Sakaki's EFI Install Guide
If you have a Windows 10 (or 8) machine that you'd like to dual-boot with Gentoo Linux and GNOME 3, you've come to the right place!
This detailed (and tested) tutorial shows how to set up just such a dual-boot system, where the Gentoo component:
- is fully encrypted on disk (LVM over LUKS, with dual-factor protection);
- uses UEFI secure boot;
- runs systemd & GNOME 3 (on Wayland);
- or OpenRC & GNOME 3 (ditto);
- can properly suspend and hibernate;
- has working drivers for touchscreen, webcam etc.;
- has (where appropriate) the Intel Management Engine disabled;
- and even has a graphical boot splash!
To keep things concrete, I'll be walking line-by-line through the setup of a particular machine, namely the Panasonic CF-AX3 Ultrabook; however, these instructions should be usable (with minor alterations) for many modern PCs (including desktops) which have a UEFI BIOS.
All commands that you'll need to type in are listed, and an ebuild repository (aka 'overlay') with some useful installation utilities is also provided.
While best read in tandem with the official Gentoo Handbook, this manual can also be used standalone.
These instructions may also be easily adapted for those wishing to use Gentoo Linux as their sole OS, rather than dual booting.
The install described in this tutorial attempts to follow the 'stock' process from the Gentoo Handbook where possible, but differs in a number of important respects. Specifically:
- The kernel will be configured to self-boot under UEFI; no separate bootloader is needed.
- For security, we will boot the kernel off of an external USB key (which can be removed once the boot has completed). If the USB key is absent on power-up, Windows will start automatically instead.
- Secure boot will be enabled. The kernel will be signed with our own, generated key (and the original Windows keys will be retained too).
- Gentoo's root, swap and home partitions will reside on LVM logical volumes, which themselves will live on a single LUKS (encrypted) partition on the GPT-formatted hard drive of the machine. We'll shrink the Windows C: NTFS partition to provide space for this.
- The LUKS partition will be unlocked by a keyfile at boot. The keyfile will be stored on the USB key together with the Gentoo kernel, and will itself be GPG-encrypted, so that both the file and its passphrase will be needed to access the (Gentoo) data on the hard drive. This provides a degree of dual-factor security against e.g., having the machine stolen with the USB key still in it, or even the existence of a keylogger on the PC itself (although not both at the same time!). (Using a provided utility, you can subsequently migrate the kernel onto the Windows EFI system partition on the main drive if desired, and also relax the security to use just a typed-in passphrase, so once installed you won't need to use a USB key at all if you don't want to.)
- We will create an initramfs to allow the GPG / LUKS / LVM stuff to happen in early userspace, and this RAM disk will be stored inside the kernel itself, so it will work under EFI with secure boot (we'll also, for reasons that will become clear later, build a custom version of gpg to use in this step).
- For all you source-code paranoiacs, the Gentoo toolchain and core system will be bootstrapped during the install (simulating an old-school stage-1) and we'll validate that all binary executables and libraries have indeed been rebuilt from source when done. The licence model will be set to accept free software only (and although I don't deblob the kernel, instructions for how to do so are provided - assuming your hardware will actually work without uploaded firmware!).
- All Gentoo repository syncs (including the initial emerge-webrsync) will be performed with gpg signature authentication. Unauthenticated protocols will not be used.
- The latest (3.24+) stable version of GNOME will be installed, using systemd for init (the existing handbook is quite OpenRC-centric). Incidentally, this will not require an interim GNOME 2 deployment.
- An alternative track is also provided, for those wishing to install GNOME 3 under OpenRC, via Dantrell B.'s patchset (this is, essentially, how Funtoo avoids having to use systemd for GNOME, and now his patchset is available for use with Gentoo too). Most of this tutorial is common to both tracks, and a short guide is provided at the appropriate point in the text, to help you choose which route is better for you.
- GNOME will be deployed on the modern Wayland platform (including XWayland support for legacy applications) — this is more secure than deploying over X11, as it enforces application isolation at the GUI level.
- I'll provide simple scripts to automate the EFI kernel creation process and keep your system up-to-date. The first of these (buildkernel) handles conforming the kernel config for EFI encrypted boot (including setting the kernel command line correctly), creating the initramfs, building and signing the kernel, and installing it on the EFI system partition. The second (genup) automates the process of updating your system software via emerge and associated tools. The scripts are shipped in an ebuild repository (aka 'overlay'), for easy deployment.
- Lastly, detailed (optional) instructions for disabling the Intel Management Engine will be provided (for those with Intel-CPU-based PCs who find this out-of-band coprocessor an unacceptable security risk), as will instructions for fully sandboxing the popular firefox web browser, using firejail.
