Tag: gentoo

Gentoo full disc encrypted on a modern UEFI notebook

Posted on By Felix No Comments on Gentoo full disc encrypted on a modern UEFI notebook
Linux

Installing Gentoo Linux always introduces some pitfalls, this time we focus on EFI. We install it in a full disc encryption setup. If you are interested in installing Gentoo in general, check out the tutorial on how to install it in a virtual machine: https://www.blog.cocacoding.com/setting-up-a-gentoo-vm-for-linux-kernel-development

Prerequisites:

Get the installation image on an USB drive or a disc:

dd if=Downloads/install-amd64-minimal-20201206T214503Z.iso of=/dev/sdh bs=4M status=progress

Then activate the network connection on the live installation OS, e.g.:

dhcpcd eth0

ifconfig

Then activate ssh to keep it simple and print the keys on the screen you can check for the connection from your master operating OS:

/etc/init.d/sshd restart

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub

Now connect from your master operating system to the installation environment:

passwd

ssh root@livecd.lan

Now you are ready for the installation.

Formatting the disk:

We use fdisk to format the disk like this:

/dev/sda1     2048       6143      4096     2M Linux filesystem
/dev/sda2     6144     268287    262144   128M Linux filesystem
/dev/sda3   268288    1316863   1048576   512M Linux filesystem
/dev/sda4  1316864 1000215182 998898319 476.3G Linux filesystem

We need a small space for the bootloader, a little larger space (128M probably not necessary) for the EFI partition in vfat (FAT32) and enough space for a possible boot partition (can come handy). The rest will be our encrypted luks environment where we keep the partitions and swap.

Now we still need to format the partitions:

mkfs.fat -vvv -F32 /dev/sda2

cryptsetup luksFormat -c aes-xts-plain64 -s 256 /dev/sda4
cryptsetup luksOpen /dev/sda4 lvm


lvm pvcreate /dev/mapper/lvm  
vgcreate vg0 /dev/mapper/lvm  
lvcreate -L 120G -n root vg0  
lvcreate -L 50G -n var vg0  
lvcreate -l 100%FREE -n home vg0


mkfs.ext4 /dev/mapper/vg0-root  
mkfs.ext4 /dev/mapper/vg0-home
mkfs.ext4 /dev/mapper/vg0-var

mkdir /mnt/gentoo
mount /dev/mapper/vg0-root /mnt/gentoo

mkdir /mnt/gentoo/home
mount /dev/mapper/vg0-home /mnt/gentoo/home

mkdir /mnt/gentoo/var
mount /dev/mapper/vg0-var /mnt/gentoo/var
cd /mnt/gentoo/

Install the root file system:

Find the current hardened stage3 on the gentoo downloads menu, copy the link and get it using wget inside the live installation system:

wget https://mirror.bytemark.co.uk/gentoo//releases/amd64/autobuilds/current-stage3-amd64/hardened/stage3-amd64-hardened+nomultilib-20201206T214503Z.tar.xz

Then unpack it:

tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner

Then we edit the following file:

nano -wc /mnt/gentoo/etc/portage/make.conf

We add the line to the end:

MAKEOPTS="-j13"

EMERGE_DEFAULT_OPTS="--jobs 8 --load-average 5.2 --quiet-build=n"

Then we continue:

mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf

mkdir --parents /mnt/gentoo/etc/portage/repos.conf

cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf

Get into the chroot


cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys  
mount --make-rslave /mnt/gentoo/sys  
mount --rbind /dev /mnt/gentoo/dev  
mount --make-rslave /mnt/gentoo/dev  
chroot /mnt/gentoo /bin/bash

source /etc/profile
export PS1="(chroot) ${PS1}"

Don’t forget to mount boot (yes, the vfat formatted second partition) now:

mount /dev/sda2 /boot

make sure your partitions look like this:

(chroot) livecd / # lsblk -f
NAME           FSTYPE      FSVER LABEL                         UUID                                   FSAVAIL FSUSE% MOUNTPOINT
loop0          squashfs                                                                                               
sda                                                                                                                   
├─sda1                                                                                                                
├─sda2         vfat                                            C98F-1027                                 126M     0% /boot
├─sda3                                                                                                                
└─sda4         crypto_LUKS                                     556886ca-16fd-4934-9f11-7273969df178                   
 └─lvm        LVM2_member                                     2Ra93y-9vBX-GX8Y-Jvym-qgUM-agF8-hA65Ix                 
   ├─vg0-root ext4                                            f3a85b65-2a40-40d6-9497-412c78fe1edd    110.5G     1% /
   ├─vg0-var  ext4                                            7ad1868c-80f7-47b5-ba82-4290ef0d3789     46.4G     0% /var
   └─vg0-home ext4                                            9a4218ac-4554-4412-8bf9-31d41a69cc1f    285.1G     0% /home
sdb            iso9660           Gentoo amd64 20201206T214503Z 2020-12-07-00-06-00-82                                 
├─sdb1         iso9660           Gentoo amd64 20201206T214503Z 2020-12-07-00-06-00-82                                 
└─sdb2         vfat              GENTOOLIVE                    1E88-646E                                             

Download the latest portage tree:

emerge-webrsync

Select a profile:

eselect profile list

eselect profile set 12 #default/linux/amd64/17.1/no-multilib/hardened

To configure the system with the optimal CPU flags we need to know them. If you are not sure which one you should use, leave them either empty or choose them via cpuid2cpuflags

emerge --ask app-portage/cpuid2cpuflags

Then run the tool and copy the output to paste it in the make.conf file:

cpuid2cpuflags

Now configure the system via make.conf file:

nano -wc /etc/portage/make.conf

Add these lines to your config, change them according to your setup:

# These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
COMMON_FLAGS="-O2 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"

# NOTE: This stage was built with the bindist Use flag enabled
PORTDIR="/var/db/repos/gentoo"
DISTDIR="/var/cache/distfiles"
PKGDIR="/var/cache/binpkgs"

# This sets the language of build output to English.
# Please keep this setting intact when reporting bugs.
LC_MESSAGES=C

MAKEOPTS="-j13"

EMERGE_DEFAULT_OPTS="--jobs 8 --load-average 5.2 --quiet-build=n"

GENTOO_MIRRORS="https://ftp.halifax.rwth-aachen.de/gentoo/"

USE="-bindist X a52 aac acl acpi alsa bzip2 cdr cli -consolekit cracklib crypt cups dbus dts dvd dvdr elogind exif fam ffmpeg firefox flac
gdbm gif glamor gpm hardened iconv icu ipv6 java jack jpeg kde kipi lcms ldap libnotify mad mng modules mp3 mp4 mpeg multitarget ncurses
networkmanager nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pulseaudio qml -qt4 qt5 readline sdl seccomp
semantic-desktop session spell sse sse2 ssl startup-notification svg -systemd tcpd threads tiff truetype udev udisks unicode upower usb v
orbis widgets wifi wxwidgets x264 xattr xcb xcomposite xinerama xml xscreensaver xv xvid zlib"
CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sse sse2 sse3 sse4_1 sse4_2 ssse3"

ACCEPT_KEYWORDS="~amd64"

VIDEO_CARDS="intel i965 iris"
LINGUAS="en de"
L10N="en en-GB de"

#
# For Developing in C, valgrind against libc, split debug infos in seperate files:
#
FEATURES="$FEATURES splitdebug"

Before we start we pull some admin tools which start logging the stats while doing the first large system build:

emerge -av metalog eix genlop gentoolkit portage-utils genkernel grub

Now we have a useful system configuration. Next, we update our system to make use of all USE-flags we enabled and disabled:

emerge --ask --verbose --update --deep --newuse @world

This can take some time and now is a good time to get some coffee or to do something else.

