Simplified Option Icon 255 on Gentoo

I have an Option Icon 255 from work to use when I'm out of the office. It is a 3G USB pen. I've used many outside scripts and graphical user interfaces but I never liked them. They crashed a lot and never seemed natural. Also I wanted a script that actually worked all the time instead of failing sometimes because it took the device a couple more seconds to register in the network.

My solution: a mix of udev and shell scripts.

First I made udev rules for the device. I want it to always have the same name on the /dev file system, and as soon as I connect it to the laptop it should validate the PIN and register in the network. I created a "49-hso.rules" file (hso is the name of the kernel driver for the device) in the "/etc/udev/rules.d" folder as follows:
ACTION!="add", GOTO="hso_end"

SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Control", SYMLINK+="wctrl0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Application", SYMLINK+="wapp0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Application", SYMLINK+="wappa0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Application2",SYMLINK+="wappb0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Diagnostic", SYMLINK+="wdiag0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Diagnostic", SYMLINK+="wdiaga0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Diagnostic2", SYMLINK+="wdiagb0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="Modem", SYMLINK+="wmodem0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="GPS", SYMLINK+="wgps0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="GPS_Control", SYMLINK+="wgpsc0"
SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTR{hsotype}=="PCSC", SYMLINK+="wpcsc0"

KERNEL=="ttyHS[0-9]*", NAME="%k", GROUP="plugdev", MODE="0660"

ATTRS{idVendor}=="0af0", ATTRS{idProduct}=="6971", RUN+="/etc/hso/setPin"

LABEL="hso_end"

I copied these rules from here. They should work with other hso devices, but I never tested it.

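The magic is all in "/etc/hso" (I created this folder to hold all the scripts). First I created the "setPin" script as follows:

#!/bin/sh
# Log of the chat session. The location is an assumption; mktemp creates the file with mode 0600.
OUTPUTFILE=$(mktemp /tmp/hso-setpin.XXXXXX)
( /usr/sbin/chat -E -s -V -f /etc/hso/pin-chat < /dev/wctrl0 > /dev/wctrl0 ) 2> "$OUTPUTFILE"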
I leave the tmp file as I might want to debug it. The "pin-chat" chat script is the following (remember to put your PIN where "PIN-HERE" is written since I removed mine):
"" ATZ
OK "\d\d\d\d\d\d\dAT+COPS=?^m"
OK "AT+CGDCONT=1,,\"internet\"^m"
Yes, the "^m" are on the spot. You may need to adapt the APN name (mine is internet). If you have a user and password you will have to add them to the AT+CGDCONT command. Just check the wiki for it. With these steps you should be able to plug in the device and notice that it registers with the network. To connect to the network I created a "/etc/hso/connect" script as follows:


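#!/bin/sh
# The three values below are assumptions; adjust them to your setup.
DEVICE=/dev/wctrl0      # control port symlink created by the udev rules
NETDEV=hso0             # network interface created by the hso driver
OUTPUTFILE=$(mktemp /tmp/hso-connect.XXXXXX)    # chat log, kept for debugging

PIP=""
COUNTER=""
# Retry until the provider hands out an IP address, at most six attempts.
while [ -z "$PIP" ] && [ "$COUNTER" != "------" ]
do
    echo "trying$COUNTER"
    sleep 2
    ( /usr/sbin/chat -E -s -V -f /etc/hso/con-chat <$DEVICE > $DEVICE ) 2> $OUTPUTFILE
    # Assumption: a failed attempt shows up as a line starting with ERROR.
    ISERROR="`grep '^ERROR' $OUTPUTFILE`"
    if [ -z "$ISERROR" ]
    then
        # _OWANDATA reply: field 2 is the IP address, fields 4 and 5 the name servers
        PIP="`grep '^_OWANDATA' $OUTPUTFILE | cut -d, -f2`"
        NS1="`grep '^_OWANDATA' $OUTPUTFILE | cut -d, -f4`"
        NS2="`grep '^_OWANDATA' $OUTPUTFILE | cut -d, -f5`"
    fi
    COUNTER="${COUNTER}-"
done

if [ -z "$PIP" ]
then
    echo "We did not get an IP address from the provider, bailing ..."
    exit 1
fi

echo "Setting IP address to $PIP"
# Netmask value is an assumption (host mask for a point-to-point link).
ifconfig $NETDEV $PIP netmask 255.255.255.255 up

echo "Adding route"
route add default dev $NETDEV

echo "Adding name servers"
( echo nameserver $NS1 ; echo nameserver $NS2 ) | resolvconf -a $NETDEV

echo "Done!"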

The "/etc/hso/con-chat" script referenced is as follows:
"" ATZ
OK "AT_OWANCALL=1,1,0^m"
OK "\d\d\d\d\dAT_OWANDATA=1^m"
OK ""
And with this it should work. Notice that I'm using openresolv to manage my name servers. If you aren't, then you are probably better off changing the "connect" script to copy the previous resolv.conf and replace it with another. I just prefer to have openresolv since it takes care of things such as restarting the nscd (Naming Service Cache Daemon, if you are wondering). My end goal is to use dnsmasq and to route only the DNS requests to the company VPN. For that I'm better off using openresolv.
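
The "connect" script runs as root and hands whatever the modem returned to ifconfig and resolvconf unquoted. The following is an added example (not part of the original scripts) of a stricter parser for the same fields 2, 4 and 5; the sample replies are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate the modem's _OWANDATA reply before its fields
# reach ifconfig and resolvconf.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read a chat log on stdin and print "IP NS1 NS2" (fields 2, 4 and 5 of the
# first _OWANDATA line). Return 1 if the line is missing or a field is invalid.
parse_owandata() {
    line=$(grep '^_OWANDATA' | head -n 1 | tr -d ' \r')
    [ -n "$line" ] || { echo "no _OWANDATA reply in chat log" >&2; return 1; }
    pip=$(printf '%s\n' "$line" | cut -d, -f2)
    ns1=$(printf '%s\n' "$line" | cut -d, -f4)
    ns2=$(printf '%s\n' "$line" | cut -d, -f5)
    for value in "$pip" "$ns1" "$ns2"; do
        is_ipv4 "$value" || { echo "rejected field: '$value'" >&2; return 1; }
    done
    [ "$pip" != "0.0.0.0" ] || { echo "no address assigned yet" >&2; return 1; }
    echo "$pip $ns1 $ns2"
}

# Constructed sample replies: one usable, one with an out-of-range octet.
sample_log() {
    case $1 in
        good) echo '_OWANDATA: 1, 10.64.12.5, 0.0.0.0, 10.11.12.13, 10.11.12.14, 0.0.0.0, 0.0.0.0, 72000' ;;
        bad)  echo '_OWANDATA: 1, 10.64.12.999, 0.0.0.0, 10.11.12.13, 10.11.12.14' ;;
    esac
}

# In the connect script this would be: parse_owandata < "$OUTPUTFILE"
sample_log good | parse_owandata
```

Only a reply that passes all checks should reach the ifconfig, route and resolvconf calls; anything else counts as a failed attempt.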

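Now that you are connected you need to be able to disconnect :-). The script is very simple:

#!/bin/sh
# Assumed values; keep them the same as in the "connect" script.
DEVICE=/dev/wctrl0
NETDEV=hso0

ifconfig $NETDEV down

/usr/sbin/chat -V -f /etc/hso/dis-chat <$DEVICE >$DEVICE 2> /dev/null

resolvconf -d $NETDEV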
And you also need a chat script in "/etc/hso/dis-chat" as follows:
"" ATZ
OK "AT_OWANCALL=1,0,0^m"
OK ""
And that should do it. At least it works for me :-)


Gentoo with LUKS and LVM

My company has a security policy that forces us to encrypt the hard drive of the computer and any other media. Well, not the whole hard drive, but 99% of it: the 1% is what is required for the PC to boot and ask for a password to decrypt the rest of the drive. The good news is that I'm allowed to use Linux. The bad news is that they have Red Hat Enterprise Linux and I like Gentoo. For a long time I've been using Kubuntu. It is not bad, but it is so easy to use that it borks sometimes, and I like the control Gentoo gives. Since I have only installed Gentoo 2 times, once in 2003 and again in 2007, I decided to write down all the steps for a bare minimum Gentoo installation. I have tested these steps on a virtual machine using KVM. The next step is to do it on the real laptop. It should take something like 35 minutes to do this on a Core 2 Duo at 2.2 GHz.

Notice: This works for me. Use it at your own risk and remember that these commands wipe your hard drive so, if you want something special, read the commands and adapt them.

The list of steps is optimized. For more information you should read the Gentoo Handbook.

Partition the hard Drive

I used a simple partition scheme: 200 MB for the boot (the 1% that is not encrypted) and the rest for the crypted part. The crypted part is 512 MB for the swap and the rest for the root file system. Everything is using ext4.

Using fdisk, delete all the partitions on the hard drive and create two partitions: one with 200 MB (+200M in fdisk) and another with the rest.

Crypt and Open the Crypted Partition

Execute the following command:
    cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2
I'm using serpent because it has no patent issues and it is one of the fastest according to a benchmark I saw on the web.

You will have to answer YES (in upper case) and then enter and verify the pass-phrase.
If for some reason you lose this pass-phrase then you lose your data. You have backups, don't you? If not, good luck trying to crack it :-)
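
To confirm that the header written by luksFormat carries the parameters from the command above, the output of "cryptsetup luksDump" can be checked. The following is an added example (not part of the original post); the function names are hypothetical and the sample dump is constructed in the LUKS1 text layout.

```shell
#!/bin/sh
# Added example: compare the text printed by `cryptsetup luksDump` (LUKS1
# layout) with the luksFormat parameters used above.

# Print the value of one "Name: value" header field from the dump text in $2.
luks_field() {
    printf '%s\n' "$2" |
        awk -F: -v k="$1" '$1 == k { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Read a dump on stdin; print findings; return 0 only if everything matches.
check_luks_header() {
    dump=$(cat)
    rc=0
    for pair in "Cipher name=serpent" "Cipher mode=cbc-essiv:sha256" "MK bits=256"; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(luks_field "$name" "$dump")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: expected '$want', found '${got:-nothing}'"
            rc=1
        fi
    done
    # A header without an enabled key slot cannot be opened with any pass-phrase.
    slots=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    echo "enabled key slots: $slots"
    [ "$slots" -ge 1 ] || rc=1
    return $rc
}

# Constructed sample of the relevant luksDump lines (digest, salt and UUID omitted).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    serpent
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256

Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}

# On the real system: cryptsetup luksDump /dev/sda2 | check_luks_header
sample_dump | check_luks_header
```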

After creating the crypted mapping you need to open it with the command:
    cryptsetup luksOpen /dev/sda2 sda2_crypt

LVM Setup

This is quite easy: just do the following (I'm calling the volume group internalhd, but you can choose another name).
   pvcreate /dev/mapper/sda2_crypt
   vgcreate internalhd /dev/mapper/sda2_crypt
   lvcreate -L512m -nswap internalhd
   lvcreate -L7G -nroot internalhd
Next step is to create the swap and all the file systems. I chose ext4 and created all file systems and swap with labels. This allows me to use the label in the fstab later.
   mkswap -L SWAP /dev/mapper/internalhd-swap
   swapon /dev/mapper/internalhd-swap
   mkfs.ext4 -j /dev/mapper/internalhd-root -L ROOT
   mount /dev/mapper/internalhd-root /mnt/gentoo
   mkfs.ext4 -j /dev/sda1 -L BOOT
   mount /dev/sda1 /mnt/gentoo/boot

Gentoo Install

If you need to setup a proxy now is the time ("export http_proxy=..."). Just remember that you need to configure it also in links.

Use links and download the stage3 tarball and portage snapshot. You can do "links http://www.gentoo.org/main/en/mirrors.xml", choose a mirror and navigate.

Next you extract all the things:
    cd /mnt/gentoo
    tar xvjpf stage3-*.tar.bz2
    tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
Now it's time to configure Portage. I opted to do it the easy way: editing /mnt/gentoo/etc/make.conf, changing CFLAGS to "-O2 -march=native -pipe" and making CXXFLAGS="${CFLAGS}". I also added MAKEOPTS="-j" and FEATURES="fixpackages sandbox". Later on I added the test features, but for now it is off to avoid a bug in the glib ebuild file. I need to check it and report it back to Gentoo.

Next you need to select a mirror for packages and for rsync. Just do:
    mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
    mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf
Final preparations and entering the gentoo installation using chroot:
    cp -L /etc/resolv.conf /mnt/gentoo/etc/
    mount -t proc none /mnt/gentoo/proc
    mount -o bind /dev /mnt/gentoo/dev
    chroot /mnt/gentoo /bin/bash
    source /etc/profile
    export PS1="(chroot) $PS1"
    cp /usr/share/zoneinfo/GMT /etc/localtime
The "export PS1" command changes the shell prompt so we remember where we are doing things. Next you can select your profile. I chose the desktop profile:
    eselect profile list
    eselect profile set 2
You should also choose your locale by editing "/etc/locale.gen". I use 2 locales: en_GB and pt_PT. I do a little trick by doing the following:
    grep en_GB /usr/share/i18n/SUPPORTED >> /etc/locale.gen
    grep pt_PT /usr/share/i18n/SUPPORTED >> /etc/locale.gen

Then you should run "locale-gen" to generate the i18n information for the chosen locales.

Configuring the kernel

I'm going to use genkernel because it has support for LVM, LUKS and so forth. But it has a bug: although it builds LVM internally to use in its initrd image, it does not do so for LUKS. The solution is to emerge cryptsetup before. Well, since I'm emerging the kernel anyway, I simply emerge all the packages that I'm going to need later on with the command:
    emerge -av gentoo-sources genkernel syslog-ng logrotate dhcpcd lvm2 cryptsetup grub
I then add the log daemon to the default run level with:
    rc-update add syslog-ng default
You need to tune the "/etc/genkernel.conf" file. Here are the options you should change (the LUKS option must be added since it doesn't exist):
I chose no cleaning because I don't want it to clean on each attempt. Then you can issue "genkernel all" and make sure you have the following kernel options (of course you should have the kernel options tuned for your computer):
    Device Drivers  --->
      Multi-device support (RAID and LVM)  --->
       [*] Multiple devices driver support (RAID and LVM)
       < >   RAID support
       <*>   Device mapper support
         <*> Crypt target support
    File systems
      <*> The extended 4 (ext4) file system

    Cryptographic API
      <*> SHA224 and SHA256 digest algorithm
      <*> AES cipher algorithms (i586)
      <*> Serpent cipher algorithm
The cryptographic APIs can't be modules. It seems genkernel only includes storage modules in the initrd... I simply tried it and it didn't work and since the disk is always encrypted why have it as modules?

Configuring the System

First you need to change "/etc/fstab". Use the labels as follows:
    LABEL=BOOT   /boot  ext4  ...
    LABEL=ROOT   /      ext4  ...
    LABEL=SWAP   none   swap  ...
Set your hostname by editing "etc/hostname"

Change the root password by running "passwd". You can add a user for yourself now or after you boot.

Don't forget to set your keymap in "/etc/conf.d/keymaps" and to set your clock settings in "/etc/conf.d/clock".

Grub Configuration

Edit grub's configuration file "/boot/grub/grub.conf". Add something like the following (might need to be adapted if the kernel version is different):
    title Gentoo Linux 2.6.31-r6
    root (hd0,0)
    kernel /boot/kernel-genkernel-x86-2.6.31-gentoo-r6 root=/dev/ram0 crypt_root=/dev/sda2 real_root=/dev/mapper/internalhd-root dolvm quiet
    initrd /boot/initramfs-genkernel-x86-2.6.31-gentoo-r6
To install grub I do the following (a shortcut from the Gentoo Handbook):
    grep -v rootfs /proc/mounts > /etc/mtab
    grub-install --no-floppy /dev/sda

Reboot into it

Now that everything is ready you can reboot into the system. Do the following:
    umount /mnt/gentoo/boot
    umount /mnt/gentoo/dev
    umount /mnt/gentoo/proc
    umount /mnt/gentoo

Next steps

Since the disk is encrypted, if you forget something in your kernel you won't be able to boot. What I did was to create a backup kernel like this:
    cp /boot/kernel-genkernel-x86-2.6.31-gentoo-r6 /boot/kernel-backup
    cp /boot/initramfs-genkernel-x86-2.6.31-gentoo-r6 /boot/initramfs-backup
And added its entry to grub:
    title Gentoo Backup Kernel
    root (hd0,0)
    kernel /boot/kernel-backup root=/dev/ram0 crypt_root=/dev/sda2 real_root=/dev/mapper/internalhd-root dolvm quiet
    initrd /boot/initramfs-backup

Even more steps

I advise you to emerge some utilities for network and portage as follows:
    emerge -av mirrorselect openresolv eix portage-utils gentoolkit
"eix" indexes portage and it is really fast. You should create the index and then do your first sync but using "eix" so it updates the index in the end.
Finally some tuning of "/etc/conf.d/rc" (to get a faster startup and, since this is a laptop, ensure it isn't waiting for eth0 to be available before starting other services):
Next you should check if your system is really secure:
    glsa-check -f all
And then you can have fun emerging packages, but since you synced recently and probably changed profile you should do something like:
    emerge -uDNav world
Have fun!!!