ThinkPad T43 Gentoo installation


Introduction

A while ago I decided to get myself a new laptop. Having waded through a plethora of reviews, I decided to get myself a Lenovo ThinkPad, reliability being the main selling point. The choice fell on a ThinkPad T43.

(Photos: bottom view, right side view, left side view, full inside view)

In this guide I describe my experiences with installing a Linux distribution, while keeping both the preinstalled Windows XP and IBM's rescue and recovery systems more or less intact.

Please note that the guide has been through several rounds of reviews, and a considerable number of the initial hiccups have been fixed in later drivers, kernels, and so forth.

Hardware

ThinkWiki, an excellent web resource for ThinkPad owners, has a very nice list of models, mine among those on this list. The specific model number is 2669-CTO (CTO stands for configure to order), which is a nicely revamped model based on 2669-VRA. You might want to look at IBM's product documentation (look for twbook.pdf, tabook.pdf or tawbook.pdf).

Since the machine is snappy enough, I decided to run Gentoo, as I am a bit familiar with this distribution. Unfortunately, the T43-line has some disadvantages compared to the T42-product line:

  • It is based on PCIe. Although PCIe might be a step into the future, it drains more power than PCI. You might want to take a look at one and another story regarding the power consumption.
  • It uses a SATA-controller, with a PATA hard drive, which has a few issues (replacement hdds and linux support).
  • My model features ATI X300, which has a few support issues of its own.

Preliminaries

Before we set off, it is important to identify the objectives for the installation. The goal was to have a dualboot setup and be able to do as much under Linux as under Windows under average "business workload" conditions. Specifically, the following items should work:

I do not care about the fingerprint reader or the TCPA chip. Visit ThinkWiki for information about these (I consider TCPA utterly useless for my purposes and I do not trust a fingerprint reader in general and a fingerprint reader with closed source drivers in particular). I will deal with security elsewhere.

In the end I did not see any reason to use hibernation, as suspend-to-ram provided sufficient flexibility for my average workday.

Warnings

Before you proceed with anything at all, please take a copy of your factory state. IBM's rescue & recovery allows one to make as many DVD/CD copies of the factory state as you wish (that is true for the T43. However, recent models are more restrictive. An x60s allowed me to make one copy only. All the others can be made with other suitable software :)). If you break something really badly, then you can always roll back to the factory state and start anew. In fact I encourage you to test the restoration before doing anything else. The process takes a long time (around 3 hours on my 2669), but this way you know that you can afford a mistake. ThinkWiki has an information page on the matter.

Also, another warning: the rescue and recovery software (plus a number of other IBM tools dependent on the information in the HPA) are very sensitive to alterations to the HPA partition. Although the partition is in fact a FAT-derivative, changing its type to e.g. 0xb (FAT32) breaks certain functionality, such as creating recovery CDs. The type of this partition must remain set to 0x12 (compaq diagnostics in fdisk) on my T43.

If you overwrite the MBR (e.g. by overzealous grub usage), IBM has released a "fixer" bootable floppy/ISO image for that. See Setting grub for dual-boot for instructions.

Furthermore, BIG FAT WARNING! If you set the BIOS supervisor password, beware that it cannot be reset. If you forget/lose the password, you cannot reset it, bar some hardcore voodoo that involves soldering and gutting your laptop. In fact, IBM requires a motherboard replacement if you lose/forget the supervisor password. This is NOT covered by any warranties (the accompanying manual for the laptop has this information). The BIOS password offers no protection whatsoever against an attacker who wants to extract the information from the hard drive (the ATA hard drive password can be circumvented by hard drive recovery companies like IBAS. Heise ran an article on this subject).

OS-unrelated upgrades

  1. Upgrading BIOS. This is easiest through WindowsXP, but linux-based solutions are also possible.
  2. Upgrading embedded controller software. Same story here. Check on IBM's web page as to whether you should update EC or BIOS first.
  3. I decided not to screw around with BIOS settings too much. As WindowsXP keeps synchronizing its clock with the BIOS on reboot, the easiest way is to configure both WindowsXP and Gentoo to do just that. Set the clock for your time zone. Tell your Linux distribution to respect that, since WindowsXP is brain-dead on this matter.

BIOS

  1. Set performance to "maximum", at least for AC operation. Otherwise BIOS will unilaterally decide on stepping the CPU down when it sees fit. This is very annoying, as BIOS occasionally stepped CPU down amid compilation getting in the way of cpufreqd.

    For battery operation, I set BIOS to "maximum battery" settings. I do not need 2Ghz and full brightness on while on battery. The priorities are simply different.

  2. Security -> Flash over LAN -> Disabled. Sounds a bit dangerous otherwise.

  3. Security -> IBM Predesktop area -> Secure. This depends on what you really want. If you want to keep the R&R partition, then no one should touch it. If you want to reclaim this space for other purposes, set the status to Disabled in BIOS. Also, in Windows you might want to hide the R&R partition altogether.

  4. There are ample password/fingerprint possibilities here. Remember, a biometric key, such as an iris- or a fingerprint, is irrevocable once it is compromised.

Windows XP

IBM comes with all the drivers installed. The laptop is operational out of the box.

Initial cleanup

However, I needed a few initial/additional steps to make the windows experience acceptable. Generally, XP is set up with a lot of bells and whistles that I neither want nor require. Additionally, IBM/Lenovo have installed a wide range of extras, which are a bit cumbersome to remove if not done at once.

  1. Remove norton antivirus 2005. It is very annoying, the version installed is a trial only, and I had access to a full-fledged f-secure. Restart windows.

  2. When restoring to factory state from DVDs:

    1. Remove PC-Doctor (otherwise I got two incarnations of it)
    2. Remove Access IBM (same story here)
    3. Remove SoundMAX. Restart windows (... and here)
    4. Remove thinkpad integrated bluetooth IV software (... and here)
    5. Install adobe acrobat reader 7.0 (just double click the icon in programs). Then remove adobe acrobat reader 7.0 (this gets rid of all the gunk it comes with).
  3. Install F-secure. Restart windows. Then update F-secure.

  4. Fetch windows updates (WGA in the first round). Restart windows.

  5. Fetch the rest of windows updates. Apply. Restart windows.

  6. Launch ThinkVantage software installer. It upgrades itself.

  7. Launch ThinkVantage software installer. It downloads a bunch of drivers and programs. Restart windows.

  8. The ThinkVantage software is broken in the sense that it does not clean up the downloads after itself. You may want to delete:

    • C:\IBMTOOLS\APPS
    • C:\IBMTOOLS\DRIVERS
    • C:\IBMTOOLS\OSFIXES
    • C:\DRIVERS

    ... periodically, as the updates are pretty big in size (this folder easily grows to more than 1GB in size). If you do not like to reboot into windows to clean up the mess, you can use ntfs-3g to access the windows partition from linux. Works quite nicely, actually.

Once this has been completed, I proceeded to de-uglyfying windows and installing additional software.

Additional software

  1. NHC. Useful for setting CPU voltages and system information. The support for core2duo seems sketchy, though.

  2. Adobe acrobat reader

  3. OpenOffice

  4. Gnumeric

  5. Google sketchup 3D modelling software.

  6. TweakUI. TweakUI has a lot of neat functionality easily accessible (such as focus follows mouse).

  7. Windows server 2003 resource kit tools. I downloaded this primarily for the remapkey tool, which provides a nice GUI for key remapping. Specifically, I mapped Control to CapsLock.

  8. CD/DVD software:

    • CD burner xp pro. A free tool for creating CDDA and ISO9660 CD/DVD. Does not support DL DVDs (yet). Does not support UDF.
    • DVD Decrypter. A CSS decryption tool. This software is no longer actively developed.
    • DVD Shrink. A tool for backing up DVDs. It allows among other things to shrink DVDs to fit onto a single-layer disk (removing menus, subs, etc.).
    • ImgBurn. A tool similar to DVD Decrypter above, but more feature rich.
    • RipIt4Me which is a tool that streamlines the process of backing up DVDs. It works in conjunction with some of the tools above.
    • Active @ iso burner.
    • CDmage

    Additionally, you may want to consider AnyDVD, which allegedly is very helpful with region-free DVD-playback.

  9. Webtools:

  10. GIMP, a powerful image processing tool.

  11. Video players

    • MPlayer. It does not integrate particularly well with windows, even taking the GUI part into consideration.
    • VLC media player. A touch more streamlined than MPlayer.
  12. putty. 'Nuff said.

  13. updatestar to keep track of installed software and the latest version.

  14. 7-zip to unpack just about everything.

  15. Avira AntiVir.

  16. CCleaner to poke around in the registry.

  17. nLite to streamline windows installations.

  18. Notepad++ is a powerful editor for windows.

  19. Revo uninstaller to really really uninstall software.

  20. TrueCrypt is a cross-platform encryption solution.

  21. Unlocker is fuser's equivalent.

  22. Sunbelt personal firewall is an alternative to windows' firewall.

  23. SIW displays everything about well... the entire system.

  24. Spybot search & destroy is a tool to track spyware.

  25. SequoiaView displays a nice graphical overview of disk usage.

  26. Sumatra PDF reader is a snappy PDF reader. Much better than Adobe's behemoth if all you need is reading.

  27. Foxit reader is a snappy PDF reader.

  28. Produkey to recover license keys for windows/office

  29. Processexplorer, processmonitor, handle from <http://technet.microsoft.com/en-us/sysinternals/bb795533.aspx>.

  30. TCPview, whois from <http://technet.microsoft.com/en-us/sysinternals/bb795532.aspx>.

  31. accessCHK, accessenum, diskmon from <http://technet.microsoft.com/en-us/sysinternals/bb545046.aspx>.

  32. explore2fs to access ext2/ext3 from windows.

  33. hash to calculate md5 and sha.

  34. hddscan tool for testing/checking hdds.

  35. restoration to restore deleted files.

  36. MS VS Pro. I want to play with visual studio.

  37. LaTeX "bundle":

De-uglyfying windows

Unfortunately, windows comes with a lot of bells and whistles turned on. They drain resources and I have not really asked for any of them to be turned on. Therefore:

  1. Stop the system restore service: control panel -> system -> system restore, and control panel -> administrative tools -> services -> system restore service.
  2. Stop the indexing service: control panel -> administrative tools -> services -> indexing service.
  3. Remove remote assistance and remote desktop sharing: control panel -> system -> remote.
  4. Fixed page file / no page file: control panel -> system -> advanced -> performance -> settings -> advanced. Restart windows. Whether you want it fixed or at all depends on your workload and the amount of memory your laptop has.
  5. Remove the visual eye candy stuff so the desktop is a bit more snappy: control panel -> system -> advanced -> performance -> settings -> visual effects -> custom:
    • turn on: show shadows under mouse pointer, smooth edges of screen fonts, use common tasks in folders
    • stop the themes service: control panel -> administrative tools -> services -> theme service.
  6. taskbar tweaks:
    • start -> properties -> taskbar: turn on lock taskbar, keep on top, show quicklaunch
    • start -> properties -> start menu -> classic -> customize: turn on administrative tools, run, dragging & dropping, small icons, personalized menus.
  7. themes tweaking, control panel -> display:
    • themes => classic
    • desktop => none, black
    • screensaver => blank
    • appearance: menus & tooltips => scroll, font smoothing => cleartype
  8. Sounds off: control panel -> sounds and audio -> sounds -> no sounds.
  9. Folder looks: control panel -> tools -> folder options:
    • general: show common tasks
    • view: display content of system folder, show hidden files
    • turn off hide extensions, hide protected
    • turn off "remember each folder's ..."
  10. volume control -> adjust audio properties -> uncheck place volume icon in the taskbar. No one asked it to be there in the first place.
  11. Fix recycle bin properties: do not move files to recycle bin, don't display delete confirmation dialog.
  12. Tweak startup (which programs get launched on startup).

There are many more ninja tricks you can do with the stock windows installation. Some tips:

  1. There are some neat software recommendations at dailycupoftech. SequoiaView is for instance quite nice to visualise disk usage.
  2. Free windows goodies from Microsoft at bhandler.
  3. You may also want to have a look at ext2/3 driver for windows from fs-driver, if you want to access your linux partitions from windows.
  4. A whole bunch of free utilities for windows.

Windows ninja tricks

  • I think it's very useful to have one admin account only. Unfortunately the default user management thingy will not let you do that. Thus, use: Control Panel ==> Administrative Tools ==> Computer Management ==> Local Users and Groups ==> Users and fix the group memberships (remove all the users you don't want to from Administrators group).
  • I also think that the "Administrator" account should be displayed on the login screen. TweakUI lets one do that pretty easy.

Linux

However, the linux installation requires a bit more effort. In general, I followed Gentoo's handbook chapter 1 pretty closely. LiveCD recognised bluetooth, NIC, wireless NIC, UltraNav (both the touchpad and the "joystick"). With the kernel 2.6.12-r10 distributed with 2005.1-r1 profile and generated by genkernel all, the laptop booted up without any issues.

It has been more than 2 years, since I have purchased the laptop. 2.6.12 is antique nowadays, and the current kernel I am running is 2.6.24. A lot has happened, and it's all for the better, it seems. Some of the comments below applied to the original kernel, but have since been changed.

Repartitioning

I decided to keep the HPA and the Windows installation. However, the NTFS partition (with WindowsXP) needed shrinking. I booted from Knoppix 4.0.2 DVD and used ntfsresize and fdisk as described elsewhere (in short -- ntfsresize sda1 to 25,000MB, fdisk delete and recreate sda1, just smaller. This left about 70,000MB available for other purposes).

Then I re-partitioned the drive. Since sda1 (NTFS) and sda2 (HPA) were already taken, this is how the rest of the disk was partitioned: sda3 and sda5 are /boot and /. It is easiest NOT to have / under LVM (if you have experience with initramfs, go right ahead):

sda3   /boot      32MB       ext2
sda5   /          512MB      ext3
usr    /usr       12,000MB   ext3
var    /var       2,000MB    ext3
home   /home      10,000MB   dm-crypt + ext3
tmp    /var/tmp   8,000MB    xfs
opt    /opt       2,000MB    ext3
swap              1,512MB    dm-crypt + swapfs

The extended partition that hosts / and LVM occupied the rest of the hdd. Here is what fdisk says about it:

Command (m for help): p

Disk /dev/sda: 100.0 GB, 100030242816 bytes
240 heads, 63 sectors/track, 12921 cylinders
Units = cylinders of 15120 * 512 = 7741440 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1        3230    24418768+   7  HPFS/NTFS
/dev/sda2           12376       12921     4127760   12  Compaq diagnostics
/dev/sda3   *        3231        3235       37800   83  Linux
/dev/sda4            3236       12375    69098400    5  Extended
/dev/sda5            3236        3302      506488+  83  Linux
/dev/sda6            3303       12375    68591848+  8e  Linux LVM

sda2 is actually a FAT32 deep inside, but its id must not be altered. You may want to write down the partition table somewhere, since restoring the laptop to the factory state deletes the partition table as well. Actually, windows will grab the entire hard drive when you restore to factory state. However, it does not seem that it writes to anything but the first few gigabytes (8? 10? or thereabout). This means that you can most likely resize the ntfs after windows is done restoring, and have your Linux partitions back unaltered.
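Since the two things that bite here are the Id of sda2 silently changing and a hand-edited extended partition no longer containing its logicals, it pays to run a couple of checks on the saved partition table before writing anything back. The script below is an added example, not part of the original guide: it embeds a constructed copy of the fdisk listing above (on a live system you would feed it saved "fdisk -l" output instead), normalises it with awk, and verifies that /dev/sda2 still carries Id 12 and that every logical partition lies inside the extended container.

```shell
#!/bin/sh
# Added example: sanity checks on a saved fdisk listing before touching the disk.
# FDISK_SAVED is a constructed copy of the listing printed in the guide; on a
# live machine replace it with the output of "fdisk -l /dev/sda" saved earlier.
FDISK_SAVED='   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1        3230    24418768+   7  HPFS/NTFS
/dev/sda2           12376       12921     4127760   12  Compaq diagnostics
/dev/sda3   *        3231        3235       37800   83  Linux
/dev/sda4            3236       12375    69098400    5  Extended
/dev/sda5            3236        3302      506488+  83  Linux
/dev/sda6            3303       12375    68591848+  8e  Linux LVM'

# Normalise the listing to "device id start end" lines. The optional "*" boot
# flag in column 2 shifts the remaining columns by one, so account for it.
parse_fdisk() {
    printf '%s\n' "$1" | awk '
        /^\/dev\// {
            boot = ($2 == "*") ? 1 : 0
            print $1, $(5 + boot), $(2 + boot), $(3 + boot)
        }'
}

# Succeed only if the device is present and still carries the expected Id
# (hex, exactly as fdisk prints it). Used here to guard the HPA (Id 12).
partition_id_is() {
    parse_fdisk "$1" | awk -v dev="$2" -v want="$3" '
        $1 == dev { found = 1; ok = ($2 == want) }
        END { exit (found && ok) ? 0 : 1 }'
}

# Succeed only if every logical partition (number >= 5) lies inside the
# extended container (Id 5); a hand-recreated table can easily break this.
logicals_within_extended() {
    parse_fdisk "$1" | awk '
        $2 == "5" { es = $3 + 0; ee = $4 + 0 }
        {
            n = $1; sub(/.*[a-z]/, "", n)
            if (n + 0 >= 5) { ls[$1] = $3 + 0; le[$1] = $4 + 0 }
        }
        END {
            if (es == "") exit 1
            for (d in ls) if (ls[d] < es || le[d] > ee) exit 1
            exit 0
        }'
}

# Stand-alone run: report both checks for the saved listing.
if partition_id_is "$FDISK_SAVED" /dev/sda2 12; then
    echo "/dev/sda2 still has Id 12; rescue and recovery should keep working"
else
    echo "WARNING: /dev/sda2 Id changed; recovery CD creation may break"
fi
if logicals_within_extended "$FDISK_SAVED"; then
    echo "logical partitions fit inside the extended partition"
else
    echo "WARNING: a logical partition lies outside the extended partition"
fi
```

Run it as a plain user; it only reads the text you give it. The same parse_fdisk helper can be reused to diff a listing taken before a factory restore against one taken afterwards, which is the quickest way to see whether the restore touched anything beyond sda1.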

Gentoo-specific

I had to make a few gentoo related adjustments. If you do not use Gentoo, this section is irrelevant for you.

  • Since gcc changed from 3.3 to 3.4, I upgraded it before emerging world, to avoid recompiling all packages. This applies even for later versions, as some discrepancy is to be expected between the LiveCD and the most recent gcc in portage. If you are using gcc-4.1, you may want to skip -Os, as some packages do not like that option. The same applies to the kernel.

    This is probably no longer relevant in 2008. But overall, when upgrading between binary incompatible gccs, you may want to do that before emerging world.

  • I configured several minor things:

    • locales. I run utf-8.

    • hostname (lapdance)

    • gpm (You can disable touchpad/trackpoint in BIOS, if you do not like either)

    • clock (CLOCK="LOCAL"). It's very difficult to be happy with dualboot otherwise.

    • make.conf

      • CFLAGS="-O2 -march=pentium-m -fomit-frame-pointer -pipe" for >=gcc-3.4
      • CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe" for >=gcc-3.3
    • console fonts (in rc.conf). If you are using utf-8, make sure that the font supports the national characters of your locale (the ones outside ascii).

Kernel

Originally, I used 2.6.15, which contains a lot of the required functionality. gentoo-sources-2.6.16-r9 has most of the functionality needed. Some patches are still necessary, though:

  • ibm-acpi-fan patch for fine grained fan control. This would allow among other things to manually set a fan level or even turn it off (use with extreme caution!). Check out Whoopie's repository for up to date patches.
  • ibm-acpi-thermal patch for more thermal readings for certain thinkpad models. There are up to 16 sensors on recent thinkpads (at least on T43 and R52). The same advice applies here -- check Whoopie's web page.
  • undervolting patch. It provides a sysfs interface to CPU voltage settings and allows to lower core voltage of the pentium-m cpu. Although the cpu would be operating outside its normal specification, the CPU stays at much lower temperature (provided that you find a stable voltage level). Visit <http://linux-phc.sf.net/> for the most recent patches.

2.6.15 and earlier might need several SATA patches (for suspend to memory and the like). ThinkWiki has more information.

The current kernel, 2.6.24-gentoo-r1, requires some patching as well. In no particular order:

The high resolution timer has already been merged into the 2.6.24 patch. If you want to check whether the HPET is actually enabled, look here:

lapdance # cat /sys/devices/system/clocksource/clocksource0/current_clocksource
hpet

Broadcom NIC

Simply works with in-kernel tg3 module. I have not tested 1000Mbps performance, but 10Mbps and 100Mbps work as expected.

HDAPS

Works with the hdaps module, which provides accelerometer data, temperature, and mouse-esque devices. One still needs userspace tools (hdaps exports the accelerometer data only).

As of 2.6.14 kernels, the protection system can be activated by:

  1. Applying a disk-freeze patch
  2. Compiling hdapsd daemon

I am opting to wait a while until the functionality stabilises. Currently, there is also support for 2.6.15 and 2.6.16 kernels, PATA and SATA alike. I have not yet tested this functionality. ThinkWiki has the scoop.

However, I did test the joystick-like hdaps interface with neverball. Although a 2.8kg joystick is not going to do wonders for your carpal tunnel syndrome, it is an awesome proof of concept :)

Skipping forward some time, the HDAPS is up and running. hdapsd detects the accelerometer changes (via sysfs) and issues the proper commands by writing into the proper sysfs files, then the disk-freeze patch freezes the IO queue temporarily until the 'unfreeze' command is issued.

As of tp-smapi-0.32, there is a new sysfs device that hdapsd should talk to. This new interface reduces the polling frequency for hdapsd, thereby reducing the power drain. I used the following udev rule to create the device (the tp-smapi docs have more information):

KERNEL=="event[0-9]*", ATTRS{phys}=="hdaps/input1", ATTRS{modalias}=="input:b0019v1014p5054e4801-*", SYMLINK+="input/hdaps/accelerometer-event"

The rule can be appended to the rest of the local rules in /etc/udev/rules.d. Recent hdapsd expects this device to exist in order to run.

Hardware-wise, the hard drive itself needs to support the ATA UNLOAD IMMEDIATE command. Thinkwiki has some information about which hdd models support it. You can check the state of your hdd by issuing:

lapdance ~ # hdparm -I /dev/sda| grep UNLOAD
         *    IDLE_IMMEDIATE with UNLOAD

... shows that the hard drive itself supports head unloading and:

lapdance ~ # cat /sys/block/sda/queue/protect_method
auto [unload] standby

... shows that the kernel can unload the heads upon request.
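Both conditions have to hold before hdapsd has anything to act on, so it is handy to script the check rather than eyeball it on every kernel upgrade. The following is an added example, not from the guide or from the hdapsd project: it embeds constructed copies of the two outputs above and reports whether the drive advertises UNLOAD and whether the kernel's protect_method is set to unload. The sysfs_selected helper pulls the bracketed entry out of any "a [b] c" style sysfs selector file, not just protect_method.

```shell
#!/bin/sh
# Added example: readiness check for hdapsd, built from the two commands shown
# in the guide. The samples are constructed; on a real machine feed
# hdaps_ready the output of "hdparm -I /dev/sda" (root required) and the
# contents of /sys/block/sda/queue/protect_method.
HDPARM_SAMPLE='       *    IDLE_IMMEDIATE with UNLOAD
       *    SMART feature set'
PROTECT_SAMPLE='auto [unload] standby'

# True if the hdparm -I listing advertises the UNLOAD IMMEDIATE command.
drive_supports_unload() {
    printf '%s\n' "$1" | grep -q 'IDLE_IMMEDIATE with UNLOAD'
}

# Print the active entry of a sysfs selector file, i.e. the token in [brackets].
sysfs_selected() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Succeed only when both halves line up: the drive can park its heads and the
# kernel's protect method is "unload" (as in the output shown in the guide).
hdaps_ready() {
    drive_supports_unload "$1" || return 1
    [ "$(sysfs_selected "$2")" = "unload" ]
}

# Stand-alone run against the constructed samples.
if hdaps_ready "$HDPARM_SAMPLE" "$PROTECT_SAMPLE"; then
    echo "drive supports UNLOAD and protect_method is unload: hdapsd can park heads"
else
    echo "head parking not available; check the drive model and the disk-freeze patch"
fi
```

On a live system the call becomes hdaps_ready "$(hdparm -I /dev/sda)" "$(cat /sys/block/sda/queue/protect_method)", which you could drop into the hdapsd init script as a precondition.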

SMAPI

Works with the tp_smapi module from Shem Multinymous. You can fetch it from the tpctl page. tp_smapi version 0.28 and later come with three modules -- thinkpad_ec (to broker access to accelerometer/smapi), tp_smapi (to access SMAPI) and hdaps patch (to access accelerometer).

Version 0.30 is the latest as of yet (2007-02-23) and has more interface files that tell interesting info about battery's time/capacity. There is a tp_smapi package in gentoo (you want to compile it with the hdaps flag), so there is no need to hunt around and compile things manually.

Take a look here for usage tips.

Gentoo has currently tp-smapi 0.33 in portage. I am using tp-smapi 0.36 with 2.6.24. There is a version bump bug report pending in gentoo's bugzilla, but simply renaming the official 0.33 ebuild in the local portage overlay does the trick.

IBM-ACPI / THINKPAD-ACPI

Works with the ibm-acpi module. Some of the information overlaps with tp_smapi. You may need to patch for finer grain fan control and more thermal readings. Also, I needed to issue:

# echo enable,0x0878 > /proc/acpi/ibm/hotkey

to actually enable the keys. The thinkpad-acpi docs explain the meaning of the mask. This particular value enables acpi event sending for Fn + F4, F5, F6, F7 and F12. I am using these hotkeys for suspending to memory, toggling bluetooth, toggling wifi kill switch, offering a menu for choosing the video output and suspending to disk.
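The mask is a plain bit field, and it is easy to get a digit wrong when typing it by hand. The script below is an added example, not from the guide or from the thinkpad-acpi project; it assumes the mapping from the thinkpad-acpi documentation, where bit N of the mask corresponds to Fn+F(N+1) (bit 0 is Fn+F1, bit 11 is Fn+F12), and uses it to decode a mask into key names and to build a mask from a list of F-key numbers, so the value can be assembled and double-checked before it is echoed into /proc/acpi/ibm/hotkey.

```shell
#!/bin/sh
# Added example: decode and build thinkpad-acpi hotkey masks.
# Assumed mapping (from the thinkpad-acpi docs): bit N <-> Fn+F(N+1).

# Print the Fn-keys enabled by a mask, e.g. 0x0878 -> "F4 F5 F6 F7 F12".
decode_hotkey_mask() {
    mask=$(( $1 ))
    keys=""
    n=0
    while [ "$n" -lt 12 ]; do
        if [ $(( (mask >> n) & 1 )) -eq 1 ]; then
            keys="$keys F$(( n + 1 ))"
        fi
        n=$(( n + 1 ))
    done
    printf '%s\n' "${keys# }"
}

# Build a mask from F-key numbers (1..12), e.g. "4 5 6 7 12" -> 0x0878.
# Rejects anything outside F1..F12 so a typo cannot set a stray bit.
encode_hotkey_mask() {
    mask=0
    for k in "$@"; do
        case "$k" in
            [1-9]|1[0-2]) mask=$(( mask | (1 << (k - 1)) )) ;;
            *) echo "invalid key number: $k" >&2; return 1 ;;
        esac
    done
    printf '0x%04x\n' "$mask"
}

# Stand-alone run: show what the value used in the guide enables, and rebuild it.
echo "0x0878 enables Fn+$(decode_hotkey_mask 0x0878 | sed 's/ /, Fn+/g')"
echo "Fn+F4, F5, F6, F7 and F12 as a mask: $(encode_hotkey_mask 4 5 6 7 12)"
```

To enable a different set, generate the mask with encode_hotkey_mask and pass it on: echo "enable,$(encode_hotkey_mask 4 12)" > /proc/acpi/ibm/hotkey (root required).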

The fan control can be left on "auto", but if you are annoyed by fan noise, you might want to hammer a certain value (NB! be careful not to overheat):

# echo level 0 > /proc/acpi/ibm/fan

ibm-acpi offers a whole bunch of various controls to play around with.

Since ibm-acpi and tpb have overlapping functionality, you may want to enable the hotkeys selectively. Also, remember to pass experimental=1 to ibm-acpi to enable all the goodies.

There is an effort at present (headed by Henrique de Moraes Holschuh) to integrate all these neat experimental features into mainline. Part of this effort is migrating ibm-acpi to the sysfs interface.

This effort is progressing ahead. The ibm-acpi package has been rendered obsolete and superseded by thinkpad-acpi. There is a lot of functionality there, so check thinkwiki on this topic. Caveat! Some of the hotkey events have been migrated to the input layer infrastructure. If this is enabled, these special keys will be reported as input layer events or as input layer and ACPI events:

$ cat /sys/devices/platform/thinkpad_acpi/hotkey_report_mode
1

... tells you which is the case. 1 means that input layer AND acpi events are being sent. Also, please note that certain hotkey events (S3 and S4) have a delay between two successive entries. On my T43, Fn-F4 and Fn-F12 are NOT repeated until 60 seconds have elapsed.

tpb

tpb is not really a kernel-related daemon, but it needs the nvram device (nvram in the kernel). You might want to fix your udev permissions, so that the device is readable for the regular user:

$ cat /etc/udev/rules.d/10-local.rules
KERNEL=="nvram", NAME="nvram", GROUP="nvram", MODE="0660"
$ ls -l /dev/nvram
crw-rw----  1 root nvram 10, 144 Jan  7 13:48 /dev/nvram

Create the nvram group, add your users and you are good to go. /etc/tpbrc should be self-explanatory.

ACPI

Just works. Launching acpid at boot gives access to ACPI functionality. Suspend-to-ram just worked. I keep around a few scripts for handling key presses, associating suspend-to-ram with an ACPI event (lid) and the like.

Actually, suspend-to-ram is always a bit complicated. It is true that with the right kernel, fglrx, and xorg combinations things just work. But there is always a bit of dancing involved in finding the right combination. More on this in X11 configuration. Furthermore, although sus2ram does work, figuring out the cause of a high power drain is not always obvious.

Wireless NIC

Works with ipw2200, ipw2200-firmware, ieee80211 and, if you want WPA, wpa_supplicant packages. All of them are in portage.

  • Unencrypted wireless networks are supported.
  • WEP-encrypted networks are supported.
  • WPA-encrypted networks are supported. I needed to pass hwcrypto=0 to the module, though. WPA-PEAP/WPA-TKIP/WPA2-PSK have been tested (I presume that whatever wpa_supplicant supports would work)

Gentoo has decided to deprecate these ipw2200 and ieee80211 packages in favour of the in-kernel modules as of December 2006. The in-kernel modules work fine (at least in kernel 2.6.20 they do).

The firmware error message mentioned earlier seems to be fixable by the described patch.

DVD-burner

There is an issue with DMA on that drive, look at this SATA article. libata.atapi_enabled=1 did the trick for me, though. As of 2.6.17 (and probably earlier), libata.atapi_enabled option is no longer necessary. You may want to completely disable PATA support in the kernel (T43 and presumably more recent T-series simply do not have a PATA controller in them).

With 2.6.20 and later there was no need to patch anything to get DMA on the optical drive.

The drive is not awfully fast, but fast enough for DVD playback and the like. The speed settings can be changed with some versions of tp_smapi module (the operation is a bit dangerous and might hang your computer if something accesses the drive at that time), hdparm or 3rd party software. ThinkWiki has the information. Recent versions of tp_smapi have recalled the optical drive speed interface (it was too dangerous/unstable).

I tried CD-RW, DVD+R (Verbatim and Samsung), DVD-R and "regular" movie DVDs (region 2, although it should not matter). They all worked as expected. The Matshita drive (Matshita UJ-822S to be exact) has an unfortunate feature -- it implements DVD region encoding. A virgin drive has 4 attempts before locking the region in firmware. Kind of a bummer. More on this later.

Modem

The Conexant hsf driver for linux is rumoured to work. With some 2.6.15 kernels, a patch is needed prior to running /usr/sbin/hsfconfig. Specifically, keep the sources around (ebuild hsfmodem-<...>.ebuild unpack) and run:

# /usr/sbin/hsfconfig --patch

... and choose the 2.6.15-rc1 patch. As of gentoo-sources-2.6.15-r1 this is no longer necessary (note the difference between rc1 and r1).

I have not actually tested the software. The more time passes by, the less relevant the modem becomes. I could not care less at the moment whether the modem works or not.

Bluetooth

In-kernel hci_usb/bluetooth and a few more modules. Also, enable RFCOMM and USB_HID/HOTPLUG. Use bluez-utils to play with it. Can be turned on/off either via Fn-F5 or through ibm-acpi (/proc/acpi/ibm/bluetooth). Also, note that once you enable hotkeys with ibm-acpi / thinkpad-acpi, you will not be able to use the Fn-F5 combo, without defining an appropriate event (/etc/acpi/events/).

My Palm Tungsten T3 synchronises quite nicely following the recipe from <http://howto.pilot-link.org/bluesync/index.html> over BlueTooth (the communication is terribly slow (around 5x slower than over Palm universal connector to USB cable), but it is a fully functional solution). I have not tested other BlueTooth gadgets, but there is no reason to suspect it would be any different from the T3.

X11 configuration

ATI fglrx driver

The fglrx drivers are very fragile, unfortunately, and a lot of time certain things do not work as expected. Nowadays with the proliferation of nVidia and Intel cards, you would probably be better off without ATI. Intel X3100 performs fast enough <http://www.phoronix.com/scan.php?page=article&item=730&num=5> for beryl and such.

Some patching is usually necessary (kernel or driver side). The patches may already be included in your distribution (as of 8.21.* all the patches are in fact included in ati-drivers in gentoo). Earlier versions of the driver were very flaky (raptor2 crashed X pretty badly every now and then; and gdm did not want to restart on 2.6.15 kernels). However tuxracer, glxgears, neverball and BZflag run quite smoothly (BZflag with texturing is quite awesome. Give it a try). The graphics card gets a bit hot though (60-70 degrees Celsius). This was somewhat remedied by undervolting the processor (I have not seen the X300 card pass 61C since I have started undervolting, even after prolonged 3D "workouts"). Suspend-to-memory works, but in certain combinations only.

ati-drivers-8.25.17 has problems with xorg-server-1.0.99 and later, so try not to combine these two.

ati-drivers-8.27.10 is finally starting to look like something. On the fly display switching does not work, but this version plays nicely with xorg-x11-7.1 / >xorg-server-1.0.99. On the fly display switching is rumoured to appear in the 8.28 driver series.

Powersave features work as well with the aticonfig tool. No dynamic management with this driver, though.

16 bit mode does not work (24 bits only), which is not that much of a loss, at least not for me.

The dualhead setup works, but only to a certain extent:

  1. Power management is off in dual head mode. The card is locked in highest power consumption mode. The external VGA port draws around 500mW regardless of whether an external output unit is connected or not. Recent ati-drivers (8.28 and later?) can turn the external vga output on and off on demand.
  2. There is no possibility for "on the fly" switching. Either X is started with external display on or off. There is no way to toggle external output without restarting the server. 8.25.17 rectified this somewhat, and it is possible to dynamically switch output from lvds to crt1, but only for resolutions of crt1 lower than lvds. Same applies for drivers up to and including 8.27.10. As of 8.28.8, glxgears displays completely non-sensible frame rate information (it does not affect the performance in 3D games though). Further, as of 8.28.8 (?) it is in fact possible to switch external output on demand to any resolution supported by the card, provided that the X server was started with the screen with the highest desired resolution plugged in. I.e. in order to get 1920x1200, a screen capable of 1920x1200 must be plugged into the VGA port when X starts. After that the external output can be turned off and xrandr can be used to adjust the resolution. This is hardly "on the fly", but it is a functioning workaround.

Also, 8.22.5 crashes my kernel with gdm. The X server restarts fine, but gdm locks the machine up. This has been fixed with 8.25.17.

A number of versions of this driver cannot be loaded under the 2.6.16 kernel. This is a known issue and there is a somewhat hackish workaround. This has been fixed in 8.25.17.

As of 8.28.8 some cards currently found in e.g. T42 line are no longer supported. Be sure to check ATI's web page for support information.

ati-drivers-8.32.5 broke my suspend-to-ram (the laptop started to randomly hang or corrupt the visual output upon waking up). I reverted to ati-drivers-8.30.3 (suspend-to-ram works fine there, and so does 3D acceleration, although glxgears shows completely nonsensical numbers). This driver requires <xorg-server-1.2 and <kernel-2.6.20. 8.32.5 can work with any xorg, but requires kernel 2.6.20. ati-drivers-8.32.5 and later work with xorg-7.2, and suspend-to-ram works as well. However, in combination with xorg-server-1.2, ati-drivers 8.32.5-8.34.8 result in garbled text lines in emacs while scrolling with the touchpad/mousewheel, and the console is blanked if I stop the X server.

ati-drivers-8.35.5 fixed the console blanking issue. All else remains the same (glxgears displays reasonable values).

The most stable combination right now (2007-04-09) seems to be ati-drivers 8.35.5, kernel-2.6.20 and xorg-7.1 + xorg-server-1.1.4. I have working suspend-to-ram, sort-of-"on the fly" display switching, power management, and the console is not blanked when X is stopped.

As of 8.37 suspend-to-ram is broken. I got tired of constant breakages and switched to radeon.

The very latest ati-drivers, ati-drivers-8.455.2.ebuild (2008-02), amazingly enough, works with 2.6.24. Specifically:

  • suspend-to-ram works
  • on-the-fly display switching works
  • power management works

Unfortunately there is no support for the RandR 1.2 extension, which does nice things such as DPI changes and dualhead setups.

Open source radeon driver

Works out of the box, but without 3D support with xorg-x11-6.8.2. However, modular xorg is reported to support the X300 family with 3D acceleration as well, although you'd have to tweak things manually. Powersave features work with rovclock. 16 and 24 bit modes work. Suspend-to-memory works.

It is rumoured that the situation will improve in xorg-7.0, i.e. that the radeon driver will support 3D acceleration for the X300 family by merging in the work of the <http://r300.sf.net> project. xorg-x11-7.0-r1 on gentoo does NOT provide this functionality.

The dualhead operation is possible, but with some quirks of its own. See thinkwiki for inspiration.

With xorg-7.3 (gentoo: xorg-server-1.4, xorg-x11-7.3) and xf86-video-ati-6.7.195, there is 3D acceleration, true on-the-fly display switching (thanks to Alex Deucher's work), and suspend-to-ram functions properly (regardless of vesafb). The 3D performance is nowhere near fglrx (e.g. neither googlearth nor BZflag are usable), but quite frankly I'd rather have a stable driver than quench an occasional bzflagging desire. Additionally, with radeon the laptop drains more power: about 1.8W more than with fglrx's manual power management. DynamicTicks does not seem to help. rovclock hangs some xorg-server/kernel combinations.

The latest xorg-server (1.4.0.90) and rovclock work quite nicely. For the time being (2008-02) I am using radeon with xrandr, since they give most flexibility.

Synaptics

The synaptics (x11-drivers/synaptics) package works fine (allowing you to scroll with the touchpad, plus other finer elements of control) provided that you create devices for it. I had to supplement my udev.rules with:

KERNEL=="input*", NAME="input/%k", MODE="0600"

... so that the appropriate event/mouse devices would be created by udev. Be careful as to which devices are core devices, and which ones just send additional core events.

Setting grub for dual-boot

Gentoo has two guides on the matter -- from Windows-centric and grub-centric views. I opted for grub-centric. Try not to hose the MBR in the process (i.e. issue something like setup (hd0,2) rather than setup (hd0)). If you leave the MBR intact, you will be able to use the "Access IBM" button during bootup. Unfortunately I had some trouble with this, as Windows kept overwriting the partition id of my /boot with 0x93 (Amoeba) in this setup. I have never found out why. IBM has released a bootable floppy that repairs the MBR, which did help in the end (I installed grub onto sda and had that setup working for a few weeks; then I used the MBR fixer floppy to fix the MBR and re-installed grub onto sda3).

Now I can boot from grub into WinXP, gentoo and IBM Rescue & Recovery, and the Access IBM button works while in BIOS.

Consult this thread for more inspiration.

I use the following boot parameters:

kernel /vmlinuz-2.6.15 acpi_sleep=s3_bios pci=noacpi libata.atapi_enabled=1

... and:

kernel /vmlinuz-2.6.20-gentoo acpi_sleep=s3_bios pci=noacpi

If you want bootsplash and the like, consult the documentation for your distribution. The very latest kernel boots up like this:

kernel /vmlinuz-2.6.24-gentoo-r1 acpi_sleep=s3_bios,s3_mode acpi_osi="Linux"

acpi_osi="Linux" was suggested by Henrique de Moraes Holschuh. Since I migrated to tuxonice and suspend-to-disk, an initramfs came into the picture and the grub.conf entry looks like:

title=Gentoo Linux 2.6.24-gentoo-r1 (tuxonice)
root (hd0,2)
kernel /vmlinuz-2.6.24-gentoo-r1 acpi_sleep=s3_bios,s3_mode acpi_osi="Linux" root=/dev/sda5 resume="swap:/dev/mapper/swap-crypt" real_resume=/dev/mapper/vg-swap
initrd /my-initramfs.cpio.gz

Bootsplashing

It is nice to have a console larger than 80x26 characters and hopefully be able to have a background image, or run mplayer in the console. Thus, bootsplashing.

media-gfx/splashutils provides a few helper scripts/libraries for console bootsplashing. There are several ways of accomplishing bootsplashing. I chose uvesafb (CONFIG_FB_UVESA). The kernel has to be patched too, if I recall correctly, but gentoo-sources contains all the necessary stuff. sys-apps/v86d is also a necessary component for uvesafb.

After I have compiled the kernel, I changed the kernel parameter line to:

kernel /vmlinuz-2.6.24-gentoo-r1 acpi_sleep=s3_bios,s3_mode acpi_osi="Linux" root=/dev/sda5 resume="swap:/dev/mapper/swap-crypt" resume_real=/dev/mapper/vg-swap splash=verbose,fadein,theme:GNU video=uvesafb:1400x1050-24@60 quiet CONSOLE=/dev/tty1

The splash= parameters control how the splash is displayed. video= controls the console resolution, colours and such. The image size in the theme specified by splash= should probably fit into the console size. quiet CONSOLE=/dev/tty1 (or console=tty1) is required for splashing to work. GNU is one of the themes in /etc/splash/.

Naturally, initramfs needs a little bit of fixing as well:

file /sbin/v86d /sbin/v86d 0755 0 0
file /sbin/fbcondecor_helper /sbin/fbcondecor_helper 0755 0 0
slink /sbin/splash_helper /sbin/fbcondecor_helper 777 0 0

... for console decorations and such. Remember that bootsplashing will NOT work unless you pass splash=verbose or silent or some such. By default splashing is off.

Problems

Power-saving

Undervolting

You may consider undervolting, not so much as a power-saving strategy, but more of a temperature reducing measure. It appears that a number of Pentium-Ms are manufactured with a considerable tolerance for voltage. That means that you can reduce the core voltage on your CPU without any adverse effects.

There is an article on gentoo-wiki on the subject. I'd suggest using the sysfs interface, as it would allow adjusting voltage on demand. There is a project on SourceForge that provides patches for a number of kernels.

I used WindowsXP and notebook hardware control to find stable voltages. Currently, the table is:

* Changing CPU voltages table ...
* Current table:     2000000:1308,1600000:1196,1333000:1132,1066000:1052,800000:988
* Configured table:  800000:748,1066000:764,1333000:844,1600000:940,2000000:1084
* Applied table:     2000000:1084,1600000:940,1333000:844,1066000:764,800000:748      [ ok ]

The numbers are frequency:millivolts. The numbers for your CPU will be different. Do not expect the above numbers to work for you; however, you may try them as a starting point (I have seen reports of 1068mV as a stable voltage for 15x and 700mV as a stable voltage for 6x). Testing for stable voltage levels is likely to involve frequent reboots. Be sure not to lose any important data. Also, make sure you run stability tests for a considerable period of time (I discovered some of the instabilities only after around 4 hours of continuously running mprime).

The net effect of undervolting is difficult to gauge objectively, as there are many variables involved. I believe my laptop is a touch (2-3C) cooler when running on 6x, and around 7-9C cooler when running at full throttle (the CPU stays at 51C-55C (depending on the ambient temperature) after prolonged BZflagging or compiling).

Also, the high-pitched noise that used to come from the laptop when on batteries is gone with the voltage table above.

Recent versions of linux-phc have changed from using volts in voltage tables to VIDs. The package contains a tool to convert between the two and my current VID setup is:

* Changing CPU voltages table ...
* Current table:     15:38 12:32 10:27 8:23 6:18
* Configured table:  15:24 12:15 10:9 8:4 6:3
* Applied table:     15:24 12:15 10:9 8:4 6:3                                               [ ok ]

The first number is the multiplier (15x == 2GHz, 6x == 800MHz), the second is the VID count.
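
The two tables above are easy to mistype, and a wrong entry costs a reboot at best. As an added example (my own shell script, not a tool from this guide or from linux-phc), the following checks a freq:mV table before it is written to sysfs and converts it into the multiplier:VID form of the second table. It assumes the Pentium M VID encoding mV = 700 + 16 * VID (VID 0 being 700mV) and a 133MHz bus (so 2000000 kHz is 15x); both reproduce the tables above exactly, but confirm them for your own CPU before relying on them. The sysfs path for the table is not given above, so the script only reports and never writes.

```sh
#!/bin/sh
# Added example, not from the guide: sanity-check a linux-phc voltage table
# before writing it to sysfs, and convert between the two table formats the
# guide shows (frequency:millivolts and multiplier:VID).
#
# Assumption: Pentium M VIDs encode mV = 700 + 16 * VID (VID 0 = 700 mV), and
# the kHz frequencies sit on a 133 MHz bus (2000000 kHz = 15x). This reproduces
# the guide's tables exactly; verify it against your own CPU's documentation.

vid_to_mv() { echo $((700 + 16 * $1)); }
# Rounds up, so the VID chosen is never below the millivolts asked for.
mv_to_vid() { echo $(( ($1 - 700 + 15) / 16 )); }
# 2000000 -> 15, 1333000 -> 10, 1066000 -> 8 (nearest multiplier on a 133 MHz bus).
freq_to_mult() { echo $(( ($1 + 66666) / 133333 )); }

# lookup_mv TABLE FREQ: print the mV entry for FREQ in a "freq:mv,freq:mv" table.
lookup_mv() {
    for entry in $(echo "$1" | tr ',' ' '); do
        if [ "${entry%%:*}" = "$2" ]; then echo "${entry#*:}"; return 0; fi
    done
    return 1
}

# mv_table_to_vid TABLE: "2000000:1084,...,800000:748" -> "15:24 ... 6:3",
# highest multiplier first, the order the VID table is written in.
mv_table_to_vid() {
    out=""
    for entry in $(echo "$1" | tr ',' '\n' | sort -t: -k1,1nr); do
        freq=${entry%%:*}; mv=${entry#*:}
        out="$out${out:+ }$(freq_to_mult "$freq"):$(mv_to_vid "$mv")"
    done
    echo "$out"
}

# check_table DEFAULT NEW: both "freq:mv,..." tables. Succeeds only if every
# frequency in NEW exists in DEFAULT, NEW never exceeds DEFAULT (undervolt,
# never overvolt), nothing is below the 700 mV floor, and the voltage does
# not decrease as the frequency rises. Each of these is a reboot waiting to happen.
check_table() {
    prev_mv=0
    for entry in $(echo "$2" | tr ',' '\n' | sort -t: -k1,1n); do
        case "$entry" in
            *[!0-9:]*|*:*:*|:*|*:) echo "malformed entry: $entry" >&2; return 1;;
            *:*) ;;
            *) echo "malformed entry: $entry" >&2; return 1;;
        esac
        freq=${entry%%:*}; mv=${entry#*:}
        if ! def_mv=$(lookup_mv "$1" "$freq"); then
            echo "$freq kHz: not in the default table" >&2; return 1
        fi
        if [ "$mv" -lt 700 ]; then
            echo "$freq kHz: $mv mV is below the 700 mV floor" >&2; return 1
        fi
        if [ "$mv" -gt "$def_mv" ]; then
            echo "$freq kHz: $mv mV exceeds the default $def_mv mV" >&2; return 1
        fi
        if [ "$mv" -lt "$prev_mv" ]; then
            echo "$freq kHz: $mv mV is lower than the slower step ($prev_mv mV)" >&2; return 1
        fi
        prev_mv=$mv
    done
    return 0
}

# The guide's default and applied tables, used here as sample input.
DEFAULT_TABLE='2000000:1308,1600000:1196,1333000:1132,1066000:1052,800000:988'
APPLIED_TABLE='2000000:1084,1600000:940,1333000:844,1066000:764,800000:748'

if check_table "$DEFAULT_TABLE" "$APPLIED_TABLE"; then
    echo "table looks sane; as VIDs: $(mv_table_to_vid "$APPLIED_TABLE")"
    # Only now write APPLIED_TABLE to the phc sysfs file for your kernel
    # (path not given in the guide).
fi
```

Run it as it stands to see the guide's table pass and print `15:24 12:15 10:9 8:4 6:3`; replace DEFAULT_TABLE with the "Current table" line your own CPU reports and APPLIED_TABLE with the candidate you are about to test.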

Security

I like my $HOME encrypted. Before making any more users, I ran dm-crypt on /home. <http://forums.gentoo.org/viewtopic.php?t=143301&highlight=> is a nice thread on the subject. cryptsetup-luks is the package of choice. Alternatively, truecrypt has received considerable publicity, is open-source, supports a few additional features and truecrypt containers can be mounted on windows and mac as well as on unix.

Using these packages may require interactive booting (i.e. the home partition will not be mounted unless you provide the password). Incidentally, if you are going to suspend to disk and you use encrypted partitions, make sure that wherever you suspend to is encrypted as well (encrypted swap).

Here are the salient parts of my setup:

  • cryptsetup luksFormat -y -c aes-cbc-essiv:sha256 /dev/vg/home

    ... creates a LUKS volume on /dev/vg/home. This is where my $HOME will be. It will ask for a password. With -y, you'd have to type the password twice.

  • cryptsetup luksOpen /dev/vg/home home-crypt

    ... creates a decryption "virtual" device. This operation will ask for the password that you supplied in luksFormat (or that you added later through cryptsetup-luks' key management facilities).

  • mkfs.ext3 /dev/mapper/home-crypt

    ... creates a file system, where I subsequently place my $HOME.

  • Gentoo supports mounting of the encrypted file systems during bootup. Modify /etc/conf.d/cryptfs to include:

    swap=swap-crypt
    source='/dev/vg/swap'
    options='-c aes-cbc-essiv:sha256 -d /dev/urandom -h sha512'
    
    target=home-crypt
    source='/dev/vg/home'
    

    The first block automatically creates an encrypted swap (with a random key). The second block asks for the encryption password while the laptop is booting. This means an interactive boot, but for a laptop this should not be a problem.

The entire setup can be graphically represented like this:

+----------+             +----------+             +---------+
| physical |  encrypted  |encryption|  plaintext  |file     |
|          | <=========> |decryption| <=========> |  system | <==> applications
|   device |    data     |  device  |    data     | (ext3)  |
+----------+             +----------+             +---------+
/dev/vg/home         /dev/mapper/home-crypt

cryptsetup luksOpen establishes the en/decryption "virtual device".

There are other options for information encryption (loop-aes, truecrypt, crypto-fs, enc-fs), just to mention a few. Linux Magazine issue 72 (November 2006) has a nice round-up of the choices involved and a couple of HOWTOs for the curious.

You may also consider encrypting the entire hard drive and boot with a USB key. With a good password, no information at all will be leaked, in case your laptop is lost/stolen.

Please note that cryptsetup-luks has been deprecated and renamed back to cryptsetup (way earlier than 2008-02, but it is irrelevant).

While many thinkpads feature a fingerprint reader, which is touted as a security enhancement by Lenovo, it offers very little actual security. As demonstrated during the 23C3 conference, the thinkpad fingerprint sensor is susceptible to a number of attacks. Given how many fingerprints an average person leaves around, and how easy the sensor is to fool, it is utterly useless for protecting your information. Additionally, if the information on the laptop is valuable enough to the attacker, I'd much rather part with the password, than with my finger under threat of physical violence.

Suspend-to-disk and encryption

The objective here is to make suspend-to-disk work with encrypted swap and home. The combination I am looking for is:

  • swap in lvm
  • /home in lvm
  • encrypted swap (cryptsetup)
  • encrypted /home
  • suspending to the encrypted swap partition

Recently, Princeton researchers have found out that the keys stored in memory can be retrieved even after the power has been cut to RAM for a considerable amount of time. The research information is available at <http://citp.princeton.edu/memory/>. Essentially this means that suspend-to-ram could expose the crypto keys stored in RAM that are used for decrypting one's partition. This is really bad news for suspend-to-ram.

So, the prerequisites in this section are:

  • the tuxonice patch from <http://www.tuxonice.net/>. This patch has already been mentioned.
  • tuxonice-userui (sys-apps/tuxonice-userui)
  • static busybox (USE="static -pam -readline" emerge -v sys-apps/busybox)
  • static e2fsprogs (not necessary but may be useful)
  • static cryptsetup (sys-fs/cryptsetup)

Essentially, this is what I did:

  1. Make sure that all static prerequisites are built as static.

  2. Build sys-apps/busybox with my config file:

    # USE="static -readline -pam savedconfig" emerge -v busybox
    
  3. Set up a config file for gen_init_cpio.

  4. Set up an init file for the initramfs. The absolutely critical part here is to reestablish the crypto mappings for all encrypted partitions before passing the job over to the real init.

  5. Generate the initramfs:

    $ /usr/src/linux/usr/gen_init_cpio ./gen_init_cpio-config.txt \
        | gzip -c > my-initramfs.cpio.gz
    

    This archive contains all the tools listed in gen_init_cpio-config.txt.

  6. Copy the initramfs archive to /boot:

    # cp my-initramfs.cpio.gz /boot/
    
  7. Make sure the grub.conf has the proper entry. I am using:

    title=Gentoo Linux 2.6.24-gentoo-r1 (tuxonice)
    root (hd0,2)
    kernel /vmlinuz-2.6.24-gentoo-r1 acpi_sleep=s3_bios,s3_mode acpi_osi="Linux" root=/dev/sda5 resume="swap:/dev/mapper/swap-crypt" real_resume=/dev/mapper/vg-swap
    initrd /my-initramfs.cpio.gz
    

    The critical point here is to make sure that resume, root and such point to the proper partitions.

  8. Make sure /etc/hibernate/{common.conf,suspend2.conf} contain sane settings.

The final step is to bind a hotkey to the proper action. Calling hibernate should be sufficient (package sys-power/hibernate-script).

You may want to read up on <http://www.disciplina.net/howto/HOWTO-lvm_dm-crypt_suspend2.html>.

Suspend-to-disk and splash

It would be nice to have a splash while suspending and resuming. Gentoo has a package that tuxonice interfaces with to report the progress of the suspend. The application is configured in /etc/hibernate/suspend2.conf:

ProcSetting userui_program /sbin/tuxoniceui_fbsplash

/sbin/tuxoniceui_fbsplash belongs to sys-apps/tuxonice-userui (albeit a non-patched one in my case).

Naturally, you have to download at least one theme that you want to use. In gentoo you have media-gfx/splash-themes-gentoo, media-gfx/bootsplash-themes and media-gfx/splash-themes-livecd. The themes are installed in /etc/splash and tuxonice-userui uses whichever theme the symlink /etc/splash/suspend2 points to (I have seen /etc/splash/tuxonice symlink as well -- not sure which one I really needed, so I created both).

In order to resume from disk with splash, you'd need to embed the programs and the themes into the initramfs. In my case I added this section to gen_init_cpio-config.txt from earlier:

file /sbin/tuxoniceui_text /sbin/tuxoniceui_text 0755 0 0
file /sbin/tuxoniceui_fbsplash /sbin/tuxoniceui_fbsplash 0755 0 0

# The theme has to be merged into the initramfs, if *resuming* is to work
# properly
dir /etc/splash 755 0 0
dir /etc/splash/GNU 755 0 0
dir /etc/splash/GNU/images 755 0 0
file /etc/splash/GNU/1400x1050.cfg /etc/splash/GNU/1400x1050.cfg 0644 0 0
file /etc/splash/GNU/images/verbose-1400x1050.jpg /etc/splash/GNU/images/verbose-1400x1050.jpg 0644 0 0
slink /etc/splash/tuxonice /etc/splash/GNU 777 0 0
slink /etc/splash/suspend2 /etc/splash/GNU 777 0 0

There are plenty of things to tweak in /sys/power/tuxonice/. Have fun.

External drives and encryption

Recently I have purchased several external hdds. Naturally, storing the data unencrypted is out of the question and it would be nice if an external drive could be swapped between windows, mac and my gentoo installation AND support encryption.

So, truecrypt to the rescue. The setup is much like with the home partition. The virtual encryption/decryption device is established and mounted by the truecrypt command:

lapdance ~ # tail -n 1 /etc/sudoers
%truecrypt ALL=(root) PASSWD:/usr/bin/truecrypt

... allows members of truecrypt to use truecrypt (among other things to mount partitions). Then:

lapdance ~ # tail -n 1  /etc/udev/rules.d/10-local.rules
BUS=="usb", ATTRS{idVendor}=="0d49", ATTRS{idProduct}=="7310", ATTRS{product}=="OneTouch        ", SYMLINK+="maxtor"

... sets up the symlink, /dev/maxtor -> /dev/sd<whatever>. Once the drive is plugged in, udevd creates the device node and establishes the symlink to it. All we need now is to mount it:

$ type -a maxtor
maxtor is aliased to `sudo truecrypt -t --filesystem=ntfs-3g /dev/maxtor /mnt/maxtor --fs-options=uid=<my user>,gid=<my group>,noatime'

After that, issuing maxtor as a member of the truecrypt group allows one to mount the external drive under /mnt/maxtor with the permissions of <my user>. The ntfs-3g package (available in gentoo as well) provides the r/w interface to the data. To summarise: read/write, win+mac+linux and encryption.

Now it is time to set up the disk itself. First initialise the disk for truecrypt usage:

# truecrypt -t -c /dev/<device> --quick --filesystem=none --encryption=aes --volume-type=normal --hash=sha-512

This will establish a normal (not hidden) truecrypt container with aes/sha-512/xts. The password (and the random "pool") are supplied interactively. Now, to create a file system, first open the container:

# truecrypt -t --filesystem=none /dev/<device>

This will open the container, but no attempts will be made to mount it. Look for a suitable entry under /dev/mapper (they are called "truecryptN" for a suitable number N), and create a file system:

# mkfs.ntfs -f -v /dev/mapper/truecrypt1

If you have multiple truecrypt containers open, make sure you pick the right one! Now that you have a file system on the truecrypt volume, you can decrypt and mount that in one operation:

# truecrypt -t --filesystem=ntfs-3g /dev/<physical device> /mnt/<mountpoint> --fs-options=uid=something,gid=suitable,noatime

This will grab a physical device /dev/<physical device>, establish a decryption block device (/dev/mapper/truecryptN) and mount it under /mnt/<mountpoint>.

Incidentally, you may want to emerge truecrypt with USE="-X", since running GUI-stuff with encryption software is a weird choice.
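
As an added example (my own script, not from this guide or from TrueCrypt), here is the three-step procedure above wrapped in one function that identifies the freshly created /dev/mapper/truecryptN by diffing /dev/mapper before and after the open, which removes the pick-the-right-one guesswork when other containers are already open. It assumes that `truecrypt -t -d VOLUME` closes a volume, as the TrueCrypt command line I know does; check `truecrypt -t --help` on your version. The flags used for creating and opening the container are the ones shown above.

```sh
#!/bin/sh
# Added example (not the guide's own script): create a TrueCrypt container on
# an external drive and put an NTFS file system in it without guessing which
# /dev/mapper/truecryptN belongs to it.
# Assumption: "truecrypt -t -d VOLUME" closes the volume (TrueCrypt CLI as I know it).

# new_mapper_node BEFORE AFTER: BEFORE and AFTER are whitespace-separated
# listings of /dev/mapper. Prints the single truecryptN name that appeared;
# fails if none or more than one did, so a wrong disk never gets formatted.
new_mapper_node() {
    added=""
    for name in $2; do
        case "$name" in truecrypt[0-9]*) ;; *) continue;; esac
        seen=0
        for old in $1; do
            if [ "$old" = "$name" ]; then seen=1; break; fi
        done
        if [ "$seen" = 0 ]; then added="$added $name"; fi
    done
    set -- $added
    if [ "$#" -ne 1 ]; then
        echo "expected exactly one new truecrypt mapping, found $#:$added" >&2
        return 1
    fi
    echo "$1"
}

# make_truecrypt_ntfs DEVICE: the guide's three steps in one go. Run as root;
# the password and the random pool are still gathered interactively.
make_truecrypt_ntfs() {
    dev=$1
    # 1. Initialise the device as a normal (not hidden) AES/SHA-512 volume.
    truecrypt -t -c "$dev" --quick --filesystem=none --encryption=aes \
        --volume-type=normal --hash=sha-512 || return 1
    # 2. Open it without mounting, and find the mapping that just appeared.
    before=$(ls /dev/mapper)
    truecrypt -t --filesystem=none "$dev" || return 1
    after=$(ls /dev/mapper)
    node=$(new_mapper_node "$before" "$after") || return 1
    # 3. Create the file system on exactly that node, then close the volume.
    mkfs.ntfs -f -v "/dev/mapper/$node" || return 1
    truecrypt -t -d "$dev"
}

# Usage, as root, after checking that DEVICE really is the external drive:
#   . ./thisfile; make_truecrypt_ntfs /dev/maxtor
```

After this the drive can be opened and mounted in one step with the alias shown earlier.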

Full-disk encryption

Well, almost. After having used encrypted swap and home, I grew weary of using two passwords (swap and home) to accomplish logically the same task (unlock the sensitive data). Besides, /tmp is still in plain text, and in these we'll-probe-your-every-orifice-and-freeze-your-assets days, the less is exposed the better. So, off to full-disk encryption. There is a small caveat though -- the system has to boot off something. The safest scenario is to boot off an external medium (live-CD or a USB pen). The next best thing is to leave /boot unencrypted, which is exactly what I am going to do. A possible attack vector is then to subvert the initramfs and/or the kernel image on /boot to report the passwords/crypto keys. However, that requires a technically proficient attacker who has physical access to the laptop and who wants the information. A thief or the DA will not return the laptop with a subverted boot :)

In any event:

lapdance ~ # fdisk -l /dev/sdb

Disk /dev/sdb: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/track, 12161 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x082a1339

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1           6       48163+  83  Linux
/dev/sdb2               7       12161    97635037+   5  Extended
/dev/sdb5               7       12161    97635006   83  Linux

sdb1 is going to be the new /boot, and sdb5 will be encrypted in its entirety. On top of sdb5 (after the decryption layer), there will be a PV (called pvcrypt). On top of that PV there will be a VG (called vgcrypt). On top of that VG, there will be a bunch of LVs reflecting the original partitioning. Off we go, then:

# mkfs.ext2 /dev/sdb1
# mkdir /tmp/newboot
# mount /dev/sdb1 /tmp/newboot
# rsync -avP /boot/* /tmp/newboot

IMPORTANT This is insufficient, as /boot/grub/grub.conf on the new drive is probably different from the same file on the old drive. If you forget to fix up the difference, the new system will NOT come up properly.

Let's start with encryption. A short note, though: the LRW mode of operation has a known security issue and has been superseded by XTS, so you are advised to use aes-xts-plain (aes-xts-essiv:sha512?) or something similar:

lapdance ~ # cryptsetup luksFormat -y -c aes-cbc-essiv:sha256 /dev/sdb5

WARNING!
========
This will overwrite data on /dev/sdb5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
lapdance ~ # cryptsetup luksOpen /dev/sdb5 pvcrypt
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
lapdance ~ # pvcreate /dev/mapper/pvcrypt
Physical volume "/dev/mapper/pvcrypt" successfully created
lapdance ~ # vgcreate vgcrypt /dev/mapper/pvcrypt
Volume group "vgcrypt" successfully created

Off we go with the LVs:

lapdance ~ # lvcreate -l 3012 -n usr vgcrypt
Logical volume "usr" created
lapdance ~ # lvcreate -l 2500 -n home vgcrypt
Logical volume "home" created
lapdance ~ # lvcreate -l 500 -n var vgcrypt
Logical volume "var" created
lapdance ~ # lvcreate -l 500 -n opt vgcrypt
Logical volume "opt" created
lapdance ~ # lvcreate -l 2000 -n tmp vgcrypt
Logical volume "tmp" created
lapdance ~ # lvcreate -l 384 -n swap vgcrypt
Logical volume "swap" created
lapdance tmp # lvcreate -L 500M -n root vgcrypt
Logical volume "root" created

And now the file systems:

lapdance tmp # history | grep mkfs | cut -b7-
 mkfs.ext3 /dev/mapper/vgcrypt-usr
 mkfs.ext3 /dev/mapper/vgcrypt-opt
 mkfs.ext3 /dev/mapper/vgcrypt-var
 mkfs.xfs /dev/mapper/vgcrypt-tmp
 mkfs.ext3 /dev/mapper/vgcrypt-home
 mkfs.ext3 /dev/mapper/vgcrypt-root

And don't forget the swap:

lapdance / # mkswap /dev/mapper/vgcrypt-swap

Okay, it's all there, time to mount the new partitions and clone (parts of) the existing drive:

lapdance ~ # mkdir /tmp/newroot
lapdance ~ # mount /dev/vgcrypt/root /tmp/newroot
lapdance ~ # mkdir /tmp/newroot/usr
lapdance ~ # mkdir /tmp/newroot/var
lapdance ~ # mkdir /tmp/newroot/opt
lapdance ~ # mkdir /tmp/newroot/boot
lapdance ~ # mkdir /tmp/newroot/home
lapdance ~ # mount /dev/mapper/vgcrypt-var /tmp/newroot/var
lapdance ~ # mkdir /tmp/newroot/var/tmp
lapdance ~ # mount /dev/mapper/vgcrypt-usr /tmp/newroot/usr/
lapdance ~ # mount /dev/mapper/vgcrypt-opt /tmp/newroot/opt
lapdance ~ # mount /dev/sdb1 /tmp/newroot/boot
lapdance ~ # mount /dev/mapper/vgcrypt-home /tmp/newroot/home
lapdance ~ # mount /dev/mapper/vgcrypt-tmp /tmp/newroot/var/tmp

Now, let's rsync all that prettiness (that takes a while):

# rsync -avP --exclude '/sys' --exclude '/proc' --exclude '/dev' --exclude 'lost+found' --exclude newroot --exclude '/mnt' /* /tmp/newroot/

IMPORTANT This is insufficient. At least these files are different between the two systems:

  • /etc/conf.d/dmcrypt, if you have it. Turn off dmcrypt too, if it is on.
  • /etc/fstab. If you screw this one up (like I did), the (new) system will NOT come up at all. Check this just before the final reboot.
  • /boot/grub/grub.conf. Same as above.
  • /etc/hibernate/suspend2.conf. The swap partition is probably different, so remember to fix it.
  • initramfs image. You need to build a special initramfs that takes care of opening the encrypted PV, scanning for devices and some such.
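
Step 4 of the suspend-to-disk procedure and the last item above both call for an initramfs that opens the encrypted PV before the real init runs. The following busybox /init is an added example of my own, not the guide's actual init. It assumes the layout described here (LUKS on the partition, VG vgcrypt on top), a kernel parameter crypt_dev= of my own naming for the LUKS partition, a /newroot directory in the cpio image (add `dir /newroot 755 0 0` to gen_init_cpio-config.txt), the static cryptsetup, busybox and lvm binaries, and the tuxonice sysfs files /sys/power/tuxonice/resume and do_resume as I remember them. The command-line parser is the part worth reusing on its own: it is what keeps root= and real_resume= from silently pointing at the wrong partition.

```sh
#!/bin/sh
# Added example, not the guide's own /init: a minimal busybox init for an
# initramfs built with gen_init_cpio, for the layout above
# (sdb5 -> LUKS "pvcrypt" -> VG "vgcrypt" -> LVs root, usr, var, home, swap).
# Order matters: unlock the PV and activate the VG before anything else, since
# root, swap and the resume image all live behind the LUKS mapping.
# Assumptions (mine): crypt_dev= names the LUKS partition; /newroot exists in
# the cpio image; /sys/power/tuxonice/{resume,do_resume} are the tuxonice
# sysfs names; cryptsetup, vgscan and vgchange are the static binaries listed.

# cmdline_get KEY CMDLINE: print the value of KEY=VALUE from CMDLINE with any
# surrounding double quotes removed; status 1 if KEY is not present.
# "root=" does not match "rootflags=", and "resume=" does not match "real_resume=".
cmdline_get() {
    key=$1; shift
    for word in $1; do
        case "$word" in
            "$key"=*)
                val=${word#*=}
                val=${val#\"}; val=${val%\"}
                echo "$val"
                return 0;;
        esac
    done
    return 1
}

# Drop to a shell so a typo in grub.conf leaves a prompt, not a silent hang.
rescue() {
    echo "initramfs: $1" >&2
    echo "initramfs: dropping to a rescue shell; exit to retry" >&2
    /bin/sh
}

init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mdev -s                          # populate /dev from sysfs (no devtmpfs on 2.6.24)
    cmdline=$(cat /proc/cmdline)

    crypt_dev=$(cmdline_get crypt_dev "$cmdline") || crypt_dev=/dev/sda5   # assumed default
    root_dev=$(cmdline_get root "$cmdline") || rescue "no root= on the kernel command line"
    resume_dev=$(cmdline_get real_resume "$cmdline") || resume_dev=""

    # 1. Re-establish the crypto mapping; keep asking until the passphrase is right.
    until cryptsetup luksOpen "$crypt_dev" pvcrypt; do
        echo "initramfs: could not unlock $crypt_dev, try again" >&2
    done
    # 2. Activate the volume group that lives on the decrypted PV.
    vgscan --ignorelockingfailure
    vgchange -ay --ignorelockingfailure
    # 3. Offer the swap LV to tuxonice; do_resume returns only if there is no image.
    if [ -n "$resume_dev" ] && [ -w /sys/power/tuxonice/resume ]; then
        echo "swap:$resume_dev" > /sys/power/tuxonice/resume
        echo > /sys/power/tuxonice/do_resume
    fi
    # 4. Mount the (now visible) root LV and hand over to the real init.
    while ! mount -o ro "$root_dev" /newroot; do
        rescue "cannot mount $root_dev"
    done
    umount /sys /proc
    exec switch_root /newroot /sbin/init
}

# The kernel execs this file as /init; only then do we act as init.
case "$0" in
    /init|init) init_main;;
esac
```

Install it as `file /init /path/to/this-script 0755 0 0` in gen_init_cpio-config.txt and add `crypt_dev=/dev/sda5` (or wherever the LUKS partition ends up once the new disk is primary) to the kernel line in grub.conf.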

FAT ASS WARNING The files must be fixed on the new system before the first reboot, or you are in for a huge surprise.

Additionally, occasionally you will break something in your setup. It happens, and it is not such a big deal. However, since the combination I am using involves many different software packages, the live CD/rescue CD you use has to support all of them. Gentoo's live CD 2008-r1 has cryptsetup and lvm2 on it. Many modern distributions should offer similar functionality as well.

Backup

It would be nice to have a backup for all this goodness. Therefore I got myself a brand spanking new Seagate drive, model ST9160821A, firmware 3.ALE. To my surprise the driver lists UNLOAD_IMMEDIATE as a supported command, so the drive actually works nicely with hdapsd. The new drive is rather snappy (almost 42MBps read from the raw disk block device), compared to its predecessors too.

The drive is different in size (160G), so the easiest backup option is to repeat the FDE steps outlined earlier and then simply rsync everything over. The backup's setup is identical to the original, so no further steps are necessary.

Additionally, it's wise to install grub as well:

grub> root (hd1,0)
grub> setup (hd1)
grub> quit

hd1, since I am doing this on a running system that already has hd0 plugged in.

Furthermore, remember to create mount points for /sys, /proc, /dev, otherwise the boot process will be very unhappy.

The only problem of practical consequence is that the backup disk needs to have a VG with a different name than the one used on the primary hd. And since several setup files refer to the VG by name, the VG on the backup disk would have to be renamed before the disk can be booted from.
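
The pre-reboot check asked for earlier (fstab, grub.conf, suspend2.conf, and the /sys, /proc and /dev mount points) and the VG rename for the backup disk can both be scripted. The following is an added example of my own, not from this guide: check_new_root walks the cloned tree and reports every /dev path in those files that is not a block device on the running system, and rename_vg_refs rewrites /dev/mapper/OLD-* and /dev/OLD/* references for a renamed VG. The backup VG name vgbackup is my placeholder, and VG names are assumed not to contain hyphens (device-mapper doubles them otherwise).

```sh
#!/bin/sh
# Added example (not part of the guide): the pre-reboot consistency check for
# a cloned root, and the reference rewrite needed when the backup disk's VG
# carries a different name. Assumes VG names without hyphens; vgbackup is a
# placeholder name.

# fstab_devices FSTAB_TEXT: the device column of every /dev-backed entry,
# skipping comments and blank lines.
fstab_devices() {
    printf '%s\n' "$1" | awk '!/^[ \t]*(#|$)/ && $1 ~ /^\/dev\// { print $1 }'
}

# rename_vg_refs OLD NEW TEXT: rewrite LVM device references from VG OLD to NEW
# in both spellings (/dev/mapper/OLD-lv and /dev/OLD/lv).
rename_vg_refs() {
    printf '%s\n' "$3" | sed -e "s|/dev/mapper/$1-|/dev/mapper/$2-|g" \
                             -e "s|/dev/$1/|/dev/$2/|g"
}

# check_new_root DIR: DIR is the mounted clone (e.g. /tmp/newroot). Every /dev
# path named in the files the guide lists must be a block device on the
# running system, and the mount points the boot needs must exist.
# Returns 1 and explains on stderr if anything is off.
check_new_root() {
    dir=$1; rc=0
    if [ -f "$dir/etc/fstab" ]; then
        for dev in $(fstab_devices "$(cat "$dir/etc/fstab")"); do
            [ -b "$dev" ] || { echo "etc/fstab: $dev is not a block device here" >&2; rc=1; }
        done
    else
        echo "$dir/etc/fstab: missing" >&2; rc=1
    fi
    for f in boot/grub/grub.conf etc/hibernate/suspend2.conf; do
        [ -f "$dir/$f" ] || { echo "$dir/$f: missing" >&2; rc=1; continue; }
        for dev in $(grep -o '/dev/[A-Za-z0-9_./-]*' "$dir/$f" | sort -u); do
            [ -b "$dev" ] || { echo "$f: $dev is not a block device here" >&2; rc=1; }
        done
    done
    for d in sys proc dev; do
        [ -d "$dir/$d" ] || { echo "$dir/$d: mount point missing" >&2; rc=1; }
    done
    return $rc
}

# Usage, just before the final reboot:
#   . ./thisfile; check_new_root /tmp/newroot && echo "safe to reboot"
# For the backup disk, after the VG has been created as vgbackup:
#   for f in etc/fstab boot/grub/grub.conf etc/hibernate/suspend2.conf; do
#       rename_vg_refs vgcrypt vgbackup "$(cat /tmp/newroot/$f)" > /tmp/newroot/$f.new
#   done
```

Because the check runs against the live system's /dev, run it while the new LVs are active (i.e. after vgchange -ay on the new VG); a device that is missing here is exactly the one that will keep the clone from coming up.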