00_EFI_Gentoo_End_to_End_Install

<!-- Page: Sakaki's_EFI_Install_Guide -->
<!-- {{Metadata|abstract=Detailed tutorial showing how to install a dual secure-boot Gentoo system (on a Windows 10 or 8 UEFI PC), including full instructions for LUKS, LVM, systemd and GNOME3.}} -->
If you have a Windows 10 (or 8) machine that you'd like to dual-boot with Gentoo Linux and GNOME 3, you've come to the right place! 
[[File:Dual_boot_cfax3_2.jpg|thumb|right|400px|CF-AX3 Ultrabook, Running Windows 10 / Gentoo Linux]]

This detailed (and tested) tutorial shows how to set up just such a dual-boot system, where the Gentoo component:
* is fully encrypted on disk (LVM over LUKS, with dual-factor protection);
* uses UEFI secure boot;
* runs systemd & GNOME 3 (on Wayland);
** ''or'' OpenRC & GNOME 3 (ditto);
* can properly suspend and hibernate;
* has working drivers for touchscreen, webcam etc.;
* has (where appropriate) the Intel Management Engine disabled;<ref>As the ME is disabled via an (optional) system firmware modification, it will remain inactive even when booted into Windows.</ref>
* and even has a graphical boot splash!

To keep things concrete, I'll be walking {{Highlight|line-by-line}} through the setup of a particular machine, namely the Panasonic CF-AX3 [[:Wikipedia:Ultrabook|Ultrabook]]; however, these instructions should be usable (with minor alterations) for many modern PCs (including desktops) which have a [[:Wikipedia:Unified_Extensible_Firmware_Interface|UEFI]] BIOS.

{{Highlight|All}} commands that you'll need to type in are listed, and an ebuild repository (aka 'overlay') with some useful installation utilities is also provided.

While best read in tandem with the official [[Handbook:Main_Page|Gentoo Handbook]], this manual can also be used standalone.

These instructions may also be easily adapted for those wishing to use Gentoo Linux as their sole OS, rather than dual booting.

