From abb8c1db38c7a8e1cd298c5fb75bdf8da9c4c4a7 Mon Sep 17 00:00:00 2001 From: Alyssa Rosenzweig Date: Thu, 25 May 2017 16:55:18 -0700 Subject: Manual typographic fixes --- docs/gnulinux/configuring_parabola.md | 79 ++++++++++++++++++----------------- docs/gnulinux/encrypted_debian.md | 44 ++++++++++--------- docs/gnulinux/encrypted_parabola.md | 10 ++--- docs/gnulinux/grub_boot_installer.md | 32 +++++++------- docs/gnulinux/grub_cbfs.md | 59 +++++++++++++------------- docs/gnulinux/grub_hardening.md | 16 +++---- docs/gnulinux/index.md | 4 +- 7 files changed, 122 insertions(+), 122 deletions(-) (limited to 'docs/gnulinux') diff --git a/docs/gnulinux/configuring_parabola.md b/docs/gnulinux/configuring_parabola.md index 2aef3624..af6e18d3 100644 --- a/docs/gnulinux/configuring_parabola.md +++ b/docs/gnulinux/configuring_parabola.md @@ -19,9 +19,9 @@ likely to become obsolete at a later date (due to the volatile 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. -**This guide was valid on 2014-09-21. If you see any changes that should +*This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch with the libreboot -project!** +project!* You do not necessarily have to follow this guide word-for-word; *parabola* is extremely flexible. The aim here is to provide a common @@ -35,18 +35,18 @@ Paradoxically, as you get more advanced Parabola can actually become compared to what most distributions provide. You will find over time that other distributions tend to *get in your way*. -**This guide assumes that you already have Parabola installed. If you +*This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, then [this -guide](encrypted_parabola.md) is highly recommended!** +guide](encrypted_parabola.md) is highly recommended!* A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries to cherry pick the most useful information but -nonetheless you are encouraged to learn as much as possible. **It might +nonetheless you are encouraged to learn as much as possible. *It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, especially for new -users**. +users*. The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), and it will @@ -69,7 +69,7 @@ your network then you should setup your network connection first:\ Configure pacman {#pacman_configure} ---------------- -pacman (**pac**kage **man**ager) is the name of the package management +pacman (*pac*kage *man*ager) is the name of the package management system in Arch, which Parabola (as a deblobbed parallel effort) also uses. Like with 'apt-get' on Debian or Devuan, this can be used to add/remove and update the software on your computer. @@ -95,8 +95,8 @@ Then, update the system: # pacman -Syu -**Before installing packages with 'pacman -S', always update first, -using the notes above.** +*Before installing packages with 'pacman -S', always update first, +using the notes above.* Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages about maintenance steps that you @@ -143,13 +143,13 @@ re-install it or install the distro on another computer, for example). ### Cleaning the package cache {#pacman_cacheclean} -**The following is very important as you continue to use, update and +*The following is very important as you continue to use, update and maintain your Parabola system:\ . Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache of old package information, updated automatically when you do anything in -pacman).** +pacman).* To clean out all old packages that are cached: @@ -217,8 +217,8 @@ This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. Read and to -gain a full understanding. **This is very important! Make sure to read -them.** +gain a full understanding. *This is very important! Make sure to read +them.* An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. @@ -403,8 +403,8 @@ System Maintenance {#system_maintain} Read before continuing. Also read -. **This -is important, so make sure to read them!** +. *This +is important, so make sure to read them!* Install smartmontools (it can be used to check smart data. HDDs use non-free firmware inside, but it's transparent to you but the smart @@ -451,25 +451,28 @@ driver is needed. By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. Other drivers (not just video) can be found by looking at the -*xorg-drivers* group: +`xorg-drivers` group: # pacman -Sg xorg-drivers -Mostly you will rely on a display manager, but in case you ever want to -start X without one: +Mostly you will rely on a display manager, but in case you ever want to start X +without one: # pacman -S xorg-xinit -\ -   Arch wiki recommends installing these, for testing that X works:\ -   \# **pacman -S xorg-twm xorg-xclock xterm**\ -   Refer to . and test X:\ -   \# **startx**\ -   When you are satisfied, type ***exit*** in xterm, inside the X -session.