ampel/blog
2
0
Fork 0
Code Issues Pull requests Activity
blog/docs/desktop-os/posts/01-void-install.md

353 lines
No EOL
9 KiB
Markdown
Raw Blame History

---
title: A simple Void Linux base installation
slug: simple-void-base-install
date: 2022-08-10
draft: false
authors:
- luc
- nils
tags:
- Void Linux
categories:
- Base installation
---
This blog entry will demonstrate how to install a `luks` encrypted `x86_64` [Void Linux](https://voidlinux.org/) `musl`/`UEFI signed UKI` operating system on a `ext4` filesystem. This entry is based on the [Void Handbook](https://docs.voidlinux.org/about/index.html) and the [Void man pages](https://man.voidlinux.org/man-pages.7).
<!-- more -->
## Provisioning
Flash the Void Linux `musl` ISO. After booting the ISO, partition the disk with either `fdisk` or `cfdisk`. Create an `EFI System` partition (ESP) and a `Linux Filesystem` partition (LFP).
It should look something like this:
| Partition | Size | Type |
| :-------: | :--: | :--: |
| 1 | 512MB | EFI System |
| 2 | Rest | Linux filesystem |
Format the ESP with a `FAT 32` filesystem:
``` shell-session
sh# mkfs.fat -F 32 -n esp /dev/<disk>1
```
Encrypt the LFP with `luks`:
``` shell-session
sh# cryptsetup luksFormat /dev/<disk>2 --type luks2
```
Open the encrypted partition and format it with a `ext4` filesystem:
``` shell-session
sh# cryptsetup open --type luks /dev/<disk2> root
sh# mkfs.ext4 -L root /dev/mapper/root
```
## Installation
To install Void Linux on the system, the ESP and LFP have to be mounted to the live (ISO) environment:
``` shell-session
sh# mount -t ext4 /dev/mapper/root /mnt
sh# mkdir /mnt/efi
sh# mount -t vfat /dev/disk/by-label/esp /mnt/efi
```
Now we may install Void Linux `musl` with `xbps-install`:
``` shell-session
sh# xbps-install -Sy -R https://repo-default.voidlinux.org/current/musl -r /mnt base-system cryptsetup openntpd
```
To have a functional chroot into the system, copy `resolv.conf` and bind the system process directories:
``` shell-session
sh# cp /etc/resolv.conf /mnt/etc/
sh# for dir in dev proc sys run; do
> mount --rbind --make-rslave /$dir /mnt/$dir
> done
sh# chroot /mnt
```
Configure some key aspects of the system:
``` shell-session
sh# echo <hostname> > /etc/hostname
sh# ln -sf /usr/share/zoneinfo/<area>/<subarea> /etc/localtime
sh# ln -s /etc/sv/dhcpcd /var/service/
sh# ln -s /etc/sv/opennptd /var/service/
sh# ln -s /etc/sv/acpid /var/service/
sh# passwd root #(1)!
```
1. The root password does not really matter because it is going to be locked after a user has been created.
Add the encrypted partition to the `crypttab`:
``` shell title="/etc/crypttab"
root /dev/disk/by-uuid/<uuid> none #(1)!
```
1. The simplest way to add the `uuid` into `/etc/crypttab` is by performing:
``` shell-session
sh# blkid -o value -s UUID /dev/<disk>2 >> /etc/crypttab
```
and enable the `crypttab` module for `dracut`:
``` shell title="/etc/dracut.conf.d/crypt.conf"
install_items+=" /etc/crypttab "
```
Edit the `fstab` to set the correct mounts:
``` shell title="/etc/fstab"
/dev/disk/by-label/root / ext4 defaults,noatime 0 1
/dev/disk/by-label/esp /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
```
Configure the kernel command-line:
``` shell title="/etc/dracut.conf.d/cmdline.conf"
hostonly="yes"
kernel_cmdline="rw rd.luks.name=<uuid>=root root=/dev/mapper/root quiet splash" #(1)!
```
1. The simplest way to add the `uuid` into `/etc/default/dracut-uefi-hook` is by performing:
``` shell-session
sh# blkid -o value -s UUID /dev/<disk>2 >> /etc/dracut.conf.d/uki.conf
```
Install the bootloader `systemd-boot` and some hooks for `dracut` (1) necessary for building and signing the Unified Kernel Image (UKI):
{ .annotate }
1. The initramfs builder.
``` shell-session
sh# xbps-install systemd-boot dracut-uefi sbctl sbsigntool
```
> Verify that secureboot mode is in `setup mode` with `sbctl status`.