== <span id="introduction">Introduction</span> ==

The install described in this tutorial attempts to follow the 'stock' process from the [[Handbook:AMD64|Gentoo Handbook]] where possible, but differs in a number of important respects. Specifically:
* The kernel will be configured to {{Highlight|self-boot}} under UEFI; no separate bootloader is needed.
* For security, we will {{Highlight|boot the kernel off of an external USB key}} (which can be removed once the boot has completed). If the USB key is absent on power-up, Windows will start automatically instead.
* {{Highlight|Secure boot}} will be enabled. The kernel will be signed with our own, generated key (and the original Windows keys will be retained too).
* Gentoo's root, swap and home partitions will reside on {{Highlight|LVM}} logical volumes, which themselves will live on a single {{Highlight|LUKS}} (encrypted) partition on the GPT-formatted hard drive of the machine. We'll shrink the Windows C: NTFS partition to provide space for this.
* The LUKS partition will be {{Highlight|unlocked by a keyfile}} at boot. The keyfile will be stored on the USB key together with the Gentoo kernel, and will ''itself'' be {{Highlight|GPG-encrypted}}, so that both the file ''and'' its passphrase will be needed to access the (Gentoo) data on the hard drive. This provides a degree of dual-factor security against e.g., having the machine stolen with the USB key still in it, or even the existence of a keylogger on the PC itself (although not both at the same time!). (Using a provided utility, you can subsequently migrate the kernel onto the Windows EFI system partition on the main drive if desired, and also relax the security to use just a typed-in passphrase, so once installed you won't need to use a USB key at all if you don't want to.)
* We will create an {{Highlight|initramfs}} to allow the GPG / LUKS / LVM stuff to happen in early userspace, and this RAM disk will be stored inside the kernel itself, so it will work under EFI with secure boot (we'll also, for reasons that will become clear later, build a custom version of {{c|gpg}} to use in this step).
* For all you source-code paranoiacs, the {{Highlight|Gentoo toolchain and core system will be bootstrapped}} during the install (simulating an old-school stage-1) and we'll validate that all binary executables and libraries have indeed been rebuilt from source when done. The {{Highlight|licence model will be set to accept free software only}} (and although I don't deblob the kernel, instructions for how to do so are provided - assuming your hardware will actually work without uploaded firmware!).
* All Gentoo repository syncs (including the initial {{c|emerge-webrsync}}) will be performed with {{Highlight|{{c|gpg}} signature authentication}}. Unauthenticated protocols such as {{c|rsync}} will ''not'' be used.
* The {{Highlight|latest (3.20+) ''stable'' version of GNOME}} will be installed, using {{Highlight|systemd}} for init (the existing handbook is quite [[OpenRC]]-centric). Incidentally, this will ''not'' require an interim GNOME 2 deployment.
** An alternative track is also provided, for those wishing to install GNOME 3 under OpenRC, via Dantrell B.'s patchset (this is, essentially, how Funtoo avoids having to use systemd for GNOME,<ref>Funtoo Linux Discussion Forums: [http://forums.funtoo.org/topic/111-gnome-312-is-here/ "GNOME 3.12 is HERE..."]</ref> and now his patchset is available for use with Gentoo too). Most of this tutorial is common to both tracks, and a short guide is provided at the appropriate point in the text, to help you choose which route is better for you.
** GNOME will be deployed on the modern [[:Wikipedia:Wayland_(display_server_protocol)|Wayland]] platform (including [https://wayland.freedesktop.org/xserver.html XWayland] support for legacy applications) &mdash; this is [[/Sandboxing_the_Firefox_Browser_with_Firejail#x11_vulnerability|more secure]] than deploying over X11, as it enforces application isolation at the GUI level.
* I'll provide {{Highlight|simple scripts to automate the EFI kernel creation process and keep your system up-to-date.}} The first of these ({{c|buildkernel}}) handles conforming the kernel config for EFI encrypted boot (including setting the kernel command line correctly), creating the initramfs, building and signing the kernel, and installing it on the EFI system partition. The second ({{c|genup}}) automates the process of updating your system software via {{c|emerge}} and associated tools. The scripts are shipped in an ebuild repository (aka 'overlay'), for easy deployment.
* Lastly, detailed (optional) instructions for {{Highlight|disabling the Intel Management Engine}}<ref>For avoidance of doubt, in this guide 'disabled' has the same meaning as 'neutralized and disabled' in the Purism Inc. Blog: [https://puri.sm/posts/deep-dive-into-intel-me-disablement/ "Deep Dive into Intel Management Engine Disablement"]</ref> will be provided (for those with Intel-CPU-based PCs who find this out-of-band coprocessor an unacceptable security risk), as will instructions for {{Highlight|fully sandboxing the popular {{c|firefox}} web browser, using {{c|firejail}}}}.

{{Note|Tutorials covering various elements of the above can be found in one or more places online, but it's difficult to get an end-to-end overview - hence the reason this guide was created.}}

As mentioned, although this tutorial follows the format of the [[Handbook:AMD64|Gentoo Handbook]] in places (particularly at the beginning), it's structured so as to be self-contained - you should be able to walk though this process and, using only these instructions, end up with a fully functional, relatively secure dual-boot Windows 10 (or 8) + Gentoo / GNOME 3 machine when you're done.

{{Warning|Backup '''all''' of your data before doing anything else, particularly if you have a lot of work stored on Windows already. The install process described here has been tested end-to-end, ''but'' is provided 'as is' and without warranty. Proceed at your own risk.}}
{{Warning|Tools like {{c|parted}}, {{c|dd}} and {{c|cryptsetup}}, which we'll be using, can vaporize data easily if misused. Please always double check that you are ''applying operations to the correct device / partition''. We've all been there...}}
{{Warning|We will be using strong cryptography to protect your system. If you lose the LUKS keyfile, or forget the passphrase to unlock it, '''all your data will be gone''', and even the NSA (probably!) won't be able to get it back.<ref>TechCrunch: [http://techcrunch.com/2013/06/17/encrypting-your-email-works-says-nsa-whistleblower-edward-snowden/ "Encrypting Your Email Works, Says NSA Whistleblower Edward Snowden"]</ref> So keep backups of these critical elements too (in a safe place, of course)!}}

== <span id="chapters">Chapters</span> ==

The chapters of this tutorial are listed below, together with a brief summary of each.

