Panasonic Toughbook Fedora Linux Install; Part Ii Fedora Core 15 on CF-29 and CF-30

Panasonic Toughbook CF-29 and CF-30 Fedora Linux install; Part II

 

This is a draft. I need to make an editorial pass and fix the links I have stubbed out.

 

With recent Linux versions, there are no special flags needed for Toughbooks to boot and run the install. Just boot your chosen media (CD/DVD) and install as usual. If you are simply deleting windows, you can keep things fairly simple by letting the installer erase the disk and lay out partitions for you. Otherwise, you need to delete the second partition and put together a basic layout.

 

Since this is a laptop, thought needs to be given to security. Laptops are meant to be portable. That makes it easy for you but also makes it easy for someone else to pick it up and go. The cost of the lost hardware is one thing (and maybe you have insurance which will cover it), but criminals don't tend to take privacy very seriously either and you probably have data you don't want them to have: banking information, emails about where your child goes after school, passwords and so forth. If you are using a Toughbook in the first place, in a law enforcement, medical, disaster relief, context, etc., you probably have to worry about protecting other people's data as well. So a good bit of this tutorial is going to cover some ways you can set them up to be secure--- or as reasonably secure as can be expected. I am going to assume you have basic knowledge of Linux installations in general (outside of Toughbooks).

 

Full Disk Encryption

 

The first step is going to be Full Disk Encryption (FDE). Linux makes it very easy to encrypt the entire contents of the hard drive. This serves two basic purposes: 1) you do not need to selectively figure out what things are "important enough" to be encrypted and then miss something obvious 2) you ensure that an attacker cannot easily misuse incidental data such as system logs, contents of swap space or file names to figure out what you are protecting and how to get at it. Whenever your laptop is off, its contents are effectively useless to criminals of modest resources. The important thing to realize is that whenever your computer is left on, like when you get up from the table to get your coffee order, FDE does you know good whatsoever, even if your screen is locked. A criminal that takes your laptop while on or suspended can bypass the encryption. Sophisticated criminals can recover information from RAM even if it was just very recently on.

 

Start by creating a /boot partition. It has to be unencrypted and big enough to hold the kernel and libraries needed to bring the system up and decrypt the rest of the hard drive. My /boot partitions end up being about 500 MB just as a nice round number.

 

Next create an LVM Physical Volume and let it fill the rest of the disk, checking the box to encrypt the volume. Now create a Logical Volume Group in the Physical Volume. Create a swap partition (usually about the same size as your RAM, so for the CF-29, I create a swap about 768 MB). Create a root partition ("/") for your system files. Since I have plenty of HD space, I set these at ~50GB to make sure I have plenty of space to install packages and applications. Create a home directory for your data and documents. Do not check "encrypt" for these partitions since the container, the "Physical Volume" they are in, is already encrypted. Link to Fedora LVM chapter.

 

I tend to not let the home directory fill the entire disk. 50 GB is more than adequate to start out and the Linux Logical Volume Manager lets you add space to a file system later on. It is a bit more tricky to shrink one on the fly. By leaving unallocated free space, you have something to play with if you run out of room somewhere or want to create a new partition. If you continue the install from here, you will be asked for a password for the encrypted volume. This password will be required every time you boot and every time you recover from hibernation, so it has to be something you can type and remember, but it should also be a good password of probably 8+ characters, mixed punctuation, not a dictionary word, and with digits or symbols thrown in. It is possible to brute force a bad password and then the rest of your protection can be unravelled.

 

NTFS (Windows)	60 GB (or whatever)	/boot		500 MB	[Physical Volume (encrypted)]		swap		768 MB		/		50 GB		/home		50 GB		Free Space	XXX GB

This leaves you with an unencrypted /boot, an encrypted swap, root filesystem and home directories. An attacker who takes your laptop powered off will have access to your Windows partition and /boot. They cannot readily access your LVM physical volume (AES encryption by default and reasonably hard to crack if you have a good password). Your swap space, which might contain encryption keys for the physical volume, is also protected. System logs which might have information about your documents and habits, systems you connect to and so forth, are encrypted along with everything else.

 

If your data is important enough or if you have pissed off a computer nerd, someone could modify your /boot data, install a keylogger, and record your encryption password (or something equally sneaky). The Toughbooks have quite a few options for locking the laptop at the BIOS level. The easiest way is to simply turn on the BIOS password and require it at boot and at access to the BIOS. You can also set a Supervisor password to lock the BIOS and system setup menus and a separate User password to boot the laptop (say, if you set up the computer but someone else uses it). This keeps someone from easily booting up, tampering with your software and shutting back down.

 

Your nemesis could remove your hard drive and try to get at your data that way (protected by the encryption) or tamper with /boot, but they are not going to do that while you pick up your coffee at the Starbucks counter. The CF-30's have a TPM processor, a system-security chip which can be used to thwart even that: telling you at bootup that your system software has not been tampered with or encrypting the entire contents of your drive with the internal crypto system. I may cover TPM configuration in a later post, but it should be mentioned that there is a simpler method: put /boot on a USB dongle and carry it with you. This is inconvenient with the CF-29 and its single USB connector, but easy with the CF-30. Insert link to article on removable /boot and TPM. The DOD method I have witnessed is also low-tech and effective: pull the removable hard drive and drop it in a safe when not in use. This is the reason Toughbooks have easily removable hard drives.

 

The rest of the install

 

After all of that, the rest of the install proper is pretty simple. I selected the Desktop and Software Development package categories. We will need the software development tools to build tools to set up the touchscreen properly, which I will cover in the post-install. You might as well just check to box now and get it out of the way.

 

Oh, and by the way, if you choose to set up the network during the install, remember to flip the CF-30's wireless cut-off switch to "On" before you spend thirty minutes trying to figure out why the network isn't working. A green LED will light up to tell you it is activated.

 

Post install

 

Fedora Linux will bring you into a setup program on your first successful boot. Here you will set up the network (if you have not already), set a root password, and create a non-root user. The root password will be very rarely used, except critical system maintenance, and if you hose your normal account. Make it a good password and then write it down somewhere safe (like in your key safe or a document safe). Your user account password will be used for every day logins and through the "sudo" tool for routine system maintenance. Make at least one of your user accounts an "administrator" so that this will work properly. If you are truly paranoid, you will have a normal user account you use every day and another with the administrator flag checked. This means that after visiting a malicious web site which takes over your browser, they won't be able to install a boot sector virus. I'll leave that decision up to you and will present another option further on. I often set the administrator flag on a new system and once I have it set up the way I like it, remove it from my normal user and create a separate administrator account for routine maintenance.

 

Updates

 

After you finish the setup and get to the login screen for the first time, you will want to run the Software Update program to get all of the security patches and updates. Since FC-15 has been out for a while, expect to spend some time even with a good network connection.

 

There seems to be a common bug in FC-15 where you get an error message involving "fedora-release-rawhide" in your first update. I solved this by opening a terminal and running "sudo yum update fedora-release-rawhide" and when that finished, "sudo yum update" to do the updates manually (which is always an alternative to the GUI Software Update program). Your mileage may vary.

 

Gnome

 

If you have not used Gnome 3 before (the graphical desktop used by FC-15), it may take some getting used to. I have found that I like it OK on the CF-30 and it is reasonably snappy. On the CF-29, in Gnome's "fallback mode" for those of us in technological backwaters, it is actually quite painful since most of the new ways to get to the applications and settings you need are not there and the old ways are not there either. Reading a short Gnome-3 tutorial is worth the time and things will not make much sense if you don't. On the CF-29, I install a package called "Gnome Do". This allows me to hit Command-Spacebar and pop up a search prompt. I can then start typing the file or program I want, hit tab when it comes up with the right answer, and then run or open it. So, I can start typing "Terminal," about when I get to the r, it pops up the correct program, I hit Tab and Enter and have a terminal window--- much faster than trying to get through the menus, especially before I get the mouse working properly. I intend to figure out how to get WindowMaker (another desktop option) working on FC-15 but have not yet done so.

 

Touchpad/Touchscreen

 

On the CF-29, you will notice that the touchpad is painfully slow. It may take you about a thousand years to move the mouse cursor from one corner to the other. The touchscreen won't work at this point, either. If you tap on a spot on the screen, the mouse cursor will jump but won't go quite where you want it. On the CF-30, the touchscreen will misfunction the same as the CF-29 but the touchpad will work. If the CF-30 touchpad is slow for you, you can adjust it from System Settings->Mouse and Touchpad. System Settings can be gotten to a few different ways, one of which is by going to your account name in the upper right corner of the screen and clicking to pull down that menu.

