User:Brendlefly62/Radxa x4 N100 sbc with RP2040/Assemble a Gentoo System

Find or create a new Gentoo LiveUSB boot device

Gentoo LiveUSB

Mount X4 board on cooler and insert bootable "LiveUSB" device. Apply power via USB-C PSU

Boot up using the LiveUSB (liveCD iso image)
verify that ethernet network is started, or start it as instructed
set root password and start sshd

LiveCD #passwd

LiveCD #

/etc/init.d/sshd start

connect via ssh

user $ssh root@liveCD

Layout media and install base system

use lsblk or blkid to verify the availability of the target block device (e.g. /dev/nvme0n1)
use fdisk to create a new gpt partition table and lay out as needed
for broad interoperability, this system was set up with -
- 4M bios boot partition
- 250M EFI System partition
- 500M Linux /boot partition
- device remainder (119GB) luks encrypted root file system built with lvm

The resulting layout is

liveCD #fdisk -l /dev/nvme0n1

Disk model: KBG40ZNS128G NVMe KIOXIA 128GB          
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 2E29CDD5-2BD7-8047-868B-05BFA27F25E9

Device           Start       End   Sectors   Size Type
/dev/nvme0n1p1    2048     10239      8192     4M BIOS boot
/dev/nvme0n1p2   10240    522239    512000   250M EFI System
/dev/nvme0n1p3  522240   1546239   1024000   500M Linux filesystem
/dev/nvme0n1p4 1546240 250068991 248522752 118.5G Linux LVM

use mkfs to format and label the efi and boot partitions

liveCD #mkfs.vfat -nefi_fs /dev/nvme0n1p2

liveCD #mkfs.ext4 -Lboot_fs /dev/nvme0n1p3

use dd to prepare the root_fs partition for luks encryption

liveCD #dd if=/dev/urandom of=/dev/nvme0n1p4 bs=4M status=progress

...(this may take a while)

use cryptsetup and lvm to lay out the rest of the system's block device storage

liveCD #cryptsetup luksFormat /dev/nvme0n1p4

...(provide a passphrase)

mount external device holding additional encryption key

mount external keying device

liveCD #mount /dev/sda1 /mnt/thumb

...

add external key to next key slot in luks device

liveCD #cryptsetup luksAddKey /dev/nvme0n1p4 /mnt/thumb/<path-to-keyfile>

...(provide passphrase to add the key)

open the new luks device

now use the external keying device to open the newly formatted luks device (note: example creates new device "evp4," but the name is arbitrary - choose one that suits the project)

liveCD #cryptsetup luksOpen -d /mnt/thumb/<path-to-keyfile> /dev/nvme0n1p4 evp4

...

create pv, vg, and lvs

use lvm to create a physical volume (pv), volume group (vg) and several logical volumes (lv). (name and size as appropriate for the project)

liveCD #

pvcreate /dev/mapper/evp4

liveCD #

vgcreate vg_x401 /dev/mapper/evp4

liveCD #

lvcreate -L40G    -nusr     vg_x401

liveCD #

lvcreate -L40G    -nvar     vg_x401

liveCD #

lvcreate -L5G      -nhome vg_x401

liveCD #

lvcreate -L4G      -nopt     vg_x401

liveCD #

lvcreate -L6G      -nswap  vg_x401

liveCD #

lvcreate -L10G    -ntmp    vg_x401

liveCD #

lvcreate -L13.5G -nroot   vg_x401

format logical volumes

liveCD #

yes | for x in /dev/mapper/vg_x401-*; do fs=$(echo $x | sed 's|/dev/mapper/vg_x401-||'); mkfs.ext4 -L"${fs}_fs" $x; done

