Slackware Linux 15 with FDE on UEFI laptop

  2022-02-09      2519 words, 12 minutes

• thinkpad
• linux
• slackware
• fde
• encryption
• uefi
• luks

Slackware Linux was my first Linux distribution. I can’t recall if it was 1.x or 2.x. Anyway, I’ve always loved that distrib. Since Slackware 15.0 has recently been released and I’ve not been using Linux as a desktop since decades, let’s experiment with it.

I’ll install it on my ThinkPad T460s using Full Disk Encryption.

Pre-installation steps

Grab the slackware64-15.0-install-dvd.iso ISO file from the nearest mirror.

Plug a USB stick in the computer and write the ISO content:

# dd if=slackware64-15.0-install-dvd.iso of=/dev/rsd2c bs=10m

Take a moment to read a few documentation.

• README
• README_UEFI
• README_CRYPT
• Slackware installation
• Beginner’s Guide
• Slackware package management

Time to reboot and select the USB stick from the BIOS/UEFI menu.

Installation

When the boot process is done, you have the opportunity to setup a custom keyboard layout. I chose azerty/fr.

Log in as root. There is no password.

I have an HiDPI screen on that laptop. So let’s get a bigger font to actually see what we’re doing:

# setfont /usr/share/kbd/consolefonts/ter-732b.psf.gz

We’ll configure what’s referenced in the README as “combining luks and lvm”.

Prepare the disk

Check what disks are available:

# fdisk -l

The disk I’m looking for is /dev/nvme0n1.

The disk had stuff on it, so let’s nuke it:

# dd if=/dev/zero of=/dev/nvme0n1 bs=10M

Check that the disk is clean:

# gdisk -l /dev/nvme0n1
(...)
Partition table scan:
  MBR: not present
  BSD: not present
  APM: not present
  GPT: not present
(...)

Depending on wether you run dd on the whole disk or only a small part of it, it may not be cleaned. In this case, wipe the disk layout:

# gdisk /dev/nvme0n1
Command (? for help): x

Expert command (? for help): z
About to wipe out GPT on /dev/nvme0n1. Proceed? (Y/N): Y
GPT data structures destroyed!
Blank out MBR? (Y/N): Y

Build the basic partitionning

Create the required partitions:

# cgdisk /dev/nvme0n1
(...)
Press any key to continue...

Within cgdisk, the steps are:

• EFI System Partition
  • Select [New].
  • Hit “Enter” to accept default first sector.
  • Enter “100M” as the partition size.
  • Enter “ef00” as the partition Hex code.
  • Enter “EFI System” as a partition name.
• Select the biggest free space part.
• Unencrypted boot partition
  • Select [New].
  • Hit “Enter” to accept default first sector.
  • Enter “512M” as the partition size.
  • Enter “8300” as the partition Hex code.
  • Enter “boot” as a partition name.
• Select the biggest free space part.
• Encrypted partition
  • Select [New].
  • Hit “Enter” to accept default first sector.
  • Hit “Enter” as the partition size.
  • Hit “Enter” as the partition Hex code to set “8300”.
  • Enter “luks” as a partition name.
• Select [ Write ] and confirm with “yes”.
• Select [ Quit ].

Format the EFI partition:

# mkfs.vfat -n "EFI System" /dev/nvme0n1p1

Prepare the partition for encryption:

# cryptsetup -y luksFormat /dev/nvme0n1p3

Confirm with “YES"and enter the passphrase when asked.

Prepare the encrypted partitions

Open the encrypted partition:

# cryptsetup luksOpen /dev/nvme0n1p3 luks

Enter the passphrase to unlock the disk.

Create the encrypted partitions for the OS using LVM incantations:

# pvcreate /dev/mapper/luks
# vgcreate cryptvg /dev/mapper/luks
# lvcreate -L 64G -n root cryptvg
# lvcreate -L 32G -n swap cryptvg
# lvcreate -l 100%FREE -n home cryptvg

Review the storage information

# fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
Disk model: Sabrent                                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
(...)
Device           Start        End    Sectors   Size Type
/dev/nvme0n1p1    2048     206847     204800   100M EFI System
/dev/nvme0n1p2  206848    1255423    1048576   512M Linux filesystem
/dev/nvme0n1p3 1255424 2000409230 1999153807 953.3G Linux filesystem

# pvdisplay
  --- Physical volume ---
  PV Name               /dev/mapper/luksnvme0n1p3
  VG Name               cryptvg
  PV Size               <953.26 GiB / not usable <1.32 MiB
(...)

