Gentoo Forums
Advanced Partitioning
Forum: Installing Gentoo
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 14
PostPosted: Thu Mar 14, 2019 10:35 pm    Post subject: Advanced Partitioning

Hello everyone, I am working on my Gentoo installation and am currently setting up my partition scheme. My goal for this installation is to focus on security, privacy, minimalism and overall efficiency. I have been reading a lot of different material on partitioning, Gentoo Handbook, Archwiki and many different guides. I also watched a few different videos to see the different schemes people use and how they actually set them up. After watching Irish Luck's tutorial I went through and using his example wrote out a base for my partition scheme. A lot of it clicked really quick from back when I did my Void Linux, Arch Linux and other system installs. I, however, want to ask for some help doing a few things. The questions I have are as follows.

* Is my current scheme correct? If not, what is incorrect and why?

* How can I secure this more? What are more secure encryption options as well as partitioning schemes? (I have looked at the Gentoo Handbook page on dm-crypt, but am just curious as to what you all recommend)

* I really want to break this up more. For example, I want to move all root directories such as /etc/, /usr/ etc. to their own logical partition (using LVM). How would I do this? I have done this with /var/, /home/ and /swap/, but am not sure how to do it with all of these. I know /usr/ and /etc/ for example require more work than simply making them with LVM.

I am wanting to make a nice and secure system; I would love nothing more than to have a setup where I do something like below.

* Move the keys needed to boot to a boot partition stored on a USB, do the same LVM setup (with all directories setup as logical volumes) and still require a passphrase in order to finally decrypt the system.

The reason I cannot do that is that I A) don't have a proper USB to dedicate to that and B) would like a more compact laptop before I do that (also one without any closed source firmware such as IME, which sadly can't be removed from my T420 completely). Speaking of laptops, I should outline my setup a bit for better understanding. My main laptop is a Thinkpad T420 which currently runs OpenBSD and I have a spare laptop which is an OLD Toshiba. I am installing Gentoo to my old Toshiba right now as I need my T420 for work and school and am waiting to install Gentoo to my T420 until I am more confident on it. With all this said, here is my current partitioning scheme.

Code:


# start partitioning on /dev/sda:

   parted -a optimal /dev/sda

# use GPT for the partition table:

   mklabel gpt

# use mebibytes for unit size:

   unit mib

# create partition 1 (on GPT, "primary" is only used as the partition name):

   mkpart primary 1 3

# name partition 1 "bios_grub":

   name 1 bios_grub

# flag partition 1 as the BIOS boot partition (GRUB embeds its core image here):

   set 1 bios_grub on

# create partition 2:

   mkpart primary 3 515

# name partition 2 "boot":

   name 2 boot

# set the boot flag on partition 2 (lowercase, as in the Handbook):

   set 2 boot on

# create partition 3:

   mkpart primary 515 -1

# name partition 3 "lvm":

   name 3 lvm

# set the lvm flag on partition 3:

   set 3 lvm on

# print the partition table and check the flags (boot and esp on 2, bios_grub on 1):

   print

# partition 1 is NOT formatted: grub-install writes raw code into the bios_grub
# partition and would overwrite any filesystem put there

# format partition two in ext2:

   mkfs.ext2 /dev/sda2

# encrypt partition three with LUKS (-y asks for the passphrase twice,
# -i is the PBKDF2 iteration time in milliseconds):

   cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/sda3

# confirm the overwrite at the prompt (type uppercase YES):

   YES

# enter the decryption passphrase (twice, because of -y):

   type in passphrase

# display the LUKS header of /dev/sda3 and check cipher, key size and hash:

   cryptsetup luksDump /dev/sda3

# unlock the LUKS container as /dev/mapper/gentoolv:

   cryptsetup luksOpen /dev/sda3 gentoolv

# initialize the unlocked container as an LVM physical volume:

   pvcreate /dev/mapper/gentoolv

# display attributes of the physical volume:

   pvdisplay

# create a volume group named "gentoovg":

   vgcreate gentoovg /dev/mapper/gentoolv

# display attributes of volume group "gentoovg":

   vgdisplay

## create logical volumes in existing group "gentoovg" (-C y asks for contiguous extents):

   # create logical volume swap:

      lvcreate -C y -L 4G gentoovg -n swap

   # create logical volume root:

      lvcreate -C y -L 70G gentoovg -n root

   # create logical volume var:

      lvcreate -C y -L 20G gentoovg -n var

   # create logical volume home from all remaining extents (-l, not -L, takes a percentage):

      lvcreate -C y -l 100%FREE gentoovg -n home

# display attributes of the logical volumes:

      lvdisplay

# scan all disks for volume groups and rebuild caches:

   vgscan

# activate the volume group so its logical volumes appear under /dev/mapper:

   vgchange -ay

# set up a Linux swap area:

   mkswap /dev/mapper/gentoovg-swap

# enable device for paging and swapping:

   swapon /dev/mapper/gentoovg-swap

# display amount of free and used memory in the system in mebibytes:

   free -m

# format gentoovg-root in ext4:

   mkfs.ext4 /dev/mapper/gentoovg-root

# format gentoovg-var in ext4:

   mkfs.ext4 /dev/mapper/gentoovg-var

# format gentoovg-home in ext4:

   mkfs.ext4 /dev/mapper/gentoovg-home

# mount gentoovg-root to /mnt:

   mount /dev/mapper/gentoovg-root /mnt

# make boot directory on /mnt/gentoo:

   mkdir /mnt/gentoo/boot

# make home directory on /mnt/gentoo:

   mkdir /mnt/gentoo/home

# make var directory on /mnt/gentoo:

   mkdir /mnt/gentoo/var

# mount /dev/sda2 on /mnt/gentoo/boot:

   mount /dev/sda2 /mnt/gentoo/boot

# mount gentoovg-home on /mnt/gentoo/home:

   mount /dev/mapper/gentoovg-home /mnt/gentoo/home

# mount gentoovg-var on /mnt/gentoo/var:

   mount /dev/mapper/gentoovg-var /mnt/gentoo/var

# list block devices:

   lsblk


Let me explain some parts of this a bit more. I am using GPT as I want to get used to using GPT for when I get a bigger drive. The Toshiba system I am using to test out Gentoo and learn Gentoo does not support UEFI and only supports classic BIOS booting. I am using (or going to use) Grub2 as my bootloader and runit as my init system (only Grub2, no Plymouth, and only runit, no OpenRC). I am only wanting to ask about partitioning in this part however. Thank you all so much in advance, I am excited to get this partition scheme set up. I am also writing a little guide for myself as I work through the install. So far I only have setting up networking, looking forward to adding this. Thank you for reading.


edit: This has stopped working randomly and I have zero idea how or why. After I did: mount /dev/mapper/gentoovg-root /mnt, no commands are found (so I can't proceed); the only command that works is cd, which doesn't help. I am really confused why this is, does anyone see what is causing the issue?


Last edited by FOSSilized_Daemon on Sun Mar 17, 2019 3:15 am; edited 1 time in total
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W
PostPosted: Sat Mar 16, 2019 7:43 pm    Post subject:

FOSSilized_Daemon,

It's a really bad idea to put all the bits of the root filesystem in their own filesystems.
/usr is no more difficult than /var.
Paranoid sysadmins can then mount it read only most of the time.

All the other bits of the root filesystem are needed to boot.

e.g. /sbin contains your initscript; it's difficult to boot without that.
/etc contains fstab; boot will fail if fstab cannot be read.

You will end up mounting all the bits in the initrd anyway, so no need to put them on their own filesystem.
These directories are only writable by root anyway, and if an intruder has root, they can do anything.

Look at mount options. I'm reasonably paranoid.
Consider what the options ro,nosuid,nodev,noexec can do for you.

This is all putting the cart before the horse. What is your threat model?
Once you have determined the threats you need to defend against, the defences follow. Never forget this xkcd when you think about security.

Lastly, mixing BIOS and GPT is not always possible on the boot drive. Some systems won't boot that way.

No closed source firmware makes it hard. No BIOS/UEFI ... well, coreboot.
No WiFi, no HDD over 4GB to list a few things that include closed source firmware.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
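NeddySeagoon's advice to look at ro,nosuid,nodev,noexec is easiest to act on if a running system can be checked against a written-down policy. The script below is an added example, not from the post and not Gentoo's own tooling: it reads lines in /proc/mounts format, compares each filesystem it has a policy for against the options that filesystem must carry, and reports what is missing. The policy and the sample mount lines are constructed for this example (the device names follow the thread's naming) and should be adjusted to your own threat model.

```shell
#!/bin/sh
# Audit mount options against a small hardening policy.
# Input (stdin) is /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# Each violation is printed as "<mountpoint>: missing <option> (...)".
# Exit status: 0 when clean, 1 when anything is missing.

# Policy (assumption: a conservative laptop policy written for this example).
# Mountpoints absent from the input are silently skipped, so a missing
# separate /tmp is NOT reported; check that separately.
policy() {
    cat <<'EOF'
/tmp nosuid,nodev,noexec
/var/tmp nosuid,nodev
/dev/shm nosuid,nodev,noexec
/home nosuid,nodev
/usr ro
/boot ro
EOF
}

# has_opt OPTLIST OPT: succeed if OPT appears in the comma-separated OPTLIST
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read mounts on stdin, print violations, return 1 if any
audit_mounts() {
    rc=0
    while read -r src mnt fstype opts rest; do
        [ -n "$mnt" ] || continue          # skip blank lines; $rest holds dump/pass
        required=$(policy | awk -v m="$mnt" '$1 == m { print $2 }')
        [ -n "$required" ] || continue     # no policy for this mountpoint
        for want in $(printf '%s\n' "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt: missing $want (source=$src type=$fstype)"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample in /proc/mounts format (not real output from any system):
# /boot is rw and /home lacks nosuid,nodev, so both should be reported.
SAMPLE='/dev/mapper/gentoovg-root / ext4 rw,noatime 0 0
/dev/sda2 /boot ext2 rw,noatime 0 0
/dev/mapper/gentoovg-home /home ext4 rw,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# run_sample: audit the constructed sample (returns audit_mounts' status)
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_mounts
}

# Demo on the sample. On a live system run:  audit_mounts < /proc/self/mounts
run_sample || echo "audit: violations found"
```

The check compares the per-mount flags as the kernel reports them, which is what matters: fstab is intent, /proc/self/mounts (or `findmnt -o TARGET,OPTIONS`) is what is actually enforced, and a `remount` or a forgotten `defaults` entry can silently drop a flag.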
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 14
PostPosted: Sun Mar 17, 2019 2:17 am    Post subject:

Thank you so much for your response, I hadn't considered all of these things when planning out how I intend to partition my system. With this in mind I will likely cut out putting /var on its own partition as well. I believe this partition scheme should work and will start the installation again tonight (have been busy with C homework). This information was extremely helpful and thank you so much for your time in assessing it. I look forward to the next part of the guide and learning more about Gentoo. Thank you again :)
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W
PostPosted: Sun Mar 17, 2019 11:05 am    Post subject:

FOSSilized_Daemon,

My desktop, which is physically secure and behind a paranoid firewall has
Code:
$ mount
/dev/mapper/static-root on / type ext4 (rw,noatime,discard)
/dev/mapper/static-usr on /usr type ext4 (rw,noatime,discard)
/dev/mapper/static-var on /var type ext4 (rw,noatime,discard)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nodev,relatime,size=1639892k,mode=755)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/vg-home on /home type ext4 (rw,noatime)
/dev/shm on /tmp type tmpfs (rw,nosuid,nodev,noexec,noatime)
/dev/mapper/static-opt on /opt type ext4 (rw,noatime,discard)
/dev/mapper/static-local on /usr/local type ext4 (rw,noatime,discard)
/dev/mapper/static-portage on /usr/portage type ext4 (rw,noatime,block_validity,discard,delalloc,barrier,user_xattr,stripe=4)
/dev/mapper/vg-distfiles on /usr/portage/distfiles type ext4 (rw,noatime)
/dev/shm on /var/tmp/portage type tmpfs (rw,nosuid,nodev,noatime)
/dev/mapper/vg-var on /mnt/oldvar type ext4 (rw,noatime)
192.168.100.55:/mnt/mediatomb on /mnt/media type nfs (ro,relatime,sync,
  vers=3,rsize=131072,wsize=131072,namlen=255,hard,nolock,
  proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.100.55,
  mountvers=3,mountport=51966,mountproto=udp,local_lock=all,addr=192.168.100.55)
gvfsd-fuse on /home/roy/.gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1001)
/dev/sde1 on /boot type ext4 (rw,noatime,block_validity,delalloc,barrier,user_xattr,stripe=4)

That's /usr and /var separate and in their own logical volumes. Since you are going encrypted, you will have an initrd anyway. The extra complexity for mounting /usr and /var there is minimal.

/home is its own filesystem. I can't use nodev,noexec there as I have a chroot or two that need both those options.
/opt being its own thing is for licencing. With some of my systems, I publish a stage4. Unmounting /opt lets me leave Oracle's Java behind.

/usr/portage and /usr/portage/distfiles (what, no /usr/portage/packages?) lets me copy the working parts of the install to a small SSD, leaving behind most of the things not needed to run Gentoo. It fits in 6.5G, with Firefox, Libreoffice etc. that way.
The SSD is only 8G but I need 1.5G to hibernate.

/mnt/media is my media collection on a server in the garage, hence the nfs mount.

This system is 10 years old; it's grown like topsy over the years.

You could actually boot from USB. Put the kernel, initrd and crypto keys there. Fit the USB stick to boot.
Once the system is up, remove the USB stick. /boot is never mounted by the kernel in the boot process.

Wrapped a long line to make the forum layout behave. -- Chiitoo
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13509
PostPosted: Sun Mar 17, 2019 4:17 pm    Post subject:

NeddySeagoon wrote:
/home is its own filesystem. I can't use nodev,noexec there as I have a chroot or two, that need both those options.
Although it adds complexity, there is a way around this (which may or may not be useful, depending on circumstances). Bind mounts can have their own settings for dev/nodev and exec/noexec. I keep my /home mounted nodev,noexec, but on those special occasions where I need that relaxed, I bind mount the to-be-relaxed subdirectory onto itself, then relax the restrictions just for that bind. (You can also flip ro on a bind mount, so I sometimes have a setup where the main mount is rw,nodev,noexec, but a subdirectory is remounted as ro,nodev,exec, allowing content in that directory to be run, but not changed.)

At a cost of even further complexity, you can unshare the mount namespace and apply the alternate options inside the inner namespace, so that only processes in the inner namespace see the effect at all.
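The bind-mount trick Hu describes, written out as an added example (these are not Hu's own commands): bind a subdirectory onto itself, then remount only that bind with different per-mount flags, so the parent filesystem keeps nodev,noexec while one directory is relaxed, or is made runnable but read-only. The second function does the same inside a private mount namespace so only one command sees the change. The directory names are hypothetical; the mount(8) and unshare(1) flags are assumed to be util-linux's. Real runs need root; DRY_RUN=1 prints the commands instead.

```shell
#!/bin/sh
# Relax or tighten mount flags on one subdirectory of a nodev,noexec
# filesystem via a bind mount remounted with its own flags.

# run CMD...: execute CMD, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rebind DIR OPTIONS: bind DIR onto itself, then remount the bind with OPTIONS.
# Per-mount flags (ro, nosuid, nodev, noexec) apply to this bind only; the
# parent mount and any other path to the same files keep their own flags.
# Restate every flag you want: the remount sets the bind's flags to the
# list given, it does not merge with the parent's.
rebind() {
    dir=$1; opts=$2
    run mount --bind "$dir" "$dir"
    run mount -o "remount,bind,$opts" "$dir"
}

# rebind_private DIR OPTIONS CMD...: same, but in a new mount namespace, so
# only CMD and its children see the relaxed directory; the namespace (and
# the bind) go away when CMD exits. unshare -m makes the new namespace's
# mounts private, so nothing propagates back to the host.
rebind_private() {
    dir=$1; opts=$2; shift 2
    run unshare -m sh -c 'mount --bind "$1" "$1" && mount -o "remount,bind,$2" "$1" && shift 2 && exec "$@"' rebind "$dir" "$opts" "$@"
}

# Demo with hypothetical paths (dry run, nothing is mounted):
#  - a chroot under /home needs device nodes and executables (keep nosuid);
#  - a tools directory is made runnable but unwritable through this path.
demo() {
    (
        DRY_RUN=1
        rebind /home/user/chroot dev,exec,nosuid
        rebind /home/user/tools ro,nodev,exec
    )
}

demo
```

The `ro` on the bind is a mount flag, not a filesystem state: the same files stay writable through the parent mount, which is exactly what allows "run it here, edit it there".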
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W
PostPosted: Sun Mar 17, 2019 4:21 pm    Post subject:

Hu,

Thank you. As I'm the only user on this system, it's not worth the extra complexity here.
However this isn't my only system, so I'll add to my list of things to play with.
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 14
PostPosted: Sun Mar 17, 2019 10:42 pm    Post subject:

I am very very confused. Even with what I have this doesn't work. After I do mount /dev/mapper/gentoovg-root /mnt this breaks. I can't finish my partitioning or install because all the commands aren't found. The only command found is cd. I can't mount anything else, create any of the directories needed. Nothing.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W
PostPosted: Sun Mar 17, 2019 11:16 pm    Post subject:

FOSSilized_Daemon,

What are you using to perform your install?

Code:
mount /dev/mapper/gentoovg-root /mnt
does not look correct.
The handbook says to mount your root for your install at /mnt/gentoo
If you are using a non gentoo boot media, you may need to
Code:
mkdir /mnt/gentoo
before
Code:
mount /dev/mapper/gentoovg-root /mnt/gentoo
can work.

At this point, you stray from the handbook.
After
Code:
mount /dev/mapper/gentoovg-root /mnt/gentoo
works, you need to make mount points for your extra separate filesystems inside /mnt/gentoo
Code:
mkdir /mnt/gentoo/home
mkdir /mnt/gentoo/var
mkdir /mnt/gentoo/usr

Now mount your filesystems on these mountpoints.
This puts your filesystem tree together, branch by branch.

Order is important.
If you are going to put portage on its own filesystem, you need to mount /usr first, before you
Code:
mkdir /mnt/gentoo/usr/portage
and so on.

Once your filesystem tree is assembled under /mnt/gentoo you can fetch and install the stage3 tarball.
The filesystem tree structure is transparent to all applications. The kernel hides it.

It's not an error to mount one filesystem over the top of another.
If you mistakenly did
Code:
mount /dev/mapper/gentoovg-root /
The mount would work but your install media root would be replaced by your own empty filesystem.
You would be left with the shell and its built in commands.
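Assembling the tree parent-first under /mnt/gentoo, with a guard against the mount-over-root accident NeddySeagoon describes, as an added example that is not part of the reply. It takes "device mountpoint" pairs (mountpoints relative to the new root), orders them so that /usr is mounted before /usr/portage, creates each mountpoint inside the prefix, and refuses to run when the prefix is the live media's own root. The gentoovg-root, gentoovg-home and /dev/sda2 devices are the thread's; gentoovg-usr and gentoovg-portage are hypothetical. Real mounts need root; DRY_RUN=1 prints the commands.

```shell
#!/bin/sh
# Build an install target's filesystem tree under $PREFIX, parents first.

PREFIX=${PREFIX:-/mnt/gentoo}

# run CMD...: execute CMD, or print it when DRY_RUN is set
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# depth PATH: number of path components ("/" -> 0, "/usr" -> 1, "/usr/portage" -> 2)
depth() {
    printf '%s\n' "$1" | awk -F/ '{ n = 0; for (i = 2; i <= NF; i++) if ($i != "") n++; print n }'
}

# order_mounts: read "device mountpoint" lines on stdin, print them parent-first
order_mounts() {
    while read -r dev mnt; do
        [ -n "$dev" ] || continue
        printf '%s %s %s\n' "$(depth "$mnt")" "$dev" "$mnt"
    done | sort -n -k1,1 | cut -d' ' -f2-
}

# assemble: read "device mountpoint" lines on stdin; mkdir and mount under $PREFIX.
# Mounting the new (empty) root onto "/" would hide the live media's own root,
# leaving only shell builtins, so that is rejected up front.
assemble() {
    case $PREFIX in
        /|"") echo "refusing to assemble onto '$PREFIX': that is the live system's root" >&2; return 1 ;;
    esac
    run mkdir -p "$PREFIX"
    order_mounts | while read -r dev mnt; do
        target="${PREFIX%/}$mnt"
        target=${target%/}                     # "/mnt/gentoo/" -> "/mnt/gentoo"
        [ "$mnt" = / ] || run mkdir -p "$target"
        run mount "$dev" "$target"
    done
}

# Constructed layout, deliberately listed out of order: the thread's root,
# home and boot devices plus hypothetical usr and portage volumes.
LAYOUT='/dev/mapper/gentoovg-portage /usr/portage
/dev/sda2 /boot
/dev/mapper/gentoovg-home /home
/dev/mapper/gentoovg-root /
/dev/mapper/gentoovg-usr /usr'

# demo: dry-run the assembly of LAYOUT under /mnt/gentoo
demo() {
    ( DRY_RUN=1 PREFIX=/mnt/gentoo; printf '%s\n' "$LAYOUT" | assemble )
}

demo
```

Ordering by path depth is what makes "mount /usr first, then mkdir /mnt/gentoo/usr/portage" automatic; a mountpoint created before its parent is mounted ends up hidden underneath the parent once it is.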
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 14
PostPosted: Wed Mar 27, 2019 2:06 am    Post subject:

I apologize for the extremely late response, studying has kept me very busy, especially C code work. Thank you so much for your notes, I corrected every issue I could spot with my current configuration, however I haven't found time to test. I also added some better hardening to the LUKS encryption. Prior to making any new changes I did want to see if there were any faux pas in my partition scheme. After looking through the notes you gave I have made changes and now have the following notes:

Code:


##
## Pre Installation
##

# download the gentoo iso:

   wget http://distfiles.gentoo.org/releases/amd64/autobuilds/20190226T214503Z/install-amd64-minimal-20190226T214503Z.iso


##
## Installation
##

# wipe the drive with random data (if the previous installation was encrypted this is unnecessary, as the old key is lost anyway):

   dd if=/dev/urandom of=/dev/sda


# configure network

## find the wireless network interface

### run ifconfig and find the wireless interface (example: wlp7s0):

   ifconfig

### check the current wireless settings:

   iw dev wlp7s0 info

### check for a current connection:

   iw dev wlp7s0 link

### set up wireless with wpa_supplicant for a WPA network:


#### generate the wpa_supplicant network block from SSID and passphrase:

   wpa_passphrase MYSSID PASSPHRASE

#### start wpa_supplicant in the background with that block (the <( ) process substitution needs bash):

   wpa_supplicant -B -i INTERFACE -c <(wpa_passphrase MYSSID PASSPHRASE)

#### test network connection:

   ping gentoo.org


# set up the disk

# start partitioning on /dev/sda:

   parted -a optimal /dev/sda

# use GPT for the partition table:

   mklabel gpt

# use mebibytes for unit size:

   unit mib

# create partition 1 (on GPT, "primary" is only used as the partition name):

   mkpart primary 1 3

# name partition 1 "bios_grub":

   name 1 bios_grub

# flag partition 1 as the BIOS boot partition (GRUB embeds its core image here):

   set 1 bios_grub on

# create partition 2:

   mkpart primary 3 515

# name partition 2 "boot":

   name 2 boot

# set the boot flag on partition 2 (lowercase, as in the Handbook):

   set 2 boot on

# create partition 3:

   mkpart primary 515 -1

# name partition 3 "lvm":

   name 3 lvm

# set the lvm flag on partition 3:

   set 3 lvm on

# print the partition table and check the flags (boot and esp on 2, bios_grub on 1):

   print

# partition 1 is NOT formatted: grub-install writes raw code into the bios_grub
# partition and would overwrite any filesystem put there

# format partition two in ext2:

   mkfs.ext2 /dev/sda2

# encrypt partition three with LUKS (serpent/xts must be built into the kernel or
# initramfs for dm-crypt, and cryptsetup's crypto backend must support whirlpool,
# or the volume cannot be opened at boot):

   cryptsetup --verbose --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool luksFormat /dev/sda3

# confirm the overwrite at the prompt (type uppercase YES):

   YES

# enter the decryption passphrase:

   type in passphrase

# display the LUKS header of /dev/sda3 and check cipher, key size and hash:

   cryptsetup luksDump /dev/sda3

# unlock the LUKS container as /dev/mapper/gentoolv:

   cryptsetup luksOpen /dev/sda3 gentoolv

# initialize the unlocked container as an LVM physical volume:

   pvcreate /dev/mapper/gentoolv

# display attributes of the physical volume:

   pvdisplay

# create a volume group named "gentoovg":

   vgcreate gentoovg /dev/mapper/gentoolv

# display attributes of volume group "gentoovg":

   vgdisplay

## create logical volumes in existing group "gentoovg" (-C y asks for contiguous extents):

   # create logical volume swap:

      lvcreate -C y -L 4G gentoovg -n swap

   # create logical volume root:

      lvcreate -C y -L 70G gentoovg -n root

   # create logical volume home from all remaining extents (-l, not -L, takes a percentage):

      lvcreate -C y -l 100%FREE gentoovg -n home

# display attributes of the logical volumes:

      lvdisplay

# scan all disks for volume groups and rebuild caches:

   vgscan

# activate the volume group so its logical volumes appear under /dev/mapper:

   vgchange -ay

# set up a Linux swap area:

   mkswap /dev/mapper/gentoovg-swap

# enable device for paging and swapping:

   swapon /dev/mapper/gentoovg-swap

# display amount of free and used memory in the system in mebibytes:

   free -m

# format gentoovg-root in ext4:

   mkfs.ext4 /dev/mapper/gentoovg-root

# format gentoovg-home in ext4:

   mkfs.ext4 /dev/mapper/gentoovg-home

# mount gentoovg-root to /mnt/gentoo:

   mount /dev/mapper/gentoovg-root /mnt/gentoo

# make boot directory on /mnt/gentoo:

   mkdir /mnt/gentoo/boot

# make home directory on /mnt/gentoo:

   mkdir /mnt/gentoo/home

# mount /dev/sda2 on /mnt/gentoo/boot:

   mount /dev/sda2 /mnt/gentoo/boot

# mount gentoovg-home on /mnt/gentoo/home:

   mount /dev/mapper/gentoovg-home /mnt/gentoo/home

# list block devices:

   lsblk


thank you so much again. As a side note I love that I can browse here via w3m!

Enabled bbcode, since there were already tags in use. -- desultory
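The luksDump step in the listing above is where you confirm that the cipher, key size, hash and key-slot iteration count given to luksFormat actually landed in the header, rather than the defaults. The check below is an added example, not part of the post and not a cryptsetup feature: it parses LUKS1-style luksDump output and compares it with a minimum policy. The sample header is constructed for this example (it is not the poster's disk; digests, salts and UUID are placeholders), and the thresholds are this example's own.

```shell
#!/bin/sh
# Check a LUKS1 header, as printed by `cryptsetup luksDump DEV`, against a
# minimum policy: cipher mode, master-key bits, hash and per-slot iterations.

MIN_MK_BITS=${MIN_MK_BITS:-512}      # 512-bit master key = AES-256 (or Serpent-256) in XTS
MIN_ITER=${MIN_ITER:-1000000}        # PBKDF2 iterations per enabled key slot (assumed floor)

# field LABEL: print the value of the first "LABEL:<whitespace>value" line on stdin
field() {
    awk -F':' -v l="$1" '$1 == l { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# check_luks_dump: read luksDump text on stdin, print findings, return 1 if any
check_luks_dump() {
    dump=$(cat)
    rc=0
    mode=$(printf '%s\n' "$dump" | field 'Cipher mode')
    bits=$(printf '%s\n' "$dump" | field 'MK bits')
    hash=$(printf '%s\n' "$dump" | field 'Hash spec')
    case $mode in
        xts-plain64) ;;
        *) echo "cipher mode '$mode': expected xts-plain64 (cbc-essiv/plain IVs are legacy)"; rc=1 ;;
    esac
    [ "${bits:-0}" -ge "$MIN_MK_BITS" ] || { echo "MK bits $bits: below $MIN_MK_BITS"; rc=1; }
    case $hash in
        sha256|sha512|whirlpool) ;;
        *) echo "hash spec '$hash': not in the allowed set"; rc=1 ;;
    esac
    # Every ENABLED key slot must meet the iteration floor. The count written
    # by luksFormat depends on the CPU of the install media (-i is a time, not
    # a count), so the header is the only place to verify what you really got.
    printf '%s\n' "$dump" | awk -v min="$MIN_ITER" '
        /^Key Slot [0-9]+: ENABLED/  { slot = $3; sub(":", "", slot); next }
        /^Key Slot [0-9]+: DISABLED/ { slot = "" }
        slot != "" && /^[ \t]*Iterations:/ {
            if ($2 + 0 < min) { printf "key slot %s: %d iterations below %d\n", slot, $2, min; bad = 1 }
        }
        END { if (bad) exit 1 }' || rc=1
    return $rc
}

# Constructed luksDump output (placeholder digest/salt/UUID, not a real disk):
# the parameters match the thread's first luksFormat command, but key slot 0
# has a deliberately low iteration count so the check produces a finding.
SAMPLE_WEAK='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
MK iterations:  125000
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             500000
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# check_sample_weak: run the policy over the constructed header (expect a finding)
check_sample_weak()   { printf '%s\n' "$SAMPLE_WEAK" | check_luks_dump; }
# check_sample_strong: same header with slot 0 raised to 2,000,000 iterations (expect clean)
check_sample_strong() { printf '%s\n' "$SAMPLE_WEAK" | sed 's/Iterations: *500000/Iterations: 2000000/' | check_luks_dump; }

# Demo. On a real system:  cryptsetup luksDump /dev/sda3 | check_luks_dump
check_sample_weak   || echo "weak header: see findings above"
check_sample_strong && echo "strong header: OK"
```

One caveat: cryptsetup 2.1 and later format LUKS2 by default, whose luksDump layout is different (a PBKDF section with Argon2 time and memory cost instead of a per-slot iteration line), so either pass `--type luks1` when formatting as in the listing above, or adapt the parser to the LUKS2 fields.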
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W
PostPosted: Wed Mar 27, 2019 1:16 pm    Post subject:

FOSSilized_Daemon,

Don't use 20190226T214503Z/install-amd64-minimal-20190226T214503Z. That's a specific date ISO.
There should be a latest or current. Then the link works for all time.

Code:
dd if=/dev/urandom of=/dev/sda

Use at least a 1MB block size with dd. There are faster and equally good pseudo random number generators around but not on the liveCD.

Think long and hard if you want to do this to a SSD. Writes will be very slow and the drive will always appear to be full to the trim logic in the drive.
That means you have to wait for the erase cycle.

Quote:
find wireless interface (example: wlp7s0)

Unless the liveCD now includes WiFi firmware, it didn't used to, very few WiFi interfaces will work from the liveCD.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13509
PostPosted: Thu Mar 28, 2019 2:02 am    Post subject:

Regarding writing the disk from random data: does your threat model require this? If your threat model is to defend against (1) theft of the drive and (2) misappropriation of data in the event of warranty RMA, you may not need to write random data. Random data is primarily desirable if you think an adversary, upon encountering an encrypted drive, will try to defeat the encryption to recover the data. The basic threat model says that the average thief (or RMA technician) will give up and move on if the drive requires more than a few minutes to break into.
All times are GMT