User:Sakaki/Sakaki's EFI Install Guide/Final Preparations and Reboot into EFI

In this section, we'll be following along with Chapter 8 of the Gentoo handbook. However, we'll defer some of the configuration tasks until the next chapter, when you have rebooted (because configuring systemd is most easily done from within a system actually running systemd). The steps we'll be undertaking are:
 * 1) Setting up the mountpoint tables  and ;
 * 2) Concluding preparations, viz.:
 * 3) Emerging some necessary packages (which it will be useful to have in place before a reboot);
 * 4) Taking note of networking information;
 * 5) Setting up a root password for the new system; then
 * 6) Cleanly dismounting the chroot, and restarting;
 * 7) Before the OS boots, modifying the BIOS settings so that non-secure UEFI mode is used, then restarting again.

Instructions are also provided at the end of this chapter to recover back to a chroot environment, should things not go as planned.

So let's get started!

Setting up the Mountpoint Tables
Per the Gentoo handbook, we first need to set up, so that the system knows the location, mount point, filesystem type and mount options for the key system partitions. There are three such partitions (which we created earlier):
 * 1) the root partition, which holds the system software, configuration files, and the superuser's home directory (device file path );
 * 2) the swap partition, which is used to extend the system's available memory, and can also be used for hibernation (device file path ); and
 * 3) the home partition, which holds the home directories of normal users (device file path ).

We need to add entries for each of these to fstab; so issue:

and then edit the file, so that the only uncommented lines (those not starting with a # symbol), are as follows:

If you have a cd-rom drive on your machine (the Panasonic CF-AX3 does not), you can also add the following additional line:

Save and exit nano.

In the file:
 * The first field describes the path to the partition's device file (NB - when this file is referenced, the initramfs-based init script will already have unlocked the LUKS partition and activated the LVM logical volumes, so we can safely use the device-mapper paths, as above).
 * The second field shows the mount point.
 * The third field shows the filesystem type. I have assumed (per the tutorial instructions) that you have used ext4 for the root and home partitions; if you chose something different, make sure to reflect it here. The use of <tt>auto</tt> for the optional cd-rom makes the operating system guess the filesystem type, which is useful with removable media.
 * The fourth field contains the mount options; these choices here are described in more detail below.
 * The fifth field is used by the <tt>dump</tt> command to denote which filesystems require dumping. It's generally fine to leave this as <tt>0</tt> (do not dump) in all cases.
 * The sixth field is used by <tt>fsck</tt> to determine the order in which filesystems are integrity checked at boot time. A <tt>0</tt> indicates no check. The root filesystem should have (as here) a <tt>1</tt>, forcing it to be checked first; all other persistent filesystems can then have <tt>2</tt> specified (so they are checked together, after the root filesystem).

Here are the specific mount options selected above, and their meaning:

<span id="symlink_etc_mtab">Per the Gentoo wiki article on <tt>systemd</tt>, the mounted file systems table must be a symlink to , so issue:

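To make the field rules above concrete, here is an added example (not part of the guide, and not Sakaki's code): a small Python linter that parses an fstab and checks the dump and pass fields the way this section describes, together with a check that <tt>/etc/mtab</tt> is the symlink <tt>systemd</tt> expects. The sample tables, their device-mapper names (vg1-root, vg1-swap, vg1-home) and mount options are constructed for illustration and are not the guide's own values; the symlink target <tt>/proc/self/mounts</tt> is an assumption taken from the Gentoo wiki <tt>systemd</tt> article, not something this page states.

```python
"""fstab linter for the six-field layout described in this chapter.

Added example, not part of Sakaki's guide. The sample tables and the
device-mapper names in them are constructed for illustration.
"""
import os
import tempfile

# Constructed sample laid out as the chapter recommends (assumed names).
SAMPLE_FSTAB = """\
# <device>              <mountpoint>  <type>  <options>           <dump> <pass>
/dev/mapper/vg1-root    /             ext4    defaults,noatime    0      1
/dev/mapper/vg1-swap    none          swap    sw                  0      0
/dev/mapper/vg1-home    /home         ext4    defaults,noatime    0      2
/dev/cdrom              /mnt/cdrom    auto    noauto,user,ro      0      0
"""

# Constructed sample with the mistakes the linter should catch.
BAD_FSTAB = """\
/dev/mapper/vg1-root    /             ext4    defaults            1      0
/dev/mapper/vg1-home    /home         ext4    defaults            0      1
/dev/mapper/vg1-swap    none          swap    sw                  0      2
"""


def parse_fstab(text):
    """Return one dict per uncommented entry; raise on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append({
            "lineno": lineno,
            "device": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": fields[3].split(","),
            "dump": int(fields[4]),
            "pass": int(fields[5]),
        })
    return entries


def lint_fstab(text):
    """Return a list of problems; an empty list means the table follows the rules."""
    problems = []
    entries = parse_fstab(text)
    if sum(1 for e in entries if e["mountpoint"] == "/") != 1:
        problems.append("exactly one root (/) entry expected")
    for e in entries:
        where = f"line {e['lineno']} ({e['mountpoint']})"
        if e["dump"] != 0:
            problems.append(f"{where}: dump field should be 0")
        if e["fstype"] == "swap":
            if e["mountpoint"] != "none":
                problems.append(f"{where}: swap entries use 'none' as the mount point")
            if e["pass"] != 0:
                problems.append(f"{where}: swap is never fsck'd, pass should be 0")
        elif e["mountpoint"] == "/":
            if e["pass"] != 1:
                problems.append(f"{where}: root filesystem should have pass 1")
        elif e["pass"] == 1:
            problems.append(f"{where}: only the root filesystem should have pass 1")
        elif e["pass"] == 0 and "noauto" not in e["options"]:
            problems.append(f"{where}: mounted at boot but never fsck'd; use pass 2")
        elif e["pass"] > 2:
            problems.append(f"{where}: pass should be 0, 1 or 2")
        if e["fstype"] == "auto" and "noauto" not in e["options"]:
            problems.append(f"{where}: 'auto' is for removable media; add noauto")
    return problems


def check_mtab_symlink(root="/"):
    """True if ROOT/etc/mtab is a symlink to /proc/self/mounts (assumed target)."""
    mtab = os.path.join(root, "etc", "mtab")
    return os.path.islink(mtab) and os.readlink(mtab) == "/proc/self/mounts"


def demo_mtab_check():
    """Build two throwaway trees and return (symlink_result, plain_file_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good", "etc")
        bad = os.path.join(tmp, "bad", "etc")
        os.makedirs(good)
        os.makedirs(bad)
        os.symlink("/proc/self/mounts", os.path.join(good, "mtab"))
        with open(os.path.join(bad, "mtab"), "w") as fh:
            fh.write("")  # a plain file, as a non-systemd install leaves it
        return (check_mtab_symlink(os.path.dirname(good)),
                check_mtab_symlink(os.path.dirname(bad)))


if __name__ == "__main__":
    for name, table in (("sample", SAMPLE_FSTAB), ("bad", BAD_FSTAB)):
        problems = lint_fstab(table)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
    print("mtab symlink demo (symlink, plain file):", demo_mtab_check())
```

Run it against your own table with <tt>lint_fstab(open("/etc/fstab").read())</tt> from inside the <tt>chroot</tt>; the checks are exactly the ones spelled out for the fifth and sixth fields above, plus a warning for a boot-time filesystem that would never be checked.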
<span id="concluding_prep">Some Concluding Preparations
It <span id="emerge_additionals">will be useful to have the DHCP daemon, <tt>wpa_supplicant</tt> and <tt>screen</tt> available immediately upon reboot. They're not yet installed in the <tt>chroot</tt> operating system, only on the 'outer' host, so let's emerge them now. Issue:

Next, <span id="note_if_name">take note of your current network interface name - this will be the same after a reboot, and knowing it will be useful during <tt>systemd</tt> configuration. Issue:

and look for a record name similar in format to <tt>enp0s25</tt> (your system will most likely have a different name - in this particular case it refers to an Ethernet card on PCI (p) bus 0, slot 25).

Next, we must <span id="setup_new_root_password">set up a root password. Yes, we did indeed set up a root password earlier, but that was for the host operating system on the target machine, and we are about to discard that and boot directly into the new (currently <tt>chroot</tt>-ed) one. As such, we need to set a fresh root password within the <tt>chroot</tt>. Issue:

<span id="exit_chroot_and_restart">Cleanly Dismounting the <tt>chroot</tt> and Restarting
Almost there! Now we have to exit the chroot</tt> in both our <tt>screen</tt> virtual consoles, quit both of those consoles (thereby exiting <tt>screen</tt>), unmount the various logical volumes, deactivate the LVM volume group, and close out the LUKS partition. Issue:

then:

The first <tt>exit</tt> exits the <tt>chroot</tt> in the first <tt>screen</tt> virtual console, the second exits that console itself. Now do the same for the second virtual console (which you'll automatically be dropped out to):

then:

Unmount everything (and turn off swap), deactivate LVM, and close LUKS:

Now we're ready to restart. Ensure your boot USB key is still inserted into the target machine (as well as the minimal install USB key, at this point), and issue:

Your <tt>ssh</tt> session will exit. As soon as your target machine starts to come back up, enter the BIOS setup screen.

<span id="set_uefi_mode_in_bios">Selecting UEFI Boot Mode in the BIOS and Restarting!
As mentioned earlier, the exact method of entering the BIOS varies greatly from machine to machine (as does the BIOS user interface itself). On the Panasonic CF-AX3, press during startup (you may need to press it repeatedly, and you do this directly on the target machine's keyboard).

Once the BIOS setup screen comes up, remove the minimal install USB key, so that only the boot USB key (the smaller capacity one) remains inserted. Then, using the same navigation techniques as before, perform the following steps:
 * 1) disable legacy / CSM boot mode;
 * 2) enable EFI boot mode;
 * 3) ensure any 'fast boot' / 'ultra fast boot' options (if present) are disabled (as these may cause USB to be disabled until the operating system comes up);
 * 4) turn off secure boot (our kernel is currently unsigned, and we have not yet updated the machine's key database in any event);
 * 5) select the USB boot key as the highest priority UEFI boot device; and
 * 6) restart your machine (saving changes).

It's impossible to be precise about the GUI actions required to achieve the above, as they will vary from BIOS to BIOS. However, to give you some idea, here's how you go about it on the Panasonic CF-AX3 (which has an AMT BIOS).

Using the arrow keys, navigate across to the 'Boot' tab. Then, navigate down to the 'UEFI Boot' item, and press. In the popup that appears, select 'Enabled' using the arrow keys, and press. This switches the system out of legacy / CSM boot and into standard UEFI mode (steps 1 and 2 in the list above):

Next (step 4), we'll <span id="turn_off_secure_boot">turn off secure boot, since we haven't yet signed our kernel (or installed our own keys into the BIOS). On the CF-AX3, use the arrow keys to select the 'Security' tab, then navigate down to the 'Secure Boot' item, and select it by pressing. This enters a 'Security' sub-page; navigate to the 'Secure Boot control' item, and press. In the popup that appears, select 'Disabled' using the arrow keys, and press :

Next, on the CF-AX3, it is necessary to restart the machine at this point (as it will not pick up valid UEFI boot devices immediately upon switching into UEFI boot mode). Press to restart, and confirm if prompted.

When the machine restarts, hit again, to re-enter BIOS setup. Now we can select a boot device (step 5). Using the arrow keys, navigate to the 'Boot' tab, and then down to the 'UEFI Priorities' item. Press, and a sub-page is displayed. Ensure the item 'UEFI Boot from USB' is enabled (if it isn't, enable it now, and then press to restart (confirming if prompted), and come back to this point). Navigate down to 'Boot Option #1' and press. In the pop-up menu that appears, select your (boot) USB key, and press to select it:

That's it! Now press to restart (step 6), and confirm if prompted.

If all that worked, your target system should restart, and boot the UEFI stub kernel off the boot USB key. After some initialization, you should be prompted for a passphrase to unlock the <tt>gpg</tt> keyfile for your LUKS partition (this is the passphrase you set up earlier). Type this in (directly at the target machine keyboard), and press. Shortly after, assuming that your passphrase is correct, you'll be presented with a login prompt. <span id="login_directly_to_new_system">Enter 'root' as the user (again, directly at the keyboard, without quotes), and then type the root password you set up above.

If all goes well, you should now be logged in! If this is the case, congratulations, you have an encrypted system which boots from UEFI and uses <tt>systemd</tt>, and you can now proceed to configure your <tt>systemd</tt> (and other) settings properly.

If, for some reason, you weren't able to boot, then read on.

<span id="if_things_go_wrong">How to Recover if Things Go Wrong
The following are short-form instructions to get you back into a <tt>chroot</tt> environment again, so that you can attempt to fix whatever problem prevented you from booting under UEFI. I have included backlinks throughout, so you can hop up to where these steps were first taken, and read in more detail about what is involved - the style of what follows is rather telegraphic.

First, re-insert your minimal install USB key into the target machine (leaving the boot USB key inserted as well, since we'll need it to unlock the LUKS partition), and restart the system. As the machine comes up, re-enter the BIOS and re-activate legacy / CSM booting, and set (if it is not already) the USB key to be the top boot priority device (original instructions here). Save the BIOS settings and exit, thereby rebooting into the Gentoo minimal install system (original instructions here). As before, hit when it beeps at you, remember to select the correct keymap etc. Then, since the boot image itself has no persistence, issue (directly on the target machine's keyboard):

Remember (original instructions here), you are setting up a password for the 'outer', host system here - root's password inside the <tt>chroot</tt> will be retained (and different), but we haven't remounted the <tt>chroot</tt> yet.

Next, ensure that your networking is up. Follow the appropriate instructions below.

If installing over wired Ethernet, simply wait for a little while (if necessary for address allocation to complete), and then note your IP address, using <tt>ifconfig</tt> (original instructions here):

Then click here to skip to the next step. If, instead, you are installing over WiFi, you need to re-create your configuration file (original instructions here). Issue:

Lock down the file's access permissions (to root only) and check that its contents look sane. Issue:

Assuming that looks OK, we can connect. Issue:

Then note your IP address:

<span id="restart_sshd">Now start <tt>sshd</tt> (original instructions here):

This will generate a new set of host keys, so take a note of the RSA and ED25519 fingerprints for the host key, as shown with:

Now switch to your helper PC. Note that, if the target PC's IP address is the same as it was originally (quite likely, even with DHCP), then the helper will already have a note of its previous fingerprint, and will refuse to connect via <tt>ssh</tt> (since a mismatched fingerprint might suggest a man-in-the-middle attack). Therefore, we need to remove the old fingerprint record for the IP from. Issue:

and issue (original instructions here):

Check the key fingerprint and then, if it matches, continue as below:

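The fingerprint check and the known_hosts cleanup described above, as an added example that is not part of the guide and not Sakaki's code. It does in Python what you would otherwise do by hand with <tt>ssh-keygen -lf</tt> on the target and by editing known_hosts on the helper: it computes the SHA256 fingerprint of a key blob exactly as OpenSSH prints it, matches a known_hosts line to a host whether the host field is plain, comma-separated or hashed (<tt>HashKnownHosts</tt>), drops the stale record, and admits the new key only if its fingerprint is the one read off the target's console. The IP addresses, host names and key bytes are constructed for illustration; the key blobs are well-formed <tt>ssh-ed25519</tt> public keys but not real ones.

```python
"""Refresh a known_hosts record after the target regenerated its sshd host key.

Added example, not part of Sakaki's guide. Hosts, IPs and key bytes below
are constructed; the blobs are well-formed ssh-ed25519 keys, not real ones.
"""
import base64
import hashlib
import hmac


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(pubkey32):
    """Base64 public-key blob as it appears in known_hosts / authorized_keys."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey32)).decode()


def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -l prints it: base64(SHA-256(raw blob)), no '='."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(host, salt=bytes(20)):
    """Hashed host field written with HashKnownHosts=yes: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(host_field, host):
    """Does a known_hosts host field (plain, comma-separated or hashed) cover HOST?"""
    if host_field.startswith("|1|"):
        _, _, salt, mac = host_field.split("|")
        expected = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac))
    return host in host_field.split(",")


def prune_host(text, host):
    """Drop every line whose host field covers HOST (what ssh-keygen -R does).
    Returns (new_text, number_of_lines_removed)."""
    kept, removed = [], 0
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if (len(fields) >= 3 and not line.lstrip().startswith("#")
                and host_matches(fields[0], host)):
            removed += 1
            continue
        kept.append(line)
    return "".join(ln + "\n" for ln in kept), removed


def admit_new_key(text, host, scanned_line, console_fingerprint):
    """Replace the stale record for HOST with SCANNED_LINE, but only if the key in it
    has the fingerprint read off the target's own console; raise ValueError otherwise."""
    fields = scanned_line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    if not hmac.compare_digest(fingerprint(fields[2]), console_fingerprint):
        raise ValueError("fingerprint mismatch: wrong host or a man-in-the-middle")
    text, _ = prune_host(text, host)
    return text + scanned_line.rstrip("\n") + "\n"


# Constructed scenario: the target at TARGET_IP rebooted into the minimal install
# system and generated a new host key; the helper still knows the old key twice
# (once plain, once hashed) and also knows an unrelated machine.
TARGET_IP = "192.168.1.50"
OLD_KEY = make_ed25519_blob(bytes(range(32)))        # not a real key
NEW_KEY = make_ed25519_blob(bytes(range(32, 64)))    # not a real key
OTHER_KEY = make_ed25519_blob(bytes(range(64, 96)))  # not a real key
SAMPLE_KNOWN_HOSTS = (
    f"{TARGET_IP},target.lan ssh-ed25519 {OLD_KEY} stale\n"
    f"10.0.0.7 ssh-ed25519 {OTHER_KEY} other-box\n"
    f"{hash_host(TARGET_IP)} ssh-ed25519 {OLD_KEY} stale-hashed\n"
)
NEW_LINE = f"{TARGET_IP} ssh-ed25519 {NEW_KEY}"  # what ssh-keyscan would report


def demo():
    """Run the scenario; return (lines_removed, new_key_admitted, mismatch_rejected)."""
    _, removed = prune_host(SAMPLE_KNOWN_HOSTS, TARGET_IP)
    updated = admit_new_key(SAMPLE_KNOWN_HOSTS, TARGET_IP, NEW_LINE, fingerprint(NEW_KEY))
    try:  # the fingerprint on the console belongs to a different key: refuse
        admit_new_key(SAMPLE_KNOWN_HOSTS, TARGET_IP, NEW_LINE, fingerprint(OLD_KEY))
        rejected = False
    except ValueError:
        rejected = True
    return removed, NEW_KEY in updated and OLD_KEY not in updated, rejected


if __name__ == "__main__":
    print("target's new key fingerprint:", fingerprint(NEW_KEY))
    print("(removed, admitted, mismatch rejected):", demo())
```

On a real helper, <tt>scanned_line</tt> is the line <tt>ssh-keyscan</tt> returns for the target, and <tt>console_fingerprint</tt> is what <tt>ssh-keygen -lf</tt> printed on the target's own screen; the point of doing the comparison before touching known_hosts is that a stale entry is only ever replaced by a key you have verified out of band, never by whatever answered on the wire.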
Once you are connected, we need to get <tt>screen</tt> running. Via the <tt>ssh</tt> connection on the helper PC (which is how you should enter all subsequent commands, unless otherwise specified), issue (original instructions here):

Next, we must mount the USB boot key's EFI system partition, so that we can use the keyfile on it to unlock the LUKS partition. Find out the device file name for the EFI partition on the USB boot key, by issuing (original instructions here):

We will refer to this as in what follows, but of course on your machine it will be something like  or  (note that the initial  prefix is not shown in the <tt>lsblk</tt> output).

Next, create a temporary mountpoint, and mount it. Issue (original instructions here):

Now, we can open the LUKS volume. You'll need the passphrase (for the <tt>gpg</tt> keyfile) you set up earlier to do this:

Now we can bring up the LVM logical volumes, and mount them. Issue (original instructions here):

Next, unmount the USB boot key; issue (original instructions here):

Ensure the date and time is set correctly; issue (original instructions here):

Next, make sure that the DNS information will still be valid after we <tt>chroot</tt>. Issue (original instructions here):

Now, ensure that the various special files in, and  are available after a <tt>chroot</tt>. Issue (original instructions here):

Now we can actually enter the <tt>chroot</tt>. Issue (original instructions here):

Remember to source our profile correctly and set a prompt hint. Issue (original instructions here):

Finally, we can setup a second virtual console inside <tt>screen</tt> (just as we did before), which will be useful to e.g., monitor the status of long <tt>emerge</tt>s. Press then  to start a new console. Then in that new console (which is back outside the <tt>chroot</tt>, to begin with) enter:

followed by

Now hit then  to get back to the original console.

That's it! You can now proceed to edit your <tt>chroot</tt>-ed system (and hopefully, to fix it). It is impossible to be specific as to what may have caused a problem, but some likely candidates include:
 * Incorrect kernel configuration. In this case, run <tt>buildkernel --ask --verbose</tt>, enter the graphical kernel configuration editor when prompted, change the appropriate kernel settings, and then save and exit the editor. The build will continue with your modified configuration. (A problem of this sort is most likely to occur if you have already started to dabble with the configuration, since the standard flow in this tutorial assumes you have used the config from the running minimal install system kernel - which is therefore to some extent 'known good' - as a basis).
 * Missing packages. For example, you may have forgotten to install e.g., prior to reboot, preventing you from accessing the network properly. If this is the case, simply <tt>emerge</tt> the required software within the chroot, and then try again. There is no need to re-run <tt>buildkernel</tt> in this case.
 * Wrong keymapping causing mangled passwords. If the system would not accept your <tt>gpg</tt> keyfile passphrase on reboot, but you were able to successfully unlock it when re-entering the <tt>chroot</tt> above, or, if the system would not accept your root password after a restart, then you may have not setup the <tt>KEYMAP</tt> variable in correctly. See this earlier discussion for further details. (These issues can also generally be ameliorated (for most locales) through the use of only standard English letters in your passphrases, as mentioned previously.) Review, and if necessary, change your boot-time keymap by using <tt>buildkernel --easy-setup</tt>, and then re-run <tt>buildkernel --ask --verbose</tt>.
 * Problems with UUIDs. The <tt>buildkernel</tt> script tries to ensure that the UUIDs you have passed it (in above) are valid, but it is still possible to make a mistake (e.g. if you have more than one LUKS partition on your system, for example). Double check these values, and, if necessary, change them (by using <tt>buildkernel --easy-setup</tt>) and then re-run <tt>buildkernel --ask --verbose</tt>.
 * BIOS configuration problems. A total failure of your new system to even try to start (or if you get Windows 8 instead!) is likely to indicate some issue with your BIOS settings. Are you sure your USB boot key is at the top of the UEFI boot order? And that secure boot is disabled at this point? Run through the steps in the "Selecting UEFI Boot Mode in the BIOS and Restarting!" section once more, then try again. (You should also double-check that the first (and only) partition on your USB boot key is marked as an EFI system partition and is formatted <tt>fat32</tt>; see this discussion.) A very few EFI systems also do not look for a boot executable under the standard path, but instead will use . If that's the case for your target machine, change the EFI boot file path using <tt>buildkernel --easy-setup</tt>, then re-run <tt>buildkernel --ask --verbose</tt>.

Once you have made your changes and are ready to have another go at rebooting, simply proceed from the section "Cleanly Dismounting the <tt>chroot</tt> and Restarting" in the main text. Good luck!

<span id="next_steps">Next Steps
Now that you have successfully booted into Gentoo from UEFI, we can proceed to configure <tt>systemd</tt> and other settings properly! Click here to go to the next chapter, "Configuring <tt>systemd</tt> and Installing Necessary Tools".

Acknowledgements
We would like to thank the following authors and editors for their contributions to this guide: