~yosh@unix.dog

void linux - installation

I won’t restate the already-well-documented-elsewhere. if you want a basic system setup, no fancy efistub or FDE or whatnot, the manual and installer script are both very powerful and go a very long way

full disk encryption + efistub

efistub essentially just means that the kernel image becomes its own bootable device, removing the need for something like GRUB or other intermediary bootloaders. this, of course, is only supported by systems that can boot uefi, which you can check by going into your BIOS or running efibootmgr in a live image. refer to your own computer documentation if needed; everything is different.

full disk encryption means that most of your disk (everything except the boot partition, outside of certain circumstances) is encrypted and as such can’t be accessed to read data without a key or passphrase. the void manual has a section on installing fde with GRUB, and this allows for an encrypted boot partition. however, the manual does not cover efistub at all, let alone with encryption, so this will serve as a guide. I figured this out from other blog posts for different systems and whatnot, but changed some stuff to fit my liking

you can probably remove all the cryptsetup-related stuff and have a perfectly fine and working efistub system. I am too lazy to make a completely separate guide for this right at this moment, e-mail or DM me if you want me to guide you through it and if I get even one person doing this I’ll make a separate guide

setup

boot a live image and login to root:voidlinux. run void-installer to setup your keymap, internet connection, and (optionally) your user (this is just the simplest way to do this initial setup)

check which drive you want to install void on with lsblk and run cfdisk -z /dev/<device>. select gpt as the label type. make a partition at least 128M in size (I HIGHLY recommend 256M though) and set its type to EFI System. make another partition with the remaining space of type Linux Filesystem

now set up the actual encrypted partition with an lvm volume. in this example, /dev/nvme0n1 is the disk, p1 is the boot partition, and p2 is the other partition

also, a note for this entire guide: words following a # way off to the right are comments, and should not be entered

# mkfs.vfat /dev/nvme0n1p1				# because this is an efi system
# cryptsetup luksFormat --type luks2 --label luks /dev/nvme0n1p2
Enter passphrase and all that jazz...
# cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
Enter passphrase for /dev/nvme0n1p2:
# vgcreate voidvm /dev/mapper/cryptroot
  Volume group "voidvm" successfully created

now we need to make our actual filesystems. I like having a separate /home partition because… I don’t know really. I don’t “distrohop”, but I guess it’s better for backups and migration. 16G as root should be more than enough for most systems, but you might want more. refer to the manual for how much swap you should put in. the cool thing about using lvm is that these can easily be resized later in case you need to change something

# lvcreate --name root -L 16G voidvm
  Logical volume "root" created.
# lvcreate --name swap -L 8G voidvm
  Logical volume "swap" created.
# lvcreate --name home -l 100%FREE voidvm		# note the lowercase l here
  Logical volume "home" created.

# mkfs.ext4 -L root /dev/voidvm/root			# replace with your desired filesystem
# mkfs.ext4 -L home /dev/voidvm/home
# mkswap /dev/voidvm/swap

now time to mount and install the actual system; this is standard procedure

# mount /dev/voidvm/root /mnt
# for dir in dev proc sys run; do mkdir -p /mnt/$dir ; mount --rbind --make-rslave /$dir /mnt/$dir ; done
# mkdir -p /mnt/home
# mount /dev/voidvm/home /mnt/home
# mkdir -p /mnt/boot
# mount /dev/nvme0n1p1 /mnt/boot			# N.B: *not* /boot/efi

# mkdir -p /mnt/var/db/xbps/keys
# cp /var/db/xbps/keys/* /mnt/var/db/xbps/keys/

important note: use the correct repository path for your system. the following example is for glibc systems

# xbps-install -Sy -R https://repo-default.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup efibootmgr

time to set up the chroot environment

# chroot /mnt
# chown root:root /
# chmod 755 /
# passwd root						# changing root password
# echo your_hostname > /etc/hostname

N.B: glibc systems only
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
# echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
# xbps-reconfigure -f glibc-locales

now you need to configure /etc/fstab. I recommend installing nano (via xbps-install nano) for editing these files right now, unless you’re already comfortable with editing files in vi(m). for our current config, fstab will look like the following:

# <file system>		<dir>	<type>	<options>			<dump>	<pass>
/dev/nvme0n1p1		/boot	vfat	defaults			0	2
/dev/voidvm/root	/	ext4	defaults			0	1
/dev/voidvm/home	/home	ext4	defaults			0	2
/dev/voidvm/swap	swap	swap	defaults			0	0
tmpfs			/tmp	tmpfs	defaults,nosuid,nodev,noexec	0	0
# note: noexec on /tmp is optional. this *can* break some very specific things
# notably, minecraft LWJGL 3.3.1 extracts its library to /tmp, which you can change with a JVM arg
# you could omit noexec from /tmp. honestly, it's less useful for one-user systems anyway
# but there's no harm in including noexec, so I do so

now we need to create the directory /etc/dracut.conf.d and edit 10-cryptoverride.conf in it. honestly I don’t know if the second line is needed for this config but you might as well include it

hostonly=yes
install_items+=" /etc/crypttab "			# N.B: the spaces between the quotes

the final thing we need to change is /etc/default/efibootmgr-kernel-hook. in here, you need to replace <UUID> with the UUID of the LUKS filesystem. you can find this by running blkid -o value -s UUID /dev/nvme0n1p2 (replacing /dev/nvme0n1p2 with your LUKS partition of course). unfortunately, you’ll have to manually type it in

MODIFY_EFI_ENTRIES=1
OPTIONS="loglevel=4 rd.luks.uuid=<UUID> rd.lvm.vg=voidvm root=/dev/voidvm/root"
DISK="/dev/nvme0n1"
PART=1					# the EFI system partition, *not* root
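
since the UUID is typed by hand, a consistency check before regenerating the initramfs and rebooting can save a rescue session. the following is an added example, not part of the original guide or of void's tooling: the function names (cmdline_value, check_hook_conf, sample_conf) and the sample UUID are made up, and it assumes the hook file is plain shell KEY=value syntax as shown above.

```shell
#!/bin/sh
# Added example: sanity-check a hand-edited efibootmgr-kernel-hook file.

# Print the value of KEY ($1) from a kernel command line ($2).
cmdline_value() {
    for tok in $2; do
        case $tok in "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 1
}

# check_hook_conf FILE LUKS_UUID: status 0 only if FILE is consistent.
# The body is a subshell "( )" so sourcing FILE cannot leak variables.
check_hook_conf() (
    conf=$1 want=$2 rc=0
    set -f                                   # no globbing while splitting OPTIONS
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; exit 2; }
    case $conf in */*) ;; *) conf=./$conf ;; esac   # keep "." from searching $PATH
    . "$conf"                                # assumed: file is shell KEY=value syntax
    fail() { echo "FAIL: $*" >&2; rc=1; }

    [ "${MODIFY_EFI_ENTRIES-}" = 1 ] || fail "MODIFY_EFI_ENTRIES is not 1"
    case ${PART-} in ''|*[!0-9]*) fail "PART is not a partition number" ;; esac
    [ -n "${DISK-}" ] || fail "DISK is empty"

    uuid=$(cmdline_value rd.luks.uuid "${OPTIONS-}") || fail "no rd.luks.uuid= in OPTIONS"
    vg=$(cmdline_value rd.lvm.vg "${OPTIONS-}")      || fail "no rd.lvm.vg= in OPTIONS"
    root=$(cmdline_value root "${OPTIONS-}")         || fail "no root= in OPTIONS"

    # The typed UUID must equal what blkid reports for the LUKS partition.
    [ "$uuid" = "$want" ] || fail "rd.luks.uuid '$uuid' != LUKS UUID '$want'"
    # root= must live in the volume group that rd.lvm.vg activates.
    case $root in "/dev/$vg/"?*) ;; *) fail "root=$root is not in VG '$vg'" ;; esac
    exit "$rc"
)

# Constructed sample in the guide's layout (the UUID is made up).
SAMPLE_UUID=0f3c9a52-7b1e-4d2a-9c44-5e8a1b6d7f10
sample_conf() {
    cat <<EOF
MODIFY_EFI_ENTRIES=1
OPTIONS="loglevel=4 rd.luks.uuid=$SAMPLE_UUID rd.lvm.vg=voidvm root=/dev/voidvm/root"
DISK="/dev/nvme0n1"
PART=1
EOF
}

# Inside the chroot: check_hook_conf /etc/default/efibootmgr-kernel-hook \
#     "$(blkid -o value -s UUID /dev/nvme0n1p2)"
```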

now reconfigure dracut and the kernel to ensure everything gets updated. replace linux6.1 with your current kernel version. you can check this by running xbps-query -s linux

# xbps-reconfigure -f dracut linux6.1

finally, exit the chroot and reboot the system

# exit					# might need to do this twice if you entered bash
# umount -R /mnt
# reboot

hopefully everything went well. if something didn’t go well and you don’t reboot successfully, don’t panic. don’t go through the entire installation process again unless you fucked up something with the encrypted disk and cannot unlock it at all. otherwise, look at rescuing a system

addendum: if you want to make this setup basically as secure as possible, you also need to use secure boot and sign your own kernel. this varies wildly from system to system, so I cannot give any specific instructions here. I also haven’t done it yet. oops