liveCD #

mkswap /dev/mapper/vg_x401-swap

liveCD #

swapon /dev/mapper/vg_x401-swap

now mount the new file system's devices, install base system, and chroot

liveCD #

mount /dev/mapper/vg_x401-root /mnt/gentoo

liveCD #

cd /mnt/gentoo

liveCD #nano mount-the-rest.new

FILE /mnt/gentoo/mount-the-rest.new

#!/bin/bash
# mount-the-rest.new - makes re-mounting system devices easier when this needs to be iterated
root_vg=vg_x401
mountpoint=/mnt/gentoo
boot_partuuid=&lt;paste-from-blkid&gt;
efi_partuuid=&lt;paste-from-blkid&gt;

for x in $(lvs | grep ${root_vg} | grep -v 'root\|swap\|extra' | awk '{print $1}')
do
  # if the mount point doesn't exist, create it, then mount it
  [ ! -d ${mountpoint%/}/$x ] && echo "mkdir ${mountpoint%/}/$x..." && mkdir ${mountpoint%/}/$x
  mount /dev/mapper/${root_vg&#125;-$x ${mountpoint%/}/$x
done

echo "here is what I mounted..."
mount | grep ${mountpoint}
echo
echo "mount /boot and /efi as below (or AFTER chroot)(see fstab)"
echo "   # mount PARTUUID=${efi_partuuid} ${mountpoint%/}/efi"
echo "   # mount PARTUUID=${boot_partuuid} ${mountpoint%/}/boot"

liveCD #chmod +x mount-the-rest.new

liveCD #./mount-the-rest.new

copy/paste to mount the efi and boot partitions
install stage 3^[1] per Gentoo handbook
continue per handbook, with compile configuration (make.conf)
prepare to chroot, per handbook
- (resolv.conf)
- mount necessary file systems (make this easily repeatable)

liveCD #nano /mnt/gentoo/chroot-prep

FILE /mnt/gentoo/chroot-prep

mount -t proc proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-rslave /mnt/gentoo/run

rm -r /dev/shm && mkdir /dev/shm
mount -t tmpfs -o nosuid,nodev,noexec shm /dev/shm
chmod 1777 /dev/shm

liveCD #chmod +x /mnt/gentoo/chroot-prep

liveCD #./chroot-prep

now execute the chroot (again, make this easily repeatable)

liveCD #nano /mnt/gentoo/chroot-commands

FILE /mnt/gentoo/chroot-commands

chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(chroot) $PS1"

liveCD #cat /mnt/gentoo/chroot-commands

Tip
copy the three output lines and "paste" them back to stdin (command line) to execute them, to save on typing them out

Continue Installation, per handbook

emerge-sync, read news, set profile
configure timezone, locales, etc

Install joetoo repository

install git, eselect-repository, and the joetoo repo

(chroot) LiveCD #

emerge -av dev-vcs/git app-eselect/eselect-repository

(chroot) LiveCD #

eselect repository add joetoo git https://github.com/JosephBrendler/joetoo.git

(chroot) LiveCD #emerge --sync joetoo

set up binhost peers if applicable

FILE /etc/portage/binrepos.conf/joetoo_n100_binhosts.conf

[peer1]
priority = 9999
sync-uri = https://peer1.domain/packages/x86_64-pc-linux-gnu-n100-packages/

[peer2]
priority = 9999
sync-uri = https://peer2.domain/packages/x86_64-pc-linux-gnu-n100-packages/

# caution: verify same compiler (-march, etc) settings in make.conf 
# and same CPU_FLAGS_X86 in /etc/portage/package.use/00cpu-flags
# before adding binhosts for binary package sharing like this

# also note that it may be necessary to load CA certificate for each of these binhosts

Prepare to install software

Configure system USE flags and accept_keywords

Tip
the meta package joetoo-base/joetoo-meta will install template configuration files. If desired, the basic USE and accept_keywords files can be tailored prior to the installation of joetoo-meta. They can be found in the files directory of the joetoo-meta ebuild