Now you can create a root password (the current is auto-scrambled and you won’t be able to login without a new one):

passwd root

Then you build a kernel you can use:

genkernel --luks --lvm --symlink all

Then you run should have a working kernel in /boot. Then you should run grub to make the system and kernel bootable:

grub-install /dev/sda && grub-mkconfig -o /boot/grub/grub.cfg

Then you can reboot the system.

Further Information

[1] https://wiki.gentoo.org/wiki/Handbook:AMD64

[2] https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption

Setting up a Gentoo VM for Linux Kernel Development

Posted on By Felix No Comments on Setting up a Gentoo VM for Linux Kernel Development
Linux, Development

For decent Linux Kernel development I needed a virtual machine and a Kernel I can control easily. Since I use Gentoo for almost every system it was a clear choice I want to use Gentoo again, even though it might be a bit time consuming to set the VM up. To install Gentoo Linux on your daily hardware check our other post: https://www.blog.cocacoding.com/installing-gentoo-encrypted-on-a-modern-uefi-notebook/

For the start I will run Gentoo inside VirtualBox to set it up, but I choose settings that allow me to run it in QEMU later.

So lets install Gentoo. First, I get an installation medium. I use the Gentoo minimal CD: https://www.gentoo.org/downloads/

Setting up the Kernel development Virtual Machine:

We set up the VM by creating it in VirtualBox and add a hard drive in qcow format QCOW (QEMU Copy-on-Write), I choose 128 GB disk space and added 4 Cores plus 16 GiB RAM to the machine. We boot the image (install-amd64-minimal-*.iso) as live CD and start the VM. Inside the VM you will be asked for the key map settings.

Setting up the empty Linux machine

We begin with the installation of our Gentoo VM. Run inside the terminal:

fdisk /dev/sda

Then create the partitions accordingly. I chose two primary partitions, the first with 500 MB for /boot and the remaining space for / (root file system)

Then we create a file system:

mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/sda2

Next, we need to mount the directories to a mount point of our choice. I chose /mnt/gentoo, just like described in the handbook.

mount /dev/sda2 /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/sda1 /mnt/gentoo/boot

Now we can begin with the stage3 download:

links startpage.com

Search for “gentoo amd64 stage3” and follow the a site. Alternatively just go to http://distfiles.gentoo.org/releases/amd64/autobuilds I search for the hardened stage3 since I am interested in a hardened user land and tool chain and usually there are no reasons not to use it. We download the stage3 file we found for our architecture amd64 by clicking enter on the file in our command line web browser “links”.

Now you should have all the stage3 files: The stage3 archive, the content file, and a DIGEST file we use for signature verification. Import the PGP key from the signatures page keys https://www.gentoo.org/downloads/signatures/

gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 0xBB572E0E2D182910

Then we can check if the files are valid:

gpg --verify *DIGEST.asc

If we get a “Good signature from Gentoo Linux Release Engineering […]” then it looks pretty good. Then we check the files:

sha512sum -c *DIGEST.ASC

If the stage3-amd64-hardened-*.tar.xz is okay we unpack it:

cd /mnt/gentoo
tar xpvf stage3-*.tar.bz2 --xattrs-include='*.*' --numeric-owner

Enter the new system

No we have a gentoo system on our hard drive. This is good because now we are able to change into the system:

cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(chroot) ${PS1}"

We are now in our future gentoo system. We need to remount /boot (Which was on /boot on the outer system) to /boot (/mnt/gentoo/boot from the outer system’s view). We also update our system:

mount /dev/sda2 /boot
emerge-webrsync

And we update the complete system:

emerge -av --deep --with-bdeps=y --newuse --update @world

Then I install some standard software:

emerge -av gentoolkit genlop genkernel grub lvm2 cryptsetup pciutils gentoo-sources eix

