os:openbsd:x230t

Differences

This shows you the differences between two versions of the page.

os:openbsd:x230t [2021/12/29 21:03] – ↷ Page moved from openbsd:x230t to os:openbsd:x230t warnaud
os:openbsd:x230t [2021/12/29 21:03] (current) – ↷ Links adapted because of a move operation warnaud
Line 1: Line 1:
 +====== Introduction ======
 +:!: outdated, new installations [[os:openbsd:x230t2|here]]:!:
 +Tired of Systemd and some other layers in Linux, I will try to install OpenBSD my x230 Tablet, encrypting partitions with a key stored on a SD card. (hello NSA)\\
 +I will use an openBSD59 (snapshot of 27th of March 2016).\\
 +The x230 is modified, I added a mSATA drive (sd1).\\
 +I removed totally Windows as I don't use it.
  
 +====== Downloads ======
 +[[http://www.openbsd.org/ftp.html#http|Install59.iso]]
 +====== disk Layout ======
 +I will use the following schema:
 +  * mSATA (sd1) 256GB for /
 +  * SATA (sd0) 500GB for swap/var/home
 +
 +^ Disk      ^ Partition       ^ Format          ^ Size     ^ Mount Point ^
 +|1      | 1         | RAID   | 230GB | / |
 +|1 | 2 | none | 26GB | fake trim |
 +|0 | 1 | swap | 16GB | OpenBSD swap |
 +|0 | 2 | RAID | 480GB | /var, /tmp and /home |
 +
 +====== Installation ======
 +Boot from the iso/usb key\\
 +Select the shell (by type 's') when arriving on the following:\\
 +(I)nstall, (U)pgrade, (A)utoinstall, (S)hell?\\
 +
 +===== Disk partitionning =====
 +We will create the above partitions using fdisk/disklabel tools.\\
 +\\
 +<code bash>fdisk -iy sd1</code>
 +the output is
 +<code>fdisk ; sd1: No such file or directory</code>
 +Let's create the device
 +<code bash>cd /dev
 +sh ./MAKEDEV sd1
 +</code>
 +An run again:
 +<code bash>fdisk -iy sd1</code>
 +the output is largely nicer:
 +<code>Writing MBR at offset 0.</code>
 +Let's partition sd0 and sd1
 +<code bash>disklabel -E sd1
 +> a
 +partition: [a]
 +offset: [64]
 +size: [500103386] 95%
 +FS type: [4.2BSD] RAID
 +> w
 +> q
 +</code>
 +Done for sd1 (I leave 5% free for TRIM as I got no clear details whether or not I need it or not if it is working or not and well 95% of 256GB should be enough for / :-) )\\
 +Let's partition sd0
 +<code bash>disklabel -E sd0
 +> a
 +partition: [a]
 +offset: [0]
 +size: [976773168] 16g
 +FS type: [4.2BSD] swap
 +> a
 +partition: [b]
 +offset: [33559785]
 +size: [943213383]
 +FS type: [swap] RAID
 +> w
 +> q
 +</code>
 +Here we do 2 partitions, swap (already encrypted) and a RAID one that will contained /var /tmp and /home)
 +
 +===== SDcard/USBkey partitioning =====
 +Plug in your SD card/ USB stick, here it is named sd3
 +<code bash>cd /dev
 +sh ./MAKEDEV sd3
 +</code>
 +Don't forget to create the MBR
 +<code bash> fdisk -iy sd3 </code>
 +We just need around 1MB for the key so I will just create two very small partitions (d and e).
 +<code bash>disklabel -E sd3
 +> a
 +partition: [a]d
 +offset: [64]
 +size: [124735488] 2m
 +FS type: [4.2BSD] RAID
 +> a
 +partition: [a]e
 +offset: [16065]
 +size: [124735488] 2m
 +FS type: [4.2BSD] RAID
 +> w
 +> q
 +</code>
 +
 +===== Let's encrypt =====
 +So for now we have sd1(m-sata)/sd0(sata)/sd2(sdcard)\\
 +Next step is an all-in-one step: we will encrypt sd1a and sd0b as softraid0 and save the key on the SD card.
 +<code bash>bioctl -C force -c C -l /dev/sd1a -k /dev/sd3d softraid0
 +bioctl -C force -c C -l /dev/sd0b -k /dev/sd3e softraid0
 +</code>
 +Note: http://www.tedunangst.com/flak/post/OpenBSD-softraid-crypto-boot \\
 +Maybe it would be good to put on top:
 +<code bash>
 +bioctl -c C -l /dev/sd1a -r 98765 softraid0
 +bioctl -c C -l /dev/sd0b -r 98765 softraid0
 +</code>
 +Output will be something like:
 +<code>sd4 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed
 +sd4: 231988MB,512 bytes/sector, 475111754 sectors</code>
 +and
 +<code>sd5 at scsibus2 targ 2 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed
 +sd5: 460553MB,512 bytes/sector, 943212855 sectors</code>
 +We create the devices:
 +<code bash>cd /dev
 +sh ./MAKEDEV sd4
 +sh ./MAKEDEV sd5
 +</code>
 +Good practice, erase first MegaByte:
 +<code bash>dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
 +dd if=/dev/zero of=/dev/rsd5c bs=1m count=1</code>
 +
 +So now we have sd4 and sd5 which we will use during the installation.
 +===== Install =====
 +Let's go back to the installation
 +<code bash>/install</code>
 +Select layout, timezone, passwords, user(s)…\\
 +When at the partitioning point, select the 2 new device (sd4 and sd5 in my case).\\
 +<code>Which disk is the root disk? [sd0] sd4
 +Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]W
 +[… auto partitions schema …]
 +Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
 +> a
 +partition: [a]a
 +offset: [64]
 +size: [475106246]
 +FS type: [4.2BSD]
 +mount point: [none] /
 +> w
 +> q
 +</code>
 +We do the same for sd5 (/var /tmp and /home)
 +<code bash>which disk do you wish to initialize? [done] sd5
 +Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]W
 +> a
 +partition: [a]a
 +offset: [64]
 +size: [943208216] 20g
 +FS type: [4.2BSD]
 +mount point: [none] /var
 +> a
 +partition: [b]
 +offset: [41945696]
 +size: [901262584] 10g
 +FS type: [swap] 4.2BSD
 +mount point: [none] /tmp
 +> a
 +partition: [d]
 +offset: [62910528]
 +size: [880297752]
 +FS type: [4.2BSD]
 +mount point: [none] /home
 +> w
 +> q
 +</code>
 +And voilà.
 +<code bash>which disk do you wish to initialize? [done]</code>
 +Install the sets\\
 +Installation should finish with a success, but **__DO NOT REBOOT YET__**
 +===== Final touch =====
 +We will tweak quickly the fstab to add the swap partition as well as some parameters:
 +<code bash>
 +sed 's/rw/rw,softdep,noatime/g' /mnt/etc/fstab > /mnt/a
 +echo '/dev/sd0a none swap sw 0 0' >> /mnt/a
 +mv /mnt/a /mnt/etc/fstab   
 +</code>
 +Done, everything is ready! ready to reboot
 +<code bash>reboot</code>
 +====== Backup of the Keys ======
 +<code bash>dd if=/dev/rsd2d of=key1.img bs=1m
 +dd if=/dev/rsd2e of=key2.img bs=1m
 +</code>
 +
 +====== Switching to -current ======
 +Optional, but thrilling!
 +<code bash>
 +cd /
 +mv /bsd.rd /bsd.rd.sav
 +wget http://mirror.switch.ch/ftp/pub/OpenBSD/snapshots/amd64/bsd.rd
 +</code>
 +Reboot
 +<code bash>
 +reboot
 +</code>
 +At boot prompt type:
 +<code>
 +boot> boot bsd.rd
 +</code>
 +Then use the "upgrade" method, give your keyboard layout, your root device/partition.\\
 +When upgrade is done, type again "reboot".\\
 +Once reboot use sysmerge to merge/check modifications
 +<code bash>
 +sysmerge
 +</code>
 +And voilà ! you are in -current
 +
 +====== Laptop tweaks ======
 +===== apm =====
 +In order to keep some battery:
 +<code bash>vi /etc/rc.conf.local</code>
 +add
 +<code>
 +apmd_flags="-A"         # Set apmd(8) to automatic performance adjustment mode. 
 +apmd_enable="YES"
 +</code>
 +
 +===== desktop reactivity =====
 +In /etc/rc.conf.local add:
 +<code>
 +multicast_host=YES
 +ntpd_flags="-s"
 +hotplugd_flags=""
 +</code>
 +In /etc/login.conf change:
 +<code>
 +       :datasize-max=512M:\
 +       :datasize-cur=512M:\
 +
 +</code>
 +by (at least)
 +<code>
 +       :datasize-max=1024M:\
 +       :datasize-cur=1024M:\
 +</code>
 +Reference: http://www.bsdnow.tv/tutorials/the-desktop-obsd
 +====== Xorg ======
 +xorg.conf to put in /etc/X11
 +<code perl>
 +Section "ServerLayout"
 + Identifier     "X.org Configured"
 + Screen      0  "Screen0" 0 0
 + InputDevice    "Mouse0" "CorePointer"
 + InputDevice    "Keyboard0" "CoreKeyboard"
 +   Option         "AllowEmptyInput" "off"
 + Option "AutoAddDevices" "off"
 +   Option         "DontZap" "false"
 +EndSection
 +
 +Section "Files"
 + ModulePath   "/usr/X11R6/lib/modules"
 + FontPath     "/usr/X11R6/lib/X11/fonts/misc/"
 + FontPath     "/usr/X11R6/lib/X11/fonts/TTF/"
 + FontPath     "/usr/X11R6/lib/X11/fonts/OTF/"
 + FontPath     "/usr/X11R6/lib/X11/fonts/Type1/"
 + FontPath     "/usr/X11R6/lib/X11/fonts/100dpi/"
 + FontPath     "/usr/X11R6/lib/X11/fonts/75dpi/"
 +EndSection
 +
 +Section "Module"
 + Load  "dbe"
 + Load  "dri"
 + Load  "dri2"
 + Load  "extmod"
 + Load  "glx"
 + Load  "record"
 +EndSection
 +
 +Section "InputDevice"
 + Identifier  "Keyboard0"
 + Driver      "kbd"
 +        Option "XkbLayout" "us"
 +        Option "XkbVariant" "intl"
 +# Option "XkbOptions "compose:prsc"
 +EndSection
 +
 +Section "InputDevice"
 + Identifier "Touchpad0"
 + Driver "synaptics"
 + Option "Device" "/dev/wsmouse0"
 + Option "AutoServerLayout" "True"
 +EndSection
 +
 +Section "InputDevice"
 + Identifier  "Mouse0"
 + Driver      "mouse"
 + Option     "Protocol" "wsmouse"
 + Option     "Device" "/dev/wsmouse"
 + Option     "ZAxisMapping" "4 5 6 7"
 + Option     "EmulateWheel" "true"
 + Option     "EmulateWheelButton" "2"
 + Option     "AutoServerLayout" "True"
 +EndSection
 +
 +Section "Monitor"
 + Identifier   "Monitor0"
 + VendorName   "Monitor Vendor"
 + ModelName    "Monitor Model"
 +EndSection
 +
 +Section "Device"
 +        ### Available Driver options are:-
 +        ### Values: <i>: integer, <f>: float, <bool>: "True"/"False",
 +        ### <string>: "String", <freq>: "<f> Hz/kHz/MHz",
 +        ### <percent>: "<f>%"
 +        ### [arg]: arg optional
 +        #Option     "NoAccel"            # [<bool>]
 +        #Option     "SWcursor"            # [<bool>]
 +        #Option     "ColorKey"            # <i>
 +        #Option     "CacheLines"          # <i>
 +        #Option     "Dac6Bit"            # [<bool>]
 +        #Option     "DRI"                # [<bool>]
 +        #Option     "NoDDC"              # [<bool>]
 +        #Option     "ShowCache"          # [<bool>]
 +        #Option     "XvMCSurfaces"        # <i>
 +        #Option     "PageFlip"            # [<bool>]
 + Identifier  "Card0"
 + Driver      "intel"
 + BusID       "PCI:0:2:0"
 +EndSection
 +
 +Section "Screen"
 + Identifier "Screen0"
 + Device     "Card0"
 + Monitor    "Monitor0"
 + SubSection "Display"
 + Viewport   0 0
 + Depth     16
 + EndSubSection
 + SubSection "Display"
 + Viewport   0 0
 + Depth     24
 + EndSubSection
 +EndSection
 +</code>
 +===== Touchpad =====
 +See xorg.conf above but basically:
 +<code perl>
 +Section "InputDevice"
 + Identifier "Touchpad0"
 + Driver "synaptics"
 + Option "Device" "/dev/wsmouse0"
 + Option "AutoServerLayout" "True"
 +EndSection
 +
 +Section "InputDevice"
 + Identifier  "Mouse0"
 + Driver      "mouse"
 + Option     "Protocol" "wsmouse"
 + Option     "Device" "/dev/wsmouse"
 + Option     "ZAxisMapping" "4 5 6 7"
 + Option     "EmulateWheel" "true"
 + Option     "EmulateWheelButton" "2"
 + Option     "AutoServerLayout" "True"
 +EndSection
 +</code>
 +In your ~/.xsession
 +<code bash>
 +#!/bin/sh
 +
 +# deactivate touchpad
 +synclient TouchpadOff=1
 +</code>
 +
 +===== Scrolling =====
 +Still in ~/.xsession
 +<code bash>
 +# activate scroll wheel button
 +xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation" 0
 +xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Axes" 6 7 4 5
 +xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Button" 2
 +xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Timeout" 50
 +xinput set-prop "/dev/wsmouse" "WS Pointer Wheel Emulation Inertia" 3
 +
 +# increase pointer speed
 +xinput set-prop "/dev/wsmouse" "Device Accel Constant Deceleration" 0.4
 +</code>
 +====== Locales ======
 +Still in ~/.xsession
 +<code bash>
 +# set locale
 +export LC_CTYPE="en_US.UTF-8"
 +export LC_MESSAGES="en_US.UTF-8"
 +</code>
 +====== Network ======
 +ifconfig is your friend!\\
 +Simple example:
 +<code bash>ifconfig iwn0 nwid "my nice wifi" wpakey "4m4z1ngP4$$" up</code>
 +then if all is ok:
 +<code bash>dhclient iwn0</code>
 +You can scan networks (wifi)
 +<code bash>ifconfig iwn0 scan</code>
 +
 +===== Failover network =====
 +===== local DNS =====
 +
 +====== Security ======
 +===== PF =====
 +Basic rules in your /etc/pf.conf
 +<code>
 +#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
 +#
 +# See pf.conf(5) and /etc/examples/pf.conf
 +
 +set skip on lo
 +
 +block return    # block stateless traffic
 +pass            # establish keep-state
 +
 +# By default, do not permit remote connections to X11
 +block return in on ! lo0 proto tcp to port 6000:6010
 +
 +set block-policy drop
 +match in all scrub (no-df random-id max-mss 1440)
 +antispoof quick for (egress)
 +block in quick on egress from { no-route urpf-failed } to any
 +block in all
 +pass out quick inet keep state
 +</code>
 +References: http://www.bsdnow.tv/tutorials/the-desktop-obsd
 +====== Additional Packages ======
 +Time to play with pkg_add to put some useful tools:
 +<code bash>
 +pkg_add -Uu
 +pkg_add -iv firefox
 +pkg_add -iv ImageMagick irssi vim zsh rxvt-unicode fvwm2 xscreensaver rdesktop iftop rsync wget curl figlet dfc git subversion ranger emelfm2
 +</code>
 +====== Ports ======
 +You can install ports using a snapshot made for you!
 +<code bash>
 +cd /usr
 +wget http://mirror.switch.ch/ftp/pub/OpenBSD/snapshots/ports.tar.gz
 +tar xvzf ports.tar.gz
 +</code>
 +====== Finding packages ======
 +Two ways:
 +<code bash>
 +pkg_info yourpackage
 +</code>
 +or
 +<code bash>
 +cd /usr/ports
 +make search key=what_you_search
 +</code>
 +
 +Reference: http://www.bsdnow.tv/tutorials/ports-obsd
 +
 +====== Thing went wrong when ======
 +===== bootblocks are not installed =====
 +<code bash>
 +→ installboot: no OpenBSD partition
 +Failed to install bootblocks
 +You will not be able to boot OpenBSD from sd4
 +</code>
 +I had this issue when sd0 didn't had a MBR nor sd3 … dd saved the days :)
 +
 +====== References ======
 +  * http://unix.stackexchange.com/questions/9527/how-should-one-set-up-full-disk-encryption-on-openbsd
 +  * https://ryanak.ca/planet-ubuntu/2013/03/26/Setting-up-full-disk-encryption-in-OpenBSD-5.3.html
 +  * http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption
 +  * http://brycv.com/blog/2012/encrypted-root-filesystem-using-softraid-4-on-openbsd-with-an-slc-ssd/
 +  * http://www.bsdnow.tv/tutorials/fde
 +  * http://man.openbsd.org/OpenBSD-current/man8/bioctl.8
 +  * http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm
 +  * http://fsfe.soup.io/post/669752294/emergency-exit-OpenBSD-on-the-Thinkpad-X250
 +  * http://www.openbsd.org/faq/faq4.html
 +  * http://undeadly.org/cgi?action=article&sid=20110530221728
 +  * https://github.com/jhautefeuille/obsdnfo
 +  * http://www.openbsd.org/faq/faq14.html
 +  * http://geekyschmidt.com/2011/03/27/openbsd-laptop-mini-howto
 +  * http://www.tumfatig.net/20150215/bind-nsd-unbound-openbsd-5-6/
 +  * http://www.openbsd.org/faq/faq6.html
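
Review bot: The "Backup of the Keys" section reads the key material from `/dev/rsd2d` and `/dev/rsd2e`, but the key partitions were created with `disklabel -E sd3` and handed to bioctl as `-k /dev/sd3d` and `-k /dev/sd3e`, and the "Let's encrypt" prose also calls the SD card sd2. As written, the `dd` backup copies from a different device than the keydisk, and a backup that does not hold the real key means losing both volumes if the SD card fails. Use one device name throughout (`rsd3d` / `rsd3e`), or state explicitly that the card was renumbered after the reboot and how to confirm which device it is before running `dd`. Two smaller points in the same revision: in "Switching to -current" and "Ports", `bsd.rd` and `ports.tar.gz` are fetched with `wget http://...` and then booted or extracted with no integrity check, so add a step that verifies them against the mirror's `SHA256.sig` with signify(1) first; and in "Network", the example `wpakey "4m4z1ngP4$$"` is in double quotes, so the shell replaces `$$` with its process ID and the key sent to the interface is not the one typed; single quotes avoid that.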