blog/docs/posts/01-void-install.md
2025-08-28 21:29:58 +02:00

title: A simple Void Linux base installation
slug: simple-void-base-install
date: 2022-08-10
draft: false
authors: luc, nils
tags: Void Linux
categories: Base installation

This blog entry demonstrates how to install a LUKS-encrypted x86_64 Void Linux musl system that boots through UEFI from a signed Unified Kernel Image (UKI), on an ext4 filesystem. This entry is based on the Void Handbook and the Void man pages.

Provisioning

Flash the Void Linux musl ISO. After booting the ISO, partition the disk with either fdisk or cfdisk. Create an EFI System partition (ESP) and a Linux Filesystem partition (LFP).

It should look something like this:

| Partition | Size  | Type             |
|-----------|-------|------------------|
| 1         | 512MB | EFI System       |
| 2         | Rest  | Linux filesystem |

Format the ESP with a FAT32 filesystem:

``` shell-session
sh# mkfs.fat -F 32 -n esp /dev/<disk>1
```

Encrypt the LFP with LUKS:

``` shell-session
sh# cryptsetup luksFormat /dev/<disk>2 --type luks2
```

Open the encrypted partition and format it with an ext4 filesystem:

``` shell-session
sh# cryptsetup open --type luks /dev/<disk>2 root
sh# mkfs.ext4 -L root /dev/mapper/root
```

Installation

To install Void Linux on the system, the ESP and LFP have to be mounted to the live (ISO) environment:

``` shell-session
sh# mount -t ext4 /dev/mapper/root /mnt
sh# mkdir /mnt/efi
sh# mount -t vfat /dev/disk/by-label/esp /mnt/efi
```

Now we may install Void Linux musl with xbps-install:

``` shell-session
sh# xbps-install -Sy -R https://repo-default.voidlinux.org/current/musl -r /mnt base-system cryptsetup openntpd
```

To have a functional chroot into the system, copy resolv.conf and bind the system process directories:

``` shell-session
sh# cp /etc/resolv.conf /mnt/etc/
sh# for dir in dev proc sys run; do
> mount --rbind --make-rslave /$dir /mnt/$dir
> done
sh# chroot /mnt
```

Configure some key aspects of the system:

``` shell-session
sh# echo <hostname> > /etc/hostname
sh# ln -sf /usr/share/zoneinfo/<area>/<subarea> /etc/localtime
sh# ln -s /etc/sv/dhcpcd /var/service/
sh# ln -s /etc/sv/openntpd /var/service/
sh# ln -s /etc/sv/acpid /var/service/
sh# passwd root
```

The root password does not really matter because it is going to be locked after a user has been created.

Add the encrypted partition to the crypttab:

```
root /dev/disk/by-uuid/<uuid> none
```

The simplest way to get the UUID into /etc/crypttab is to append it to the file with the command below and then move it into place in the entry:

``` shell-session
sh# blkid -o value -s UUID /dev/<disk>2 >> /etc/crypttab
```
    

Then have dracut include the crypttab in the initramfs:

```
install_items+=" /etc/crypttab "
```

Edit the fstab to set the correct mounts:

```
/dev/disk/by-label/root     /       ext4    defaults,noatime                            0 1
/dev/disk/by-label/esp      /efi    vfat    defaults,nodev,nosuid,noexec,umask=0077     0 2
tmpfs                       /tmp    tmpfs   rw,nodev,nosuid,noexec,mode=1777            0 0
proc                        /proc   proc    nodev,nosuid,noexec,hidepid=2               0 0
```

Configure the kernel command-line:

```
hostonly="yes"
kernel_cmdline="rw rd.luks.name=<uuid>=root root=/dev/mapper/root quiet splash"
```

The simplest way to get the UUID into /etc/dracut.conf.d/cmdline.conf is to append it to the file with the command below and then move it into place in the kernel_cmdline value:

``` shell-session
sh# blkid -o value -s UUID /dev/<disk>2 >> /etc/dracut.conf.d/cmdline.conf
```
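
A wrong or leftover UUID in either file means the root volume cannot be opened at boot, so both are worth checking before the initramfs is built. The script below is an added example, not part of the original post: it compares the crypttab entry and the rd.luks.name parameter for the mapping name root. The function names and the sample UUID are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that /etc/crypttab and the
# dracut kernel command line reference the same LUKS UUID.

# Prints the UUID of crypttab entry $2 in file $1 (by-uuid path or UUID= form).
crypttab_uuid() {
    awk -v name="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == name {
            dev = $2
            sub(/^UUID=/, "", dev)
            sub(/^\/dev\/disk\/by-uuid\//, "", dev)
            print dev; exit
        }' "$1"
}

# Prints <uuid> from rd.luks.name=<uuid>=$2 found in dracut config file $1.
cmdline_uuid() {
    tr ' "' '\n\n' < "$1" | sed -n "s/^rd\.luks\.name=\(.*\)=$2\$/\1/p" | head -n 1
}

# check_luks_uuid <crypttab> <dracut-conf> <mapping>: succeeds only if both
# files name the same well-formed UUID and no stray line is left in crypttab.
check_luks_uuid() {
    a=$(crypttab_uuid "$1" "$3"); b=$(cmdline_uuid "$2" "$3")
    # "blkid ... >> file" leaves a bare UUID on its own line until it is moved.
    if awk 'NF == 1 && $1 !~ /^#/ { bad = 1 } END { exit !bad }' "$1"; then
        echo "crypttab: stray single-field line"; return 1
    fi
    case "$a" in
        ????????-????-????-????-????????????) ;;
        *) echo "crypttab: no UUID for '$3' (found '$a')"; return 1 ;;
    esac
    [ "$a" = "$b" ] || { echo "mismatch: crypttab=$a cmdline=$b"; return 1; }
    echo "ok: $3 -> $a"
}

# Constructed sample files (the UUID is made up, not from a real disk).
d=$(mktemp -d); u=11111111-2222-3333-4444-555555555555
printf 'root /dev/disk/by-uuid/%s none\n' "$u" > "$d/crypttab"
printf 'kernel_cmdline="rw rd.luks.name=%s=root root=/dev/mapper/root"\n' "$u" > "$d/cmdline.conf"
check_luks_uuid "$d/crypttab" "$d/cmdline.conf" root
rm -rf "$d"
```

Inside the chroot it would be called as check_luks_uuid /etc/crypttab /etc/dracut.conf.d/cmdline.conf root.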
    

Install the bootloader systemd-boot and some hooks for dracut (the initramfs builder) necessary for building and signing the Unified Kernel Image (UKI):

``` shell-session
sh# xbps-install systemd-boot dracut-uefi sbctl sbsigntool
```

Verify with sbctl status that Secure Boot is in setup mode.

Replace the default dracut kernel hooks with those provided by dracut-uefi:

``` shell-session
sh# xbps-alternatives -s dracut-uefi
```

and set the directory where the UKI will be deposited:

```
UEFI_BUNDLE_DIR="/efi/EFI/Linux"
```

Create and enroll the secureboot keys into the system:

``` shell-session
sh# sbctl create-keys
sh# sbctl enroll-keys
```

Whilst enrolling the keys it might be necessary to add the --microsoft flag if you are unable to use custom keys.

Set the key and certificate required for signing the UKI:

```
uefi_secureboot_cert="/var/lib/sbctl/keys/db/db.pem"
uefi_secureboot_key="/var/lib/sbctl/keys/db/db.key"
```

Install the bootloader:

``` shell-session
sh# bootctl install
```

Configure the bootloader:

```
timeout 3
editor no
```

Sign the bootloader with sbctl:

``` shell-session
sh# sbctl sign -s /efi/EFI/Boot/BOOTX64.efi
```

Finally, reconfigure the kernel to execute the dracut-uefi hook:

``` shell-session
sh# xbps-reconfigure -f linux<version>
```

One may verify the signed files by running sbctl verify.

Now exit the chroot, unmount the filesystem and reboot:

``` shell-session
sh# exit
sh# umount -lf /mnt
sh# reboot
```

Post installation

Firmware and drivers

Install the device firmware for either AMD or Intel:

=== "AMD"

``` shell-session
sh# xbps-install linux-firmware-amd
```

=== "Intel"

``` shell-session
sh# xbps-install void-repo-nonfree
sh# xbps-install -S intel-ucode
```

Swap

Add swap by creating a swapfile:

``` shell-session
sh# dd if=/dev/zero of=/swapfile bs=8M count=512 status=progress
```

To create a swapfile of a different size (now 4 GB), change the count to the desired size.

Assign the correct permissions to the swapfile and make swap from the swapfile:

``` shell-session
sh# chmod 600 /swapfile
sh# mkswap /swapfile
```

Enable the swap:

``` shell-session
sh# swapon /swapfile
```

and make it persistent by adding it to the fstab:

```
/swapfile none swap defaults 0 0
```

Reconfigure the kernel:

``` shell-session
sh# xbps-reconfigure -f linux<version>
```

Users

To run processes securely, in an environment with fewer privileges, a user is necessary.

Before creating the user, install doas, to be able to "do as" root when it is required:

``` shell-session
sh# xbps-install opendoas
```

and configure doas by editing:

```
permit persist :wheel as root
```

The alternative package sudo, which is present in base-system, will be removed, since it is bloatware. To make this persistent, so that sudo is never installed on the system again, insert:

```
ignorepkg=sudo
```

and remove sudo:

``` shell-session
sh# xbps-remove -R sudo
```

Create a symbolic link named sudo that points to doas, to provide backward compatibility:

``` shell-session
sh# ln -s /bin/doas /bin/sudo
```

We can add a user, set its password and add it to the wheel group with:

``` shell-session
sh# useradd <user>
sh# passwd <user>
sh# usermod --append --groups wheel <user>
```

You may have to change the shell of the user in /etc/passwd from /sbin/nologin to a shell from /etc/shells. Void Linux comes with /bin/bash by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

Once you have checked that doas works for the user, you can lock the root account, because it poses a security risk if it is kept open. This can be done with:

``` shell-session
sh# passwd -l root
```

and by changing its login shell to:

```
root:x:0:0:root:/root:/sbin/nologin
```
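
The following check is an added example, not part of the original post: it audits the state the steps so far should have produced (locked root password, nologin shell for root, swapfile mode 600, and nodev,nosuid,noexec on /efi and /tmp). The function names are made up for illustration and the tree it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the hardening steps above.

# Succeeds if user $2 in shadow file $1 is locked ("!" prefix from passwd -l).
is_locked() { awk -F: -v u="$2" '$1 == u && $2 ~ /^!/ { ok = 1 } END { exit !ok }' "$1"; }

# Prints the login shell of user $2 from passwd file $1.
login_shell() { awk -F: -v u="$2" '$1 == u { print $7 }' "$1"; }

# Prints the option field of mount point $2 from fstab file $1.
mount_opts() { awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1"; }

# has_opts <option-list> <required>...: succeeds if every required option is set.
has_opts() {
    o=",$1,"; shift
    for want in "$@"; do
        case "$o" in *",$want,"*) ;; *) return 1 ;; esac
    done
}

# audit <root-prefix>: prints findings; the exit status is the number of findings.
audit() {
    r=$1; n=0
    is_locked "$r/etc/shadow" root || { echo "root password is not locked"; n=$((n + 1)); }
    [ "$(login_shell "$r/etc/passwd" root)" = /sbin/nologin ] ||
        { echo "root still has a login shell"; n=$((n + 1)); }
    [ "$(ls -ld "$r/swapfile" 2>/dev/null | cut -c1-10)" = "-rw-------" ] ||
        { echo "swapfile is missing or not mode 600"; n=$((n + 1)); }
    for m in /efi /tmp; do
        has_opts "$(mount_opts "$r/etc/fstab" "$m")" nodev nosuid noexec ||
            { echo "$m is not mounted nodev,nosuid,noexec"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample tree (not a real system).
demo=$(mktemp -d) && mkdir -p "$demo/etc"
printf 'root:!$6$constructed:19000::::::\n' > "$demo/etc/shadow"
printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$demo/etc/passwd"
printf '%s\n' '/dev/disk/by-label/esp /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2' \
    'tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0' > "$demo/etc/fstab"
: > "$demo/swapfile"; chmod 644 "$demo/swapfile"   # deliberately too permissive
audit "$demo" && echo "no findings" || echo "findings: $?"
rm -rf "$demo"
```

On the installed system, run audit "" with root privileges so that /etc/shadow is readable.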

Networking

For desktop use, NetworkManager is preferred over dhcpcd as the network daemon due to its versatility, e.g. Wi-Fi and VPN compatibility, MAC randomisation, et cetera. Install NetworkManager with:

``` shell-session
sh# xbps-install NetworkManager
```

Configure NetworkManager with MAC randomisation:

```
[main]
hostname-mode=none
plugins=ifupdown,keyfile

[ifupdown]
managed=true

[device]
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
```

Disable dhcpcd and enable the NetworkManager daemon and its dependency, the dbus daemon:

``` shell-session
sh# rm -rf /var/service/dhcpcd
sh# ln -s /etc/sv/dbus /var/service/
sh# ln -s /etc/sv/NetworkManager /var/service/
```

For users to be able to modify connections on the system they will have to be added to the network group.

Concluding remarks

This is the bare minimum for a Void Linux desktop system. Some additional features such as Bluetooth, laptop battery management, printer compatibility, et cetera, have been documented well in the Void Handbook, and can thus be found there. The next steps are the improvement of the security of the system and the configuration of the graphical user interface.