User:Sakaki/Sakaki's EFI Install Guide/Using Your New Gentoo System under OpenRC

In this (final) section, we'll consider a number of miscellaneous (but important) topics regarding your new system. Although this final part of the tutorial has no precise analogue in the Gentoo manual, it logically relates to Chapter 11.

The topics we'll briefly cover are:
 * recapping how to boot to Linux from Windows (and vice versa);
 * keeping your machine up to date;
 * migrating your kernel to the internal hard drive (optional);
 * and how to dispense with the USB key entirely (also optional);
 * tweaking GNOME; and
 * installing a firewall, and other applications; plus
 * links to some additional 'mini-guides', that don't fit naturally within the rest of the tutorial, e.g.:
 * how to disable the Intel Management Engine on your PC, and;
 * how to sandbox the browser with.

Let's go!

Booting into Linux or Windows (Recap)
With the setup you have just carried out, you can easily boot your target PC into either Gentoo Linux or Windows, as desired. Here's a brief recap of how to go about it (with links back to the more detailed explanations in the body of the text, where relevant):
 * If you power up the machine without the boot USB key inserted, Windows will always load automatically. You can do this safely even if you hibernated your Linux session last time (assuming you had no Windows partitions mounted in Linux!).
 * All your Linux data is ultimately held within an encrypted LUKS partition, and so cannot be 'snooped' by malware running in Windows. Nor can Windows software read your keyfile or kernel, as the boot USB key is not physically present when Windows is running.
 * Windows updates etc. should leave the LUKS partition entirely unaffected (and cannot access the boot USB key either, assuming you don't insert it mid-session).
 * If you are running Windows and wish to reboot into Linux instead, be sure to restart the machine from Windows (rather than shutting it down, unless you disabled hybrid shutdown as recommended at the start of the tutorial). Insert the boot USB key while the system is closing down prior to the reboot. Then, as soon as the machine begins restarting, enter the BIOS (the key combination needed to do this varies from machine to machine; it is  on the CF-AX3). If you set one earlier, you'll need to enter your BIOS password at this point. Then choose  as the highest priority EFI boot entry, save changes and restart (if the BIOS does not immediately recognize the USB key, you may need to do the 'save changes and restart' cycle twice). A more detailed exposition of how to do this on the CF-AX3 was presented earlier in the text. The machine should then restart into Linux as usual.
 * Now, if you are running Linux, and then power down the machine, then power it back up with the USB key inserted, it should start up Linux again automatically (you'll have to enter your LUKS keyfile passphrase (the one you created earlier) to gain access of course). It is entirely safe to remove the boot USB key once you get to the GNOME login screen (and indeed, it is recommended that you do so, for security). You can do any work you like under Linux, power the machine down, suspend or hibernate it, without needing to re-insert the boot USB key. Then:
 * If you suspend (sleep) the machine from Linux, you can come back out of suspend without needing to re-insert the key (just slide the power button).
 * If you hibernate the machine from Linux, insert the boot USB key immediately before powering up again. Upon restart, you'll have to enter the GPG-encrypted LUKS keyfile passphrase, and should then be presented with a GNOME login prompt (as before, you can remove the boot USB key at this point). Log in, and you'll find your desktop the way you left it on hibernation.
 * If you power the machine off from Linux, simply remember to insert the USB key before sliding the power key again (otherwise you'll reboot into Windows, as above).
 * Similarly, if you have hibernated from Linux, and power back up without re-inserting the boot USB key, your machine will come up in Windows. This isn't a problem (unless you had any of the Windows partitions deliberately mounted in your Linux session!), because you can use Windows as necessary and then, when done, follow the process above to restart back into Linux again (it'll remember that you hibernated, and come back into your old session).

The whole process is easier to do in practice than it is to describe! It has the advantage of not requiring multiple EFI system partitions on the machine's main drive (something which Microsoft specifically cautions is unsupported under Windows), nor a separate bootloader. Furthermore, Windows will sometimes overwrite the EFI boot list anyway, even when a bootloader is used, so taking that approach doesn't necessarily buy you anything.

If you would like to use Windows' EFI system partition (the one on the internal drive) to store your kernel (or even dispense with the need for a USB key during boot altogether), instructions for doing so will be provided later in this chapter.

Keeping Your Machine Up to Date
The tool makes it easy to keep your machine (kernel and packages) up to date. To perform a full update at any time, first open a root terminal in GNOME (if you don't already have one open): press the, and type 'terminal', then press. A standard-issue terminal window should open. Become root:

The password required here is the one you set up earlier in the tutorial (and have used when -ing in).

Ensure that your boot USB key is inserted (this will be required if there is a kernel upgrade). Then, in this terminal, issue:

and the update will proceed automatically (the option means that, although not running in interactive mode per se, you will be prompted to resolve clashing changes to configuration files, should any arise, and the  will copy over any new kernel to the boot USB key, once built). When the process completes (you get the message ""), remove the boot USB key again, and close out the terminal.

If the output of informed you that a new kernel has been built, you should reboot your machine at this point to start using it.

Automating (Optional)
To ensure you don't forget updates, you can schedule to run automatically (this is entirely optional, of course). One simple approach is to use to have it executed every night (at around 3am on most systems; check  for details ).

To set this up, first open a root terminal in GNOME (if you don't already have one available): press the, and type 'terminal', then press. A standard-issue terminal window should open. Become root:

The password required here is the one you set up earlier in the tutorial (and have used when -ing in).

Then issue:

Then put the following text in the file:

Save and exit the editor, and make the file executable:

(You can now close out the root terminal if you have no further use for it.)

That's it! Your system will now attempt to update each night, without requiring any input from you. Also, because you have not specified  here, there's no need to have your boot USB key inserted when the process runs (any new kernel will still be built, but then simply retained in the staging area at, until you issue  , as described shortly).

Although this is automatic, you do need to do a bit of checking periodically that this worked OK (each morning, say). To do this, open a root terminal in GNOME (as just described), and issue:

If the tail of the log just printed contains text similar to the below:

then, as instructed, you need to run ; so do so now:

See the explanation earlier in this tutorial for how to use.

Next, if the tail of the log contains text similar to the below:

then you need to copy it across (it has already been built in the staging area). Insert your boot USB key, then issue:

When this completes (it shouldn't take long), remove the boot USB key, and close out the root terminal if you have no further use for it (or, alternatively, leave the key inserted and reboot, to start using your new kernel immediately).
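The nightly job described above runs unattended, so it is worth wrapping the update command so that two runs can never overlap (a second emerge starting while the first is still building is a common way to corrupt a Portage session), and so that the log you read each morning ends with an unambiguous status line. The following is an added example written for this guide, not the guide's own script: the update command is a placeholder you substitute, and the lock directory and log path are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): a cron.daily wrapper around an
# update command. UPDATE_CMD is a placeholder for your updater; LOCK and LOG
# are assumed locations chosen for this example.

UPDATE_CMD="${UPDATE_CMD:-true}"           # assumption: replace with your updater
LOG="${LOG:-/var/log/nightly-update.log}"  # assumption: log read by the morning check
LOCK="${LOCK:-/run/lock/nightly-update}"   # assumption: mkdir-based lock directory

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# run_update_job CMD LOCKDIR LOGFILE
# Runs CMD under an atomic mkdir lock, appending its output to LOGFILE.
# Returns 2 if a previous run still holds the lock, else CMD's exit status.
run_update_job() {
    cmd=$1; lockdir=$2; logfile=$3
    if ! mkdir "$lockdir" 2>/dev/null; then
        printf '%s STATUS=busy\n' "$(stamp)" >>"$logfile"
        return 2
    fi
    printf '%s BEGIN %s\n' "$(stamp)" "$cmd" >>"$logfile"
    sh -c "$cmd" >>"$logfile" 2>&1
    rc=$?
    printf '%s STATUS=%d\n' "$(stamp)" "$rc" >>"$logfile"
    rmdir "$lockdir"
    return "$rc"
}

# last_run_status LOGFILE
# Prints the most recent STATUS value ("0" is good; anything else needs a look).
last_run_status() {
    grep 'STATUS=' "$1" | tail -n 1 | sed 's/.*STATUS=//'
}

# Only perform the update when invoked as "script run", so the file can also
# be sourced for its functions.
case "${1:-}" in
    run) run_update_job "$UPDATE_CMD" "$LOCK" "$LOG" ;;
esac
```

Install it as the cron.daily script with `run` as its argument (or call it from the script you created above), and the morning check becomes `last_run_status /var/log/nightly-update.log` followed by reading the tail of the log only when the status is not 0. The mkdir lock is atomic on local filesystems, so a hung or still-running update is reported as `busy` rather than started a second time.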

Migrating Off the Boot USB Key (Optional)
Up until now, we have been using a boot USB key to hold your (stub EFI) kernel and GPG-encrypted LUKS keyfile. This approach has a number of advantages:
 * It let us get around the 'EFI chicken and egg' problem - namely that it is only possible to modify the EFI boot list when already booted under EFI - by exploiting the exception that most UEFI BIOSes will boot specially named EFI images on removable drives. Of course, now we have an EFI system running, this advantage is moot.
 * It provides dual factor security - you need both the keyfile and its passphrase to access the LUKS partition. This confers a degree of protection against hardware keyloggers etc., which a 'passphrase only' (or, indeed, 'keyfile only') LUKS approach would lack.
 * Similarly, if you physically destroy the USB key and all backups, your LUKS data will be gone forever. Even someone with your GPG passphrase would be unable to recover it. Of course, this is a double-edged sword!
 * If the system is booted without the key inserted, it will automatically come up in Windows.
 * When Windows is running, malware is unable to see your kernel image (assuming you leave the USB key unplugged) nor can it copy your GPG-encrypted keyfile.
 * Similarly, there is no risk of Windows accidentally (during an upgrade, for example) overwriting your kernel, or experiencing problems because your kernel has consumed too much space in the (internal hard drive) EFI system partition.
 * You can use a large-capacity USB key, with plenty of room for snapshot backups etc.

Nevertheless, some users may prefer to use their internal hard drive's EFI system partition to store the kernel (retaining the USB key for the GPG-encrypted keyfile only, to preserve dual-factor security). Others may like to go even further, and remove the need for the USB key altogether on boot (relying on a passphrase only, Ubuntu-style). While there are six logical possibilities here (and all are simple to achieve via ), not all make sense, as the table below demonstrates:

Accordingly, instructions are provided below for migration from option 1 (which you have now) to options 4 and 6, below.

Using the Internal Drive EFI System Partition for the Kernel (Option 4)
This is a somewhat attractive option. By using the (Windows) EFI system partition to store the kernel, boot times are reduced, and you can perform full upgrades (including any kernel deployment) without having to insert the USB key. However, you may experience issues due to the lack of space in the internal drive EFI system partition, particularly if you have not slimmed down your kernel configuration (as described earlier).

When using the internal drive EFI system partition, Windows malware can read your kernel (and configuration), although it is protected against tampering by its cryptographic signature, provided Secure Boot remains enabled and enforcing: a modified image would fail the firmware's signature check and refuse to boot (of course, malware with access to a private key the firmware trusts, such as Microsoft's, could modify your kernel and re-sign it...). Note that the signature protects integrity only, not confidentiality; anything you would rather not disclose (a passphrase or key material baked into an initramfs, say) should not be in an image that lives on the shared EFI system partition.

A final point to bear in mind is that, whenever you wish to restart from Linux to Windows, you will have to change the EFI boot list explicitly, using the tool (the use of which was described previously). You can no longer simply restart the machine without the boot key present (as you can with 'option 1').

With all that in mind, if you still wish to migrate to an 'option 4' configuration, proceed as follows.

First, open a root terminal in GNOME (if you don't already have one available): press the, and type 'terminal', then press. A standard-issue terminal window should open. Become root:

The password required here is the one you set up earlier in the tutorial (and have used when -ing in).

Next, use the  tool to make the necessary changes to.

Issue (the following session is an example only; the values output will obviously vary for your machine):

Now rebuild the kernel (it will attempt to save the result to the internal EFI system partition now, not to the boot USB key):

Once the build completes (make sure it works successfully, and that you get the prompt  at the end), ensure your USB (boot) key is inserted, and restart your machine (you can do this from within GNOME, by clicking on the 'power' icon (in the top right of the screen), clicking on the 'power' button in the dropdown menu that then appears, and then clicking on the 'Restart' button in the dialog).

The machine should then power cycle (you will be cleanly logged out of GNOME first). When it restarts, as before, you will need to enter your LUKS keyfile passphrase (the one you created earlier), directly at the target machine keyboard to unlock the LUKS partition. You should then be able to log into GNOME as usual.
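Once the kernel lives on the shared EFI system partition (option 4 here, and option 6 below), Secure Boot is the control that stops a tampered image from running, but you have no record of whether the file has been touched. A cheap complement is to record a SHA-256 of the image on the encrypted LUKS root after each build (Windows cannot reach that filesystem, as noted earlier) and compare it after boot. The following is an added example written for this guide, not the guide's own tooling; the manifest location and kernel path are whatever you pass in, and `sbverify` (from sbsigntools) is only used if it happens to be installed.

```shell
#!/bin/sh
# Added example (not part of the original guide): keep a hash of the kernel
# image that lives on the EFI system partition, stored on the encrypted root,
# and check it after boot. Paths are arguments; nothing here is assumed about
# where your kernel or manifest actually live.

# record_kernel_hash KERNEL MANIFEST
# After a successful build and copy, store "sha256  path" in MANIFEST.
# Returns 1 if KERNEL does not exist.
record_kernel_hash() {
    kernel=$1; manifest=$2
    [ -f "$kernel" ] || return 1
    sha256sum "$kernel" > "$manifest" || return 1
    chmod 600 "$manifest"
}

# check_kernel_hash MANIFEST
# Returns 0 if the image still matches, non-zero if it differs or is missing.
# Run this from the encrypted root after boot; a mismatch means the ESP copy
# changed while you were not looking (or a rebuild was not followed by
# record_kernel_hash).
check_kernel_hash() {
    manifest=$1
    [ -f "$manifest" ] || return 1
    sha256sum --check --status "$manifest"
}

# verify_signature KERNEL CERT_PEM
# Optional: confirm the Authenticode signature against the signing certificate
# you enrolled in the firmware. Returns 2 if sbverify is not installed.
verify_signature() {
    command -v sbverify >/dev/null 2>&1 || { echo "sbverify not installed" >&2; return 2; }
    sbverify --cert "$2" "$1"
}
```

Call `record_kernel_hash` right after each successful kernel build and copy, and `check_kernel_hash` from a login script or the morning update check. This is detection after the fact, not prevention: by the time you compare hashes the image has already been executed, so it is only meaningful alongside an enforcing Secure Boot configuration, where a tampered kernel would not have booted in the first place.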

Completely Removing the Need for a Boot USB Key (Option 6)
This is the most convenient option for everyday use, since no USB key is required at all: the backup LUKS passphrase is prompted for at boot time, and the kernel is contained on the internal drive (Windows) EFI system partition. However, dual-factor security is lost with this approach. It is otherwise similar to option 4 above, so please read through the comments there before continuing.

If you still wish to migrate to an 'option 6' configuration, proceed as follows.

First, open a root terminal in GNOME (if you don't already have one available): press the, and type 'terminal', then press. A standard-issue terminal window should open. Become root:

The password required here is the one you set up earlier in the tutorial (and have used when -ing in).

Next, use the  tool to make the necessary changes to.

Issue (the following session is an example only; the values output will obviously vary for your machine):

Now rebuild the kernel (it will attempt to save the result to the internal EFI system partition now, not to the boot USB key):

Once the build completes (make sure it works successfully, and that you get the prompt  at the end), remove your USB (boot) key (you won't need it any more!), and restart your machine (you can do this from within GNOME, by clicking on the 'power' icon (in the top right of the screen), clicking on the 'power' button in the dropdown menu that then appears, and then clicking on the 'Restart' button in the dialog).

The machine should then power cycle (you will be cleanly logged out of GNOME first). When it restarts, as before, you will need to enter your LUKS fallback passphrase (the one you created earlier), directly at the target machine keyboard to unlock the LUKS partition. You should then be able to log into GNOME as usual.

Tweaking GNOME
One of the saving graces of the GNOME 3 shell interface (the desktop GUI) is its extensibility. By using JavaScript-based plug-ins known as shell extensions, you can modify the behaviour of your system considerably (changing the way window placement works, adding things like weather and system performance applets, changing app search options etc.).

The simplest way to get plugins is via the application. From within your GNOME desktop, press, then type  and press. The tool that appears allows you to change many of the default GNOME behaviours that you may find annoying (such as attached modal dialogs!), add startup applications, etc., so it's well worth browsing through the options.

To install extensions, however, click on the 'Extensions' tab on the left side of the app, and then navigate to the extension you want on the right (simply move the slider to "ON" for any you wish to enable).

To get other extensions, point your web browser to https://extensions.gnome.org.

Miscellaneous GNOME Points
The following are a few GNOME setup questions that come up frequently by email (but which don't really fit into the main flow of this guide). For any other GNOME issues, your first port of call should be the gnome.org website (and failing that, the Gentoo Desktop Environments discussion forum).

Using a Printer in GNOME
Depending on what version of GNOME you have, and which other applications you have installed, you may find that you are initially unable to print from GNOME, and cannot use the 'Printers' control panel.

To enable printing, you need to install the package, and then start the  service in.

To set this up, first open a root terminal in GNOME (if you don't already have one available): press the, and type , then press. A standard-issue terminal window should open. Become root:

The password required here is the one you set up earlier in the tutorial (and have used when -ing in).

Then issue:

Next, enter:

after which you should be able to go to the 'Printers' control panel, click on the 'plus' icon, and set up your printer. You can also close out the terminal if you have no further need for it.

Using a VPN in GNOME
To be able to use a Virtual Private Network (VPN) with in GNOME, you have to install the package.

To do this, open a terminal (per the instructions above), and then issue:

Once this completes, you should now be able to go to the 'Network' control panel, click on the 'plus' icon, and add a new VPN connection. (As before, close out the terminal now, if you have no further need for it.)

<span id="play_mp4_in_gnome">Playing MP4 Videos (using ) in GNOME
If you find that you are unable to play MP4 videos using GNOME's default media player (and it complains about a missing H264 codec), then you'll need to install the  package.

To do this, open a terminal (per the instructions above), and then issue:

Once this completes, the problem should be fixed. (As before, close out the terminal now, if you have no further need for it.)

<span id="install_firewall_etc">Installing Other Applications, Including a Firewall etc.
As currently configured, your machine is not running a firewall - but I'd definitely recommend installing one! Configuring a firewall is beyond the scope of this tutorial, but a good place to start is Chapter 1 of Michael Rash's book Linux Firewalls. The ArchLinux wiki also has some useful information on using Iptables (the Linux kernel firewall based on ) (albeit under ).
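A full firewall design is out of scope, as the guide says, but a laptop that runs no inbound services needs only a short default-deny ruleset to be in a much better position than no firewall at all. The following is an added example written for this guide, not the guide's own configuration: it writes an `iptables-restore` ruleset that drops all unsolicited inbound traffic, allows loopback and replies to connections the machine itself opened, drops packets conntrack cannot classify, rate-limits pings and logs (a sample of) what it drops. The file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original guide): a minimal host firewall as an
# iptables-restore ruleset. Default-deny inbound, allow loopback and replies
# to connections this host initiated, drop INVALID, rate-limit echo-request,
# and log a sample of drops. No inbound service is opened; add an ACCEPT
# line with --dport for any you actually run.

# write_ruleset FILE
# Writes the IPv4 ruleset to FILE. Apply with: iptables-restore < FILE
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# count_inbound_dports FILE
# Number of INPUT rules that open a port; on a machine with no services this
# should print 0, which makes it a quick sanity check after editing the file.
count_inbound_dports() {
    grep -c -- '-A INPUT .*--dport' "$1" || true
}
```

Applying the file needs root and a kernel with netfilter, conntrack and the `limit` and `LOG` match/target support built in or as modules; if you slimmed your kernel configuration earlier, check for those options before expecting `iptables-restore` to succeed. Under OpenRC, `rc-service iptables save` writes the live rules to /var/lib/iptables/rules-save and `rc-update add iptables default` reloads them at boot. IPv6 needs the same treatment with `ip6tables` (with ICMPv6 neighbour discovery allowed rather than rate-limited, or connectivity breaks), and the drop log should be reviewed occasionally rather than left to fill /var/log unread.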

Other than that, what you install on your machine is now up to you! It's worth reading this introduction in the Gentoo handbook regarding searching for and installing software. The basic process, of course, is straightforward. Suppose, for example, that you'd like to install the Firefox web browser...

To do this, first, open a root terminal in GNOME (if you don't already have one available): press the, and type , then press. A standard-issue terminal window should open. Become root:

The password required here is the one you set up earlier in the tutorial (and have used when -ing in).

Next, search for the application. You can use to do this: for example:

Reviewing 's output, you can see that the package you want is. To install it, use the familiar rubric:

If there are any USE flag problems or license issues reported, edit or  accordingly (see text earlier for a description of these), then try again.

Note that if you are planning to use as your daily web browser, it is well worth sandboxing it for security. A full mini-guide covering this topic is now available (see list, immediately below).

<span id="additional_mini_guides">Additional Mini-Guides
Listed below is a short set of 'mini-guides', covering additional set-up topics that may be of interest to some users, but which do not fit within the main flow of the text:
 * Extending LUKS to Protect an Additional Drive (NB, this particular mini-guide is currently -specific)
 * Disabling the Intel Management Engine (For both and  users)
 * Sandboxing the Firefox Browser with Firejail (For both and  users)
 * Booting Legacy Images on EFI using (For both  and  users)

Sayonara ^-^
Well, that's it! You now have a fully operational Gentoo dual-boot system, with and !

Enjoy!
