Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
New Gentoo Installation with some focus on security
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
alogim
Tux's lil' helper
Tux's lil' helper


Joined: 21 Aug 2015
Posts: 124

PostPosted: Fri Sep 07, 2018 9:29 pm    Post subject: New Gentoo Installation with some focus on security Reply with quote

Good evening everyone.
I just bought a new laptop (HP EliteBook 850 G5).

I would like to wipe Windows 10 out of it and perform a clean installation of Gentoo. I would like to at securely encrypt my disk. Since I am going to boot in EFI mode, this is the partition schema that I thought (keep in mind it is the first time I use LVM, and that I am reading the Gentoo Handbook, the wiki page of LVM and this guide about full disk encryption, so there might be even serious errors, please correct any mistake I made):
  • /dev/sda1, with no filesystem (bootloader), a size of 2M and used as BIOS boot partition;
  • /dev/sda2, formatted as fat32, a size of 128M and used as Boot/EFI system partition;
  • /dev/sda3, formatted as LVM, with a size of what remains of the disk and used as LVM Volume Group.
I would like to mount the Portage TMPDIR on tmpfs with a size of 10G since it is the recommended size in order to build Chromium, but I honestly do not know how to do that on an encrypted system. As far as I know, you need to create a LVM Volume Group which can then be divided into several partitions: in my case, there would be /home and / (root), maybe even /tmp mounted on tmpfs with a size of 1G could be useful. I usually assign 32G to the root partition on my desktop PC and I think that is the perfect size (I have about 8G free, with /usr/share/portage/distfiles being ~5G alone).

Here is what I plan to do:
  • CREATE PARTITIONS
    • Fire up parted against the disk (in my example, I use /dev/sda). It is recommended to ask parted to use optimal partition alignment:
      Code:
       parted -a optimal /dev/sda

    • Tell parted to use mebibytes as unit of measure:
      Code:
       unit mib

    • Create a GPT partition table:
      Code:
       mklabel gpt

    • Create the BIOS partition (/dev/sda1). This partition will be used as BIOS boot partition and will have a size of 2 MiB:
      Code:
       mkpart primary 1 3
       name 1 grub
       set 1 bios_grub on

    • Create the boot partition (/dev/sda2). This partition will contain grub files, plain (unencrypted) kernel and kernel initrd and will have a size of 128 MiB:
      Code:
       mkpart primary fat32 3 131
       name 2 boot
       set 2 BOOT on

    • Create the LVM partition, which will contain - among others - the root and home partitions and will have an approximate size of 500 GiB:
      Code:
       mkpart primary 131 -1
       name 3 lvm
       set 3 lvm on

    • Exit parted:
      Code:
       quit

  • CREATE THE BOOT FILESYSTEM
    • Format the /boot (/dev/sda2) partition as FAT32:
      Code:
       mkfs.vfat -F32 /dev/sda2

  • PREPARE THE ENCRYPTED PARTITION
    • Load the dm-crypt module just in case:
      Code:
       modprobe dm-crypt

    • Crypt the LVM partition /dev/sda3 with LUKS:
      Code:
       cryptsetup luksFormat -c aes-xts-plain64:sha256 -s 256 /dev/sda3

    • Enter YES and choose a passphrase
  • CREATE LVM INSIDE THE ENCRYPTED BLOCK
    • LVM creation
      • Open the encrypted device:
        Code:
        cryptsetup luksOpen /dev/sda3 lvm

      • It is now time to create the LVM structure for partition mapping (/root and /home). First, create the physical volume group:
        Code:
         lvm pvcreate /dev/mapper/lvm

      • Then, create a volume group and call it vg0:
        Code:
         vgcreate vg0 /dev/mapper/lvm

      • Finally, create a logical volume for each partition (here I create a 32 GiB root partition and the rest of the disk is assigned to the home partition):
        Code:
         lvcreate -L 32G -n root vg0
         lvcreate -l 100%FREE -n home vg0

    • File systems
      • Create a filesystem for each partition (in this case, ext4 for both /home and /root):
        Code:
         mkfs.ext4 /dev/mapper/vg0-root
         mkfs.ext4 /dev/mapper/vg0-home

  • GENTOO INSTALLATION
    • Create a mount point for permanent Gentoo:
      Code:
       mkdir /mnt/gentoo

    • Mount the root filesystem from the encrypted LVM partition on /mnt/gentoo:
      Code:
       mount /dev/mapper/vg0-root /mnt/gentoo

