Vaio Pro 11 part 2

How to dual boot OpenBSD & Linux when using UEFI and an
encrypted slice


Dualbooting with UEFI is easy enough with an unencrypted drive, but if the OpenBSD slice is encrypted you need an extra step. Since there can be only one bootloader in the EFI partition, you let GRUB2 load to stage 2 and then chainload the OpenBSD bootloader, so you get the boot: prompt where the decryption passphrase is entered. For this to work, the OpenBSD BOOTX64.EFI has to be copied onto the EFI partition as well.

Part 1: Install Linux

Simply install Linux the usual way, but leave enough disk space for OpenBSD. Half the drive is good enough… Linux will create the EFI partition and add the parts required to make GRUB2 work in there. Specifically with Ubuntu we’re looking at the EFI/ubuntu folder that contains shimx64.efi. Once the install has finished, switch to a root console, mount the EFI partition, and copy shimx64.efi from the EFI/ubuntu directory to EFI/boot/bootx64.efi:

mount /dev/sda1 /mnt
mkdir /mnt/EFI/boot
cp /mnt/EFI/ubuntu/shimx64.efi /mnt/EFI/boot/bootx64.efi
umount /mnt

Part 2: Configure GRUB2

WARNING: This assumes your OpenBSD slice is the 4th partition on the drive!

Once you’ve booted Linux, log in as root, then edit /etc/default/grub.d/40_custom:

menuentry 'OpenBSD/amd64 normal kernel' {
    insmod part_gpt
    insmod search_fs_uuid
    insmod chain
    chainloader (hd0,gpt1)/EFI/boot/BSD.BOOTX64.EFI
}
menuentry 'OpenBSD/amd64 ramdisk kernel' --class os {
    set root='(hd0,gpt3)'
    kopenbsd /bsd.rd
}
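The partition numbers are the step most likely to go wrong: GRUB counts GPT entries from 1, OpenBSD’s fdisk counts from 0, and the gptN values in 40_custom must match the real table. The script below is an added example, not code from the original post: it reads the raw GPT (from the disk as root, or from an image) and reports the (hd0,gptN) names of the EFI System partition, the OpenBSD slice and the Linux partitions, so the chainloader and set root lines can be checked before update-grub. The SAMPLE layout (ESP, Linux root, Linux /boot, OpenBSD as the 4th partition) is constructed in memory for demonstration.

```python
import struct
import uuid

ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")      # EFI System partition
LINUX_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")    # Linux filesystem data
OPENBSD_GUID = uuid.UUID("824CC7A0-36A8-11E3-890A-952519AD3F61")  # OpenBSD data (A6 in fdisk)

def gpt_partitions(image, sector=512):
    """Return [(number, type_guid, name)] for each used entry, numbered as GRUB's gptN (from 1)."""
    hdr = image[sector:2 * sector]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # Header offsets 72/80/84: entry-array LBA, number of entries, bytes per entry
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * sector + i * size
        entry = image[off:off + size]
        type_guid = uuid.UUID(bytes_le=bytes(entry[:16]))  # GPT stores GUIDs mixed-endian
        if type_guid.int == 0:  # unused slot
            continue
        name = entry[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((i + 1, type_guid, name))
    return parts

def grub_targets(image):
    """Map roles to (hd0,gptN): 'esp' for chainloader, 'openbsd' for the slice, 'linux' for /boot candidates."""
    roles = {"linux": []}
    for num, guid, _ in gpt_partitions(image):
        if guid == ESP_GUID:
            roles["esp"] = f"(hd0,gpt{num})"
        elif guid == OPENBSD_GUID:
            roles["openbsd"] = f"(hd0,gpt{num})"
        elif guid == LINUX_GUID:
            roles["linux"].append(f"(hd0,gpt{num})")
    return roles

def build_image(layout, sector=512):
    """Constructed test disk: GPT header at LBA 1, 128-byte entries starting at LBA 2."""
    img = bytearray(sector * 4)
    struct.pack_into("<8s", img, sector, b"EFI PART")
    struct.pack_into("<QII", img, sector + 72, 2, len(layout), 128)
    for i, (guid, name) in enumerate(layout):
        off = 2 * sector + i * 128
        img[off:off + 16] = guid.bytes_le
        img[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\0")
    return bytes(img)

SAMPLE = build_image([(ESP_GUID, "EFI System"), (LINUX_GUID, "Linux root"),
                      (LINUX_GUID, "Linux /boot"), (OPENBSD_GUID, "OpenBSD")])
```

On the real drive call grub_targets(open('/dev/sda', 'rb').read(512 * 34)) as root; 34 sectors cover the protective MBR, the header and a standard 128-entry array.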

Next, grab BOOTX64.EFI from the amd64 directory of your install mirror, mount the EFI partition and copy BOOTX64.EFI into place. While we’re at it, let’s also grab bsd.rd and put it in the unencrypted /boot partition (sda3 in this case):

cd /boot
wget http://ftp.ch.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
wget http://ftp.ch.openbsd.org/pub/OpenBSD/snapshots/amd64/BOOTX64.EFI
mount /dev/sda1 /mnt
cp BOOTX64.EFI /mnt/EFI/boot/BSD.BOOTX64.EFI
umount /mnt

And finally:

update-grub

You can now install OpenBSD!

Part 3: Install OpenBSD

The only difference from Part 1 of the original guide (below) is that instead of manually creating the EFI and OpenBSD partitions after fdisk -igy sd0, you simply add the OpenBSD slice after the Linux partitions:

fdisk sd0
print
e 3 (if there are only two Linux partitions, say /boot and /, as is likely if you encrypt the Linux side too)
A6
defaults
defaults
quit

And you can now go on to encrypting the slice and following the guide as normal.

Welcome (and Vaio Pro 11 part 1)

Welcome to BSD Laptops, where I show how to get the most out of modern (i.e., UEFI) laptops running various modern BSDs. Basic Linux/UNIX knowledge is a prerequisite.

WARNING: this covers release 5.9, which won’t be published until 1st of May 2016. Use a snapshot if you need UEFI boot!

I run OpenBSD 5.9 on my Vaio Pro 11, with encrypted root. All hardware works apart from Bluetooth, which is currently unsupported. In this first chapter I’ll guide you through setting up UEFI boot, encrypting the BSD slice, and enabling services once the system tarballs have unpacked.

Part 0: Preparation

You’ll need a USB stick or a blank CD/DVD, a laptop with supported hardware, and preferably a working internet connection.

Download either install59.fs or install59.iso from your local mirror, then either burn the iso to disc with your favourite program (there are too many to list, but Brasero works in Linux) or do the following for the USB stick (here assumed to be /dev/sdb):

dd if=/pathtoyourimg/install59.fs of=/dev/sdb bs=1M

About UEFI: you’ll need to enable booting from external devices in the CSM/BIOS setup and change the boot order so the external device comes first, or alternatively use your system’s boot menu (F12). Insert the CD or the USB stick, then turn on the laptop. The OpenBSD boot screen flashes up in blue and white and the bsd.rd ramdisk kernel loads. You’ll end up with a prompt asking you to (I)nstall, (A)utoinstall, (U)pgrade, or (S)hell: enter S for shell.

Part 1: Prepare the drive for installation

I assume a blank drive here; the part 2 post (above) shows how to dualboot with GRUB2. First, add the sd* devices:

cd /dev && sh ./MAKEDEV sd1 && sh ./MAKEDEV sd2

Second, initialize the disk with a GPT label using:

fdisk -igy sd0

then we edit the label:

fdisk -e sd0

You need to add the EFI partition outside of the crypto slice or the OS won’t boot. Resize the OpenBSD slice (type A6) to start from block 1024 instead of 64, then add an EFI System partition:

e 3
A6
1024
(use the default size minus 960)
e 0
EF (the EFI System type)
64
960
quit (this saves the changes)

Next add a disklabel to sd0, with the swap partition and the partition that’ll be used by softraid:

disklabel -E sd0
a b
(default offset)
2G (this depends on how much RAM you have; with less than 4G you might need up to 8G)
swap
a a
(default offset)
(default size)
RAID
p m
w
q

Next we setup the crypto drive:

bioctl -c C -l /dev/sd0a softraid0

You’ll be prompted for a passphrase twice, and then sd1 or sd2 (depending on whether you booted from CD or USB stick) will be created. You now have an encrypted OpenBSD slice!

Part 2: Installation

Now type install at the shell prompt, and the installer kicks in. Choose a keyboard layout and hostname, but don’t configure the network (just type done) if you’re using WiFi, as without firmware the installation will probably crash. You can configure networking after the first reboot. Enter the root password twice, choose whether or not to run sshd (usually not necessary on a laptop), choose to have X run at boot, NTP too, then add your user. Next comes the choice of drive to install on; it’s sd2 if you booted off the USB stick. You can follow the defaults here for the fdisk part, and again for the disklabel, although if you are planning on building lots of ports you need a custom disklabel to allow for a large enough /usr. I often just have a / and a /home partition. Type w to write, then q to quit. The partitions will be set up and formatted.

Now comes the choice of media for the tarballs: choose CD or Disk as appropriate, and just go with the defaults. Ignore any SHA256 errors and let the installer do its job. Type done when it’s finished, then give it your timezone, and you’re done. Don’t reboot yet though!

You need to mount the sd0 EFI partition & the crypto one and copy the bootloader over:

mkdir /mnt3
mkdir /mnt/boot
mount_msdos /dev/sd0i /mnt3
mount_msdos /dev/sd2i /mnt/boot
cp -r /mnt/boot/* /mnt3/
umount /mnt3
umount /mnt/boot

Now reboot by issuing the reboot command; you should see the system make the final changes and reboot. If the OS prints that the disks are synced and the system has halted, just hold down the power button for 5 seconds to power off.

Part 3: First Blood Boot

a) Booting

Simply turn on the laptop and the OpenBSD boot loader will show up and prompt for the passphrase. Enter it, press return, and watch the splendor of an OpenBSD boot, especially if you have a Radeon or Intel GPU, as that gives you a DRM fullscreen dmesg. As we selected to run XDM at boot, you should now be in front of its prompt. Press Ctrl-Alt-F1 to get back to a console prompt and log in as root.

b) Firmware

You should now plug in to an Ethernet network so you can get the files needed for WiFi to work. Do this and issue:

dhclient yourif0

(where yourif0 is what dmesg prints as your ethernet driver)
You’ll get a dhcp lease. Next download the firmware:

fw_update

This will automagically detect which chips need the non-free blobs and add them to

/etc/firmware

as well as activating those devices. In my case this activates the WiFi chip iwm0 (Intel 7260) and the webcam uvideo0.

You can unplug the ethernet cable if you want now.

c) WiFi Network setup

We’re going to use trunking, so you can plug into Ethernet or usb connections and the stack will switch over to the appropriate device. First edit

/etc/myname

with your FQDN:

bla.foobar.local

Now edit with

vi /etc/hostname.iwm0

for wifi configuration and add the requisite options:

nwid yourNWID
wpakey yourpasskey 

Next the axe0 and urndis0 interfaces:

echo up >>/etc/hostname.axe0
echo up >>/etc/hostname.urndis0

And finally the trunk interface:

vi /etc/hostname.trunk0
trunkproto failover trunkport axe0 
trunkport iwm0
trunkport urndis0
dhcp

Save on exit and issue:

sh /etc/netstart

Your networking is now operational!

d) Package setup and installation:

The installer should have set up

/etc/pkg.conf

so you’re ready to download packages from one of the project’s mirrors. If it hasn’t, consult the project’s mirror list, choose one in your own or a neighbouring country, and add it to

pkg.conf

like so:

installpath = http://yourmirror/pub/OpenBSD/%c/%a

Next, we add the packages to build up a proper desktop environment. I use GNOME 3 with Firefox, Thunderbird, and Chromium, so I issue this command:

pkg_add -v gnome gnome-extras firefox thunderbird chromium hotplug-diskmount dconf-editor

This deals with all dependencies, but can take a while to install depending on your disk, cpu and network speed.

In the meantime…

e) Customization

We can make some adjustments for being on a laptop. First of all, change the mixerctl default from half to full volume by editing

/etc/mixerctl.conf

like so:

outputs.master=255,255

To make X work properly with my touchpad, I edit

/etc/X11/xorg.conf

to add this:

Section "InputClass"
    Identifier "touchpad"
    Driver "synaptics"
    MatchIsTouchpad "on"
    #Device "wsmouse"
    # Enable clickpad/multitouch support
    Option "ClickPad" "true"
    # Middle-button emulation is not supported
    Option "EmulateMidButtonTime" "0"
    # Define right soft button at the bottom
    Option "SoftButtonAreas" "50% 0 82% 0 0 0 0 0"
    Option "TapButton1" "1"
    Option "TapButton2" "2"
    Option "TapButton3" "3"
    Option "VertEdgeScroll" "on"
    Option "VertTwoFingerScroll" "on"
    Option "HorizEdgeScroll" "on"
    Option "HorizTwoFingerScroll" "on"
    Option "CircularScrolling" "on"
    Option "CircScrollTrigger" "2"
    Option "EmulateTwoFingerMinZ" "40"
    Option "EmulateTwoFingerMinW" "8"
    Option "CoastingSpeed" "0"
    Option "FingerLow" "35"
EndSection

This makes two-finger scrolling, tap-to-click, and two-finger-tap paste work.

Next we enable the services required for GDM and GNOME 3 to work, and make laptop life better:

rcctl enable messagebus
rcctl enable avahi_daemon
rcctl enable avahi_dnsconfd
rcctl enable cupsd
rcctl enable samba
rcctl enable gdm
rcctl disable xdm
rcctl enable hotplugd
rcctl enable apmd
rcctl set apmd flags -A

This gets DBUS and Avahi working for dynamic configuration, gets the printer daemon ready for configuration via a browser on localhost port 631, gets Windows file sharing going, and switches the login manager from xdm to gdm. hotplugd is enabled so USB drives can be automounted, and apmd is set up to keep the laptop running cool.

Let’s make hotplug work even better, now that we have

hotplug-diskmount

installed, by editing /etc/hotplug/attach (hotplugd runs this file directly, so it must be executable):

#!/bin/sh
# Arguments passed by hotplugd: device class and device name
DEVCLASS=${1}
DEVNAME=${2}
LOGIN=youruser
case ${DEVCLASS} in
2)
    # class 2 = disk: mount it for the given user, owner-only permissions
    /usr/local/libexec/hotplug-diskmount attach -u ${LOGIN} -m 700 ${DEVNAME}
    ;;
esac

f) Keep it safe

We need to edit /etc/pf.conf next so the firewall is configured sanely (i.e., sharing and autoconf work, but the bad stuff doesn’t get in):

#macros

#interfaces
ext_if="iwm0"
trunk_if="trunk0"
eth_if="axe0"
usb_if="urndis0"
vpn_if="tap0"
ppp_if="ppp0"
enc_if="enc0"

#protocols
protos="{tcp, udp, icmp, icmp6}"
tcp_ports="{135:139,445,5353,10050,46411}"
udp_ports="{135:139,isakmp,ipsec-nat-t,5353}"
icmp_types="{echoreq}"
icmp6_types="{neighbradv,neighbrsol,routeradv,routersol,echoreq}"

#policies
set block-policy drop
set loginterface $trunk_if
set skip on {lo, $enc_if}
set state-policy if-bound

block in log
pass quick on {$ext_if, $eth_if, $usb_if, $ppp_if}
pass out keep state
pass proto 41 from any to any keep state
pass in on $trunk_if proto {esp, ah, gre}

pass in on $trunk_if proto tcp to ($trunk_if) port $tcp_ports flags S/SA keep state
pass in on $trunk_if inet6 proto tcp to ($trunk_if) port $tcp_ports flags S/SA keep state
pass in on $trunk_if proto udp to ($trunk_if) port $udp_ports keep state
pass in on $trunk_if inet6 proto udp to ($trunk_if) port $udp_ports keep state
pass in on $trunk_if inet proto icmp all icmp-type $icmp_types keep state
pass in on $trunk_if inet6 proto icmp6 to ($trunk_if) keep state

pass on $vpn_if proto $protos keep state


Once we’re done with the package installation it’s time to reboot and check that everything works as it should. Part 2 will cover getting GNOME to a better condition, dualbooting with Linux, and general gotchas.