If you have a Windows 10 (or 8) machine that you'd like to dual-boot with Gentoo Linux and GNOME 3, you've come to the right place!

CF-AX3 Ultrabook, Running Windows 10 / Gentoo Linux

This detailed (and tested) tutorial shows how to set up just such a dual-boot system, where the Gentoo component:

is fully encrypted on disk (LVM over LUKS, with dual-factor protection);

uses UEFI secure boot;

runs OpenRC & GNOME 3 (on Wayland), or systemd & GNOME 3 (ditto);

can properly suspend and hibernate;

has working drivers for touchscreen, webcam etc.;

has (where appropriate) the Intel Management Engine disabled; [1]

and even has a graphical boot splash!

To keep things concrete, I'll be walking line-by-line through the setup of a particular machine, namely the Panasonic CF-AX3 Ultrabook; however, these instructions should be usable (with minor alterations) for many modern PCs (including desktops) which have a UEFI BIOS.

All commands that you'll need to type in are listed, and an ebuild repository (aka 'overlay') with some useful installation utilities is also provided.

While best read in tandem with the official Gentoo Handbook, this manual can also be used standalone.

These instructions may also be easily adapted for those wishing to use Gentoo Linux as their sole OS, rather than dual booting.

Introduction

The install described in this tutorial attempts to follow the 'stock' process from the Gentoo Handbook where possible, but differs in a number of important respects. Specifically:

The kernel will be configured to self-boot under UEFI; no separate bootloader is needed.

For security, we will boot the kernel off of an external USB key (which can be removed once the boot has completed). If the USB key is absent on power-up, Windows will start automatically instead.

Secure boot will be enabled. The kernel will be signed with our own, generated key (and the original Windows keys will be retained too).

Gentoo's root, swap and home partitions will reside on LVM logical volumes, which themselves will live on a single LUKS (encrypted) partition on the GPT-formatted hard drive of the machine. We'll shrink the Windows C: NTFS partition to provide space for this.

The LUKS partition will be unlocked by a keyfile at boot. The keyfile will be stored on the USB key together with the Gentoo kernel, and will itself be GPG-encrypted, so that both the file and its passphrase will be needed to access the (Gentoo) data on the hard drive. This provides a degree of dual-factor security against e.g., having the machine stolen with the USB key still in it, or even the existence of a keylogger on the PC itself (although not both at the same time!). (Using a provided utility, you can subsequently migrate the kernel onto the Windows EFI system partition on the main drive if desired, and also relax the security to use just a typed-in passphrase, so once installed you won't need to use a USB key at all if you don't want to.)

We will create an initramfs to allow the GPG / LUKS / LVM stuff to happen in early userspace, and this RAM disk will be stored inside the kernel itself, so it will work under EFI with secure boot (we'll also, for reasons that will become clear later, build a custom version of gpg to use in this step).

For all you source-code paranoiacs, the Gentoo toolchain and core system will be bootstrapped during the install (simulating an old-school stage-1) and we'll validate that all binary executables and libraries have indeed been rebuilt from source when done. The licence model will be set to accept free software only (and although I don't deblob the kernel, instructions for how to do so are provided - assuming your hardware will actually work without uploaded firmware!).

All Gentoo repository syncs (including the initial emerge-webrsync) will be performed with gpg signature authentication. Unauthenticated protocols will not be used.

The latest (3.30+) stable version of GNOME will be installed, using OpenRC for init (as GNOME is now officially supported under this init system, and no longer requires Dantrell B.'s patchset for this). An alternative track is also provided, for those wishing to install GNOME 3 under systemd. Most of this tutorial is common to both tracks, and a short guide is provided at the appropriate point in the text, to help you choose which route is better for you. GNOME will be deployed on the modern Wayland platform (including XWayland support for legacy applications); this is more secure than deploying over X11, as it enforces application isolation at the GUI level.

I'll provide simple scripts to automate the EFI kernel creation process and keep your system up-to-date. The first of these (buildkernel) handles conforming the kernel config for EFI encrypted boot (including setting the kernel command line correctly), creating the initramfs, building and signing the kernel, and installing it on the EFI system partition. The second (genup) automates the process of updating your system software via emerge and associated tools. The scripts are shipped in an ebuild repository (aka 'overlay'), for easy deployment.

Lastly, detailed (optional) instructions for disabling the Intel Management Engine [2] will be provided (for those with Intel-CPU-based PCs who find this out-of-band coprocessor an unacceptable security risk), as will instructions for fully sandboxing the popular firefox web browser, using firejail.
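The requirement above that every repository sync be signature-authenticated is enforced by Portage's repository configuration. The fragment below is an added illustration for this page, not a file from the guide or from its overlay: the option names are Portage's own (they are documented in the portage(5) man page), while the file path, the repository location and the location of the Gentoo release key are assumptions that you should check against your own system.

```ini
# /etc/portage/repos.conf/gentoo.conf (illustrative; the file path, the
# "location" value and the key file path are assumptions, not the guide's own)

# Weak setting: plain rsync with no verification of what the mirror sends.
# Anything that alters the tree in transit or on a compromised mirror would
# be accepted silently.
# [gentoo]
# location = /var/db/repos/gentoo
# sync-type = rsync
# sync-uri = rsync://rsync.gentoo.org/gentoo-portage

# Hardened setting: webrsync snapshots, each checked against the Gentoo
# release key before it is unpacked (this is the mode emerge-webrsync uses).
[gentoo]
location = /var/db/repos/gentoo
sync-type = webrsync
sync-webrsync-verify-signature = yes
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
auto-sync = yes

# If you prefer rsync, keep verification on via the signed MetaManifest and
# refuse snapshots older than a day:
# sync-type = rsync
# sync-uri = rsync://rsync.gentoo.org/gentoo-portage
# sync-rsync-verify-metamanifest = yes
# sync-rsync-verify-max-age = 24
# sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
```

With either verified variant in place, `emaint sync -a` (or `emerge --sync`) refuses to install a tree whose signature does not check out, so a failed sync is a signal to investigate rather than something to work around by disabling verification.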

Note

Tutorials covering various elements of the above can be found in one or more places online, but it's difficult to get an end-to-end overview - hence the reason this guide was created.

As mentioned, although this tutorial follows the format of the Gentoo Handbook in places (particularly at the beginning), it's structured so as to be self-contained - you should be able to walk though this process and, using only these instructions, end up with a fully functional, relatively secure dual-boot Windows 10 (or 8) + Gentoo / GNOME 3 machine when you're done.

Warning

Backup all of your data before doing anything else, particularly if you have a lot of work stored on Windows already. The install process described here has been tested end-to-end, but is provided 'as is' and without warranty. Proceed at your own risk.

Warning

Tools like parted , dd and cryptsetup , which we'll be using, can vaporize data easily if misused. Please always double check that you are applying operations to the correct device / partition. We've all been there...

Warning

We will be using strong cryptography to protect your system. If you lose the LUKS keyfile, or forget the passphrase to unlock it, all your data will be gone, and even the NSA (probably!) won't be able to get it back.[3] So keep backups of these critical elements too (in a safe place, of course)!

Chapters

The chapters of this tutorial are listed below, together with a brief summary of each.

You need to work though the chapters sequentially, in order to complete the install successfully.

Note

Don't worry if you don't immediately understand everything in the chapter summaries below: the concepts involved will be described in detail in the main body of the text.



As mentioned, an 'alternative track' is also provided for chapters 10-14, for those users who wish to use GNOME with systemd, rather than OpenRC:

Note

The decision about which init system ( OpenRC or systemd ) to use does not need to be made until Chapter 7 (where a brief summary of the pros and cons of each will be provided, to help you decide).

Let's Get Started!

Ready? Then click here to go to the first chapter, "Installation Prerequisites".

Note

As is hopefully clear from the above, this tutorial covers a detailed, end-to-end installation walkthrough.

If you are searching for more concise, topic-based EFI, systemd or GNOME installation information, the following Wiki pages may be of use to you instead:

UEFI Gentoo Quick Install Guide

EFI stub kernel

systemd

systemd/Installing Gnome3 from scratch

GNOME/GNOME without systemd

Note

If you have recently upgraded dev-libs/libgcrypt to version >= 1.6, and found yourself thereby locked out of your (Whirlpool-hashed) LUKS partition, please see this short guide on how to recover.

Note

Comments, suggestions and feedback about this guide are welcomed! You can use the "Discussion" tab (of whatever is the most relevant page) for this purpose. On most browsers, you can use Shift Alt t as a shortcut to access this.

Tip

While the MediaWiki source for individual pages of this guide may most easily be edited or viewed on the Gentoo Wiki directly, for ease of download the full page set is also maintained on GitHub, here.