    • Enter into /mnt/gentoo:
      Code:
       cd /mnt/gentoo

  • ROOTFS INSTALL
    • Stage 3 install
      • Download the stage3 to /mnt/gentoo
      • Unzip the downloaded archive:
        Code:
         tar xvjpf stage3-*.tar.bz2 --xattrs --numeric-owner

    • Configuring compile options
      • Fire up nano to alter the optimization variables in /mnt/gentoo/etc/portage/make.conf:
        Code:
         CFLAGS="-march=native -O2 -pipe"
         CPU_FLAGS_X86="specific CPU flags, such as aes, avx, etc. which can be get via cpuid2cpuflags"
         CXXFLAGS="${CFLAGS}"
         MAKEOPTS="-j8" # I have 4 physical cores and 8 logical cores
         USE="X consolekit gtk gtk3 networkmanager -pulseaudio -gnome -kde -qt4 -qt5 -plasma -systemd"
         LINGUAS="en-GB"
         L10N="en-GB"
         INPUT_DEVICES="libinput keyboard mouse"
         VIDEO_CARDS="intel"
         XFCE_PLUGINS="clock"
         ...
         FEATURES="ccache"
         CCACHE_SIZE="2G"

    • Chroot prepare
      • Copy the DNS information:
        Code:
         cp --dereference /etc/resolv.conf /mnt/gentoo/etc/

      • Mount the necessary filesystems:
        Code:
         mount -t proc /proc /mnt/gentoo/proc
         mount --rbind /sys /mnt/gentoo/sys 
         mount --rbind /dev /mnt/gentoo/dev

      • Make /dev/shm/ a proper tmpfs mount up front:
        Code:
         test -L /dev/shm && rm /dev/shm && mkdir /dev/shm 
         mount --types tmpfs --options nosuid,nodev,noexec shm /dev/shm

      • Also ensure that mode 1777 is set:
        Code:
         chmod 1777 /dev/shm

      • Enter chroot:
        Code:
         chroot /mnt/gentoo /bin/bash
         source /etc/profile
         export PS1="(chroot) ${PS1}"

      • Mount the /boot partition:
        Code:
         mount /dev/sda2 /boot

      • Synchronize Gentoo repository:
        Code:
         emerge --sync

      • Choose and install correct profile (default/linux/amd64/17.0/desktop (stable)):
        Code:
         eselect profile set 16

      • Setup correct timezone:
        Code:
         echo Europe/Rome > /etc/timezone
         emerge --config sys-libs/timezone-data

      • Configure locales:
        Code:
         echo "en_GB.UTF-8 UTF-8" >> /etc/locale.gen
         locale-gen

      • Set default locale (en_GB):
        Code:
         eselect locale set 

      • Reload the environment:
        Code:
         env-update && source /etc/profile && export PS1="(chroot) $PS1"

    • CONFIGURE FSTAB
      • Run blkid and get the partition IDs:
        Code:
         blkid

      • Use those IDs to configure /etc/fstab:
        Code:
         
         # <fs>    <mountpoint>        <type>          <opts>             <dump/pass>
         UUID=abc  /boot               vfat            noauto,noatime     1 2
         UUID=def  /                   ext4            defaults           0 1
         UUID=jkl  /home               ext4            defaults           0 1
         # tmps
         tmpfs     /tmp                tmpfs           size=1G            0 0
         tmpfs     /var/tmp/portage    tmpfs           size=10G,uid=portage,gid=portage,mode=775,noatime  0 0

         # shm
         shm       /dev/shm            tmpfs           nodev,nosuid,noexec 0 0

  • CONFIGURE THE LINUX KERNEL
    • Install the kernel sources, genkernel and cryptsetup packages:
      Code:
       emerge sys-kernel/gentoo-sources
       emerge sys-kernel/genkernel
       emerge sys-fs/cryptsetup

    • Configure and install the kernel as needed
    • Build genkernel:
      Code:
       genkernel --luks --lvm initramfs
  • INSTALL GRUB2

    • Emerge grub:
      Code:
       emerge -av grub

    • Change GRUB_CMDLINE_LINUX in /etc/default/grub to
      Code:
       GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=UID returned by blkid for /dev/sda3 root=/dev/mapper/vg0-root"

    • Mount the /boot partition:
      Code:
       mount /boot

    • Install GRUB with EFI:
      Code:
       grub-install --target=x86_64-efi --efi-directory=/boot