\ -   Uninstall them (clutter. eww): \# **pacman -S xorg-xinit xorg-twm -xorg-xclock xterm**\ - +Optionally, to test X, install these: + +   # pacman -S xorg-twm xorg-xclock xterm + +Refer to . and test X: + +   # startx + +When you are satisfied, type `exit` in xterm, inside the X session. + +Uninstall them (clutter. eww): + + # pacman -S xorg-xinit xorg-twm xorg-xclock xterm ### Xorg keyboard layout {#desktop_kblayout} @@ -566,22 +569,22 @@ Open LXterminal: $ cp /etc/skel/.xinitrc \~ Open .xinitrc and add the following plus a line break at the bottom of -the file.\ -*\# Probably not needed. The same locale info that we set before\ -\# Based on advice from the LXDE wiki export LC\_ALL=en\_GB.UTF-8\ -export LANGUAGE=en\_GB.UTF-8\ -export LANG=en\_GB.UTF-8\ - -\# Start lxde desktop\ -exec startlxde\ +the file. + + export LC_ALL=en_GB.UTF-8 + export LANGUAGE=en_GB.UTF-8 + export LANG=en_GB.UTF-8 + + exec startlxde + * Now make sure that it is executable: $ chmod +x .xinitrc ### LXDE - clock {#lxde_clock} -In **Digital Clock Settings** (right click the clock) I set the Clock -Format to *%Y/%m/%d %H:%M:%S* +In *Digital Clock Settings* (right click the clock) I set the Clock +Format to `%Y/%m/%d %H:%M:%S` ### LXDE - font {#lxde_font} diff --git a/docs/gnulinux/encrypted_debian.md b/docs/gnulinux/encrypted_debian.md index 2a1e2e79..71129950 100644 --- a/docs/gnulinux/encrypted_debian.md +++ b/docs/gnulinux/encrypted_debian.md @@ -39,28 +39,26 @@ If you are on a 32-bit system (e.g. X60): [This guide](grub_boot_installer.md) shows how to create a boot USB drive with the Debian ISO image. -**This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.** +*This guide is only for the GRUB payload. If you use the depthcharge payload, +ignore this section entirely.* -Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a -step during boot to fail. If this happens to you, try removing the -drive. +Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step +during boot to fail. If this happens to you, try removing the drive. -Set a strong user password (lots of lowercase/uppercase, numbers and -symbols). +Set a strong user password (lots of lowercase/uppercase, numbers and symbols). -Use of the *diceware method* is recommended, for generating secure -passphrases (instead of passwords). +Use of the *diceware method* is recommended, for generating secure passphrases +(instead of passwords). -when the installer asks you to set up encryption (ecryptfs) for your -home directory, select 'Yes' if you want to: **LUKS is already secure -and performs well. Having ecryptfs on top of it will add noticeable -performance penalty, for little security gain in most use cases. This is -therefore optional, and not recommended. Choose 'no'.** +When the installer asks you to set up encryption (ecryptfs) for your home +directory, select 'Yes' if you want to: *LUKS is already secure and performs +well. Having ecryptfs on top of it will add noticeable performance penalty, for +little security gain in most use cases. This is therefore optional, and not +recommended. Choose 'no'.* -**Your user password should be different from the LUKS password which +*Your user password should be different from the LUKS password which you will set later on. Your LUKS password should, like the user -password, be secure.** +password, be secure.* Partitioning ============ @@ -91,15 +89,15 @@ Choose 'Manual' partitioning: - Configure the logical volume manager: - Keep settings: Yes - Create volume group: - - Name: **matrix** (use this exact name) + - Name: `matrix` (use this exact name) - Select crypto partition - Create logical volume - - select **matrix** (use this exact name) - - name: **rootvol** (use this exact name) + - select `matrix` (use this exact name) + - name: `rootvol` (use this exact name) - size: default, minus 2048 MB - Create logical volume - - select **matrix** (use this exact name) - - name: **swap** (user this exact name) + - select `matrix` (use this exact name) + - name: `swap` (user this exact name) - size: press enter Further partitioning @@ -132,8 +130,8 @@ something else. If you want debian-testing, then you should only select barebones options here and change the entries in /etc/apt/sources.list after -install to point to the new distro, and then run **apt-get update** and -**apt-get dist-upgrade** as root, then reboot and run **tasksel** as +install to point to the new distro, and then run `apt-get update` and +`apt-get dist-upgrade` as root, then reboot and run `tasksel` as root. This is to avoid downloading large packages twice. NOTE: If you want the latest up to date version of the Linux kernel, diff --git a/docs/gnulinux/encrypted_parabola.md b/docs/gnulinux/encrypted_parabola.md index deb0ba4e..d2f77482 100644 --- a/docs/gnulinux/encrypted_parabola.md +++ b/docs/gnulinux/encrypted_parabola.md @@ -17,8 +17,8 @@ volume. Not so with libreboot! Since GRUB is already included directly as a payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical access to the system. -**This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.** +*This guide is \*only\* for the GRUB payload. If you use the +depthcharge payload, ignore this section entirely.* This guide is intended for the Parabola distribution, but it should also work (with some adaptation) for *Arch*. We recomend using Parabola, @@ -174,7 +174,7 @@ I am initializing LUKS with the following: whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1 - Choose a **secure** passphrase here. Ideally lots of + Choose a *secure* passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password length should be as long as you are able to handle without writing it down or storing it anywhere. @@ -269,7 +269,7 @@ Create /home and /boot on root mountpoint: Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola. -In **/etc/pacman.d/mirrorlist**, comment out all lines except the Server +In `/etc/pacman.d/mirrorlist`, comment out all lines except the Server line closest to where you are (I chose the UK Parabola server (main server)) and then did: @@ -353,7 +353,7 @@ Check the created file: # cat /mnt/etc/fstab -(If there are any errors, edit the file. Do **NOT** run the genfstab +(If there are any errors, edit the file. Do *NOT* run the genfstab command again!) Chroot into new system: diff --git a/docs/gnulinux/grub_boot_installer.md b/docs/gnulinux/grub_boot_installer.md index 6137b5b7..10158619 100644 --- a/docs/gnulinux/grub_boot_installer.md +++ b/docs/gnulinux/grub_boot_installer.md @@ -5,11 +5,11 @@ x-toc-enable: true This section relates to preparing, booting and installing a GNU+Linux distribution on your libreboot system, using nothing more than a USB -flash drive (and *dd*). +flash drive (and `dd`). -**This section is only for the GRUB payload. For depthcharge (used on +*This section is only for the GRUB payload. For depthcharge (used on CrOS devices in libreboot), instructions have yet to be written in the -libreboot documentation.** +libreboot documentation.* Prepare the USB drive (in GNU+Linux) ------------------------------------ @@ -144,20 +144,18 @@ If it did that, then you do: grub> cat (usb0)/isolinux/foo.cfg -And so on, until you find the correct menuentries for ISOLINUX. **The -file */isolinux/foo.cfg* is a fictional example. Do not actually use -this example, unless you actually have that file, if it is -appropriate.** - -For Debian or Devuan (and other debian-based distros), there are -typically menuentries listed in */isolinux/txt.cfg* or -*/isolinux/gtk.cfg*. For dual-architecture ISO images (i686 and -x86\_64), there may be separate files/directories for each architecture. -Just keep searching through the image, until you find the correct -ISOLINUX configuration file. NOTE: Debian 8.6 ISO only lists 32-bit boot -options in txt.cfg. This is important if you want 64-bit booting on your -system. Devuan versions based on Debian 8.x may also have the same -issue. +And so on, until you find the correct menuentries for ISOLINUX. *The file +`/isolinux/foo.cfg` is a fictional example. Do not actually use this example, +unless you actually have that file, if it is appropriate.* + +For Debian or Devuan (and other debian-based distros), there are typically +menuentries listed in */isolinux/txt.cfg* or */isolinux/gtk.cfg*. For +dual-architecture ISO images (i686 and x86\_64), there may be separate +files/directories for each architecture. Just keep searching through the +image, until you find the correct ISOLINUX configuration file. NOTE: Debian 8.6 +ISO only lists 32-bit boot options in txt.cfg. This is important if you want +64-bit booting on your system. Devuan versions based on Debian 8.x may also +have the same issue. Now look at the ISOLINUX menuentry. It'll look like: diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md index 01e4d3de..d1c5428a 100644 --- a/docs/gnulinux/grub_cbfs.md +++ b/docs/gnulinux/grub_cbfs.md @@ -25,15 +25,15 @@ the libreboot GRUB payload will automatically search for. Here is an excellent writeup about CBFS (coreboot filesystem): . -**This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.