Encrypted Ubuntu on the MacBook Air

Three general warnings:

• This isn't meant as a cookbook for non-experts. I actually made several false starts that are compressed out of the description below; it's likely that this compression omits some critical details that you won't be able to work around unless you have some problem-solving experience. I also didn't bother documenting Linux command-line basics. But maybe this is a useful starting point for people writing a cookbook.
• This doesn't include some of the add-on packages that I install, and it doesn't include various add-on packages that I know most people consider essential. It does include quite a few add-on packages, but without notes saying which packages are important and why. (Some of the packages are just things I'm temporarily experimenting with.)
• This doesn't include cloning: setting the laptop up to behave just like my previous laptop (including all my files, synchronized to my server).

Some things I knew, or at least thought I knew, before starting installation:

• I normally want to boot into Ubuntu. Booting should be easy and fast. I don't want Ubuntu running inside a virtual machine inside MacOS X.
• I want the option to boot into MacOS X instead. I don't expect to use MacOS X for anything in particular, but I'd feel awfully silly wiping it out and then discovering that I really need it.
• I'm willing to give 50GB to MacOS X (the system as shipped already uses 25GB), leaving 200GB for Ubuntu.
• I'd like block-level encryption for the Ubuntu partition, limiting the exposure of data if my laptop is stolen. My current impression is that encrypted LVM is the best choice available. (File-level home-directory encryption leaks more information, and the implementation doesn't seem robust: I've seen it corrupting files.) Ubuntu's "desktop" installer doesn't provide this option, so I need the "alternate" installer.

• The current Ubuntu Intel graphics driver has serious trouble with the built-in graphics hardware on the latest MacBook Air: the screen is blank, rendering the machine effectively unusable. Booting with "nomodeset" falls back to a working backup driver, although only at a fuzzy 1024x768 rather than the MacBook Air's native 1440x900. Workaround: patch the driver.
• The MacBook will boot off a USB stick, but not a partitioned USB stick. Ubuntu's all-in-one usb-creator tool creates a partitioned USB stick. Workaround: skip usb-creator and manually create an unpartitioned USB stick.
• The MacBook has a two-level boot structure, starting with "EFI" and continuing (for Linux) with "MBR". MacOS X needs to boot from EFI, so the option to boot into MacOS X has to be made by an EFI boot loader, not by an MBR boot loader. The usual Linux installation tools hook into MBR, not into EFI. Even worse, MBR and EFI have separate partition tables that can get out of sync. Workaround: there's a "rEFIt" tool for MacOS X that is supposed to deal with these problems.

Some notes on hardware selection: I bought this MacBook Air in July 2011 because I was worried about the continued health of the ThinkPad X301 that I had bought in September 2008. I couldn't, and still can't, find anything comparable to the X301. The X301 is the same weight as the MacBook Air, 1.3kg. The X301 has the same screen resolution and size as the MacBook Air, 1440x900 13.3"; and it has a matte screen, which I find readable in more situations than glossy. The X301 is marginally thicker than the MacBook Air (19mm vs. 17mm), but it uses this space to provide built-in VGA, built-in Ethernet, and a swappable battery; taking the Macbook Air + USB-to-VGA + USB-to-Ethernet + 12V-to-power + HyperJuice on a trip is clearly more volume than taking the X301 + USB-to-SD + battery. This MacBook Air does have some quantitative advantages that I appreciate (256GB SSD instead of 128GB SSD, 4GB RAM instead of 2GB RAM, better battery life, and somewhat lower cost) but this is hardly a surprise after three years of improvements in chip technology.

On the MacBook Air: use MacOS X to prepare for dual-boot

Select Finder (bottom left). Select Applications. Select Utilities. Select Disk Utility. Click on "251 GB" (and not on "Macintosh"). Select Partition. Drag bottom-right of partition picture upwards until it indicates 49.15GB for partition. Click, click, click. Fine: resized.

Start Safari. http://refit.sourceforge.net/doc/c1s1_install.html Click on rEFIt-0.14.dmg on the web page. Wait for download to finish. Click on Finder (bottom left again). Click on Downloads. Double-click on rEFIt-0.14.dmg (in the Finder window, not the browser window). Double-click on rEFIt.mpkg. Click Continue. Click Continue. Click Agree. Click Install. Type root password. See "The installation was successful." Click Close.

Push the Mute button (F10). (This will stop the system from making noise on each reboot.)

Push power button. Click Shut Down. Wait for screen to blank.

Push power button. Wait for boot. Hmmm, no rEFIt menu.

Try Restart. Aha, rEFIt menu. Select the rEFIt partition tool, and agree to resynchronization ("update MBR" etc.). Shut down.

