A simple Void Linux base installation

This blog entry will demonstrate how to install a luks encrypted x86_64 Void Linux musl/UEFI signed UKI operating system on a ext4 filesystem. This entry is based on the Void Handbook and the Void man pages.

Provisioning

Flash the Void Linux musl ISO. After booting the ISO, partition the disk with either fdisk or cfdisk. Create an EFI System partition (ESP) and a Linux Filesystem partition (LFP).

It should look something like this:

Partition	Size	Type
1	512MB	EFI System
2	Rest	Linux filesystem

Format the ESP with a FAT 32 filesystem:

sh# mkfs.fat -F 32 -n esp /dev/<disk>1

Encrypt the LFP with luks:

sh# cryptsetup luksFormat /dev/<disk>2 --type luks2

Open the encrypted partition and format it with a ext4 filesystem:

sh# cryptsetup open --type luks /dev/<disk2> root
sh# mkfs.ext4 -L root /dev/mapper/root

Installation

To install Void Linux on the system, the ESP and LFP have to be mounted to the live (ISO) environment:

sh# mount -t ext4 /dev/mapper/root /mnt
sh# mkdir /mnt/efi
sh# mount -t vfat /dev/disk/by-label/esp /mnt/efi

Now we may install Void Linux musl with xbps-install:

sh# xbps-install -Sy -R https://repo-default.voidlinux.org/current/musl -r /mnt base-system cryptsetup openntpd

To have a functional chroot into the system, copy resolv.conf and bind the system process directories:

sh# cp /etc/resolv.conf /mnt/etc/
sh# for dir in dev proc sys run; do
> mount --rbind --make-rslave /$dir /mnt/$dir
> done
sh# chroot /mnt

Configure some key aspects of the system:

sh# echo <hostname> > /etc/hostname
sh# ln -sf /usr/share/zoneinfo/<area>/<subarea> /etc/localtime
sh# ln -s /etc/sv/dhcpcd /var/service/
sh# ln -s /etc/sv/opennptd /var/service/
sh# ln -s /etc/sv/acpid /var/service/
sh# passwd root #(1)!

1. The root password does not really matter because it is going to be locked after a user has been created.

Add the encrypted partition to the crypttab:

/etc/crypttab

root /dev/disk/by-uuid/<uuid> none #(1)!

1. The simplest way to add the uuid into /etc/crypttab is by performing:

   sh# blkid -o value -s UUID /dev/<disk>2 >> /etc/crypttab
   

and enable the crypttab module for dracut:

/etc/dracut.conf.d/crypt.conf

install_items+=" /etc/crypttab "

Edit the fstab to set the correct mounts:

/etc/fstab

/dev/disk/by-label/root     /       ext4    defaults,noatime                            0 1
/dev/disk/by-label/esp      /efi    vfat    defaults,nodev,nosuid,noexec,umask=0077     0 2
tmpfs                       /tmp    tmpfs   rw,nodev,nosuid,noexec,mode=1777            0 0
proc                        /proc   proc    nodev,nosuid,noexec,hidepid=2               0 0

Configure the kernel command-line:

/etc/dracut.conf.d/cmdline.conf

hostonly="yes"
kernel_cmdline="rw rd.luks.name=<uuid>=root root=/dev/mapper/root quiet splash" #(1)!

1. The simplest way to add the uuid into /etc/dracut.conf.d/cmdline.conf is by performing:

   sh# blkid -o value -s UUID /dev/<disk>2 >> /etc/dracut.conf.d/cmdline.conf
   

Install the bootloader systemd-boot and some hooks for dracut (1) necessary for building and signing the Unified Kernel Image (UKI):

1. The initramfs builder.

sh# xbps-install systemd-boot dracut-uefi sbctl sbsigntool

Verify that secureboot mode is in setup mode with sbctl status.

Replace the default dracut kernel hooks with those provided by dracut-uefi:

sh# xbps-alternatives -s dracut-uefi

and set the directory where the UKI will be deposited:

/etc/default/dracut-uefi-hook

UEFI_BUNDLE_DIR="/efi/EFI/Linux"

Create and enroll the secureboot keys into the system:

sh# sbctl create-keys
sh# sbctl enroll-keys #(1)!

