Difference between pages "UEFI Install Guide" and "Package:OpenSSL"

(Difference between pages)
(Configuring GRUB)
 
 
Line 1: Line 1:
This tutorial will show you how to install Funtoo on a UEFI system. UEFI, also known as the [[Wikipedia:Unified Extensible Firmware Interface|Unified Extensible Firmware Interface]], is a new firmware interface that is used on some newer computers as a replacement for the traditional PC BIOS. It has an integrated boot loader, so setting up booting is different.
+
{{Ebuild
 
+
|Summary=Full-strength general purpose cryptography library (including SSL and TLS.)
This tutorial is meant to be an "overlay" over the Regular Funtoo Installation. Follow the normal installation and only follow steps in this tutorial when dealing with partitioning and configuring the boot loader (GRUB). All steps are otherwise identical to the regular installation process.
+
|CatPkg=dev-libs/openssl
 
+
|Homepage=http://www.openssl.org
== What Are We Doing? ==
+
 
+
This guide will show you how to set up your UEFI system to load the GRUB boot loader, which will then load your Funtoo Linux kernel and initramfs. This is the "UEFI + GRUB" method as described on the [[Boot Methods]] page.
+
 
+
== First Steps ==
+
 
+
To install Funtoo Linux on a UEFI system, first you need to boot SysRescueCD in UEFI mode. To do this, enable UEFI in your BIOS, and if necessary disable legacy booting. After some fiddling, you should be able to boot SysRescueCD and get a black and white text menu instead of the traditional aqua/cyan-colored menu. The black and white menu indicates that you booted SysRescueCD in UEFI mode. Once you've accomplished this, you're ready to continue with your Funtoo Linux installation and partition your drive. See below for details.
+
 
+
'''If the <tt>/sys/firmware/efi</tt> directory exists, then you have successfully booted in EFI mode and will be able to configure your Funtoo system to boot in EFI mode. If the directory doesn't exist, fix this first. It is a requirement for setting up EFI booting.'''
+
 
+
== Partitioning ==
+
 
+
To set up your partitions for UEFI booting, you will create a ~500MB FAT32 partition on <tt>/dev/sda1</tt>, and set it to type <tt>EF00</tt> using <tt>gdisk</tt>.
+
 
+
<console>
+
Command: ##i##n ↵
+
Partition Number: ##i##1 ↵
+
First sector: ##i##↵
+
Last sector: ##i##+500M ↵
+
Hex Code: ##i##EF00
+
</console>
+
 
+
This partition will serve as your Funtoo <tt>/boot</tt> filesystem as well as the partition that the UEFI firmware can read to load GRUB. Then you will set up swap on <tt>/dev/sda2</tt> and your root filesystem on <tt>/dev/sda3</tt>. To create the FAT32 filesystem, type:
+
 
+
<console>
+
# ##i##mkfs.vfat -F 32 /dev/sda1
+
</console>
+
 
+
Your <tt>/etc/fstab</tt> entry for this filesystem will also differ, and will look like this:
+
 
+
<pre>
+
/dev/sda1 /boot vfat noatime 1 2
+
</pre>
+
 
+
== Kernel ==
+
 
+
=== VFAT ===
+
 
+
Make sure you add VFAT support to your kernel if you are building it manually.
+
 
+
=== EFI Framebuffer ===
+
 
+
If you have the following option enabled in your kernel, then uvesafb and efifb will not be able to detect the framebuffer:
+
 
+
{{kernelop|title=Bus options (PCI etc.)|desc=
+
    [*] Mark VGA/VBE/EFI FB as generic system framebuffer (NEW)
+
 
}}
 
}}
 +
{{PageNeedsUpdates}}
 +
OpenSSL is a cryptography package used with {{Package|net-misc/openssh}}, web servers, and more.  ftps, https, smtps, imaps, etc use SSL/TLS.  SSL/TLS is used to prevent man in the middle attacks on plain text streams of data.  As this is a security package it is frequently cycled from testing, & bug repairs.
 +
{{note|ssl is old, tls is new.  If you have the option to run tls, run tls rather than ssl}}
  
If you have that option enabled, ''you must also enable'':
+
=== Installation ===
 +
{{console|body=###i## emerge dev-libs/openssl}}
  
{{kernelop|title=Device Drivers,Graphics support,Frame buffer Devices,Support for frame buffer devices|desc=
+
=== Usage ===
    [*]  Simple framebuffer support
+
ssl uses several certificates with differing coverage, and use cases.  Certificates are obtained by 3rd party sites.  go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.
}}
+
  
This is the preferred method of using the EFI framebuffer, the efifb and uvesafb drivers will be used as a fallback if the above is not compatible.
+
The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.
  
== Boot Loader ==
+
==== Self Signed Certificates ====
 +
Free:
 +
Self signed certificates are free, self made, quick, easy to setup, and insecure.  They are great for lab experiments, and testing out new technologies that you're not familiar with.
  
=== Emerging GRUB ===
+
==== Free Certificates ====
 +
Free:  (with restrictions)
 +
You can get free certificates from places like StartSSL.com.  The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that.  However, for personal sites, you can't beat the cost.
  
You will still use GRUB as a boot loader, but before emerging grub, you will need to enable EFI booting. To do this,
+
==== Single Domain Certificates ====
add the following line to <tt>/etc/portage/make.conf</tt>:
+
Generally $10/yr:
 
+
Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.
<pre>
+
GRUB_PLATFORMS="efi-64"
+
</pre>
+
 
+
Then, <tt>emerge grub</tt>. You will notice <tt>efibootmgr</tt> getting pulled in as a dependency. This is expected and good.
+
 
+
=== Installing GRUB ===
+
 
+
Now, for the magic of getting everything in place for booting. You should copy your kernel and initramfs (if you have one -- you will if you are following the default install) to <tt>/boot</tt>. GRUB will boot those. But how do we get UEFI to boot GRUB? Well, we need to run the following command:
+
 
+
<console>
+
# ##i##grub-install --target=x86_64-efi --efi-directory=/boot /dev/sda
+
</console>
+
This command will simply install all the stuff to <tt>/boot/EFI</tt> and <tt>/boot/grub</tt> that your system needs to boot. In particular, the <tt>/boot/EFI/grub/grubx64.efi</tt> file will be created. This is the GRUB boot image that UEFI will load and start.
+
=== Configuring GRUB ===
+
 
+
OK, now UEFI has the GRUB image it needs to boot. But we still need to configure GRUB itself so it finds and boots your kernel and initramfs. This is done by performing the following steps. Since boot-update doesn't yet support UEFI, we will not use boot-update directly and will create a <tt>/boot/grub/grub.cfg</tt> file manually that looks like this:
+
 
+
{{file|name=/boot/grub/grub.cfg|desc= |body=
+
set timeout=3
+
set gfxmode=auto
+
insmod efi_gop
+
insmod efi_uga
+
 
+
menuentry "Funtoo Linux genkernel - kernel-debian-sources-x86_64-3.2.35-2" { 
+
    insmod part_gpt
+
    insmod fat 
+
    set root=(hostdisk//dev/sda,gpt1) 
+
    search --no-floppy --fs-uuid --set __REPLACE_UUID_OF_SDA1__
+
    linux /kernel-debian-sources-x86_64-3.2.35-2 real_root=/dev/sda3
+
    initrd /initramfs-debian-sources-x86_64-3.2.35-2 
+
    set gfxpayload=keep
+
}
+
set default=0
+
}}
+
  
Note the <tt>search</tt> line where it says '''<tt>__REPLACE_UUID_OF_SDA1__</tt>''' above. You will need to run '''<tt>blkid /dev/sda1</tt>''' and use the UUID value that is displayed. For example, on my system, I need to use '''<tt>C34B-19CF</tt>'''. You can also change the <tt>menuentry</tt> line text in quotes to say whatever you want, and the <tt>linux</tt> and <tt>initrd</tt> lines should reference your kernel versions in <tt>/boot</tt>. As above, use the path <tt>/</tt> instead of <tt>/boot</tt> as the path should be relative to the root of the VFAT filesystem.
+
==== Unified Communications Certificate ====
 +
Generally $300/yr
 +
This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.
  
== Known Issues ==
+
==== Wildcard Certificates ====
With pure UEFI boot mode, with legacy mode disabled, following error expected:
+
Generally $300/yr
* video driver not supported, boot hangs, hard reboot required.
+
Wildcard certificates are expensive, however they cover every subdomain name you add.
Choose UEFI first, next legacy driver. It depends on motherboard vendor and efi bios version.
+
In UEFI bios choose grub option, if your succeeded with above guide, additional menu should appear in Boot Menu, otherwise it boots into EFI shell:
+
* grub:NAME of you hard drive
+
  
=== Done! ===
+
==== Other Misc Certs ====
 +
*domain validated SSL Certificates
 +
*organization validated SSL Certificates
 +
*Extended Validation SSL Certificates
  
Remember to follow all other steps in the regular Funtoo Install Guide. Assuming you did everything correctly, your system should now boot via UEFI! We will be adding UEFI support to boot-update soon to make this process easier.
+
=== Using SSL With Nginx or Tengine ===
 +
See this page:  [[HOWTO:WebServer_SSL]]
  
[[Category:HOWTO]]
+
=== External Resources ===
 +
https://wiki.archlinux.org/index.php/OpenSSL
 +
{{EbuildFooter}}

Latest revision as of 05:58, July 9, 2015

dev-libs/openssl


Source Repository:Repository:Funtoo Overlay

http://www.openssl.org

Summary: Full-strength general purpose cryptography library (including SSL and TLS.)

Use Flags

bindist
Disable EC/RC5 algorithms (as they seem to be patented)
ec_nistp_64_gcc_128
Enable 64-bit optimized implementations of elliptic curves NIST-P224, NIST-P256 and NIST-P521
rfc3779
Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)

News

Drobbins

IP Space Migration Continues

All Funtoo user containers in the 8.28 IP space will be moving into our new IP space (172.97) over the next few days. If you have DNS set up -- be sure to watch your container and update to the new IP! container.host.funtoo.org DNS will be updated after the move.
2015-08-27 by Drobbins
Drobbins

Funtoo Hosting IP Move

Funtoo user containers with IPs in the 72.18.x.x range will be gradually migrating to new IP addresses this week. If you have DNS entries for your containers, please be aware that your DNS will need to be updated.
2015-08-11 by Drobbins
Drobbins

New ARM Stages

New ARM Stages, built with a new toolchain, are now hitting mirrors. Existing ARM users should re-install using these stages (dated Aug 3, 2015 or later,) rather than upgrade using emerge.
2015-08-06 by Drobbins
More...

OpenSSL

Tip

We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.

OpenSSL is a cryptography package used with Package:OpenSSH, web servers, and more. ftps, https, smtps, imaps, etc use SSL/TLS. SSL/TLS is used to prevent man in the middle attacks on plain text streams of data. As this is a security package it is frequently cycled from testing, & bug repairs.

Note

ssl is old, tls is new. If you have the option to run tls, run tls rather than ssl

Installation

# emerge dev-libs/openssl


Usage

ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.

The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.

Self Signed Certificates

Free: Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.

Free Certificates

Free: (with restrictions) You can get free certificates from places like StartSSL.com. The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.

Single Domain Certificates

Generally $10/yr: Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.

Unified Communications Certificate

Generally $300/yr This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.

Wildcard Certificates

Generally $300/yr Wildcard certificates are expensive, however they cover every subdomain name you add.

Other Misc Certs

  • domain validated SSL Certificates
  • organization validated SSL Certificates
  • Extended Validation SSL Certificates

Using SSL With Nginx or Tengine

See this page: HOWTO:WebServer_SSL

External Resources

https://wiki.archlinux.org/index.php/OpenSSL