{{Highlight|You need to work though the chapters sequentially, in order to complete the install successfully.}}

{{Note| Don't worry if you don't immediately understand everything in the chapter summaries below: the concepts involved will be described in detail in the main body of the text.}}

# '''[[/Installation_Prerequisites|Installation Prerequisites]]'''. First, we'll briefly review the things you'll need in order to carry out the install.
# '''[[/Preparing_Windows_for_Dual-Booting|Preparing Windows for Dual-Booting]]'''. Next, we'll reduce the amount of space Windows takes up on the target machine's hard drive, so there is room for our Gentoo system (and user data). We'll use tools already present in Windows to do this.
# '''[[/Creating_and_Booting_the_Minimal-Install_Image_on_USB|Creating and Booting the Minimal-Install Image on USB]]'''. Then, per [[Handbook:AMD64/Installation/Media|Chapter 2]] of the Gentoo handbook, we'll download a minimal Gentoo image onto a USB key, and boot into it on our target PC (in legacy / {{c|OpenRC}} mode).
# '''[[/Setting_Up_Networking_and_Connecting_via_ssh|Setting Up Networking and Connecting via ssh]]'''. Next, per [[Handbook:AMD64/Installation/Networking|Chapter 3]] of the handbook, we'll setup network access for our minimal system, and connect in to it from a second, 'helper' PC via {{c|ssh}} (to ease installation).
# '''[[/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key|Preparing the LUKS-LVM Filesystem and Boot USB Key]]'''. After that, we'll create a GPG-protected keyfile on a second USB key, create a LUKS (encrypted) partition on the machine's hard drive protected with this key, and then create an LVM structure (root, home and swap) on top of this (achieving the goals of [[Handbook:AMD64/Installation/Disks|Chapter 4]] of the handbook). 
# '''[[/Installing_the_Gentoo_Stage_3_Files|Installing the Gentoo Stage 3 Files]]'''. Then, per [[Handbook:AMD64/Installation/Stage|Chapter 5]] of the handbook, we'll download a Gentoo 'stage 3' minimal filesystem, and install it into the LVM root. We'll also set up your Portage build configuration.
# '''[[/Building_the_Gentoo_Base_System_Minus_Kernel|Building the Gentoo Base System Minus Kernel]]'''. Next, per [[Handbook:AMD64/Installation/Base|Chapter 6]] of the handbook, we'll complete some final preparations, then {{c|chroot}} into the stage 3 filesystem, update our Portage tree, and set a base profile, timezone and locale. We'll setup the {{c|sakaki-tools}} ebuild repository (which contains utilities to assist with the build), and install the first of these, {{c|showem}} (a program to monitor parallel {{c|emerge}}s). Then, we'll bootstrap the toolchain (simulating an old-school stage 1 install), rebuild everything in the {{c|@world}} set, and verify that all libraries and executables have, in fact, been rebuilt. (Instructions are also provided for those who wish to skip bootstrapping). We'll then set the 'real' GNOME profile (users on the OpenRC track will first add Dantrell B.'s ebuild repositories here), and then update the {{c|@world}} set to reflect this.
# '''[[/Configuring_and_Building_the_Kernel|Configuring and Building the Kernel]]'''. Next, (loosely following [[Handbook:AMD64/Installation/Kernel|Chapter 7]] of the handbook), we'll setup necessary licenses, then download the Linux kernel sources and firmware. We'll then install (from the {{c|sakaki-tools}} ebuild repository) the {{c|buildkernel}} utility, configure it, and then use ''this'' to automatically build our (EFI-stub) kernel ({{c|buildkernel}} ensures our kernel command line is filled out properly, the initramfs contains a static version of {{c|gpg}}, that the kernel has all necessary {{c|systemd}} options set, etc.). 
# '''[[/Final_Preparations_and_Reboot_into_EFI|Final Preparations and Reboot into EFI]]'''. Then, following [[Handbook:AMD64/Installation/System|Chapter 8]] of the handbook, we'll set up {{Path|/etc/fstab}}, install a few other packages, set up a root password, then dismount the {{c|chroot}} and reboot (in EFI / {{c|systemd}} mode, or EFI / {{c|OpenRC}} mode, depending on the track) into our new system (secure boot will be off at this stage). Users on the OpenRC track will [[#alternative_track|branch off]] at the conclusion of this chapter.
