User:Sakaki/Sakaki's EFI Install Guide

If you have a Windows 8 machine that you'd like to dual-boot with Gentoo Linux and GNOME 3, you've come to the right place!

This detailed (and tested) tutorial shows how to set up just such a dual-boot system, where the Gentoo component:
 * is fully encrypted on disk (LVM over LUKS, with dual-factor protection);
 * uses UEFI secure boot;
 * runs systemd & GNOME 3.12+;
 * can properly suspend and hibernate;
 * has working drivers for touchscreen, webcam etc.;
 * and even has a graphical boot splash!

To keep things concrete, I'll be walking line-by-line through the setup of a particular machine, namely the Panasonic CF-AX3 Ultrabook; however, these instructions should be usable (with minor alterations) for many modern PCs (including desktops) which have a UEFI BIOS.

All commands that you'll need to type in are listed, and an overlay with some useful installation utilities is also provided.

While best read in tandem with the official Gentoo Handbook, this manual can also be used standalone.

Introduction
The install described in this tutorial attempts to follow the 'stock' process from the Gentoo Handbook where possible, but differs in a number of important respects. Specifically:
 * The kernel will be configured to self-boot under UEFI; no separate bootloader is needed.
 * For security, we will boot the kernel off of an external USB key (which can be removed once the boot has completed). If the USB key is absent on power-up, Windows 8 will start automatically instead.
 * Secure boot will be enabled. The kernel will be signed with our own, generated key (and the original Windows keys will be retained too).
 * Gentoo's root, swap and home partitions will reside on LVM logical volumes, which themselves will live on a single LUKS (encrypted) partition on the GPT-formatted hard drive of the machine. We'll shrink the Windows 8 C: NTFS partition to provide space for this.
 * The LUKS partition will be unlocked by a keyfile at boot. The keyfile will be stored on the USB key together with the Gentoo kernel, and will itself be GPG-encrypted, so that both the file and its passphrase will be needed to access the (Gentoo) data on the hard drive. This provides a degree of dual-factor security against e.g., having the machine stolen with the USB key still in it, or even the existence of a keylogger on the PC itself (although not both at the same time!). (Using a provided utility, you can subsequently migrate the kernel onto the Windows EFI system partition on the main drive if desired, and also relax the security to use just a typed-in passphrase, so once installed you won't need to use a USB key at all if you don't want to.)
 * We will create an initramfs to allow the GPG / LUKS / LVM stuff to happen in early userspace, and this RAM disk will be stored inside the kernel itself, so it will work under EFI with secure boot (we'll also, for reasons that will become clear later, build a custom version of gpg to use in this step).
 * For all you source-code paranoiacs, the Gentoo toolchain and core system will be bootstrapped during the install (simulating an old-school stage-1) and we'll validate that all binary executables and libraries have indeed been rebuilt from source when done. The licence model will be set to accept free software only (and although I don't deblob the kernel, instructions for how to do so are provided - assuming your hardware will actually work without uploaded firmware!).
 * The latest (3.12+) stable version of Gnome will be installed, which will necessitate using systemd for init (the existing handbook is quite OpenRC-centric). Incidentally, this will not require an interim Gnome 2 deployment.
 * Lastly, I'll provide simple scripts to automate the EFI kernel creation process and keep your system up-to-date. The first of these (buildkernel) handles conforming the kernel config for EFI encrypted boot (including setting the kernel command line correctly), creating the initramfs, building and signing the kernel, and installing it on the EFI system partition. The second (genup) automates the process of updating your system software via emerge and associated tools. The scripts are shipped in an overlay, for easy deployment.

As mentioned, although this tutorial follows the format of the Gentoo Handbook in places (particularly at the beginning), it's structured so as to be self-contained - you should be able to walk though this process and, using only these instructions, end up with a fully functional, relatively secure dual-boot Windows 8 + Gentoo / Gnome 3.12+ machine when you're done.

Chapters
The chapters of this tutorial are listed below, together with a brief summary of each.

You need to work though the chapters sequentially, in order to complete the install successfully.