1. Whilst enrolling the keys it might be necessary to add the --microsoft flag if you are unable to use custom keys.

Set the key and certificate required for signing the UKI:

/etc/dracut.conf.d/uki.conf

uefi_secureboot_cert="/var/lib/sbctl/keys/db/db.pem"
uefi_secureboot_key="/var/lib/sbctl/keys/db/db.key"

Install the bootloader:

sh# bootctl install

Configure the bootloader:

/efi/loader/loader.conf

timeout 3
editor no

Sign the bootloader with sbctl:

sh# sbctl sign -s /efi/EFI/Boot/BOOTX64.efi

Finally, reconfigure the kernel to execute the dracut-uefi hook:

sh# xbps-reconfigure -f linux<version>

One may verify the signed files by running sbctl verify.

Now exit the chroot, unmount the filesystem and reboot:

sh# exit
sh# umount -lf /mnt
sh# reboot

Post installation

Firmware and drivers

Install the device firmware for either AMD or Intel:

AMDIntel

sh# xbps-install linux-firmware-amd

sh# xbps-install void-repo-nonfree
sh# xbps-install -S intel-ucode

Swap

Add swap by creating a swapfile:

sh# dd if=/dev/zero of=/swapfile bs=8m count=512 status=progress #(1)!

1. To create a swapfile of different size (now 4 GB), change the count to the desirable size.

Assign the correct permissions to the swapfile and make swap from the swapfile:

sh# chmod 600 /swapfile
sh# mkswap /swapfile

Enable the swap:

sh# swapon /swapfile

and make it persistent by adding it to the fstab:

/etc/fstab

/swapfile none swap defaults 0 0

Reconfigure the kernel:

sh# xbps-reconfigure -f linux<version>

Users

To run processes securely, in an environment with fewer privileges, a user is necessary.

Before creating the user, install doas, to be able to "do as" root when it is required:

sh# xbps-install opendoas

and configure doas by editing:

/etc/doas.conf

permit persist :wheel as root

The alternative package sudo that is present in the base-system will be removed, since it is bloatware. To persist this, that is sudo will not be installed ever again on the system, insert:

/etc/xbps.d/nosudo.conf

ignorepkg=sudo

and remove sudo:

sh# xbps-remove -R sudo

Create a symbolic link from doas to sudo to impose backward compatiblility:

sh# ln -s /bin/doas /bin/sudo

We can add a user, set its password and add it to the wheel group with:

sh# useradd <user>
sh# passwd <user>
sh# usermod --append --groups wheel <user>

You may have to change the shell of the user in /etc/passwd from /sbin/nologin to a shell from /etc/shells. Void Linux comes with /bin/bash by default:

/etc/passwd

<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>

If you have checked that doas works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

sh# passwd -l root

and by changing its login shell to:

/etc/passwd

root:x:0:0:root:/root:/sbin/nologin

Networking

For desktop use NetworkManager is preferred over dhcpcd as network daemon, due to its versatility, i.e. Wi-Fi and VPN compatibility, MAC randomisation, et cetera. Install NetworkManager with:

sh# xbps-install NetworkManager

Configure NetworkManager with MAC randomisation:

/etc/NetworkManager/NetworkManager.conf

[main]
hostname-mode=none
plugins=ifupdown,keyfile

[ifupdown]
managed=true

[device]
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

Disable dhcpcd and enable the NetworkManager daemon and its dependency, the dbus daemon:

sh# rm -rf /var/service/dhcpcd
sh# ln -s /etc/sv/dbus /var/service/
sh# ln -s /etc/sv/NetworkManager /var/service/

For users to be able to modify connections on the system they will have to be added to the network group.

Concluding remarks

This is the bare minimum for a Void Linux desktop system. Some additional features such as bluetooth, laptop battery management, printer compatiblity, et cetera, have been documented well in the Void Handbook, and can thus be found there. The next steps are the improvement of the security of the system and the configuration of the graphical user interface.