Configuration

Set the host name to your host name:

nano /etc/conf.d/hostname

Change the key map if you want to:

nano /etc/conf.d/keymaps

Configure timezone and locales:

echo "Europe/Brussels" > /etc/timezone
emerge --config sys-libs/timezone-data
nano -w /etc/locale.gen
locale-gen
echo "LANG="de_DE.UTF-8" > /etc/env.d/02locale
echo "LC_COLLATE="C" >> /etc/env.d/02locale
env-update && source /etc/profile && export PS1="(chroot) ${PS1}"

Change the login and make ssh appear during startup:

passwd root
rc-update add sshd default

And then add networking support, I choose DHCP and config my DHCP server for static IPs, if you need another setup check out the gentoo networking manual in the wiki.

nano /etc/conf./net

Add the Line:

config_eth0="dhcp".

Then add it as a init service:

cd /etc/init.d
ln -s net.lo net.eth0
rc-update add net.eth0 default

Then we install some basic services:

emerge -av fcron metalog

Next we need to adjust the virtual machine for kernel development.

Kernel Debugging Configuration

First we need to get the sources directly from the kernel development branch:

mkdir ~/src
cd ~/src
git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
ln -s linux-stable linux

# Get the releases
cd linux
git pull --tags origin

# Use the kernel config from live cd or use your own template
zcat /proc/config.gz > config_file
make menuconfig

Load the file config_file from menuconfig and update it. I want to change the Kernel to support our virtual hardware, so according to the gentoo wiki page I enable all these features:

<*> Bus options (PCI etc.)  --->
    [*] Mark VGA/VBE/EFI FB as generic system framebuffer
<*> Device Drivers  --->
    <*> Serial ATA and Parallel ATA drivers (libata)  --->
        [*] AHCI SATA support
        [*] ATA SFF support (for legacy IDE and PATA)
        [*]   ATA BMDMA support
        [*]     Intel ESB, ICH, PIIX3, PIIX4 PATA/SATA support
    <*> Network device support  --->
        <*> Ethernet driver support  --->
            [*] Intel devices
            [*]   Intel(R) PRO/1000 Gigabit Ethernet support
    <*> Input device support  --->
        <*> Keyboards  --->
            [*] AT keyboard
        <*> Mice  --->
            [*] PS/2 mouse
    <*> Graphics support  --->
        <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)  --->
            [*] Enable legacy fbdev support for your modesetting driver
        <*> Virtio GPU driver
        <*> Frame buffer Devices  --->
            <*> Support for frame buffer devices  --->
                [*] Enable Firmware EDID
            [*] Simple framebuffer support
        <*> Console display driver support  --->
            [*] Framebuffer Console support
            [*]   Map the console to the primary display device
    <*> Sound card support  --->
        <*> Advanced Linux Sound Architecture  --->
            <*> PCI sound devices  --->
                [*] Intel/SiS/nVidia/AMD/ALi AC97 Controller
    <*> USB support  --->
        [*] xHCI HCD (USB 3.0) support
        [*] EHCI HCD (USB 2.0) support

Additionally for the debugging when doing Linux Kernel development:

CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_INFO=y

Then your should be able to build your kernel with genkernel or using make and make sure you have mounted /boot properly:

# Use make
make -j8 all
make modules_install
make install

# or use genkernel
genkernel --kernel-config=config_file --kernel-dir=src --install --symlink initramfs

Configure the boot loader:

nano /etc/default/grub

Change the Linux command line to this to avoid renaming eth0 to some crazy device name (although unique identification fixes some problems this is still not useful if you have only one interface, for instance):

GRUB_CMDLINE_LINUX_DEFAULT=net.ifnames=0

Then install grub:

grub-install /dev/sda
grub-mkconfig -o /etc/grub/grub.cfg

Now you should be able to reboot and start your next kernel development project.

Further Lecture:

[1] https://wiki.gentoo.org/wiki/Genkernel
[2] https://github.com/rafaelnp/llkdd/wiki/Configuring,-compiling-and-installing-the-Linux-kernel
[3] https://www.andreasch.com/2019/01/28/Linux-kernel-debugging/