Replace the default `dracut` kernel hooks with those provided by `dracut-uefi`:
``` shell-session
sh# xbps-alternatives -s dracut-uefi
```
and set the directory where the UKI will be deposited:
``` shell title="/etc/default/dracut-uefi-hook"
UEFI_BUNDLE_DIR="/efi/EFI/Linux"
```
Create and enroll the secureboot keys into the system:
``` shell-session
sh# sbctl create-keys
sh# sbctl enroll-keys #(1)!
```
1. Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
Set the key and certificate required for signing the UKI:
``` shell title="/etc/dracut.conf.d/uki.conf"
uefi_secureboot_cert="/var/lib/sbctl/keys/db/db.pem"
uefi_secureboot_key="/var/lib/sbctl/keys/db/db.key"
```
Install the bootloader:
``` shell-session
sh# bootctl install
```
Configure the bootloader:
``` shell title="/efi/loader/loader.conf"
timeout 3
editor no
```
Sign the bootloader with `sbctl`:
``` shell-session
sh# sbctl sign -s /efi/EFI/Boot/BOOTX64.efi
```
Finally, reconfigure the kernel to execute the `dracut-uefi` hook:
``` shell-session
sh# xbps-reconfigure -f linux<version>
```
> One may verify the signed files by running `sbctl verify`.
Now exit the chroot, unmount the filesystem and reboot:
``` shell-session
sh# exit
sh# umount -lf /mnt
sh# reboot
```
## Post installation
### Firmware and drivers
Install the device firmware for either AMD or Intel:
=== "AMD"
``` shell-session
sh# xbps-install linux-firmware-amd
```
=== "Intel"
``` shell-session
sh# xbps-install void-repo-nonfree
sh# xbps-install -S intel-ucode
```
### Swap
Add swap by creating a swapfile:
``` shell-session
sh# dd if=/dev/zero of=/swapfile bs=8m count=512 status=progress #(1)!
```
1. To create a swapfile of different size (now 4 GB), change the `count` to the desirable size.
Assign the correct permissions to the swapfile and make swap from the swapfile:
``` shell-session
sh# chmod 600 /swapfile
sh# mkswap /swapfile
```
Enable the swap:
``` shell-session
sh# swapon /swapfile
```
and make it persistent by adding it to the `fstab`:
``` shell title="/etc/fstab"
/swapfile none swap defaults 0 0
```
Reconfigure the kernel:
``` shell-session
sh# xbps-reconfigure -f linux<version>
```
### Users
To run processes securely, in an environment with fewer privileges, a user is necessary.
Before creating the user, install `doas`, to be able to "do as" root when it is required:
``` shell-session
sh# xbps-install opendoas
```
and configure `doas` by editing:
``` shell title="/etc/doas.conf"
permit persist :wheel as root
```
The alternative package `sudo` that is present in the `base-system` will be removed, since it is bloatware. To persist this, that is sudo will not be installed ever again on the system, insert:
``` shell title="/etc/xbps.d/nosudo.conf"
ignorepkg=sudo
```
and remove `sudo`:
``` shell-session
sh# xbps-remove -R sudo
```
Create a symbolic link from `doas` to `sudo` to impose backward compatiblility:
``` shell-session
sh# ln -s /bin/doas /bin/sudo
```
We can add a user, set its password and add it to the `wheel` group with:
``` shell-session
sh# useradd <user>
sh# passwd <user>
sh# usermod --append --groups wheel <user>
```
You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Void Linux comes with `/bin/bash` by default:
``` shell title="/etc/passwd"
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```
If you have checked that doas works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
``` shell-session
sh# passwd -l root
```
and by changing its login shell to:
``` shell title="/etc/passwd"
root:x:0:0:root:/root:/sbin/nologin
```
### Networking
For desktop use `NetworkManager` is preferred over `dhcpcd` as network daemon, due to its versatility, i.e. Wi-Fi and VPN compatibility, MAC randomisation, et cetera. Install `NetworkManager` with:
``` shell-session
sh# xbps-install NetworkManager
```
Configure `NetworkManager` with MAC randomisation:
``` shell title="/etc/NetworkManager/NetworkManager.conf"
[main]
hostname-mode=none
plugins=ifupdown,keyfile
[ifupdown]
managed=true
[device]
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
```
Disable `dhcpcd` and enable the `NetworkManager` daemon and its dependency, the `dbus` daemon:
``` shell-session
sh# rm -rf /var/service/dhcpcd
sh# ln -s /etc/sv/dbus /var/service/
sh# ln -s /etc/sv/NetworkManager /var/service/
```
For users to be able to modify connections on the system they will have to be added to the `network` group.
## Concluding remarks
This is the bare minimum for a Void Linux desktop system. Some additional features such as bluetooth, laptop battery management, printer compatiblity, et cetera, have been documented well in the [Void Handbook](https://docs.voidlinux.org/about/index.html), and can thus be found there. The next steps are the improvement of the security of the system and the configuration of the graphical user interface.
Reference in a new issue View git blame Copy permalink