Installing an accessible OpenBSD laptop

This page explains how to set up my friend Maurice's laptop.

For context, see my talk at BSDcan 2019 (slides, video).

Devices used

Initial setup

Disable SecureBoot and set the time to UTC.

Copy install65.fs to a USB boot stick.

Plug AC power (left hand side) and Matedock (right hand side) into laptop.

Insert the USB boot stick into the laptop or the MateDock (any USB port format will do).

Power on laptop and press F12 to enter boot selection menu. Boot from USB stick.

Install OpenBSD

Set up a softraid crypto volume before starting the installation script:
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, (S)hell? s

Prepare system disk:
fdisk -i -y -g -b 960 sd0
disklabel -E sd0
> D
> a
partition: [a]
offset: [1024]
size: [500117105]
FS type: [4.2BSD]: RAID
> w
> q

Insert key disk into laptop or Matedock:

sd2 at scsibus3 targ 1 lun 0: <...> SCSI4 0/direct removable serial ...

Prepare key disk:

# cd /dev/
# sh MAKEDEV sd2
# fdisk -i -y sd2
# disklabel -E sd2
> a
partition: [a]
offset: [64]
size: [30298526] 1M
FS type: [4.2BSD] RAID
> w
> q

Create softraid crypto disk:

# bioctl -cC -Cforce -l /dev/sd0a -k /dev/sd2a softraid0
sd3 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
sd: 244197MB 512 bytes/sector, 500116577 sectors
softraid0: CRYPTO volume attached as sd3

See also faq14.html#softraid

Exit the shell:

# exit
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, (S)hell? i

Follow faq4.html#Install; the following items need special consideration:

Accepting the default partition layout should be fine unless you have special needs (and you know what you're doing ;)

Install sets from the boot disk (should be sd1):

Location of sets? (disk http or 'done') [http] disk
Is the disk partition already mounted? [yes] no
Which disk contains the install media? (or 'done'): sd1
Which sd1 partition has the install sets? (or 'done'): [a]
Pathname to the sets? (or 'done'): [6.5/amd64]

Directory does not contain SHA256.sig. Continue without verification? [no] y

When the installation has completed, reboot the laptop.

Login as root.

Create a backup image of the key disk:

# dd bs=8192 skip=1 if=/dev/rsd2a of=/root/backup-keydisk.img
# chmod 400 /root/backup-keydisk.img
# gzip /root/backup-keydisk.img

Copy the backup image to a safe place outside the laptop.

We need firmware for the iwm(4) wifi driver. On another machine, download iwm-firmware, e.g. iwm-firmware-0.20170105.tgz and put it on a USB stick. Plug this USB stick into Matedock, then mount the partition which contains the firmware file and install iwm firmware:

# mount -o ro /dev/sd1i /mnt
# fw_update -p /mnt iwm
iwm-firmware-0.2017105: ok
# umount /mnt

Configure wifi networks by editing /etc/hostname.iwm0:

lladdr random
join greatstay wpakey greatstay
join ""
dhcp

See faq6.html#Wireless for details.

Enable unwind(8) for captive portal support:

rcctl enable unwind
rcctl start unwind
echo "prepend domain-name-servers 127.0.0.1;" >> /etc/dhclient.conf

Start wifi:

sh /etc/netstart iwm0

Now that we're online, run fw_update again to install remaining missing firmware files:

# fw_update
inteldrm-firmware-20181218: ok
intel-firmware-20180807p0v0: ok
uvideo-firmware-v1.2p2: ok
vmm-firwmare-1.11.0p1: ok

Enable apmd for more battery life and suspend/resume:

# rcctl enable apmd
# rcctl set apmd flags -A
# rcctl start apmd

Add a new user account for the desktop:

# adduser maurice

Install packages

# pkg_add gnome firefox thunderbird textsuggest ffmpeg toad vlc

Configure gnome (with automatic login)

Gnome needs higher resource limits than the defaults. Edit /etc/login.conf to add the following lines:

gnome:\
	:datasize-cur=1024M:\
	:tc=default:

Set the user account's login class to 'gnome' and enable the services Gnome needs:

# usermod -L gnome maurice
# rcctl enable multicast messagebus avahi_daemon gdm

Edit /etc/gdm/custom.conf, and add these lines to the '[daemon]' section:

TimedLoginEnable=True
TimedLogin=maurice
TimedLoginDelay=5

Reboot and wait for gnome to start up.

Disable screen lock in Gnome Settings: Privacy → Screen lock → Off

Configure textsuggest

Add textsuggest-server as a startup application in Gnome Tweaks under Startup Applications → +; Choose "TextSuggest Server"

In Gnome Settings, add a shortcut for textsuggest under 'Devices' → 'Keyboard' (scroll to the bottom of shortcut list and click +).

  Name: textsuggest
  Command: textsuggest --auto-selection=end
  Shortcut: Insert (F12 key on Matebook X)

Configure toad for auto-mount of removable disk drives. Toad works out of the box once hotplugd is running:

rcctl enable hotplugd
rcctl start hotplugd

Disable middle-button paste

Run xinput to disable the middle button on the touchpad. Adding the command to ~/.profile makes gdm run it when it executes its Xsession script:

echo xinput --set-button-map /dev/wsmouse0 1 1 3 4 5 6 7 >> /home/maurice/.profile

Making the webcam work in gnome

Edit file /etc/gdm/PreSession/Default and append the lines:

if [ -c /dev/video0 ]; then
    /sbin/chown $USER /dev/video0
fi

Edit file /etc/gdm/PostSession/Default and add these lines before 'exit 0':

if [ -c /dev/video0 ]; then
    /sbin/chown root /dev/video0
    /bin/chmod 600 /dev/video0
fi

Automatic display brightness adjustment

The Matebook X has an illuminance sensor which can be used to control display brightness automatically. Setting display brightness to an optimal low level saves a lot of battery, and this is most effective when done automatically.

We can poll the sensor and set display brightness with a simple shell script:

#!/bin/sh

brightness=100
cur=100

while sleep 10; do
	illum=`sysctl -n hw.sensors.acpials0.illuminance0 | cut -d. -f1`

	[ $illum -gt 0 ] && brightness=5
	[ $illum -gt 10 ] && brightness=10
	[ $illum -gt 20 ] && brightness=15
	[ $illum -gt 80 ] && brightness=20
	[ $illum -gt 200 ] && brightness=30
	[ $illum -gt 400 ] && brightness=40
	[ $illum -gt 600 ] && brightness=60
	[ $illum -gt 800 ] && brightness=80
	[ $illum -gt 1000 ] && brightness=100

	if [ $brightness -ne $cur ]; then
		/sbin/wsconsctl -n display.brightness=$brightness
		cur=$brightness
	fi
done

Save the above script as /root/bin/backlight.sh.

Create the file /etc/rc.local with this line to start the script on boot:

/root/bin/backlight.sh &

Configure the audio mixer

Create the file /etc/mixerctl.conf with the content:

outputs.master=250
record.volume=250
record.adc-0:1_source=mic

The last line makes the internal microphone work.

Prevent time resetting to the year 2016

Needed only in the 6.5 release; no longer needed in 6.6.

When the Matebook X battery is completely discharged, the BIOS clock resets to the first of January 2016. To fix this automatically when it happens, disable ntpd constraints and enable the -s flag for ntpd:

Edit the file /etc/ntpd.conf and remove this line: constraints from "https://www.google.com"

rcctl set ntpd flags -s

Enable firefox acceleration

In Firefox, go to about:config and double-click the configuration option layers.acceleration.force-enable so that it gets set to true.

HTML5 audio/video should be working out of the box because the ffmpeg package was installed alongside the firefox package.

Back up user files

pkg_add deja-dup

Open the 'Backups' Gnome application and schedule a regular backup of the home folder to a folder on a Nextcloud server.

Allow remote administration

To help Maurice remotely if there is a problem with the machine, we need SSH access to the laptop. We want a setup where such access can be granted by Maurice on demand by clicking a button, and which works regardless of whether the laptop is sitting in a network with NAT.

Log into maurice's user account and create an SSH key with ssh-keygen. Do not set a passphrase.

Pick a dedicated SSH jump host with a public IP address. Add a regular user on this machine which may authenticate with the above SSH key.

Test login manually:

ssh maurice@ssh.example.com

On the laptop, configure ssh (in maurice's ~/.ssh/config) to set up a reverse tunnel to the laptop's SSH server:

Host jumphost
        Hostname ssh.example.com
        RemoteForward 2222 127.0.0.1:22

Create a .desktop file in ~/.local/share/applications which opens an SSH connection to the jump host:

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=True
Exec=gnome-terminal -- ssh jumphost
Name=Allow Remote Administration
Comment=Allow remote administration
Icon=utilities-terminal-symbolic
Categories=Application;System

While Maurice is logged into the ssh jump host, other users logged into the jump host may in turn connect to the laptop with: ssh -p 2222 127.0.0.1

On the jumphost, put a message like this into /etc/motd:

  Welcome to remote administration!
  Please close this window when administration is done.
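Because the laptop's key has no passphrase, whoever obtains it gets whatever the jump host account permits. The settings below are an added example, not part of the original setup: they confine that key to opening the reverse tunnel on the jump host and make the laptop side fail visibly when the tunnel cannot be set up. The key material, the jump host user name and the hostname are placeholders taken from the page's own example.

```sshconfig
# On the jump host: /home/maurice/.ssh/authorized_keys
#
# Weak: the key as copied from the laptop grants a full account, including
# agent/X11 forwarding and reverse forwards on any port.
#   ssh-rsa AAAA...laptop-public-key... maurice@laptop
#
# Restricted: 'restrict' turns every extra off, then only a pty (so the
# terminal window behaves normally) and a reverse forward on port 2222 are
# re-enabled. permitlisten needs OpenSSH 7.8 or newer on the jump host.
restrict,pty,port-forwarding,permitlisten="2222" ssh-rsa AAAA...laptop-public-key... maurice@laptop

# On the jump host: /etc/ssh/sshd_config
# GatewayPorts defaults to 'no', so port 2222 binds to 127.0.0.1 only and is
# reachable just by users already logged into the jump host. Stating it
# explicitly keeps a later edit from silently exposing the laptop's sshd.
GatewayPorts no
Match User maurice
        AllowTcpForwarding remote

# On the laptop: /home/maurice/.ssh/config (extends the page's stanza)
Host jumphost
        Hostname ssh.example.com
        User maurice
        RemoteForward 2222 127.0.0.1:22
        # Quit instead of sitting in a window with no tunnel if 2222 is busy,
        # e.g. because a previous session on the jump host has not timed out.
        ExitOnForwardFailure yes
        # Notice a dead link within about 90 s so the next click gets a fresh tunnel.
        ServerAliveInterval 30
        ServerAliveCountMax 3
```

After changing authorized_keys, repeat the manual test login from the laptop; a working tunnel shows up on the jump host as sshd listening on 127.0.0.1:2222 (netstat -an | grep 2222).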

Restoring key disk from backup

To restore a key disk to 'sd1', do the following (all data on the key disk drive will be lost):

# fdisk -iy sd1
# disklabel -E sd1
> D
> a
partition: [a]
offset: [64]
size: [60050906] 1M
FS type: [4.2BSD] RAID
> w
> q
# dd bs=8192 seek=1 if=/root/backup-keydisk.img of=/dev/rsd1a