Tutorials covering various elements of the above can be found in one or more places online, but it's difficult to get an end-to-end overview - hence the reason this guide was created.
As mentioned, although this tutorial follows the format of the Gentoo Handbook in places (particularly at the beginning), it's structured so as to be self-contained - you should be able to walk though this process and, using only these instructions, end up with a fully functional, relatively secure dual-boot Windows 10 (or 8) + Gentoo / GNOME 3 machine when you're done.
Backup all of your data before doing anything else, particularly if you have a lot of work stored on Windows already. The install process described here has been tested end-to-end, but is provided 'as is' and without warranty. Proceed at your own risk.
Tools like parted, dd and cryptsetup, which we'll be using, can vaporize data easily if misused. Please always double check that you are applying operations to the correct device / partition. We've all been there...
We will be using strong cryptography to protect your system. If you lose the LUKS keyfile, or forget the passphrase to unlock it, all your data will be gone, and even the NSA (probably!) won't be able to get it back. So keep backups of these critical elements too (in a safe place, of course)!
The chapters of this tutorial are listed below, together with a brief summary of each.
You need to work though the chapters sequentially, in order to complete the install successfully.
Don't worry if you don't immediately understand everything in the chapter summaries below: the concepts involved will be described in detail in the main body of the text.
- Installation Prerequisites. First, we'll briefly review the things you'll need in order to carry out the install.
- Preparing Windows for Dual-Booting. Next, we'll reduce the amount of space Windows takes up on the target machine's hard drive, so there is room for our Gentoo system (and user data). We'll use tools already present in Windows to do this.
- Creating and Booting the Minimal-Install Image on USB. Then, per Chapter 2 of the Gentoo handbook, we'll download a minimal Gentoo image onto a USB key, and boot into it on our target PC (in EFI / OpenRC mode, with secure boot temporarily turned off).
- Setting Up Networking and Connecting via ssh. Next, per Chapter 3 of the handbook, we'll setup network access for our minimal system, and connect in to it from a second, 'helper' PC via ssh (to ease installation).
- Preparing the LUKS-LVM Filesystem and Boot USB Key. After that, we'll create a GPG-protected keyfile on a second USB key, create a LUKS (encrypted) partition on the machine's hard drive protected with this key, and then create an LVM structure (root, home and swap) on top of this (achieving the goals of Chapter 4 of the handbook).
- Installing the Gentoo Stage 3 Files. Then, per Chapter 5 of the handbook, we'll download a Gentoo 'stage 3' minimal filesystem, and install it into the LVM root. We'll also set up your Portage build configuration.
- Building the Gentoo Base System Minus Kernel. Next, per Chapter 6 of the handbook, we'll complete some final preparations, then chroot into the stage 3 filesystem, update our Portage tree, and set a base profile, timezone and locale. We'll setup the sakaki-tools ebuild repository (which contains utilities to assist with the build), and install the first of these, showem (a program to monitor parallel emerges). Then, we'll bootstrap the toolchain (simulating an old-school stage 1 install), rebuild everything in the @world set, and verify that all libraries and executables have, in fact, been rebuilt. (Instructions are also provided for those who wish to skip bootstrapping). We'll then set the 'real' GNOME profile (users on the OpenRC track will first add Dantrell B.'s ebuild repositories here), and then update the @world set to reflect this.
- Configuring and Building the Kernel. Next, (loosely following Chapter 7 of the handbook), we'll setup necessary licenses, then download the Linux kernel sources and firmware. We'll then install (from the sakaki-tools ebuild repository) the buildkernel utility, configure it, and then use this to automatically build our (EFI-stub) kernel (buildkernel ensures our kernel command line is filled out properly, the initramfs contains a static version of gpg, that the kernel has all necessary systemd options set, etc.).
- Final Preparations and Reboot into EFI. Then, following Chapter 8 of the handbook, we'll set up /etc/fstab, install a few other packages, set up a root password, then dismount the chroot and reboot (in EFI / systemd mode, or EFI / OpenRC mode, depending on the track) into our new system (secure boot will still be off at this stage). Users on the OpenRC track will branch off at the conclusion of this chapter.
- Configuring systemd and Installing Necessary Tools. With the machine restarted, we'll re-establish networking and the ssh connection, then complete the setup of systemd's configuration. Per Chapter 9 of the Gentoo handbook, we'll then install some additional system tools (such as cron). Next, we'll install (from the sakaki-tools ebuild repository) the genup utility, and use it to perform a precautionary update of the @world set. Then, we'll reboot to check our systemd configuration. If successful, we'll invoke buildkernel again, to enable the plymouth graphical boot splash, and restart once more to test it.
