====== Introduction ======
:!: outdated, new installations [[os:openbsd:x230t2|here]]:!:
Tired of Systemd and some other layers in Linux, I will try to install OpenBSD on my x230 Tablet, encrypting partitions with a key stored on an SD card. (hello NSA)\\
I will use OpenBSD 5.9 (snapshot of 27th of March 2016).\\
The x230 is modified, I added a mSATA drive (sd1).\\
I removed Windows completely as I don't use it.
====== Downloads ======
[[http://www.openbsd.org/ftp.html#http|Install59.iso]]
====== Disk Layout ======
I will use the following schema:
  * mSATA (sd1) 256GB for /
  * SATA (sd0) 500GB for swap/var/home
^ Disk ^ Partition ^ Format ^ Size ^ Mount Point ^
|1 | 1 | RAID | 230GB | / |
|1 | 2 | none | 26GB | fake trim |
|0 | 1 | swap | 16GB | OpenBSD swap |
|0 | 2 | RAID | 480GB | /var, /tmp and /home |
====== Installation ======
Boot from the ISO/USB key.\\
Select the shell (by typing 's') when you reach the following prompt:
  (I)nstall, (U)pgrade, (A)utoinstall, (S)hell?
===== Disk partitioning =====
We will create the above partitions using the fdisk/disklabel tools.
  fdisk -iy sd1
The output is:
  fdisk: sd1: No such file or directory
Let's create the device:
  cd /dev
  sh ./MAKEDEV sd1
And run again:
  fdisk -iy sd1
The output is much nicer:
  Writing MBR at offset 0.
Let's partition sd0 and sd1, starting with sd1:
  disklabel -E sd1
  > a
  partition: [a]
  offset: [64]
  size: [500103386] 95%
  FS type: [4.2BSD] RAID
  > w
  > q
Done for sd1. (I leave 5% free for TRIM, as I found no clear details on whether I need it or whether it works at all, and 95% of 256GB should be enough for / :-) )\\
Let's partition sd0:
  disklabel -E sd0
  > a
  partition: [a]
  offset: [0]
  size: [976773168] 16g
  FS type: [4.2BSD] swap
  > a
  partition: [b]
  offset: [33559785]
  size: [943213383]
  FS type: [swap] RAID
  > w
  > q
Here we create 2 partitions: swap (already encrypted) and a RAID one that will contain /var, /tmp and /home.
===== SD card/USB key partitioning =====
Plug in your SD card/USB stick; here it is named sd3.
  cd /dev
  sh ./MAKEDEV sd3
Don't forget to create the MBR:
  fdisk -iy sd3
We just need around 1MB for the key, so I will just create two very small partitions (d and e).
  disklabel -E sd3
  > a
  partition: [a]d
  offset: [64]
  size: [124735488] 2m
  FS type: [4.2BSD] RAID
  > a
  partition: [a]e
  offset: [16065]
  size: [124735488] 2m
  FS type: [4.2BSD] RAID
  > w
  > q
===== Let's encrypt =====
So for now we have sd1 (mSATA), sd0 (SATA) and sd3 (SD card).\\
The next step is an all-in-one step: we will encrypt sd1a and sd0b as softraid0 crypto volumes and save their keys on the SD card (sd3d and sd3e).
  bioctl -C force -c C -l /dev/sd1a -k /dev/sd3d softraid0
  bioctl -C force -c C -l /dev/sd0b -k /dev/sd3e softraid0
Note: http://www.tedunangst.com/flak/post/OpenBSD-softraid-crypto-boot \\
Maybe it would be good to put on top:
  bioctl -c C -l /dev/sd1a -r 98765 softraid0
  bioctl -c C -l /dev/sd0b -r 98765 softraid0
Output will be something like:
  sd4 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed
  sd4: 231988MB,512 bytes/sector, 475111754 sectors
and
  sd5 at scsibus2 targ 2 lun 0: SCSI2 0/direct fixed
  sd5: 460553MB,512 bytes/sector, 943212855 sectors
We create the devices:
  cd /dev
  sh ./MAKEDEV sd4
  sh ./MAKEDEV sd5
Good practice: erase the first megabyte of each new volume:
  dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
  dd if=/dev/zero of=/dev/rsd5c bs=1m count=1
So now we have sd4 and sd5, which we will use during the installation.
===== Install =====
Let's go back to the installation:
  /install
Select layout, timezone, passwords, user(s)…\\
When at the partitioning point, select the 2 new devices (sd4 and sd5 in my case).
  Which disk is the root disk? [sd0] sd4
  Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]W
  [… auto partitions schema …]
  Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
  > a
  partition: [a]a
  offset: [64]
  size: [475106246]
  FS type: [4.2BSD]
  mount point: [none] /
  > w
  > q
We do the same for sd5 (/var, /tmp and /home):
  which disk do you wish to initialize? [done] sd5
  Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]W
  > a
  partition: [a]a
  offset: [64]
  size: [943208216] 20g
  FS type: [4.2BSD]
  mount point: [none] /var
  > a
  partition: [b]
  offset: [41945696]
  size: [901262584] 10g
  FS type: [swap] 4.2BSD
  mount point: [none] /tmp
  > a
  partition: [d]
  offset: [62910528]
  size: [880297752]
  FS type: [4.2BSD]
  mount point: [none] /home
  > w
  > q
And voilà.
  which disk do you wish to initialize? [done]
Install the sets.\\
The installation should finish successfully, but **__DO NOT REBOOT YET__**
===== Final touch =====
We will quickly tweak the fstab to add the swap partition as well as some mount options:
  sed 's/rw/rw,softdep,noatime/g' /mnt/etc/fstab > /mnt/a
  echo '/dev/sd0a none swap sw 0 0' >> /mnt/a
  mv /mnt/a /mnt/etc/fstab
Done, everything is ready! Time to reboot:
  reboot
====== Backup of the Keys ======
  dd if=/dev/rsd2d of=key1.img bs=1m
  dd if=/dev/rsd2e of=key2.img bs=1m
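A more careful version of the backup above, as an added example that is not part of the original page: the image holds the key material in the clear, so anyone with the file can unlock the volume, and a silently truncated copy is useless when the SD card dies. The function name ''backup_keydisk'' and the destination paths are assumptions; the source device is whatever the SD card attaches as on your system.

```shell
#!/bin/sh
# Added example: copy a softraid key-disk partition to an image file,
# keep the image private (mode 0600) and verify it byte for byte.
# Usage (as root), with the device names used on this page:
#   backup_keydisk /dev/rsd2d /mnt/backup/key1.img
#   backup_keydisk /dev/rsd2e /mnt/backup/key2.img
# /mnt/backup is a hypothetical mount point for offline storage.

backup_keydisk() {
    src=$1    # raw key-disk partition (or any readable file)
    dst=$2    # image file to create

    if [ ! -r "$src" ]; then
        echo "backup_keydisk: cannot read $src" >&2
        return 1
    fi
    # Never overwrite an existing backup by accident.
    if [ -e "$dst" ]; then
        echo "backup_keydisk: $dst already exists" >&2
        return 1
    fi

    # Create the image with a restrictive umask so it is never
    # world-readable, even for an instant.
    old_umask=$(umask)
    umask 077
    rc=0
    dd if="$src" of="$dst" bs=64k 2>/dev/null || rc=$?
    umask "$old_umask"
    if [ "$rc" -ne 0 ]; then
        rm -f "$dst"
        return 1
    fi

    # Verify: the image must be identical to the partition.
    if ! cmp -s "$src" "$dst"; then
        echo "backup_keydisk: verification failed, image removed" >&2
        rm -f "$dst"
        return 1
    fi
    return 0
}
```

Keep the resulting images offline or inside another encrypted container, never on the disks they unlock.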
====== Switching to -current ======
Optional, but thrilling!
  cd /
  mv /bsd.rd /bsd.rd.sav
  wget http://mirror.switch.ch/ftp/pub/OpenBSD/snapshots/amd64/bsd.rd
Reboot:
  reboot
At the boot prompt type:
  boot> boot bsd.rd
Then use the "upgrade" method, give your keyboard layout, your root device/partition.\\
When the upgrade is done, type "reboot" again.\\
Once rebooted, use sysmerge to merge/check modifications:
  sysmerge
And voilà! You are running -current.
====== Laptop tweaks ======
===== apm =====
To save some battery:
  vi /etc/rc.conf.local
and add:
  apmd_flags="-A" # Set apmd(8) to automatic performance adjustment mode.
  apmd_enable="YES"
===== desktop reactivity =====
In /etc/rc.conf.local add:
  multicast_host=YES
  ntpd_flags="-s"
  hotplugd_flags=""
In /etc/login.conf change:
  :datasize-max=512M:\
  :datasize-cur=512M:\
to (at least):
  :datasize-max=1024M:\
  :datasize-cur=1024M:\
Reference: http://www.bsdnow.tv/tutorials/the-desktop-obsd
====== Xorg ======
xorg.conf to put in /etc/X11:
  Section "ServerLayout"
      Identifier "X.org Configured"
      Screen 0 "Screen0" 0 0
      InputDevice "Mouse0" "CorePointer"
      InputDevice "Keyboard0" "CoreKeyboard"
      Option "AllowEmptyInput" "off"
      Option "AutoAddDevices" "off"
      Option "DontZap" "false"
  EndSection
  
  Section "Files"
      ModulePath "/usr/X11R6/lib/modules"
      FontPath "/usr/X11R6/lib/X11/fonts/misc/"
      FontPath "/usr/X11R6/lib/X11/fonts/TTF/"
      FontPath "/usr/X11R6/lib/X11/fonts/OTF/"
      FontPath "/usr/X11R6/lib/X11/fonts/Type1/"
      FontPath "/usr/X11R6/lib/X11/fonts/100dpi/"
      FontPath "/usr/X11R6/lib/X11/fonts/75dpi/"
  EndSection
  
  Section "Module"
      Load "dbe"
      Load "dri"
      Load "dri2"
      Load "extmod"
      Load "glx"
      Load "record"
  EndSection
  
  Section "InputDevice"
      Identifier "Keyboard0"
      Driver "kbd"
      Option "XkbLayout" "us"
      Option "XkbVariant" "intl"
      # Option "XkbOptions" "compose:prsc"
  EndSection
  
  Section "InputDevice"
      Identifier "Touchpad0"
      Driver "synaptics"
      Option "Device" "/dev/wsmouse0"
      Option "AutoServerLayout" "True"
  EndSection
  
  Section "InputDevice"
      Identifier "Mouse0"
      Driver "mouse"
      Option "Protocol" "wsmouse"
      Option "Device" "/dev/wsmouse"
      Option "ZAxisMapping" "4 5 6 7"
      Option "EmulateWheel" "true"
      Option "EmulateWheelButton" "2"
      Option "AutoServerLayout" "True"
  EndSection
  
  Section "Monitor"
      Identifier "Monitor0"
      VendorName "Monitor Vendor"
      ModelName "Monitor Model"
  EndSection
  
  Section "Device"
      ### Available Driver options are:-
      ### Values: <i>: integer, <f>: float, <bool>: "True"/"False",
      ### <string>: "String", <freq>: "<f> Hz/kHz/MHz",
      ### <percent>: "<f>%"
      ### [arg]: arg optional
      #Option "NoAccel" # [<bool>]
      #Option "SWcursor" # [<bool>]
      #Option "ColorKey" # <i>
      #Option "CacheLines" # <i>
      #Option "Dac6Bit" # [<bool>]
      #Option "DRI" # [<bool>]
      #Option "NoDDC" # [<bool>]
      #Option "ShowCache" # [<bool>]
      #Option "XvMCSurfaces" # <i>
      #Option "PageFlip" # [<bool>]
      Identifier "Card0"
      Driver "intel"
      BusID "PCI:0:2:0"
  EndSection
  
  Section "Screen"
      Identifier "Screen0"
      Device "Card0"
      Monitor "Monitor0"
      SubSection "Display"
          Viewport 0 0
          Depth 16
      EndSubSection
      SubSection "Display"
          Viewport 0 0
          Depth 24
      EndSubSection
  EndSection
===== Touchpad =====
See xorg.conf above, but basically:
  Section "InputDevice"
      Identifier "Touchpad0"
      Driver "synaptics"
      Option "Device" "/dev/wsmouse0"
      Option "AutoServerLayout" "True"
  EndSection
  
  Section "InputDevice"
      Identifier "Mouse0"
      Driver "mouse"
      Option "Protocol" "wsmouse"
      Option "Device" "/dev/wsmouse"
      Option "ZAxisMapping" "4 5 6 7"
      Option "EmulateWheel" "true"
      Option "EmulateWheelButton" "2"
      Option "AutoServerLayout" "True"
  EndSection
In your ~/.xsession:
  #!/bin/sh
  # deactivate touchpad
  synclient TouchpadOff=1
===== Scrolling =====
Still in ~/.xsession:
  # activate scroll wheel button
  xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation" 0
  xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Axes" 6 7 4 5
  xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Button" 2
  xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Timeout" 50
  xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Inertia" 3
  # increase pointer speed
  xinput set-prop "/dev/wsmouse" "Device Accel Constant Deceleration" 0.4
====== Locales ======
Still in ~/.xsession:
  # set locale
  export LC_CTYPE="en_US.UTF-8"
  export LC_MESSAGES="en_US.UTF-8"
====== Network ======
ifconfig is your friend!\\
Simple example (the key is in single quotes so the shell does not expand ''$$'' to its process ID):
  ifconfig iwn0 nwid "my nice wifi" wpakey '4m4z1ngP4$$' up
Then, if all is OK:
  dhclient iwn0
You can scan for wifi networks:
  ifconfig iwn0 scan
===== Failover network =====
===== local DNS =====
====== Security ======
===== PF =====
Basic rules in your /etc/pf.conf:
  # $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
  #
  # See pf.conf(5) and /etc/examples/pf.conf
  set skip on lo
  block return # block stateless traffic
  pass # establish keep-state
  # By default, do not permit remote connections to X11
  block return in on ! lo0 proto tcp to port 6000:6010
  set block-policy drop
  match in all scrub (no-df random-id max-mss 1440)
  antispoof quick for (egress)
  block in quick on egress from { no-route urpf-failed } to any
  block in all
  pass out quick inet keep state
References: http://www.bsdnow.tv/tutorials/the-desktop-obsd
====== Additional Packages ======
Time to play with pkg_add to install some useful tools:
  pkg_add -Uu
  pkg_add -iv firefox
  pkg_add -iv ImageMagick irssi vim zsh rxvt-unicode fvwm2 xscreensaver rdesktop iftop rsync wget curl figlet dfc git subversion ranger emelfm2
====== Ports ======
You can install ports using a snapshot made for you!
  cd /usr
  wget http://mirror.switch.ch/ftp/pub/OpenBSD/snapshots/ports.tar.gz
  tar xvzf ports.tar.gz
====== Finding packages ======
Two ways:
  pkg_info yourpackage
or
  cd /usr/ports
  make search key=what_you_search
Reference: http://www.bsdnow.tv/tutorials/ports-obsd
====== Things went wrong when ======
===== bootblocks are not installed =====
  → installboot: no OpenBSD partition
  Failed to install bootblocks
  You will not be able to boot OpenBSD from sd4
I had this issue when neither sd0 nor sd3 had an MBR … dd saved the day :)
====== References ======
  * http://unix.stackexchange.com/questions/9527/how-should-one-set-up-full-disk-encryption-on-openbsd
  * https://ryanak.ca/planet-ubuntu/2013/03/26/Setting-up-full-disk-encryption-in-OpenBSD-5.3.html
  * http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption
  * http://brycv.com/blog/2012/encrypted-root-filesystem-using-softraid-4-on-openbsd-with-an-slc-ssd/
  * http://www.bsdnow.tv/tutorials/fde
  * http://man.openbsd.org/OpenBSD-current/man8/bioctl.8
  * http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm
  * http://fsfe.soup.io/post/669752294/emergency-exit-OpenBSD-on-the-Thinkpad-X250
  * http://www.openbsd.org/faq/faq4.html
  * http://undeadly.org/cgi?action=article&sid=20110530221728
  * https://github.com/jhautefeuille/obsdnfo
  * http://www.openbsd.org/faq/faq14.html
  * http://geekyschmidt.com/2011/03/27/openbsd-laptop-mini-howto
  * http://www.tumfatig.net/20150215/bind-nsd-unbound-openbsd-5-6/
  * http://www.openbsd.org/faq/faq6.html