** +*This guide is only for the GRUB payload. If you use the depthcharge payload, +ignore this section entirely.* Introduction ------------ Download the latest release from [libreboot.org](/)\ -**If you downloaded from git, refer to -[../git/\#build\_meta](../git/#build_meta) before continuing.** +*If you downloaded from git, refer to +[../git/\#build\_meta](../git/#build_meta) before continuing.* There are several advantages to modifying the GRUB configuration stored in CBFS, but this also means that you have to flash a new libreboot ROM @@ -54,10 +54,10 @@ the main storage for /boot/grub/libreboot\_grub.cfg or partition), and then use it automatically. Simply create your custom GRUB configuration and save it to -**/boot/grub/libreboot\_grub.cfg** on the running system. The next time +`/boot/grub/libreboot_grub.cfg` on the running system. The next time you boot, GRUB (in libreboot) will automatically switch to this -configuration file. **This means that you do not have to re-flash, -recompile or otherwise modify libreboot at all!** +configuration file. *This means that you do not have to re-flash, +recompile or otherwise modify libreboot at all!* Ideally, your distribution should automatically generate a libreboot\_grub.cfg file that is written specifically under the @@ -73,13 +73,13 @@ If you want to adapt a copy of the existing *libreboot* GRUB configuration and use that for the libreboot\_grub.cfg file, then follow [\#tools](#tools), [\#rom](#rom) and [\#extract\_testconfig](#extract_testconfig) to get the -***grubtest.cfg***. Rename ***grubtest.cfg*** to -***libreboot\_grub.cfg*** and save it to ***/boot/grub/*** on the +`grubtest.cfg`. Rename `grubtest.cfg` to +`libreboot_grub.cfg` and save it to `/boot/grub/` on the running system where it is intended to be used. Modify the file at that location however you see fit, and then stop reading this guide (the rest -of this page is irrelevant to you); **in libreboot\_grub.cfg on disk, if +of this page is irrelevant to you); in `libreboot_grub.cfg` on disk, if you are adapting it based on grub.cfg from CBFS then remove the check -for libreboot\_grub.cfg otherwise it will loop.**. +for `libreboot_grub.cfg` otherwise it will loop. 2nd option: re-flash -------------------- @@ -90,7 +90,7 @@ on to find out how. Acquire the necessary utilities ------------------------------- -Use ***cbfstool*** and ***flashrom***. There are available in the +Use `cbfstool` and `flashrom`. There are available in the *libreboot\_util* release archive, or they can be compiled (see [../git/\#build\_flashrom](../git/#build_flashrom)). Flashrom is also available from the repositories: @@ -111,8 +111,8 @@ your current firmware, using flashrom: $ sudo flashrom -p internal -r libreboot.rom # flashrom -p internal -r libreboot.rom -If you are told to specify the chip, add the option **-c {your chip}** -to the command, for example: +If you are told to specify the chip, add the option `-c {your chip}` to the +command, for example: # flashrom -c MX25L6405 -p internal -r libreboot.rom @@ -121,9 +121,8 @@ Extract grubtest.cfg from the ROM image You can check the contents of the ROM image, inside CBFS: - $ cd .../libreboot\_util/cbfstool** $ ./cbfstool libreboot.rom - -print** + $ cd .../libreboot\_util/cbfstool + $ ./cbfstool libreboot.rom The files *grub.cfg* and *grubtest.cfg* should be present. grub.cfg is loaded by default, with a menuentry for switching to grubtest.cfg. In @@ -144,17 +143,19 @@ config from the ROM image: $ ./cbfstool libreboot.rom remove -n grubtest.cfg -Next, insert the modified version:\ -**\$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t -raw** +Next, insert the modified version: + + $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw Testing ------- -**Now you have a modified ROM. Refer back to +Now you have a modified ROM. Refer back to [../install/\#flashrom](../install/#flashrom) for information on how to flash it. - $ cd /libreboot\_util** \# **./flash update libreboot.rom\ + + $ cd /libreboot\_util + # ./flash update libreboot.rom Ocassionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the @@ -162,17 +163,17 @@ correct ROM image, then run this alternative command: # ./flash forceupdate libreboot.rom -You should see **"Verifying flash... VERIFIED."** written at the end +You should see `Verifying flash... VERIFIED.` written at the end of the flashrom output. Once you have done that, shut down and then boot -up with your new test configuration.