 

The CF-29 touchpad cannot be adjusted so easily. After much frustration and trial and error, I fixed it by adding the following to a file called .xinputrc in my home directory:

 

~/bin/fixtouchpad

Create this file, add that line, and the save it. Make it executable ("chmod u+x ~/.xinputrc"). Now create a directory called /bin, and create a file called "fixtouchpad" with the following:

 

#!/bin/bashxinput ----set-ptr-feedback 10 1.5 10 1

Make this one executable as well. I tend to add ~/bin to my path in my .bashrc and put various little tools in it. Now, in case this does not work for you, let me explain what it does. "xinput" is a tool for tweaking the behavior of various X Windows input devices: mice, trackpads, trackballs, etc. This line sets the acceleration (ptr-feedback) for a device numbered 10 which happens to be the builtin trackpad for me. It sets the acceleration to 1.5 starting after 10 pixels of movement and counting by 1 px at a time thereafter. Play with these numbers to find what works for you. According to the documentation, "1.5" should not work--- it is supposed to be a whole number--- but it does work and seems to behave better than using "2" for me. You can run xinput in terminal with different settings as many times as you need and then copy the numbers into fixtouchpad. "xinput --get-feedbacks 10" might also be useful to you. When you log out and back in, your .xinputrc should be run automatically and the touchpad should work.

 

If this does not work at all for you, you may need to figure out the device number. xinput has a manpage ("man xinput"). "xinput --list" will give you information on all the input devices:

 

⎡ Virtual core pointer id=2 [master pointer (3)]

⎜ ↳ Virtual core XTEST pointer id=4 [slave pointer (2)]

⎜ ↳ PS/2 Touchpad id=10 [slave pointer (2)]

⎜ ↳ LBPS/2 Fujitsu Lifebook TouchScreen id=11 [slave pointer (2)]

⎣ Virtual core keyboard id=3 [master keyboard (2)]

↳ Virtual core XTEST keyboard id=5 [slave keyboard (3)]

↳ Power Button id=6 [slave keyboard (3)]

↳ Video Bus id=7 [slave keyboard (3)]

↳ Power Button id=8 [slave keyboard (3)]

↳ AT Translated Set 2 keyboard id=9 [slave keyboard (3)]

↳ Panasonic Laptop Support id=12 [slave keyboard (3)]

You are looking for the "PS/2 Touchpad". .xinputrc will run fixtouchpad for you every time you log in, but your trackpad settings will go away when you hibernate and thaw. That is why I put the settings in a separate script. When I come back from hibernate, I run fixtouchpad and go (Actually, I type "fixt|TAB|", the shell autocompletes the command, I hit Enter and go. I'm lazy. As soon as I find out how to run this automatically every time I come back from hibernate, I will.)

 

OK, so now the system is relatively usable. Let's fix the touchscreen. As it turns out, the touchscreen works fine, unlike previous version of Linux. The problem is that each touchscreen is just a little different from every other, and it needs to be calibrated using a tool called xinput_calibrator. The normal Gnome tool will not work. Download the "source tarball" of xinput calibrator from Find link. Unpack it, configure, compile, and install. e.g.:

 

mkdir buildcd buildtar -xzf ~/downloads/xinput_calibrator.whatever.the.filename.iscd xinput_calibrator./configure <<--- this isn't right, check it!!!makesudo make install

Now you can run "xinput_calibrator --output-type xorg.conf.d". It will ask you to tap in various places (best to do with the stylus so it is precise) and then will spit out the settings you need. Cut and paste them into a file called "/etc/X11/xorg.conf.d/99-calibration" . You will need to edit the file using sudo, as it will be owned by root. Mine looks like this:

 

# Calibration values generated by xinput_calibrator for CF-29 TouchscreenSection "InputClass"		Identifier	  "calibration"		MatchProduct	"LBPS/2 Fujitsu Lifebook TouchScreen"		Option  "Calibration"   "271 3995 317 3869"EndSection

Log out and restart. Your touchscreen should now work. It is fine-grained enough in Linux to do some handwriting recognition and sketching using the stylus, though the screen is akward to write on.

 

Stay tuned for Part III with even more Toughbook-tweaking madness!