Gentoo Forums
EFI Stub, Systemd, Wireless [SOLVED]
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Wed Jan 01, 2014 11:07 am    Post subject: EFI Stub, Systemd, Wireless [SOLVED]

Hi all,

Happy new year! I wish you all a great 2014! :D

After some learning and with the help of the community I managed to get a TuxOnIce, systemd, EFI-stub version of Gentoo to boot on a UEFI-GPT machine with Secure Boot off. My current problem is that, at boot, I get a message:

4.927839 TuxOnIce no image found

which freezes for about 20 long seconds, before continuing and yielding me the password prompt. Now, I don't think this is normal (systemd is supposed to be fast, after all), so does anybody have any idea what I might have done wrong?

On a second note, I suppose I must leave Secure Boot set to off. Just to know, is there any way around this? What consequences might this have for security, if any?

EDIT:

I am also having problems with the wireless configuration. I configured support in the kernel, I copied the firmware iwlwifi-7260-7.ucode into /lib/firmware, I emerged dhcp and wpa-supplicant, I edited /etc/conf.d/net to:

modules = "wpa_supplicant"
wpa_supplicant_eth0="-Diwlwifi"
config_eth0="dhcp"

but still have no network - ifconfig does not show anything besides lo.

I realized that conf.d might be meaningless for a systemd configuration, and I entered:

ln -s /usr/lib/systemd/wpa_supplicant@.service /etc/systemd/system/multi-user.targe.wants/wpa_supplicant@.service

again, no effect. No wlan, no eth0, nothing. I must be doing something stupidly wrong - I am a newbie after all. Does anybody have any ideas?


Last edited by zongo on Tue Jan 07, 2014 9:03 pm; edited 1 time in total
srs5694
Guru

Joined: 08 Mar 2004
Posts: 420
Location: Woonsocket, RI

Posted: Thu Jan 02, 2014 10:04 pm    Post subject: Re: EFI Stub and Systemd, Wireless

I'm afraid I can't help you with your most immediate problems, but I can say something about this....

zongo wrote:
On a second note, I suppose I must leave Secure Boot set to off. Just to know, is there any way around this? What consequences might this have for security, if any?


Assuming your firmware supports Secure Boot, you can enable it with just about any Linux distribution, including Gentoo. (In theory; my Gentoo system's firmware doesn't support Secure Boot.) For information, I recommend you check:



In brief, the process will be:


  1. Install with Secure Boot disabled and be sure everything works.
  2. Place a signed copy of the PreLoader.efi or shim.efi file on the ESP, in the directory that holds your boot loader/manager. Also place the HashTool.efi or MokManager.efi binary in that directory.
  3. If you use shim:

    1. Prepare your personal Secure Boot key.
    2. Sign your kernels and your boot loader(s) with your Secure Boot key. Note that, because of Gentoo's binary nature, you must sign these components. (If you were using a binary distribution like Fedora, these items could be signed by the distribution maintainer, which would simplify things.)
    3. Copy your public key to the ESP.

  4. Use efibootmgr (or bcfg in an EFI shell or bcdedit in Windows) to register PreLoader.efi or shim.efi with the firmware and set it as the default boot program.
  5. Reboot into the firmware setup utility and activate Secure Boot support.
  6. Reboot. You should see HashTool.efi or MokManager.efi appear. Use it to register your boot loader(s), and perhaps your kernel(s) (PreLoader.efi/HashTool.efi) or load your Secure Boot public key into the MOK list (shim.efi/MokManager.efi).
  7. Exit from HashTool.efi or MokManager.efi. At this point, the computer may reboot, hang, or continue into your boot loader/manager. When you reboot (automatically or manually), though, Secure Boot should be active and Linux should boot with it.


Note that this procedure is the simpler one that involves shim or PreLoader. It's also possible to replace the Microsoft keys in your firmware with your own local keys, in which case you can probably do away with shim/PreLoader. This task is more complex to set up, but it gives you extra protection in that if malware signed with the Microsoft key is ever released, and if you're using your own key instead, such malware won't run on your computer.

Note that there are differences in how the various boot loaders/managers work. For instance, the last I checked, gummiboot was useless with shim, but it worked fine with PreLoader. (This may have changed with post-0.2 versions of shim, though.) Some versions of GRUB 2 will boot only signed kernels, but other versions will boot anything, which partially defeats the purpose of Secure Boot. ELILO and (AFAIK) SYSLINUX will load any kernel, but rEFInd honors Secure Boot (and will work with either shim or PreLoader).

As to the security issues, Secure Boot is intended mainly to protect against pre-boot malware. Such malware can theoretically affect any platform -- for instance, it could set up a virtual environment (similar to Xen) that would be very difficult for an OS running in it to detect, then intercept I/O to gather data or damage the system. As a practical matter, though, I don't know how common such malware is, or whether any of it can be installed from Linux, so it could be that Linux-only computers are relatively safe. You might want to check with a security site to get an idea of how important this threat is. Of course, even if Linux is unaffected by such things today, that might not be true next week, next month, or next year.

Secure Boot's benefits can extend up the software chain, if the kernel and subsequent tools care to take advantage of it. For instance, a signed kernel might choose to load only signed kernel modules, which can protect the computer against malware in kernel modules. (An unsigned kernel could do the same thing, of course, but you can't trust an unsigned kernel, so what's the point?) I don't know of any real-world attacks on Linux that use compromised kernel modules, though. The last I heard, Fedora was taking steps to harden itself against such attacks, but most other distributions aren't doing this. AFAIK, there's no explicit support for this in Gentoo. I expect that such hardening will become more common as all the kinks get ironed out of the Linux Secure Boot support, but for the moment it's pretty rare.
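A check for the end state of the procedure in the post above (step 7, "Secure Boot should be active") and for its point about kernels that load only signed modules, as an added example that is not part of srs5694's post. It reads the firmware's SecureBoot and SetupMode variables from efivarfs and the kernel's module signature enforcement flag; the function names and the sample-file helper are illustrative, and the paths are the standard Linux efivarfs and sysfs locations.

```shell
#!/bin/sh
# Added example: confirm the end state of the Secure Boot procedure.
# An efivarfs file is 4 attribute bytes followed by the variable's data.

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efi_var_byte DIR NAME: print the first data byte (decimal) of a variable.
efi_var_byte() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    # -j4 skips the attribute header, -N1 reads a single byte.
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# secure_boot_state [DIR]: enabled | disabled | setup-mode | unsupported | no-efi
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # Directory missing: booted in legacy mode or efivarfs not mounted.
    [ -d "$dir" ] || { echo no-efi; return 0; }
    # Variable missing: firmware has no Secure Boot support at all.
    sb=$(efi_var_byte "$dir" SecureBoot) || { echo unsupported; return 0; }
    setup=$(efi_var_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo setup-mode      # no platform key enrolled, nothing is enforced
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# module_sig_state [FILE]: enforced | permissive | unavailable
# "unavailable" means the kernel was built without module signature support.
module_sig_state() {
    p="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$p" ] || { echo unavailable; return 0; }
    case "$(cat "$p")" in
        Y*|1*) echo enforced ;;
        *)     echo permissive ;;
    esac
}

# Constructed sample input: write an efivarfs-style file with attributes
# 0x00000006 and one data byte (0 or 1), for trying the parser offline.
write_sample_var() {   # DIR NAME VALUE
    { printf '\006\000\000\000'; printf "\\00$3"; } > "$1/$2-$EFI_GLOBAL"
}

# Report on the running system.
echo "Secure Boot:       $(secure_boot_state)"
echo "Module signatures: $(module_sig_state)"
```

A result of `enabled` together with `permissive` or `unavailable` matches the situation the post describes: the boot chain is verified, but the kernel will still load unsigned modules.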
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Thu Jan 02, 2014 10:38 pm

Wow. 8O You just blew me away. I need some time to fetch me the necessary background and chew on this. It is great to know that Secure Boot can actually be so useful. Oh, and thank you for your very detailed answer!
DONAHUE
Watchman

Joined: 09 Dec 2006
Posts: 6254
Location: Goose Creek SC

Posted: Thu Jan 02, 2014 11:08 pm

two things: not tux on ice but my gentoo stub kernel is significantly slower starting systemd compared to openrc with a long pause that provokes fearful expletives.
I was a coward and caved in and used networkmanager instead of gentoo scripts. Never tried the scripts with systemd.
_________________
Defund the FCC.
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Fri Jan 03, 2014 11:01 am

DONAHUE wrote:
two things: not tux on ice but my gentoo stub kernel is significantly slower starting systemd compared to openrc with a long pause that provokes fearful expletives.
I was a coward and caved in and used networkmanager instead of gentoo scripts. Never tried the scripts with systemd.


After some lateral digging on the forums, I found here https://forums.gentoo.org/viewtopic-t-979628.html the commands to investigate the systemd logs:
Code:

journalctl -b -x


and I noticed that, after the message "TuxOnIce No Image Found" (which, according to the non-threatening color, is apparently not an error) there is an error message (bold, red, looking at me like Sauron's eye) regarding my wireless setup: "iwlwifi request for firmware file iwlwifi-7260-7.ucode failed".

So I am actually suspecting that this other message was the cause of the long boot delay, and connected with my other problem, the wireless setup. Now I will try to understand why the firmware, which I downloaded from here http://wireless.kernel.org/en/users/Drivers/iwlwifi iwlwifi-7260-ucode-22.1.7.0.tgz, unzipped and copied into /lib/firmware, is not detected. Maybe I have simply to change the name of the file?

EDIT
The firmware file name is correct. Do I have to set permissions in a certain way?

I also considered using networkmanager, but then I still have to emerge gnome, for which I need an Internet connection. Which means that I would have to do that from a chrooted environment, but for some reason that does not feel kosher to me.
DONAHUE
Watchman

Joined: 09 Dec 2006
Posts: 6254
Location: Goose Creek SC

Posted: Fri Jan 03, 2014 4:15 pm

Code:
ls -al /lib64/firmware/iwlwifi-7260-7.ucode
here yields
Quote:
-rw-r--r-- 1 root root 682892 Sep 26 01:19 /lib64/firmware/iwlwifi-7260-7.ucode
Code:
ls -al /lib64/firmware/LICENCE.iwlwifi_firmware
yields
Quote:
-rw-r--r-- 1 root root 2046 Sep 26 01:19 /lib64/firmware/LICENCE.iwlwifi_firmware
I use
Code:
emerge linux-firmware
to get firmware and licenses.
Code:
 emerge -uND world
then keeps me up to date. I don't edit the firmware this installs which wastes some megabytes but caters to a tendency to experiment with hardware. Do you have the license?

Code:
ifconfig -a
what interface names appear? eth0 is the legacy (kernel) name for wired interfaces; wlan0 is the legacy (kernel) name for wireless interfaces; systemd/udev renames interfaces unless prevented from doing so
Code:
ifconfig
what interfaces are up?
best wpa_supplicant driver is -Dnl80211
_________________
Defund the FCC.
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Sat Jan 04, 2014 11:00 am

Thanks DONAHUE.

I did not copy the license (according to the wireless.kernel.org site I had the impression that this was redundant), and I used a wrong driver name - (-Diwlwifi... I misunderstood something there). Still, after the corrections, nothing.
Code:
ifconfig -a

yields lo and sit0.

I have no leads now. I will try to change the kernel from TuxOnIce to vanilla, in order to get the kernel version 3.13 and fetch the higher version of the drivers from http://wireless.kernel.org/en/users/Drivers/iwlwifi. I hope this changes something...

EDIT:

Changing to vanilla would be meaningless - it is a 3.12 kernel like TuxOnIce, and the new version of the drivers is only available for 3.13, but I am not ready to install a git kernel yet...

Any ideas? I am chrooting from Ubuntu in order to fetch packages with portage. Is it possible to get useful information about what to do in Gentoo from the Ubuntu environment?
srs5694
Guru

Joined: 08 Mar 2004
Posts: 420
Location: Woonsocket, RI

Posted: Sat Jan 04, 2014 4:37 pm

zongo, please post the output of:

Code:
lsmod | grep iwl


It could be that one of the necessary drivers is not loading. I just realized that my newest laptop uses the same Wi-Fi chipset as yours. It's running Ubuntu, and I needed to compile a 3.12.6 kernel, include certain modules, and add the firmware file you mentioned. The output of that command on my system is:

Code:
iwlmvm                174485  0
mac80211              620136  1 iwlmvm
iwlwifi               169393  1 iwlmvm
cfg80211              493383  3 iwlmvm,mac80211,iwlwifi


If yours is lacking any of these modules, perhaps they haven't been built -- I had to activate one kernel module that wasn't being built by default. (I don't recall which one it was, though.) If that doesn't help, maybe you'll see some clues in dmesg, as in:

Code:
$ dmesg | grep iwl
[   14.603346] iwlwifi 0000:02:00.0: irq 63 for MSI/MSI-X
[   14.635243] iwlwifi 0000:02:00.0: loaded firmware version 22.0.7.0 op_mode iwlmvm
[   14.714998] iwlwifi 0000:02:00.0: Detected Intel(R) Wireless N 7260, REV=0x144
[   14.715138] iwlwifi 0000:02:00.0: L1 Disabled; Enabling L0S
[   14.715385] iwlwifi 0000:02:00.0: L1 Disabled; Enabling L0S
[   15.004517] ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
[   18.571912] iwlwifi 0000:02:00.0: L1 Disabled; Enabling L0S
[   18.572056] iwlwifi 0000:02:00.0: L1 Disabled; Enabling L0S


If you see something significantly different -- particularly any error messages -- then that may set you on the track to figuring it out.
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Sat Jan 04, 2014 6:01 pm

Thank you srs5694, my lsmod (without grepping) only returns
Code:
x86_pkg_temp_thermal 4693 0

By checking my kernel's menuconfig, I see
Code:
Networking Support -> Wireless
<*> cfg80211 - wireless configuration API
[*] enable powersave by default
<*> Generix IEEE 802.11 Networking Stack (mac80211)
-*- Enable LED triggers
Device Drivers -> Network device support -> Wireless LAN
<*> Intel Wireless WiFi Gen AGN - Wireless/Advanced-N/Ultimate-N (iwlwifi)
<*> Intel Wireless WIFi DVM Firmware support
<*> Intel Wireless WIFi MVM Firmware support
<*> Realtek rtlwifi family of devices --->

all the rest is unticked. From which I conclude that I have the iwlwifi, mac80211 and cfg80211 built in the kernel (and not as loadable modules) while iwlmvm, being the submodule required from the wireless chip we have, should shadow iwlwifi in kernel/module behaviour. Or at least I hope.

On the other hand,
Code:
dmesg | grep iwl

yields
Code:
iwlwifi enabling device (0000 -> 0002)
iwlwifi irq 58 for MSI/MSI-X
iwlwifi request for firmware 'iwlwifi-7620-7.ucode' failed
iwlwifi no suitable firmware found!

which is why I am puzzled - I manually copied the firmware file myself in order to get the latest available, because I read somewhere that the earlier versions appeared to be buggy.

I will try to compile the drivers as modules, and see what happens...

EDIT

ok, so I am flapping my penguin chick's wings in the right direction, albeit very clumsily (for a penguin).
After recompiling the kernel with the aforementioned drivers as modules, my boot process - which took ages before, because of the iwlwifi problem - now is blindingly fast. On the other hand, my lsmod did NOT change, and the dmesg | grep iwl is not returning ANYTHING at all. So I conclude that I am not loading those modules at all. Why?

My
Code:
make && make modules-install
now ends with
Code:
MODPOST 16 modules
make: *** No rule to make target 'modules-install'. Stop.

Is that a problem?
DONAHUE
Watchman

Joined: 09 Dec 2006
Posts: 6254
Location: Goose Creek SC

Posted: Sat Jan 04, 2014 9:57 pm

from a boot cd/usb that gives you a wifi connection run
Code:
 lspci -nnk
and post the output for the wifi NIC (presuming a pci device). else
Code:
 lsusb
and post the output for the wifi NIC.
_________________
Defund the FCC.
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Sun Jan 05, 2014 5:04 pm

Hallo DONAHUE,

Code:
lspci -nnk

in standalone gentoo yields
Code:
06:00.0 Network controller [0280]: Intel Corporation Wireless 7260 [8086:08b1] (rev 6b)
Subsystem: Intel Corporation Dual Band Wireless-AC 7260 [8086:c470]

while in the chrooted gentoo this becomes
Code:
06:00.0 Network controller [0280]: Intel Corporation Wireless 7260 [8086:08b1] (rev 6b)
Subsystem: Intel Corporation Dual Band Wireless-AC 7260 [8086:c470]
Kernel driver in use: iwlwifi

So in standalone Gentoo the hardware is detected, but the driver module is not loaded. Why? Am I supposed to load it manually? If so, how?
DONAHUE
Watchman

Joined: 09 Dec 2006
Posts: 6254
Location: Goose Creek SC

Posted: Mon Jan 06, 2014 4:36 am

typo:modules-install should be modules_install, suggest build the modules using
Code:
cd /usr/src/linux; make modules_install
or tweak the menuconfig to
Quote:
-*- Networking support --->
-*- Wireless --->
--- Wireless
<M> cfg80211 - wireless configuration API
[*] nl80211 testmode command
[ ] enable developer warnings
[ ] cfg80211 regulatory debugging
[ ] enable powersave by default
[ ] cfg80211 DebugFS entries
[*] cfg80211 wireless extensions compatibility
<M> Generic IEEE 802.11 Networking Stack (mac80211)
Default rate control algorithm (Minstrel) --->
[ ] Enable mac80211 mesh networking (pre-802.11s) support
-*- Enable LED triggers
[ ] Export mac80211 internals in DebugFS
[ ] Trace all mac80211 debug messages
[ ] Select mac80211 debugging features ----
<M> RF switch subsystem support ----
Device Drivers --->
[*] Network device support --->
--- Network device support
[*] Wireless LAN --->
<M> Intel Wireless WiFi Next Gen AGN - Wireless-N/Advanced-N/Ultimate-N (iwlwifi)
< > Intel Wireless WiFi DVM Firmware support
<M> Intel Wireless WiFi MVM Firmware support
then rebuild everything using
Code:
make && make modules_install && make install
'<M > Intel Wireless WiFi DVM Firmware support' may cause confusion; '[* ] enable powersave by default' was a problem years ago, may still be; '[*] cfg80211 wireless extensions compatibility' may be needed even though nl80211 is in use; rfkill may prove useful.
after building modules run
Code:
lsmod | wgetpaste
post the url returned. The results should fit with those reported by srs :
Quote:
iwlmvm
mac80211
iwlwifi
cfg80211
mac80211
if different, interesting ..
in the installed gentoo; run through modprobing each; if any are not present ... ;
Code:
modprobe -r iwlmvm
modprobe iwlmvm
modprobe -r mac80211
modprobe mac80211
modprobe -r iwlwifi
modprobe iwlwifi
modprobe -r cfg80211
modprobe cfg80211
modprobe -r mac80211
modprobe mac80211
try
Code:
ifconfig -a

_________________
Defund the FCC.
DONAHUE
Watchman

Joined: 09 Dec 2006
Posts: 6254
Location: Goose Creek SC

Posted: Mon Jan 06, 2014 4:45 am

A kernel config with
Quote:
Device Drivers --->
Generic Driver Options --->
() path to uevent helper
-*- Maintain a devtmpfs filesystem to mount at /dev
[*] Automount devtmpfs at /dev, after the kernel mounted the rootfs
[*] Select only drivers that don't need compile-time external firmware
[*] Prevent firmware from being built
-*- Userspace firmware loading support
[*] Include in-kernel firmware blobs in kernel binary
(iwlwifi-7260-7.ucode) External firmware blobs to build into the kernel binary
(/lib/firmware) Firmware blobs root directory
[*] Fallback user-helper invocation for firmware loading
[ ] Driver Core verbose debug messages
[ ] Managed device resources verbose debug messages
should provide for building the firmware into the kernel. Should not be necessary or desirable though.
_________________
Defund the FCC.
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Mon Jan 06, 2014 3:31 pm

Thanks DONAHUE.

Reading your post I realized, with dread, that I made a very basic mistake: I forgot "make install".
Now, after doing it, I have a wlp6s0:
Code:
wlp6s0 no wireless extensions.

The "no wireless" part makes me uneasy...
I immediately replaced eth0 with wlp6s0 in /etc/conf.d/net and as the target of wpa_supplicant:
Code:
ln -s /usr/lib/systemd/system/wpa_supplicant@.service /etc/systemd/system/multi-user.target.wants/wpa_supplicant@wlp6s0.service

Now I get the same name even in ifconfig, but still no working network.
My /etc/wpa_supplicant/wpa_supplicant.conf has an entry:

Code:
network={
ssid="the name of my network"
#psk="the 16 digit long WPA-network code of my network"
psk=generated by wpa_passphrase
}


My network is a WPA+WPA2. Trying to force
Code:

key_mgmt=WPA_PSK
pairwise=CCMP

within the above supplicant.conf network block produces no output on ifconfig anymore...

what am I doing wrong this time?
DONAHUE
Watchman

Joined: 09 Dec 2006
Posts: 6254
Location: Goose Creek SC

Posted: Mon Jan 06, 2014 4:51 pm

suggest adding "[*] cfg80211 wireless extensions compatibility" to menuconfig and recompiling kernel
_________________
Defund the FCC.
zongo
n00b

Joined: 25 Dec 2013
Posts: 21

Posted: Tue Jan 07, 2014 9:02 pm

That was it DONAHUE!
Quote:
[*] cfg80211 wireless extension compatibility
did the trick!

Thanks to everybody who helped me with this. I am a newbie and the way is still long, but I can already say the satisfaction of achieving through understanding and with the help of the community is sweet. :) Now I can emerge natively and just have to compile GNOME...

EDIT

That was too early. Dhcp works, but resolv.conf does not get updated.
I see my gentoo machine on the wireless hot spot status, with an alleged ipv4 address, while ifconfig returns an ipv6 address.
Resolv.conf reads:
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Which sounds like "ALL YOUR BASES ARE BELONG TO US". Dang, I supposed the DNS info would be automatically fetched by DHCP (I emerged dhclient). Is this a trivial mistake on my part, or a new systemd feature?