gentoo-desktop: update provisioning

docs/gentoo-desktop-setup/provisioning.md

@@ -1,4 +1,4 @@
-To install Gentoo this guide will be using the Alpine Extended Iso. It provides all of the necessary utilities for bootstrapping Gentoo and is overal pleasant to work with. Make sure to boot with Secureboot in setup mode or to already have keys ready to deploy.
+To install Gentoo this guide will be using the Alpine Extended ISO. It provides all of the necessary utilities for bootstrapping Gentoo. Make sure to boot with secureboot in setup mode or to already have keys ready to deploy.
 
 After booting the Alpine Linux extended ISO, partition the disks. For this action internet is required since `zfs`, `sgdisk` and various other necessary packages are not included on the extended ISO, therefore they need to be obtained from the alpine package repository.
 
@@ -11,19 +11,21 @@ sh# setup-apkrepos -c1
 
 > To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
 
-A few packages will have to be installed first,
+A few packages will have to be installed first:
 
 ``` shell-session
-sh# apk add zfs lsblk sgdisk wipefs dosfstools
+sh# apk add zfs lsblk sgdisk wipefs dosfstools zlevis
 ```
 
-and load the ZFS kernel module
+> The `zlevis` package is as of this moment not yet in the alpine package repository. Try to get it into the `bin` via a different method and add its dependencies `tpm2-tools` and `jose`. 
+
+and load the ZFS kernel module:
 
 ``` shell-session
 sh# modprobe zfs
 ```
 
-Wipe the existing disk partitions
+Wipe the existing disk partitions:
 
 ``` shell-session
 sh# zpool labelclear -f /dev/<disk>
@@ -31,20 +33,20 @@ sh# wipefs -a /dev/<disk>
 sh# sgdisk --zap-all /dev/<disk>
 ```
 
-Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
+Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition:
 
 ``` shell-session
 sh# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
 sh# sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>
 ```
 
-Reload the device nodes
+Reload the device nodes:
 
 ``` shell-session
 sh# mdev -s
 ```
 
-Then, format the ESP with a FAT32 filesystem
+Then, format the ESP with a FAT32 filesystem:
 
 ``` shell-session
 sh# mkfs.fat -F 32 -n esp /dev/<disk>1
@@ -58,7 +60,7 @@ The ZFS system pool is going to be encrypted. First generate an encryption key a
 sh# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
 ```
 
-> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
+> While `zlevis` is used for automatic decryption, this key is required when making changes are made to the BIOS or secureboot, so make sure to save it.
 
 Create the system pool:
 
@@ -87,6 +89,19 @@ sh# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o
 
 > Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
 
+Write the encryption key to TPM with `zlevis`:
+
+``` shell-session
+sh# zlevis encrypt rpool '{}' < /tmp/rpool.key
+```
+
+> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly.
+
+
+> To check if it worked, perform `zlevis decrypt rpool`.
+
+Finally, export the zpool:
+
 ``` shell-session
 sh# zpool export rpool
-```
+```