Installing an accessible OpenBSD laptop

This page explains how to set up my friend Maurice's laptop.

For context, see my talk at BSDcan 2019 (slides, video).

Devices used

Initial setup

disable SecureBoot, set the time to UTC

copy install65.fs to a USB boot stick.

Plug AC power (left hand side) and Matedock (right hand side) into laptop.

Insert USB boot stick laptop MateDock (any USB format).

Power on laptop and press F12 to enter boot selection menu. Boot from USB stick.

Install OpenBSD

Set up a softraid crypto volume before starting the installation script:
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, (S)hell? s

Prepare system disk:
fdisk -i -y -g -b 960 sd0
disklabel -E sd0
> D
> a
partition: [a]
offset: [1024]
size: [500117105]
FS type: [4.2BSD]: RAID
> w
> q

Insert key disk into laptop or Matedock:

sd2 at scsibus3 targ 1 lun 0: <...> SCSI4 0/direct removable serial ...

Prepare key disk:

# cd /dev/
# sh MAKEDEV sd2
# fdisk -i -y sd2
# disklabel -E sd2
> a
partition: [a]
offset: [64]
size: [30298526] 1M
FS type: [4.2BSD] RAID
> w
> q

Create softraid crypto disk:

# bioctl -cC -Cforce -l /dev/sd0a -k /dev/sd2a softraid0
sd3 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
sd: 244197MB 512 bytes/sector, 500116577 sectors
softraid0: CRYPTO volume attached as sd3

See also faq14.html#softraid

exit the shell:

# exit
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, (S)hell? i

Follow faq4.html#Install; the following items need special consideration:

Accepting the default partition layout should be fine unless you have special needs (and you know what you're doing ;)

Install sets from the boot disk (should be sd1):

Location of sets? (disk http or 'done') [http] disk
Is the disk partition already mounted? [yes] no
Which disk contains the install media? (or 'done'): sd1
Which sd1 partition has the install sets? (or 'done'): [a]
Pathname to the sets? (or 'done'): [6.5/amd64]

Directory does not contain SHA256.sig. Continue without verification? [no] y

When the installatioin has completed, reboot the laptop.

Login as root.

Create a backup image of the key disk:

# dd bs=8192 skip=1 if=/dev/rsd2a of=/root/backup-keydisk.img
# chmod 400 /root/backup-keydisk.img
# gzip /root/backup-keydisk.img

Copy the backup image to a safe place outside the laptop.

We need firmware for the iwm(4) wifi driver. On another machine, download iwm-firmware, e.g. iwm-firmware-0.20170105.tgz and put it on a USB stick. Plug this USB stick into Matedock, then mount the partition which contains the firmware file and install iwm firmware:

# mount -o ro /dev/sd1i /mnt
# fw_update -p /mnt iwm
iwm-firmware-0.2017105: ok
# umount /mnt

Configure wifi networks by editing /etc/hostname.iwm0:

lladdr random
join greatstay wpakey greatstay
join ""
dhcp

See faq6.html#Wireless for details.

Enable unwind(8) for captive portal support:

rcctl enable unwind
rcctl start unwind
echo "prepend domain-name-servers 127.0.0.1;" >> /etc/dhclient.conf

Start wifi:

sh /etc/netstart iwm0

Now that we're online, run fw_update again to install remaining missing firmware files:

# fw_update
inteldrm-firmware-20181218: ok
intel-firmware-20180807p0v0: ok
uvideo-firmware-v1.2p2: ok
vmm-firwmare-1.11.0p1: ok

Enable apmd for more battery life and suspend/resume:

# rcctl enable apmd
# rcctl set apmd flags -A
# rcctl start apmd

Add a new user account for the desktop:

# adduser maurice

Install packages

# pkg_add gnome firefox thunderbird textsuggest ffmpeg toad vlc

Configure gnome (with automatic login)

Gnome needs higher resource limits than the defaults. Edit /etc/login.conf to add the following lines:

gnome:\
	:datasize-cur=1024M:\
	:tc=default:
Set the user account's login class to 'gnome':
# usermod -L gnome maurice
# rcctl enable multicast messagebus avahi_daemon gdm

Edit /etc/gdm/custom.conf, and add these lines to the '[daemon]' section:

TimedLoginEnable=True
TimedLogin=maurice
TimedLoginDelay=5

Reboot and wait for gnome to start up.

Disable screen lock in Gnome Settings: Privacy → Screen lock → Off

Configure textsuggest

Add textsuggest-server as a startup application in Gnome Tweaks under Startup Applications → +; Choose "TextSuggest Server"

In Gnome Settings, add a shortcut for textsuggest under 'Devices' → 'Keyboard' (scroll to the bottom of shortcut list and click +).

