path: root/src/SW/gentoo-luks-secureboot/document.en.rest.txt
Diffstat (limited to 'src/SW/gentoo-luks-secureboot/document.en.rest.txt')
-rw-r--r-- src/SW/gentoo-luks-secureboot/document.en.rest.txt 40
1 files changed, 31 insertions, 9 deletions
diff --git a/src/SW/gentoo-luks-secureboot/document.en.rest.txt b/src/SW/gentoo-luks-secureboot/document.en.rest.txt
index 3756ad5..5c526b4 100644
--- a/src/SW/gentoo-luks-secureboot/document.en.rest.txt
+++ b/src/SW/gentoo-luks-secureboot/document.en.rest.txt
@@ -39,7 +39,7 @@ Install new machine
* disable secureboot
* boot on `system rescue cd usb stick
- <http://www.system-rescue-cd.org/Installing-SystemRescueCd-on-a-USB-stick/>`_
+ <https://www.system-rescue.org/Installing-SystemRescue-on-a-USB-memory-stick/>`_
* ``startx``
* connect to WiFi
* terminal
@@ -51,6 +51,11 @@ Install new machine
* one partition for the rest, ``ext4``, label ``root`` name ``root``
* set root password
+* disable the firewall::
+
+ iptables -F
+ iptables -P INPUT ACCEPT
+
* ssh in from a better machine
* ``cryptsetup benchmark`` to check crypto speed
* create encrypted volume::
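Review bot: the added `iptables -F` / `iptables -P INPUT ACCEPT` step opens every inbound port on a rescue system that has just joined WiFi and been given a root password, when the only thing the next step needs is SSH. Consider inserting a single accept rule for TCP port 22 (ideally limited to the address of the machine you ssh in from) instead of flushing the chain and setting the policy to ACCEPT.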
@@ -64,7 +69,7 @@ Install new machine
* make filesystem, mount it::
cryptsetup open /dev/disk/by-partlabel/root root
- mkfs.ext4 -L root -E discard /dev/mapper/root
+ mkfs.ext4 -L root /dev/mapper/root
mkdir /mnt/gentoo
mount /dev/disk/by-label/root /mnt/gentoo
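Review bot: dropping `-E discard` from the `mkfs.ext4` line is not explained anywhere in the text, and the same commit also removes `discard` from `/etc/fstab` and `root_trim=yes` from the kernel command line. Add one sentence near this step saying that TRIM is deliberately left off for the encrypted root, so a reader does not put the options back.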
@@ -73,7 +78,7 @@ Install new machine
is small)::
cd /mnt/gentoo
- wget http://distfiles.gentoo.org/releases/amd64/autobuilds/20190707T214502Z/stage3-amd64-20190707T214502Z.tar.xz
+ wget https://distfiles.gentoo.org/releases/amd64/autobuilds/20190707T214502Z/stage3-amd64-20190707T214502Z.tar.xz
tar xvpf /mnt/gentoo/stage3*.tar.xz --xattrs-include='*.*' --numeric-owner
* copy some configuration over, while you're at it
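Review bot: the `wget` line now uses https, but the next line still unpacks the tarball as root without checking it. Add a step between `wget` and `tar` that verifies the stage3 file against the signed digest Gentoo publishes next to it, since https only protects the transfer from that mirror.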
@@ -128,9 +133,10 @@ Install new machine
built-in kernel command line::
- root_trim=yes crypt_roots=UUID=??? rootfstype=ext4
+ crypt_root=UUID=??? rootfstype=ext4
- for ``crypt_roots``: take UUID from ``blkid -t PARTLABEL=root -o export``
+ for ``crypt_root``: take ``UUID`` (*not* ``PARTUUID``) from
+ ``blkid -t PARTLABEL=root -o export``
will probably fail, no pre-existing initramfs during kernel
compilation (use correct version for initramfs filename)::
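Review bot: the new `crypt_root` note relies on the reader picking the right line out of `blkid -t PARTLABEL=root -o export`, which prints `UUID` and `PARTUUID` together. Suggest `blkid -t PARTLABEL=root -s UUID -o value` instead, which prints only the value to paste after `crypt_root=UUID=`.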
@@ -188,7 +194,7 @@ Install new machine
* final checks: ``/etc/fstab``::
LABEL=BOOT /boot vfat noauto,noatime,utf8=1 0 2
- LABEL=root / ext4 relatime,discard 0 1
+ LABEL=root / ext4 relatime 0 1
none /var/tmp/portage tmpfs size=75%,defaults 0 0
``/etc/hostname``, ``/etc/conf.d/net``, ``/etc/wpa_supplicant/*``
@@ -201,8 +207,24 @@ Install new machine
passwd dakkar
emerge -av1 sudo
-* reboot, tell UEFI to use our kernel (or use ``efibootmgr`` before
- rebooting!), go
+* set EFI booting options::
+
+ # remove existing boot options, one at a time
+ efibootmgr -b 0 -B
+
+ # create new options
+ efibootmgr -c -d /dev/nvme0n1 -p 1 -L gentoo -l EFI\\gentoo.efi
+ efibootmgr -c -d /dev/nvme0n1 -p 1 -L gentoo-old -l EFI\\gentoo-old.efi
+
+ # set boot order
+ efibootmgr -o 0,1
+
+* unmount (from outside the chroot)::
+
+ umount -R /mnt/gentoo
+
+* reboot, tell UEFI to use our kernel (if you didn't use
+ ``efibootmgr``), go
* log in as ``dakkar`` via ssh, copy ``world`` from old machine,
install everything::
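Review bot: in the `efibootmgr` block the entry numbers are hardcoded: `-b 0 -B` deletes entry 0 whatever it happens to be, and `-o 0,1` only points at the two new entries if every existing entry was removed first. Tell the reader to run `efibootmgr` with no arguments before deleting and again after the two `-c` calls, and to use the numbers it prints. The `-d /dev/nvme0n1 -p 1` arguments are also machine-specific and should be marked as such.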
@@ -251,7 +273,7 @@ reboot, then from the UEFI setup:
Info from:
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
-http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
+https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
Signed modules
--------------
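Review bot: the kroah.com link on the context line above is still `http://` while this commit moves the other links to https. Switch it in the same change if the site serves https, so the reference list is consistent.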