
-
- Back to top of page.
-
- Not working. You can modify the above procedure (installation w/o encryption) to install OpenBSD using full disk encryption, and it appears to work, except that its not yet clear how to actually boot an OpenBSD+FDE installation using libreboot+Grub2. If you get it working, please let us know.
-
- Back to top of page.
-
- Press C in GRUB to access the command line:
-
- grub> kopenbsd -r sd0a (ahci0,openbsd1)/bsd
-
- OpenBSD will start booting. Yay!
-
- Back to top of page.
-
- If you don't want to drop to the GRUB command line and type in a command to boot OpenBSD every time, you can create a GRUB configuration that's aware of your OpenBSD installation and that will automatically be used by libreboot. The instructions are the same as for GNU/Linux.
-
- In short, create a Grub2 config file that will add OpenBSD to the GRUB menu and set it as the default. Place your config at /grub/libreboot_grub.cfg. Reboot. Viola.
-
- Back to top of page.
-
- Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer.
- This mode is useful for booting payloads like memtest86+ which expect text-mode, but for OpenBSD distributions
- it can be problematic when they are trying to switch to a framebuffer because it doesn't exist.
-
- In most cases, you should use the vesafb ROM images. Example filename: libreboot_ukdvorak_vesafb.rom.
-
- You device names (i.e. usb0, usb1, sd0, sd1, wd0, ahci0, hd0, etc) and numbers may differ. Use TAB completion.
-
- Back to top of page.
-
- Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
- Updated versions of the license (when available) can be found at
- https://creativecommons.org/licenses/by-sa/4.0/legalcode
-
- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
- The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
-
- Libreboot on x86 uses the GRUB payload
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and its GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
-
- A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual
- filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool'
- allows you to change the contents of the ROM image. In this case, libreboot is configured
- such that the 'grub.cfg' and 'grubtest.cfg' files exist directly inside CBFS instead of
- inside the GRUB payload 'memdisk' (which is itself stored in CBFS).
-
- You can either modify
- the GRUB configuration stored in the flash chip, or you can modify a GRUB configuration
- file on the main storage which the libreboot GRUB payload will automatically search for.
-
- Here is an excellent writeup about CBFS (coreboot filesystem):
- http://lennartb.home.xs4all.nl/coreboot/col5.html.
-
- This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.
-
- Download the latest release from
- http://libreboot.org/
-
- There are several advantages to modifying the GRUB configuration stored in CBFS, but
- this also means that you have to flash a new libreboot ROM image on your system (some users
- feel intimidated by this, to say the least).
- Doing so can be risky if not handled correctly, because it can result in a bricked
- system (recovery is easy if you have the equipment
- for it, but most people don't). If you aren't up to that then don't worry; it is possible
- to use a custom GRUB menu without flashing a new image, by loading a GRUB configuration
- from a partition on the main storage instead.
-
- By default, GRUB in libreboot is configured to scan all partitions on the main storage
- for /boot/grub/libreboot_grub.cfg or /grub/libreboot_grub.cfg(for systems where /boot
- is on a dedicated partition), and then use it automatically.
-
- Simply create your custom GRUB configuration and save it to /boot/grub/libreboot_grub.cfg
- on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to
- this configuration file. This means that you do not have to re-flash, recompile or otherwise
- modify libreboot at all!
-
- Ideally, your distribution should automatically generate a libreboot_grub.cfg file that is written
- specifically under the assumption that it will be read and used on a libreboot system that uses
- GRUB as a payload. If your distribution does not do this, then you can try to add that feature
- yourself or politely ask someone involved with or otherwise knowledgeable about the distribution
- to do it for you. The libreboot_grub.cfg could either contain the full configuration, or it could
- chainload another GRUB ELF executable (built to be used as a coreboot payload) that is located in
- a partition on the main storage.
-
- If you want to adapt a copy of the existing libreboot GRUB configuration and use that for the libreboot_grub.cfg file, then
- follow #tools, #rom and
- #extract_testconfig to get the grubtest.cfg.
- Rename grubtest.cfg to libreboot_grub.cfg and save it to /boot/grub/
- on the running system where it is intended to be used. Modify the file at that location however you see fit,
- and then stop reading this guide (the rest of this page is irrelevant to you); in libreboot_grub.cfg on disk,
- if you are adapting it based on grub.cfg from CBFS then remove the check for libreboot_grub.cfg otherwise it will loop..
-
- You can modify what is stored inside the flash chip quite easily. Read on to find out how.
-
- Use cbfstool and flashrom. There are available in the libreboot_util release archive,
- or they can be compiled (see ../git/index.html#build_flashrom).
- Flashrom is also available from the repositories:
- You can either work directly with one of the ROM images already included in the libreboot ROM archives, or re-use the ROM that
- you have currently flashed. For the purpose of this tutorial it is assumed that your ROM image file is named libreboot.rom,
- so please make sure to adapt.
-
- ROM images are included pre-compiled in libreboot. You can also dump your current firmware, using flashrom:
- You can check the contents of the ROM image, inside CBFS:
- The files grub.cfg and grubtest.cfg should be present. grub.cfg is loaded by default,
- with a menuentry for switching to grubtest.cfg. In this tutorial, you will first modify and test grubtest.cfg.
- This is to reduce the possibility of bricking your device, so DO NOT SKIP THIS!
-
- Extract grubtest.cfg from the ROM image:
- Modify the grubtest.cfg accordingly.
-
- Once your grubtest.cfg is modified and saved, delete the unmodified config from the ROM image:
- Next, insert the modified version:
-
- Now you have a modified ROM. Refer back to ../install/index.html#flashrom for information
- on how to flash it.
- Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below.
-
-
- If it does not work like you want it to, if you are unsure or sceptical in any way,
- then re-do the steps above until you get it right! Do *not* proceed past this point
- unless you are 100% sure that your new configuration is safe (or desirable) to use.
-
-
- When you are satisfied booting from grubtest.cfg, you can create a copy of grubtest.cfg, called grub.cfg. This is the same except for one difference:
- the menuentry 'Switch to grub.cfg' will be changed to 'Switch to grubtest.cfg' and inside it,
- all instances of grub.cfg to grubtest.cfg. This is so that the main config still
- links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in
- case you ever want to follow this guide again in the future (modifying the already modified config). From /libreboot_util/cbfstool, do:
- Delete the grub.cfg that remained inside the ROM:
- Add the modified version that you just made:
-
- Now you have a modified ROM. Again, refer back to ../install/index.html#flashrom for information
- on how to flash it. It's the same method as you used before. Shut down and then boot up with your new configuration.
-
-
- Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
- Updated versions of the license (when available) can be found at
- https://creativecommons.org/licenses/by-sa/4.0/legalcode
-
- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
- The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
- Configuring Parabola (post-install)
+ Table of Contents
+
+
+
+
+ # systemctl start dhcpcd.service
+ You can stop it later by running:
+ # systemctl stop dhcpcd.service
+ For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:
+ Setup network connection in Parabola
+ Configure pacman
+ Updating Parabola
+
+ # pacman -Syy
+ (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date,
+ which can be useful when switching to another mirror).
+ Then, update the system:
+ # pacman -Syu
+ Maintaining Parabola
+ Cleaning the package cache
+
+ https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache.
+ Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache
+ of old package information, updated automatically when you do anything in pacman).
+
+
+ # pacman -Sc
+
+ # pacman -Scc
+ This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used
+ when disk space is at a premium.
+ pacman command equivalents
+
+ https://wiki.archlinux.org/index.php/Pacman_Rosetta
+ your-freedom
+ Add a user
+
+ # useradd -m -G wheel -s /bin/bash yourusername
+ Set a password:
+ # passwd yourusername
+ systemd
+
+ # man systemd
+ The section on 'unit types' is especially useful.
+
+ #SystemMaxUse=
+ Change it to say:
+ SystemMaxUse=50M
+
+ # systemctl restart systemd-journald
+
+ # man systemd-tmpfiles
+ The command for 'clean' is:
+ # systemd-tmpfiles --clean
+ According to the manpage, this "cleans all files and directories with an age parameter".
+ According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/
+ to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations
+ to get a better understanding.
+
+ # man tmpfiles.d
+ Read that manpage, and then continue studying all the files.
+ Interesting repositories
+
+
+ [kernels]
+ Include = /etc/pacman.d/mirrorlist
+
+
+ # pacman -Syy
+
+ # pacman -Sl kernels
+ Setup a network connection in Parabola
+ Set the hostname
+
+ # hostnamectl set-hostname yourhostname
+ This writes the specified hostname to /etc/hostname. More information can be found in these manpages:
+ # man hostname
+ # info hostname
+ # man hostnamectl
+
+
+ 127.0.0.1 localhost.localdomain localhost myhostname
+ ::1 localhost.localdomain localhost myhostname
+
+ Network Status
+
+ # lspci -v
+
+
+ Kernel driver in use: e1000e
+ Kernel modules: e1000e
+
+
+ # dmesg | grep e1000e
+ Network device names
+
+ # ls /sys/class/net
+
+ https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name
+ Network setup
+
+ https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers.
+ If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd.
+ NetworkManager will be setup later, after installing LXDE.
+ System Maintenance
+
+ # pacman -S smartmontools
+ Read https://wiki.archlinux.org/index.php/S.M.A.R.T. to learn how to use it.
+ Configuring the desktop
+ Installing Xorg
+
+ # pacman -S xorg-server
+ I also recommend installing this (contains lots of useful tools, including xrandr):
+ # pacman -S xorg-server-utils
+
+ # pacman -S xf86-video-intel
+ For other systems you can try:
+ # pacman -Ss xf86-video- | less
+ Combined with looking at your lspci output, you can determine which driver is needed.
+ By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration.
+
+ # pacman -Sg xorg-drivers
+
+ # pacman -S xorg-xinit
+
+ Arch wiki recommends installing these, for testing that X works:
+ # pacman -S xorg-twm xorg-xclock xterm
+ Refer to https://wiki.archlinux.org/index.php/Xinitrc.
+ and test X:
+ # startx
+ When you are satisfied, type exit in xterm, inside the X session.
+ Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm
+ </optional>
+ Xorg keyboard layout
+
+ # setxkbmap -print -verbose 10
+
+ https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files and
+ https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl.
+
+ Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:
+
+ Section "InputClass"
+ Identifier "system-keyboard"
+ MatchIsKeyboard "on"
+ Option "XkbLayout" "gb"
+ Option "XkbModel" "pc105"
+ Option "XkbVariant" "dvorak"
+ EndSection
+
+ Install LXDE
+
+ # pacman -S lxde obconf
+
+ # pacman -R lxmusic lxtask
+
+ # pacman -S $(pacman -Ssq ttf-)
+
+ # pacman -S icedove
+
+ # pacman -S xsensors stress htop
+
+ # systemctl enable lxdm.service
+ It will start when you boot up the system. To start it now, do:
+ # systemctl start lxdm.service
+
+ $ cp /etc/skel/.xinitrc ~
+ Open .xinitrc and add the following plus a line break at the bottom of the file.
+
+ # Probably not needed. The same locale info that we set before
+ # Based on advice from the LXDE wiki
+ export LC_ALL=en_GB.UTF-8
+ export LANGUAGE=en_GB.UTF-8
+ export LANG=en_GB.UTF-8
+
+ # Start lxde desktop
+ exec startlxde
+
+ Now make sure that it is executable:
+ $ chmod +x .xinitrc
+ LXDE - clock
+ LXDE - screenlock
+
+ # pacman -S xscreensaver
+ LXDE - automounting
+ LXDE - disable suspend
+ LXDE - battery monitor
+ LXDE - Network Manager
+
+ # pacman -S networkmanager
+
+ # pacman -S network-manager-applet
+ Arch wiki says that an autostart rule will be written at /etc/xdg/autostart/nm-applet.desktop
+
+ # pacman -S networkmanager-openvpn
+
+ https://wiki.archlinux.org/index.php/NetworkManager#Openbox.
+
+ # pacman -S xfce4-notifyd gnome-icon-theme
+ Also, for storing authentication details (wifi) I need:
+ # pacman -S gnome-keyring
+
+ # systemctl stop dhcpcd
+ # systemctl start NetworkManager
+ Enable NetworkManager at boot time:
+ # systemctl enable NetworkManager
+
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
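Review bot: In the Xorg test step, the line "Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm" uses -S, which installs (or reinstalls) the packages rather than removing them; removal is -R, as the later "# pacman -R lxmusic lxtask" line already does. The list also names xorg-xinit, which provides startx and is what the later .xinitrc step is written for, so the cleanup should probably read "# pacman -R xorg-twm xorg-xclock xterm". The "</optional>" on the following line has no visible opening counterpart in the added text and should be dropped or paired.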
+ Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot)
+ Partitioning
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Further partitioning
+
+
+
+
+
+
+
+
+ Kernel
+
+ Tasksel (Debian or Trisquel)
+
+ Postfix configuration
+
+ Install the GRUB boot loader to the master boot record
+
+ Clock UTC
+
+
+ Booting your system
+
+
+
+ grub> cryptomount -a
+ grub> set root='lvm/matrix-root'
+ grub> linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
+ grub> initrd /initrd.img
+ grub> boot
+
+ ecryptfs
+
+
+
+ $ sudo ecryptfs-unwrap-passphrase
+
+ Modify grub.cfg (CBFS)
+
+
+
+ set root='lvm/matrix-root'
+ linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
+ initrd /initrd.img
+
+ $ grub-mkpasswd-pbkdf2
+
+ grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+
+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+
+ Troubleshooting
+
+
+
+"sudo wodim -prcap" shows information about the drive:
+Device was not specified. Trying to find an appropriate drive...
+Detected CD-R drive: /dev/sr0
+Using /dev/cdrom of unknown capabilities
+Device type : Removable CD-ROM
+Version : 5
+Response Format: 2
+Capabilities :
+Vendor_info : 'HL-DT-ST'
+Identification : 'DVDRAM GU10N '
+Revision : 'MX05'
+Device seems to be: Generic mmc2 DVD-R/DVD-RW.
+
+Drive capabilities, per MMC-3 page 2A:
+
+ Does read CD-R media
+ Does write CD-R media
+ Does read CD-RW media
+ Does write CD-RW media
+ Does read DVD-ROM media
+ Does read DVD-R media
+ Does write DVD-R media
+ Does read DVD-RAM media
+ Does write DVD-RAM media
+ Does support test writing
+
+ Does read Mode 2 Form 1 blocks
+ Does read Mode 2 Form 2 blocks
+ Does read digital audio blocks
+ Does restart non-streamed digital audio reads accurately
+ Does support Buffer-Underrun-Free recording
+ Does read multi-session CDs
+ Does read fixed-packet CD media using Method 2
+ Does not read CD bar code
+ Does not read R-W subcode information
+ Does read raw P-W subcode data from lead in
+ Does return CD media catalog number
+ Does return CD ISRC information
+ Does support C2 error pointers
+ Does not deliver composite A/V data
+
+ Does play audio CDs
+ Number of volume control levels: 256
+ Does support individual volume control setting for each channel
+ Does support independent mute setting for each channel
+ Does not support digital output on port 1
+ Does not support digital output on port 2
+
+ Loading mechanism type: tray
+ Does support ejection of CD via START/STOP command
+ Does not lock media on power up via prevent jumper
+ Does allow media to be locked in the drive via PREVENT/ALLOW command
+ Is not currently in a media-locked state
+ Does not support changing side of disk
+ Does not have load-empty-slot-in-changer feature
+ Does not support Individual Disk Present feature
+
+ Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Rotational control selected: CLV/PCAV
+ Buffer size in KB: 1024
+ Copy management revision supported: 1
+ Number of supported write speeds: 4
+ Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
+ Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
+ Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
+ Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
+
+Supported CD-RW media types according to MMC-4 feature 0x37:
+ Does write multi speed CD-RW media
+ Does write high speed CD-RW media
+ Does write ultra high speed CD-RW media
+ Does not write ultra high speed+ CD-RW media
+
+
+
+
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
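Review bot: The "Modify grub.cfg (CBFS)" example prints a complete grub-mkpasswd-pbkdf2 result and repeats the same literal value on the "password_pbkdf2 root ..." line, so a reader who pastes the block ends up with a GRUB superuser protected by the documentation's password instead of their own. Suggest replacing both occurrences with an obvious placeholder (for example "password_pbkdf2 root grub.pbkdf2.sha512.10000.YOUR_SALT.YOUR_HASH") and stating next to the block that the value must come from the reader's own grub-mkpasswd-pbkdf2 run. As a smaller point, the "wodim -prcap" dump under Troubleshooting could be cut down to the Vendor_info, Identification and Revision lines, which are the part that identifies the drive.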
+ Installing Parabola or Arch GNU/Linux with full disk encryption (including /boot)
+
+ # dd if=/dev/urandom of=/dev/sda; sync
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
+ use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
+ erase block size is. For example if it was 2MiB:
+ # dd if=/dev/urandom of=/dev/sda bs=2M; sync
+
+ # head -c 3145728 /dev/urandom > /dev/sda; sync
+ (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
+
+ Change keyboard layout
+
+
+ # localectl list-keymaps
+ # loadkeys LAYOUT
+ For me, LAYOUT would have been dvorak-uk.
+ Establish an internet connection
+ Getting started
+ dm-mod
+
+ # modprobe dm-mod
+ Create LUKS partition
+
+ # cfdisk /dev/sda
+
+ I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption.
+
+ # cryptsetup benchmark (for making sure the list below is populated)
+ Then:
+ # cat /proc/crypto
+ This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second).
+ To gain a better understanding, I am also reading:
+ # man cryptsetup
+
+ # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1
+ Choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The
+ password length should be as long as you are able to handle without writing it down or storing it anywhere.
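Review bot: The luksFormat line passes "--iter-time 500", which is half a second of key-derivation work (measured on the machine running luksFormat) per passphrase attempt, while the text just above it says security is the priority and speed a distant second; nothing in the added lines explains the choice. If the low value is there to keep the unlock in GRUB tolerable, say so and spell out the trade-off in offline guessing cost; otherwise raise it or drop the option. The passphrase advice that follows ("as long as you are able to handle without writing it down") matters more with an iteration time this short, so it is worth tying the two together in the text.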
+ Create LVM
+
+ # cryptsetup luksOpen /dev/sda1 lvm
+ (it will be available at /dev/mapper/lvm)
+
+ # pvcreate /dev/mapper/lvm
+ Show that you just created it:
+ # pvdisplay
+
+ # vgcreate matrix /dev/mapper/lvm
+ (volume group name is 'matrix' - choose your own name, if you like)
+ Show that you created it:
+ # vgdisplay
+
+ # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
+ Again, choose your own name if you like. Also, make sure to choose a swap size of your own needs. It basically depends on how much RAM
+ you have installed. I refer to http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space.
+ # lvcreate -l +100%FREE matrix -n root (single large partition in the rest of the space, named root)
+ You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example,
+ if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system).
+ For a home/laptop system (typical use case), a root and a swap will do (really).
+
+ # lvdisplay
+ Create / and swap partitions, and mount
+
+ # mkswap /dev/mapper/matrix-swapvol
+ Activate swap:
+ # swapon /dev/matrix/swapvol
+
+ # mkfs.btrfs /dev/mapper/matrix-root
+
+ # mount /dev/matrix/root /mnt
+ Continue with Parabola installation
+
+ # mkdir -p /mnt/home
+ # mkdir -p /mnt/boot
+
+ # pacman -Syy
+ # pacman -Syu
+ # pacman -Sy pacman (and then I did the other 2 steps above, again)
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
+
+ The following is based on 'Verification of package signatures' in the Parabola install guide.
+ Check there first to see if steps differ by now.
+ Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
+ # pacman -Sy parabola-keyring
+ It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:
+ # pacman-key --populate parabola
+ # pacman-key --refresh-keys
+ # pacman -Sy parabola-keyring
+ To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
+ If you get an error mentioning dirmngr, do:
+ # dirmngr </dev/null
+ Also, it says that if the clock is set incorrectly then you have to manually set the correct time
+ (if keys are listed as expired because of it):
+ # date MMDDhhmm[[CC]YY][.ss]
+ I also had to install:
+ # pacman -S archlinux-keyring
+ # pacman-key --populate archlinux
+ In my case I saw some conflicting files reported in pacman, stopping me from using it.
+ I deleted the files that it mentioned
+ and then it worked. Specifically, I had this error:
+ licenses: /usr/share/licenses/common/MPS exists in filesystem
+ I rm -Rf'd the file and then pacman worked. I'm told that the following would have also made it work:
+ # pacman -Sf licenses
+ </troubleshooting>
+
+ # pacstrap /mnt base base-devel wpa_supplicant dialog iw wpa_actiond
+ Configure the system
+
+ # genfstab -U -p /mnt >> /mnt/etc/fstab
+ Check the created file:
+ # cat /mnt/etc/fstab
+ (If there are any errors, edit the file. Do NOT run the genfstab command again!)
+
+ # arch-chroot /mnt /bin/bash
+
+ # pacman -S linux-libre-lts
+
+ # pacman -S linux-libre-grsec
+
+ # pacman -S wget
+
+ # nano /etc/locale.gen
+ Uncomment your needed localisations. For example en_GB.UTF-8 (UTF-8 is highly recommended over other options).
+ # locale-gen
+ # echo LANG=en_GB.UTF-8 > /etc/locale.conf
+ # export LANG=en_GB.UTF-8
+
+ # nano /etc/vconsole.conf
+ In my case:
+
+KEYMAP=dvorak-uk
+FONT=lat9w-16
+
+
+ # ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
+ (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo)
+
+ # hwclock --systohc --utc
+
+ # echo parabola > /etc/hostname
+ Add the same hostname to /etc/hosts:
+ # nano /etc/hosts
+
+#<ip-address> <hostname.domain.org> <hostname>
+127.0.0.1 localhost.localdomain localhost parabola
+::1 localhost.localdomain localhost parabola
+
+
+ # nano /etc/mkinitcpio.conf
+ Then modify the file like so:
+
+
+
+ # mkinitcpio -p linux-libre
+ Also do it for linux-libre-lts:
+ # mkinitcpio -p linux-libre-lts
+ Also do it for linux-libre-grsec:
+ # mkinitcpio -p linux-libre-grsec
+
+ # nano /etc/pam.d/passwd
+ Add rounds=65536 at the end of the uncommented 'password' line.
+ # passwd root
+ Make sure to set a secure password! Also, it must never be the same as your LUKS password.
+ Extra security tweaks
+
+ # chmod 700 /boot /etc/{iptables,arptables}
+
+ Edit the file /etc/pam.d/system-login and comment out that line:
+ # auth required pam_tally.so onerr=succeed file=/var/log/faillog
+ Or just delete it. Above it, put:
+ auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
+ To unlock a user manually (if a password attempt is failed 3 times), do:
+ # pam_tally --user theusername --reset
+ What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts.
+ Unmount, reboot!
+
+ # exit
+
+ # umount -R /mnt
+ # swapoff -a
+
+ # lvchange -an /dev/matrix/root
+ # lvchange -an /dev/matrix/swapvol
+
+ # cryptsetup luksClose lvm
+
+ Remove the installation media, then boot up again.
+ Booting from GRUB
+
+ grub> set root='lvm/matrix-root'
+ grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root
+ grub> initrd /boot/initramfs-linux-libre-lts.img
+ grub> boot
+ Follow-up tutorial: configuring Parabola
+ Modify grub.cfg inside the ROM
+
+
+ # flashrom -p internal -r libreboot.rom
+ If flashrom complains about multiple flash chips detected, add a -c option at the end, with the name of your chosen chip is quotes.
+ You can check if everything is in there (grub.cfg and grubtest.cfg would be really nice):
+ $ ./cbfstool libreboot.rom print
+ Extract grubtest.cfg:
+ $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg
+ And modify:
+ $ nano grubtest.cfg
+
+cryptomount -a
+
+
+set root='lvm/matrix-root'
+linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root
+initrd /boot/initramfs-linux-libre-lts.img
+
+ # systemctl start dhcpcd.service
+ Or make sure to get connected to the internet in any other way you prefer, at least.
+
+ # pacman -S grub flashrom dmidecode base-devel
+ Next, do:
+ # grub-mkpasswd-pbkdf2
+ Enter your chosen password at the prompt and your hash will be shown. Copy this string - you will add it to your grubtest.cfg.
+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+
+
+
+ $ ./cbfstool libreboot.rom remove -n grubtest.cfg
+ and insert the modified grubtest.cfg:
+ $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw
+
+ # ./flash update libreboot.rom
+ Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:
+ # ./flash forceupdate libreboot.rom
+ You should see "Verifying flash... VERIFIED." written at the end of the flashrom output.
+
+ $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
+ Delete the grub.cfg that remained inside the ROM:
+ $ ./cbfstool libreboot.rom remove -n grub.cfg
+ Add the modified version that you just made:
+ $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
+
+ # ./flash update libreboot.rom
+ And wait for the "Verifying flash... VERIFIED." Once you have done that, shut down and then boot up with your new configuration.
+
+ # pacman -R grub
+ Bonus: Using a key file to unlock /boot/
+
+
+ Boot up and login as root or your user. Then generate the key file:
+ # dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock
+ Insert it into the luks volume:
+ # cryptsetup luksAddKey /dev/sdX /etc/mykeyfile
+ and enter your LUKS passphrase when prompted.
+ Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:
+ # FILES="/etc/mykeyfile"
+ Create the initramfs image from scratch:
+ # mkinitcpio -p linux-libre
+ # mkinitcpio -p linux-libre-lts
+ # mkinitcpio -p linux-libre-grsec
+ Add the following to your grub.cfg - you are now able to do that, see above! -, or add it in the kernel command line for GRUB:
+ # cryptkey=rootfs:/etc/mykeyfile
+
+ You can also place this inside the grub.cfg that exists in CBFS: grub_cbfs.html.
+ Further security tips
+
+ https://wiki.parabolagnulinux.org/User:GNUtoo/laptop
+ Troubleshooting
+
+
+
+"sudo wodim -prcap" shows information about the drive:
+Device was not specified. Trying to find an appropriate drive...
+Detected CD-R drive: /dev/sr0
+Using /dev/cdrom of unknown capabilities
+Device type : Removable CD-ROM
+Version : 5
+Response Format: 2
+Capabilities :
+Vendor_info : 'HL-DT-ST'
+Identification : 'DVDRAM GU10N '
+Revision : 'MX05'
+Device seems to be: Generic mmc2 DVD-R/DVD-RW.
+
+Drive capabilities, per MMC-3 page 2A:
+
+ Does read CD-R media
+ Does write CD-R media
+ Does read CD-RW media
+ Does write CD-RW media
+ Does read DVD-ROM media
+ Does read DVD-R media
+ Does write DVD-R media
+ Does read DVD-RAM media
+ Does write DVD-RAM media
+ Does support test writing
+
+ Does read Mode 2 Form 1 blocks
+ Does read Mode 2 Form 2 blocks
+ Does read digital audio blocks
+ Does restart non-streamed digital audio reads accurately
+ Does support Buffer-Underrun-Free recording
+ Does read multi-session CDs
+ Does read fixed-packet CD media using Method 2
+ Does not read CD bar code
+ Does not read R-W subcode information
+ Does read raw P-W subcode data from lead in
+ Does return CD media catalog number
+ Does return CD ISRC information
+ Does support C2 error pointers
+ Does not deliver composite A/V data
+
+ Does play audio CDs
+ Number of volume control levels: 256
+ Does support individual volume control setting for each channel
+ Does support independent mute setting for each channel
+ Does not support digital output on port 1
+ Does not support digital output on port 2
+
+ Loading mechanism type: tray
+ Does support ejection of CD via START/STOP command
+ Does not lock media on power up via prevent jumper
+ Does allow media to be locked in the drive via PREVENT/ALLOW command
+ Is not currently in a media-locked state
+ Does not support changing side of disk
+ Does not have load-empty-slot-in-changer feature
+ Does not support Individual Disk Present feature
+
+ Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current read speed: 4234 kB/s (CD 24x, DVD 3x)
+ Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Current write speed: 4234 kB/s (CD 24x, DVD 3x)
+ Rotational control selected: CLV/PCAV
+ Buffer size in KB: 1024
+ Copy management revision supported: 1
+ Number of supported write speeds: 4
+ Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
+ Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
+ Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
+ Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
+
+Supported CD-RW media types according to MMC-4 feature 0x37:
+ Does write multi speed CD-RW media
+ Does write high speed CD-RW media
+ Does write ultra high speed CD-RW media
+ Does not write ultra high speed+ CD-RW media
+
+
+
+
+ Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
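Review bot: In "Bonus: Using a key file to unlock /boot/", the key file is written with "dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock" and then embedded in every initramfs through FILES="/etc/mykeyfile", but no step restricts who can read it. Under a typical 022 umask the copy in /etc is world-readable, so add a "chmod 000 /etc/mykeyfile" (or 600) directly after the dd line. The earlier "chmod 700 /boot" covers the initramfs images but not this file. Separately, the "password_pbkdf2 root grub.pbkdf2.sha512.10000.711F..." example is a complete hash, so a reader who pastes the block as shown sets a GRUB password they do not know. A visible placeholder for the hash would avoid that. Typos in the same file: "is quotes" should be "in quotes", and "Ocassionally" should be "Occasionally".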
+ How to install OpenBSD on a libreboot system
+ Prepare the USB drive (in OpenBSD)
+
+
+ $ dmesg | tail
+
+ Check to confirm which drive it is, for example, if you think its sd3:
+ $ disklabel sd3
+
+ $ doas umount /dev/sdXz
+
+ $ doas dd if=install60.iso of=/dev/rsdXz bs=1M; sync
+ Installing OpenBSD without full disk encryption
+
+ Installing OpenBSD with full disk encryption
+
+ Booting
+
+ Configuring Grub
+
+ Troubleshooting
+
+ won't boot...something about file not found
+
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
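Review bot: In "Prepare the USB drive (in OpenBSD)", the example identifies the drive with "disklabel sd3", but the umount and dd lines then switch to /dev/sdXz and /dev/rsdXz without saying what X and z stand for. Because the dd line overwrites whatever device it is pointed at, spell the placeholders out: X is the drive number confirmed with disklabel, and on OpenBSD the whole disk is the c partition (for example rsd3c), so state which letter the reader should use in each command. Wording fix in the same block: "if you think its sd3" should read "it's".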
+ How to replace the default GRUB configuration file on a libreboot system
+ Table of Contents
+
+
+
+ Introduction
+
+
If you downloaded from git, refer to
+ ../git/index.html#build_meta before continuing.
+ 1st option: don't re-flash
+
+ 2nd option: re-flash
+
+ Acquire the necessary utilities
+
+
+ # pacman -S flashrom
+ Acquiring the correct ROM image
+
+
+ $ sudo flashrom -p internal -r libreboot.rom
+ # flashrom -p internal -r libreboot.rom
+ If you are told to specify the chip, add the option -c {your chip} to the command, for example:
+ # flashrom -c MX25L6405 -p internal -r libreboot.rom
+ Extract grubtest.cfg from the ROM image
+
+
+ $ cd .../libreboot_util/cbfstool
+ $ ./cbfstool libreboot.rom print
+
+ $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg
+ Re-insert the modified grubtest.cfg into the ROM image
+
+
+ $ ./cbfstool libreboot.rom remove -n grubtest.cfg
+
+ $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw
+ Testing
+
+
+ $ cd /libreboot_util
+ # ./flash update libreboot.rom
+ Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:
+ # ./flash forceupdate libreboot.rom
+ You should see "Verifying flash... VERIFIED." written at the end of the flashrom output.
+ Once you have done that, shut down and then boot up with your new test configuration.
+
+ Final steps
+
+
+ $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
+
+ $ ./cbfstool libreboot.rom remove -n grub.cfg
+
+ $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
+
+ Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
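Review bot: From "Acquiring the correct ROM image" through "Re-insert the modified grubtest.cfg", the image read with "flashrom -p internal -r libreboot.rom" is the same file that "cbfstool libreboot.rom remove" and "add" then modify in place, so the reader is left without an untouched copy of the working ROM. Suggest a step that copies the dump aside before the first cbfstool remove, so a known-good image is available if the test configuration does not boot. The two cd lines also disagree (".../libreboot_util/cbfstool" against "/libreboot_util"); use one form for both. "Ocassionally" should be "Occasionally".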
+ BSD distributions
+
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
+ Informaton for developers
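Review bot: The line "Informaton for developers" is misspelled; it should read "Information for developers".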
--
cgit v1.2.3-70-g09d2
From 98cc00d45b3bdf62ab4b1cbe813d95aea4f8c9f9 Mon Sep 17 00:00:00 2001
From: Scott Bonds
Configuring Parabola (post-install)
- Table of Contents
-
-
-
-
- # systemctl start dhcpcd.service
- You can stop it later by running:
- # systemctl stop dhcpcd.service
- For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:
- Setup network connection in Parabola
- Configure pacman
- Updating Parabola
-
- # pacman -Syy
- (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date,
- which can be useful when switching to another mirror).
- Then, update the system:
- # pacman -Syu
- Maintaining Parabola
- Cleaning the package cache
-
- https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache.
- Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache
- of old package information, updated automatically when you do anything in pacman).
-
-
- # pacman -Sc
-
- # pacman -Scc
- This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used
- when disk space is at a premium.
- pacman command equivalents
-
- https://wiki.archlinux.org/index.php/Pacman_Rosetta
- your-freedom
- Add a user
-
- # useradd -m -G wheel -s /bin/bash yourusername
- Set a password:
- # passwd yourusername
- systemd
-
- # man systemd
- The section on 'unit types' is especially useful.
-
- #SystemMaxUse=
- Change it to say:
- SystemMaxUse=50M
-
- # systemctl restart systemd-journald
-
- # man systemd-tmpfiles
- The command for 'clean' is:
- # systemd-tmpfiles --clean
- According to the manpage, this "cleans all files and directories with an age parameter".
- According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/
- to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations
- to get a better understanding.
-
- # man tmpfiles.d
- Read that manpage, and then continue studying all the files.
- Interesting repositories
-
-
- [kernels]
- Include = /etc/pacman.d/mirrorlist
-
-
- # pacman -Syy
-
- # pacman -Sl kernels
- Setup a network connection in Parabola
- Set the hostname
-
- # hostnamectl set-hostname yourhostname
- This writes the specified hostname to /etc/hostname. More information can be found in these manpages:
- # man hostname
- # info hostname
- # man hostnamectl
-
-
- 127.0.0.1 localhost.localdomain localhost myhostname
- ::1 localhost.localdomain localhost myhostname
-
- Network Status
-
- # lspci -v
-
-
- Kernel driver in use: e1000e
- Kernel modules: e1000e
-
-
- # dmesg | grep e1000e
- Network device names
-
- # ls /sys/class/net
-
- https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name
- Network setup
-
- https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers.
- If you need to, set a static IP address (temporarily) using the networking guide and the Arch wiki, or start the dhcpcd service in systemd.
- NetworkManager will be setup later, after installing LXDE.
- System Maintenance
-
- # pacman -S smartmontools
- Read https://wiki.archlinux.org/index.php/S.M.A.R.T. to learn how to use it.
- Configuring the desktop
- Installing Xorg
-
- # pacman -S xorg-server
- I also recommend installing this (contains lots of useful tools, including xrandr):
- # pacman -S xorg-server-utils
-
- # pacman -S xf86-video-intel
- For other systems you can try:
- # pacman -Ss xf86-video- | less
- Combined with looking at your lspci output, you can determine which driver is needed.
- By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration.
-
- # pacman -Sg xorg-drivers
-
- # pacman -S xorg-xinit
-
- Arch wiki recommends installing these, for testing that X works:
- # pacman -S xorg-twm xorg-xclock xterm
- Refer to https://wiki.archlinux.org/index.php/Xinitrc.
- and test X:
- # startx
- When you are satisfied, type exit in xterm, inside the X session.
- Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm
- </optional>
- Xorg keyboard layout
-
- # setxkbmap -print -verbose 10
-
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files and
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl.
-
- Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:
-
- Section "InputClass"
- Identifier "system-keyboard"
- MatchIsKeyboard "on"
- Option "XkbLayout" "gb"
- Option "XkbModel" "pc105"
- Option "XkbVariant" "dvorak"
- EndSection
-
- Install LXDE
-
- # pacman -S lxde obconf
-
- # pacman -R lxmusic lxtask
-
- # pacman -S $(pacman -Ssq ttf-)
-
- # pacman -S icedove
-
- # pacman -S xsensors stress htop
-
- # systemctl enable lxdm.service
- It will start when you boot up the system. To start it now, do:
- # systemctl start lxdm.service
-
- $ cp /etc/skel/.xinitrc ~
- Open .xinitrc and add the following plus a line break at the bottom of the file.
-
- # Probably not needed. The same locale info that we set before
- # Based on advice from the LXDE wiki
- export LC_ALL=en_GB.UTF-8
- export LANGUAGE=en_GB.UTF-8
- export LANG=en_GB.UTF-8
-
- # Start lxde desktop
- exec startlxde
-
- Now make sure that it is executable:
- $ chmod +x .xinitrc
- LXDE - clock
- LXDE - screenlock
-
- # pacman -S xscreensaver
- LXDE - automounting
- LXDE - disable suspend
- LXDE - battery monitor
- LXDE - Network Manager
-
- # pacman -S networkmanager
-
- # pacman -S network-manager-applet
- Arch wiki says that an autostart rule will be written at /etc/xdg/autostart/nm-applet.desktop
-
- # pacman -S networkmanager-openvpn
-
- https://wiki.archlinux.org/index.php/NetworkManager#Openbox.
-
- # pacman -S xfce4-notifyd gnome-icon-theme
- Also, for storing authentication details (wifi) I need:
- # pacman -S gnome-keyring
-
- # systemctl stop dhcpcd
- # systemctl start NetworkManager
- Enable NetworkManager at boot time:
- # systemctl enable NetworkManager
-
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
- or any later version published by Creative Commons;
-
- A copy of the license can be found at ../cc-by-sa-4.0.txt
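Review bot: In the "Installing Xorg" part of this removed page, the line "Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm" uses -S, which installs, where the sentence says to uninstall. If this text is kept at a new path elsewhere in the series, correct the command there to "pacman -R" with the same package list rather than carrying the mistake over.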
- Installing Debian or Trisquel GNU/Linux with full disk encryption (including /boot)
- Partitioning
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Further partitioning
-
-
-
-
-
-
-
-
- Kernel
-
- Tasksel (Debian or Trisquel)
-
- Postfix configuration
-
- Install the GRUB boot loader to the master boot record
-
- Clock UTC
-
-
- Booting your system
-
-
-
- grub> cryptomount -a
- grub> set root='lvm/matrix-root'
- grub> linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
- grub> initrd /initrd.img
- grub> boot
-
- ecryptfs
-
-
-
- $ sudo ecryptfs-unwrap-passphrase
-
- Modify grub.cfg (CBFS)
-
-
-
- set root='lvm/matrix-root'
- linux /vmlinuz root=/dev/mapper/matrix-root cryptdevice=/dev/mapper/matrix-root:root
- initrd /initrd.img
-
- $ grub-mkpasswd-pbkdf2
-
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
-
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
- Troubleshooting
-
-
-
-"sudo wodim -prcap" shows information about the drive:
-Device was not specified. Trying to find an appropriate drive...
-Detected CD-R drive: /dev/sr0
-Using /dev/cdrom of unknown capabilities
-Device type : Removable CD-ROM
-Version : 5
-Response Format: 2
-Capabilities :
-Vendor_info : 'HL-DT-ST'
-Identification : 'DVDRAM GU10N '
-Revision : 'MX05'
-Device seems to be: Generic mmc2 DVD-R/DVD-RW.
-
-Drive capabilities, per MMC-3 page 2A:
-
- Does read CD-R media
- Does write CD-R media
- Does read CD-RW media
- Does write CD-RW media
- Does read DVD-ROM media
- Does read DVD-R media
- Does write DVD-R media
- Does read DVD-RAM media
- Does write DVD-RAM media
- Does support test writing
-
- Does read Mode 2 Form 1 blocks
- Does read Mode 2 Form 2 blocks
- Does read digital audio blocks
- Does restart non-streamed digital audio reads accurately
- Does support Buffer-Underrun-Free recording
- Does read multi-session CDs
- Does read fixed-packet CD media using Method 2
- Does not read CD bar code
- Does not read R-W subcode information
- Does read raw P-W subcode data from lead in
- Does return CD media catalog number
- Does return CD ISRC information
- Does support C2 error pointers
- Does not deliver composite A/V data
-
- Does play audio CDs
- Number of volume control levels: 256
- Does support individual volume control setting for each channel
- Does support independent mute setting for each channel
- Does not support digital output on port 1
- Does not support digital output on port 2
-
- Loading mechanism type: tray
- Does support ejection of CD via START/STOP command
- Does not lock media on power up via prevent jumper
- Does allow media to be locked in the drive via PREVENT/ALLOW command
- Is not currently in a media-locked state
- Does not support changing side of disk
- Does not have load-empty-slot-in-changer feature
- Does not support Individual Disk Present feature
-
- Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
- Current read speed: 4234 kB/s (CD 24x, DVD 3x)
- Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
- Current write speed: 4234 kB/s (CD 24x, DVD 3x)
- Rotational control selected: CLV/PCAV
- Buffer size in KB: 1024
- Copy management revision supported: 1
- Number of supported write speeds: 4
- Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
- Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
- Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
- Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
-
-Supported CD-RW media types according to MMC-4 feature 0x37:
- Does write multi speed CD-RW media
- Does write high speed CD-RW media
- Does write ultra high speed CD-RW media
- Does not write ultra high speed+ CD-RW media
-
-
-
-
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
- or any later version published by Creative Commons;
-
- A copy of the license can be found at ../cc-by-sa-4.0.txt
- Installing Parabola or Arch GNU/Linux with full disk encryption (including /boot)
-
- # dd if=/dev/urandom of=/dev/sda; sync
- NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
- use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
- erase block size is. For example if it was 2MiB:
- # dd if=/dev/urandom of=/dev/sda bs=2M; sync
-
- # head -c 3145728 /dev/urandom > /dev/sda; sync
- (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
-
- Change keyboard layout
-
-
- # localectl list-keymaps
- # loadkeys LAYOUT
- For me, LAYOUT would have been dvorak-uk.
- Establish an internet connection
- Getting started
- dm-mod
-
- # modprobe dm-mod
- Create LUKS partition
-
- # cfdisk /dev/sda
-
- I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption.
-
- # cryptsetup benchmark (for making sure the list below is populated)
- Then:
- # cat /proc/crypto
- This gives me crypto options that I can use. It also provides a representation of the best way to set up LUKS (in this case, security is a priority; speed, a distant second).
- To gain a better understanding, I am also reading:
- # man cryptsetup
-
- # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1
- Choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The
- password length should be as long as you are able to handle without writing it down or storing it anywhere.
- Create LVM
-
- # cryptsetup luksOpen /dev/sda1 lvm
- (it will be available at /dev/mapper/lvm)
-
- # pvcreate /dev/mapper/lvm
- Show that you just created it:
- # pvdisplay
-
- # vgcreate matrix /dev/mapper/lvm
- (volume group name is 'matrix' - choose your own name, if you like)
- Show that you created it:
- # vgdisplay
-
- # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
- Again, choose your own name if you like. Also, make sure to choose a swap size of your own needs. It basically depends on how much RAM
- you have installed. I refer to http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space.
- # lvcreate -l +100%FREE matrix -n root (single large partition in the rest of the space, named root)
- You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example,
- if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system).
- For a home/laptop system (typical use case), a root and a swap will do (really).
-
- # lvdisplay
- Create / and swap partitions, and mount
-
- # mkswap /dev/mapper/matrix-swapvol
- Activate swap:
- # swapon /dev/matrix/swapvol
-
- # mkfs.btrfs /dev/mapper/matrix-root
-
- # mount /dev/matrix/root /mnt
- Continue with Parabola installation
-
- # mkdir -p /mnt/home
- # mkdir -p /mnt/boot
-
- # pacman -Syy
- # pacman -Syu
- # pacman -Sy pacman (and then I did the other 2 steps above, again)
- In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
-
- The following is based on 'Verification of package signatures' in the Parabola install guide.
- Check there first to see if steps differ by now.
- Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
- # pacman -Sy parabola-keyring
- It says that if you get GPG errors, then it's probably an expired key and, therefore, you should do:
- # pacman-key --populate parabola
- # pacman-key --refresh-keys
- # pacman -Sy parabola-keyring
- To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
- If you get an error mentioning dirmngr, do:
- # dirmngr </dev/null
- Also, it says that if the clock is set incorrectly then you have to manually set the correct time
- (if keys are listed as expired because of it):
- # date MMDDhhmm[[CC]YY][.ss]
- I also had to install:
- # pacman -S archlinux-keyring
- # pacman-key --populate archlinux
- In my case I saw some conflicting files reported in pacman, stopping me from using it.
- I deleted the files that it mentioned
- and then it worked. Specifically, I had this error:
- licenses: /usr/share/licenses/common/MPS exists in filesystem
- I rm -Rf'd the file and then pacman worked. I'm told that the following would have also made it work:
- # pacman -Sf licenses
- </troubleshooting>
-
- # pacstrap /mnt base base-devel wpa_supplicant dialog iw wpa_actiond
- Configure the system
-
- # genfstab -U -p /mnt >> /mnt/etc/fstab
- Check the created file:
- # cat /mnt/etc/fstab
- (If there are any errors, edit the file. Do NOT run the genfstab command again!)
-
- # arch-chroot /mnt /bin/bash
-
- # pacman -S linux-libre-lts
-
- # pacman -S linux-libre-grsec
-
- # pacman -S wget
-
- # nano /etc/locale.gen
- Uncomment your needed localisations. For example en_GB.UTF-8 (UTF-8 is highly recommended over other options).
- # locale-gen
- # echo LANG=en_GB.UTF-8 > /etc/locale.conf
- # export LANG=en_GB.UTF-8
-
- # nano /etc/vconsole.conf
- In my case:
-
-KEYMAP=dvorak-uk
-FONT=lat9w-16
-
-
- # ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
- (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo)
-
- # hwclock --systohc --utc
-
- # echo parabola > /etc/hostname
- Add the same hostname to /etc/hosts:
- # nano /etc/hosts
-
-#<ip-address> <hostname.domain.org> <hostname>
-127.0.0.1 localhost.localdomain localhost parabola
-::1 localhost.localdomain localhost parabola
-
-
- # nano /etc/mkinitcpio.conf
- Then modify the file like so:
-
-
-
- # mkinitcpio -p linux-libre
- Also do it for linux-libre-lts:
- # mkinitcpio -p linux-libre-lts
- Also do it for linux-libre-grsec:
- # mkinitcpio -p linux-libre-grsec
-
- # nano /etc/pam.d/passwd
- Add rounds=65536 at the end of the uncommented 'password' line.
- # passwd root
- Make sure to set a secure password! Also, it must never be the same as your LUKS password.
- Extra security tweaks
-
- # chmod 700 /boot /etc/{iptables,arptables}
-
- Edit the file /etc/pam.d/system-login and comment out that line:
- # auth required pam_tally.so onerr=succeed file=/var/log/faillog
- Or just delete it. Above it, put:
- auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
- To unlock a user manually (if a password attempt is failed 3 times), do:
- # pam_tally --user theusername --reset
- What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts.
- Unmount, reboot!
-
- # exit
-
- # umount -R /mnt
- # swapoff -a
-
- # lvchange -an /dev/matrix/root
- # lvchange -an /dev/matrix/swapvol
-
- # cryptsetup luksClose lvm
-
- Remove the installation media, then boot up again.
- Booting from GRUB
-
- grub> set root='lvm/matrix-root'
- grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root
- grub> initrd /boot/initramfs-linux-libre-lts.img
- grub> boot
- Follow-up tutorial: configuring Parabola
- Modify grub.cfg inside the ROM
-
-
- # flashrom -p internal -r libreboot.rom
- If flashrom complains about multiple flash chips detected, add a -c option at the end, with the name of your chosen chip is quotes.
- You can check if everything is in there (grub.cfg and grubtest.cfg would be really nice):
- $ ./cbfstool libreboot.rom print
- Extract grubtest.cfg:
- $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg
- And modify:
- $ nano grubtest.cfg
-
-cryptomount -a
-
-
-set root='lvm/matrix-root'
-linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root
-initrd /boot/initramfs-linux-libre-lts.img
-
- # systemctl start dhcpcd.service
- Or make sure to get connected to the internet in any other way you prefer, at least.
-
- # pacman -S grub flashrom dmidecode base-devel
- Next, do:
- # grub-mkpasswd-pbkdf2
- Enter your chosen password at the prompt and your hash will be shown. Copy this string - you will add it to your grubtest.cfg.
-
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
-
-
- $ ./cbfstool libreboot.rom remove -n grubtest.cfg
- and insert the modified grubtest.cfg:
- $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw
-
- # ./flash update libreboot.rom
- Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:
- # ./flash forceupdate libreboot.rom
- You should see "Verifying flash... VERIFIED." written at the end of the flashrom output.
-
- $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
- Delete the grub.cfg that remained inside the ROM:
- $ ./cbfstool libreboot.rom remove -n grub.cfg
- Add the modified version that you just made:
- $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
-
- # ./flash update libreboot.rom
- And wait for the "Verifying flash... VERIFIED." Once you have done that, shut down and then boot up with your new configuration.
-
- # pacman -R grub
- Bonus: Using a key file to unlock /boot/
-
-
- Boot up and login as root or your user. Then generate the key file:
- # dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile iflag=fullblock
- Insert it into the luks volume:
- # cryptsetup luksAddKey /dev/sdX /etc/mykeyfile
- and enter your LUKS passphrase when prompted.
- Add the keyfile to the initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example:
- # FILES="/etc/mykeyfile"
- Create the initramfs image from scratch:
- # mkinitcpio -p linux-libre
- # mkinitcpio -p linux-libre-lts
- # mkinitcpio -p linux-libre-grsec
- Add the following to your grub.cfg - you are now able to do that, see above! -, or add it in the kernel command line for GRUB:
- # cryptkey=rootfs:/etc/mykeyfile
-
- You can also place this inside the grub.cfg that exists in CBFS: grub_cbfs.html.
- Further security tips
-
- https://wiki.parabolagnulinux.org/User:GNUtoo/laptop
- Troubleshooting
-
-
-
-"sudo wodim -prcap" shows information about the drive:
-Device was not specified. Trying to find an appropriate drive...
-Detected CD-R drive: /dev/sr0
-Using /dev/cdrom of unknown capabilities
-Device type : Removable CD-ROM
-Version : 5
-Response Format: 2
-Capabilities :
-Vendor_info : 'HL-DT-ST'
-Identification : 'DVDRAM GU10N '
-Revision : 'MX05'
-Device seems to be: Generic mmc2 DVD-R/DVD-RW.
-
-Drive capabilities, per MMC-3 page 2A:
-
- Does read CD-R media
- Does write CD-R media
- Does read CD-RW media
- Does write CD-RW media
- Does read DVD-ROM media
- Does read DVD-R media
- Does write DVD-R media
- Does read DVD-RAM media
- Does write DVD-RAM media
- Does support test writing
-
- Does read Mode 2 Form 1 blocks
- Does read Mode 2 Form 2 blocks
- Does read digital audio blocks
- Does restart non-streamed digital audio reads accurately
- Does support Buffer-Underrun-Free recording
- Does read multi-session CDs
- Does read fixed-packet CD media using Method 2
- Does not read CD bar code
- Does not read R-W subcode information
- Does read raw P-W subcode data from lead in
- Does return CD media catalog number
- Does return CD ISRC information
- Does support C2 error pointers
- Does not deliver composite A/V data
-
- Does play audio CDs
- Number of volume control levels: 256
- Does support individual volume control setting for each channel
- Does support independent mute setting for each channel
- Does not support digital output on port 1
- Does not support digital output on port 2
-
- Loading mechanism type: tray
- Does support ejection of CD via START/STOP command
- Does not lock media on power up via prevent jumper
- Does allow media to be locked in the drive via PREVENT/ALLOW command
- Is not currently in a media-locked state
- Does not support changing side of disk
- Does not have load-empty-slot-in-changer feature
- Does not support Individual Disk Present feature
-
- Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
- Current read speed: 4234 kB/s (CD 24x, DVD 3x)
- Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
- Current write speed: 4234 kB/s (CD 24x, DVD 3x)
- Rotational control selected: CLV/PCAV
- Buffer size in KB: 1024
- Copy management revision supported: 1
- Number of supported write speeds: 4
- Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
- Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
- Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
- Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
-
-Supported CD-RW media types according to MMC-4 feature 0x37:
- Does write multi speed CD-RW media
- Does write high speed CD-RW media
- Does write ultra high speed CD-RW media
- Does not write ultra high speed+ CD-RW media
-
-
-
-
- Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
- or any later version published by Creative Commons;
-
- A copy of the license can be found at ../cc-by-sa-4.0.txt
- How to install OpenBSD on a libreboot system
- Prepare the USB drive (in OpenBSD)
-
-
- $ dmesg | tail
-
- Check to confirm which drive it is, for example, if you think its sd3:
- $ disklabel sd3
-
- $ doas umount /dev/sdXz
-
- $ doas dd if=install60.iso of=/dev/rsdXz bs=1M; sync
- Installing OpenBSD without full disk encryption
-
- Installing OpenBSD with full disk encryption
-
- Booting
-
- Configuring Grub
-
- Troubleshooting
-
- won't boot...something about file not found
-
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
- or any later version published by Creative Commons;
-
- A copy of the license can be found at ../cc-by-sa-4.0.txt
- How to replace the default GRUB configuration file on a libreboot system
- Table of Contents
-
-
-
- Introduction
-
-
If you downloaded from git, refer to
- ../git/index.html#build_meta before continuing.
- 1st option: don't re-flash
-
- 2nd option: re-flash
-
- Acquire the necessary utilities
-
-
- # pacman -S flashrom
- Acquiring the correct ROM image
-
-
- $ sudo flashrom -p internal -r libreboot.rom
- # flashrom -p internal -r libreboot.rom
- If you are told to specify the chip, add the option -c {your chip} to the command, for example:
- # flashrom -c MX25L6405 -p internal -r libreboot.rom
- Extract grubtest.cfg from the ROM image
-
-
- $ cd .../libreboot_util/cbfstool
- $ ./cbfstool libreboot.rom print
-
- $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg
- Re-insert the modified grubtest.cfg into the ROM image
-
-
- $ ./cbfstool libreboot.rom remove -n grubtest.cfg
-
- $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw
- Testing
-
-
- $ cd /libreboot_util
- # ./flash update libreboot.rom
- Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:
- # ./flash forceupdate libreboot.rom
- You should see "Verifying flash... VERIFIED." written at the end of the flashrom output.
- Once you have done that, shut down and then boot up with your new test configuration.
-
- Final steps
-
-
- $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
-
- $ ./cbfstool libreboot.rom remove -n grub.cfg
-
- $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
-
- Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
- or any later version published by Creative Commons;
-
- A copy of the license can be found at ../cc-by-sa-4.0.txt
-
+ This section relates to preparing, booting and installing a + OpenBSD distribution on your libreboot system, using nothing more than a USB flash drive (and dd). They've only been tested on a Lenovo ThinkPad x200. +
+ + ++ This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions + have yet to be written in the libreboot documentation. +
+
+ Connect the USB drive. Check dmesg:
+ $ dmesg | tail
+
+ Check to confirm which drive it is, for example, if you think its sd3:
+ $ disklabel sd3
+
+ Check that it wasn't automatically mounted. If it was, unmount it. For example:
+ $ doas umount /dev/sd3i
+
+ dmesg told you what device it is. Overwrite the drive, writing the OpenBSD installer to it with dd. For example:
+ $ doas dd if=install60.fs of=/dev/rsdXc bs=1M; sync
+
+ You should now be able to boot the installer from your USB drive. Continue reading, for + information about how to do that. +
+ ++ Back to top of page. +
+ ++ Press C in GRUB to access the command line: +
++ grub> kopenbsd (usb0,openbsd1)/6.0/amd64/bsd.rd +
++ It will start booting into the OpenBSD installer. Follow the normal process for installing OpenBSD. +
+ ++ Back to top of page. +
+ ++ Not working. You can modify the above procedure (installation w/o encryption) to install OpenBSD using full disk encryption, and it appears to work, except that its not yet clear how to actually boot an OpenBSD+FDE installation using libreboot+Grub2. If you get it working, please let us know. +
+ ++ Back to top of page. +
+ ++ Press C in GRUB to access the command line: +
++ grub> kopenbsd -r sd0a (ahci0,openbsd1)/bsd +
++ OpenBSD will start booting. Yay! +
+ ++ Back to top of page. +
+ ++ If you don't want to drop to the GRUB command line and type in a command to boot OpenBSD every time, you can create a GRUB configuration that's aware of your OpenBSD installation and that will automatically be used by libreboot. +
++ On your OpenBSD root partition, create the /grub directory and add the file libreboot_grub.cfg to it. Inside the libreboot_grub.cfg add these lines: +
+ default=0
+ timeout=3
+ menuentry "OpenBSD" {
+ kopenbsd -r sd0a (ahci0,openbsd1)/bsd
+ }
+
The next time you boot, you'll see the old Grub menu for a few seconds, then you'll see the a new menu with only OpenBSD on the list. After 3 seconds OpenBSD will boot, or you can hit enter to boot. +
+ Back to top of page. +
+ ++ Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. + This mode is useful for booting payloads like memtest86+ which expect text-mode, but for OpenBSD distributions + it can be problematic when they are trying to switch to a framebuffer because it doesn't exist. +
+ ++ In most cases, you should use the vesafb ROM images. Example filename: libreboot_ukdvorak_vesafb.rom. +
+ ++ You device names (i.e. usb0, usb1, sd0, sd1, wd0, ahci0, hd0, etc) and numbers may differ. Use TAB completion. +
+ ++ Back to top of page. +
+ +
+ Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
+ or any later version published by Creative Commons;
+
+ A copy of the license can be found at ../cc-by-sa-4.0.txt
+
+ Updated versions of the license (when available) can be found at + https://creativecommons.org/licenses/by-sa/4.0/legalcode +
+ ++ UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. +
++ TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. +
++ The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. +
+ +
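Review bot: The dd step in the added USB preparation text writes to a placeholder device (`of=/dev/rsdXc`) while the two steps before it use a concrete example (`disklabel sd3`, `doas umount /dev/sd3i`), so the only destructive command in the procedure is the one where the reader has to work out the device name unaided. Suggest using the same example device in all three commands, or stating next to the dd line that X is the number just confirmed with disklabel. The added libreboot_grub.cfg example hardcodes `sd0a` and `(ahci0,openbsd1)`, while the troubleshooting text says device names and numbers may differ; a pointer from the config example to that caveat would stop readers copying a menuentry that does not match their disk. The full disk encryption paragraph opens with "Not working" but only says mid-sentence that an FDE install cannot yet be booted; saying first that the documented procedure gives an unencrypted install would make the limitation harder to miss. Wording nits in the added lines: "a OpenBSD distribution" should be "an OpenBSD distribution", "They've only been tested" has no plural antecedent, "its sd3" and "its not yet clear" need "it's", "You device names" should be "Your device names", and "see the a new menu" has a stray article.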