Hardened Gentoo with Full Disk Encryption on the Star Labs StarBook Mk VI

A brief guide on installing Gentoo Linux with Full Disk Encryption and the hardened profile, with SELinux, on the Star Labs StarBook Mk VI.


As mentioned in the past update, as well as in my StarBook review, I went ahead with trimming down my personal infrastructure and got myself a 14" StarBook Mk VI Ryzen to replace my custom-built SFFPC workstation.

In this brief write-up I’m going to describe the basics of a hardened Gentoo installation with Full Disk Encryption and SELinux on the Star Labs StarBook Mk VI with AMD Ryzen processor.

Note: I upgraded my StarBook with a 2 TB SSD and 64 GB of RAM. In addition, I used a USB-C Ethernet adapter, configured via DHCP, to connect to my network, so that I did not have to deal with WiFi configuration during installation. I would advise doing the same.

This setup will use OpenRC and not systemd! It will also use NetworkManager for all things networking. Also, please bear in mind that this setup is just a brief overview of a bare-minimum encrypted installation and will not cover topics like encrypted boot partitions or cryptographic verification of system integrity. However, since installing a solid Gentoo system in particular is a gradual process, those topics are best approached step by step, as soon as the base system has been set up and configured to a minimum degree. At the end of this write-up you will find a list of advanced topics with links to further information, so you can gradually improve the security of your base system.

Hardware

Star Labs StarBook Mk VI Ryzen

First off, here is some information on the hardware and modules used for the StarBook with Ryzen CPU. In case you’re looking to build your own kernel, this will help significantly with including the correct modules and firmware.

You can find a hardware probe here.

lspci

00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne Root Complex
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne IOMMU
00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe Dummy Host Bridge
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe Dummy Host Bridge
00:02.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne PCIe GPP Bridge
00:02.4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne PCIe GPP Bridge
00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe Dummy Host Bridge
00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir Internal PCIe GPP Bridge to Bus
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 51)
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 51)
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 0
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 3
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 5
00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 6
00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Cezanne Data Fabric; Function 7
01:00.0 Non-Volatile memory controller: SK hynix Gold P31/BC711/PC711 NVMe Solid State Drive
02:00.0 Network controller: Intel Corporation Wi-Fi 6 AX210/AX211/AX411 160MHz (rev 1a)
03:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Cezanne [Radeon Vega Series / Radeon Vega Mobile Series] (rev c1)
03:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Renoir Radeon High Definition Audio Controller
03:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 10h-1fh) Platform Security Processor
03:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne USB 3.1
03:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne USB 3.1
03:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] ACP/ACP3X/ACP6x Audio Coprocessor (rev 01)
03:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h/19h HD Audio Controller

lsusb

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 003: ID 0c45:636b Microdia USB 2.0 Camera
Bus 001 Device 004: ID 05e3:0761 Genesys Logic, Inc. Genesys Mass Storage Device
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 002: ID 8087:0032 Intel Corp. AX210 Bluetooth
Bus 003 Device 003: ID 27c6:6584 Shenzhen Goodix Technology Co.,Ltd. Goodix USB2.0 MISC
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 002: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter

Firmware

/lib/firmware/regulatory.db 
/lib/firmware/regulatory.db.p7s 
/lib/firmware/rtl_nic/rtl8153a-3.fw 
/lib/firmware/intel/ibt-0041-0041.sfi 
/lib/firmware/iwlwifi-ty-a0-gf-a0-72.ucode 
/lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm 
/lib/firmware/amdgpu/green_sardine_asd.bin 
/lib/firmware/amdgpu/green_sardine_ta.bin 
/lib/firmware/amdgpu/green_sardine_dmcub.bin 
/lib/firmware/amdgpu/green_sardine_pfp.bin 
/lib/firmware/amdgpu/green_sardine_me.bin 
/lib/firmware/amdgpu/green_sardine_ce.bin 
/lib/firmware/amdgpu/green_sardine_rlc.bin 
/lib/firmware/amdgpu/green_sardine_mec.bin 
/lib/firmware/amdgpu/green_sardine_sdma.bin 
/lib/firmware/amdgpu/green_sardine_vcn.bin

lsmod

Module                  Size  Used by
ac97_bus               12288  1 snd_soc_core
amdgpu              10866688  0
amdxcp                 12288  1 amdgpu
binfmt_misc            24576  1
bluetooth             884736  6 btrtl,btmtk,btintel,btbcm,btusb
btbcm                  20480  1 btusb
btintel                49152  1 btusb
btmtk                  12288  1 btusb
btrtl                  28672  1 btusb
btusb                  73728  0
ccp                   126976  1 kvm_amd
cdc_ether              24576  1 r8153_ecm
cec                    73728  1 drm_display_helper
cfg80211             1105920  3 iwlmvm,iwlwifi,mac80211
crc32c_intel           16384  3
crc32_pclmul           12288  0
crct10dif_pclmul       12288  1
dm_crypt               53248  1
drm_buddy              16384  1 amdgpu
drm_display_helper    192512  1 amdgpu
drm_exec               12288  1 amdgpu
drm_suballoc_helper    12288  1 amdgpu
drm_ttm_helper         12288  1 amdgpu
edac_mce_amd           40960  0
ghash_clmulni_intel    12288  0
gpu_sched              49152  1 amdgpu
hid_multitouch         28672  0
i2c_algo_bit           16384  1 amdgpu
i2c_hid                36864  1 i2c_hid_acpi
i2c_hid_acpi           12288  0
i2c_piix4              28672  0
intel_rapl_common      36864  1 intel_rapl_msr
intel_rapl_msr         16384  0
irqbypass              12288  1 kvm
iwlmvm                630784  0
iwlwifi               425984  1 iwlmvm
jc42                   12288  0
joydev                 24576  0
k10temp                12288  0
kvm                  1146880  1 kvm_amd
kvm_amd               172032  0
ledtrig_audio          12288  1 snd_hda_codec_generic
libarc4                12288  1 mac80211
mac80211             1347584  1 iwlmvm
mc                     73728  4 videodev,videobuf2_v4l2,uvcvideo,videobuf2_common
mii                    12288  2 usbnet,r8152
nvme                   53248  4
nvme_common            20480  1 nvme_core
nvme_core             184320  5 nvme
pcspkr                 12288  0
polyval_clmulni        12288  0
polyval_generic        12288  1 polyval_clmulni
qrtr                   49152  4
r8152                 139264  1 r8153_ecm
r8153_ecm              12288  0
rapl                   16384  0
rfkill                 32768  4 iwlmvm,bluetooth,cfg80211
serio_raw              16384  0
sha1_ssse3             32768  0
sha256_ssse3           28672  0
sha512_ssse3           53248  0
snd                   126976  11 snd_hda_codec_generic,snd_hda_codec_conexant,snd_hda_codec_hdmi,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_sof,snd_timer,snd_compress,snd_soc_core,snd_pcm
snd_acp_config         16384  7 snd_rn_pci_acp3x,snd_pci_acp6x,snd_pci_acp5x,snd_sof_amd_rembrandt,snd_sof_amd_vangogh,snd_pci_ps,snd_sof_amd_renoir
snd_compress           24576  1 snd_soc_core
snd_hda_codec         180224  4 snd_hda_codec_generic,snd_hda_codec_conexant,snd_hda_codec_hdmi,snd_hda_intel
snd_hda_codec_conexant    28672  1
snd_hda_codec_generic    98304  1 snd_hda_codec_conexant
snd_hda_codec_hdmi     77824  1
snd_hda_core          122880  5 snd_hda_codec_generic,snd_hda_codec_conexant,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec
snd_hda_intel          49152  0
snd_hwdep              16384  1 snd_hda_codec
snd_intel_dspcfg       36864  2 snd_hda_intel,snd_sof
snd_intel_sdw_acpi     16384  1 snd_intel_dspcfg
snd_pci_acp3x          16384  0
snd_pci_acp5x          16384  0
snd_pci_acp6x          16384  0
snd_pci_ps             24576  0
snd_pcm               151552  12 snd_sof_amd_acp,snd_hda_codec_hdmi,snd_pci_acp6x,snd_hda_intel,snd_hda_codec,snd_sof,snd_compress,snd_soc_core,snd_sof_utils,snd_hda_core,snd_pci_ps,snd_pcm_dmaengine
snd_pcm_dmaengine      16384  1 snd_soc_core
snd_rn_pci_acp3x       20480  0
snd_rpl_pci_acp6x      16384  0
snd_soc_acpi           16384  2 snd_sof_amd_acp,snd_acp_config
snd_soc_core          372736  1 snd_sof
snd_sof               331776  2 snd_sof_amd_acp,snd_sof_pci
snd_sof_amd_acp        57344  3 snd_sof_amd_rembrandt,snd_sof_amd_vangogh,snd_sof_amd_renoir
snd_sof_amd_rembrandt    12288  0
snd_sof_amd_renoir     12288  0
snd_sof_amd_vangogh    12288  0
snd_sof_pci            20480  3 snd_sof_amd_rembrandt,snd_sof_amd_vangogh,snd_sof_amd_renoir
snd_sof_utils          16384  1 snd_sof
snd_sof_xtensa_dsp     16384  1 snd_sof_amd_acp
snd_timer              45056  1 snd_pcm
soundcore              12288  1 snd
sp5100_tco             16384  0
ttm                    86016  2 amdgpu,drm_ttm_helper
uas                    28672  0
usbnet                 53248  2 r8153_ecm,cdc_ether
usb_storage            81920  1 uas
uvc                    12288  1 uvcvideo
uvcvideo              143360  0
video                  69632  1 amdgpu
videobuf2_common       73728  4 videobuf2_vmalloc,videobuf2_v4l2,uvcvideo,videobuf2_memops
videobuf2_memops       16384  1 videobuf2_vmalloc
videobuf2_v4l2         36864  1 uvcvideo
videobuf2_vmalloc      16384  1 uvcvideo
videodev              319488  2 videobuf2_v4l2,uvcvideo
wmi                    36864  2 video,wmi_bmof
wmi_bmof               12288  0

Prerequisites


You will need a USB stick with the minimal installation CD image written onto it with dd. Depending on the operating system you're using to download and write the image onto the USB stick, the instructions might differ. It is best to follow the official guide here. Generally, if anything in this write-up is unclear, cross-check with the official Gentoo installation guide.

Installation

After booting into the minimal installation environment make sure that network connectivity is available (ping gentoo.org) and set the correct date and time:

livecd ~ # chronyd -q
2022-01-09T05:21:45Z chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER -SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-01-09T05:21:45Z Wrong owner of /run/chrony (UID != 0)
2022-01-09T05:21:45Z Disabled command socket /run/chrony/chronyd.sock
2022-01-09T05:21:46Z Running with root privileges
2022-01-09T05:21:52Z System clock wrong by 63712322.719608 seconds (step)
2024-01-16T15:13:55Z chronyd exiting
livecd ~ # date
Tue Jan 16 15:13:56 UTC 2024

Next, prepare the partition table.

Partition table

We’re going to be using Btrfs for the root file system. Btrfs (B-tree file system) is a modern file system for Linux that offers several advantages, especially when it comes to subvolumes, which we are going to use in this setup. The subvolumes will offer benefits such as snapshotting, independent hierarchies and hence management, quotas and limits, atomic changes, ease of cloning, efficient backups and dynamic resizing.

While I'm generally a fan of OpenZFS and have been successfully using it on my NAS, as well as my workstation, for the past few years, it would slightly over-complicate the setup because its modules are not part of the Linux kernel. Also, since the StarBook has neither two NVMe drives for a mirrored ZFS setup nor huge amounts of storage to deal with, Btrfs will do just fine. ZFS would, however, spare the need for LUKS/cryptsetup, as it supports native encryption – with caveats.

First, prepare the NVMe using a GPT:

livecd ~ # fdisk /dev/nvme0n1

...

Command (m for help): g
Created a new GPT disklabel (GUID: 3768DF7F-22A1-F34A-B53F-92CA7B5820BD).

Check the disk information:

Command (m for help): p
Disk /dev/nvme0n1: 1.82 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: SHGP31-2000GM
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 3768DF7F-22A1-F34A-B53F-92CA7B5820BD

Next, create the EFI partition:

Command (m for help): n
Partition number (1-128, default 1):
First sector (2048-3907029134, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-3907029134, default 3907028991): +1G

Created a new partition 1 of type 'Linux filesystem' and of size 1 GiB.

Command (m for help): t
Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Then, create the Boot partition:

Command (m for help): n
Partition number (2-128, default 2):
First sector (2099200-3907029134, default 2099200):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2099200-3907029134, default 3907028991): +4G

Created a new partition 2 of type 'Linux filesystem' and of size 4 GiB.

Command (m for help): t
Partition number (1,2, default 2):
Partition type or alias (type L to list all): 136

Changed type of partition 'Linux filesystem' to 'Linux extended boot'.

Then, create the Swap partition:

Command (m for help): n
Partition number (3-128, default 3):
First sector (10487808-3907029134, default 10487808):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (10487808-3907029134, default 3907028991): +64G

Created a new partition 3 of type 'Linux filesystem' and of size 64 GiB.

Command (m for help): t
Partition number (1-3, default 3):
Partition type or alias (type L to list all): 19

Changed type of partition 'Linux filesystem' to 'Linux swap'.

Last but not least, create the root partition:

Command (m for help): n
Partition number (4-128, default 4):
First sector (144705536-3907029134, default 144705536):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (144705536-3907029134, default 3907028991):

Created a new partition 4 of type 'Linux filesystem' and of size 1.8 TiB.

Command (m for help): t
Partition number (1-4, default 4):
Partition type or alias (type L to list all): 23

Changed type of partition 'Linux filesystem' to 'Linux root (x86-64)'.

Check the partition table:

Command (m for help): p
Disk /dev/nvme0n1: 1.82 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: SHGP31-2000GM
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 3768DF7F-22A1-F34A-B53F-92CA7B5820BD

Device             Start        End    Sectors  Size Type
/dev/nvme0n1p1      2048    2099199    2097152    1G EFI System
/dev/nvme0n1p2   2099200   10487807    8388608    4G Linux extended boot
/dev/nvme0n1p3  10487808  144705535  134217728   64G Linux swap
/dev/nvme0n1p4 144705536 3907028991 3762323456  1.8T Linux root (x86-64)

If everything looks good, write the partition table to the NVMe:

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Next, format every partition with the proper filesystem.

Formatting

First, the EFI partition, using VFAT:

livecd ~ # mkfs.vfat -F 32 /dev/nvme0n1p1
mkfs.fat 4.2 (2021-01-31)

Next, the boot partition using EXT4:

livecd ~ # mkfs.ext4 -L boot /dev/nvme0n1p2
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 1048576 4k blocks and 262144 inodes
Filesystem UUID: fcd6ba64-b316-4a5e-86bb-b1f322255b57
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Next, the Swap partition using mkswap:

livecd ~ # mkswap -L swap /dev/nvme0n1p3
mkswap: /dev/nvme0n1p3: warning: wiping old swap signature.
Setting up swapspace version 1, size = 64 GiB (68719472640 bytes)
LABEL=swap, UUID=495e798c-fb70-4854-932a-3bc4f8f9cea7
livecd ~ # swapon /dev/nvme0n1p3

Last, the root partition. Since the StarBook is going to run full disk encryption, use cryptsetup on the root partition.

First, check the LUKS defaults:

livecd ~ # cryptsetup luksFormat --help | tail -n 16
Default compiled-in metadata format is LUKS2 (for luksFormat action).

LUKS2 external token plugin support is compiled-in.
LUKS2 external token plugin path: /usr/lib64/cryptsetup.

Default compiled-in key and passphrase parameters:
	Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
	Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/random
	LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

Feel free to adjust these if needed. Then create the LUKS container using luksFormat:

Note: There are different ways to create the encrypted partition, e.g. by using a password-protected key, or by detaching the LUKS header and storing it on a dedicated device. These topics are out of scope here but could be performed at this stage. If you're interested in any of that, refer to the relevant resources on the Gentoo wiki and come back here after finalizing the luksFormat stage.

livecd ~ # cryptsetup luksFormat --key-size 512 /dev/nvme0n1p4

WARNING!
========
This will overwrite data on /dev/nvme0n1p4 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p4:
Verify passphrase:
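The luksFormat output above does not echo the parameters it applied, so a post-format check against the LUKS2 header is worth having. The following is an added example, not code from the original write-up: it parses `cryptsetup luksDump` output (the cryptsetup 2.x LUKS2 layout is assumed) and confirms the segment cipher, every keyslot's key size and its PBKDF match what this page formats with.

```shell
#!/bin/sh
# Added example, not part of the original write-up: after luksFormat, confirm
# from the LUKS2 header that the container really carries the intended
# parameters (aes-xts-plain64, 512-bit key, argon2id) rather than trusting the
# compiled-in defaults. Assumes the `cryptsetup luksDump` layout of cryptsetup
# 2.x; the expected values are the ones this page formats with.

# Read luksDump text on stdin and emit key=value lines for the fields of
# interest. The segment cipher and every keyslot's key size and PBKDF are
# reported, so a second, weaker keyslot would show up as well.
luks_params() {
    awk '
        /^Version:/                        { print "version=" $2 }
        /^Data segments:/                  { section = "seg" }
        /^Keyslots:/                       { section = "slot" }
        /^Tokens:/ || /^Digests:/          { section = "" }
        section == "seg"  && /cipher:/     { print "cipher=" $2 }
        section == "slot" && /Cipher key:/ { print "keybits=" $3 }
        section == "slot" && /PBKDF:/      { print "pbkdf=" $2 }
    '
}

# Exit 0 only if every reported value equals the intended one.
luks_check() {
    params=$(luks_params)
    rc=0
    for want in version=2 cipher=aes-xts-plain64 keybits=512 pbkdf=argon2id; do
        key=${want%%=*}
        # "|| true" keeps a missing field from aborting under set -e
        got=$(printf '%s\n' "$params" | grep "^${key}=" || true)
        if [ -z "$got" ]; then
            echo "luksDump: no ${key} field found" >&2
            rc=1
        elif printf '%s\n' "$got" | grep -qv "^${want}\$"; then
            # at least one occurrence (e.g. one of several keyslots) differs
            echo "luksDump: got '$got', wanted '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage after the luksFormat step on this page:
#   cryptsetup luksDump /dev/nvme0n1p4 | luks_check && echo "LUKS2 header matches"
```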

Next, open the LUKS partition:

livecd ~ # cryptsetup luksOpen /dev/nvme0n1p4 root
Enter passphrase for /dev/nvme0n1p4:

Now, create the filesystem on the mapper device:

Note: You could use any other filesystem at this point and skip the Btrfs subvolume part. If you would rather use EXT4, XFS or any other supported filesystem, feel free to do so now.

livecd ~ # mkfs.btrfs -L rootfs /dev/mapper/root
btrfs-progs v6.6.2
See https://btrfs.readthedocs.io for more information.

NOTE: several default settings have changed in version 5.15, please make sure
      this does not affect your deployments:
      - DUP for metadata (-m dup)
      - enabled no-holes (-O no-holes)
      - enabled free-space-tree (-R free-space-tree)

Label:              rootfs
UUID:               c6e224d6-8c22-49a5-a31f-99e735838e8a
Node size:          16384
Sector size:        4096
Filesystem size:    1.75TiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP               1.00GiB
  System:           DUP               8.00MiB
SSD detected:       yes
Zoned device:       no
Incompat features:  extref, skinny-metadata, no-holes, free-space-tree
Runtime features:   free-space-tree
Checksum:           crc32c
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1     1.75TiB  /dev/mapper/root

Create a few Btrfs subvolumes:

Note: This step is optional but beneficial in the long term. You are free to create other or more subvolumes.

livecd ~ # mount LABEL=rootfs /mnt/gentoo
livecd ~ # btrfs subvolume create /mnt/gentoo/etc
Create subvolume '/mnt/gentoo/etc'
livecd ~ # btrfs subvolume create /mnt/gentoo/home
Create subvolume '/mnt/gentoo/home'
livecd ~ # btrfs subvolume create /mnt/gentoo/var
Create subvolume '/mnt/gentoo/var'

Next, install the stage3 file.

Stage 3


First, download the stage file:

livecd ~ # cd /mnt/gentoo/
livecd /mnt/gentoo # wget https://distfiles.gentoo.org/releases/amd64/autobuilds/20240114T164819Z/stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz
--2024-01-16 15:16:21--  https://distfiles.gentoo.org/releases/amd64/autobuilds/20240114T164819Z/stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz
Resolving distfiles.gentoo.org... 89.187.177.17, 156.146.36.23, 2a02:6ea0:c400::12, ...
Connecting to distfiles.gentoo.org|89.187.177.17|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 302966768 (289M) [application/x-xz]
Saving to: 'stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz'

stage3-amd64-hardened-selinux-open 100%[==============================================================>] 288.93M  22.9MB/s    in 12s

2024-01-16 15:16:34 (24.4 MB/s) - 'stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz' saved [302966768/302966768]

Next, download the checksum file:

livecd /mnt/gentoo # wget https://distfiles.gentoo.org/releases/amd64/autobuilds/20240114T164819Z/stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz.sha256
--2024-01-16 15:20:47--  https://distfiles.gentoo.org/releases/amd64/autobuilds/20240114T164819Z/stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz.sha256
Resolving distfiles.gentoo.org... 156.146.36.23, 89.187.177.17, 2a02:6ea0:c400::11, ...
Connecting to distfiles.gentoo.org|156.146.36.23|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 678 [application/x-xz]
Saving to: 'stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz.sha256'

stage3-amd64-hardened-selinux-open 100%[==============================================================>]     678  --.-KB/s    in 0s

2024-01-16 15:20:48 (328 MB/s) - 'stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz.sha256' saved [678/678]

Verify the stage file. The sha256sum warning about improperly formatted lines is expected: the .sha256 file is an OpenPGP clear-signed message, which is also why it can be checked directly with gpg --verify afterwards:

livecd /mnt/gentoo # sha256sum --check stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz.sha256
stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz: OK
sha256sum: WARNING: 12 lines are improperly formatted
livecd /mnt/gentoo # gpg --import /usr/share/openpgp-keys/gentoo-release.asc
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key A13D0EF1914E7A72: 1 signature not checked due to a missing key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key A13D0EF1914E7A72: public key "Gentoo repository mirrors (automated git signing key) <repomirrorci@gentoo.org>" imported
gpg: key DB6B8C1F96D8BF6D: 1 signature not checked due to a missing key
gpg: key DB6B8C1F96D8BF6D: public key "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" imported
gpg: key 9E6438C817072058: 2 signatures not checked due to missing keys
gpg: key 9E6438C817072058: public key "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" imported
gpg: key BB572E0E2D182910: 1 signature not checked due to a missing key
gpg: key BB572E0E2D182910: public key "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" imported
gpg: Total number processed: 4
gpg:               imported: 4
gpg: no ultimately trusted keys found
livecd /mnt/gentoo # gpg --verify stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz.sha256
gpg: Signature made Tue Jan 16 09:01:09 2024 UTC
gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
     Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
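The gpg output above ends in "Good signature" even though the key is uncertified, so the check a practitioner wants is to pin the primary key fingerprint printed there. The following script is an added example, not code from the original write-up or from Gentoo: it parses gpg's machine-readable status output for a VALIDSIG line carrying that fingerprint and only then checks the tarball's hash, using just the tarball's own line from the clear-signed file. It assumes gpg, awk and GNU sha256sum are available and that the release keys were imported as shown above.

```shell
#!/bin/sh
# Added example (not from the original write-up): verify a Gentoo stage3 tarball
# against its clear-signed .sha256 file, pinning the expected release key
# fingerprint instead of stopping at gpg's "Good signature" line, which gpg
# prints for an uncertified key as well.
# Assumes gpg, awk and GNU sha256sum are available and the Gentoo release keys
# were imported with: gpg --import /usr/share/openpgp-keys/gentoo-release.asc

# Primary key fingerprint of the "Gentoo Linux Release Engineering (Automated
# Weekly Release Key)", as printed by gpg --verify above (spaces removed).
GENTOO_RELENG_FPR="13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"

# Read `gpg --status-fd 1` output on stdin. Succeed only if a VALIDSIG line
# (emitted for good signatures only) names the expected primary key
# fingerprint in its last field; GOODSIG alone carries just a short key ID.
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $12 == want { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Check the tarball's SHA256 using only its own "hash  filename" line from the
# .sha256 file. Feeding the whole clear-signed file to sha256sum works too,
# but yields the "lines are improperly formatted" warning seen above.
checksum_matches() {
    tarball="$1"; sums="$2"
    name=${tarball##*/}
    line=$(awk -v f="$name" 'length($1) == 64 && $2 == f { print; exit }' "$sums")
    if [ -z "$line" ]; then
        echo "no SHA256 entry for $name in $sums" >&2
        return 1
    fi
    ( cd "$(dirname "$tarball")" && printf '%s\n' "$line" | sha256sum --check --strict --quiet - )
}

# Full check: signature first, so the hashes in a tampered .sha256 file are
# never trusted, then the hash of the tarball itself.
verify_stage3() {
    tarball="$1"
    sums="${tarball}.sha256"
    if ! gpg --batch --status-fd 1 --verify "$sums" | validsig_matches "$GENTOO_RELENG_FPR"; then
        echo "$sums: signature not made by the pinned Gentoo release key" >&2
        return 1
    fi
    checksum_matches "$tarball" "$sums"
}

# Usage: sh verify-stage3.sh stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz
if [ "$#" -eq 1 ]; then
    verify_stage3 "$1" && echo "$1: verified"
fi
```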

Next, unpack the stage file:

livecd /mnt/gentoo # tar xpvf stage3-amd64-hardened-selinux-openrc-20240114T164819Z.tar.xz --xattrs-include='*.*' --numeric-owner

Now, configure the make.conf:

Note: This is an example configuration already containing many USE flags. If you would rather start from scratch, check the Gentoo USE flag index and configure USE="" the way you prefer.

GENTOO_MIRRORS can also be adjusted to the mirrors that work best for you. Refer to mirrorselect for more info.

livecd /mnt/gentoo # cat /mnt/gentoo/etc/portage/make.conf
COMMON_FLAGS="-O2 -pipe -march=znver3 -mshstk --param=l1-cache-line-size=64 --param=l1-cache-size=32 --param=l2-cache-size=512"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"

LC_MESSAGES=C.utf8

MAKEOPTS="-j16"

VIDEO_CARDS="amdgpu radeonsi"

EMERGE_DEFAULT_OPTS="--with-bdeps=y --keep-going=y --quiet-build=y"

GRUB_PLATFORMS="efi-64"

ACCEPT_LICENSE="*"

USE="-systemd acpi udev cryptsetup udev -php -perl -gnome -gnome-keyring -qt4 
-qt5 qt6 -kde wayland alsa bluetooth gif git idn dbus dvb lm-sensors man ncurses 
ogg openal gd bzip2 v4l xvid theora svg -plasma sound -emacs ffmpeg flac mp3 mp4 
pipewire truetype vorbis webp x264 -java jpeg -xemacs zsh-completion man cxx 
fontconfig lcms png postscript raw zip zlib unicode ipv6 usb xml elogind syslog 
seccomp -xscreensaver -xv -osdmenu egl -X vaapi vulkan"

GENTOO_MIRRORS="http://distfiles.gentoo.org/ https://gentoo.c3sl.ufpr.br/ https://ftp.belnet.be/pub/rsync.gentoo.org/gentoo/ https://mirror.bytemark.co.uk/gentoo/ https://mirror.leaseweb.com/gentoo/"

Next, copy the DNS info into the future chroot environment:

livecd /mnt/gentoo # cp --dereference /etc/resolv.conf /mnt/gentoo/etc/

Next, mount all necessary filesystems:

livecd /mnt/gentoo # mount --types proc /proc /mnt/gentoo/proc
livecd /mnt/gentoo # mount --rbind /sys /mnt/gentoo/sys
livecd /mnt/gentoo # mount --make-rslave /mnt/gentoo/sys
livecd /mnt/gentoo # mount --rbind /dev /mnt/gentoo/dev
livecd /mnt/gentoo # mount --make-rslave /mnt/gentoo/dev
livecd /mnt/gentoo # mount --bind /run /mnt/gentoo/run
livecd /mnt/gentoo # mount --make-slave /mnt/gentoo/run

Now, chroot into the new environment:

livecd /mnt/gentoo # chroot /mnt/gentoo /bin/bash
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
livecd / # source /etc/profile
livecd / # export PS1="(chroot) ${PS1}"
(chroot) livecd / #

Next, mount the EFI and boot partitions:

(chroot) livecd / # mkdir /efi
(chroot) livecd / # mount /dev/nvme0n1p1 /efi
(chroot) livecd / # mount /dev/nvme0n1p2 /boot

Then, prepare the ebuild repository:

(chroot) livecd / # mkdir --parents /etc/portage/repos.conf
(chroot) livecd / # cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf

Next, install a repository snapshot:

(chroot) livecd / # emerge-webrsync
...
(chroot) livecd / # emerge --sync --quiet
...
(chroot) livecd / # eselect news read

Verify that the profile is correct:

(chroot) livecd / # eselect profile show
Current /etc/portage/make.profile symlink:
  default/linux/amd64/17.1/hardened/selinux

Install and configure CPU_FLAGS_* with cpuid2cpuflags:

(chroot) livecd / # emerge --ask app-portage/cpuid2cpuflags

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 0.63 s (backtrack: 0/20).

[ebuild  N     ] app-portage/cpuid2cpuflags-12

Would you like to merge these packages? [Yes/No] yes
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-portage/cpuid2cpuflags-12::gentoo
>>> Installing (1 of 1) app-portage/cpuid2cpuflags-12::gentoo
>>> Recording app-portage/cpuid2cpuflags in "world" favorites file...
>>> Completed (1 of 1) app-portage/cpuid2cpuflags-12::gentoo
>>> Jobs: 1 of 1 complete                           Load avg: 0.24, 0.07, 0.03

 * GNU info directory index is up-to-date.

(chroot) livecd / # cpuid2cpuflags
CPU_FLAGS_X86: aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3

Set the CPU flags accordingly in /etc/portage/make.conf:

(chroot) livecd / # grep -i CPU_FLAGS_X86 /etc/portage/make.conf
CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3"

Quickly fix the locale:

(chroot) livecd / # grep -v '^#' /etc/locale.gen

en_US.UTF-8 UTF-8
(chroot) livecd / # locale-gen
 * Generating 2 locales (this might take a while) with 16 jobs
 *  (2/2) Generating C.UTF-8 ...                                                                                                    [ ok ]
 *  (1/2) Generating en_US.UTF-8 ...                                                                                                [ ok ]
 * Generation complete
 * Adding locales to archive ...

Optional: Set up distcc in case you have another znver3 machine on the network that could help with compiling:

(chroot) livecd / # emerge --ask sys-devel/distcc
setlocale: unsupported locale setting
setlocale: unsupported locale setting

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 0.42 s (backtrack: 0/20).

[ebuild  N     ] acct-group/distcc-1-r1
[ebuild  N     ] acct-user/distcc-1-r1
[ebuild  N     ] dev-util/shadowman-3
[ebuild  N     ] sec-policy/selinux-distcc-2.20231002-r2
[ebuild  N     ] sys-libs/binutils-libs-2.41-r3  USE="cet nls -64-bit-bfd -multitarget -static-libs -test" ABI_X86="(64) -32 (-x32)"
[ebuild  N     ] sys-devel/distcc-3.4-r2  USE="hardened ipv6 (selinux) -gssapi -gtk -xinetd -zeroconf" PYTHON_SINGLE_TARGET="python3_11 -python3_10"

Would you like to merge these packages? [Yes/No] yes
>>> Verifying ebuild manifests
>>> Running pre-merge checks for acct-group/distcc-1-r1
Warning: distcc requested but no masquerade dir can be found in /usr/lib*/distcc/bin
Warning: distcc requested but no masquerade dir can be found in /usr/lib*/distcc/bin
>>> Running pre-merge checks for acct-user/distcc-1-r1
>>> Emerging (1 of 6) acct-group/distcc-1-r1::gentoo
>>> Installing (1 of 6) acct-group/distcc-1-r1::gentoo
>>> Completed (1 of 6) acct-group/distcc-1-r1::gentoo
>>> Emerging (2 of 6) acct-user/distcc-1-r1::gentoo
>>> Installing (2 of 6) acct-user/distcc-1-r1::gentoo
>>> Completed (2 of 6) acct-user/distcc-1-r1::gentoo
>>> Emerging (3 of 6) dev-util/shadowman-3::gentoo
>>> Installing (3 of 6) dev-util/shadowman-3::gentoo
>>> Completed (3 of 6) dev-util/shadowman-3::gentoo
>>> Emerging (4 of 6) sec-policy/selinux-distcc-2.20231002-r2::gentoo
>>> Installing (4 of 6) sec-policy/selinux-distcc-2.20231002-r2::gentoo
>>> Completed (4 of 6) sec-policy/selinux-distcc-2.20231002-r2::gentoo
>>> Emerging (5 of 6) sys-libs/binutils-libs-2.41-r3::gentoo
>>> Installing (5 of 6) sys-libs/binutils-libs-2.41-r3::gentoo
>>> Completed (5 of 6) sys-libs/binutils-libs-2.41-r3::gentoo
>>> Emerging (6 of 6) sys-devel/distcc-3.4-r2::gentoo
>>> Installing (6 of 6) sys-devel/distcc-3.4-r2::gentoo
>>> Recording sys-devel/distcc in "world" favorites file...
>>> Completed (6 of 6) sys-devel/distcc-3.4-r2::gentoo
>>> Jobs: 6 of 6 complete                           Load avg: 1.75, 0.59, 0.21

 * Messages for package acct-group/distcc-1-r1:

 * Adding group distcc

 * Messages for package acct-user/distcc-1-r1:

 * Adding user distcc

 * Messages for package sys-devel/distcc-3.4-r2:

 *
 * Tips on using distcc with Gentoo can be found at
 * https://wiki.gentoo.org/wiki/Distcc
 *
 * distcc-pump is known to cause breakage with multiple packages.
 * Do NOT enable it globally.
 *
 * To use the distccmon programs with Gentoo you should use this command:
 * # DISTCC_DIR="/var/tmp/portage/.distcc" distccmon-text 5

 * Regenerating GNU info directory index...

Adjust /etc/distcc/hosts to add the other machine:

(chroot) livecd / # cat /etc/distcc/hosts
192.168.0.2

Add the other machine to distcc-config as well:

(chroot) livecd / # /usr/bin/distcc-config --set-hosts "192.168.0.2,cpp,lzo"

Done, distcc for emerge is ready to be used.

Additional software


Next, install some additional packages:

Note: This configuration will use OpenRC with NetworkManager.

(chroot) livecd / # emerge --ask --tree --changed-use --deep sys-fs/cryptsetup sys-fs/btrfs-progs sys-apps/nvme-cli sys-block/io-scheduler-udev-rules net-misc/chrony sys-process/cronie app-admin/sysklogd app-editors/neovim net-misc/networkmanager sys-apps/util-linux app-shells/zsh

Set up daemons in the default runlevel:

(chroot) livecd / # rc-update add sysklogd default
(chroot) livecd / # rc-update add cronie default
(chroot) livecd / # rc-update add chronyd default
(chroot) livecd / # rc-update add NetworkManager default

Kernel

Allow newer kernels to be installed:

(chroot) livecd / # cat /etc/portage/package.accept_keywords/gentoo-source
sys-kernel/gentoo-sources ~amd64

Install firmware, kernel sources, and pciutils:

Note: If you don’t have a kernel config ready, or are not looking forward to building your own kernel, you can use the Gentoo distribution kernel and skip the following steps. If you would like to build your own kernel but don’t know where to start, you can zcat /proc/config.gz in the installation environment to get the distribution kernel config, copy it to /usr/src/linux/.config (zcat /proc/config.gz > /usr/src/linux/.config) and perform make oldconfig, followed by make menuconfig.

emerge --ask sys-kernel/linux-firmware sys-kernel/gentoo-sources sys-apps/pciutils

Next, install dracut to generate the initramfs. Use the latest dracut version, since the stable version has a bug regarding microcode loading with kernel 6.7:

(chroot) livecd / # cat /etc/portage/package.accept_keywords/dracut
sys-kernel/dracut ~amd64
(chroot) livecd / # emerge --ask sys-kernel/dracut

Configure dracut:

Note: Use your specific UUIDs that you can find via lsblk command, e.g. lsblk -o name,uuid,label.

(chroot) livecd / # mkdir /etc/dracut.conf.d
(chroot) livecd / # cat /etc/dracut.conf.d/general.conf
hostonly="yes"
early_microcode="yes"
(chroot) livecd / # cat /etc/dracut.conf.d/modules.conf
add_dracutmodules+=" crypt dm rootfs-block "
(chroot) livecd / # cat /etc/dracut.conf.d/cmdline.conf
kernel_cmdline+=" rd.luks.uuid=57b6d768-41d0-4e7c-8712-dbd7edf132a3 "
(chroot) livecd / # cat /etc/dracut.conf.d/firmware.conf
install_items+=" /lib/firmware/regulatory.db /lib/firmware/regulatory.db.p7s /lib/firmware/rtl_nic/rtl8153a-3.fw /lib/firmware/intel/ibt-0041-0041.sfi /lib/firmware/iwlwifi-ty-a0-gf-a0-72.ucode /lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm /lib/firmware/amdgpu/green_sardine_asd.bin /lib/firmware/amdgpu/green_sardine_ta.bin /lib/firmware/amdgpu/green_sardine_dmcub.bin /lib/firmware/amdgpu/green_sardine_pfp.bin /lib/firmware/amdgpu/green_sardine_me.bin /lib/firmware/amdgpu/green_sardine_ce.bin /lib/firmware/amdgpu/green_sardine_rlc.bin /lib/firmware/amdgpu/green_sardine_mec.bin /lib/firmware/amdgpu/green_sardine_sdma.bin /lib/firmware/amdgpu/green_sardine_vcn.bin "

Select the kernel:

(chroot) livecd / # eselect kernel set 1
(chroot) livecd / # ls -la /usr/src/linux
lrwxrwxrwx 1 root root 18 Jan 16 17:02 /usr/src/linux -> linux-6.7.0-gentoo

Import a kernel config:

Note: I have imported my own kernel config from cbrspc7 as a basis.

(chroot) livecd / # mv /config /usr/src/linux/.config
(chroot) livecd / # cd /usr/src/linux
(chroot) livecd /usr/src/linux # make oldconfig

Adjust the kernel:

(chroot) livecd /usr/src/linux # make menuconfig

Build and install the kernel:

(chroot) livecd /usr/src/linux # make && make modules_install && make install

fstab

Get the partition info required for fstab:

(chroot) livecd / # lsblk -o name,uuid,label
NAME        UUID                                 LABEL
loop0
sda         2024-01-07-20-42-17-00               ISOIMAGE
├─sda1
├─sda2      45C5-744C
├─sda3                                           ISOIMAGE
└─sda4
sdb
zram0
nvme0n1
├─nvme0n1p1 C116-8CAD
├─nvme0n1p2 fcd6ba64-b316-4a5e-86bb-b1f322255b57 boot
├─nvme0n1p3 495e798c-fb70-4854-932a-3bc4f8f9cea7 swap
└─nvme0n1p4 57b6d768-41d0-4e7c-8712-dbd7edf132a3
  └─root    c6e224d6-8c22-49a5-a31f-99e735838e8a rootfs

Create /etc/fstab and populate:

(chroot) livecd / # tail -n 4 /etc/fstab
UUID=C116-8CAD		/efi		vfat		noauto,noatime	0 1
LABEL=boot		/boot		ext4		defaults	1 2
LABEL=swap		none		swap		sw		0 0
LABEL=rootfs		/		btrfs		defaults	0 1

Network

Configure the hostname:

(chroot) livecd / # echo f0g6 > /etc/hostname
(chroot) livecd / # tail -n 2 /etc/hosts
127.0.0.1	f0g6 localhost
::1		f0g6 localhost

Bootloader

Emerge Grub:

(chroot) livecd / # emerge --ask --update --newuse --verbose sys-boot/grub

Install Grub into the EFI partition:

(chroot) livecd / # grub-install --efi-directory=/efi

Configure Grub:

(chroot) livecd / # grep '^GRUB*' /etc/default/grub
GRUB_DISTRIBUTOR="Gentoo"
GRUB_DISABLE_OS_PROBER=false
GRUB_CMDLINE_LINUX="rd.luks.allow-discards rd.luks.uuid=luks-57b6d768-41d0-4e7c-8712-dbd7edf132a3 initcall_blacklist=acpi_cpufreq_init amd_pstate.shared_mem=1 cpufreq.default_governor=schedutil amd_pstate=passive"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_LINUX_PARTUUID=false

Generate the configuration under boot:

(chroot) livecd / # grub-mkconfig -o /boot/grub/grub.cfg

Finishing up

Set a password for the root account and optionally change shell to Zsh:

(chroot) livecd / # passwd
(chroot) livecd / # chsh -s /bin/zsh

Exit and reboot:

(chroot) livecd / # umount /efi
(chroot) livecd / # umount /boot
(chroot) livecd / # exit
livecd /mnt/gentoo # cd
livecd ~ # umount -l /mnt/gentoo/dev{/shm,/pts,}
livecd ~ # umount -R /mnt/gentoo
livecd ~ # reboot

In case of emergency


If your device does not boot – maybe due to a misconfigured kernel – you can always boot from the same installation USB stick and run the following commands to get back into the system and retry the configuration:

Note: Code blocks without prompts for easier copy and paste.

cryptsetup luksOpen /dev/nvme0n1p4 root
mount LABEL=rootfs /mnt/gentoo
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-slave /mnt/gentoo/run
chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(chroot) ${PS1}"
mount /efi
mount /boot

Before rebooting, remember to unmount the partitions:

umount /boot
umount /efi
exit
umount -l /mnt/gentoo/dev{/shm,/pts,}
umount -R /mnt/gentoo
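The rescue procedure above as a small script, added here as an example and not code from the original post. It assumes the same layout as the write-up (LUKS on /dev/nvme0n1p4 opened as root, btrfs labelled rootfs, chroot at /mnt/gentoo), fails fast instead of leaving a half-built chroot, can be re-run after a failed attempt, and closes the LUKS mapping on teardown.

```shell
#!/bin/sh
# Rescue-chroot helper for the layout in this write-up: LUKS on
# /dev/nvme0n1p4 opened as "root", btrfs labelled "rootfs", mounted at
# /mnt/gentoo (all overridable via environment). Added example, not code
# from the original post. DRY_RUN=1 prints the commands instead.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p4}"
MAPPER="${MAPPER:-root}"
ROOT_LABEL="${ROOT_LABEL:-rootfs}"
TARGET="${TARGET:-/mnt/gentoo}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Same order as the manual steps. set -e stops at the first failure, so a
# typo never leaves a half-built chroot, and re-running after a failure is
# safe: an already open mapping or an already mounted root is skipped.
rescue_mount() {
    [ -e "/dev/mapper/$MAPPER" ] || run cryptsetup luksOpen "$LUKS_DEV" "$MAPPER"
    mountpoint -q "$TARGET" 2>/dev/null || run mount "LABEL=$ROOT_LABEL" "$TARGET"
    run mount --types proc /proc "$TARGET/proc"
    run mount --rbind /sys "$TARGET/sys"
    run mount --make-rslave "$TARGET/sys"
    run mount --rbind /dev "$TARGET/dev"
    run mount --make-rslave "$TARGET/dev"
    run mount --bind /run "$TARGET/run"
    run mount --make-slave "$TARGET/run"
}

# Enter the chroot; /efi and /boot are mounted from the target's fstab.
rescue_shell() {
    run chroot "$TARGET" /bin/bash -c \
        'source /etc/profile; export PS1="(chroot) $PS1"; mount /efi; mount /boot; exec bash'
}

# Tear down in reverse: umount -R also drops /boot and /efi, then close
# the mapping so the volume key leaves the kernel before you reboot.
rescue_umount() {
    run umount -l "$TARGET/dev/shm" "$TARGET/dev/pts" "$TARGET/dev"
    run umount -R "$TARGET"
    run cryptsetup luksClose "$MAPPER"
}

case "${1:-}" in
    mount)  rescue_mount ;;
    shell)  rescue_shell ;;
    umount) rescue_umount ;;
esac
```

Run it as `rescue.sh mount`, then `rescue.sh shell`, and `rescue.sh umount` before rebooting.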

First boot


Upon the first boot a few things should be done.

fwupd

First install fwupd in order to be able to update the firmware:

f0g6# cat /etc/portage/package.use/fwupd
sys-apps/fwupd amdgpu bluetooth flashrom gusb logitech nvme synaptics tpm uefi gnutls
f0g6# emerge --ask sys-apps/fwupd
f0g6# rc-service fwupd start
f0g6# rc-update add fwupd default

Now check for firmware updates and apply them:

f0g6# fwupdmgr refresh
f0g6# fwupdmgr get-updates
f0g6# fwupdmgr update

Adding a user

Add a regular system user:

f0g6# useradd -m -G users,wheel,audio,dialout,video,usb,input,plugdev,cron -s /bin/zsh mrus

Generate an SSH key for the user by logging in as that user and running:

f0g6$ ssh-keygen -t ed25519 -C "f0g6"

Alternatively, if you happen to have at least two FIDO U2F keys available, create two individual SSH keys, one for each of them.

First make sure that OpenSSH includes FIDO support and rebuild if necessary:

f0g6# cat /etc/portage/package.use/openssh
net-misc/openssh security-key

In case it is a YubiKey, make sure to install ykman and configure the YubiKey beforehand:

f0g6# emerge -a app-crypt/yubikey-manager
f0g6# rc-update add pcscd default
f0g6# rc-service pcscd start

Next, log in as user.

Next, plug in your first U2F key. If it’s a YubiKey, set the touch policy to cached:

f0g6$ ykman openpgp keys set-touch enc cached
f0g6$ ykman openpgp keys set-touch sig cached
f0g6$ ykman openpgp keys set-touch aut cached

Note: The default admin PIN is 12345678 for YubiKeys.

In case you don’t use the OTP feature of your YubiKey (Nano), and you are wondering why touching it would result in random characters being sent to the active window, you can disable the OTP feature:

f0g6$ ykman config usb -d OTP

Then, generate the SSH key with it:

f0g6$ ssh-keygen -t ed25519-sk -C "f0g6-sk1"

Note: If you see errors like invalid format or feature not supported, your hardware key may not support Ed25519. Try -t ecdsa-sk instead.

Then unplug the first key, plug in the second U2F key and generate the second SSH key. If it’s a YubiKey repeat the set-touch configuration from before. Then, generate the key:

f0g6$ ssh-keygen -t ed25519-sk -C "f0g6-sk2"

Always put both public keys into your remote server’s authorized_keys file. Otherwise you will lock yourself out in case you lose/break one of the keys.

Note: The same could be done using just a single hardware key plus a regular, password protected key. However, this sort of defeats the purpose, as the weakest link in the chain – the private key residing on your device – would break security in case of loss, regardless of the hardware U2F.

Laptop Mode Tools

Install and enable laptop-mode-tools; make sure to set the acpi and optionally the bluetooth USE flags:

f0g6# emerge -a app-laptop/laptop-mode-tools

Note: Make sure the required features are enabled in the Linux kernel if you built it yourself. See the docs.

Sysklogd

Adjust Sysklogd:

f0g6# cat /etc/syslog.conf
#  /etc/syslog.conf      Configuration file for syslogd.
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          /var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          -/var/log/uucp.log
local6.debug                    /var/log/imapd.log

mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
daemon,mail.*;\
       news.=crit;news.=err;news.=notice;\
       *.=debug;*.=info;\
       *.=notice;*.=warn       /dev/tty8

*.emerg                         *
*.=alert                        *

Configure local mail

Install opensmtpd:

f0g6# emerge --ask mail-mta/opensmtpd

Configure opensmtpd:

f0g6# cat /etc/smtpd/smtpd.conf
table aliases file:/etc/mail/aliases

listen on localhost

action "local" mbox alias <aliases>
action "relay" relay

match for local action "local"
match from local for any action "relay"

Configure mailutils:

f0g6# cat /etc/mailutils.conf
mailbox {
  mailbox-type mbox;
};

include /etc/mailutils.d/;

Enable and start opensmtpd:

f0g6# rc-update add smtpd default
f0g6# rc-service smtpd start

nftables & OpenSnitch

I’m assuming that you don’t have any existing iptables rules that would require migration, hence we skip that part. Otherwise check the nftables documentation.

Enable nftables support:

f0g6# rg -N nftables /etc/portage/package.use
/etc/portage/package.use/firewalld
net-firewall/firewalld nftables

/etc/portage/package.use/networkmanager
net-misc/networkmanager nftables

/etc/portage/package.use/iptables
net-firewall/iptables nftables

Rebuild packages if necessary:

f0g6# emerge --ask firewalld networkmanager iptables

Enable and start nftables, disable and stop iptables:

f0g6# rc-service iptables stop
f0g6# rc-update del iptables default
f0g6# rc-update add nftables default
f0g6# rc-service nftables start

Install OpenSnitch from the Pentoo repository:

f0g6# eselect repository enable pentoo
f0g6# cat /etc/portage/package.accept_keywords/opensnitch
app-admin/opensnitch ~amd64
dev-python/grpcio-tools ~amd64
f0g6# emerge -a app-admin/opensnitch
f0g6# rc-update add opensnitch default
f0g6# rc-service opensnitch start

You can now launch opensnitch-ui and find the OpenSnitch application in your tray. Ideally you would launch it through your window manager on login.

Wireguard

Configure a Wireguard VPN

Install wireguard-tools:

f0g6# emerge --ask net-vpn/wireguard-tools

You can now use nmcli and nmtui to set up/import Wireguard configuration. Your favorite VPN service might have a web tool to export configurations for Wireguard.

Intrusion Detection

Install the Advanced Intrusion Detection Environment (AIDE) and chkrootkit:

f0g6# cat /etc/portage/package.use/aide
app-forensics/aide zlib
f0g6# emerge --ask app-forensics/aide app-forensics/chkrootkit

Configure /etc/aide/aide.conf with values that make sense for you. Don’t forget to set the database files:

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

Initialize the database:

f0g6# aide --init --config=/etc/aide/aide.conf

Next, copy the newly initialized database to the database location:

f0g6# cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Then, do a check to see that scanning works properly:

f0g6# aide --check --config=/etc/aide/aide.conf

The check should finish with All files match AIDE database. Looks okay!. You can now perform regular checks, e.g. via a cron job or manually. Whenever files change intentionally, a new database has to be initialized and copied over to the database path, as done initially.

chkrootkit doesn’t require configuration. It can be enabled using e.g. a weekly cron job:

f0g6# cat /etc/cron.weekly/chkrootkit
#!/bin/sh
exec /usr/sbin/chkrootkit -q
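An unattended variant of the AIDE check above, added here as an example and not code from the original post: it runs aide --check, keeps the report on disk and mails it to root through the local opensmtpd/mailutils setup from the previous section only when something was found or AIDE itself failed. It assumes the database paths from the text and mailutils’ mail(1); the install path /usr/local/sbin/aide-check and a cron.daily wrapper that execs it with the argument run (mirroring the chkrootkit script) are suggestions.

```shell
#!/bin/sh
# Unattended AIDE check that mails the report to root through the local
# opensmtpd/mailutils setup. Added example, not code from the original
# post. Assumes the database paths from the text and mailutils' mail(1).
# Suggested install: /usr/local/sbin/aide-check, called from
# /etc/cron.daily/aide via "exec /usr/local/sbin/aide-check run".
set -u

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
MAILTO="${MAILTO:-root}"

# AIDE's exit status for --check is a bitmask of what it found:
# 1 = new files, 2 = removed files, 4 = changed files. Values of 14 and
# above mean AIDE itself failed (config or I/O error), which a cron job
# must surface too, otherwise a broken check looks like a clean one.
aide_summary() {
    code="$1"
    if [ "$code" -eq 0 ]; then echo "ok"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error (exit $code)"; return 0; fi
    s=""
    [ $((code & 1)) -ne 0 ] && s="$s new"
    [ $((code & 2)) -ne 0 ] && s="$s removed"
    [ $((code & 4)) -ne 0 ] && s="$s changed"
    echo "findings:$s"
}

# Run the check, keep the full report on disk and mail it only when
# there is something to look at; a daily "all files match" mail just
# trains you to ignore the reports.
run_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%F).log"
    aide --check --config="$AIDE_CONF" >"$report" 2>&1
    code=$?
    summary="$(aide_summary "$code")"
    if [ "$code" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$MAILTO" <"$report"
    fi
    return "$code"
}

case "${1:-}" in
    run) run_check ;;
esac
```

After an intended change, re-initialize and copy the database as described above, otherwise every subsequent mail repeats the same findings.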

SELinux

SELinux will be enabled and running in permissive mode with the hardened/selinux Gentoo profile. However, it requires some relabeling and configuration of your own rules (e.g. for OpenSnitch). The in-depth setup would be too much for this write-up; nevertheless there are some important bits worth mentioning.

First of all, make sure sys-process/audit is installed and enabled. tail -f /var/log/audit/audit.log is going to be your friend while setting up SELinux. Other friends are audit2allow, audit2why, getsebool -a and setsebool, restorecon, rlpkg, and semanage fcontext --list; see their respective man pages.

In general, make sure you comprehend the concept of SELinux before trying anything – especially before setting it to enforcing.

Further topics

This is a non-exhaustive list of further things you might want to do on your StarBook. I won’t be going into the specifics, as there already is plenty of useful information on the Gentoo wiki and other places to help you with advancing on these topics.

Last but not least, emerge a graphical environment, ideally something running on Wayland, e.g. Sway. If you must use X11, make sure to adjust the USE flags if not done already. Don’t use X11, though. X11 was designed in an era when security was not a primary consideration. It lacks modern security features, making it susceptible to various vulnerabilities such as eavesdropping, data manipulation, and unauthorized access. X11 also tends to be relatively resource-intensive, leading to potential performance issues particularly with high-resolution displays and demanding graphical tasks. I would argue that we in fact are Wayland already, and if you’re still using Xorg in 2024 you either have some oddly specific needs – given that we’re talking about a Linux desktop – or you’re just backward and should move on, grandpa.


I hope you found value in this write-up. If you’re interested in reading a general review of the StarBook, I have published one here.
