Sakaki's EFI Install Guide/Creating and Booting the Minimal-Install Image on USB

From Gentoo Wiki

We can now proceed to download, verify and use the Gentoo minimal install image. This is a bootable, self-contained Linux system ISO disk image, updated regularly by Gentoo Release Engineering. As the name suggests, you can boot your target PC with it and, assuming you have internet access, parlay from there to a full Gentoo installation.

This section shadows Chapter 2 of the Gentoo handbook.

For simplicity, I'll assume you're doing this on your secondary, helper PC, which is running Linux. I'll denote that machine as pc2 in the command prompts.

Downloading and Verifying the ISO Image

Firstly, identify the name of the current release of the minimal install ISO (we'll refer to it using the generic form install-amd64-minimal-YYYYMMDDThhmmssZ.iso below). New versions come out multiple times per year. Open the link in a browser to determine the current name.

The variant part of the name is a timestamp — the first component of which is a date, then a 'T' separator, then a time, then finally a 'Z' (to denote UTC, or 'zero hours offset'). So for example, a real filename might be install-amd64-minimal-20180107T214502Z.iso, indicating that it was written at 9:45pm (and 2 seconds), on the 7th of January 2018.
We'll be using the amd64 architecture (processor family) in what follows. The reference to 'amd' is an historical artefact; all modern 64-bit x86 CPUs (including those from Intel) should use this architecture in Gentoo.

Open a terminal window on the helper PC, and download the necessary files (the ISO, a contents list for that ISO, and a signed digest list):

Of course, substitute the correct release timestamp (which you just looked up) for YYYYMMDDThhmmssZ in the above commands.

This may take a little time to complete, depending on the speed of your Internet link.

We next need to check the integrity of the ISO, before using it. The install-amd64-minimal-YYYYMMDDThhmmssZ.iso.DIGESTS.asc file contains cryptographically signed digests (using various hash algorithms) for two other files you have downloaded.

As such, to verify the ISO we must:

  1. download the public key used for Gentoo automated weekly releases (if you don't already have this on your helper PC);
  2. check the signature of the install-amd64-minimal-YYYYMMDDThhmmssZ.iso.DIGESTS.asc file using this key; and then
  3. check that the hashes (digests) contained in that file agree with values that we compute independently.
For a brief primer on digital signatures, see the "Configuring Secure Boot" chapter of this tutorial.

The fingerprint of the automated weekly release public key may be found on the Gentoo Release Engineering page. When requesting the key from a keyserver, you don't need to cite the whole fingerprint, just enough of it to be unambiguous. For example, at the time of writing, the automated release key fingerprint was 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910, so to download it (step 1 in the above list), issue:

user@pc2 $gpg --keyserver --recv-key 2D182910
If this command fails, ensure you have enabled outbound access on your firewall for port 11371/tcp to allow HKP communication, along with the usual state-tracking input rule.
Alternatively, you can use the following command, to fetch the key over port 80 (which should be open on most firewalls):
user@pc2 $gpg --keyserver hkp:// --recv-key 2D182910
If the above keyserver is unavailable for some reason, you should be able to use any other one, such as for example.
If the fingerprint has changed, substitute the correct value for 2D182910 in the above.

You should next verify that the key's full fingerprint matches that listed on the Release Engineering page:

user@pc2 $gpg --fingerprint 2D182910
pub   rsa4096 2009-08-25 [SC] [expires: 2019-08-22]
      13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <>
Although correct at the time of writing, the key ID you need to enter in the above command may differ from 2D182910, as may the fingerprint data shown. Always use the Release Engineering page data as your primary reference.

If all looks good, use the gpg program to verify the digest file (step 2):

user@pc2 $gpg --verify install-amd64-minimal-YYYYMMDDThhmmssZ.iso.DIGESTS.asc
Substitute the correct release timestamp for YYYYMMDDThhmmssZ in the above command.
You can ignore gpg output such as:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This is normal since you have just imported the public key, and not yet 'trusted' it.[1]

Assuming that worked (the output reports 'Good signature'), next check the digests themselves (step 3); we'll use the SHA512 variants here:

user@pc2 $awk '/SHA512 HASH/{getline;print}' install-amd64-minimal-YYYYMMDDThhmmssZ.iso.DIGESTS.asc | sha512sum --check
Substitute the correct release timestamp for YYYYMMDDThhmmssZ in the above command.

If this outputs:

install-amd64-minimal-YYYYMMDDThhmmssZ.iso: OK
install-amd64-minimal-YYYYMMDDThhmmssZ.iso.CONTENTS: OK

then continue, all is well.
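
Steps 2 and 3 can be scripted so that the signature is tied to the expected fingerprint and the hashes are taken from the text gpg actually verified, rather than from the raw .asc file. This is an added example, not part of the original guide; the function names are hypothetical, and EXPECTED_FPR is the fingerprint quoted above, which must be replaced by the current Release Engineering value.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: steps 2 and 3 as one check.
# EXPECTED_FPR is the fingerprint quoted in this guide with the spaces removed;
# take the current value from the Release Engineering page before relying on it.
EXPECTED_FPR=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910

# Reads gpg --status-fd output on stdin. Succeeds only if a VALIDSIG line names
# $1 as the primary key fingerprint (the last field of that line).
signed_by() {
    awk -v want="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
                      END { exit !ok }'
}

# Reads digest-list text on stdin; prints the line after each SHA512 header.
sha512_lines() {
    awk '/SHA512 HASH/ { getline; print }'
}

# $1 = verified digest-list text, $2 = ISO file name (in the current directory).
# Fails if the ISO is not listed at all, or if any listed file does not match.
check_digests() {
    local lines
    lines=$(printf '%s\n' "$1" | sha512_lines)
    printf '%s\n' "$lines" | awk -v f="$2" '$2 == f { ok = 1 } END { exit !ok }' || return 1
    printf '%s\n' "$lines" | sha512sum --check
}

# $1 = ISO file name. gpg writes the signed text to stdout and its status lines
# to fd 3, so the hashes checked are exactly the bytes the signature covers.
verify_iso() {
    local status signed rc
    status=$(mktemp) || return 1
    signed=$(gpg --batch --status-fd 3 --decrypt "$1.DIGESTS.asc" 3>"$status") &&
        signed_by "$EXPECTED_FPR" <"$status" &&
        check_digests "$signed" "$1"
    rc=$?
    rm -f "$status"
    return $rc
}
```

Run `verify_iso install-amd64-minimal-YYYYMMDDThhmmssZ.iso` in the download directory; a zero exit status means the pinned key signed the list and both files match it.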

Copying the ISO Image to USB

Next, we need to copy the ISO onto a USB key (the image is already hybrid[2]).

Just before inserting the USB key (the larger one) into the helper PC, issue:

user@pc2 $lsblk

Note the output, then insert the USB key, and issue:

user@pc2 $lsblk

again. The change in output will show you the key's device path (note that the initial /dev/ prefix is not shown in the lsblk output). We will refer to this path in these instructions as /dev/sdX, but in reality on your system it will be something like /dev/sdb, /dev/sdc etc.

If the device has automounted, and lsblk shows that the device has a non-blank mountpoint for one or more of its partitions, you must unmount these, using umount, before proceeding.

For example, suppose the USB key showed up as /dev/sdb on your system, and its first partition /dev/sdb1 automounted (at /var/run/media/user/myusbkey or some similar path). Then you would issue:

user@pc2 $umount --verbose /dev/sdb1

to unmount it.

If you have problems, you may need to run the umount as the root user.

Next, we will write the ISO image to the USB key. This will require root access, so issue:

user@pc2 $su --login root
Password: <enter root password (on helper PC)>

Now you can write the ISO image to the USB key (note, we use a larger than default block size here, for efficiency). Issue:

root@pc2 #dd if=/tmp/install-amd64-minimal-YYYYMMDDThhmmssZ.iso of=/dev/sdX bs=8192k status=progress && sync

Wait for the process to complete before continuing.

This will wipe everything on the USB key. Double check that there is nothing on there you want before proceeding. Make sure you have the correct device path! Note also that we need to target the device itself, and not a partition within it, so for /dev/sdX in the above command, use e.g. /dev/sdb and not /dev/sdb1; /dev/sdc and not /dev/sdc1, etc.
Substitute the correct release timestamp for YYYYMMDDThhmmssZ in the above command.
You can safely omit the status=progress option, if it is not supported in your version of dd.
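
The lsblk before/after comparison and a post-write readback can be scripted as follows. This is an added example, not part of the original guide; new_disks and readback_ok are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide.

# $1, $2 = files holding `lsblk -dno NAME,TYPE` output saved before and after
# inserting the key. Prints the /dev path of each whole disk seen only in $2,
# so a partition such as sdb1 can never be picked as the dd target.
new_disks() {
    awk 'NR == FNR { seen[$1] = 1; next }
         $2 == "disk" && !($1 in seen) { print "/dev/" $1 }' "$1" "$2"
}

# $1 = ISO path, $2 = device (or file) it was written to. Reads back exactly as
# many bytes as the ISO holds and compares SHA512 digests of the two streams.
# Needs root when $2 is a real block device.
readback_ok() {
    local size want got
    size=$(( $(wc -c <"$1") )) || return 1
    want=$(sha512sum <"$1" | cut -d' ' -f1)
    got=$(head -c "$size" "$2" | sha512sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}
```

Unplug and reinsert the key before calling readback_ok, so that the bytes are read from the device itself and not from the kernel's page cache.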

Booting the ISO Image

Although the minimal install image does include an EFI directory, the .efi images within it are unusable for booting.[3] As such, we'll proceed by first booting the USB key we just created using the UEFI's 'legacy' / CSM mode. (Of course, the kernel we'll ultimately create will (secure) boot under EFI.)

So, to proceed, take the USB key from the helper PC (where we just dd'd it) and insert it into the target PC. The latter is still running Windows, and you need to reboot it into the BIOS setup GUI. There are two ways to do this; choose the one that suits you:

Either: Use Windows boot options menu.
This is the easier method (particularly if your target machine is using the 'fast boot' option with Windows).[4] In Windows, hit Ctrl+Alt+Delete, then click on the power icon at the bottom right of the screen, and then while holding down Shift, click 'Restart' from the pop-up menu. This will pass you into the Windows boot options menu. Once this comes up (and asks you to 'Choose an option'), click on the 'Troubleshoot' tile, which brings up the 'Advanced options' panel (in Windows 10, you have to click on the 'Advanced options' tile to show this): from this, click on 'UEFI Firmware Settings', and confirm if prompted. Your machine will then restart into the BIOS GUI directly (no hotkeys required) and you can proceed.
Or: Use the BIOS hotkey.
This is a less reliable method, since you are racing the OS loading process. To use it, hit Ctrl+Alt+Delete from within Windows, then click on the power icon at the bottom right of the screen, and choose 'Restart' from the pop-up menu to perform a regular restart. Then, immediately the target PC starts to come back up, press the appropriate hotkey to enter the BIOS setup GUI. Unfortunately, the required hotkey varies greatly from machine to machine (as does the BIOS user interface itself). On the Panasonic CF-AX3, press F2 during startup (you may need to press it repeatedly).

Once you have the BIOS configuration GUI up, you need to perform the following steps:

  1. disable EFI boot mode;
  2. enable legacy / CSM boot mode;
  3. set the machine to look first at any inserted USB keys, when searching for a bootloader.

The precise steps to achieve this will depend on your BIOS. On the CF-AX3, use the arrow keys to move to the 'Boot' tab, then, as shown below, navigate down to the 'UEFI Boot' item, and press Enter. In the popup that appears, select 'Disabled' using the arrow keys, and press Enter. This switches the system out of UEFI mode and into legacy / CSM boot (steps 1 and 2 in the list above).

Next, move down using the arrow keys to the 'Boot Option #1' item (as shown below). Press Enter and select 'USB KEY' from the pop-up menu that appears, then press Enter. This ensures that any inserted USB key will be searched for a bootable system before the internal hard drive (step 3). (If you don't do this, you'll simply be dumped back into Windows when you restart.)

Switching Back to Legacy Boot...
...And Setting Boot Order Under the AMT BIOS

Finally, instruct the BIOS to save these changes and restart (with the USB key still inserted). Again, the method varies from machine to machine; on the Panasonic CF-AX3, hit F10, and confirm when prompted.

Hopefully, you'll now see the ISOLINUX boot prompt (and the machine will beep at you). Unless you want to enter custom boot options, simply press Enter to proceed. After a few seconds (and before you are provided with a command prompt), you'll be asked to choose a keymap. It's important, particularly on a machine with a non-standard keyboard layout such as the CF-AX3, to get this right, otherwise you may have problems with passwords and so forth. Again, the correct map to choose will obviously depend on your machine but, on the Panasonic CF-AX3, type 22 and press Enter to select the Japanese keymap.

A few seconds later, you should have a Gentoo Linux root command prompt. Now, we'll set up a root password (this is only for use during the install; it will not persist across into the final system).

livecd ~ #passwd root
New password: <enter your new password>
Retype new password: <enter your new password again>
passwd: password updated successfully

Make a note of the password, as you will require it shortly.

Setting the Date and Time

It's important to ensure that you have the correct time and date on your target machine. Check it with:

livecd ~ #date

Per the handbook, you should stick with UTC for now (the real timezone specification will come later in the install). If necessary, set the date and time, in MMDDhhmmYYYY format (Month, Day, hour, minute, year):

livecd ~ #date MMDDhhmmYYYY
Substitute MMDDhhmmYYYY in the above with the correct date/time string. For example, to set the UTC date/time to 5:12pm on February 9th 2017, you would issue:
livecd ~ #date 020917122017

Next Steps

Next, we'll set up the network and get an SSH daemon running. Click here to go to the next chapter, "Setting Up Networking and Connecting via ssh".