    • For older motherboards, run:
      Code:
       mkdir -p /boot/efi/efi/boot
       cp /boot/efi/efi/gentoo/grubx64.efi /boot/efi/efi/boot/bootx64.efi

    • Generate the GRUB configuration file:
      Code:
       grub-mkconfig -o /boot/grub/grub.cfg

  • SSD tricks
    • Add the trim command to GRUB_CMDLINE_LINUX:
      Code:
       GRUB_CMDLINE_LINUX="...root_trim=yes"

    • Edit /etc/lvm/lvm.conf and set:
      Code:
       issue_discards = 1


_________________
Desktop: i5-3570k - 2x4 GB - Sapphire HD 7950 Dual-X - 500 GB WD Caviar Black - Dell SE2717H 27"
Laptop: HP EliteBook 850 G5 - i7-8550U - 1x16GB - Intel UHD 620 - 512 GB Samsung NVMe SSD
Phone: OnePlus 5T - SD835 - 8 GB - Adreno 540 - 128 GB
Back to top
View user's profile Send private message
msst
Apprentice
Apprentice


Joined: 07 Jun 2011
Posts: 215

PostPosted: Sun Sep 09, 2018 11:48 am    Post subject: Reply with quote

Quite possible and this sure can be done. But having done similar things on both a desktop and a server running gentoo, I can tell you that the thing which will bother you most and require some tweaking is the initramfs and getting this to boot into the cryptoroot. There are several guides, but inherently there is always something outdated and that does not work as described. In no case it worked out of the box for me. Neither grub, not mkinitramfs nor dracut are good in probing and recognizing these crypto settings reliably.
With some persistence and manual tweaking you will get it going though.

A few hints / recommendations:
1) I prefer to use btrfs instead of adding an additional layer of complexity with lvm (which will require additions configuration for boot). As long as you use a single partition (no raid) setup for btrfs, it works out of the box without requiring extra attention at boot (well you need to have the relevant stuff compiled into kernel, but that applies to ext4 as well). It does provide most of the features lvm has integrated in the filesytem at lower user complexity.

2) Probably better to keep efi and the boot partition separate. You can use ext4 for the boot partition holding grub and the kernels e.g.. Then mount the efi partition under /boot/efi.

3) It is possible to move the /boot into the cryptoroot. But it requires configuring grub so that it unlocks this and then you need to either enter the password twice or jump through some loops with an integrated keyfile inside the initramfs, which makes the setup much more complicated. I would at first stay away from this and keep the separate boot partition open.

4) Familiarize yourself with the extra options required for the initramfs you intend to use before trying this. This is sometimes surprisingly badly documented.

5) Have a bootable gentoo live stick ready that boots in UEFI mode and know the grub console commands. There is a likelyhood you will need it. There is a hen-and egg problem with UEFI. You can only manipulate efi boot stuff easily when you are booted in UEFI environment.
Back to top
View user's profile Send private message
Christian99
Veteran
Veteran


Joined: 28 May 2009
Posts: 1176

PostPosted: Thu Sep 13, 2018 3:00 pm    Post subject: Reply with quote

about partitioning:
1) You dont need a bios boot partition if you want to boot via UEFI. It's only required whenn booting in legacy BIOS mode a disk with a GPT.
If you plan to exclusively boot via UEFI, you can leave this out (all my systems, that are UEFI capable don't have it and never had problems with this)

2) I wouldn't recommend using the efi boot partition as /boot. mount it as /boot/efi or similar.
Personally, I don't have a seperate partition for /boot, but if you want you can create it.

3) I never saw the point of splitting a disk in partitions for /, /home, /boot, but if you like, you can do it. But it is not needed.
But note: partitions are fixed size, so allocating space to them is lost for the otheres, even when not used.
I have a laptop running with this partioning/volumes:
sda
├─sda1 -> efi system partition (mounted to /boot/efi)
└─sda2 -> encrypted with luks
└─luks-xxx -> split in two with lvm to have swap space inside encrypted container
├─vg0-root -> /
└─vg0-swap -> swap

Initrd:
I use dracut, it supports this setup without any hazzles. Can recommend it.
it also allows you to add a key file to the initrd, which saves you from the need to enter your disk password twice (once fro grub, once for initrd)

about /var/tmp/portage on tmpfs:
this doesn't have to do anything with your encrypted disk, since a tmpfs is only stored in RAM. so it isn't encrypted and doesn't need any special setup, just moount tmpfs to /var/tmp/portage.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum