de(e)su - installing liberté linux


Installing Liberté Linux

Installation on removable media

In order to install Liberté on a FAT/FAT32-formatted, or ext[234]-formatted USB key, SD card, or any other kind of bootable media:

1. Download liberte-201X.Y.zip from the SourceForge project site. The latest version is always the default download, so just click the green button. Note that the top-level liberte folder in all installation package types (.zip / .iso / .ova) is exactly the same.

2. Extract the archive into the top directory of the media you want to use (including the liberte archive root) — i.e., in Windows put D: or similar into the "Extract to …" dialog. This is all that's needed when upgrading; however, to upgrade a running Liberté instance, add toram to the boot menu options first.

3. Make the media bootable (unnecessary when upgrading or when booting using (U)EFI):

   Windows: Launch setup.bat in the liberte folder. You will likely need to right-click and select Run as administrator in Vista and in Windows 7. Watch out for errors in the console messages. Do not permit antivirus software like Avast to run the installer in a sandbox, since the bootloader will fail to install in that case.

   Linux: Run sh /media/…/liberte/setup.sh auto as root.

For virtualized environments, download liberte-201X.Y.ova and import it into the virtual machine (Import Appliance in VirtualBox, Open in VMware, etc.). On Linux, it is also possible to immediately test-drive Liberté in QEMU / QEMU-KVM by running liberte/qemulate.sh from an extracted .zip archive; persistence support will be disabled (similarly to .iso).

See the Secure Boot section below regarding booting writable media that are unsupported as boot devices on given hardware (e.g., SD cards).

When upgrading, it is recommended to reset the user configuration after booting: add nosettings to the boot menu options, remove ~/persist/settings/config.tar.xz, and reboot. Upgrading will migrate old cables communication certificates on first boot, and should not cause any usability issues.

NOTE: Older computers might be able to boot only FAT(16)-formatted USB keys — the corresponding BIOS boot option is typically USB RMD-FDD. For such computers, installing on an HDD partition is likely a better option: use the nombr option of setup.sh (or remove the -m -a options from setup.bat), and chain-load the partition from your bootloader.

DE(E)SU - Installing Liberté Linux http://dee.su/liberte-install

1 di 3 30/03/2013 23:30


Authenticity

Liberté Linux releases are signed with a designated PGP key:

Liberté Linux (Release Signing Key) <[email protected]>
6FDD D756 110C 1B07 249F D07E 9B02 7FCD 81DE 1001

You are encouraged to verify the downloaded files using, e.g., GNU Privacy Assistant or PGP Desktop, after fetching the key from a keyserver (or downloading it using the link above), by providing the associated *.asc file as input:

¤ gpg --verify liberte-2010.1.zip.asc
gpg: Signature made Fri 19 Nov 2010 03:48:36 MSK
gpg: using DSA key 0x9B027FCD81DE1001
gpg: Good signature from "Liberté Linux (Release Signing Key) <[email protected]>"
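"Good signature" only means that some key in the local keyring made the signature, so the added example below (not from the Liberté site) pins the fingerprint published above by parsing gpg's machine-readable status lines. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original page.
# Release key fingerprint as published above, spaces removed.
LIBERTE_FPR=6FDDD756110C1B07249FD07E9B027FCD81DE1001

# Read `gpg --status-fd` lines on stdin. Succeed only if there is a GOODSIG,
# a VALIDSIG naming the pinned fingerprint (field 3 is the signing key, the
# last field is its primary key), and no bad/expired/revoked status.
status_is_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit (good && pinned && !bad) ? 0 : 1 }'
}

# verify_release SIGNATURE.asc FILE  (hypothetical helper name)
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_is_pinned "$LIBERTE_FPR"
}

# Constructed status output for an offline demonstration.
SAMPLE_OK='[GNUPG:] GOODSIG 9B027FCD81DE1001 Liberte Linux (Release Signing Key)
[GNUPG:] VALIDSIG 6FDDD756110C1B07249FD07E9B027FCD81DE1001 2010-11-19 1290127716 0 4 0 17 2 00 6FDDD756110C1B07249FD07E9B027FCD81DE1001'

# Same shape, but signed by an unrelated (constructed) key that merely
# happens to be in the keyring: gpg would still print "Good signature".
SAMPLE_OTHER='[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111 2010-11-19 1290127716 0 4 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111'

printf '%s\n' "$SAMPLE_OK" | status_is_pinned "$LIBERTE_FPR" &&
    echo "pinned key: accept"
printf '%s\n' "$SAMPLE_OTHER" | status_is_pinned "$LIBERTE_FPR" ||
    echo "other key: reject"
```

With a real download, call verify_release liberte-201X.Y.zip.asc liberte-201X.Y.zip and treat any non-zero exit status as a failed verification.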

Secure Boot

(U)EFI bootloader binaries are signed for Secure Boot, establishing a trusted boot chain starting with a KEK / DB certificate (located in EFI directory). The procedure for enrolling the certificate in TianoCore OVMF is as follows:

1. Navigate to Device Manager → Secure Boot Configuration → Secure Boot Mode, and select Custom Mode.

2. Navigate to Device Manager → Secure Boot Configuration → Custom Secure Boot Options → DB Options → Enroll Signature, load EFI/Liberte-SecureBoot-CA.der, and commit the changes.

For real hardware, the procedure should be similar — e.g., for Dell Latitude firmware, navigate to Secure Boot → Expert Key Management → Enable Custom Mode → db: Append from File. It is also possible to add the bootloader signature directly (by selecting, e.g., EFI/BOOT/BOOTx64.EFI instead of the certificate above), but this step will need to be done after each Liberté update.

Adding the certificate to KEK database (instead of DB above) will let Liberté modify authenticated EFI variables at runtime — such functionality is not used at present.

If you don't want to customize Secure Boot settings, and your UEFI firmware has Microsoft's UEFI CA certificate already enrolled (which is probably the case), you can use shim instead (this assumes a .zip install):

1. Drop shim.efi and MokManager.efi into EFI/BOOT.

2. Rename BOOTx64.EFI to grubx64.efi, and then rename shim.efi to BOOTx64.EFI.

3. After booting, use shim's interface to enroll EFI/Liberte-SecureBoot-CA.der key, or EFI/BOOT/BOOTx64.EFI signature, similarly to OVMF instructions above. Note that such whitelisting is visible to shim only.
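The file shuffle from the first two shim steps, as a script that is safe to re-run (an added example, not from the Liberté project). The function name and its two arguments, the mounted media root and a directory holding shim.efi and MokManager.efi, are assumptions. It refuses to run a second time, because repeating the rename would overwrite GRUB with shim.

```sh
#!/bin/sh
# Added example, not part of the original page.
# install_shim MEDIA_ROOT SHIM_DIR   (hypothetical helper)
#   MEDIA_ROOT: mount point of the Liberté media (contains EFI/BOOT)
#   SHIM_DIR:   directory with shim.efi and MokManager.efi obtained separately
install_shim() {
    boot="$1/EFI/BOOT"
    src=$2

    [ -f "$boot/BOOTx64.EFI" ] || {
        echo "missing $boot/BOOTx64.EFI" >&2; return 1; }
    [ -f "$src/shim.efi" ] && [ -f "$src/MokManager.efi" ] || {
        echo "shim.efi or MokManager.efi missing in $src" >&2; return 1; }

    # If grubx64.efi exists, BOOTx64.EFI is already shim. Renaming again
    # would replace GRUB with shim and leave the media unbootable.
    if [ -e "$boot/grubx64.efi" ]; then
        echo "shim layout already present, nothing done" >&2
        return 2
    fi

    # Step 1: drop shim.efi and MokManager.efi into EFI/BOOT.
    cp "$src/shim.efi" "$src/MokManager.efi" "$boot/" || return 1
    # Step 2: GRUB takes the name shim chain-loads, shim takes the default name.
    mv "$boot/BOOTx64.EFI" "$boot/grubx64.efi" || return 1
    mv "$boot/shim.efi" "$boot/BOOTx64.EFI"
}

# Run only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    install_shim "$1" "$2"
fi
```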

With regular BIOS-based boot, only the last stage of the trusted boot chain is performed: root filesystem image verification. However, a minimal bootstrap .iso image (lacking a compressed root filesystem) is now shipped, which can be burned to read-only media and used to boot a regular install of Liberté on writable media. Such an image is also useful for booting writable media that are unsupported as boot devices on given hardware (e.g., SD cards).

Support

Bug reports, suggestions, and generic discussion are always welcome. Don't forget to rate this project on SourceForge!

Contribute and discuss

E-mail: Maxim Kammerer <[email protected]>

If you are interested in having specific customizations implemented, please contact me by e-mail.
