From c9f3d7853265ff7c72001f41c80f358e2735e09c Mon Sep 17 00:00:00 2001 From: Gianni Ceccarelli Date: Tue, 30 Nov 2021 16:26:39 +0000 Subject: update luks guide --- src/SW/gentoo-luks-secureboot/document.en.rest.txt | 34 ++++++++++++++++++---- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/src/SW/gentoo-luks-secureboot/document.en.rest.txt b/src/SW/gentoo-luks-secureboot/document.en.rest.txt index 3756ad5..39c4595 100644 --- a/src/SW/gentoo-luks-secureboot/document.en.rest.txt +++ b/src/SW/gentoo-luks-secureboot/document.en.rest.txt @@ -51,6 +51,11 @@ Install new machine * one partition for the rest, ``ext4``, label ``root`` name ``root`` * set root password +* disable the firewall:: + + iptables -F + iptables -P INPUT ACCEPT + * ssh in from a better machine * ``cryptsetup benchmark`` to check crypto speed * create encrypted volume:: @@ -64,7 +69,7 @@ Install new machine * make filesystem, mount it:: cryptsetup open /dev/disk/by-partlabel/root root - mkfs.ext4 -L root -E discard /dev/mapper/root + mkfs.ext4 -L root /dev/mapper/root mkdir /mnt/gentoo mount /dev/disk/by-label/root /mnt/gentoo @@ -128,9 +133,10 @@ Install new machine built-in kernel command line:: - root_trim=yes crypt_roots=UUID=??? rootfstype=ext4 + crypt_root=UUID=??? rootfstype=ext4 - for ``crypt_roots``: take UUID from ``blkid -t PARTLABEL=root -o export`` + for ``crypt_root``: take ``UUID`` (*not* ``PARTUUID``) from + ``blkid -t PARTLABEL=root -o export`` will probably fail, no pre-existing initramfs during kernel compilation (use correct version for initramfs filename):: @@ -188,7 +194,7 @@ Install new machine * final checks: ``/etc/fstab``:: LABEL=BOOT /boot vfat noauto,noatime,utf8=1 0 2 - LABEL=root / ext4 relatime,discard 0 1 + LABEL=root / ext4 relatime 0 1 none /var/tmp/portage tmpfs size=75%,defaults 0 0 ``/etc/hostname``, ``/etc/conf.d/net``, ``/etc/wpa_supplicant/*`` 
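Review bot: The added step `iptables -F` / `iptables -P INPUT ACCEPT` in the first hunk opens every inbound port on the live environment, right after a root password has been set and just before the reader is told to ssh in. The guide does not say on what kind of network this is acceptable. A narrower step would leave the existing policy in place and admit only SSH, for example `iptables -I INPUT -p tcp --dport 22 -j ACCEPT`, optionally restricted with `-s <admin-host-address>` (placeholder). If the full flush is kept, add a sentence such as `do this only on a trusted network segment` next to the commands.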
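Review bot: The guide drops `-E discard` from the `mkfs.ext4` line here, `root_trim=yes` in the kernel command line hunk and `discard` in the `/etc/fstab` hunk, but never says why. A reader comparing against an older copy cannot tell whether TRIM was removed on purpose. If the intent is the usual one, that discards passed through dm-crypt reveal which blocks of the encrypted volume are unused, one sentence near the `mkfs.ext4` step would record it, e.g. `TRIM is left off: on LUKS it leaks which sectors hold data`. If the reason is something else, state that instead.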
@@ -201,8 +207,24 @@ Install new machine passwd dakkar emerge -av1 sudo -* reboot, tell UEFI to use our kernel (or use ``efibootmgr`` before - rebooting!), go +* set EFI booting options:: + + # remove existing boot options, one at a time + efibootmgr -b 0 -B + + # create new options + efibootmgr -c -d /dev/nvme0n1 -p 1 -L gentoo -l EFI\\gentoo.efi + efibootmgr -c -d /dev/nvme0n1 -p 1 -L gentoo-old -l EFI\\gentoo-old.efi + + # set boot order + efibootmgr -o 0,1 + +* unmount (from outside the chroot):: + + umount -R /mnt/gentoo + +* reboot, tell UEFI to use our kernel (if you didn't use + ``efibootmgr``), go * log in as ``dakkar`` via ssh, copy ``world`` from old machine, install everything:: -- cgit v1.2.3
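Review bot: `efibootmgr -o 0,1` assumes the two new entries were assigned Boot0000 and Boot0001, which holds only if those numbers were free when the `-c` calls ran. `efibootmgr -b 0 -B` removes a single entry, and the comment "one at a time" leaves the rest to the reader. The guide should tell the reader to list the entries with plain `efibootmgr` before deleting and again after creating, and to put the numbers actually printed into `-o`. `-d /dev/nvme0n1 -p 1` is likewise specific to this machine and worth marking as such. Since the second entry points at `EFI\\gentoo-old.efi`, the guide should also say whether that image exists, and for a Secure Boot setup is signed, at this point; the hunk does not show it.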