OpenBSD Desktop

Posted on Sat 15 March 2014 in english

This is just a reminder for me to set up my Lenovo x230 as an OpenBSD laptop (I'm running -current).

Full-disk encryption

For full-disk encryption choose the (S)hell option from the installation medium.

If your hard disk isn't available yet, change directory to /dev and enter

::: ksh
# /bin/sh MAKEDEV sd1

Change sdX to whatever your disk should be. To setup the MBR and write a label enter

# fdisk -i sd1
# disklabel -E sd1

When asked for the partitioning scheme choose the appropriate size for SWAP (b) and for the rest choose RAID as partition type. Now we can create the encrypted partition:

# bioctl -c C -l /dev/sd1a softraid0

"-c C" creates the crypto device and "-l" specifies the device itself.

To go on with the installation enter "exit", but be careful! When you have to choose the device for the installation, choose the one bioctl created (sd2 in my case). Furthermore delete SWAP as we already have /dev/sd1a.

EDIT: As of May 2016 W^X is mandatory in OpenBSD so you want to put /usr/local on a separate filesystem.

After first reboot you want to alter your file system table:

# echo 'xxxxxxxxxxxxx.b none swap sw' >> /etc/fstab

where xxxxxxxxxxxxx.b is specified by the following command: "sysctl hw.disknames". That should give you a disk name and its UUID in the following format:

hw.disknames=wd0:xxxxxxxxxxxxx,cd0:,rd0:yyyyyyyyyyyyyyyy,sd0:zzzzzzzzzzzzzzz

When you want to update from a snapshot create your hard disk and mount the encrypted device with the bioctl command above.

PF

/etc/pf.conf (taken from)

set block-policy drop
set skip on lo0
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
block in quick on egress from urpf-failed to any
block in quick on egress from no-route to any
block in all
pass out quick inet keep state

Touchpad

If you want to disable the touchpad while typing and like "tap-click" add the following lines to your .xsession:

synclient TapButton1=1
syndaemon -t -k -i 2 -d

Power

Add APM daemon to your startup RC file

# echo 'apmd_flags=ā€-Cā€' >> /etc/rc.conf.local

To enable automatic suspend when the laptop lid is closed add 'machdep.lidsuspend=1' to your /etc/sysctl.conf.

Other Tweaks

# echo 'multicast_host=YES' >> /etc/rc.conf.local
# echo 'ntpd_flags="-s"' >> /etc/rc.conf.local
# echo 'kern.bufcachepercent=50' >> /etc/sysctl.conf
# echo 'net.inet.tcp.mssdflt=1440' >> /etc/sysctl.conf

and change the values "datasize-cur" and "datasize-max" from 512 to 1024 MB (/etc/login.conf) (also taken from the BSDNow tutorial).

Edit

I found this thread on the OpenBSD mailing list and found it useful:

# sudo sysctl kern.shminfo.shmall=536870912

and further:

staff:\
        :datasize-cur=infinity:\
        :datasize-max=infinity:\
        :datasize=infinity:\
        :openfiles-cur=1024:\
        :stacksize-cur=16M:\
        :maxproc-max=512:\
        :maxproc-cur=512:\
        :ignorenologin:\
        :requirehome@:\
        :tc=default:

Ready to rock!

OpenBSD

Previous Post Next Post

You might enjoy