# lvdisplay
  --- Logical volume ---
  LV Path                /dev/cryptvg/root
  LV Name                root
  VG Name                cryptvg
(...)
  LV Size                64.00 GiB
   
  --- Logical volume ---
  LV Path                /dev/cryptvg/swap
  LV Name                swap
  VG Name                cryptvg
(...)
  LV Size                32.00 GiB
   
  --- Logical volume ---
  LV Path                /dev/cryptvg/home
  LV Name                home
  VG Name                cryptvg
(...)
  LV Size                857.25 GiB

Prepare the swap partition:

# mkswap /dev/cryptvg/swap

Follow the installation wizard

Run setup and answer the questions:

• (A)dd swap, selecting /dev/cryptvg/swap.
• Select /dev/cryptvg/root as the root (/) partition, formatting it as “ext4”.
• Select /dev/cryptvg/home, format it (ext4) and assign it the “/home” mount point.
• Select /dev/nvme0n1p2, format it (ext4) and assign it the “/boot” mount point.
• Select <continue>.

Note the message that says “EFI SYSTEM PARTITION RECOGNIZED”. It explains that /dev/sda2 has been mounted on /boot/efi. Which means the USB stick will be updated during installation. And that’s not what we want.

Press Ctrl-Z to switch to a shell and mount the proper partition:

# umount /mnt/boot/efi

# mount -t vfat /dev/nvmen0p1 /mnt/boot/efi

# mkdir /tmp/usbefi
# mount -t vfat /dev/sda2 /tmp/usbefi
# cd /tmp/usbefi
# tar cpf - . | tar xpf - -C /mnt/boot/efi/
# cd /; umount /tmp/usbefi; fg

Installation can then continue. Those were my options.

• Select the source media using “2 … USB stick”.
• Select the packages to install. I kept the default selection. And selected the “terse” prompting mode.
• (S)kip making a USB boot stick.
• (s)kip installing LILO and proceed to ELILO installation. Because this is an UEFI laptop.
• (i)install ELILO on the EFI System Partition.
• (i)nstall a boot menu entry.
• Select “YES” when asked if you want to remove the old slackware entry from the EFI boot.
• Select the imps2 Microsoft PS/2 Intellimouse configuration. I don’t care about mouse on console. So don’t run gpm at boot time.
• Configure the network. Entering a hostname, a domain, no VLAN ID.
• Select (N)etworkManager to autoconfigure network with wired & wireless interfaces.
• Select the services to run. I only added rc.ntpd to the default selection.
• I selected a custom screen font. Because the resolution is high and my eyes are old, I chose “ter-932b.psf.gz” ; 932b provides accented characters.
• Set the clock to local time.
• Select the timezone, I used Europe/Paris.
• Select the defaut editor. I went for (v)im.
• Select the defaut Window Manager. I chose XFCE.
• Set up a root password.

Now that setup is completed, select (E)xit. But don’t reboot. Select the (S)hell option to fix the bootloader. Remove the USB stick.

We need a special kernel configuration to have a French keyboard layout at boot (to enter the LUKS passphrase) and be able to hibernate using the encrypted swap:

# chroot /mnt

# /usr/share/mkinitrd/mkinitrd_generator.sh -r -a "-l fr -h /dev/cryptvg/swap"

# eval $(/usr/share/mkinitrd/mkinitrd_generator.sh -r -a "-l fr -h /dev/cryptvg/swap")

Reconfigure the bootloader to apply our changes:

# eliloconfig

• Select (i)nstall ELILO on the EFI System Partition.
• Select (i)nstall a boot menu entry.
• Accept to remove the old Slackware EFI boot entry.

When done, time to reboot

#exit
exit
#reboot

First boot

Linux boots and asks for the passphrase. It can be entered with the configured keyboard layout. When the boot process is done, log in as root to continue the adventure.

Post installation

Configure sudo to be able to run high-privileged commands without logging in as root:

# visudo
(...)
%wheel ALL=(ALL:ALL) ALL

Create the user that we’ll use to log in:

# adduser

Don’t forget to add the user to wheel when the option appears.

Configure the global french localization:

# vi /etc/profile.d/lang.sh
(...)
export LANG=fr_FR.UTF-8

I noticed that NTP is not setting the date & time properl. Let’s correct this:

# /etc/rc.d/rc.ntpd stop

# ntpdate fr.pool.ntp.org

# vi /etc/ntp.conf
(...)
# NTP server (list one or more) to synchronize with:
server fr.pool.ntp.org iburst
server fr.pool.ntp.org iburst
server fr.pool.ntp.org iburst
server fr.pool.ntp.org iburst

# /etc/rc.d/rc.ntpd start

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+x.ns.gin.ntt.ne 204.2.140.74     2 u  634 1024  377    3.322   -0.409   0.299
*ip139.ip-5-196- 145.238.203.14   2 u  608 1024  377    6.897   -0.213   0.556
-ntp19.kashra-se 90.187.148.77    2 u  730 1024  353    7.651   -2.585   1.140
+time.cloudflare 10.19.12.255     3 u   84 1024  377    3.729   +0.919   0.274