root #nano /etc/portage/package.use/joetoo

Expand

# This package.use file enables the tailored configuration of a joetoo system
# This package.use file enables the tailored configuration of a joetoo system
#
#-----[ USE specific to joetoo-meta ]------------------------
# The main point of meta-package USE flags is to reduce
#   what you have to manually install/specify in your @world set (/var/lib/portage/world)
#
# joetoolkit .................: Pull in joetoo's joetollkit package
# headless ...................: Configure joetoo for use as a headless server
# plasma .....................: (to do) Configure joetoo for use with a plasma desktop
# gnome ......................: (to do) Configure joetoo for use with a gnome desktop
# innercore ..................: Pull in baseline packages required by the headless meta
# lamp .......................: Pull in packages required for a LAMP server
# mysql ......................: (default) Pull in the mysql database and required components
# mariadb ....................: Pull in the mariadb database and required components
# nextcloud ..................: Pull in the nextcloud package and its dependencies
# ntp ........................: Pull in ntp to sync with time source
# samba ......................: Pull in samba for wins, file service, etc.
# chrony .....................: Pull in chrony to sync with time source
# sysklogd ...................: Pull in sysklogd as system logger
# syslog-ng ..................: Pull in syslog-ng as system logger
# netifrc ....................: Pull in netifrc to manage network
# networkmanager .............: Pull in networkmanager to manage network
# mkinitramfs ................: Pull in joetoo's initramfs builder and required components
# jus ........................: Pull in the joetoo update sequence script and dependencies
# script_header_brendlefly ...: Pull in the joetoo script header
# compareConfigs .............: Pull in the joetoo's initramfs builder and required componen>
# Terminal ...................: Pull in the joetoo Terminal c++ shared obj library and test program
# cloudsync ..................: Cron script to sync content, scripts, binary packages across multiple servers
# domU........................: Pull in joetoo's sys-kernel/linux-domU_oetoo_kernelimage
# sbc ........................: Tailor for single board computer (SBC) system, require board model sele>
# Note: with USE "sbc", you must also set USE for exactly one of the supported board model names
#   bcm2708-rpi-b ..............: Tailor for Raspberry Pi B  (armv7/32)
#   bcm2709-rpi-2-b ............: Tailor for Raspberry Pi 2 B  (armv7/32)
#   bcm2710-rpi-3-b ............: Tailor for Raspberry Pi 3 B v1.2 (armv7/32)
#   bcm2710-rpi-3-b-plus .......: Tailor for Raspberry Pi 3 B Plus (armv8/64)
#   bcm2711-rpi-4-b ............: Tailor for Raspberry Pi 4 B (armv8/64)
#   bcm2712-rpi-5-b ............: Tailor for Raspberry Pi 5 B (armv8/64)
#   rk3288-tinker-s ............: Tailor for Tinkerboard s (armv7/32)
#   rk3399-rock-pi-4c-plus .....: Tailor for Rock Pi 4c Plus (armv8/64)
#   rk3399-tinker-2 ............: Tailor for Tinkerboard 2/2s (armv8/64)
#   rk3588s-orangepi-5 .........: Tailor for OrangePi 5/5b (armv8/64)
#   rk3588s-rock-5c... .........: Tailor for Rock 5c (armv8/64)
#
# The default for >=joetoo-base/joetoo-meta-0.0.1::joeto (below) should be good for a new amd64 install
#   start point with no USE flags specified; add more later.  The default will currently resolve to --
#    +innercore
#    +joetoolkit
#    +headless -plasma -gnome
#    -lamp -nextcloud -mysql -mariadb
#    +cloudsync
#    +mkinitramfs +jus
#    +netifrc -networkmanager
#    -ntp +chrony
#    +sysklogd -syslog-ng
#    +script_header_brendlefly
#    -compareConfigs -Terminal
#    -domU
#    -samba
#    -sbc
#      -bcm2712-rpi-5-b -bcm2711-rpi-4-b -bcm2710-rpi-3-b
#      -bcm2710-rpi-3-b-plus -bcm2709-rpi-2-b bcm2708-rpi-b
#      -rk3288-tinker-s -rk3399-rock-pi-4c-plus -rk3399-tinker-2
#      -rk3588s-orangepi-5 -rk3588s-rock-5c
#
#>=joetoo-base/joetoo-meta-0.0.1::joetoo
>=joetoo-base/joetoo-meta-0.0.1::joetoo plasma -headless lamp mkinitramfs mysql netifrc -networkmanager nextcloud ntp sysklogd -sbc -chrony