# '''[[/Configuring_systemd_and_Installing_Necessary_Tools|Configuring systemd and Installing Necessary Tools]]'''. With the machine restarted, we'll re-establish networking and the {{c|ssh}} connection, then complete the setup of {{c|systemd}}'s configuration. Per [[Handbook:AMD64/Installation/Tools|Chapter 9]] of the Gentoo handbook, we'll then install some additional system tools (such as {{c|cron}}). Next, we'll install (from the {{c|sakaki-tools}} ebuild repository) the {{c|genup}} utility, and use it to perform a precautionary update of the {{c|@world}} set. Then, we'll reboot to check our {{c|systemd}} configuration. If successful, we'll invoke {{c|buildkernel}} again, to enable the {{c|plymouth}} graphical boot splash, and restart once more to test it.
# '''[[/Configuring_Secure_Boot|Configuring Secure Boot]]'''. Next, we'll set up secure boot. First, we'll save off the existing state of the secure boot variables (containing Microsoft's public key-exchange-key, etc.). Then, we'll create our own platform, key-exchange and kernel-signing keypairs, and then reboot, ''en route'' using the BIOS GUI to enter setup mode (thereby clearing the variables, and enabling us to write to them). We'll then re-upload the saved keys, append our own set, and finally lock the platform with our new platform key. We'll then run {{c|buildkernel}} again, which will now be able to automatically sign our kernel. We'll reboot, enable secure boot in the BIOS, and verify that our signed kernel is allowed to run. Then, we'll reboot into Windows, and check we haven't broken ''its'' secure boot operation! Finally, we'll reboot back to Linux again (optionally setting a BIOS password as we do so).
# '''[[/Setting_up_the_GNOME_3_Desktop|Setting up the GNOME 3 Desktop]]'''. Next, we'll setup your graphical desktop environment. We'll begin by creating a regular (non-root) user, per [[Handbook:AMD64/Installation/Finalizing#Adding_a_user_for_daily_use|Chapter 11]] of the handbook. Then, we'll activate the {{c|wayland}} USE flag globally, and update your system to reflect this, after which we'll install X11 and a simple window manager ({{c|twm}}) (for test purposes). Using {{c|buildkernel}}, we'll then reconfigure and rebuild the kernel to include an appropriate [[:Wikipedia:Direct_Rendering_Manager|DRM]] graphics driver, and then reboot. Upon restart, we'll verify that the new DRM driver (which {{c|wayland}} requires) has been activated, and then test-run X11 (and a few trivial applicators) under {{c|twm}}. Once working, we'll remove the temporary window manager, install GNOME 3 (and a few key applications), and configure and test it under X11. Then, we'll test it again under {{c|wayland}}, refine a few settings (network, keyboard etc.), and then restart the machine and proceed with the install, working natively within GNOME thereafter.
# '''[[/Final_Configuration_Steps|Final Configuration Steps]]'''. Next, we'll configure your kernel to properly handle all your target PC's devices. Although this setup will necessarily differ from machine to machine, a general methodology is provided, together with a concrete set of steps required for the Panasonic CF-AX3 (covering setup of its integrated WiFi, Bluetooth, touchscreen, audio and SD card reader). Thereafter, we'll cover some final setup points - namely, how to: prune your kernel configuration to remove bloat; get suspend and hibernate working properly; ensure that the correct {{c|python}} interpreter is set as the system default; and disable {{c|sshd}} (as the helper PC is no longer needed from this point).
# '''[[/Using_Your_New_Gentoo_System|Using Your New Gentoo System]]'''. Now your dual-boot system is up and running, in this last chapter we'll cover a few miscellaneous (but important) topics (and options) regarding day-to-day use. We'll first recap how to boot from Linux to Windows (and vice versa), then discuss how to ensure your machine is kept up to date (using {{c|genup}}). We'll also show how to migrate your kernel to the internal drive (Windows) EFI system partition if desired (and also, how to dispense with the USB key entirely, if single-factor passphrase security is sufficient). In addition, we'll briefly review how to tweak GNOME, and (per [[Handbook:AMD64/Installation/Finalizing#Where_to_go_from_here|Chapter 11]] of the handbook) where to go next (should you wish to install other applications, a firewall, etc.). Finally, a number of addendum "mini-guides" are provided, covering how to ''e.g.'', [[/Disabling_the_Intel_Management_Engine|disable the Intel Management Engine]] on your target PC, and [[/Sandboxing_the_Firefox_Browser_with_Firejail|fully sandbox the {{c|firefox}} web browser, using {{c|firejail}}]].