To be able to mount remote NFS shares, simply enable the RPC services:

# chmod 755 /etc/rc.d/rc.rpc
# /etc/rc.d/rc.rpc start

Configure X Window System

We’ll need to setup a localized keyboard layout. And also add a feature to be able to switch to US layout from time to time:

# cp /usr/share/X11/xorg.conf.d/90-keyboard-layout-evdev.conf /etc/X11/xorg.conf.d/
# vi /etc/X11/xorg.conf.d/90-keyboard-layout-evdev.conf
Section "InputClass"
    Identifier "keyboard-all"
    MatchIsKeyboard "on"
    MatchDevicePath "/dev/input/event*"
    Driver "evdev"
    Option "XkbLayout" "fr,us"
    Option "XkbOptions" "terminate:ctrl_alt_bksp,grp:shifts_toggle"
EndSection

I don’t want to use sddm(1) ; I’d rather use xdm(1):

echo 'exec /usr/bin/xdm -nodaemon' > /etc/rc.d/rc.4.local
chmod 0755 /etc/rc.d/rc.4.local

You may want to run startx to test if X11 works properly. But running it as root is not great. Either switch to the normal user, test and come back to root. Or run the test as root ; maybe using xwmconfig(1) to configure a minimal X environment for root rather than starting KDE or such.

To have the login Manager starting automatically, set the default runlevel to 4:

# vi /etc/inittab
(...)
# Default runlevel. (Do not set to 0 or 6)
id:4:initdefault:

Issue init 4 && exit to have xdm start and the root session terminated. Logging in with a user will start the default desktop environment configured during installation. One can use xwmconfig in console or xterm to setup a different DE. This will create an ~/.xsession file that can also be customized by hand. Mine goes like this:

source $HOME/.bashrc

export QT_AUTO_SCREEN_SCALE_FACTOR=0 QT_SCREEN_SCALE_FACTORS=1.5

exec /usr/bin/startxfce4

In XFCE, I also configure a custom DPI, set to 144, to get decent font size ; and match the 1.5 QT factor.

While in X11, wifi configuration can be done using the NetworkManager Applet.

Packages and applications

All the official Slackware packages are available from the DVD and/or the web repository. To obtain any other (unofficial) software, either find a binary package repository or compile from sources.

By default, you get pkgtools, which is the set of package management tools (installpkg, removepkg….). Those work with installed packages or locally available package archives (*.tgz *.txz). You also get slackpkg, which goes on top of pkgtools and allows install/removal/update from remote official Slackware package repositories.

slackpkg

Configure the package manager to use a near mirror:

# vi /etc/slackpkg/mirrors
(...)
https://mirrors.slackware.com/slackware/slackware64-15.0/

# slackpkg update gpg
# slackpkg update

The general routine goes:

# slackpkg update
# slackpkg install-new
# slackpkg upgrade-all
# slackpkg clean-system

Beware that slackpkg clean-system will offer you to remove old packages but also those not known as official.

slackpkg+

If you’d like to add some extra binary package repository while using slackpkg, you can install slackpkg+. This utility will extend the stock slackpkg by providing extra packages storage while maintaining the usual commands.

To get, install and configure slackpkg+, simply:

# wget -O slackpkg+-1.8.0-noarch-1mt.txz  \
  https://sourceforge.net/projects/slackpkgplus/files/slackpkg%2B-1.8.0-noarch-1mt.txz/download
# installpkg slackpkg+-1.8.0-noarch-1mt.txz
(...)
Executing install script for slackpkg+-1.8.0-noarch-1mt.txz.
Package slackpkg+-1.8.0-noarch-1mt.txz installed.

# man slackpkgplus.conf
# vim /etc/slackpkg/slackpkgplus.conf
(...)
MIRRORPLUS['alienbob']=http://nephtys.lip6.fr/pub/linux/distributions/slackware/people/alien/sbrepos/15.0/x86_64
MIRRORPLUS['slackpkgplus']=https://slakfinder.org/slackpkg+15/

# slackpkg update gpg
# slackpkg update

You can now benefits from the official and additionnal binary packages.

Install new packages

Here’s how to check if KeePassXC is available:

# slackpkg search keepassxc

Looking for keepassxc in package list. Please wait... DONE

The list below shows all packages with name matching "keepassxc".

[unin] alienbob : keepassxc-2.6.6-x86_64-1alien

You can search specific files using "slackpkg file-search file".

To install it, simply run:

# slackpkg install keepassxc

Note that using the Secret Service feature of KeePassXC requires disabling gnome-keyring ; which is started by default in XFCE session. In the autostart XFCE dialog box, look for, and disable, Polkit Authentication Agent.

SlackBuilds

When there is no available packages, you need to compile from sources. The most complicated way is to get each source code, compile it and install it. But this leaves you with a bunch of non-packages resources that may be difficult to maintain and clean.

SlackBuilds dot org provides a bunch of resources that will guide you through building Slackware packages, ready to be managed by pkgtools. You basically get a ready-to-compile archive, read the provided documentation, get the software source and launch a process script.

For example, to get redshift compiled and packaged:

# wget https://slackbuilds.org/slackbuilds/14.2/desktop/redshift.tar.gz
# wget https://slackbuilds.org/slackbuilds/14.2/desktop/redshift.tar.gz.asc
# gpg --verify redshift.tar.gz
# tar xzf redshift.tar.gz
# cd redshift

# grep DOWNLOAD redshift.info 
DOWNLOAD="https://github.com/jonls/redshift/releases/download/v1.12/redshift-1.12.tar.xz"
DOWNLOAD_x86_64=""
# wget https://github.com/jonls/redshift/releases/download/v1.12/redshift-1.12.tar.xz

# less README
# ./redshift.SlackBuild
(...)
Slackware package /tmp/redshift-1.12-x86_64-2_SBo.tgz created.

# installpkg /tmp/redshift-1.12-x86_64-2_SBo.tgz

In reality, there may be dependencies that need to be compiled before redshift can be. The information is described in the redshift.info file. And the process is recursive. To be able to compile and run redshift from a stock Slackware installation, you would have to run the previous process for the following software :

• json-glib
• libdaemon
• avahi
• geoclue2
• pyxdg
• redshift

Note that the whole process has to be done as root.

SlackBuilds.org tools

To automate the building process described above, one can use sbotools . This provides a set of tools to search for, compile and install packages automatically based on the SlackBuils.org repository.

Install sbotools:

# wget http://slackbuilds.org/slackbuilds/14.2/system/sbotools.tar.gz
# tar xzf sbotools.tar.gz
# cd sbotools
# grep DOWNLOAD sbotools.info 
DOWNLOAD="https://pink-mist.github.io/sbotools/downloads/sbotools-2.7.tar.gz"
DOWNLOAD_x86_64=""
# wget https://pink-mist.github.io/sbotools/downloads/sbotools-2.7.tar.gz

# ./sbotools.SlackBuild
(...)
Slackware package /tmp/sbotools-2.7-noarch-1_SBo.tgz created.

# installpkg /tmp/sbotools-2.7-noarch-1_SBo.tgz
(...)
Package sbotools-2.7-noarch-1_SBo.tgz installed.

Start with fetching the repository:

# sbosnap fetch
(...)

# ls /usr/sbo/repo/
ChangeLog.txt    audio/        gis/        misc/        python/
README           business/     graphics/   multimedia/  ruby/
SLACKBUILDS.TXT  desktop/      ham/        network/     system/
academic/        development/  haskell/    office/      thirdparty/
accessibility/   games/        libraries/  perl/

Then, regularly update the repository:

# sbocheck
Updating SlackBuilds tree...
Updating files: 100% (27631/27631), done.
(...)
A copy of the above result is kept in /var/log/sbocheck.log

To install redshift, we would run:

# sbofind redshift
SBo:    redshift 1.12
Path:   /usr/sbo/repo/desktop/redshift

# sboinstall redshift
(...)
Proceed with geoclue2? [y] y
geoclue2 added to install queue.
(...)
Proceed with redshift? [y] y
redshift added to install queue.

Install queue: geoclue2 redshift

Are you sure you wish to continue? [y] y
(...)
Slackware package /tmp/redshift-1.12-x86_64-2_SBo.tgz created.
(...)
Installing package redshift-1.12-x86_64-2_SBo.tgz:
(...)
Executing install script for redshift-1.12-x86_64-2_SBo.tgz.
Package redshift-1.12-x86_64-2_SBo.tgz installed.
Cleaning for redshift-1.12...

All packages are left in /tmp and may be saved to apply later on.

Final thoughts

What’s really great is that Slackware is still Slackware. Even after 27 years. The installation process and wizard looks the same. The way of doing things is still the same. It has no systemd and it still ships with BSD-style and System V compatible init scripts.

The UEFI + LUKS stuff is not straight-forward but reading the proper documentation makes it not that hard. AND you learn about the boot process of x86_64.

Everything works out of the box. No real tweaking is required. And the distribution comes with a whole set of decent software. On a server configuration, I would probably only install A, AP and N packages. Then add some more things manually with slackpkg.

The only thing that does not really suit me is the need to compile the extra-packages. I’ve stopped compiling stuff a long time ago and only do it when I have no other choice. I’d rather use binary packages when it’s possible.

To me, Slackware is a great distribution. It’s clean and easy to use. And it’s well designed to learn about the ?N*X world. Great job Pat and the Slackware crew!