#-----[ specific to joetoo system setup ]------------------------
# This section allows you to configure packages that exist only in the joetoo github overlay
app-portage/jus eix distcc
dev-util/mkinitramfs -bogus
dev-util/compareConfigs scripts testdata
dev-util/script_header_brendlefly extended niopt
dev-util/Terminal examples

dev-util/joetoolkit iptools -xenvmfiles backup_utilities -utility_archive

sys-kernel/kernelupdate dom0

#-----[ standardized for baseline joetoo setup ]------------------------
# This section allows you to configure packages that joetoo developers have chosen as joetoo baseline
dev-libs/openssl tls-heartbeat zlib -bindist
net-misc/openssh pam pie ssl -bindist -hpn -security-key
sys-apps/busybox mdev math -static
sys-fs/cryptsetup openssl udev urandom
sys-fs/lvm2 lvm readline thin -udev
# use below instead for a xen pv domU
#sys-apps/busybox -pam -static -debug -ipv6 -livecd -make-symlinks -math -mdev -savedconfig -sep-usr -syslog -systemd

#-----[ standardized for additional joetoo setup ]------------------------
# This section establishes the defaults for joetoo and allows you to configure packages in ways that
# differ from those default choices that joetoo developers have made
app-emulation/qemu bzip2 lzo ncurses pin-upstream-blobs seccomp threads usb vhost-net vnc xattr -xen -debug gtk -pulseaudio -test doc keyutils nls plugins sdl-image smartcard ssh vte zstd
app-emulation/xen -custom-cflags -debug -efi -flask
app-emulation/xen-tools api -custom-cflags -debug -doc -flask hvm ocaml -ovmf pam -pygrub -python qemu qemu-traditional screen -sdl -static-libs -system-qemu -xend
>=app-eselect/eselect-php-0.9.5 apache2 fpm
app-misc/pax-utils python
app-portage/gemato blake2 bzip2 gpg lzma sha3
dev-lang/php acl apache2 bcmath bzip2 cgi cli crypt ctype curl enchant fileinfo filter flatfile fpm gd gdbm gmp hash iconv intl ipv6 jit json ldap mysql mysqli odbc opcache pdo phar posix readline session simplexml sockets spell sqlite ssl sysvipc threads tokenizer truetype unicode xml xmlreader xmlwriter xpm zip zlib -snmp
>=dev-lang/python-2.7.17-r1:2.7 sqlite
dev-libs/boost threads python tools
>=dev-libs/libpcre2-10.39-r1 jit pcre32
>=dev-libs/libxml2-2.9.9-r3 python
>=media-gfx/imagemagick-7.0.10.46 bzip2 cxx perl png tiff truetype xml zlib -openmp -svg
media-libs/freetype harfbuzz
>=media-libs/tiff-4.6.0-r1 jpeg
net-firewall/iptables conntrack netlink
net-fs/samba acl aio caps client examples fam gnutls netapi pam readline server smbclient smbsharemodes syslog winbind -cups
>=net-misc/curl-7.21.5 -gnutls
net-nds/openldap crypt cxx gnutls ipv6 odbc perl samba sasl sha2 ssl syslog
net-vpn/openvpn ssl
net-wireless/wpa_supplicant dbus gnutls readline ssl -qt5
sys-apps/kmod lzma tools zlib
sys-apps/portage gentoo-dev ipc native-extensions rsync-verify xattr
>=sys-block/parted-3.4 readline device-mapper
sys-boot/grub device-mapper efiemu fonts ncurses sdl themes truetype
sys-devel/binutils multitarget
sys-devel/distcc crossdev hardened
>=sys-devel/gcc-11.2.1_p20220115 fortran hardened go rust objc objc++ default-stack-clash-protection default-znow
sys-kernel/gentoo-sources symlink
virtual/linux-sources firmware
www-apache/mod_security fuzzyhash geoip
www-apps/nextcloud curl -imagemagick mysql vhosts
www-servers/apache threads
sys-kernel/installkernel -dracut
sys-kernel/linux-firmware -initramfs

