waffelo.net/articles/thinkpad-gentoo-install.html
2024-09-22 13:11:59 +02:00

<!DOCTYPE html>
<html>
<head>
<title>Encrypted Gentoo install</title>
<link rel="stylesheet" href="../style.css">
<link rel="icon" type="image/x-icon" href="../../../assets/favicon.ico">
<meta charset="utf-8">
<meta name="description" content="My printer is Creality Ender 3 v2, I bought it because it is a classic well known printer brand and because
it is the newer and apparently better version of the good old Ender 3 which almost everyone has.">
<meta name="keywords" content="linux, free software, foss, 3d printing, free, open, furry, dragon, waffelo, heger, jakub, 3d printer">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">
</head>
<body>
<div class="c-main">
<a href="/index.html">Return Home</a>
<h1 style="margin-bottom: 0px;">Encrypted Gentoo install on ThinkPad</h1>
<i>(6th June 2024)</i>
<br>
<p>
This is a small guide on how to do an encrypted Gentoo install. It isn't really an all-purpose article for every
case; I wrote it while installing Gentoo on my ThinkPad T430 laptop and wanted to make an article
that might help someone a bit.
</p>
<br>
<h2>Preparing disks</h2>
<p>
First you will have to prepare your disk for the Gentoo installation. This will be the base for your entire system.
You will have to create four partitions <i>(BIOS boot, boot, swap and root)</i> using the program <span class="cdblk-m">gdisk</span>
and then use the <span class="cdblk-m">cryptsetup</span> command on the root partition to create an encrypted LUKS container.
The device names in the commands below (<span class="cdblk-m">/dev/sdaN</span>, <span class="cdblk-m">/dev/sdbN</span>) are from my machine;
check yours with <span class="cdblk-m">lsblk</span> and substitute them, because <span class="cdblk-m">luksFormat</span> and
<span class="cdblk-m">mkfs</span> destroy whatever is on the target device.
</p>
<br>
<h4>Creating an encrypted container</h4>
<p class="cdblk">cryptsetup -yv luksFormat /dev/sda4</p>
<br>
<h4>Opening the encrypted container</h4>
<p>Note that the word at the end of the command is the mapper name; you can choose any name you like.</p>
<p class="cdblk">cryptsetup open /dev/sdb4 root</p>
<p>After opening the encrypted container, the decrypted device is available at <span class="cdblk-m">/dev/mapper/root</span>.</p>
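<p>As an added example (not part of the article), a small POSIX sh check that audits the header of the container you just created with <span class="cdblk-m">cryptsetup luksFormat</span>: it confirms the header is LUKS2 with AES-XTS, a key of at least 256 bits and an argon2id key slot, which is what current cryptsetup produces by default. The function names are mine; the field names follow the LUKS2 <span class="cdblk-m">luksDump</span> layout, and the sample at the bottom is a constructed, abbreviated dump using the article's container UUID.</p>

```shell
#!/bin/sh
# Added example, not from the article: audit the header of the container made by
# "cryptsetup luksFormat" before putting a root filesystem on it. Usage on a real
# device: audit_luks_header "$(cryptsetup luksDump /dev/sdX4)"
# The field names follow the LUKS2 luksDump layout; the sample at the bottom is a
# constructed, abbreviated dump that reuses the article's container UUID.

# Pull the first "Name: value" field out of a luksDump text (name matched case-insensitively).
luks_field() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Print what deviates from a sane baseline; return 0 if nothing does, 1 otherwise.
audit_luks_header() {
    dump=$1; bad=0
    ver=$(luks_field "$dump" version)
    cipher=$(luks_field "$dump" cipher)          # first match is the data segment
    pbkdf=$(luks_field "$dump" pbkdf)
    bits=$(luks_field "$dump" "cipher key")      # "Cipher key: 512 bits" -> 512
    [ "$ver" = "2" ] || { echo "header is LUKS$ver, expected LUKS2"; bad=1; }
    case $cipher in
        aes-xts-plain64) ;;                      # current cryptsetup default
        *) echo "unexpected cipher '$cipher'"; bad=1 ;;
    esac
    # XTS uses two AES keys, so 512 bits here means AES-256.
    [ "${bits:-0}" -ge 256 ] || { echo "key is ${bits:-?} bits, expected at least 256"; bad=1; }
    [ "$pbkdf" = "argon2id" ] || { echo "key slot uses ${pbkdf:-no} PBKDF, expected argon2id"; bad=1; }
    return $bad
}

# Constructed sample (abbreviated LUKS2 luksDump output).
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           52121e1c-c51c-4ffc-92bc-eb6423e736c8

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4'

audit_luks_header "$SAMPLE_DUMP" && echo "LUKS header looks sane"
```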
<br>
<h4>Formatting the partitions</h4>
<p>Now format the boot partition as ext4 and the root container as btrfs. And don't forget to format the swap partition.</p>
<p class="cdblk">mkfs.ext4 /dev/sda2</p>
<p class="cdblk">mkfs.btrfs /dev/mapper/root</p>
<p class="cdblk">mkswap /dev/sda3</p>
<br>
<h2>Preparing the system</h2>
<p>
In this step you will need to download the stage3 tarball from the <a href="">Gentoo website</a> and extract it into
<span class="cdblk-m">/mnt/gentoo/</span>. In my case <u>I will be using the amd64 desktop profile with OpenRC</u>.
</p>
<h4>Mounting the disk</h4>
<p>
First you will need to create <span class="cdblk-m">/mnt/gentoo/</span> and <span class="cdblk-m">/mnt/gentoo/boot/</span>:
</p>
<p class="cdblk">mkdir -p /mnt/gentoo/boot</p>
<p>And then mount the partitions:</p>
<p class="cdblk">mount /dev/mapper/root /mnt/gentoo</p>
<p class="cdblk">mount /dev/sda2 /mnt/gentoo/boot</p>
<br>
<h4>Downloading and extracting the stage3 tarball</h4>
<p>
Go to the <a href="">Gentoo download website</a> and copy the download link of the selected tarball and download it into
<span class="cdblk-m">/mnt/gentoo/</span>.
</p>
<p class="cdblk">cd /mnt/gentoo</p>
<p class="cdblk">wget [tarball link]</p>
<p>After downloading the tarball, extract it using this command:</p>
<p class="cdblk">tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner</p>
<p>After it is done extracting the tarball, you can delete the .tar.xz file.</p>
<br>
<h4>Configuring compile options</h4>
<p>
This is a very important thing to set: most of your packages will be compiled with the settings you put in
<span class="cdblk-m">/mnt/gentoo/etc/portage/make.conf</span>. I will show you the important things to set
for this guide. Use this <a href="https://wiki.gentoo.org/wiki//etc/portage/make.conf">wiki page</a>
as a reference for your individual configuration.
</p>
<br>
<p>
Most importantly, don't forget to set <span class="cdblk-m">-march=</span> to your CPU architecture. If you are
compiling on the computer that the Gentoo installation will be used on, just set <span class="cdblk-m">-march=native</span>;
if not, go to this <a href="https://wiki.gentoo.org/wiki/Safe_CFLAGS">wiki page</a> and find the name for the CPU
that you will use this Gentoo installation on. In my case I will be setting <span class="cdblk-m">-march=westmere</span>.
</p>
<p>
You should also set <span class="cdblk-m">CPU_FLAGS_X86</span> to your CPU's flags. You can do that by booting the Gentoo
live ISO from a USB flash drive on the computer you will use this Gentoo installation on and running the
<span class="cdblk-m">cpuid2cpuflags</span> command to list all the flags.
</p>
<p>
Rust software is spreading like COVID-19 did a few years ago, so I would advise you to include
<span class="cdblk-m">RUSTFLAGS="${COMMON_FLAGS}"</span> in your make.conf.
</p>
<p>
You should also include this quality-of-life option, which automatically appends these flags whenever you emerge
something: <span class="cdblk-m">EMERGE_DEFAULT_OPTS="--ask --verbose"</span>
</p>
<p>
You will want faster downloads from the Gentoo mirrors, so set <span class="cdblk-m">GENTOO_MIRRORS</span>
to the mirror closest to you. You can find mirrors on this <a href="https://www.gentoo.org/downloads/mirrors/">page</a>.
</p>
<p>
You will also want to set the <span class="cdblk-m">VIDEO_CARDS</span> option so your video drivers get compiled. I will use
<span class="cdblk-m">VIDEO_CARDS="intel"</span> on my ThinkPad because it has an integrated GPU. If you don't know which
flag to set, go to this <a href="https://wiki.gentoo.org/wiki//etc/portage/make.conf#VIDEO_CARDS">wiki page</a> to find the
GPU flag you need.
</p>
<p>
For the Grub bootloader you will want to set <span class="cdblk-m">GRUB_PLATFORMS="pc"</span> since this guide is focused on
installation with legacy boot.
</p>
<p>
If you compile on a faster CPU than the one the installation will be used on, you can set <span class="cdblk-m">MAKEOPTS="-j"</span> to the available
resources you have. I am compiling this installation on an AMD Ryzen 7, so I will be using <span class="cdblk-m">MAKEOPTS="-j16"</span>.
Make sure you adjust the -j number to the CPU your installation will run on after you are done installing Gentoo.
</p>
<p>
This is optional, but if you want to use only Free Software, you could opt to set <span class="cdblk-m">ACCEPT_LICENSE="-* @FREE"</span>.
I personally set this on all my machines.
</p>
<p>The last thing we will set are the USE flags. You can put any flags you want there, but make sure you include these few:
<i>device-mapper, crypt, elogind</i>. You can find other flags on this
<a href="https://www.gentoo.org/support/use-flags/">wiki page</a>.</p>
<br>
<p>Here is an example of what I have:</p>
<pre style="white-space: pre-wrap;" class="cdblk">
COMMON_FLAGS="-O2 -march=westmere -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
RUSTFLAGS="${COMMON_FLAGS}"
CPU_FLAGS_X86="aes mmx mmxext pclmul popcnt sse sse2 sse3 sse3 sse4_1 sse4_2 ssse3"
EMERGE_DEFAULT_OPTS="--ask --verbose"
GENTOO_MIRRORS="https://mirror.wheel.sk/gentoo"
VIDEO_CARDS="intel"
GRUB_PLATFORMS="pc"
MAKEOPTS="-j16"
ACCEPT_LICENSE="-* @FREE"
USE="device-mapper crypt elogind eme-free bluetooth wifi X wayland pipewire sound-server pulseaudio screencast cdda dvd dvdr -ppp -systemd -telemetry -gnome"
LC_MESSAGES=C.utf8
</pre>
<br>
<h2>Installing the base system</h2>
<h4>Chrooting into the system</h4>
<p>Before chrooting into your system, copy the DNS info to your new installation so you can connect to the internet.</p>
<p class="cdblk">cp --dereference /etc/resolv.conf /mnt/gentoo/etc/</p>
<p>Then create a temporary chroot script <span class="cdblk-m">chroot.sh</span> which will contain these lines:</p>
<p class="cdblk">vim /mnt/gentoo/chroot.sh</p>
<pre class="cdblk">
# Make the live system's kernel interfaces visible inside the new root.
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-slave /mnt/gentoo/run
# Uncomment the three lines below if you are installing from non-Gentoo installation media.
#test -L /dev/shm && rm /dev/shm && mkdir /dev/shm
#mount --types tmpfs --options nosuid,nodev,noexec shm /dev/shm
#chmod 1777 /dev/shm /run/shm
# This starts an interactive shell inside the new system. The script waits here
# until that shell exits, so anything written after this line would only run in
# the live system afterwards; the two environment commands are typed inside the chroot instead.
chroot /mnt/gentoo /bin/bash</pre>
<p>And run the script:</p>
<p class="cdblk">sh /mnt/gentoo/chroot.sh</p>
<p>You are now inside the chroot. Load the new system's profile and mark the prompt so you can tell the two environments apart:</p>
<p class="cdblk">source /etc/profile</p>
<p class="cdblk">export PS1="(chroot) ${PS1}"</p>
<p>After this, you should be working in your new Gentoo installation environment.</p>
<br>
<h4>Configuring portage</h4>
<p>We have already done some of the portage configuration steps earlier, so we will skip them. Now run these
two commands to configure the Gentoo ebuild repository:</p>
<p class="cdblk">mkdir --parents /etc/portage/repos.conf</p>
<p class="cdblk">cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf</p>
<p>Now you have to download the Gentoo ebuild repository.</p>
<p class="cdblk">emerge-webrsync</p>
<br>
<h4>Selecting a profile</h4>
<p>
A profile is a set of specific USE flags, variables and version ranges. You need to choose a profile that
suits your use case. This installation is intended for desktop use, so I will select the
<span class="cdblk-m">default/linux/amd64/23.0/desktop</span> profile. To view the profiles, run this command:</p>
<p class="cdblk">eselect profile list</p>
<p>Output example: (my output)</p>
<pre class="cdblk">
[21] default/linux/amd64/23.0 (stable)
[22] default/linux/amd64/23.0/systemd (stable)
[23] default/linux/amd64/23.0/desktop (stable) *
[24] default/linux/amd64/23.0/desktop/systemd (stable)
[25] default/linux/amd64/23.0/desktop/gnome (stable)
</pre>
<p>It is most likely that the desktop profile is already selected if you have downloaded the desktop stage3 tarball.
If not, then run the command below with the option number at the end. Then the blue asterisk should move to your
selected option. For example, in my case I selected the number 23.</p>
<p class="cdblk">eselect profile set (your number)</p>
<br>
<h4>Updating the packages</h4>
<p>After changing the USE flags in make.conf, we will want to update our current packages so they are built the
way we want.</p>
<p class="cdblk">emerge --ask --verbose --update --deep --newuse @world</p>
<p>Now get rid of obsolete packages.</p>
<p class="cdblk">emerge --ask --depclean</p>
<br>
<h3>Setting the timezone</h3>
<p>If you want your system time to be correct, you should set your system's timezone. You can list all the available timezones
by running this command:</p>
<p class="cdblk">ls -l /usr/share/zoneinfo</p>
<p>You can also ls deeper into the directory of your continent to see the available timezones.</p>
<p class="cdblk">ls -l /usr/share/zoneinfo/Europe</p>
<p>And then echo the timezone into the timezone file. For example, I will use <span class="cdblk-m">Europe/Bratislava</span>.</p>
<p class="cdblk">echo "(your timezone)" > /etc/timezone</p>
<p>And finally, finish it by emerging timezone-data.</p>
<p class="cdblk">emerge --config sys-libs/timezone-data</p>
<br>
<h3>Installing vim</h3>
<p>This is optional, but if you want to edit files using vim instead of nano, then emerge vim.</p>
<p class="cdblk">emerge vim</p>
<br>
<h3>Generating locale</h3>
<p>Now you will want to generate the locale by editing locale.gen. Just simply uncomment a line with your locale.</p>
<p class="cdblk">vim /etc/locale.gen</p>
<p>If you don't know how to type in locale code of your language, run this command to view supported locales:</p>
<p class="cdblk">less /usr/share/i18n/SUPPORTED</p>
<p>And now just generate the locale.</p>
<p class="cdblk">locale-gen</p>
<br>
<h3>Selecting locale</h3>
<p>Now list your locales with eselect. It is likely that your locale is already selected.</p>
<p class="cdblk">eselect locale list</p>
<p>And set your locale</p>
<p class="cdblk">eselect locale set (number of your option)</p>
<p>And now finally reload your environment using the following command:</p>
<p class="cdblk">env-update && source /etc/profile && export PS1="(chroot) ${PS1}"</p>
<br>
<h2>Installing the kernel</h2>
<p>
Now it is time to install the core of the operating system, the kernel. It has to be installed a bit differently
than usual: you will use the <span class="cdblk-m">genkernel</span> command with a few
flags.<br>
You might want the <span class="cdblk-m">linux-firmware</span> package if you use devices whose drivers need proprietary firmware, such as wifi
or bluetooth cards. But even if you don't need it, like me with my Atheros wifi card, you will need to set
<span class="cdblk-m">-firmware</span> in the <span class="cdblk-m">/etc/portage/package.use/sys-kernel</span> file.
</p>
<br>
<h4>I need linux firmware</h4>
<p>If you use proprietary drivers, you will need the firmware. You need to add the <span class="cdblk-m">~amd64</span>
keyword to the <span class="cdblk-m">package.accept_keywords</span> file.</p>
<p>Adding <span class="cdblk-m">~amd64</span> to <span class="cdblk-m">/etc/portage/package.accept_keywords/sys-kernel</span>:</p>
<p class="cdblk">echo "sys-kernel/linux-firmware ~amd64" &gt;&gt; /etc/portage/package.accept_keywords/sys-kernel</p>
<br>
<p><u>Only with the @FREE ACCEPT_LICENSE option:</u> Add the license(s) the package needs to the portage config, one
<span class="cdblk-m">category/package license</span> entry per line. For linux-firmware the license outside @FREE is
<span class="cdblk-m">linux-fw-redistributable</span>; if emerge still refuses, it prints the remaining license names it needs.</p>
<p class="cdblk">echo "sys-kernel/linux-firmware linux-fw-redistributable" &gt;&gt; /etc/portage/package.license/package.license</p>
<br>
<p>And then you just install the package.</p>
<p class="cdblk">emerge sys-kernel/linux-firmware</p>
<br>
<h4>I don't need linux firmware</h4>
<p>If you are based and use devices with free drivers, then you will need to put the <span class="cdblk-m">-firmware</span>
flag in package.use.</p>
<p class="cdblk">echo "sys-kernel/genkernel -firmware" &gt;&gt; /etc/portage/package.use/sys-kernel</p>
<br>
<h4>Installing the kernel</h4>
<p>To install the kernel, you will need to install two packages: <span class="cdblk-m">genkernel</span>, a tool
that automates building the kernel, and <span class="cdblk-m">gentoo-sources</span>, which contains the kernel source.</p>
<p class="cdblk">emerge genkernel gentoo-sources</p>
<p>Before you can compile the kernel, you need to select it with the <span class="cdblk-m">eselect</span> command.
Run this command to list the available kernels:</p>
<p class="cdblk">eselect kernel list</p>
<p>And then select the kernel. In a new installation it will usually be number 1.</p>
<p class="cdblk">eselect kernel set 1</p>
<p>After selecting the kernel, run this command to start the compilation of the kernel. The command contains the
flags needed for an encrypted installation.<br><b>note:</b> this might take a long time.</p>
<p class="cdblk">genkernel --luks --lvm --busybox all</p>
<br>
<h2>Generating fstab</h2>
<p>All of the partitions your system will use must be listed in the <span class="cdblk-m">/etc/fstab</span> file,
which sets their mount points and the options they are mounted with.</p>
<p>Run the command <span class="cdblk-m">blkid</span> to find the UUIDs of your partitions.</p>
<p>Output example (my output):</p>
<pre class="cdblk" style="overflow-x: scroll;">
/dev/sdb4: UUID="52121e1c-c51c-4ffc-92bc-eb6423e736c8" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="389956c6-89c7-4122-b45f-17e6256be3c9"
/dev/sdb2: UUID="8bee939e-50f2-41ba-b359-2070ec1511f1" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="Linux filesystem" PARTUUID="eccfcd37-5a98-4e4b-ac18-f1194a9679b9"
/dev/sdb3: UUID="75fca4da-eb35-47f7-8696-ae9bbcf1c75c" TYPE="swap" PARTLABEL="Linux swap" PARTUUID="c99f141c-3cea-440c-beb6-cf7fa9c74a89"
/dev/sdb1: PARTLABEL="BIOS boot partition" PARTUUID="b1db83bd-94f0-452a-86bc-bf22a3277873"
/dev/mapper/root: UUID="1e0b2067-8937-47c0-9a5c-f200fe4607b8" UUID_SUB="1ff8b4f2-f1bb-4916-aea9-bdb7f0111584" BLOCK_SIZE="4096" TYPE="btrfs"
</pre>
<p>You will want to put your LUKS partition as the root partition in the fstab; in my case it is <span class="cdblk-m">/dev/sdb4</span>.</p>
<p>Fill in the fstab file so it looks like the example below, just input your own UUIDs instead of the one shown in
example.</p>
<pre class="cdblk" style="overflow-x: scroll;">
# /dev/sdb4 (root)
UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8 / btrfs rw,relatime 0 0
# /dev/sdb2 (boot)
UUID=8bee939e-50f2-41ba-b359-2070ec1511f1 /boot ext4 rw,relatime 0 2
# Swap
UUID=75fca4da-eb35-47f7-8696-ae9bbcf1c75c none swap defaults 0 0
</pre>
<br>
<h2>Setting a hostname</h2>
<p>Set the name of your device, which is visible on your local network.</p>
<p class="cdblk">echo ThinkPaw > /etc/hostname </p>
<br>
<h2>Installing DHCP</h2>
<p>If you want to use the internet on your device, you will need to install the dhcpcd DHCP client and add its
service to the default runlevel so it starts on boot.</p>
<p class="cdblk">emerge --ask net-misc/dhcpcd</p>
<p class="cdblk">rc-update add dhcpcd default</p>
<p class="cdblk">rc-service dhcpcd start</p>
<br>
<!-- hosts file here -->
<h2>Root password</h2>
<p>To set your root password, use the <span class="cdblk-m">passwd</span> command.</p>
<br>
<!-- rc config here -->
<h2>Installing useful tools</h2>
<p>You can skip this step, but it is pretty useful to install some of these packages, especially the filesystem
<i>*-progs</i> packages.</p>
<p class="cdblk">emerge --ask sys-fs/btrfs-progs sys-fs/e2fsprogs net-misc/chrony app-shells/bash-completion sys-apps/mlocate sys-process/dcron</p>
<p>Now enable the chrony service if you have installed it.</p>
<p class="cdblk">rc-update add chronyd default</p>
<p>If you want to use wifi on your computer, you should also install these packages.</p>
<p class="cdblk">emerge --ask net-wireless/iw net-wireless/wpa_supplicant</p>
<br>
<h2>Installing bootloader</h2>
<p>After successfully finishing all the previous steps, you can proceed to the installation of
GRUB. GRUB is the bootloader that loads your kernel when you power on the
PC.</p>
<p>Install the grub package and make sure you have <span class="cdblk-m">GRUB_PLATFORMS="pc"</span> in your
make.conf.</p>
<p class="cdblk">emerge --ask --verbose sys-boot/grub</p>
<br>
<h4>Configuring grub</h4>
<p>Now you will need to configure GRUB to work with encryption. You can find the configuration file at
<span class="cdblk-m">/etc/default/grub</span>.</p>
<p>Your grub config should look something like this; change only the shown parameters. Put your LUKS partition's UUID instead of the one in my
example. It is the same UUID as in the fstab root entry. Note that <span class="cdblk-m">root_trim=yes</span> passes TRIM/discard through
the encrypted container, which lets anyone with the raw disk see which sectors are unused; leave it out if that matters more to you than SSD wear.</p>
<pre class="cdblk" style="overflow-x: scroll;">
...
GRUB_PRELOAD_MODULES='part_gpt part_msdos luks lvm'
GRUB_CMDLINE_LINUX='dolvm crypt_root=UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8 root_trim=yes rootfstype=btrfs'
GRUB_ENABLE_CRYPTODISK=y
...
</pre>
<p>Now generate grub config.</p>
<p class="cdblk">grub-mkconfig -o /boot/grub/grub.cfg</p>
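<p>As an added example (not part of the article), a POSIX sh check for both the fstab section above and this GRUB config: it verifies that every UUID the fstab refers to and the <span class="cdblk-m">crypt_root=UUID=</span> value in <span class="cdblk-m">GRUB_CMDLINE_LINUX</span> actually appear in <span class="cdblk-m">blkid</span> output, and that <span class="cdblk-m">crypt_root</span> points at the LUKS container rather than the filesystem inside it. The function names are mine, and the sample inputs are constructed from the article's own blkid, fstab and grub snippets.</p>

```shell
#!/bin/sh
# Added example, not from the article: before leaving the chroot, cross-check
# that every UUID referenced in /etc/fstab and the crypt_root=UUID=... in
# /etc/default/grub actually exists in blkid output, and that crypt_root
# points at the LUKS container. A mistyped UUID here means an unbootable
# system. Usage inside the chroot:
#   check_uuids "$(blkid)" "$(cat /etc/fstab)" "$(cat /etc/default/grub)"

# List the UUID=... values used as a source in an fstab body (comments ignored).
fstab_uuids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*UUID=\([^[:space:]]*\).*/\1/p'
}

# Extract the crypt_root=UUID=... value from GRUB_CMDLINE_LINUX (quotes stripped first).
grub_crypt_root() {
    printf '%s\n' "$1" | tr -d "'\"" |
        sed -n 's/.*crypt_root=UUID=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Return 0 if blkid output lists a device with exactly this filesystem UUID
# (the leading space keeps PARTUUID="..." from matching).
blkid_has_uuid() {
    printf '%s\n' "$1" | grep -q " UUID=\"$2\""
}

# Print each problem found; return the number of problems (0 = consistent).
check_uuids() {
    blk=$1; fstab=$2; grub=$3; n=0
    for u in $(fstab_uuids "$fstab"); do
        blkid_has_uuid "$blk" "$u" || { echo "fstab: UUID $u not found by blkid"; n=$((n+1)); }
    done
    cr=$(grub_crypt_root "$grub")
    if [ -z "$cr" ]; then
        echo "grub: no crypt_root=UUID=... in GRUB_CMDLINE_LINUX"; n=$((n+1))
    elif ! blkid_has_uuid "$blk" "$cr"; then
        echo "grub: crypt_root UUID $cr not found by blkid"; n=$((n+1))
    elif ! printf '%s\n' "$blk" | grep " UUID=\"$cr\"" | grep -q 'TYPE="crypto_LUKS"'; then
        echo "grub: crypt_root UUID $cr is not a LUKS container"; n=$((n+1))
    fi
    return $n
}

# Constructed sample input, copied from the article's own blkid/fstab/grub examples.
BLKID_SAMPLE='/dev/sdb4: UUID="52121e1c-c51c-4ffc-92bc-eb6423e736c8" TYPE="crypto_LUKS" PARTUUID="389956c6-89c7-4122-b45f-17e6256be3c9"
/dev/sdb2: UUID="8bee939e-50f2-41ba-b359-2070ec1511f1" TYPE="ext4" PARTUUID="eccfcd37-5a98-4e4b-ac18-f1194a9679b9"
/dev/sdb3: UUID="75fca4da-eb35-47f7-8696-ae9bbcf1c75c" TYPE="swap" PARTUUID="c99f141c-3cea-440c-beb6-cf7fa9c74a89"
/dev/mapper/root: UUID="1e0b2067-8937-47c0-9a5c-f200fe4607b8" TYPE="btrfs"'
FSTAB_SAMPLE='# /dev/sdb4 (root)
UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8 / btrfs rw,relatime 0 0
UUID=8bee939e-50f2-41ba-b359-2070ec1511f1 /boot ext4 rw,relatime 0 2
UUID=75fca4da-eb35-47f7-8696-ae9bbcf1c75c none swap defaults 0 0'
GRUB_SAMPLE="GRUB_CMDLINE_LINUX='dolvm crypt_root=UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8 root_trim=yes rootfstype=btrfs'"

check_uuids "$BLKID_SAMPLE" "$FSTAB_SAMPLE" "$GRUB_SAMPLE" && echo "fstab and grub UUIDs are consistent"
```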
<br>
<h2>Leaving the chroot</h2>
<p>Now that you are done, you need to exit your installation environment safely.</p>
<p class="cdblk">exit</p>
<p class="cdblk">cd</p>
<p class="cdblk">umount -l /mnt/gentoo/dev{/shm,/pts,}</p>
<p class="cdblk">umount -R /mnt/gentoo</p>
<p>Now you can reboot your system.</p>
<p class="cdblk">reboot</p>
<center><h1>🚧UNDER CONSTRUCTION🚧</h1><p>The article is not finished</p></center>
</div> <!-- c-main end -->
</body>
</html>