  Name: textsuggest
  Command: textsuggest --auto-selection=end
  Shorcut: Insert (F12 key on Matebook X)

Configure toad for auto-mount of removable disk drives. Toad works out of the box once hotplugd is running:

rcctl enable hotplugd
rcctl start hotplugd

Disable middle-button paste

Run xinput to disbable the middle-button on the touchpad. Adding the command to ~/.profile will cause gdm to run the command when it executes its Xsession script.
echo xinput --set-button-map /dev/wsmouse0 1 1 3 4 5 6 7 >> /home/maurice/.profile

Making the webcam work in gnome

Edit file /etc/gdm/PreSession/Default and append the lines:

if [ -c /dev/video0 ]; then
    /sbin/chown $USER /dev/video0
fi

Edit file /etc/gdm/PostSession/Default and add these lines before 'exit 0':

if [ -c /dev/video0 ]; then
    /sbin/chown root /dev/video0
    /bin/chmod 600 /dev/video0
fi

Automatic display brightness adjustment

The Matebook X has an illuminance sensor which can be used to control display brightness automatically. Setting display brightness to an optimal low level saves a lot of battery, and this is most effective when done automatically.

We can poll the sensor and set display brightness with a simple shell script:

#!/bin/sh

brightness=100
cur=100

while sleep 10; do
	illum=`sysctl -n hw.sensors.acpials0.illuminance0 | cut -d. -f1`

	[ $illum -gt 0 ] && brightness=5
	[ $illum -gt 10 ] && brightness=10
	[ $illum -gt 20 ] && brightness=15
	[ $illum -gt 80 ] && brightness=20
	[ $illum -gt 200 ] && brightness=30
	[ $illum -gt 400 ] && brightness=40
	[ $illum -gt 600 ] && brightness=60
	[ $illum -gt 800 ] && brightness=80
	[ $illum -gt 1000 ] && brightness=100

	if [ $brightness -ne $cur ]; then
		/sbin/wsconsctl -n display.brightness=$brightness
		cur=$brightness
	fi
done

Save the above script as /root/bin/backlight.sh.

Create the file /etc/rc.local with this line to start the script on boot:

/root/bin/backlight.sh &

Configure the audio mixer

Create the file /etc/mixerctl.conf with the content:

outputs.master=250
record.volume=250
record.adc-0:1_source=mic

The last line makes the internal microphone work.

Prevent time resetting to the year 2016

Needed only in 6.5 release, no longer needed in -current (future 6.6)!

When the Matebook X battery is completely discharged, the BIOS clock resets to the first of January 2016. To fix this automatically when it happens, disable ntpd constrains and enable the -s flag for ntpd:

Edit the file /etc/ntpd.conf and remove this line: constraints from "https://www.google.com"

rcctl set ntpd flags -s

Enable firefox accceleration

In Firefox, go to about:config and double-click the configuration option layers.acceleration.force-enable so that it gets set to true.

HTML5 audio/video should be working out of the box because the ffmpeg package was installed alongside the firefox package.

Back up user files

pkg_add deja-dup

Open 'Backups' Gnome application and schedule regular backup of home folder to a folder on a nextcloud server.

Allow remote administration

To help Maurice remotely if there is a problem with the machine, we need SSH access to the laptop. We want a setup where such access can be granted by Maurice on demand by clicking a button, and which works regardless of whether the laptop is sitting in a network with NAT.

Log into maurice's user account and Create an ssh key: ssh-keygen Do not set a passphrase.

Pick a dedicated SSH jump host with a public IP address. Add a regular user on this machine which may authenticate with above SSH key.

Test login manually:

ssh maurice@ssh.example.com

On the laptop, configure ssh to set up a reverse-tunnel to the laptop's SSH server:

Host jumphost
        Hostname ssh.example.com
	RemoteForward 2222 127.0.0.1:22

Create a .desktop file in ~/.local/share/applications which open an SSH connection to the jump host:

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=True
Exec=gnome-terminal -- ssh jumphost
Name=Allow Remote Administration
Comment=Allow remote administration
Icon=utilities-terminal-symbolic
Categories=Application;System

While Maurice is logged into the ssh jump host, other users logged into the jump host may in turn connect to the laptop with: ssh -p 2222 127.0.0.1

On the jumphost, put a message like this into /etc/motd:

  Welcome to remote administration!
  Please close this window when administration is done.

Restoring key disk from backup

To restore a key disk to 'sd1', do the following (all data on the key disk drive will be lost):

# fdisk -iy sd1
# disklabel -E sd1
> D
> a
partition: [a] 
offset: [64] 
size: [60050906] 1M
FS type: [4.2BSD] RAID
> w
> q
# dd bs=8192 seek=1 if=/root/backup-keydisk.img of=/dev/rsd1a