User:Sakaki/Sakaki's EFI Install Guide

If you have a Windows 10 (or 8) machine that you'd like to dual-boot with Gentoo Linux and GNOME 3, you've come to the right place!

This detailed (and tested) tutorial shows how to set up just such a dual-boot system, where the Gentoo component:
 * is fully encrypted on disk (LVM over LUKS, with dual-factor protection);
 * uses UEFI secure boot;
 * runs systemd & GNOME 3 (on Wayland);
 * or OpenRC & GNOME 3 (ditto);
 * can properly suspend and hibernate;
 * has working drivers for touchscreen, webcam etc.;
 * has (where appropriate) the Intel Management Engine disabled;
 * and even has a graphical boot splash!

To keep things concrete, I'll be walking line-by-line through the setup of a particular machine, namely the Panasonic CF-AX3 Ultrabook; however, these instructions should be usable (with minor alterations) for many modern PCs (including desktops) which have a UEFI BIOS.

All commands that you'll need to type in are listed, and an ebuild repository (aka 'overlay') with some useful installation utilities is also provided.

While best read in tandem with the official Gentoo Handbook, this manual can also be used standalone.

These instructions may also be easily adapted for those wishing to use Gentoo Linux as their sole OS, rather than dual booting.

Introduction
The install described in this tutorial attempts to follow the 'stock' process from the Gentoo Handbook where possible, but differs in a number of important respects. Specifically:
 * The kernel will be configured to self-boot under UEFI; no separate bootloader is needed.
 * For security, we will boot the kernel off of an external USB key (which can be removed once the boot has completed). If the USB key is absent on power-up, Windows will start automatically instead.
 * Secure boot will be enabled. The kernel will be signed with our own, generated key (and the original Windows keys will be retained too).
 * Gentoo's root, swap and home partitions will reside on LVM logical volumes, which themselves will live on a single LUKS (encrypted) partition on the GPT-formatted hard drive of the machine. We'll shrink the Windows C: NTFS partition to provide space for this.
 * The LUKS partition will be unlocked by a keyfile at boot. The keyfile will be stored on the USB key together with the Gentoo kernel, and will itself be GPG-encrypted, so that both the file and its passphrase will be needed to access the (Gentoo) data on the hard drive. This provides a degree of dual-factor security against e.g., having the machine stolen with the USB key still in it, or even the existence of a keylogger on the PC itself (although not both at the same time!). (Using a provided utility, you can subsequently migrate the kernel onto the Windows EFI system partition on the main drive if desired, and also relax the security to use just a typed-in passphrase, so once installed you won't need to use a USB key at all if you don't want to.)
 * We will create an initramfs to allow the GPG / LUKS / LVM stuff to happen in early userspace, and this RAM disk will be stored inside the kernel itself, so it will work under EFI with secure boot (we'll also, for reasons that will become clear later, build a custom version of to use in this step).
 * For all you source-code paranoiacs, the Gentoo toolchain and core system will be bootstrapped during the install (simulating an old-school stage-1) and we'll validate that all binary executables and libraries have indeed been rebuilt from source when done. The licence model will be set to accept free software only (and although I don't deblob the kernel, instructions for how to do so are provided - assuming your hardware will actually work without uploaded firmware!).
 * All Gentoo repository syncs (including the initial ) will be performed with signature authentication. Unauthenticated protocols will not be used.
 * The latest (3.24+) stable version of GNOME will be installed, using systemd for init (the existing handbook is quite OpenRC-centric). Incidentally, this will not require an interim GNOME 2 deployment.
 * An alternative track is also provided, for those wishing to install GNOME 3 under OpenRC, via Dantrell B.'s patchset (this is, essentially, how Funtoo avoids having to use systemd for GNOME, and now his patchset is available for use with Gentoo too). Most of this tutorial is common to both tracks, and a short guide is provided at the appropriate point in the text, to help you choose which route is better for you.
 * GNOME will be deployed on the modern Wayland platform (including XWayland support for legacy applications); this is more secure than deploying over X11, as it enforces application isolation at the GUI level.
 * I'll provide simple scripts to automate the EFI kernel creation process and keep your system up-to-date. The first of these handles conforming the kernel config for EFI encrypted boot (including setting the kernel command line correctly), creating the initramfs, building and signing the kernel, and installing it on the EFI system partition. The second  automates the process of updating your system software via  and associated tools. The scripts are shipped in an ebuild repository (aka 'overlay'), for easy deployment.
 * Lastly, detailed (optional) instructions for disabling the Intel Management Engine will be provided (for those with Intel-CPU-based PCs who find this out-of-band coprocessor an unacceptable security risk), as will instructions for fully sandboxing the popular web browser, using.

