# Installation

To install the Alpine Linux distribution on the system, the encrypted partition and the EFI partition have to be mounted to the main system.

```
# mount /dev/vg<m>/root<n> /mnt -t ext4
# mkdir /mnt/boot/efi -p
# mount /dev/<disk1> /mnt/boot/efi -t vfat
```

Then set up the base system using `setup-disk`:

```
# setup-disk -m sys /mnt
```

This also installs GRUB as the bootloader. It will be replaced later on this system, but for now it stays on the boot partition.

Now the other directories are going to be mounted so that it's possible to chroot into the system:

```
# for i in dev proc sys run; do
> mount --rbind --make-rslave /$i /mnt/$i
> done
# mount /dev/vg<m>/var<n> /mnt/var
# mount /dev/vg<m>/tmp<n> /mnt/tmp
# chroot /mnt
```

The other "setup" scripts can be used to configure key aspects of the system.

```
# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# rc-update add acpid default
# passwd root
```

Set the `hwclock` to use `localtime` instead of `UTC` in `/etc/conf.d/hwclock`:

```
clock="local"
clock_hctosys="NO"
clock_systohc="NO"
```

Edit `/etc/fstab` for correct mounts:

```
/dev/disk/by-label/efi /boot/efi vfat defaults,nodev,nosuid,noexec 0 2
/dev/vg<m>/root<n> / ext4 defaults,noatime 0 1
/dev/vg<m>/home<n> /home ext4 defaults,noatime,nosuid,nodev 0 2
/dev/vg<m>/tmp<n> /tmp ext4 defaults,nodev,nosuid,noexec 0 2
/dev/vg<m>/var<n> /var ext4 defaults,nodev,nosuid,noexec 0 2
/dev/vg<m>/nix<n> /nix ext4 defaults,noatime,nodev,nosuid 0 2
proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0
```

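
A check for the mount options above, as an added example that is not part of the original guide: it reads fstab-format lines and reports every mount point that lacks the `nodev`/`nosuid`/`noexec`/`hidepid=2` options this page assigns. The function names and the `vg0` sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit fstab-format text against the options used on this page.

# required_opts <mountpoint>: options this page's fstab sets for that mount point.
required_opts() {
    case "$1" in
        /boot/efi|/tmp|/var) echo "nodev nosuid noexec" ;;
        /home|/nix)          echo "nodev nosuid" ;;
        /proc)               echo "nodev nosuid noexec hidepid=2" ;;
        *)                   ;;  # e.g. "/": nothing required here
    esac
}

# audit_fstab: reads fstab lines on stdin and prints "<mountpoint> missing <opt>"
# for each required option that is absent. Returns 1 if anything is missing.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        # Skip blank lines and comments.
        case "$dev" in ''|'#'*) continue ;; esac
        for want in $(required_opts "$mnt"); do
            # Wrap in commas so "nodev" cannot match inside another option name.
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mnt missing $want"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample (vg0/... are placeholder names): /tmp has lost noexec
# and /proc has lost hidepid=2.
SAMPLE_FSTAB='/dev/disk/by-label/efi /boot/efi vfat defaults,nodev,nosuid,noexec 0 2
/dev/vg0/root0 / ext4 defaults,noatime 0 1
/dev/vg0/tmp0 /tmp ext4 defaults,nodev,nosuid 0 2
proc /proc proc nosuid,nodev,noexec 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "fstab differs from the hardened layout"
```

On the installed system the same function can be run as `audit_fstab < /etc/fstab`.
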
By default Alpine Linux uses `mkinitfs` to create the initramfs. It is minimal, which also means that it lacks some functionality needed for a proper setup. Because of this, `mkinitfs` and `grub-efi` will be replaced with `booster` and `secureboot-hook`.

```
# apk add booster secureboot-hook sbctl
# apk del mkinitfs grub-efi
```

To configure booster edit `/etc/booster.yaml`:

```
busybox: false
modules: vfat,nls_cp437,nls_iso8859_1
enable_lvm: true
```

The most important step is the creation of UKIs (unified kernel images) using `secureboot-hook`, which also signs them automatically. First the hook itself has to be tweaked to use `booster` instead of `mkinitfs`: edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:

```
/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
```

To:

```
/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"
```

And configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot.

```
cmdline="rw rd.luks.name=<uuid>=luks root=/dev/vg<m>/root<n> modules=ext4 quiet splash rd.lvm.vg=vg<m>"

signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"

output_dir="/boot/efi/EFI/Linux"

output_name="alpine-linux-{flavor}.efi"
```

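Here `<uuid>` has to be replaced with the UUID of the partition which contains our volume group. The command below appends the `blkid` output for that partition to the end of the config file, so that the UUID can be copied from there into `cmdline`. The appended line is only a scratch copy and is not a valid setting in this file.

```
# blkid /dev/<disk2> >> /etc/kernel-hooks.d/secureboot.conf
```
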
All that's left for booting is Secure Boot: `sbctl` will be used to create the keys and to sign some executables.

```
# sbctl create-keys
# sbctl enroll-keys
...
```

> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.

Now, to see if everything went successfully, run:

```
# apk fix kernel-hooks
```

And it should give no warnings if done properly.

To make our lives easier we'll also install `gummiboot` as a bootloader.

```
# apk add gummiboot
# gummiboot install --path=/boot/efi
# sbctl sign -s /boot/efi/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/efi/EFI/Boot/BOOTX64.EFI
```

And also remove some junk left over by grub.

```
# rm -rf /boot/efi/EFI/alpine
# rm -rf /boot/grub
# rm -rf /etc/default
# unlink /boot/boot
```

You can also install `os-prober` which can find operating systems and add them to your bootloader. Besides that `gummiboot` can also be configured with the file `/boot/efi/loader/loader.conf` in which you can specify the timeout and what OS it should load into by default.

```
default alpine
timeout 2
editor no
```

Before finishing up the installation `networkmanager` will be installed for networking.

```
# apk add networkmanager
# setup-devd udev
# rc-update add networkmanager default
```

Wifi will not work yet, but this will be done later on.

> If internet doesn't work after reboot follow the instructions in the [network section](https://docs.bijl.us/alpine-desktop-setup/post-install/network/).

Now exit out of the chroot and you should be able to reboot into a working Alpine system.

```
# exit
# umount -lf /mnt
# reboot
```

> Do note that "Linux Boot Manager" will have to be set to load first in your BIOS.
> When booting up, your screen might appear blank, but you will have to enter the password you added for encryption and press enter.