#-----[ standardized TARGETS for joetoo ]-------------------------------
# This section is self-explanatory.  Note that default CPU flags are set in the included file
# /etc/portage/package.use/00cpu_flags and are commented out by default because they depend on arch
# Note that many other standardized configuration choices are provided in the included default
# make.conf file
*/* PYTHON_TARGETS: -python2_7
*/* APACHE2_MPMS: event
app-text/mandoc -cgi

Verify CPU_FLAGS and COMMON_FLAGS with cpuid2cpuflags and resolve-march-native

root #nano /etc/portage/make.conf

COMMON_FLAGS=" -O2 -pipe"
COMMON_FLAGS=${COMMON_FLAGS}" -march=alderlake -mabm -mno-cldemote -mno-hreset -mno-kl -mno-pconfig -mno-sgx -mno-widekl -mshstk --param=l1-cache-line-size=64 --param=l1-cache-size=32 --param=l2-cache-size=6144"

root #nano /etc/portage/package.use/00cpu-flags

*/* CPU_FLAGS_X86: aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 ssse3 vpclmulqdq

Install dev-embedded/sbc-headless-meta::joetoo with USE including "joetoo rk3588s-rock-5c" (also opt out of getting kernel and boot firmware, for now)

root #emerge -av joetoo-base/joetoo-meta

This will install standard software according to USE flags, and basic joetoo .conf files for these software packages. ==> configure those

root #dispatch-conf

Install tools

Install dev-util/joetoolkit::joetoo and use get_my_cflags.sh to double-check

build a custom kernel and initramfs and reboot

build the kernel

Follow the handbook to build a kernel. Note that while chrooted from the LiveCD, it is possible to use localmodconfig or localyesconfig

(chroot) LiveCD #

emerge -av1 gentoo-sources # if not already done

(chroot) LiveCD #

eselect kernel list

(chroot) LiveCD #

eselect kernel set n

(chroot) LiveCD #

cd /usr/src/linux

(chroot) LiveCD #

make localyesconfig    ## see note

(chroot) LiveCD #

make menuconifg

(chroot) LiveCD # make && make modules_install install

Note
* localyesconfig will build into the new kernel all drivers currently running on the chrooted system. This means that if any of those drivers depend on firmware, that may also need to be built into the kernel, or it may be better/easier to build the driver as a module. See for example the firmware section of Gentoo Wiki - Intel.

this system will require an initramfs to decrypt the luks device and mount system root and usr partitions, etc. So, the initramfs will depend on DM_CRYPT and CRYPTO settings in the kernel. joetoo's sys-kernel/check-config package will check .config for these and other kernel configurations commonly needed in joetoo systems

build the initramfs

(chroot) LiveCD #

emerge -av1 mkinitramfs   ## if not already done

(chroot) LiveCD #

nano /etc/mkinitramfs/mkinitramfs.conf

(chroot) LiveCD #

nano /etc/mkinitramfs/init.conf

(chroot) LiveCD #

cd /usr/src/mkinitramfs

(chroot) LiveCD #

./mkinitramfs

install and configure grub

Follow the gentoo handbook's instructions to install and configure grub

(chroot) LiveCD #grub-install /dev/nvme0n1 --efi-directory=/efi

and/or

(chroot) LiveCD #grub-install --target=x86_64-efi --efi-directory=/efi --removable

and

(chroot) LiveCD #grub-mkconfig -o /boot/grub/grub.cfg

if no errors reboot (don't forget to remove the LiveUSB device), else consult handbook and other documentation

Finalize

update with app-portage/jus::joetoo (joetoo update sequence)
rebuild the entire system with rus (rebuild update sequence) script from app-portage/jus

Referemces

↑ Stage3

[1] Stage3

[1]