In order to install Liberté on a FAT/FAT32-formatted, or ext[234]-formatted USB key, SD card, or any other kind of bootable media:
Download liberte-201X.Y.zip from the SourceForge project site. The latest version is always the default download, so just click the green button. Note that the top-level liberte folder in all installation package types (.zip / .iso / .ova) is exactly the same.
Extract the archive into the top directory of the media you want to use (including the liberte archive root); i.e., in Windows put D: or similar into the “Extract to …” dialog. This is all that’s needed when upgrading; however, to upgrade a running Liberté instance, add toram to the boot menu options first.
Make the media bootable (unnecessary when upgrading or when booting using (U)EFI):
Windows: Launch setup.bat in the liberte folder. You will likely need to right-click and select Run as administrator in Vista and in Windows 7. Watch out for errors in the console messages. Do not permit antivirus software like Avast to run the installer in a sandbox, since the bootloader will fail to install in that case.
Linux: Run sh /media/…/liberte/setup.sh auto as root.
For virtualized environments, download liberte-201X.Y.ova and import it into the virtual machine (Import Appliance in VirtualBox, Open in VMware, etc.).
On Linux, it is also possible to immediately test-drive Liberté in QEMU / QEMU-KVM by running liberte/qemulate.sh from an extracted .zip archive; persistence support will be disabled (similarly to .iso).
See the Secure Boot section below regarding booting writable media that are unsupported as boot devices on given hardware (e.g., SD cards).
When upgrading, it is recommended to reset the user configuration after booting: add nosettings to the boot menu options, remove ~/persist/settings/config.tar.xz, and reboot. Upgrading will migrate old cables communication certificates on first boot, and should not cause any usability issues.
NOTE: Older computers might be able to boot only FAT(16)-formatted USB keys; the corresponding BIOS boot option is typically USB RMD-FDD. For such computers, installing on an HDD partition is likely a better option: use the nombr option of setup.sh (or remove the -m -a options from setup.bat), and chain-load the partition from your bootloader.
Liberté Linux releases are signed with a designated PGP key:
Liberté Linux (Release Signing Key) <liberte@dee.su>
6FDD D756 110C 1B07 249F D07E 9B02 7FCD 81DE 1001
You are encouraged to verify the downloaded files using, e.g., GNU Privacy Assistant or PGP Desktop, after fetching the key from a keyserver (or downloading it using the link above), by providing the associated *.asc file as input:
$ gpg --verify liberte-2010.1.zip.asc
gpg: Signature made Fri 19 Nov 2010 03:48:36 MSK
gpg: using DSA key 0x9B027FCD81DE1001
gpg: Good signature from "Liberté Linux (Release Signing Key) <liberte@dee.su>"
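A "Good signature" line only says that some key in the local keyring signed the file, so a scripted check should also compare the signer with the fingerprint published above. The following is an added example, not part of the Liberté distribution: the function names are hypothetical, the sample status lines are constructed, and the signature is assumed to sit next to the download as `<file>.asc`.

```shell
#!/bin/sh
# Added example (not from the Liberté project): accept a download only if gpg
# reports a valid signature made by the fingerprint published on this page.
PINNED_FPR="6FDDD756110C1B07249FD07E9B027FCD81DE1001"

# Read `gpg --status-fd` records on stdin. Succeed only if a VALIDSIG record
# names the pinned fingerprint (as signing key or as primary key) and no
# bad, unverifiable, expired-key or revoked-key signature is reported.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 = fingerprint of the signing key, $NF = primary key fingerprint
            if (toupper($3) == want || toupper($NF) == want) ok = 1
            else bad = 1   # valid signature, but from some other key
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# $1 = downloaded file; the detached signature is expected at "$1.asc".
# Status records go to stdout (fd 1); human-readable messages are discarded.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status
}

# Constructed status output for offline testing (not captured from a real run).
sample_pinned_key() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 9B027FCD81DE1001 Liberte Linux (Release Signing Key)' \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2010-11-19 1290127716 0 4 0 17 2 00 $PINNED_FPR"
}
sample_other_key() {   # "Good signature", but from a key that is not pinned
    fpr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    printf '%s\n' \
      '[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Example Key' \
      "[GNUPG:] VALIDSIG $fpr 2010-11-19 1290127716 0 4 0 17 2 00 $fpr"
}

if [ "$#" -ge 1 ]; then
    if verify_release "$1"; then
        echo "OK: $1 is signed by $PINNED_FPR"
    else
        echo "FAIL: $1 did not verify against the pinned key" >&2
        exit 1
    fi
fi
```

Run it with the path of the downloaded archive as the only argument, after importing the release key.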
(U)EFI bootloader binaries are signed for Secure Boot, establishing a trusted boot chain starting with a KEK / DB certificate (located in EFI directory). The procedure for enrolling the certificate in TianoCore OVMF is as follows:
EFI/Liberte-SecureBoot-CA.der, and commit the changes.
For real hardware, the procedure should be similar; e.g., for Dell Latitude firmware, navigate to Secure Boot → Expert Key Management → Enable Custom Mode → db: Append from File. It is also possible to add the bootloader signature directly (by selecting, e.g., EFI/BOOT/BOOTx64.EFI instead of the certificate above), but this step will need to be done after each Liberté update. Adding the certificate to KEK database (instead of DB above) will let Liberté modify authenticated EFI variables at runtime; such functionality is not used at present.
If you don’t want to customize Secure Boot settings, and your UEFI firmware has Microsoft’s UEFI CA certificate already enrolled (which is probably the case), you can use shim instead (this assumes a .zip install):
shim.efi and MokManager.efi into EFI/BOOT.
BOOTx64.EFI to grubx64.efi, and then rename shim.efi to BOOTx64.EFI.
EFI/Liberte-SecureBoot-CA.der key, or EFI/BOOT/BOOTx64.EFI signature, similarly to OVMF instructions above. Note that such whitelisting is visible to shim only.
With regular BIOS-based boot, only the last stage of trusted boot chain is performed: root filesystem image verification. However, a minimal bootstrap .iso image (lacking a compressed root filesystem) is now shipped, which can be burned to read-only media and used to boot a regular install of Liberté on writable media. Such image is also useful for booting writable media that are unsupported as boot devices on given hardware (e.g., SD cards).
Bug reports, suggestions, and generic discussion are always welcome. Don’t forget to rate this project on SourceForge!
If you are interested in having specific customizations implemented, please contact me by e-mail.