1 (edited by jim 2024-02-01 09:00:54)

Topic: Install Hyperbola (encryption without /boot)Libreboot T440P

Hello everyone. I wanted to share my experience of installing HyperbolaGNU on a Thinkpad T440P laptop with Libreboot 2023 version

I used information from this forum as well as https://gist.github.com/Psycosy/dbe9bcf … aa6a188e17
user with the nickname ΙΧΘΥΣ as well as the ARCH wiki https://wiki.archlinux.org/title/GRUB#Encrypted_/boot  https://wiki.archlinux.org/title/Dm-cry … re_system, which I consider the standard in terms of presentation of information and my previous posts.

Don't use Luks1 it is not safe, use Luks2+argon2id today!
Since version 2.4.0 (released August 18, 2021), cryptsetup uses Argon2id by default. You can read why in detail in this article.
https://mjg59.dreamwidth.org/66429.html

I didn’t write in detail from the very beginning, it was well described by other users (better than me), my task was just to check it in a test format.

I checked, everything works!

Insert your USB from Hyperbola Media Live into your PC. Turn on your PC and press ESC until the menu appears,
press the number corresponding to your USB with Hyperbola Media Live, then you will be taken to Hyperbola Media Live


Enlarge the text to make it easier to see)

root@hyperiso # cd /usr/share/kbd/consolefonts

root@hyperiso # setfonts sun12X22.psfu.gz

Now the font size is normal, you can move on.

#lsblk

use dd for erase data.

# dd if=/dev/urandom  of=/dev/sdb bs=1M status=progress 

Create partitions

# cfdisk /dev/sdb

/dev/sdb1 -> 300MB boot partition # Hex code 8300
/dev/sdb2 -> The rest of the disk (LVM) # To be encrypted, hex code 8e00

Connect internet

#i p -c a

# dhcpd enp0s35

# pacman -Syy cryptsetup 

# rc-update add lvm boot

# rc-update add dmcrypt boot 

# modprobe dm-mod

Configuring LUKS

Someone asked for this option Luks2)) please))


# cryptsetup --cipher aes-xts-plain64   --hash sha512   --iter-time 5000   --key-size 512   --pbkdf argon2id   --use-urandom  --verify-passphrase luksFormat --type luks2 /dev/sdb2

Unlock the LUKS partition

# cryptsetup open /dev/sdb2 lvm

Create a physical volume on top of the opened LUKS container

pvcreate /dev/mapper/lvm
# pvs  (check) 

Create the volume group, adding the physical volume to it

vgcreate  matrix /dev/mapper/lvm
# vgs (check) 

Create logical volumes on the volume group (the size of the volumes are meant as examples)

# lvcreate -L 10G -n root  matrix
# lvcreate -l 100%FREE -n home  matrix

Format the filesystems on each logical volume

# mkfs.ext4 /dev/mapper/matrix-root
# mkfs.ext4 /dev/mapper/matrix-home

Mount the filesystems

# mount /dev/mapper/matrix-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/matrix-home /mnt/home
 
# lsblk (check)

Prepare the boot partition

# mkfs.ext4 /dev/sdb1
# mkdir /mnt/boot
# mount /dev/sdb1 /mnt/boot

# lsblk (check)

Select installation mirror by editing the mirrorlist

# nano /etc/pacman.d/mirrorlist

Install the base system using pacstrap

# pacstrap /mnt

Generate a fstab file

# genfstab -U -p /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab  (check)

Enter the new system

# arch-chroot /mnt

Configure /etc/mkinitcpio.conf for encryption and LVM

# nano /etc/mkinitcpio.conf 

MODULES=i915

HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" 

Update Kernel

# mkinitcpio -p linux-libre-lts

==>ERROR Hook 'encrypt'...
==>WARNING missing isci..

OK,

# pacman -S cryptsetup 
# pacman -S core/isci-lts-firmware
# mkinitcpio -p linux-libre-lts 

Set the hostname

# echo "hyperbola" > /etc/hostname
# nano /etc/hosts

127.0.0.1   localhost.localdomain     localhost   hyperbola
::1         localhost.localdomain     localhost   hyperbola

Set password for root

# passwd

****************************
****************************

Install and configure GRUB

# pacman -S grub 
# grub-install /dev/sdb
# grub-mkconfig -o /boot/grub/grub.cfg
# nano /boot/grub/grub.cfg    

I think that not a single user would have guessed what place we were talking about)) if you had not looked at the GRUB config.

I found this comment here on the site:

Add "cryptdevice=/dev/sda2:lvmvg" between "root=..." and "rw" in the line that starts with linux ???? )))


You will find these two lines in the configuration file:

nano /boot/grub/grub.cfg
linux /vmlinuz-linux-libre-lts root=/dev/mapper/matrix-root rw quiet

This is what they should look like after correction:

linux /vmlinuz-linux-libre-lts root=/dev/mapper/matrix-root cryptdevice=/dev/sdb2:matrix rw quiet

Save.

Add a user

# useradd -m -g users -G wheel -s /bin/bash jim
passwd jim

Exit from chroot, unmount the partitions, and close the device

# exit

# umount -R /mnt

#lvchange -an /dev/matrix/root
#lvchange -an /dev/matrix/home

# cryptsetup close lvm

Reboot into the new system (don't forget to remove the CD/USB/ISO image)

# reboot

After turning it on, you need to again select your disk where you installed HyperbolaGNU (click the number next to the disk)

I have two drives installed, so I choose if you have one, you don't need to do this.

When the T440P boots up, Welcome GRUB! below the menu and for some time (probably 7-10 seconds), after that you need to enter
your password about volume.

Use T400, it is freer than T440P))

2

Re: Install Hyperbola (encryption without /boot)Libreboot T440P

What about the time setup, curious why nothing is mentioned about that here.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3

Re: Install Hyperbola (encryption without /boot)Libreboot T440P

Hello. You can use the information from the link that I attached  https://gist.github.com/Psycosy/dbe9bcf … aa6a188e17

# Set up system clock

# ln -s /usr/share/zoneinfo/Europe/Oslo /etc/localtime
# hwclock --systohc --utc

4

Re: Install Hyperbola (encryption without /boot)Libreboot T440P

Good news though, this guide installation process worked pretty well. So I thank you.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

5

Re: Install Hyperbola (encryption without /boot)Libreboot T440P

Hello Zapper .Thank you very much for your feedback. I'm glad that it helped you, as soon as I receive equipment from China and I can fix my PC, I will write more instructions. It takes a very long time))