On another Linux machine: create an Ubuntu boot disk

     ISO=ubuntu-11.10-alternate-amd64.iso
     USB=/dev/sdb
     cd /root
     wget http://mirror.pnl.gov/releases/oneiric/$ISO
     mkfs.vfat "$USB" -I
     mkdir iso
     mount -o loop "$ISO" ./iso
     mkdir usb
     mount "$USB" ./usb
     time rsync -ah ./iso/ ./usb/
     # 5 minutes on a typical laptop
     mv ./usb/isolinux ./usb/syslinux
     mv ./usb/syslinux/isolinux.cfg ./usb/syslinux/syslinux.cfg
     sed 's/quiet/nomodeset quiet/' < usb/syslinux/txt.cfg > usb/syslinux/txt.cfg.new
     mv usb/syslinux/txt.cfg.new usb/syslinux/txt.cfg
     time cp "$ISO" usb
     # 3 minutes on a typical laptop
     umount iso
     rmdir iso
     umount usb
     rmdir usb
     syslinux "$USB"
     dosfslabel "$USB" ubu1110alt

On the MacBook Air: install Ubuntu

Plug USB-to-Ethernet converter into MacBook Air, rightmost USB plug. Attach Ethernet cable connected somehow to the Internet (I used a DHCP server on another laptop).

Boot. At rEFIt menu, select "Boot Legacy OS from" (or "Boot Linux from"; unclear how this is triggered). SYSLINUX gives "Unknown keyword in configuration file" error; type "help" and press return. (If this error doesn't appear, don't worry about it; unclear how it's triggered.) Press return again (for alternate; desktop skips this). Wait for Ubuntu to boot.

"Select a language ... English" Press return.

"Select your location ... United States" Press return.

"Configure the keyboard ... Detect keyboard layout? No" Press return.

"Configure the keyboard ... English (US)" Press return.

"Configure the keyboard ... English (US)" Press return. Wait.

"Detect and mount CD-ROM ... Try again to mount the CD-ROM?" (This is a bug in the installation script, maybe related to the single partition on the USB stick.) Press fn-option-F2 and Enter. Type

     mkdir /mnt/usb
     # one of the following two should work:
     mount -t vfat /dev/sdb /mnt/usb
     mount -t vfat /dev/sdc /mnt/usb
     mount -t iso9660 -o loop /mnt/usb/ubuntu-11.10-alternate-amd64.iso /cdrom

     echo powersave > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
     echo powersave > /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor
     echo powersave > /sys/devices/system/cpu/cpu2/cpufreq/scaling_governor
     echo powersave > /sys/devices/system/cpu/cpu3/cpufreq/scaling_governor

"Detect and mount CD-ROM ... Try again to mount the CD-ROM?" Press Esc (this is important!), Enter, Enter.

"Loading additional components ..." ... "Configuring the network with DHCP ..." "Configure the network ... Hostname:" Press control-U. Type air.

"Configure the clock ... Is this time zone correct? Yes" Press fn-option-F2 and Enter. Type

     cd /usr/lib/apt-setup/generators
     sed 's/db_metaget/# db_metaget/' \
     < 50mirror.ubuntu \
     > 50mirror.ubuntu.new
     mv 50mirror.ubuntu.new 50mirror.ubuntu

"Configure the clock ... Is this time zone correct? Yes" Press return.

"Partition disks ... Unmount partitions that are in use? No" Press return.

"Partition disks" Select "Manual" and set up the partitions you want within the space made free by shrinking MacOS X. (No detailed keystrokes here, sorry.) Here's what I set up (with noatime on both /boot and /):

     LVM VG g1, LV v1 - 200.9 GB Linux device-mapper (linear)
        #1 200.9 GB K crypto (g1-v1_crypt)
     Encrypted volume (g1-v1_crypt) - 200.9 GB Linux device-mapper (crypt)
        #1 200.9 GB f ext3                                   /
     SCSI1 (0,0,0) (sda) - 251.0 GB ATA APPLE SSD SM256C
           3.1 kB FREE SPACE
        #1 209.7 MB B EFIboot  EFI system p
        #2  49.2 GB   hfs+     Customer
        #3 650.0 MB   hfs+     Recovery HD
        #4   1.0 MB K biosgrub
        #5 128.0 MB F ext3                                   /boot
        #6 200.9 GB K lvm

"Installing the base system" ... "Set up users and passwords ... Full name for the new user:" Type your full name.

"Set up users and passwords ... Username for your account:" Type your account name.

"Set up users and passwords ... Choose a password for the new user:" Type your password.

"Set up users and passwords ... Re-enter password to verify:" Type your password.

"Encrypt your home directory? No" Press return.

"Configure the package manager ... HTTP proxy ..." Press return.

"Configuring apt" ... "Select and install software" ...

"Configuring grub-pc ... Device for boot loader installation:" Type /dev/sda. (Some people say that you should instead use something like /dev/sda5, but so far I haven't had any trouble with /dev/sda.) If you receive an error message instead of "Device for boot loader installation" (unclear what triggers this), press fn-option-F2 and type the following:

     chroot /target/ bash
     mount -t proc proc /proc
     mount -t sysfs sysfs /sys
     echo deb http://us.archive.ubuntu.com/ubuntu/ \
     oneiric main restricted >> /etc/apt/sources.list
     aptitude update
     aptitude install grub-pc
     exit

"Installing GRUB boot loader" ... "Finishing the installation" ... "Finish the installation ... Is the system clock set to UTC? Yes" Press return.