- Configuring Secure Boot. Next, we'll set up secure boot. First, we'll save off the existing state of the secure boot variables (containing Microsoft's public key-exchange-key, etc.). Then, we'll create our own platform, key-exchange and kernel-signing keypairs, and then reboot, en route using the BIOS GUI to enter setup mode (thereby clearing the variables, and enabling us to write to them). We'll then re-upload the saved keys, append our own set, and finally lock the platform with our new platform key. We'll then run buildkernel again, which will now be able to automatically sign our kernel. We'll reboot, enable secure boot in the BIOS, and verify that our signed kernel is allowed to run. Then, we'll reboot into Windows, and check we haven't broken its secure boot operation! Finally, we'll reboot back to Linux again (optionally setting a BIOS password as we do so).
- Setting up the GNOME 3 Desktop. Next, we'll setup your graphical desktop environment. We'll begin by creating a regular (non-root) user, per Chapter 11 of the handbook. Then, we'll activate the wayland USE flag globally, and update your system to reflect this, after which we'll install X11 and a simple window manager (twm) (for test purposes). Using buildkernel, we'll then reconfigure and rebuild the kernel to include an appropriate DRM graphics driver, and then reboot. Upon restart, we'll verify that the new DRM driver (which wayland requires) has been activated, and then test-run X11 (and a few trivial applicators) under twm. Once working, we'll remove the temporary window manager, install GNOME 3 (and a few key applications), and configure and test it under X11. Then, we'll test it again under wayland, refine a few settings (network, keyboard etc.), and then restart the machine and proceed with the install, working natively within GNOME thereafter.
- Final Configuration Steps. Next, we'll configure your kernel to properly handle all your target PC's devices. Although this setup will necessarily differ from machine to machine, a general methodology is provided, together with a concrete set of steps required for the Panasonic CF-AX3 (covering setup of its integrated WiFi, Bluetooth, touchscreen, audio and SD card reader). Thereafter, we'll cover some final setup points - namely, how to: prune your kernel configuration to remove bloat; get suspend and hibernate working properly; ensure that the correct python interpreter is set as the system default; and disable sshd (as the helper PC is no longer needed from this point).
- Using Your New Gentoo System. Now your dual-boot system is up and running, in this last chapter we'll cover a few miscellaneous (but important) topics (and options) regarding day-to-day use. We'll first recap how to boot from Linux to Windows (and vice versa), then discuss how to ensure your machine is kept up to date (using genup). We'll also show how to migrate your kernel to the internal drive (Windows) EFI system partition if desired (and also, how to dispense with the USB key entirely, if single-factor passphrase security is sufficient). In addition, we'll briefly review how to tweak GNOME, and (per Chapter 11 of the handbook) where to go next (should you wish to install other applications, a firewall, etc.). Finally, a number of addendum "mini-guides" are provided, covering how to e.g., disable the Intel Management Engine on your target PC, and fully sandbox the firefox web browser, using firejail.
As mentioned, an 'alternative track' is now also provided for chapters 10-14, for those users who wish to use GNOME with OpenRC, rather than systemd:
- Alternative Track: Completing OpenRC Configuration and Installing Necessary Tools
- Alternative Track: Configuring Secure Boot under OpenRC
- Alternative Track: Setting up the GNOME 3 Desktop under OpenRC
- Alternative Track: Final Configuration Steps under OpenRC
- Alternative Track: Using Your New Gentoo System under OpenRC
The decision about which init system (systemd or OpenRC) to use does not need to be made until Chapter 7 (where a brief summary of the pros and cons of each will be provided, to help you decide).
Let's Get Started!
Ready? Then click here to go to the first chapter, "Installation Prerequisites".
As is hopefully clear from the above, this tutorial covers a detailed, end-to-end installation walkthrough.
If you are searching for more concise, topic-based EFI, systemd or GNOME installation information, the following Wiki pages may be of use to you instead:
If you have recently upgraded dev-libs/libgcrypt to version >= 1.6, and found yourself thereby locked out of your (Whirlpool-hashed) LUKS partition, please see this short guide on how to recover.
Comments, suggestions and feedback about this guide are welcomed! You can use the "Discussion" tab (of whatever is the most relevant page) for this purpose. On most browsers, you can use ShiftAltt as a shortcut to access this.
While the MediaWiki source for individual pages of this guide may most easily be edited or viewed on the Gentoo Wiki directly, for ease of download the full page set is also maintained on GitHub, here.
- As the ME is disabled via an (optional) system firmware modification, it will remain inactive even when booted into Windows.
- Funtoo Linux Discussion Forums: "GNOME 3.12 is HERE..."
- For avoidance of doubt, in this guide 'disabled' has the same meaning as 'neutralized and disabled' in the Purism Inc. Blog: "Deep Dive into Intel Management Engine Disablement"
- TechCrunch: "Encrypting Your Email Works, Says NSA Whistleblower Edward Snowden"