As mentioned, although this tutorial follows the format of the Gentoo Handbook in places (particularly at the beginning), it's structured so as to be self-contained - you should be able to walk through this process and, using only these instructions, end up with a fully functional, relatively secure dual-boot Windows 10 (or 8) + Gentoo / GNOME 3 machine when you're done.

Chapters
The chapters of this tutorial are listed below, together with a brief summary of each.

You need to work through the chapters sequentially, in order to complete the install successfully.


 * 1) Installation Prerequisites. First, we'll briefly review the things you'll need in order to carry out the install.
 * 2) Preparing Windows for Dual-Booting. Next, we'll reduce the amount of space Windows takes up on the target machine's hard drive, so there is room for our Gentoo system (and user data). We'll use tools already present in Windows to do this.
 * 3) Creating and Booting the Minimal-Install Image on USB. Then, per Chapter 2 of the Gentoo handbook, we'll download a minimal Gentoo image onto a USB key, and boot into it on our target PC (in EFI /  mode, with secure boot temporarily turned off).
 * 4) Setting Up Networking and Connecting via ssh. Next, per Chapter 3 of the handbook, we'll set up network access for our minimal system, and connect to it from a second, 'helper' PC via  (to ease installation).
 * 5) Preparing the LUKS-LVM Filesystem and Boot USB Key. After that, we'll create a GPG-protected keyfile on a second USB key, create a LUKS (encrypted) partition on the machine's hard drive protected with this key, and then create an LVM structure (root, home and swap) on top of this (achieving the goals of Chapter 4 of the handbook).
 * 6) Installing the Gentoo Stage 3 Files. Then, per Chapter 5 of the handbook, we'll download a Gentoo 'stage 3' minimal filesystem, and install it into the LVM root. We'll also set up your Portage build configuration.
 * 7) Building the Gentoo Base System Minus Kernel. Next, per Chapter 6 of the handbook, we'll complete some final preparations, then  into the stage 3 filesystem, update our Portage tree, and set a base profile, timezone and locale. We'll set up the  ebuild repository (which contains utilities to assist with the build), and install the first of these,  (a program to monitor parallel s). Then, we'll bootstrap the toolchain (simulating an old-school stage 1 install), rebuild everything in the  set, and verify that all libraries and executables have, in fact, been rebuilt. (Instructions are also provided for those who wish to skip bootstrapping.) We'll then set the 'real' GNOME profile (users on the OpenRC track will first add Dantrell B.'s ebuild repositories here), and then update the  set to reflect this.
 * 8) Configuring and Building the Kernel. Next (loosely following Chapter 7 of the handbook), we'll set up the necessary licenses, then download the Linux kernel sources and firmware. We'll then install (from the  ebuild repository) the  utility, configure it, and then use this to automatically build our (EFI-stub) kernel ( ensures our kernel command line is filled out properly, that the initramfs contains a static version of, that the kernel has all necessary  options set, etc.).
 * 9) Final Preparations and Reboot into EFI. Then, following Chapter 8 of the handbook, we'll set up, install a few other packages, set up a root password, then dismount the  and reboot (in EFI /  mode, or EFI /  mode, depending on the track) into our new system (secure boot will still be off at this stage). Users on the OpenRC track will branch off at the conclusion of this chapter.
 * 10) Configuring systemd and Installing Necessary Tools. With the machine restarted, we'll re-establish networking and the  connection, then complete the setup of 's configuration. Per Chapter 9 of the Gentoo handbook, we'll then install some additional system tools (such as ). Next, we'll install (from the  ebuild repository) the  utility, and use it to perform a precautionary update of the  set. Then, we'll reboot to check our  configuration. If successful, we'll invoke  again, to enable the  graphical boot splash, and restart once more to test it.