** +up with your new test configuration. Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. -**If it does not work like you want it to, if you are unsure or +*If it does not work like you want it to, if you are unsure or sceptical in any way, then re-do the steps above until you get it right! -Do \*not\* proceed past this point unless you are 100% sure that your -new configuration is safe (or desirable) to use.** +Do not proceed past this point unless you are 100% sure that your +new configuration is safe (or desirable) to use.* Final steps ----------- @@ -199,10 +200,10 @@ Add the modified version that you just made: $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw -**Now you have a modified ROM. Again, refer back to +*Now you have a modified ROM. Again, refer back to [../install/\#flashrom](../install/#flashrom) for information on how to flash it. It's the same method as you used before. Shut down and then -boot up with your new configuration.** +boot up with your new configuration.* Copyright © 2014, 2015 Leah Rowe \ Copyright © 2015 Jeroen Quint \ diff --git a/docs/gnulinux/grub_hardening.md b/docs/gnulinux/grub_hardening.md index c4843890..c32a0534 100644 --- a/docs/gnulinux/grub_hardening.md +++ b/docs/gnulinux/grub_hardening.md @@ -54,8 +54,8 @@ location. Note that this is not your LUKS password, but it's a password that you have to enter in order to use "restricted" functionality (such as console). This protects your system from an attacker simply booting a -live USB and re-flashing your firmware. **This should be different than -your LUKS passphrase and user password.** +live USB and re-flashing your firmware. *This should be different than +your LUKS passphrase and user password.* Use of the *diceware method* is recommended, for generating secure passphrases (as opposed to passwords). Diceware method involves using @@ -76,7 +76,7 @@ The GRUB password can be entered in two ways: - protected with [PBKDF2](https://en.wikipedia.org/wiki/Pbkdf2) We will (obviously) use the later. Generating the PBKDF2 derived key is -done using the **grub-mkpasswd-pbkdf2** utility. You can get it by +done using the `grub-mkpasswd-pbkdf2` utility. You can get it by installing GRUB version 2. Generate a key by giving it a password: grub-mkpasswd-pbkdf2 @@ -97,13 +97,13 @@ As enabling password protection as above means that you have to input it on every single boot, we will make one menu entry work without it. Remember that we will have GPG signing active, thus a potential attacker will not be able to boot an arbitrary operating system. We do this by -adding option **--unrestricted** to a menuentry definition: +adding option `--unrestricted` to a menuentry definition: menuentry 'Load Operating System (incl. fully encrypted disks) [o]' --hotkey='o' --unrestricted { ... Another good thing to do, if we chose to load signed on-disk GRUB -configurations, is to remove (or comment out) **unset superusers** in +configurations, is to remove (or comment out) `unset superusers` in function try\_user\_config: function try_user_config { @@ -133,7 +133,7 @@ GPG keys First generate a GPG keypair to use for signing. Option RSA (sign only) is ok. -**Warning:** GRUB does not read ASCII armored keys. When attempting to +Warning: GRUB does not read ASCII armored keys. When attempting to trust ... a key filename it will print error: bad signature mkdir --mode 0700 keys @@ -151,8 +151,8 @@ Now that we have a key, we can sign some files with it. We have to sign: by pressing ESC, but afterwards grubtest.cfg is not signed and it will not load. -Suppose that we have a pair of **my.kernel** and **my.initramfs** and an -on-disk **libreboot\_grub.cfg**. We sign them by issuing the following +Suppose that we have a pair of `my.kernel` and `my.initramfs` and an +on-disk `libreboot_grub.cfg`. We sign them by issuing the following commands: gpg --homedir keys --detach-sign my.initramfs diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md index 4903d1c6..85777b95 100644 --- a/docs/gnulinux/index.md +++ b/docs/gnulinux/index.md @@ -5,8 +5,8 @@ title: GNU+Linux installation instructions This section relates to dealing with GNU+Linux distributions: preparing bootable USB drives, changing the default GRUB menu and so on. -**This section is only for the \*GRUB\* payload. For depthcharge, -instructions have yet to be written.** +*This section is only for the GRUB payload. For depthcharge, +instructions have yet to be written.* - [How to install GNU+Linux on a libreboot system](grub_boot_installer.md) -- cgit v1.2.3-70-g09d2