<span id="alternative_track">As mentioned, an 'alternative track' is now also provided</span> for chapters 10-14, for those users who wish to use GNOME with {{c|OpenRC}}, rather than {{c|systemd}}:
<ol start="10">
<li>'''[[/Completing_OpenRC_Configuration_and_Installing_Necessary_Tools|Alternative Track: Completing OpenRC Configuration and Installing Necessary Tools]]'''</li>
<li>'''[[/Configuring_Secure_Boot_under_OpenRC|Alternative Track: Configuring Secure Boot under OpenRC]]'''</li>
<li>'''[[/Setting_up_the_GNOME_3_Desktop_under_OpenRC|Alternative Track: Setting up the GNOME 3 Desktop under OpenRC]]'''</li>
<li>'''[[/Final_Configuration_Steps_under_OpenRC|Alternative Track: Final Configuration Steps under OpenRC]]'''</li>
<li>'''[[/Using_Your_New_Gentoo_System_under_OpenRC|Alternative Track: Using Your New Gentoo System under OpenRC]]'''</li>
</ol>


{{Note|The decision about which init system ({{c|systemd}} or {{c|OpenRC}}) to use does not need to be made until Chapter 7 (where a brief summary of the pros and cons of each will be provided, to help you decide).}}

== <span id="get_started">Let's Get Started!</span> ==

Ready? Then [[/Installation_Prerequisites|click here]] to go to the first chapter, "Installation Prerequisites".

{{Note|As is hopefully clear from the above, this tutorial covers a detailed, end-to-end installation walkthrough.<br>If you are searching for more concise, topic-based {{c|EFI}}, {{c|systemd}} or {{c|GNOME}} installation information, the following Wiki pages may be of use to you instead:
* [[UEFI_Gentoo_Quick_Install_Guide{{!}}UEFI Gentoo Quick Install Guide]]
* [[EFI_stub_kernel|EFI stub kernel]]
* [[systemd|systemd]]
* [[systemd/Installing_Gnome3_from_scratch{{!}}systemd/Installing Gnome3 from scratch]]
* [[GNOME/GNOME_Without_systemd{{!}}GNOME/GNOME without systemd]]}}

{{Note|If you have recently upgraded {{Package|dev-libs/libgcrypt}} to version >{{=}} 1.6, and found yourself thereby locked out of your (Whirlpool-hashed) LUKS partition, please see [[/Migrating_from_Whirlpool_Hash_on_LUKS|this short guide]] on how to recover.}}

{{Note|Comments, suggestions and feedback about this guide are welcomed! You can use the "Discussion" tab (of whatever is the most relevant page) for this purpose. On most browsers, you can use {{Key|Shift}}{{Key|Alt}}{{Key|t}} as a shortcut to access this.}}

== <span id="notes">Notes</span> ==
{{reflist}}

[[Category:Core system]]