 * 11) Configuring Secure Boot. Next, we'll set up secure boot. First, we'll save off the existing state of the secure boot variables (containing Microsoft's public key-exchange-key, etc.). Then, we'll create our own platform, key-exchange and kernel-signing keypairs, and then reboot, en route using the BIOS GUI to enter setup mode (thereby clearing the variables, and enabling us to write to them). We'll then re-upload the saved keys, append our own set, and finally lock the platform with our new platform key. We'll then run  again, which will now be able to automatically sign our kernel. We'll reboot, enable secure boot in the BIOS, and verify that our signed kernel is allowed to run. Then, we'll reboot into Windows, and check we haven't broken its secure boot operation! Finally, we'll reboot back to Linux again (optionally setting a BIOS password as we do so).
 * 12) Setting up the GNOME 3 Desktop. Next, we'll set up your graphical desktop environment. We'll begin by creating a regular (non-root) user, per Chapter 11 of the handbook. Then, we'll activate the  USE flag globally, and update your system to reflect this, after which we'll install X11 and a simple window manager  (for test purposes). Using, we'll then reconfigure and rebuild the kernel to include an appropriate DRM graphics driver, and then reboot. Upon restart, we'll verify that the new DRM driver (which  requires) has been activated, and then test-run X11 (and a few trivial applications) under . Once working, we'll remove the temporary window manager, install GNOME 3 (and a few key applications), and configure and test it under X11. Then, we'll test it again under , refine a few settings (network, keyboard etc.), and then restart the machine and proceed with the install, working natively within GNOME thereafter.
 * 13) Final Configuration Steps. Next, we'll configure your kernel to properly handle all your target PC's devices. Although this setup will necessarily differ from machine to machine, a general methodology is provided, together with a concrete set of steps required for the Panasonic CF-AX3 (covering setup of its integrated WiFi, Bluetooth, touchscreen, audio and SD card reader). Thereafter, we'll cover some final setup points - namely, how to: prune your kernel configuration (and initramfs firmware) to remove bloat; get suspend and hibernate working properly; ensure that the correct  interpreter is set as the system default; and disable  (as the helper PC is no longer needed from this point).
 * 14) Using Your New Gentoo System. Now your dual-boot system is up and running, in this last chapter we'll cover a few miscellaneous (but important) topics (and options) regarding day-to-day use. We'll first recap how to boot from Linux to Windows (and vice versa), then discuss how to ensure your machine is kept up to date (using ). We'll also show how to migrate your kernel to the internal drive (Windows) EFI system partition if desired (and also, how to dispense with the USB key entirely, if single-factor passphrase security is sufficient). In addition, we'll briefly review how to tweak GNOME, and (per Chapter 11 of the handbook) where to go next (should you wish to install other applications, a firewall, etc.). Finally, a number of addendum "mini-guides" are provided, covering how to e.g., disable the Intel Management Engine on your target PC, and fully sandbox the  web browser, using.

As mentioned, an 'alternative track' is now also provided for chapters 10-14, for those users who wish to use GNOME with, rather than :
 * Alternative Track: Completing OpenRC Configuration and Installing Necessary Tools
 * Alternative Track: Configuring Secure Boot under OpenRC
 * Alternative Track: Setting up the GNOME 3 Desktop under OpenRC
 * Alternative Track: Final Configuration Steps under OpenRC
 * Alternative Track: Using Your New Gentoo System under OpenRC

Let's Get Started!
Ready? Then click here to go to the first chapter, "Installation Prerequisites".