libreboot


commit 733d54e7fb07874c35b3f099ea1ff065ab9b2a78
parent 9b876fbc483fd169dae581bbcaaadd99eac469bd
Author: Leah Rowe <info@minifree.org>
Date:   Tue, 13 Jun 2017 07:06:16 +0000

Merge branch 'master' of esmith1412/libreboot into master

Diffstat:
docs/gnulinux/configuring_parabola.md | 872+++++++++++++++++++++++++++++++++++--------------------------------------------
docs/gnulinux/encrypted_parabola.md | 1107+++++++++++++++++++++++++++++--------------------------------------------------
docs/gnulinux/grub_cbfs.md | 569+++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------
docs/gnulinux/index.md | 45+++++++++++++++++++++++++--------------------
4 files changed, 1223 insertions(+), 1370 deletions(-)

diff --git a/docs/gnulinux/configuring_parabola.md b/docs/gnulinux/configuring_parabola.md 
@@ -1,679 +1,586 @@ +#Configuring Parabola (Post-Install) + +[**Edit this Page**](https://libreboot.org/git.html#editing-the-website-and-documentation-wiki-style) -- [Back to Previous Index](https://libreboot.org/docs/gnulinux/) + +* [Configure pacman](#configure_pacman) +* [Updating Parabola](#updating_parabola) +* [Maintaining Parabola](#maintaining_parabola) + * [Cleaning the Package Cache](#cleaning_cache) + * [pacman Command Equivalents](#command_equivalents) +* [your-freedom](#your_freedom) +* [Add a User](#add_user) + * [Configure sudo](#configure_sudo) +* [systemd](#systemd) +* [Interesting Repositories](#interesting_repositories) +* [Set Up a Network Connection in Parabola](#set_network_connection) + * [Set Hostname](#set_hostname) + * [Network Status](#network_status) + * [Network Device Names](#device_names) + * [Network Setup](#network_setup) +* [Configuring the Graphical Desktop Environment](#configure_desktop) + * [Installing Xorg](#installing_xorg) + * [Xorg keyboard layout](#xorg_layout) + * [Installing MATE](#installing_mate) + * [Configuring Network Manager in MATE](#mate_network_manager) + --- -title: Configuring Parabola (post-install) -x-toc-enable: true -... - -Post-installation configuration steps for Parabola GNU+Linux-libre. -Parabola is extremely flexible; this is just an example. This example -uses LXDE because it's lightweight, but we recommend the *MATE* desktop -(which is actually about as lightweight as LXDE). - -While not strictly related to the libreboot project, this guide is -intended to be useful for those interested in installing Parabola on -their libreboot system. - -It details configuration steps that I took after installing the base -system, as a follow up to -[encrypted\_parabola.md](encrypted_parabola.md). This guide is -likely to become obsolete at a later date (due to the volatile -'rolling-release' model that Arch/Parabola both use), but attempts -will be made to maintain it. - -*This guide was valid on 2014-09-21. 
If you see any changes that should -to be made at the present date, please get in touch with the libreboot -project!* - -You do not necessarily have to follow this guide word-for-word; -*parabola* is extremely flexible. The aim here is to provide a common -setup that most users will be happy with. While Parabola can seem -daunting at first glance (especially for new GNU+Linux users), with a -simple guide it can provide all the same usability as Debian or Devuan, + +This is the guide for setting up Parabola GNU+Linux-Libre, after completing +the installation steps outlined in [Installing Parabola or Arch GNU+Linux-Libre with Full-Disk Encryption (including /boot)](encrypted_parabola.md). +It will cover installing and configuring a graphical desktop environment, +as well as some applications that make the system more user friendly. + +For this example, we chose the *MATE Desktop Environment* as our graphical interface. + +*This guide was valid on 2017-06-02. If you see any changes that should +to be made at the present date, please get in touch with the Libreboot +project (or [make those changes yourself](https://libreboot.org/git.html#editing-the-website-and-documentation-wiki-style))!* + +While Parabola can seem daunting at first glance (especially for new GNU+Linux users), +with a simple guide, it can provide all the same usability +as any Debian-based GNU+Linux distribution (e.g., Trisquel, Debian, and Devuan), without hiding any details from the user. -Paradoxically, as you get more advanced Parabola can actually become -*easier to use* when you want to set up your system in a special way +Paradoxically, as you get more advanced, Parabola can actually become +*easier to use*, when you want to set up your system in a special way, compared to what most distributions provide. You will find over time that other distributions tend to *get in your way*. -*This guide assumes that you already have Parabola installed. 
If you -have not yet installed Parabola, then [this -guide](encrypted_parabola.md) is highly recommended!* - A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In -general it tries to cherry pick the most useful information but -nonetheless you are encouraged to learn as much as possible. *It might -take you a few days to fully install your system how you like, depending -on how much you need to read. Patience is key, especially for new -users*. +general, it tries to cherry-pick the most useful information, but +nonetheless, you are encouraged to learn as much as possible. + +>**NOTE: It might take you a few days to fully install your system how you like, +>depending on how much you need to read. Patience is key, especially for new users.** The Arch wiki will sometimes use bad language, such as calling the whole -system Linux, using the term open-source (or closed-source), and it will -sometimes recommend the use of proprietary software. You need to be -careful about this when reading anything on the Arch wiki. +system Linux, using the term **open-source**/**closed-source**, +and it will sometimes recommend the use of proprietary software. +You need to be careful about this when reading anything on the Arch wiki. -Some of these steps require internet access. I'll go into networking -later but for now, I just connected my system to a switch and did: +Some of these steps require internet access. 
To get initial access +for setting up the system (I'll go into networking later), +just connect your system to a router, via an ethernet cable, +and run the following command: - # systemctl start dhcpcd.service +> # systemctl start dhcpcd.service -You can stop it later by running: +You can stop it later (if needed), by using systemd's **`stop`** option: - # systemctl stop dhcpcd.service\ +> # systemctl stop dhcpcd.service -For most people this should be enough, but if you don't have DHCP on -your network then you should setup your network connection first:\ -[Setup network connection in Parabola](#network) +For most people, this should be enough, but if you don't have DHCP enabled +on your network, then you should setup your network connection first: +[Set Up Network Connection in Parabola](#network). -Configure pacman {#pacman_configure} ----------------- +--- -pacman (*pac*kage *man*ager) is the name of the package management -system in Arch, which Parabola (as a deblobbed parallel effort) also -uses. Like with 'apt-get' on Debian or Devuan, this can be used to -add/remove and update the software on your computer. +##Configure pacman <a name="configure_pacman"></a> -Based on -<https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman> -and from reading <https://wiki.archlinux.org/index.php/Pacman> (make -sure to read and understand this, it's very important) and -<https://wiki.parabolagnulinux.org/Official_Repositories> +**`pacman`** (*pac*kage *man*ager) is the name of the package management system +in Arch, which Parabola (as a deblobbed, parallel effort) also uses. +Like with **`apt-get`** on Trisquel, Debian, or Devuan, this can be used to +add, remove, and update the software on your computer. -Updating Parabola {#pacman_update} ------------------ +For more information related to **`pacman`**, review the following articles on the Arch Wiki: -In the end, I didn't change my configuration for pacman. 
When you are -updating, resync with the latest package names/versions: +* [Configuring pacman](https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman) +* [Using pacman](https://wiki.archlinux.org/index.php/Pacman) +* [Additional Repositories](https://wiki.parabolagnulinux.org/Official_Repositories>) + +--- - # pacman -Syy +##Updating Parabola <a name="updating_parabola"></a> -(according to the wiki, -Syy is better than Sy because it refreshes the -package list even if it appears to be up to date, which can be useful -when switching to another mirror).\ -Then, update the system: +Parabola is kept up-to-date, using **`pacman`**. When you are updating Parabola, +make sure to refresh the package list, *before* installing any new updates: - # pacman -Syu +> # pacman -Syy -*Before installing packages with 'pacman -S', always update first, -using the notes above.* +>NOTE: According to the Wiki, **`-Syy`** is better than **`-Sy`**, because it refreshes +>the package list (even if it appears to be up-to-date), which can be useful +>when switching to another mirror. -Keep an eye out on the output, or read it in /var/log/pacman.log. -Sometimes, pacman will show messages about maintenance steps that you +Then, actually update the system: + +> # pacman -Syu + +**NOTE: Before installing packages with** `pacman -S`, **always update first, +using the two commands above.** + +Keep an eye out on the output, or read it in **/var/log/pacman.log**. +Sometimes, **`pacman`** will show messages about maintenance steps that you will need to perform with certain files (typically configurations) after -the update. Also, you should check both the Parabola and Arch home pages -to see if they mention any issues. If a new kernel is installed, you -should also update to be able to use it (the currently running kernel -will also be fine). It's generally good enough to update Parabola once -every week, or maybe twice. 
As a rolling release distribution, it's a -good idea never to leave your install too outdated; update regularly. -This is simply because of the way the project works; old packages are -deleted from the repositories quickly, once they are updated. A system -that hasn't been updated for quite a while will mean potentially more -reading of previous posts through the website, and more maintenance -work. - -The Arch forum can also be useful, if others have the same issue as you -(if you encounter issues, that is). The *Parabola* IRC channel -(\#parabola on freenode) can also help you. - -Due to this and the volatile nature of Parabola/Arch, you should only -update when you have at least a couple hours of spare time in case of +the update. Also, you should check both the [Parabola home page](https://www.parabola.nu/) and [Arch home page](https://www.archlinux.org/), +to see if they mention any issues. If a new kernel is installed, you should also +update to be able to use it (the currently running kernel will also be fine). + +It's generally good enough to update Parabola once every week, or maybe twice. +As a rolling release distribution, it's a never a good idea to leave your installation +too outdated. This is simply because of the way the project works; +old packages are deleted from the repositories quickly, once they are updated. +A system that hasn't been updated for quite a while will mean potentially more +reading of previous posts through the website, and more maintenance work. + +The Arch forum can also be useful, if others have the same issue as you. +The *Parabola* IRC channel ([**\#parabola**](https://webchat.freenode.net/) on freenode) can also help you. + +Due to this, and the volatile nature of Parabola/Arch, you should only +update when you have at least a couple hours of spare time, in case of issues that need to be resolved. 
You should never update, for example, -if you need your system for an important event, like a presentation or +if you need your system for an important event, like a presentation, or sending an email to an important person before an allocated deadline, and so on. -Relax - packages are well-tested regularly when new updates are made to -the repositories. Separate 'testing' repositories exist for this exact -reason. Despite what many people will tell you, Parabola is fairly +Relax! Packages are well-tested, when new updates are made to +the repositories; separate 'testing' repositories exist for this exact +reason. Despite what many people may tell you, Parabola is fairly stable and trouble-free, so long as you are aware of how to check for -issues, and are willing to spend some time fixing issues in the rare -event that they do occur. +issues, and are willing to spend some time fixing issues, in the rare +event that they do occur (this is why Arch/Parabola provide such extensive documenatation). + +--- -Maintaining Parabola {#pacman_maintain} --------------------- +##Maintaining Parabola <a name='maintaining_parabola'></a> Parabola is a very simple distro, in the sense that you are in full -control and everything is made transparent to you. One consequence is +control, and everything is made transparent to you. One consequence is that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done with this -page) can be very useful as a reference in the future (if you wanted to -re-install it or install the distro on another computer, for example). +page) can be very useful as a reference in the future (e.g, if you wanted to +re-install it, or install the distro on another computer). -### Cleaning the package cache {#pacman_cacheclean} +You should also read the Arch wiki article on [System Maintenance](https://wiki.archlinux.org/index.php/System_maintenance), +before continuing. 
Also, read their article on [enhancing system stability](https://wiki.archlinux.org/index.php/Enhance_system_stability). +This is important, so make sure to read them both!* -*The following is very important as you continue to use, update and -maintain your Parabola system:\ -<https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache>. -Essentially, this guide talks about a directory that has to be cleaned -once in a while, to prevent it from growing too big (it's a cache of -old package information, updated automatically when you do anything in -pacman).* +Install **`smartmontools`**; it can be used to check smart data. HDDs use +non-free firmware inside; it's transparent to you, but the smart +data comes from it. Therefore, don't rely on it too much), and then read +the Arch wiki [article](https://wiki.archlinux.org/index.php/S.M.A.R.T.) on it, to learn how to use it: + +> # pacman -S smartmontools + +###Cleaning the Package Cache <a name=cleaning_cache'></a> + +*This section provides a brief overview of how to manage the directory that stores +a cache of all downloaded packages. For more information, +check out the Arch Wiki guide for [Cleaning the Package Cache](https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache).* To clean out all old packages that are cached: - # pacman -Sc +> # pacman -Sc -The wiki cautions that this should be used with care. For example, since -older packages are deleted from the repo, if you encounter issues and -want to revert back to an older package then it's useful to have the -caches available. Only do this if you are sure that you won't need it. +The Wiki cautions that this should be used with care. For example, since +older packages are deleted from the repository, if you encounter issues +and want to revert back to an older package, then it's useful to have the +caches available. Only do this ,if you are sure that you won't need it. 
-The wiki also mentions this method for removing everything from the +The Wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached: - # pacman -Scc +> # pacman -Scc -This is inadvisable, since it means re-downloading the package again if +This is inadvisable, since it means re-downloading the package again, if you wanted to quickly re-install it. This should only be used when disk space is at a premium. -### pacman command equivalents {#pacman_commandequiv} +###pacman Command Equivalents <a name='command_equivalents'></a> + +If you are coming from another GNU+Linux distribution, you probably want to know +the command equivalents for the various **`apt-get`**-related commands that you often use. +For that information, refer to [Pacman/Rosetta](https://wiki.archlinux.org/index.php/Pacman/Rosetta), +so named, because it serves as a Rosetta Stone to the esoteric pacman language. -The following table lists other distro package manager commands, and -their equivalent in pacman:\ -<https://wiki.archlinux.org/index.php/Pacman_Rosetta> +--- -your-freedom {#yourfreedom} ------------- +##your-freedom <a name='your_freedom'></a> -your-freedom is a package specific to Parabola, and it is installed by +**`your-freedom`** is a package specific to Parabola, and it is installed by default. What it does is conflict with packages from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there -is a guide on the Parabola wiki for migrating - converting - an existing -Arch system to a Parabola system), installing your-freedom will also -fail if these packages are installed, citing them as conflicts; the +is a guide on the Parabola wiki for migrating (i.e,. 
converting) an existing +Arch system to a Parabola system), installing it will also +fail, if these packages are installed, citing them as conflicts; the recommended solution is then to delete the offending packages, and -continue installing *your-freedom*. +continue installing **`your-freedom`**. + +--- -Add a user {#useradd} ----------- +##Add a User <a name='add_user'></a> -Based on <https://wiki.archlinux.org/index.php/Users_and_Groups>. +This is based on the Arch Wiki guide to [Users and Groups](https://wiki.archlinux.org/index.php/Users_and_Groups). It is important (for security reasons) to create and use a non-root -(non-admin) user account for everyday use. The default 'root' account +(non-admin) user account for everyday use. The default **root** account is intended only for critical administrative work, since it has complete access to the entire operating system. Read the entire document linked to above, and then continue. -Add your user: - - # useradd -m -G wheel -s /bin/bash *yourusername* - -Set a password: +Add your user with the **`useradd`** command (self explanatory): - # passwd *yourusername* +> # useradd -m -G wheel -s /bin/bash *your_user_name* -Use of the *diceware method* is recommended, for generating secure -passphrases (instead of passwords). +Set a password, using **`passwd`**: -systemd -------- +> # passwd *your_user_name* -This is the name of the system used for managing services in Parabola. -It is a good idea to become familiar with it. Read -<https://wiki.archlinux.org/index.php/systemd> and -<https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage> to -gain a full understanding. *This is very important! Make sure to read -them.* +Like with the installation of Parabola, use of the [*diceware method*](http://world.std.com/~reinhold/diceware.html) is recommended, +for generating secure passphrases. -An example of a 'service' could be a webserver (such as lighttpd), or -sshd (openssh), dhcp, etc. There are countless others. 
+###Configure sudo <a name='configure_sudo'></a> -<https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530> explains -the background behind the decision by Arch (Parabola's upstream -supplier) to use systemd. +Now that we have a normal user account, we'll want to configure **`sudo`**, +so that user is able to run commands as **root** (e.g., installing software); +this will be necessary to flash the ROM later on. Refer to the Arch wiki's [sudo](https://wiki.archlinux.org/index.php/Sudo) documentation. -The manpage should also help: +The first step is to install the **`sudo`** package: - # man systemd +> # pacman -S sudo -The section on 'unit types' is especially useful. +After installation, we must configure it. To do so, we must modify **/etc/sudoers**. +This file must *always* be modified with the **`visudo`** command. **`visudo`** can be +difficult for beginners to use, so we'll want to edit the file with **`nano`**, +but the trick is that we just can't do this: -According to the wiki, systemd 'journal' keeps logs of a size up to -10% of the total size your / partition takes up. on a 60GB root this -would mean 6GB. That's not exactly practical, and can have performance -implications later when the log gets too big. Based on instructions from -the wiki, I will reduce the total size of the journal to 50MiB (the wiki -recommends 50MiB). +> # nano /etc/sudoers -Open /etc/systemd/journald.conf and find the line that says:\ -*\#SystemMaxUse=*\ -Change it to say:\ -*SystemMaxUse=50M* +Because, this will cause us to edit the file directly, which is not the way +it was designed to be edited, and could lead to problems with the system. +Instead, to temporarily allow us to use **`nano`** to edit the file, +we need to type this into the terminal: -The wiki also recommended a method for forwarding journal output to TTY -12 (accessible by pressing ctrl+alt+f12, and you use ctrl+alt+\[F1-F12\] -to switch between terminals). I decided not to enable it. 
+> # EDITOR=nano visudo -Restart journald: +This will open the **/etc/sudoers** file in **`nano`**, and we can now safely make changes to it. - # systemctl restart systemd-journald - -The wiki recommends that if the journal gets too large, you can also -simply delete (rm -Rf) everything inside /var/log/journald/\* but -recommends backing it up. This shouldn't be necessary, since you -already set the size limit above and systemd will automatically start to -delete older records when the journal size reaches it's limit -(according to systemd developers). - -Finally, the wiki mentions 'temporary' files and the utility for -managing them. +To give the user we created earlier to ability to use **`sudo`**, we need to navigate +to the end of the file, and add this line on the end: - # man systemd-tmpfiles +> your_username ALL=(ALL) ALL -The command for 'clean' is: +Obviously, type in the name of the user you created, instead of **your_username**. +Save the file, and exit **`nano`**; your user now has the ability to use **`sudo`**. - # systemd-tmpfiles --clean - -According to the manpage, this *"cleans all files and directories with -an age parameter"*. According to the Arch wiki, this reads information -in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ to know what actions to -perform. Therefore, it is a good idea to read what's stored in these -locations to get a better understanding. - -I looked in /etc/tmpfiles.d/ and found that it was empty on my system. -However, /usr/lib/tmpfiles.d/ contained some files. The first one was -etc.conf, containing information and a reference to this manpage: - - # man tmpfiles.d - -Read that manpage, and then continue studying all the files. - -The systemd developers tell me that it isn't usually necessary to touch -the systemd-tmpfiles utility manually at all. 
- -Interesting repositories {#interesting_repos} ------------------------- - -Parabola wiki at -<https://wiki.parabolagnulinux.org/Repositories#kernels> mentions about -a repository called \[kernels\] for custom kernels that aren't in the -default base. It might be worth looking into what is available there, -depending on your use case. - -I enabled it on my system, to see what was in it. Edit /etc/pacman.conf -and below the 'extra' section add:\ -*\[kernels\]\ -Include = /etc/pacman.d/mirrorlist* - -Now sync with the repository: - - # pacman -Syy - -List all available packages in this repository: - - # pacman -Sl kernels - -In the end, I decided not to install anything from it but I kept the -repository enabled regardless. - -Setup a network connection in Parabola {#network} --------------------------------------- - -Read <https://wiki.archlinux.org/index.php/Configuring_Network>. - -### Set the hostname {#network_hostname} - -This should be the same as the hostname that you set in /etc/hostname -when installing Parabola. You can also do it with systemd (do so now, if -you like): - - # hostnamectl set-hostname *yourhostname* - -This writes the specified hostname to /etc/hostname. More information -can be found in these manpages: - - # man hostname - # info hostname - # man hostnamectl - -Add the same hostname to /etc/hosts, on each line. Example:\ -*127.0.0.1 localhost.localdomain localhost myhostname\ -::1 localhost.localdomain localhost myhostname* - -You'll note that I set both lines; the 2nd line is for IPv6. More and -more ISPs are providing this now (mine does) so it's good to be -forward-thinking here. - -The *hostname* utility is part of the *inetutils* package and is in -core/, installed by default (as part of *base*). - -### Network Status {#network_status} - -According to the Arch wiki, -[udev](https://wiki.archlinux.org/index.php/Udev) should already detect -the ethernet chipset and load the driver for it automatically at boot -time. 
You can check this in the *"Ethernet controller"* section when -running this command: - - # lspci -v - -Look at the remaining sections *'Kernel driver in use'* and *'Kernel -modules'*. In my case it was as follows:\ -*Kernel driver in use: e1000e\ -Kernel modules: e1000e* - -Check that the driver was loaded by issuing *dmesg | grep module\_name*. -In my case, I did: - - # dmesg | grep e1000e - -### Network device names {#network_devicenames} - -According to -<https://wiki.archlinux.org/index.php/Configuring_Network#Device_names>, -it is important to note that the old interface names like eth0, wlan0, -wwan0 and so on no longer apply. Instead, *systemd* creates device names -starting with en (for enternet), wl (for wifi) and ww (for wwan) with a -fixed identifier that systemd automatically generates. An example device -name for your ethernet chipset would be *enp0s25*, where it is never -supposed to change. +--- -If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch -wiki recommends adding *net.ifnames=0* to your kernel parameters (in -libreboot context, this would be accomplished by following the -instructions in [grub\_cbfs.md](grub_cbfs.md)). +##systemd <a name='systemd'></a> -For background information, read [Predictable Network Interface -Names](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/) +**`systemd`** is the name of the program for managing services in Parabola; +It is a good idea to become familiar with it. Read the Arch Wiki article on [systemd](https://wiki.archlinux.org/index.php/systemd), +as well as their [Basic systemctl usage](https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage) article, +to gain a full understanding. *This is very important! 
Make sure to read them.* -Show device names: +An example of a **service** could be a VPN (allowing you to connect to an outside network), +an applet in the system tray that tells you the weather for your city, +a sound manager (to make sure you can hear sound through speakers or headphones), +or DHCP (which allows you to get an IP address, to connect to the internet). +These are just a few examples; there are countless others. - # ls /sys/class/net +**`systemd`** is a controversial init system; [here](https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530) +is an explanation behind the Arch development team's decision to use it. -Changing the device names is possible (I chose not to do it):\ -<https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name> +The **manpage** should also help: -### Network setup {#network_setup} +> # man systemd -I actually chose to ignore most of Networking section on the wiki. -Instead, I plan to set up LXDE desktop with the graphical -network-manager client. Here is a list of network managers:\ -<https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers>. -If you need to, set a static IP address (temporarily) using the -networking guide and the Arch wiki, or start the dhcpcd service in -systemd. NetworkManager will be setup later, after installing LXDE. +The section on **unit types** is especially useful. -System Maintenance {#system_maintain} ------------------- +According to the wiki, **`systemd's`** journal keeps logs of a size up to 10% of the +total size that your root partition takes up. On a 60GB root, this would mean 6GB. +That's not exactly practical, and can have performance implications later, +when the log gets too big. Based on instructions from the wiki, +I will reduce the total size of the journal to 50MiB (that's what the wiki recommends). -Read <https://wiki.archlinux.org/index.php/System_maintenance> before -continuing. 
Also read -<https://wiki.archlinux.org/index.php/Enhance_system_stability>. *This -is important, so make sure to read them!* +Open **/etc/systemd/journald.conf**, and find this line: -Install smartmontools (it can be used to check smart data. HDDs use -non-free firmware inside, but it's transparent to you but the smart -data comes from it. Therefore, don't rely on it too much): +> #SystemMaxUse= - # pacman -S smartmontools +Change it to this: -Read <https://wiki.archlinux.org/index.php/S.M.A.R.T.> to learn how to -use it. +> SystemMaxUse=50M -Configuring the desktop {#desktop} ------------------------ +Restart **`journald`**: -Based on steps from [General -Recommendations](https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface) -on the Arch wiki. The plan is to use LXDE and LXDM/LightDM, along with -everything else that you would expect on other distributions that -provide LXDE by default. +> # systemctl restart systemd-journald -### Installing Xorg {#desktop_xorg} +The wiki recommends that if the journal gets too large, you can also +simply delete (**`rm -Rf`**) everything inside **/var/log/journald**, but +recommends backing it up. This shouldn't be necessary, since you +already set the size limit above, and **`systemd`** will automatically start +to delete older records, when the journal size reaches it's limit (according to systemd developers). -Based on <https://wiki.archlinux.org/index.php/Xorg>. +Finally, the wiki mentions **temporary files**, and the utility for +managing them. -Firstly, install it! +> # man systemd-tmpfiles - # pacman -S xorg-server +To delete the temporary files, you can use the **`clean`** option: -I also recommend installing this (contains lots of useful tools, -including *xrandr*): +> # systemd-tmpfiles --clean - # pacman -S xorg-server-utils +According to the **manpage**, this *"cleans all files and directories with +an age parameter"*. 
According to the Arch wiki, this reads information +in **/etc/tmpfiles.d** and **/usr/lib/tmpfiles.d**, to know what actions to perform. +Therefore, it is a good idea to read what's stored in these locations, to get a better understanding. -Install the driver. For me this was *xf86-video-intel* on the ThinkPad -X60. T60 and macbook11/21 should be the same. +I looked in **/etc/tmpfiles.d/** and found that it was empty on my system. +However, **/usr/lib/tmpfiles.d** contained some files. The first one was +**etc.conf**, containing information and a reference to this **manpage**: - # pacman -S xf86-video-intel +> # man tmpfiles.d -For other systems you can try: +Read that **manpage**, and then continue studying all the files. - # pacman -Ss xf86-video- | less +The **`systemd`** developers tell me that it isn't usually necessary +to manually touch the **`systemd-tmpfiles utility`**, at all. -Combined with looking at your *lspci* output, you can determine which -driver is needed. By default, Xorg will revert to xf86-video-vesa which -is a generic driver and doesn't provide true hardware acceleration. +--- -Other drivers (not just video) can be found by looking at the -`xorg-drivers` group: +##Interesting Repositories <a name='interesting_repositories'></a> - # pacman -Sg xorg-drivers +In their [kernels](https://wiki.parabolagnulinux.org/Repositories#kernels) article, +the Parabola wiki mentions a repository called **`\[kernels\]`**, for custom kernels +that aren't in the default **`base`**. It might be worth looking into what is available there, +depending on your use case. -Mostly you will rely on a display manager, but in case you ever want to start X -without one: +I enabled it on my system, to see what was in it. 
Edit **/etc/pacman.conf**, +and below the **`extra`** section add: - # pacman -S xorg-xinit +> [kernels] +> Include = /etc/pacman.d/mirrorlist* -Optionally, to test X, install these: +Now, sync with the newly-added repository: -   # pacman -S xorg-twm xorg-xclock xterm +> # pacman -Syy -Refer to <https://wiki.archlinux.org/index.php/Xinitrc>. and test X: +Lastly, list all available packages in this repository: -   # startx +> # pacman -Sl kernels -When you are satisfied, type `exit` in xterm, inside the X session. +In the end, I decided not to install anything from it, +but I kept the repository enabled regardless. -Uninstall them (clutter. eww): +--- - # pacman -S xorg-xinit xorg-twm xorg-xclock xterm +##Setup a Network Connection in Parabola <a name='set_network_connection'></a> -### Xorg keyboard layout {#desktop_kblayout} +Read the Arch wiki guide to [Configuring the Network](https://wiki.archlinux.org/index.php/Configuring_Network). -Refer to -<https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg>. +###Set the Hostname <a name='set_hostname'></a> -Xorg uses a different configuration method for keyboard layouts, so you -will notice that the layout you set in /etc/vconsole.conf earlier might -not actually be the same in X. +This should be the same as the hostname that you set in **/etc/hostname**, +when installing Parabola. You should also do it with **`systemd`**. +If you chose the hostname *parabola*, do it this way: -To see what layout you currently use, try this on a terminal emulator in -X: +> # hostnamectl set-hostname parabola - # setxkbmap -print -verbose 10 +This writes the specified hostname to **/etc/hostname**. +More information can be found in these **manpages**: -In my case, I wanted to use the Dvorak (UK) keyboard which is quite -different from Xorg's default Qwerty (US) layout. 
+> # man hostname +> # info hostname +> # man hostnamectl -I'll just say it now: *XkbModel* can be *pc105* in this case (ThinkPad -X60, with a 105-key UK keyboard). If you use an American keyboard -(typically 104 keys) you will want to use *pc104*. +Check **/etc/hosts**, to make sure that the hostname that you put in there +during installation is still on each line: -*XkbLayout* in my case would be *gb*, and *XkbVariant* would be -*dvorak*. +> 127.0.0.1 localhost.localdomain localhost parabola +> ::1 localhost.localdomain localhost parabola -The Arch wiki recommends two different methods for setting the keyboard -layout:\ -<https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files> -and\ -<https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl>. +You'll note that I set both lines; the second line is for IPv6. Since more and +more ISPs are providing this now, it's good to be have it enabled, just in case. -In my case, I chose to use the *configuration file* method:\ -Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this -inside:\ -*Section "InputClass"\ -        Identifier "system-keyboard"\ -        MatchIsKeyboard "on"\ -        Option "XkbLayout" "gb"\ -        Option "XkbModel" "pc105"\ -        Option "XkbVariant" "dvorak"\ -EndSection* +The **`hostname`** utility is part of the **`inetutils`** package, and is in the **`core`** repository, +installed by default (as part of the **`base`** package). -For you, the steps above may differ if you have a different layout. If -you use a US Qwerty keyboard, then you don't even need to do anything -(though it might help, for the sake of being explicit). +###Network Status <a name='network_status'></a> -### Install LXDE {#desktop_lxde} +According to the Arch wiki, [udev](https://wiki.archlinux.org/index.php/Udev) should already detect +the ethernet chipset, and automatically load the driver for it at boot time. 
+You can check this in the **`Ethernet controller`** section, when running the **`lspci`** command: -Desktop choice isn't that important to me, so for simplicity I decided -to use LXDE. It's lightweight and does everything that I need. If you -would like to try something different, refer to -<https://wiki.archlinux.org/index.php/Desktop_environment> +> # lspci -v -Refer to <https://wiki.archlinux.org/index.php/LXDE>. +Look at the remaining sections **`Kernel driver in use`** and **`Kernel modules`**. +In my case, it was as follows: -Install it, choosing 'all' when asked for the default package list: +> Kernel driver in use: e1000e +> Kernel modules: e1000e - # pacman -S lxde obconf +Check that the driver was loaded, by issuing **`dmesg | grep module_name`**. +In my case, I did: -I didn't want the following, so I removed them: +> # dmesg | grep e1000e - # pacman -R lxmusic lxtask +###Network Device Names <a name='device_names'></a> -I also lazily installed all fonts: +According to the Arch wiki guide on [Configuring Network Device Names](https://wiki.archlinux.org/index.php/Configuring_Network#Device_names), +it is important to note that the old interface names that you might be used to +(e.g., **`eth0`**, **`wlan0`**, **`wwan0`**, etc.), if you come from a distribution like Debian or Trisquel, +are no longer applicable. Instead, **`systemd`** creates device names +starting with **`en`** (for ethernet), **`wl`** (for wi-fi), and **`ww`** (for wwan), +with a fixed identifier that it automatically generates. +An example device name for your ethernet chipset would be **`enp0s25`**, +and is never supposed to change. - # pacman -S \$(pacman -Ssq ttf-) +If you want to enable the old names, the Arch wiki recommends adding **`net.ifnames=0`** +to your kernel parameters (in Libreboot context, this would be accomplished by following +the instructions in [How to replace the default GRUB configuration file](grub_cbfs.md)). 
-And a mail client: +For background information, read [Predictable Network Interface Names](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/). - # pacman -S icedove +To show what the device names are for your system, run the following command: -In IceCat, go to *Preferences :: Advanced* and disable *GNU IceCat -Health Report*. +> # ls /sys/class/net -I also like to install these: +[Changing the device names](https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name) is possible, +but for the purposes of this guide, there is no reason to do it. - # pacman -S xsensors stress htop +###Network Setup <a name='network_setup'></a> -Enable LXDM (the default display manager, providing a graphical login): +Aside from the steps mentioned above, I choose to ignore most of Networking section on the wiki; +this is because I will be installing the *MATE Desktop Environment*, and thus will +be using the **`NetworkManger`** client (with its accompanying applet) to manage the network. - # systemctl enable lxdm.service +If you wish to choose a different program, here are some other +[network manager options](https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers) +that you could use. -It will start when you boot up the system. To start it now, do: +--- - # systemctl start lxdm.service +##Configuring the Graphical Desktop Environment <a name='configure_desktop'></a> -Log in with your standard (non-root) user that you created earlier. It -is advisable to also create an xinitrc rule in case you ever want to -start lxde without lxdm. Read -<https://wiki.archlinux.org/index.php/Xinitrc>. 
+Since we are going with the *MATE Desktop Environment*, we will primarily be following +the instructions on the [Arch Linux Package Repository](https://wiki.mate-desktop.org/archlinux_custom_repo) page, +but will also refer to the [General Recommendations](https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface) +on the Arch wiki. -Open LXterminal: +###Installing Xorg <a name='installing_xorg'></a> - $ cp /etc/skel/.xinitrc \~ +The first step is to install [**Xorg**](https://wiki.archlinux.org/index.php/Xorg); +this provides an implementation of the **`X Window System`**, which is used to provide +a graphical intefrace in GNU+Linux: -Open .xinitrc and add the following plus a line break at the bottom of -the file. +> # pacman -S xorg-server - export LC_ALL=en_GB.UTF-8 - export LANGUAGE=en_GB.UTF-8 - export LANG=en_GB.UTF-8 +We also need to install the driver for our hardware. Since I am using a Thinkpad X200, +I will use **`xf86-video-intel`**; it should be the same on the other Thinkpads, +as well as the Macbook 1,1 and 2,1. - exec startlxde +> # pacman -S xf86-video-intel -* Now make sure that it is executable: +For other systems, you can try: - $ chmod +x .xinitrc +> # pacman -Ss xf86-video- | less -### LXDE - clock {#lxde_clock} +When this is combined with looking at your **`lspci`** output, you can determine which +driver is needed. By default, **`Xorg`** will revert to **`xf86-video-vesa`**, +which is a generic driver, and doesn't provide true hardware acceleration. -In *Digital Clock Settings* (right click the clock) I set the Clock -Format to `%Y/%m/%d %H:%M:%S` +Other drivers (not just video) can be found by looking at the **`xorg-drivers`** group: -### LXDE - font {#lxde_font} +> # pacman -Sg xorg-drivers -NOTE TO SELF: come back to this later. 
+###Xorg Keyboard Layout <a name='xorg_layout'></a> -### LXDE - screenlock {#lxde_screenlock} +**`xorg`** uses a different configuration method for keyboard layouts than Parabola, +so you will notice that the layout you set in **/etc/vconsole.conf** earlier might +not actually be the same in **`xorg`**. -Arch wiki recommends to use *xscreensaver*: +Check the Arch wiki's article on [Xorg's keyboard configuration](https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg), for more information. - # pacman -S xscreensaver +To see what layout you currently use, try this on a terminal emulator in **`xorg`**: -Under *Preferences :: Screensaver* in the LXDE menu, I chose *Mode: -Blank Screen Only*, setting *Blank After*, *Cycle After* and *Lock -Screen After* (checked) to 10 minutes. +> # setxkbmap -print -verbose 10 -You can now lock the screen with *Logout :: Lock Screen* in the LXDE -menu. +I'm simply using the default Qwerty (US) keyboard, so there isn't anything I need +to change here; if you do need to make any changes, the Arch wiki recommends two ways +of doing it: manually updating [configuration files](https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files) or using the [localectl](https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl) command. -### LXDE - automounting {#lxde_automount} +###Installing MATE <a name='installing_mate'></a> +Now we have to install the desktop environment itself. According to the Arch Linux Package Repository, +if we want all of the MATE Desktop, we need to install two packages: -Refer to -<https://wiki.archlinux.org/index.php/File_manager_functionality>. +> # pacman -Syy mate mate-extra -I chose to ignore this for now. NOTE TO SELF: come back to this later. 
+The last step is to install a Display Manager; for MATE, we will be using **`lightdm`** +(it's the recommended Display Manager for the MATE Desktop); for this, we'll follow the insructions [here](https://wiki.mate-desktop.org/archlinux_custom_repo#display_manager_recommended), +with one small change: the **`lightdm-gtk3-greeter`** package doesn't exist in Parabola's repositories. +So, instead we will install the **`lightdm-gtk-greeter`** package; it performs the same function. -### LXDE - disable suspend {#lxde_suspend} +We'll also need the **`accountsservice`** package, which gives us the login window itself: -When closing the laptop lid, the system suspends. This is annoying at -least to me. NOTE TO SELF: disable it, then document the steps here. +> # pacman -Syy lightdm-gtk3-greeter accountsservice -### LXDE - battery monitor {#lxde_battery} +After installing all the required packages, we need to make it so that the MATE Desktop Environment +will start automatically, whenever we boot our computer; to do this, we have to enable the display manager, **`lightdm`**, +as well as the service that will prompt us with a login window, **`accounts-daemon`**: -Right click lxde panel and *Add/Remove Panel Items*. Click *Add* and -select *Battery Monitor*, then click *Add*. Close and then right-click -the applet and go to *Battery Monitor Settings*, check the box that says -*Show Extended Information*. Now click *Close*. When you hover the -cursor over it, it'll show information about the battery. +> # systemctl enable lightdm +> # systemctl enable accounts-daemon -### LXDE - Network Manager {#lxde_network} +Now you have installed the *MATE Desktop Environment*,If you wanted +to install another desktop environment, check out some [other options](https://wiki.archlinux.org/index.php/Desktop_environment) on the the Arch wiki. -Refer to <https://wiki.archlinux.org/index.php/LXDE#Network_Management>. -Then I read: <https://wiki.archlinux.org/index.php/NetworkManager>. 
+###Configuring Network Manager in MATE <a name='mate_network_manager'></a> +Now that we have installed the Mate Desktop environment, and booted into it, +we need to set up the network configuration in our graphical environment. -Install Network Manager: +The MATE Desktop wiki recommends that we use Network Manager; the Arch wiki article +about it can be found [here](https://wiki.archlinux.org/index.php/NetworkManager). - # pacman -S networkmanager +We need to install the Network Manager packages: -You will also want the graphical applet: +> # pacman -S networkmanager - # pacman -S network-manager-applet +We will also need the Network Manager applet, which will allow us to manage our +networks from the system tray: -Arch wiki says that an autostart rule will be written at -*/etc/xdg/autostart/nm-applet.desktop* +> # pacman -S network-manager-applet -I want to be able to use a VPN at some point, so the wiki tells me to -do: +Finally, we need to start the service (if we want to use it now), or enable it, +(so that it will activate automatically, at startup). - # pacman -S networkmanager-openvpn +> # systemctl enable NetworkManager.service -LXDE uses openbox, so I refer to:\ -<https://wiki.archlinux.org/index.php/NetworkManager#Openbox>. +If you need VPN support, you will also want to install the **`networkmanager-openvpn`** package. -It tells me for the applet I need: +>**NOTE: You do not want multiple networking services running at the same time; +>they will conflict, so, if using Network Manager, you want to stop/disable any +>others from running. 
Examples of other services that will probably intefere +>with Network Manager are** `dhcpcd` **and** `wifi-menu`**.** - # pacman -S xfce4-notifyd gnome-icon-theme +You can see all currently-running services with this command: -Also, for storing authentication details (wifi) I need: +> # systemctl --type=service - # pacman -S gnome-keyring +And you can stop them using this command: -I wanted to quickly enable networkmanager: +> # systemctl stop service_name.service - # systemctl stop dhcpcd - # systemctl start NetworkManager +If you want to disable those services, meaning that you no longer want them to start +when the computer boots up, you will need to use **`systemctl's`** **`disable`** option, +instead of **`stop`**. -Enable NetworkManager at boot time: +Now you have a fully-functional graphical environment for your Parabola installation, +including networking. All you have to do is reboot, and you will be prompted to log in, +with a familiar graphical login prompt. You can also now, more easily [modify the GRUB configuration](grub_cbfs.md), +install new applications, and/or make whatever other changes you want to your system. - # systemctl enable NetworkManager +--- -Restart LXDE (log out, and then log back in). +Copyright © 2014, 2015 Leah Rowe <info@minifree.org> -I added the volume control applet to the panel (right click panel, and -add a new applet). I also later changed the icons to use the gnome icon -theme, in *lxappearance*. +Copyright © 2017 Elijah Smith <esmith1412@posteo.net> -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ +--- Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts. 
-A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md) +A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md)+ \ No newline at end of file diff --git a/docs/gnulinux/encrypted_parabola.md b/docs/gnulinux/encrypted_parabola.md 
@@ -1,849 +1,559 @@ ---- -title: Installing Parabola or Arch GNU+Linux with full disk encryption (including /boot) -... - -Libreboot on x86 uses the GRUB -[payload](http://www.coreboot.org/Payloads#GRUB_2) by default, which -means that the GRUB configuration file (where your GRUB menu comes from) -is stored directly alongside libreboot and it's GRUB payload -executable, inside the flash chip. In context, this means that -installing distributions and managing them is handled slightly -differently compared to traditional BIOS systems. - -On most systems, the /boot partition has to be left unencrypted while -the others are encrypted. This is so that GRUB, and therefore the -kernel, can be loaded and executed since the firmware can't open a LUKS -volume. Not so with libreboot! Since GRUB is already included directly -as a payload, even /boot can be encrypted. This protects /boot from -tampering by someone with physical access to the system. - -*This guide is \*only\* for the GRUB payload. If you use the -depthcharge payload, ignore this section entirely.* - -This guide is intended for the Parabola distribution, but it should also -work (with some adaptation) for *Arch*. We recomend using Parabola, -which is a version of Arch that removes all proprietary software, both -in the default installation and in the package repositories. It usually -lags behind Arch by only a day or two, so it is still usable for most -people. See [Arch to Parabola migration -guide](https://wiki.parabola.nu/index.php?title=Migration_from_the_GNU+Linux_distribution_of_Arch&redirect=no). - -Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a -step during boot to fail. If this happens to you, try removing the -drive. - -Boot Parabola's install environment. [How to boot a GNU+Linux -installer](grub_boot_installer.md). - -For this guide I used the 2015 08 01 image to boot the live installer -and install the system. 
This is available at [this -page](https://wiki.parabola.nu/Get_Parabola#Main_live_ISO). - -This guide will go through the installation steps taken at the time of -writing, which may or may not change due to the volatile nature of -Parabola (it changes all the time). In general most of it should remain -the same. If you spot mistakes, please say so! This guide will be ported -to the Parabola wiki at a later date. For up to date Parabola install -guide, go to the Parabola wiki. This guide essentially cherry picks the -useful information (valid at the time of writing: 2015-08-25). - -This section deals with wiping the storage device on which you plan to -install Parabola GNU+Linux. Follow these steps, but if you use an SSD, -also: - -- beware there are issues with TRIM (not enabled through luks) and -security issues if you do enable it. See [this -page](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29) -for more info. - -- make sure it's brand-new (or barely used). Or, otherwise, be sure -that it never previously contained plaintext copies of your data. - -- make sure to read [this -article](https://wiki.archlinux.org/index.php/Solid_State_Drives). Edit -/etc/fstab later on when chrooted into your install. Also, read the -whole article and keep all points in mind, adapting them for this guide. - -Securely wipe the drive: - - # dd if=/dev/urandom of=/dev/sda; sync - -NOTE: If you have an SSD, only do this the first time. If it was already -LUKS-encrypted before, use the info below to wipe the LUKS header. Also, -check online for your SSD what the recommended erase block size is. For -example if it was 2MiB: - - # dd if=/dev/urandom of=/dev/sda bs=2M; sync - -If your drive was already LUKS encrypted (maybe you are re-installing -your distro) then it is already 'wiped'. You should just wipe the LUKS -header. 
-<https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/> -showed me how to do this. It recommends doing the first 3MiB. Now, that -guide is recommending putting zero there. I'm going to use urandom. Do -this: - - # head -c 3145728 /dev/urandom > /dev/sda; sync - -(Wiping the LUKS header is important, since it has hashed passphrases -and so on. It's 'secure', but 'potentially' a risk). - -Change keyboard layout ----------------------- - -Parabola live shell assumes US Qwerty. If you have something different, -list the available keymaps and use yours: - - # localectl list-keymaps - # loadkeys LAYOUT - -For me, LAYOUT would have been dvorak-uk. - -Establish an internet connection --------------------------------- - -Refer to [this -guide](https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection). -Wired is recommended, but wireless is also explained there. - -Getting started ---------------- - -The beginning is based on -<https://wiki.parabolagnulinux.org/Installation_Guide>. Then I referred -to <https://wiki.archlinux.org/index.php/Partitioning> at first. - -dm-mod ------- - -device-mapper will be used - a lot. Make sure that the kernel module is -loaded: - - # modprobe dm-mod - -Create LUKS partition ---------------------- - -Note that the default iteration time is 2000ms (2 seconds) if not -specified in cryptsetup. You should set a lower time than this, -otherwise there will be an approximate 20 second delay when booting your -system. We recommend 500ms (0.5 seconds), and this is included in the -prepared cryptsetup command below. Note that the iteration time is for -security purposes (mitigates brute force attacks), so anything lower -than 5 seconds is probably not ok. - -I am using MBR partitioning, so I use cfdisk: - - # cfdisk /dev/sda - -I create a single large sda1 filling the whole drive, leaving it as the -default type 'Linux' (83). 
- -Now I refer to -<https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning>:\ -I am then directed to -<https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption>. - -Parabola forces you to RTFM. Do that. - -To populate the list below, it tells me to run: - - # cryptsetup benchmark - -Then: - - # cat /proc/crypto - -This gives me crypto options that I can use. It also provides a -representation of the best way to set up LUKS (in this case, security is -a priority; speed, a distant second). To gain a better understanding, I -am also reading: - - # man cryptsetup - -Following that page, based on my requirements, I do the following based -on -<https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode>. -Reading through, it seems like Serpent (encryption) and Whirlpool (hash) -is the best option. - -I am initializing LUKS with the following: - - # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash - -whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat -/dev/sda1 - - Choose a *secure* passphrase here. Ideally lots of -lowercase/uppercase numbers, letters, symbols etc all in a random -pattern. The password length should be as long as you are able to handle -without writing it down or storing it anywhere. - -Use of the *diceware method* is recommended, for generating secure -passphrases (instead of passwords). - -Create LVM ----------- +# Installing Parabola or Arch GNU+Linux-Libre, with Full-Disk Encryption (including /boot) -Now I refer to <https://wiki.archlinux.org/index.php/LVM>. 
- -Open the LUKS partition at /dev/mapper/lvm: - - # cryptsetup luksOpen /dev/sda1 lvm - -Create LVM partition: - - # pvcreate /dev/mapper/lvm - -Show that you just created it: - - # pvdisplay - -Now I create the volume group, inside of which the logical volumes will -be created: - - # vgcreate matrix /dev/mapper/lvm - -(volume group name is 'matrix' - choose your own name, if you like) -Show that you created it: - - # vgdisplay - -Now create the logical volumes (2G swap parittion named swapvol): - - # lvcreate -L 2G matrix -n swapvol - -Again, choose your own name if you like. Also, make sure to choose a swap size -of your own needs. It basically depends on how much RAM you have installed. I -refer to -<http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space>. -This creates a single large partition in the rest of the space, named root: - - # lvcreate -l +100%FREE matrix -n root - -You can also be flexible here, for example you can specify a /boot, a /, -a /home, a /var, a /usr, etc. For example, if you will be running a -web/mail server then you want /var in its own partition (so that if it -fills up with logs, it won't crash your system). For a home/laptop -system (typical use case), a root and a swap will do (really). - -Verify that the logical volumes were created, using the following -command: - - # lvdisplay - -Create / and swap partitions, and mount ---------------------------------------- - -For the swapvol LV I use: - - # mkswap /dev/mapper/matrix-swapvol - -Activate swap: - - # swapon /dev/matrix/swapvol - -For the root LV I use: - - # mkfs.btrfs /dev/mapper/matrix-root - -Mount the root (/) partition: - - # mount /dev/matrix/root /mnt - -Continue with Parabola installation ------------------------------------ - -This guide is really about GRUB, Parabola and cryptomount. I have to -show how to install Parabola so that the guide can continue. - -Now I am following the rest of -<https://wiki.parabolagnulinux.org/Installation_Guide>. 
I also cross -referenced <https://wiki.archlinux.org/index.php/Installation_guide>. - -Create /home and /boot on root mountpoint: - - # mkdir -p /mnt/home - # mkdir -p /mnt/boot - -Once all the remaining partitions, if any, have been mounted, the -devices are ready to install Parabola. - -In `/etc/pacman.d/mirrorlist`, comment out all lines except the Server -line closest to where you are (I chose the UK Parabola server (main -server)) and then did: - - # pacman -Syy - # pacman -Syu - # pacman -Sy pacman - -In my case I did the steps in the next paragraph, and followed the steps -in this paragraph again. - -Troubleshooting ---------------- +--- -The following is based on 'Verification of package signatures' in -the Parabola install guide. +[**Edit this Page**](https://libreboot.org/git.html#editing-the-website-and-documentation-wiki-style) -- [Back to Previous Index](https://libreboot.org/docs/gnulinux/) + +1. [Minimum system requirements](#minumum_requirements) +2. [Preparation](#preparation) + * [Download the Parabola ISO](#download_iso) + * [Choose Installation Device](#installation_device) + * [Boot Parabola's Installation Environment](#boot_install_environment) +3. [Setting Up Keyboard Layout](#setting_keyboard_layout) +4. [Establish an Internet Connection](#establish_internet_connection) +5. [Prepare the Storage Device for Installation](#prepare_device) + * [Wipe Storage Device](#wipe_device) + * [Formatting the Storage Device](#format_device) + * [Create LUKS Partition](#create_luks_partition) + * [Create the Volume Group and Logical Volumes](#create_logical_volumes) + * [Make the root and swap Partitions Ready for Installation](#make_root_and_swap) + * [Create the /boot and /home Directories](#create_boot_and_home) +6. [Select a Mirror](#select_mirror) +7. [Install the Base System](#install_base_system) +8. [Generate an fstab](#generate_fstab) +9. 
[Chroot into and Configure the System](#chroot_and_configure) + * [Setting up the Locale](#locale) + * [Setting up the Consolefont and Keymap](#consolefont_keymap) + * [Setting up the Time Zone](#time_zone) + * [Setting up the Hardware Clock](#hardware_clock) + * [Setting up the Kernel Modules](#kernel_modules) + * [Setting up the Hostname](#set_up_hostname) + * [Configure the Network](#configure_network) + * [Set the root Password](#root_password) + * [Extra Security Tweaks](#security_tweaks) + * [Key Strengthening](#key_strengthening) + * [Restrict Access to Important Directories](#restrict_directory_access) + * [Lockout User After Three Failed Login Attempts](#lockout_user) +10. [Unmount All Partitions and Reboot](#unmount_reboot) +11. [Booting the New Installation, from GRUB](#grub_boot) +12. [Follow-Up Tutorial: Configuring Parabola](#follow_up) + +This guide covers how to install Parabola GNU+Linux-Libre, with full disk encryption +(including the boot directory): **/boot**. On most systems, **/boot** has +to be left unencrypted, while the other partition(s) are encrypted. +This is so that GRUB (and therefore the kernel) can be loaded and executed, +because most firmware can’t open a LUKS volume; however, with libreboot, +GRUB is already included as a [payload](http://www.coreboot.org/Payloads#GRUB_2), +so even **/boot** can be encrypted; this protects **/boot** from tampering +by someone with physical access to the system. + +>**NOTE: This guide is *only* for the GRUB payload. +>If you use the depthcharge payload, ignore this section entirely.** + +This guide borrows heavily from the Parabola wiki, and will constantly link to it. +For those new to Parabola GNU+Linux-Libre, check their [Beginner section](https://wiki.parabola.nu/Beginners%27_guide#Beginners) for an overview. -Check there first to see if steps differ by now. +--- -Now you have to update the default Parabola keyring. 
This is used for -signing and verifying packages: -   # pacman -Sy parabola-keyring -It says that if you get GPG errors, then it's probably an expired -key and, therefore, you should do: +## Minumum Requirements <a name="minumum_requirements"></a> +You can find the minimum requirements to run Parabola GNU+Linux [here](https://wiki.parabola.nu/Beginners%27_guide#Minimum_system_requirements). -   # pacman-key --populate parabola -   # pacman-key --refresh-keys -   # pacman -Sy parabola-keyring +--- -To be honest, you should do the above anyway. Parabola has a lot of -maintainers, and a lot of keys. Really! -If you get an error mentioning dirmngr, do: +## Preparation <a name="preparation"></a> -   # dirmngr < /dev/null +###Download the latest ISO <a name="download_iso"></a> +For this guide, I used the *2016.11.03* ISO; the most current image is available [here](https://wiki.parabola.nu/Get_Parabola#Main_live_ISO). -Also, it says that if the clock is set incorrectly then you have to manually -set the correct time +If you are a complete beginner with GNU+Linux, choose the *Mate Desktop ISO*. +it is easier to install Parabola with this version, because it allows you +access to a web browser, so you can copy and paste commands right into the terminal, +without worrying about typos. -   # date MMDDhhmm\[\[CC\]YY\]\[.ss\] +>**NOTE: You should never blindly copy-and-paste any commands. In this guide, +>copying and pasting is to ensure that no errors are made when entering the commands, +>so that you don't effectively "brick" your installation, and have to start over. +>It's important to understand what each command does before you use it, +>so be sure to read the Parabola/Archi Wiki documentation on the command, +>as well as its** `man` **page.** -I also had to install: +If you are not a beginner, choose the *Main Live ISO*. -   # pacman -S archlinux-keyring -   # pacman-key --populate archlinux +Only choose the *TalkingParabola ISO*, if you are blind or visually impaired. 
-In my case I saw some conflicting files reported in pacman, stopping -me from using it. -I deleted the files that it mentioned and then it worked. -Specifically, I had this error: +###Choose the Installation Device <a name="installation_device"></a> +Refer to the Parabola wiki, for finding and choosing the proper installation device, +whether you are using an [Optical Disk](https://wiki.parabola.nu/Beginners%27_guide#Optical_Disks), +or a [USB drive](https://wiki.parabola.nu/Beginners%27_guide#USB_flash_drive). -   licenses: /usr/share/licenses/common/MPS exists in filesystem +###Boot Parabola's Install Environment <a name="boot_install_environment"></a> +After downloading the ISO, and creating some kind of bootable media, +you will need to boot into the Live image. If you are unsure of how to do so, +see [How to boot a GNU+Linux installer](grub_boot_installer.md), +and move on to the next step; otherwise, just go to the next step. -I rm -Rf'd the file and then pacman worked. I'm told that the -following would have also made it work: +Once booted into the environment, either open the **`MATE Terminal`** application +(if using the MATE Desktop ISO), or simply just enter the commands listed below +(if using any of the other ISO's). - # pacman -Sf licenses +--- -More packages --------------- +## Setting Up Keyboard Layout <a name="setting_keyboard_layout"></a> +To begin the installation, you must first select the proper [keyboard layout](https://wiki.parabola.nu/Beginners%27_guide#Changing_Keyboard). -I also like to install other packages (base-devel, compilers and so on) -and wpa\_supplicant/dialog/iw/wpa\_actiond are needed for wireless after -the install: +--- - # pacstrap /mnt base base-devel wpa_supplicant dialog iw +## Establish an Internet Connection <a name="establish_internet_connection"></a> +You will also need to [set up a network connection](https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection), +to install packages. 
-wpa\_actiond +--- -Configure the system --------------------- +##Preparing the Storage Device for Installation <a name="prepare_device"></a> + +You need to prepare the storage device that we will use to install the operating system. +You can use same [device name](https://wiki.parabola.nu/Beginners%27_guide#USB_flash_drive) +that you used earlier, to determine the installation device for the ISO. + +###Wipe Storage Device <a name="wipe_device"></a> +You want to make sure that the device you're using doesn't contain any plaintext +copies of your personal data. If the drive is new, then you can skip the rest of this section; +if it's not new, then there are two ways to handle it: + +1. If the drive were not previously encrypted, securely wipe it with the **`dd`** command; +you can either choose to fill it with zeroes or random data; I chose random data (e.g., **`urandom`**), +because it's more secure. Depending on the size of the drive, this could take a while to complete: + +>> # dd if=/dev/urandom of=/dev/sdX; sync + +2. If the drive were previously encrypted, all you need to do is wipe the LUKS header. +The size of the header depends upon the specific model of the hard drive; +you can find this information by doing some research online. +Refer to this [article](https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/), for more information about LUKS headers. + +>You can either fill the header with zeroes, or with random data; +>again, I chose random data, using **`urandom`**: + +>> # head -c 3145728 /dev/urandom > /dev/sdX; sync + +Also, if you're using an SSD, there are a two things you should keep in mind: + +- There are issues with TRIM; it's not enabled by default through LUKS, +and there are security issues, if you do enable it. See [this page](https://wiki.archlinux.org/index.php/Dm-cryptSpecialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29) for more info. 
+- Make sure to read [this article](https://wiki.archlinux.org/index.php/Solid_State_Drives), +for information on managing SSD's in Arch Linux (the information applies to Parabola, as well). + +###Formatting the Storage Device <a name="format_device"></a> +Now that all the personal data has been deleted from the disk, it's time to format it. +We'll begin by creating a single, large partition on it, and then encrypting it using LUKS. +>####Create the LUKS partition <a name="create_luks_partition"></a> +> +>You will need the **`device-mapper`** kernel module during the installation; +>this will enable us to set up our encrypted disk. To load it, use the following command: +> +>> # modprobe dm-mod +> +>We then need to select the **device name** of the drive we're installing the operating system on; +>see the above method, if needed, for figuring out device names. -Generate an fstab - UUIDs are used because they have certain advantages -(see <https://wiki.parabola.nu/Fstab#Identifying_filesystems>. If you -prefer labels instead, replace the -U option with -L): +>Now that we have the name of the correct device, we need to create the partition on it. +>For this, we will use the **`cfdisk`** command: +> +>> # cfdisk /dev/sdX +> +>1. Use the arrow keys to select your partition, and if there is already a partition +>on the drive, select **Delete**, and then **New**. +>2. For the partition size, leave it as the default, which will be the entire drive. +>3. You will see an option for **Primary** or **Logical**; choose **Primary**, +>and make sure that the partition type is **Linux (83)**. +>4. Select **Write**; it will ask you if you are sure that you want to overwrite the drive. +>5. Type **yes**, and press enter. A message at the bottom will appear, telling you that +>the partition table has been altered. +>6. Select **Quit**, to return you to the main terminal. 
+> +>Now that you have created the partition, it's time to create the encrypted volume on it, +>using the **`cryptsetup`** command, like this: +> +>> # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool \ +>> >--iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY +> +>These are just recommended defaults; if you want to use anything else, +>or to find out what options there are, run **`man cryptsetup`**. - # genfstab -U -p /mnt >> /mnt/etc/fstab +>>**NOTE: the default iteration time is 2000ms (2 seconds), +>>if not specified when running the cryptsetup command. You should set a lower time than this; +>>otherwise, there will be an approximately 20-second delay when booting your +>>system. We recommend 500ms (0.5 seconds), and this is included in the +>>prepared** `cryptsetup` **command above. Keep in mind that the iteration time +>>is for security purposes (it mitigates brute force attacks), so anything lower +>>than 5 seconds is probably not very secure.** -Check the created file: +>You will now be prompted to enter a passphrase; be sure to make it *secure*. +>For passphrase security, length is more important than complexity +>(e.g., **correct-horse-battery-staple** is more secure than **bf20$3Jhy3**), +>but it's helpful to include several different types of characters +>(e.g., uppercase/lowercase letters, numbers, special characters). +>The password length should be as long as you are able to remember, +>without having to write it down, or store it anywhere. - # cat /mnt/etc/fstab +>Use of the [**diceware**](http://world.std.com/~reinhold/diceware.html) method +>is recommended, for generating secure passphrases (rather than passwords). -(If there are any errors, edit the file. Do *NOT* run the genfstab -command again!) 
+>####Create the Volume Group and Logical Volumes <a name="create_logical_volumes"></a> +>The next step is to create two Logical Volumes within the LUKS-encrypted partition: +>one will contain your main installation, and the other will contain your swap space. -Chroot into new system: +>We will create this using, the [Logical Volume Manager (LVM)](https://wiki.archlinux.org/index.php/LVM). - # arch-chroot /mnt /bin/bash +>First, we need to open the LUKS partition, at **/dev/mapper/lvm**: -It's a good idea to have this installed: +>> # cryptsetup luksOpen /dev/sdXY lvm - # pacman -S linux-libre-lts +>Then, we create LVM partition: -It was also suggested that you should install this kernel (read up on -what GRSEC is): +>> # pvcreate /dev/mapper/lvm - # pacman -S linux-libre-grsec +>Check to make sure tha the partition was created: -This is another kernel that sits inside /boot, which you can use. LTS -means 'long-term support'. These are so-called 'stable' kernels that -can be used as a fallback during updates, if a bad kernel causes issues -for you. +>> # pvdisplay -Parabola does not have wget. This is sinister. Install it: +>Next, we create the volume group, inside of which the logical volumes will +>be created. For this example, we will call this group **matrix**. You can call +>yours whatever you would like; just make sure that you remember its name: - # pacman -S wget +>> # vgcreate matrix /dev/mapper/lvm -Locale: +>Check to make sure that the group was created: - # vi /etc/locale.gen +>> # vgdisplay -Uncomment your needed localisations. For example en\_GB.UTF-8 (UTF-8 is -highly recommended over other options). +>Lastly, we need to create the logical volumes themselves, inside the volume group; +>one will be our swap, cleverly named **swapvol**, and the other will be our root partition, +>equally cleverly named as **root**. - # locale-gen - # echo LANG=en_GB.UTF-8 > /etc/locale.conf - # export LANG=en_GB.UTF-8 +>1. 
We will create the **swapvol** first (again, choose your own name, if you like). +>Also, make sure to [choose an appropriate swap size](http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space) +>(e.g., **2G** refers to two gigabytes; change this however you see fit): +>> # lvcreate -L 2G matrix -n swapvol -Console font and keymap: +>2. Now, we will create a single, large partition in the rest of the space, for **root**: +>> # lvcreate -l +100%FREE matrix -n root - # vi /etc/vconsole.conf +>You can also be flexible here, for example you can specify a **/boot**, a **/**, +>a **/home**, a **/var**, or a **/usr** volume. For example, if you will be running a +>web/mail server then you want **/var** (where logs are stored) in its own partition, +>so that if it fills up with logs, it won't crash your system. +>For a home/laptop system (typical use case), just a root and a swap will do. -In my case: +>Verify that the logical volumes were created correctly: - KEYMAP=dvorak-uk - FONT=lat9w-16 +>> # lvdisplay -Time zone: +>####Make the root and swap Partitions Ready for Installation <a name="make_root_and_swap"></a> - # ln -s /usr/share/zoneinfo/Europe/London /etc/localtime +>The last steps of setting up the drive for installation are turning **swapvol** +>into an active swap partition, and formatting **root**. -(Replace Zone and Subzone to your liking. See /usr/share/zoneinfo) +>To make **swapvol** into a swap partition, we run the **`mkswap`** (i.e., make swap) command: -Hardware clock: +>> # mkswap /dev/mapper/matrix-swapvol - # hwclock --systohc --utc +>Activate the **swapvol**, allowing it to now be used as swap, +>using **`swapon`** (i.e., turn swap on) command: -Hostname: Write your hostname to /etc/hostname. 
For example, if your -hostname is parabola: +>> # swapon /dev/matrix/swapvol - # echo parabola > /etc/hostname +>Now I have to format **root**, to make it ready for installation; +>I do this with the **`mkfs`** (i.e., make file system) command. +>I choose the **ext4** filesystem, but you could use a different one, +>depending on your use case: -Add the same hostname to /etc/hosts: +>> # mkfs.ext4 /dev/mapper/matrix-root - # vi /etc/hosts +>Lastly, I need to mount **root**. Fortunately, GNU+Linux has a directory +>for this very purpose: **/mnt**: - #<ip-address> <hostname.domain.org> <hostname> - 127.0.0.1 localhost.localdomain localhost parabola - ::1 localhost.localdomain localhost parabola +>> # mount /dev/matrix/root /mnt -Configure the network: Refer to -<https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network>. +>####Create the /boot and /home Directories <a name="create_boot_and_home"></a> -Mkinitcpio: Configure /etc/mkinitcpio.conf as needed (see -<https://wiki.parabola.nu/Mkinitcpio>). Runtime modules can be found in -/usr/lib/initcpio/hooks, and build hooks can be found in -/usr/lib/initcpio/install. (\# **mkinitcpio -H hookname** gives -information about each hook.) Specifically, for this use case: +>Now that you have mounted **root**, you need to create the two most important +>folders on it: **/boot** and **/home**; these folder contain your boot files, +>as well as each user's personal documents, videos, etc.. - # vi /etc/mkinitcpio.conf +>Since you mounted **root** at **/mnt**, this is where you must create them; +>you will do so using **`mkdir`**: -Then modify the file like so: +>> # mkdir -p /mnt/home +>> # mkdir -p /mnt/boot -- MODULES="i915" -- This forces the driver to load earlier, so that the console font - isn't wiped out after getting to login). 
Macbook21 users will also - need **hid-generic, hid and hid-apple to have a working keyboard - when asked to enter the LUKS password.** -- HOOKS="base udev autodetect modconf block keyboard keymap - consolefont encrypt lvm2 filesystems fsck shutdown" -- Explanation: -- keymap adds to initramfs the keymap that you specified in - /etc/vconsole.conf -- consolefont adds to initramfs the font that you specified in - /etc/vconsole.conf -- encrypt adds LUKS support to the initramfs - needed to unlock your - disks at boot time -- lvm2 adds LVM support to the initramfs - needed to mount the LVM - partitions at boot time -- shutdown is needed according to Parabola wiki for unmounting devices - (such as LUKS/LVM) during shutdown) +>You could also create two separate partitions for **/boot** and **/home**, +>but such a setup would be for advanced users, and is thus not covered in this guide. +>For more information on how to do this, refer to the Parabola/Arch wiki on [partitions](https://wiki.parabola.nu/Beginners%27_guide#Create_new_partition_table). -Now using mkinitcpio, you can create the kernel and ramdisk for booting -with (this is different from Arch, specifying linux-libre instead of -linux): +>The setup of the drive and partitions is now complete; it's time to actually install Parabola. - # mkinitcpio -p linux-libre +--- -Also do it for linux-libre-lts: +## Select a Mirror <a name="select_mirror"></a> +The first step of the actual installation is to choose the server from where +we will need to download the packages; for this, we will again refer to the [Parabola Wiki](https://wiki.parabola.nu/Beginners%27_guide#Select_a_mirror). +For beginners, I recommend that the edit the file using **`nano`** (a command-line text editor); +you can learn more about it [here](https://www.nano-editor.org/); for non-beginners, +simply edit it with your favorite text editor. 
- # mkinitcpio -p linux-libre-lts +--- -Also do it for linux-libre-grsec: +## Install the Base System <a name="install_base_system"></a> +We need to install the essential applications needed for your Parabola installation to run; +refer to [Install the Base System](https://wiki.parabola.nu/Beginners%27_guide#Install_the_base_system), on the Parabola wiki. - # mkinitcpio -p linux-libre-grsec +--- -Set the root password: At the time of writing, Parabola used SHA512 by -default for its password hashing. I referred to -<https://wiki.archlinux.org/index.php/SHA_password_hashes>. +## Generate an fstab <a name="generate_fstab"></a> +The next step in the process is to generate a file known as an **fstab**; +the purpose of this file is for the operating system to identify the storage device +used by your installation. [Here](https://wiki.parabola.nu/Beginners%27_guide#Generate_an_fstab) are the instructions to generate that file. - # vi /etc/pam.d/passwd +--- -Add rounds=65536 at the end of the uncommented 'password' line. +##Chroot into and Configure the System <a name="chroot_and_configure"></a> +Now, you need to **`chroot`** into your new installation, to complete the setup +and installation process. **Chrooting** refers to changing the root directory +of an operating system to a different one; in this instance, it means changing your root +directory to the one you created in the previous steps, so that you can modify files +and install software onto it, as if it were the host operating system. - # passwd root +To **`chroot`** into your installation, follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Chroot_and_configure_the_base_system). -Make sure to set a secure password! Also, it must never be the same as -your LUKS password. +###Setting up the Locale <a name="locale"></a> +Locale refers to the language that your operating system will use, as well as some +other considerations related to the region in which you live. 
To set this up, +follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Locale). -Use of the *diceware method* is recommended, for generating secure -passphrases (instead of passwords). +###Setting up the Consolefont and Keymap <a name="consolefont_keymap"></a> +This will determine the keyboard layout of your new installation; follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Console_font_and_keymap). -Extra security tweaks ---------------------- +###Setting up the Time Zone <a name="time_zone"></a> +You'll need to set your current time zone in the operating system; this will enable applications +that require accurate time to work properly (e.g., the web browser). +To do this, follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Time_zone). -Based on <https://wiki.archlinux.org/index.php/Security>. +###Setting up the Hardware Clock <a name="hardware_clock"></a> +To make sure that your computer has the right time, you'll have to set the time in your computer's internal clock. +Follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Hardware_clock) to do that. -Restrict access to important directories: +###Setting up the Kernel Modules <a name="kernel_modules"></a> +Now we need to make sure that the kernel has all the modules that it needs +to boot the operating system. To do this, we need to edit a file called **mkinitcpio.conf**. +More information about this file can be found [here](https://wiki.parabola.nu/Mkinitcpio), +but for the sake of this guide, you simply need to run the following command. - # chmod 700 /boot /etc/{iptables,arptables} +> # nano /etc/mkinitcpio.conf -Lockout user after three failed login attempts:\ -Edit the file /etc/pam.d/system-login and comment out that line:\ -*\# auth required pam\_tally.so onerr=succeed file=/var/log/faillog*\ -Or just delete it. 
Above it, put:\ -*auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed -file=/var/log/faillog*\ -To unlock a user manually (if a password attempt is failed 3 times), -do: +There are several modifications that we need to make to the file: - # pam_tally --user *theusername* --reset What the above +1. Change the value of the uncommented **`MODULES`** line to **`i915`**. -configuration does is lock the user out for 10 minutes, if they make 3 -failed login attempts. + * This forces the driver to load earlier, so that the console font you selected earlier + isn’t wiped out after getting to login. + * If you are using a **Macbook 2,1** you will also need to add **`hid-generic`**, + **`hid`**, and **`hid-apple`** inside the quotation marks, in order to have + a working keyboard when asked to enter the LUKS password. + Make sure to separate each module by one space. -Configure sudo - not covered here. Will be covered post-installation in -another tutorial, at a later date. If this is a single-user system, you -don't really need sudo. +2. Change the value of the uncommented **`HOOKS`** line to the following: + “**`base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown`**”; + here's what each module does: -Unmount, reboot! ----------------- + * **`keymap`** adds to *initramfs* the keymap that you specified in **/etc/vconsole.conf** + * **`consolefont`** adds to *initramfs* the font that you specified in **/etc/vconsole.conf** + * **`encrypt`** adds LUKS support to the initramfs - needed to unlock your disks at boot time + * **`lvm2`** adds LVM support to the initramfs - needed to mount the LVM partitions at boot time + * **`shutdown`** is needed according to Parabola wiki, for unmounting devices (such as LUKS/LVM) during shutdown -Exit from chroot: +After modifying the file and saving it, we need to update the kernel(s) with the new settings. 
+Before doing this, we want to install a Long-Term Support (LTS) kernel as a backup, in the event +that we encounter problems with the default Linux-Libre kernel (which is continually updated). - # exit +We will also install the **`grub`** package, which we will need later, +to make our modifications to the GRUB configuration file: -unmount: +> # pacman -S linux-libre-lts grub - # umount -R /mnt - # swapoff -a +Then, we update both kernels like this: -deactivate the lvm lv's: +> # mkinitcpio -p linux-libre - # lvchange -an /dev/matrix/root - # lvchange -an /dev/matrix/swapvol +> # mkinitcpio -p linux-libre-lts -Lock the encrypted partition (close it): +###Setting up the Hostname <a name="set_up_hostname"></a> - # cryptsetup luksClose lvm +Now we need to set up the hostname for the system; this is so that our device +can be identified by the network. Refer to [this section](https://wiki.parabola.nu/Beginners%27_guide#Hostname) +of the Parabola wiki's Beginner's Guide. You can make the hostname anything you like; +for example, if you wanted to choose the hostname **parabola**, +you would run the **`echo`** command, like this: - # shutdown -h now +> # echo parabola > /etc/hostname -Remove the installation media, then boot up again. +And then you would modify **/etc/hosts** like this, adding the hostname to it: -Booting from GRUB ------------------ +> # nano /etc/hosts -Initially you will have to boot manually. Press C to get to the GRUB -command line. The underlined parts are optional (using those 2 -underlines will boot lts kernel instead of normal). 
+> #<ip-address> <hostname.domain.org> <hostname> +> 127.0.0.1 localhost.localdomain localhost parabola +> ::1 localhost.localdomain localhost parabola - grub> cryptomount -a - grub> set root='lvm/matrix-root'\ -grub> **linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root -cryptdevice=/dev/sda1:root**\ - grub> initrd /boot/initramfs-linux-libre-lts.img - grub> boot\ +###Configure the Network <a name="configure_network"></a> -You could also make it load /boot/vmlinuz-linux-libre-grsec and -/boot/initramfs-linux-libre-grsec.img +Now that we have a hostname, we need to configure the settings for the rest of the network. +Instructions for setting up a wired connection are [here](https://wiki.parabola.nu/Beginners%27_guide#Wired), +and instructions for setting up a wireless connection are [here](https://wiki.parabola.nu/Beginners%27_guide#Wireless_2). -Follow-up tutorial: configuring Parabola ----------------------------------------- +###Set the root Password <a name="root_password"></a> +The **root** account has control over all the files in the computer; for security, +we want to protect it with a password. The password requirements given above, +for the LUKS passphrase, apply here as well. You will set this password with the **`passwd`** command: -We will modify grub.config inside the ROM and do all kinds of fun stuff, -but I recommend that you first transform the current bare-bones Parabola -install into a more useable system. Doing so will make the upcoming ROM -modifications MUCH easier to perform and less risky! -[configuring\_parabola.md](configuring_parabola.md) shows my own -notes post-installation. Using these, you can get a basic system similar -to the one that I chose for myself. You can also cherry pick useful -notes and come up with your own system. Parabola is user-centric, which -means that you are in control. For more information, read [The Arch -Way](https://wiki.archlinux.org/index.php/The_Arch_Way) (Parabola also -follows it). 
+> # passwd -Modify grub.cfg inside the ROM ------------------------------- +###Extra Security Tweaks <a name="security_tweaks"></a> -(Re-)log in to your system, pressing C, so booting manually from GRUB -(see above). You need to modify the ROM, so that Parabola can boot -automatically with this configuration. [grub\_cbfs.md](grub_cbfs.md) -shows you how. Follow that guide, using the configuration details below. -If you go for option 2 (re-flash), promise to do this on grubtest.cfg -first! We can't emphasise this enough. This is to reduce the -possibility of bricking your device! +There are some final changes that we can make to the installation, to make it +significantly more secure; these are based on the [Security](https://wiki.archlinux.org/index.php/Securit) section of the Arch wiki. -I will go for the re-flash option here. Firstly, cd to the -libreboot\_util/cbfstool/{armv7l i686 x86\_64} directory. Dump the -current firmware - where *libreboot.rom* is an example: make sure to -adapt: +>####Key Strengthening <a name="key_strengthening"></a> - # flashrom -p internal -r libreboot.rom +>We will want to open the configuration file for password settings, and increase +>the strength of our **root** password: -If flashrom complains about multiple flash chips detected, add a *-c* -option at the end, with the name of your chosen chip is quotes.\ -You can check if everything is in there (*grub.cfg* and *grubtest.cfg* -would be really nice): +>> # nano /etc/pam.d/passwd - $ ./cbfstool libreboot.rom print +>Add **`rounds=65536`** at the end of the uncommented 'password' line; in simple terms, +>this will force an attacker to take more time with each password guess, mitigating +>the threat of brute force attacks. 
-Extract grubtest.cfg: +>####Restrict Access to Important Directories <a name="restrict_directory_access"></a> - $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg\ +>You can prevent any user, other than the root user, from accessing the most important +>directories in the system, using the **`chmod`** command; to learn more about this command, +>run **`man chmod`**: -And modify: +>> # chmod 700 /boot /etc/{iptables,arptables} - $ vi grubtest.cfg +>####Lockout User After Three Failed Login Attempts <a name="lockout_user"></a> -In grubtest.cfg, inside the 'Load Operating System' menu entry, change -the contents to: +>We can also setup the system to lock a user's account, after three failed login attempts. - cryptomount -a +>To do this, we will need to edit the file **/etc/pam.d/system-login**, +>and comment out this line: - set root='lvm/matrix-root' +>> auth required pam\_tally.so onerr=succeed file=/var/log/faillog*\ - linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/root cryptdevice=/dev/sda1:root +>You could also just delete it. Above it, put the following line: - initrd /boot/initramfs-linux-libre-lts.img +>> auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed file=/var/log/faillog -Note: the underlined parts above (-lts) can also be removed, to boot the -latest kernel instead of LTS (long-term support) kernels. You could also -copy the menu entry and in one have -lts, and without in the other -menuentry. You could also create a menu entry to load -/boot/vmlinuz-linux-libre-grsec and -/boot/initramfs-linux-libre-grsec.img The first entry will load by -default. +>This configuration will lock the user out for ten minutes. +>You can unlock a user's account manually, using the **root** account, with this command: -Without specifying a device, the *-a* parameter tries to unlock all -detected LUKS volumes. You can also specify -u UUID or -a (device). 
+>> # pam_tally --user *theusername* --reset -[Refer to this guide](grub_hardening.md) for further guidance on -hardening your GRUB configuration, for security purposes. +--- -Save your changes in grubtest.cfg, then delete the unmodified config -from the ROM image: +##Unmount All Partitions and Reboot <a name="unmount_reboot"></a> - $ ./cbfstool libreboot.rom remove -n grubtest.cfg +Congratulations! You have finished the installation of Parabola GNU+Linux-Libre. +Now it is time to reboot the system, but first, there are several preliminary steps: -and insert the modified grubtest.cfg: +Exit from **`chroot`**, using the **`exit`** command: - # ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t +> # exit -raw +Unmount all of the partitions from **/mnt**, and "turn off" the swap volume: -Now refer to [../install/#flashrom](../install/#flashrom). Cd (up) to -the libreboot\_util directory and update the flash chip contents: +> # umount -R /mnt +> # swapoff -a - # ./flash update libreboot.rom +Deactivate the **root** and **swapvol** logical volumes: -Ocassionally, coreboot changes the name of a given board. If flashrom -complains about a board mismatch, but you are sure that you chose the -correct ROM image, then run this alternative command: +> # lvchange -an /dev/matrix/root +> # lvchange -an /dev/matrix/swapvol - # ./flash forceupdate libreboot.rom +Lock the encrypted partition (i.e., close it): -You should see "Verifying flash... VERIFIED." written at the end of -the flashrom output. +> # cryptsetup luksClose lvm -With this new configuration, Parabola can boot automatically and you -will have to enter a password at boot time, in GRUB, before being able -to use any of the menu entries or switch to the terminal. Let's test it -out: reboot and choose grubtest.cfg from the GRUB menu, using the arrow -keys on your keyboard. Enter the name you chose, the GRUB password, your -LUKS passphrase and login as root/your user. All went well? Great! 
+Shutdown the machine: -If it does not work like you want it to, if you are unsure or sceptical -in any way, don't despair: you have been wise and did not brick your -device! Reboot and login the default way, and then modify your -grubtest.cfg until you get it right! **Do \*not\* proceed past this -point unless you are 100% sure that your new configuration is safe (or -desirable) to use.** +> # shutdown -h now -Now, we can easily and safely create a copy of grubtest.cfg, called -grub.cfg. This will be the same except for one difference: the menuentry -'Switch to grub.cfg' is changed to 'Switch to grubtest.cfg' and, -inside it, all instances of grub.cfg to grubtest.cfg. This is so that -the main config still links (in the menu) to grubtest.cfg, so that you -don't have to manually switch to it, in case you ever want to follow -this guide again in the future (modifying the already modified config). -Inside libreboot\_util/cbfstool/{armv7l i686 x86\_64}, we can do this -with the following command: +After the machine is off, remove the installation media, and turn it on. - # sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e +--- -'s:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > -grub.cfg +##Booting the New Installation, from GRUB <a name="grub_boot"></a> -Delete the grub.cfg that remained inside the ROM: +When starting your installation for the first time, you have to manually boot +the system by entering a series of commands into the GRUB command line. - $ ./cbfstool libreboot.rom remove -n grub.cfg +After the computer starts, Press **C** to bring up the GRUB command line. 
+You can either boot the normal kernel, or the LTS kernel we installed; +here are the commands for the normal kernel: -Add the modified version that you just made: +> grub> cryptomount -a +> grub> set root='lvm/matrix-root' +> grub> linux /boot/vmlinuz-linux-libre root=/dev/matrix/root cryptdevice=/dev/sda1:root +> grub> initrd /boot/initramfs-linux-libre.img +> grub> boot - $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw +If you're trying to boot the LTS kernel, simply add **-lts** to the end +of each command that contains the kernel (e.g., **/boot/vmlinuz-linux-libre** +would be **/boot/vmlinuz/linux-libre-lts**). -Now you have a modified ROM. Once more, refer to -[../install/#flashrom](../install/#flashrom). Cd to the libreboot\_util -directory and update the flash chip contents: +**NOTE: on some Thinkpads, during boot, a faulty DVD drive can cause +the** `cryptomount -a` **command to fail, as well as the error** `AHCI transfer timed out` +**(when the Thinkpad X200 is connected to an UltraBase). For both issues, +the workaround was to remove the DVD drive (if using the UltraBase, +then the whole device must be removed).** - # ./flash update libreboot.rom +--- -And wait for the "Verifying flash... VERIFIED." Once you have done -that, shut down and then boot up with your new configuration. +##Follow-Up Tutorial: Configuring Parabola <a name="follow_up"></a> -When done, delete GRUB (remember, we only needed it for the -*grub-mkpasswd-pbkdf2* utility; GRUB is already part of libreboot, -flashed alongside it as a *payload*): +The next step of the setup process is to modify the configuration file that +GRUB uses, so that we don't have to manually type in those commands above, each time we want +to boot our system. - # pacman -R grub +To make this process much easier, we need to install a graphical interface, +as well as install some other packages that will make the system more user-friendly. 
+These additions will also sharply reduce the probability of "bricking" our computer. -If you followed all that correctly, you should now have a fully -encrypted Parabola installation. Refer to the wiki for how to do the -rest. +[Configuring Parabola (Post-Install)](configuring_parabola.md) provides an example setup, but don't feel +as if you must follow it verbatim (of course, you can, if you want to); +Parabola is user-centric and very customizable, which means that you have maximum control +of the system, and a near-limitless number of options for setting it up. For more information, +read [The Arch Way](https://wiki.archlinux.org/index.php/The_Arch_Way) (Parabola also follows it). -Bonus: Using a key file to unlock /boot/ ----------------------------------------- +After setting up the graphical interface, refer to [How to Modify GRUB Configuration](grub_cbfs.md), +for instructions on doing just that, as well as flashing the ROM (if necessary). -By default, you will have to enter your LUKS passphrase twice; once in -GRUB, and once when booting the kernel. GRUB unlocks the encrypted -partition and then loads the kernel, but the kernel is not aware of the -fact that it is being loaded from an encrypted volume. Therefore, you -will be asked to enter your passphrase a second time. A workaround is to -put a keyfile inside initramfs, with instructions for the kernel to use -it when booting. This is safe, because /boot/ is encrypted (otherwise, -putting a keyfile inside initramfs would be a bad idea).\ -Boot up and login as root or your user. Then generate the key file: +--- - # dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile +Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org> -iflag=fullblock +Copyright © 2015 Jeroen Quint <jezza@diplomail.ch> -Insert it into the luks volume: +Copyright © 2017 Elijah Smith <esmith1412@posteo.net> - # cryptsetup luksAddKey /dev/sdX /etc/mykeyfile - -and enter your LUKS passphrase when prompted. 
Add the keyfile to the -initramfs by adding it to FILES in /etc/mkinitcpio.conf. For example: - - # FILES="/etc/mykeyfile" - -Create the initramfs image from scratch: - - # mkinitcpio -p linux-libre - # mkinitcpio -p linux-libre-lts - # mkinitcpio -p linux-libre-grsec - -Add the following to your grub.cfg - you are now able to do that, see -above! -, or add it in the kernel command line for GRUB: - - # cryptkey=rootfs:/etc/mykeyfile - -You can also place this inside the grub.cfg that exists in CBFS: -[grub\_cbfs.md](grub_cbfs.md). - -Further security tips ---------------------- - -<https://wiki.archlinux.org/index.php/Security>.\ -<https://wiki.parabolagnulinux.org/User:GNUtoo/laptop> - -Troubleshooting -=============== - -A user reported issues when booting with a docking station attached on -an X200, when decrypting the disk in GRUB. The error *AHCI transfer -timed out* was observed. The workaround was to remove the docking -station. - -Further investigation revealed that it was the DVD drive causing -problems. Removing that worked around the issue. - - "sudo wodim -prcap" shows information about the drive: - Device was not specified. Trying to find an appropriate drive... - Detected CD-R drive: /dev/sr0 - Using /dev/cdrom of unknown capabilities - Device type : Removable CD-ROM - Version : 5 - Response Format: 2 - Capabilities : - Vendor_info : 'HL-DT-ST' - Identification : 'DVDRAM GU10N ' - Revision : 'MX05' - Device seems to be: Generic mmc2 DVD-R/DVD-RW. 
- - Drive capabilities, per MMC-3 page 2A: - - Does read CD-R media - Does write CD-R media - Does read CD-RW media - Does write CD-RW media - Does read DVD-ROM media - Does read DVD-R media - Does write DVD-R media - Does read DVD-RAM media - Does write DVD-RAM media - Does support test writing - - Does read Mode 2 Form 1 blocks - Does read Mode 2 Form 2 blocks - Does read digital audio blocks - Does restart non-streamed digital audio reads accurately - Does support Buffer-Underrun-Free recording - Does read multi-session CDs - Does read fixed-packet CD media using Method 2 - Does not read CD bar code - Does not read R-W subcode information - Does read raw P-W subcode data from lead in - Does return CD media catalog number - Does return CD ISRC information - Does support C2 error pointers - Does not deliver composite A/V data - - Does play audio CDs - Number of volume control levels: 256 - Does support individual volume control setting for each channel - Does support independent mute setting for each channel - Does not support digital output on port 1 - Does not support digital output on port 2 - - Loading mechanism type: tray - Does support ejection of CD via START/STOP command - Does not lock media on power up via prevent jumper - Does allow media to be locked in the drive via PREVENT/ALLOW command - Is not currently in a media-locked state - Does not support changing side of disk - Does not have load-empty-slot-in-changer feature - Does not support Individual Disk Present feature - - Maximum read speed: 4234 kB/s (CD 24x, DVD 3x) - Current read speed: 4234 kB/s (CD 24x, DVD 3x) - Maximum write speed: 4234 kB/s (CD 24x, DVD 3x) - Current write speed: 4234 kB/s (CD 24x, DVD 3x) - Rotational control selected: CLV/PCAV - Buffer size in KB: 1024 - Copy management revision supported: 1 - Number of supported write speeds: 4 - Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x) - Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x) - Write speed # 2: 1764 kB/s 
CLV/PCAV (CD 10x, DVD 1x) - Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x) - - Supported CD-RW media types according to MMC-4 feature 0x37: - Does write multi speed CD-RW media - Does write high speed CD-RW media - Does write ultra high speed CD-RW media - Does not write ultra high speed+ CD-RW media - -Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>\ -Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>\ +--- Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts. -A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md) +A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md)+ \ No newline at end of file diff --git a/docs/gnulinux/grub_cbfs.md b/docs/gnulinux/grub_cbfs.md 
@@ -1,215 +1,443 @@ +#Modifying the GRUB Configuration in Libreboot Systems + +--- + +[**Edit this Page**](https://libreboot.org/git.html#editing-the-website-and-documentation-wiki-style) -- [Back to Previous Index](https://libreboot.org/docs/gnulinux/) + +* [How to Get the GRUB Configuration File](#get_grub) + * [Download the Libreboot Utility Archive](#download_libreboot_util) + * [Get the Necessary Utilities](#get_utilities) + * [Get ROM Image](#get_rom) + * [Download a Pre-Compiled Image from the Libreboot Website](#pre_compiled) + * [Create an Image from the Current ROM](#create_from_current_rom) + * [Copy grubtest.cfg from ROM Image](#extract_grubtest) +* [How to Modify the GRUB Configuration File](#modify_grub_howto) +* [Change the GRUB Configuration that the Operating System Uses](#change_grub) + * [Without Re-Flashing ROM](#without_reflash) + * [With Flashing ROM](#with_reflash) + * [Change grubtest.cfg in ROM](#insert_modified_grubtest) + * [Change MAC Address in ROM](#change_mac) + * [Flash Updated ROM Image](#flash_updated_rom) + * [Reboot the Computer](#reboot) + * [Final Steps](#final_steps) + +This guide will go through all the steps to modify a GRUB configuration file +in Libreboot; this is so that the user doesn't have to manually boot +their operating system each time, by typing in commands at the GRUB command line. + +For the purposes of this guide, you can either modify the GRUB configuration file +that resides in the computer's ROM, or else you could modify the version that +exists within the operating system itself; both options will be explained here. + --- -title: How to replace the default GRUB configuration file -x-toc-enable: true -... - -Libreboot on x86 uses the GRUB -[payload](http://www.coreboot.org/Payloads#GRUB_2) by default, which -means that the GRUB configuration file (where your GRUB menu comes from) -is stored directly alongside libreboot and its GRUB payload executable, -inside the flash chip. 
In context, this means that installing -distributions and managing them is handled slightly differently compared -to traditional BIOS systems. - -A libreboot (or coreboot) ROM image is not simply "flat"; there is an -actual filesystem inside called CBFS (coreboot filesystem). A utility -called 'cbfstool' allows you to change the contents of the ROM image. -In this case, libreboot is configured such that the 'grub.cfg' and -'grubtest.cfg' files exist directly inside CBFS instead of inside the -GRUB payload 'memdisk' (which is itself stored in CBFS). - -You can either modify the GRUB configuration stored in the flash chip, -or you can modify a GRUB configuration file on the main storage which -the libreboot GRUB payload will automatically search for. - -Here is an excellent writeup about CBFS (coreboot filesystem): -<http://lennartb.home.xs4all.nl/coreboot/col5.html>. - -*This guide is only for the GRUB payload. If you use the depthcharge payload, -ignore this section entirely.* - -Introduction ------------- - -Download the latest release from [libreboot.org](/)\ -*If you downloaded from git, refer to -[../git/\#build\_meta](../git/#build_meta) before continuing.* - -There are several advantages to modifying the GRUB configuration stored -in CBFS, but this also means that you have to flash a new libreboot ROM -image on your system (some users feel intimidated by this, to say the -least). Doing so can be risky if not handled correctly, because it can -result in a bricked system (recovery is easy if you have the -[equipment](../install/bbb_setup.md) for it, but most people don't). -If you aren't up to that then don't worry; it is possible to use a -custom GRUB menu without flashing a new image, by loading a GRUB -configuration from a partition on the main storage instead. 
- -1st option: don't re-flash ---------------------------- - -By default, GRUB in libreboot is configured to scan all partitions on -the main storage for /boot/grub/libreboot\_grub.cfg or -/grub/libreboot\_grub.cfg(for systems where /boot is on a dedicated -partition), and then use it automatically. - -Simply create your custom GRUB configuration and save it to -`/boot/grub/libreboot_grub.cfg` on the running system. The next time -you boot, GRUB (in libreboot) will automatically switch to this -configuration file. *This means that you do not have to re-flash, -recompile or otherwise modify libreboot at all!* - -Ideally, your distribution should automatically generate a -libreboot\_grub.cfg file that is written specifically under the -assumption that it will be read and used on a libreboot system that uses -GRUB as a payload. If your distribution does not do this, then you can -try to add that feature yourself or politely ask someone involved with -or otherwise knowledgeable about the distribution to do it for you. The -libreboot\_grub.cfg could either contain the full configuration, or it -could chainload another GRUB ELF executable (built to be used as a -coreboot payload) that is located in a partition on the main storage. - -If you want to adapt a copy of the existing *libreboot* GRUB -configuration and use that for the libreboot\_grub.cfg file, then follow -[\#tools](#tools), [\#rom](#rom) and -[\#extract\_testconfig](#extract_testconfig) to get the -`grubtest.cfg`. Rename `grubtest.cfg` to -`libreboot_grub.cfg` and save it to `/boot/grub/` on the -running system where it is intended to be used. Modify the file at that -location however you see fit, and then stop reading this guide (the rest -of this page is irrelevant to you); in `libreboot_grub.cfg` on disk, if -you are adapting it based on grub.cfg from CBFS then remove the check -for `libreboot_grub.cfg` otherwise it will loop. 
- -2nd option: re-flash --------------------- - -You can modify what is stored inside the flash chip quite easily. Read -on to find out how. - -Acquire the necessary utilities -------------------------------- - -Use `cbfstool` and `flashrom`. There are available in the -*libreboot\_util* release archive, or they can be compiled (see -[../git/\#build\_flashrom](../git/#build_flashrom)). Flashrom is also -available from the repositories: - - # pacman -S flashrom - -Acquiring the correct ROM image -------------------------------- + +##How to Get the GRUB Configuration File <a name=get_grub></a> + +The first step of the process is to actually get a hold of the GRUB configuration file +that we need to modify. There are two ways to do this: + +1. We can extract the one that already exists within the ROM +2. We can use one of the pre-compiled ROMS supplied by the Libreboot project + +However, both ways will require us to download the Libreboot Utility Archive. + +###Download the Libreboot Utility Archive <a name=download_libreboot_util></a> + +The Libreboot Utility Archive contains the programs that we'll need +to get our **grubtest.cfg** file. The latest release of the Libreboot Utility Archive +can be downloaded from libreboot.org, [here](https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/libreboot_r20160907_util.tar.xz). +The quickest way to download it would be to use the **`wget`** program, +which (if you don't know) allows you to download files from the internet. 
+ +If you don't already have it installed, you can install it, +using the **`apt-get`** command (in Debian-based distributions): + +> $ sudo apt-get install wget + +You can install it in Arch-based systems, using **`pacman`**: + +> $ sudo pacman -S wget + +Once you've installed **`wget`**, use it to download the file, +simply by passing it the URL as an argument; you can save the file anywhere, +but for the purpose of this guide, save it in **~/Downloads** +(your **Home** directory's downloads folder). +First, change the current working directory to **~/Downloads**: + +> $ cd ~/Downloads + +This guide assumes you are using the **20160907** version of Libreboot; +if using a different version, modify the following commands accordingly: + +> $ wget https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/\ +> >libreboot_r20160907_util.tar.xz + +After the file is downloaded, use the **`tar`** command to extract its contents: + +> $ tar -xf libreboot_r20160907_util.tar.xz + +After extraction, the folder will have the same name as the archive: in this case, +**libreboot\_r20160907\_util**. For simplicity's sake, we'll rename it **libreboot\_util**, +using the **`mv`** command: + +> $ mv "libreboot_r20160907_util" "libreboot_util" + +Now you have the folder with all the utilities necessary to read and modify the contents of the ROM. + +###Get the Necessary Utilities <a name=get_utilities></a> + +Once you have the **libreboot\_util** archive, you can find the **`cbfstool`** and **`flashrom`** +utilities in **libreboot\_util/cbfstools/x86\_64/cbfstool**, +and **libreboot\_util/flashrom/x86\_64/flashrom**, respectively. + +>NOTE: This guide assumes that you are using a device with the **x86_64** architecture; +>if you are using a device with a different architecture (e.g., **i686** or **armv7l**), +>the proper version of **`cbfstool`** and **`flashrom`** will be in that folder, +>inside their respective directories. 
+ +You could also compile both of these utilities; see [How to Build flashrom](../git/#build_flashrom). + +**`flashrom`** is also available from the repositories; if using an Arch-based distribution, +use **`pacman`**: + +> $ sudo pacman -S flashrom + +Or, if you have a Debian-based distribution, use **`apt-get`**: + +> $ sudo apt-get install flashrom + +###Get the ROM Image <a name=get_rom></a> You can either work directly with one of the ROM images already included in the libreboot ROM archives, or re-use the ROM that you have currently -flashed. For the purpose of this tutorial it is assumed that your ROM -image file is named *libreboot.rom*, so please make sure to adapt. +flashed. For the purpose of this tutorial, it is assumed that your ROM +image file is named **libreboot.rom**, so please make sure to adapt. + +There are two ways to get a pre-compiled ROM image: +####1. Download a Pre-Compiled Image from the Libreboot Website <a name=pre_compiled></a> + +>For the current release, **20160907**, they can be found [here](https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/rom/grub/); +>please adopt this guide, if using a different version of Libreboot. + +>You also need to make sure that you select both the correct ROM for the device you're using, +>as well as the correct flash chip size (if applicable): 4mb, 8mb, or 16mb; +>variable flash chip sizes only apply for the Thinkpads that Libreboot supports (excluding the X60 and T60). + +>You can find the flash chip size, by running the following command: + +>> # flashrom -p internal -V + +>Look for a line like this: + +>> Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) \ +>> mapped at physical address 0x00000000ff800000. + +>Running this command on my Thinkpad X200 gives me the above result, so I know that +>my flash chip size is 8mb. + +>Once you've determined the correct ROMs and flash chip size, download them from the website. 
+>Since I'm currently using an X200 to write this guide, I'll demonstrate how +>to download the correct ROM images for that model. + +>First, we're going to navigate to the **libreboot\_util** folder: + +>> $ cd ~/Downloads/libreboot_util/ + +>Then, we will download the ROM images, using **`wget`**: + +>> $ wget https://www.mirrorservice.org/sites/libreboot.org/release/stable/\ +>> 20160907/rom/grub/libreboot_r20160907_grub_x200_8mb.tar.xz -ROM images are included pre-compiled in libreboot. You can also dump -your current firmware, using flashrom: +>Extract the archive, using **`tar`**: - $ sudo flashrom -p internal -r libreboot.rom - # flashrom -p internal -r libreboot.rom +>> $ tar -xf libreboot_r20160907_grub_x200_8mb.tar.xz -If you are told to specify the chip, add the option `-c {your chip}` to the -command, for example: +>Navigate to the directory that you just created: - # flashrom -c MX25L6405 -p internal -r libreboot.rom +>> $ cd libreboot_r20160907_grub_x200_8mb -Extract grubtest.cfg from the ROM image ---------------------------------------- +>Now that we are in the archive, we must choose the correct ROM image. +>To figure out the correct image, we must first parse the filenames for each ROM. +>For example, for the file named **x200_8mb_usqwerty_vesafb.rom**: -You can check the contents of the ROM image, inside CBFS: +>> Model Name: x200 +>> Flash Chip Size: 8mb +>> Country: us +>> Keyboard Layout: qwerty +>> ROM Type: vesafb or txtmode - $ cd .../libreboot\_util/cbfstool - $ ./cbfstool libreboot.rom +>Since I am using a QWERTY keyboard, I will ignore all the non-QWERTY options. +>Note that there are two types of ROMs: **`vesafb`** and **`txtmode`**; +>The **`vesafb`** ROM images are recommended, in most cases; **`txtmode`** ROM images +>come with **`MemTest86+`**, which requires text-mode, instead of the usual framebuffer +>used by coreboot native graphics initialization. -The files *grub.cfg* and *grubtest.cfg* should be present. 
grub.cfg is -loaded by default, with a menuentry for switching to grubtest.cfg. In -this tutorial, you will first modify and test *grubtest.cfg*. This is to -reduce the possibility of bricking your device, so DO NOT SKIP THIS! +>I'll choose **x200_8mb_usqwerty_vesafb.rom**; I'll copy the file (to the **`cbfstool`** directory), +>and rename it with one command: -Extract grubtest.cfg from the ROM image: +>> $ mv "x200_8mb_usqwerty_vesafb.rom" ../cbfstool/x86_64/cbfstool/x86_64/libreboot.rom - $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg +####2. Create an Image from the Current ROM <a name=create_from_current_rom></a> -Modify the grubtest.cfg accordingly. +>The simpler way to get a ROM image is to just create it from your current ROM, +>using **`flashrom`**, making sure to save it in the **`cbfstool`** folder, inside **libreboot\_util**: -Re-insert the modified grubtest.cfg into the ROM image ------------------------------------------------------- +>> $ sudo flashrom -p internal -r ~/Downloads/libreboot_util/cbfstool/\ +>> x86_64/cbfstool/x86_64/libreboot.rom -Once your grubtest.cfg is modified and saved, delete the unmodified -config from the ROM image: +>If you are told to specify the chip, add the option **`-c {your chip}`** to the command, like this: + +>> $ sudo flashrom -c MX25L6405 -p internal -r ~/Downloads/libreboot_util/\ +>> cbfstool/x86_64/cbfstool/x86_64/libreboot.rom + +Now you are ready to extract the GRUB configuration files from the ROM, and modify them the way you want. + + +###Copy grubtest.cfg from the ROM Image <a name=extract_grubtest></a> + +You can check the contents of the ROM image, inside CBFS, using **`cbfstool`**. 
+First, navigate to the cbfstool folder: + +> $ cd ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/ + +Then, run the **`cbfstool`** commmand, with the **`print`** option; this will display +a list of all the files located in the ROM: + +> $ ./cbfstool libreboot.rom print + +You should see **grub.cfg** and **grubtest.cfg** in the list. **grub.cfg** is +loaded by default, with a menu entry for switching to **grubtest.cfg**. In +this tutorial, you will first modify and test **grubtest.cfg**. This is to +reduce the possibility of bricking your device, so *DO NOT SKIP THIS!* + +Extract (i.e., get a copy of ) **grubtest.cfg** from the ROM image: + +> $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg + +By default **`cbfstool`** will extract files to the current working directory; +so, **grubtest.cfg** should appear in the same folder as **libreboot.rom**. + +--- - $ ./cbfstool libreboot.rom remove -n grubtest.cfg +##How to Modify the GRUB Configuration File <a name=modify_grub_howto></a> -Next, insert the modified version: +This section will instruct the user *how* to modify their GRUB configuration file; +whether they decide to use the version located in their operating system's **/** folder, +or the one located in the ROM, the modifications will be the same. - $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw +Once the file is open, look for the following line (it will be towards the bottom of the file): -Testing -------- +> menuentry 'Load Operating System [o]' --hotkey='o' --unrestricted -Now you have a modified ROM. Refer back to -[../install/\#flashrom](../install/#flashrom) for information on how to -flash it. 
+After this line, there will be an opening bracket **{**, followed by a several lines +of code, and then a closing bracket **}**; delete everything that is between those two brackets, +and replace it with the following code, if you're using an Arch-based disribution (e.g., Parabola GNU+Linux-Libre): - $ cd /libreboot\_util - # ./flash update libreboot.rom +> cryptomount -a +> set root='lvm/matrix-root' +> linux /boot/vmlinuz-linux-libre root=/dev/matrix/root cryptdevice=/dev/sda1:root \ +> cryptkey=rootfs:/etc/mykeyfile +> initrd /boot/initramfs-linux-libre.img -Ocassionally, coreboot changes the name of a given board. If flashrom +Or, replace it with this, if you are using a Debian-based distribution (e.g., Trisquel GNU+Linux): + +> cryptomount -a +> set root='lvm/matrix-rootvol' +> linux /vmlinuz root=/dev/mapper/matrix-rootvolcryptdevice=/dev/mapper/matrix-rootvol:root +> initrd /initrd.img + +Remember, that these names come from the instructions to install GNU+Linux +on Libreboot systems, located [here](index.md). If you followed different instructions, +(or for some other reason, used different names), simply put the names +of your **root** and **swap** volumes, in place of the ones used here. + +This covers the basic changes that we can make to GRUB; however, there are some more +changes that you could make, to increase the security of your GRUB configuration. +If you are interested in those modifications, see the Libreboot guide on [Hardening GRUB](grub_hardening.md). + +That's it for the modifications! Now all you need to do is follow the instructions below, +in order to use this new configuration to boot your system. + +--- + +##Change the GRUB Configuration File that the Operating System Uses <a name=change_grub></a> + +Now that we have explained *how* to modify the file itself, we need to explain +how to actually make our system *use* the new GRUB configuration file to boot. 
+ +###Without Re-Flashing the ROM <a name=without_reflash></a> + +To change the GRUB Configuration that our system uses, without having to re-flash the ROM, +we need to take our **grubest.cfg** file, rename it to **libreboot\_grub**; +this is because that, by default, GRUB in Libreboot is configured to scan all partitions on +the main storage for **/boot/grub/libreboot\_grub.cfg** or **/grub/libreboot\_grub.cfg** +(for systems where **/boot** is on a dedicated partition), and then use it automatically. + +Therefore, we need to either copy **libreboot\_grub.cfg** to **/grub**, or to **/boot/grub**: + +> $ sudo cp ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/grubtest.cfg \ +> >/boot/grub # or /grub + +Now, the next time we boot our computer, GRUB (in Libreboot) will automatically switch +to this configuration file. *This means that you do not have to re-flash, +recompile, or otherwise modify Libreboot at all!* + +###With Re-Flashing the ROM <a name=with_reflash></a> + +Changing the GRUB configuration that resides in ROM is a bit more complicated +that the one in **/**, but most of the hard work is already done. + +####Change grubtest.cfg in ROM <a name=insert_modified_grubtest></a> + +Now that you have the modified **grubtest.cfg**, we need to remove +the old **grubtest.cfg** from the ROM, and put in our new one. To remove +the old one, we will use **`cbfstool`**: + +> $ ./cbfstool libreboot.rom remove -n grubtest.cfg + +Then, add the new one to the ROM: + +> $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw + +####Change MAC address in ROM <a name=change_macl></a> + +The last step before flashing the new ROM, is to change the MAC address inside it. 
+Every libreboot ROM image contains a generic MAC address; you want to make sure +that your ROM image contains yours, so as to not create any problems on your network +(say, for example, that multiple family members had libreboot computers, and used +the same ROM image to flash those computers). + +To do this, we will use the **`ich9gen`** utility, also located in **libreboot_util**. + +First, you need to find the current MAC address of your computer; there are +two ways to do this: + +1. Read the white label on the bottom of the case (however, this will only work, +if your motherboard has never been replaced). +2. Run **`ifconfig`**; look for your ethernet device (e.g., **`enpXXX`** +in Arch-based distributions, or **`eth0`** in Debian-based distributions), +and look for a set of characters like this: **`00:f3:f0:45:91:fe`**. + +Next, you need to move **libreboot.rom** to the following folder; this is where +the executable for **`ich9gen`** is located: + +> $ mv libreboot.rom ~/Downloads/libreboot_r20160907_util/ich9deblob/ + +Once there, run the following command, making sure to use your own MAC address, +instead of what's written below: + +> $ ./ich9gen --macaddress XX:XX:XX:XX:XX:XX + +Three new files will be created: + +* ich9fdgbe_4m.bin: this is for GM45 laptops with the 4MB flash chip. +* ich9fdgbe_8m.bin: this is for GM45 laptops with the 8MB flash chip. +* ich9fdgbe_16m.bin: this is for GM45 laptops with the 16MB flash chip. + +Look for the one that corresponds to the size of your ROM image; for example, +if your flash chip size is **`8mb`**, you'll want to use **ich9fdgbe_8m.bin**. + +Now, insert this file (called the **`descriptor+gbe`**) into the ROM image, using **`dd`**: + +> dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc + +Move **libreboot.rom** back to the **libreboot\_util** directory: + +> $ mv libreboot.rom ~/Downloads/libreboot_util + +You are finally ready to flash the ROM! 
+ +####Flash Updated ROM Image <a name=flash_updated_rom></a> + +The last step of flashing the ROM requires us to change our current working directory +to **libreboot\_util**: + +> $ cd ~/Downloads/libreboot_util + +Now, all we have to do is use the **`flash`** script in this directory, +with the **`update`** option, using **libreboot.rom** as the argument: + +> $ sudo ./flash update libreboot.rom + +Ocassionally, coreboot changes the name of a given board. If **`flashrom`** complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command: - # ./flash forceupdate libreboot.rom +> $ sudo ./flash forceupdate libreboot.rom + +You will see the **`flashrom`** program running for a little while, and you might see errors, +but if it says **`Verifying flash... VERIFIED`** at the end, then it’s flashed, +and should boot. If you see errors, try again (and again, and again). +The message **`Chip content is identical to the requested image`** is also +an indication of a successful installation. -You should see `Verifying flash... VERIFIED.` written at the end -of the flashrom output. Once you have done that, shut down and then boot -up with your new test configuration. +####Reboot the Computer <a name=reboot></a> -Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it -works, then your config is safe and you can continue below. +Now that you have flashed the image, reboot the computer. Keep pressing **`spacebar`** +right after you turn it on, until you see the GRUB menu, to prevent libreboot +from automatically trying to load the operating system. -*If it does not work like you want it to, if you are unsure or -sceptical in any way, then re-do the steps above until you get it right! 
-Do not proceed past this point unless you are 100% sure that your -new configuration is safe (or desirable) to use.* +Scroll down with the arrow keys, and choose the **`Load test configuration (grubtest.cfg) inside of CBFS`** option; +this will switch the GRUB configuration to your test version. If all goes well, +it should prompt you for a GRUB username and password, and then your LUKS password. -Final steps ------------ +Once the operating system starts loading, it will prompt you for your LUKS password again. +If it continues, and loads into the OS without errors, then that means your flashing +attempt was a success. -When you are satisfied booting from grubtest.cfg, you can create a copy -of grubtest.cfg, called grub.cfg. This is the same except for one -difference: the menuentry 'Switch to grub.cfg' will be changed to -'Switch to grubtest.cfg' and inside it, all instances of grub.cfg to -grubtest.cfg. This is so that the main config still links (in the menu) -to grubtest.cfg, so that you don't have to manually switch to it, in -case you ever want to follow this guide again in the future (modifying -the already modified config). From /libreboot\_util/cbfstool, do: +####Final Steps <a name=final_steps></a> - # sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e +When you are satisfied booting from **grubtest.cfg**, you can create a copy +of **grubtest.cfg**, called **grub.cfg**. 
-'s:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > -grub.cfg +First, go to the **`cbfstool`** directory: -Delete the grub.cfg that remained inside the ROM: +> $ cd ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/ - $ ./cbfstool libreboot.rom remove -n grub.cfg +Then, create a copy of **grubest.cfg**, named **grub.cfg**: -Add the modified version that you just made: +> $ cp grubtest.cfg ./grub.cfg - $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw +Now you will use the **`sed`** command to make several changes to the file: +the menu entry **`'Switch to grub.cfg'`** will be changed to **`Switch to grubtest.cfg`**, +and inside it, all instances of **grub.cfg** to **grubtest.cfg**. +This is so that the main config still links (in the menu) to **grubtest.cfg**, +so that you don't have to manually switch to it, in case you ever want to follow +this guide again in the future (modifying the already modified config).: -*Now you have a modified ROM. Again, refer back to -[../install/\#flashrom](../install/#flashrom) for information on how to -flash it. It's the same method as you used before. Shut down and then -boot up with your new configuration.* +> $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e \ +> >'s:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > \ +> >grub.cfg -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>\ +Move **libreboot.rom** from **libreboot\_util** to your current directory: + +> $ mv ~/Downloads/libreboot_util/libreboot.rom . + +Delete the **grub.cfg** that's already inside the ROM: + +> $ ./cbfstool libreboot.rom remove -n grub.cfg + +Add your modified **grub.cfg** to the ROM: + +> $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw + +Move **libreboot.rom** back to **libreboot\_util**: + +> $ mv libreboot.rom ../.. 
+ +If you don't remember how to flash it, refer back to [Flash Updated ROM Image](#flash_updated_rom); +it's the same method as you used before. Afterwards, reboot the machine with your new configuration. + +--- + +Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org> + +Copyright © 2017 Elijah Smith <esmith61412@posteo.net> + +--- Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts. -A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md) +A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md)+ \ No newline at end of file diff --git a/docs/gnulinux/index.md b/docs/gnulinux/index.md 
@@ -1,31 +1,35 @@ +# GNU+Linux Installation Instructions + --- -title: GNU+Linux installation instructions -... -This section relates to dealing with GNU+Linux distributions: preparing -bootable USB drives, changing the default GRUB menu and so on. +This section explains how to deal with various GNU+Linux distributions +in Libreboot (e.g., Creating bootable USB drives, Installing Operating Systems, +Changing the default GRUB menu, etc.). + +**NOTE: This section is only for the GRUB payload. For depthcharge, +instructions have yet to be written.** + +- [How to Install GNU+Linux on a Libreboot System](grub_boot_installer.md) -*This section is only for the GRUB payload. For depthcharge, -instructions have yet to be written.* +- [Modifying the GRUB Configuration in Libreboot Systems](grub_cbfs.md) -- [How to install GNU+Linux on a libreboot - system](grub_boot_installer.md) +- [Installing Parabola or Arch Gnu+Linux-Libre, with Full-Disk Encryption (including /boot)](encrypted_parabola.md) + - Follow-Up Tutorial: [Configuring Parabola (Post-Install)](configuring_parabola.md) -- [How to replace the default GRUB configuration file on a libreboot - system](grub_cbfs.md) -- [Installing Parabola or Arch GNU+Linux-libre with full disk - encryption (including /boot)](encrypted_parabola.md) - - Follow-up tutorial: [Configuring Parabola - (post-install)](configuring_parabola.md) -- [Installing Debian or Devuan GNU+Linux-libre with full disk - encryption (including /boot)](encrypted_debian.md) -- [How to harden your GRUB configuration, for - security](grub_hardening.md) +- [Installing Debian or Devuan GNU+Linux-Libre, with Full-Disk Encryption (including /boot)](encrypted_debian.md) -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ +- [How to Harden Your GRUB Configuration, for Security](grub_hardening.md) + +--- + +Copyright © 2014, 2015 Leah Rowe <info@minifree.org> + +Copyright © 2017 Elijah Smith <esmith1412@posteo.net> + +--- Permission is granted to copy, distribute 
and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts. -A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md) +A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md)+ \ No newline at end of file
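Review bot: In the docs/gnulinux/grub_cbfs.md hunk, the added `cd ~/Downloads/libreboot_util/cbfstool/x86_64/cbfstool/x86_64/` repeats `cbfstool/x86_64`, which does not agree with the later `mv libreboot.rom ../..` that the text describes as moving the image back to libreboot\_util. Two levels up only reaches libreboot\_util from `cbfstool/x86_64/`, so one of the two paths needs fixing. In the same hunk, "create a copy of **grubest.cfg**" should read grubtest.cfg, and the `cp grubtest.cfg ./grub.cfg` step is overwritten immediately by the `sed ... < grubtest.cfg > grub.cfg` redirect, so it can be dropped. The continuation lines of the sed command are written as `> >'s:Switch to grub.cfg:...` and `> >grub.cfg`, which Markdown reads as a nested blockquote rather than as part of the command, so it will not render as one copyable command line. Since the resulting image is flashed, consider adding a `./cbfstool libreboot.rom print` step after the `add`, so the reader confirms grub.cfg is present in the ROM before flashing.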
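Review bot: In the docs/gnulinux/index.md hunk, the added copyright line gives the address esmith1412@posteo.net, while the line added to grub\_cbfs.md in this same commit gives esmith61412@posteo.net. One of the two is a typo and should be corrected so the notices match. Also in this hunk, the Parabola entry spells the name "Arch Gnu+Linux-Libre" where the Debian entry and the new heading use "GNU+Linux", and the new introduction capitalises items mid-sentence ("Creating bootable USB drives, Installing Operating Systems, Changing the default GRUB menu"), which would read better in lower case. The file now ends without a trailing newline ("\ No newline at end of file"), as does grub\_cbfs.md; please restore it in both.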