"Finish the installation ... Installation complete ... Continue" Press return. When the screen goes black, remove the USB stick.

On the MacBook Air: configure Ubuntu

When a blinking cursor appears in the top left of the screen, quickly press e. Use arrow keys etc. to change "quiet" to "nomodeset quiet". Press F10. Wait.

"Enter passphrase:" Type the passphrase you set up for encrypting the disk. You'll have to do this again on every reboot. After you type the correct passphrase you'll see "crypt set up successfully" quickly go by. (If you see a purple and black screen instead of "Enter passphrase:", type fn-option-F1 and then fn-option-F7.)

Ubuntu presents graphical login screen. Press fn-control-option-F2.

"air login: " Type your account name and press return.

"Password: " Type your password and press return.

"$ " Type "sudo -s" and press return.

"[sudo] password for ...:" Type your password and press return.

Type the following:

     update-rc.d ondemand disable
     chmod 755 /etc/rc.local
     sed -i 's/exit 0//' /etc/rc.local
     (
       echo "echo powersave > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"
       echo "echo powersave > /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor"
       echo "echo 0 > /sys/devices/system/cpu/cpu2/online"
       echo "echo 0 > /sys/devices/system/cpu/cpu3/online"
     ) >> /etc/rc.local
     sh /etc/rc.local

And more (waiting for each command to finish, or merging commands if you know what you're doing; aptitude is uncivilized and consumes typeahead):

     # updates
     aptitude update
     aptitude dist-upgrade
     # networking
     aptitude remove network-manager network-manager-gnome
     aptitude purge avahi-daemon libnss-mdns avahi-utils telepathy-salut
     dhclient eth0
     aptitude install traceroute
     aptitude install aircrack-ng
     aptitude install iodine
     aptitude install httptunnel
     aptitude install ptunnel
     aptitude install sshuttle
     aptitude install ntp
     aptitude install dhcp3-server
     update-rc.d isc-dhcp-server disable
     # general administration
     aptitude install lm-sensors
     aptitude install edac-utils
     aptitude install acpi
     aptitude install alien
     # synchronization, backup, compression
     aptitude install unison unison2.27.57
     aptitude install git
     aptitude install tig
     aptitude install subversion
     aptitude install unrar
     aptitude install aria2
     # windowing
     aptitude install fvwm
     aptitude install xlockmore-gl
     aptitude install ttf-droid
     aptitude install xkbset
     # browsers
     aptitude install w3m
     aptitude install chromium-browser
     aptitude install -R mutt
     # documents
     aptitude install gv
     aptitude install xpdf
     aptitude install acroread
     aptitude install pdfedit
     aptitude install psutils
     aptitude install texlive-full
     # pictures
     aptitude install imagemagick
     aptitude install xloadimage
     aptitude install plotutils
     aptitude install gnuplot
     aptitude install graphviz
     aptitude install netpbm
     aptitude install xsane
     aptitude install sane-utils
     aptitude install brother-cups-wrapper-laser
     # video
     aptitude install vlc
     aptitude install mplayer
     aptitude install mencoder
     aptitude install ffmpeg
     # audio
     aptitude install sox
     aptitude install libsox-fmt-all
     aptitude install vorbis-tools
     aptitude install mpg321
     # math
     aptitude install bsdgames
     aptitude install pari-gp
     # text processing
     aptitude install vim
     aptitude install athena-jot
     aptitude install m4
     aptitude install gawk
     # perl development
     aptitude install libnet-dns-perl
     aptitude install libmime-base32-perl
     aptitude install libstring-crc32-perl
     # general development
     aptitude install build-essential
     aptitude install manpages-dev
     aptitude install gcc-multilib
     aptitude install libc6-dev-i386
     aptitude install gfortran
     aptitude install autoconf
     aptitude install libgmp-dev
     aptitude install libssl-dev
     aptitude install libncurses5-dev
     aptitude install flex
     # switch to the new kernel
     reboot

Again: When a blinking cursor appears in the top left of the screen, quickly press e. Use arrow keys etc. to change "quiet" to "nomodeset quiet". Press F10.

Again: "Enter passphrase:" Type the passphrase you set up for encrypting the disk.

Again: Ubuntu presents graphical login screen. Press fn-control-option-F2.

Again: "air login: " Type your account name and press return.

Again: "Password: " Type your password and press return.

Again: "$ " Type "sudo -s" and press return.

Again: "[sudo] password for ...:" Type your password and press return.

Type the following:

     cd /root
     dhclient eth0
     wget http://almostsure.com/mba42/post-install-oneiric.sh
     bash post-install-oneiric.sh

If you used ext3 (as I did): Edit /etc/fstab and eliminate "discard" (which was added by the post-install script); this isn't compatible with ext3.

Reboot, skipping the nomodeset step. The screen should now be a crisp 1440x900.