 * 1) Installation Prerequisites. First, we'll briefly review the things you'll need in order to carry out the install.
 * 2) Preparing Windows 8 for Dual-Booting. Next, we'll reduce the amount of space Windows 8 takes up on the target machine's hard drive, so there is room for our Gentoo system (and user data). We'll use tools already present in Windows 8 to do this.
 * 3) Creating_and_Booting_the_Minimal-Install_Image_on_USB. Then, per Chapter 2 of the Gentoo handbook, we'll download a minimal Gentoo image onto a USB key, and boot into it on our target PC (in legacy / OpenRC mode).
 * 4) Setting Up Networking and Connecting via ssh. Next, per Chapter 3 of the handbook, we'll setup network access for our minimal system, and connect in to it from a second, 'helper' PC via ssh (to ease installation).
 * 5) 'Preparing the LUKS-LVM Filesystem and Boot USB Key. After that, we'll create a GPG-protected keyfile on a second USB key, create a LUKS (encrypted) partition on the machine's hard drive protected with this key, and then create an LVM structure (root, home and swap) on top of this (achieving the goals of Chapter 4 of the handbook).
 * 6) Installing the Gentoo Stage 3 Files. Then, per Chapter 5 of the handbook, we'll download a Gentoo 'stage 3' minimal filesystem, and install it into the LVM root. We'll also set up your Portage build configuration.
 * 7) Building the Gentoo Base System Minus Kernel. Next, per Chapter 6 of the handbook, we'll complete some final preparations, then chroot into the stage 3 filesystem, update our Portage tree, and set a profile, timezone and locale. We'll setup the sakaki-tools overlay (which contains utilities to assist with the build), and install the first of these, showem</tt> (a program to monitor parallel emerge</tt>s). Then, we'll bootstrap the toolchain (simulating an old-school stage 1 install), rebuild everything in the @world</tt> set, and verify that all libraries and executables have, in fact, been rebuilt. (Instructions are also provided for those who wish to skip bootstrapping).
 * 8) Configuring and Building the Kernel. Next, (loosely following Chapter 7 of the handbook), we'll setup necessary licenses, then download the Linux kernel sources and firmware. We'll then install (from the overlay) the buildkernel</tt> utility, configure it, and then use this to automatically build our (EFI-stub) kernel (buildkernel</tt> ensures our kernel command line is filled out properly, the initramfs contains a static version of gpg</tt>, that the kernel has all necessary systemd</tt> options set, etc.).
 * 9) Final Preparations and Reboot into EFI. Then, following Chapter 8 of the handbook, we'll set up, install a few other packages, set up a root password, then dismount the chroot</tt> and reboot (in EFI / systemd</tt> mode) into our new system (secure boot will be off at this stage).
 * 10) Configuring systemd and Installing Necessary Tools. With the machine restarted, we'll re-establish networking and the ssh</tt> connection, then complete the setup of systemd</tt>'s configuration. Per Chapter 9 of the Gentoo handbook, we'll then install some additional system tools (such as cron</tt>). Next, we'll install (from the overlay) the genup</tt> utility, and use it to perform a precautionary update of the @world</tt> set. Then, we'll reboot to check our systemd</tt> configuration. If successful, we'll invoke buildkernel</tt> again, to enable the <tt>plymouth</tt> graphical boot splash, and restart once more to test it.
 * 11) Configuring Secure Boot. Next, we'll set up secure boot. First, we'll save off the existing state of the secure boot variables (containing Microsoft's public key-exchange-key, etc.). Then, we'll create our own platform, key-exchange and kernel-signing keypairs, and then reboot, en route using the BIOS GUI to enter setup mode (thereby clearing the variables, and enabling us to write to them). We'll then re-upload the saved keys, append our own set, and finally lock the platform with our new platform key. We'll then run <tt>buildkernel</tt> again, which will now be able to automatically sign our kernel. We'll reboot, enable secure boot in the BIOS, and verify that our signed kernel is allowed to run. Then, we'll reboot into Windows, and check we haven't broken its secure boot operation! Finally, we'll reboot back to Linux again (optionally setting a BIOS password as we do so).
 * 12) Setting up the GNOME 3 Desktop. Next, we'll setup your graphical desktop environment. We'll begin by creating a regular (non-root) user, per Chapter 11 of the handbook. Then, we'll install X11, and try running it with a simple window manager (<tt>twm</tt>), to check if all necessary display drivers are present. If they aren't, we'll modify the kernel configuration accordingly, and rebuild using <tt>buildkernel</tt>. Once working, we'll remove the temporary window manager, install GNOME 3 (and a few key applications), and configure and test it.
 * 13) Final Configuration Steps. Next, we'll configure your kernel to properly handle all your target PC's devices. Although this setup will necessarily differ from machine to machine, a general methodology is provided, together with a concrete set of steps required for the Panasonic CF-AX3 (covering setup of its integrated WiFi, Bluetooth, touchscreen, audio and SD card reader). Thereafter, we'll cover some final setup points - namely, how to: prune your kernel configuration to remove bloat; get suspend and hibernate working properly; ensure that the correct <tt>python</tt> interpreter is set as the system default; and disable <tt>sshd</tt> (as the helper PC is no longer needed from this point).
 * 14) Using Your New Gentoo System. Now your dual-boot system is up and running, in this last chapter we'll cover a few miscellaneous (but important) topics (and options) regarding day-to-day use. We'll first recap how to boot from Linux to Windows (and vice versa), then discuss how to ensure your machine is kept up to date (using <tt>genup</tt>). We'll also show cover how to migrate your kernel to the internal drive (Windows) EFI system partition if desired (and also, how to dispense with the USB key entirely, if single-factor passphrase security is sufficient). Finally, we'll briefly review how to tweak GNOME, and (per Chapter 12 of the handbook) where to go next (should you wish to install other applications, a firewall, etc.).

<span id="get_started">Let's Get Started!
Ready? Then click here to go to the first chapter, "Installation Prerequisites".

Acknowledgements
We would like to thank the following authors and editors for their contributions to this guide: