Forewords
This document is far from complete. It was last updated on 9 June 2007. Don’t expect updates.
This document describes my adventures with installing Debian sid (3.1) GNU/Linux on an IBM (or Lenovo if you prefer) ThinkPad T43 using a crypted root filesystem. It also tries to document one way to install hardware device drivers and configure power saving features to fit the particular laptop to the writer’s personal preferences and environment. Some of the stuff has been tested with Debian etch as well.
For Debian and non-Debian alike, TuxMobil has plenty of links to pages (more or less) similar to this.
Disclaimer
I take no responsibility for what you do with your computer. This stuff works for me and that’s pretty much all I care about. If it breaks your installation, you’re on your own. (“If it breaks, you get to keep both pieces.”)
Introduction
When I started an on-site assignment at [NDA] I was given an IBM/Lenovo ThinkPad T43 to do my work with. It came with Windows XP Professional pre-installed, but I was allowed – and in fact, supposed – to install Linux on it. The only requirement was that if I ever wanted to take the thing outside the walls of [NDA], I had to have a crypted filesystem.
Until then, I had only experimented with crypted disk images, which was rather trivial with cryptoloop. The problem was how to do this automatically with the root filesystem. How can I do it with minimal manual work?
Installation and setting up crypted root
- Debian Testing installer on USB-stick.
- Create three partitions
  - /dev/sda1 as /boot, ext3, 64 MiB
  - /dev/sda2 (unmounted), ext3 (unmounted with no filesystem created), 57 GiB
  - /dev/sda3 as /, ext3, 2 GiB (intended to be swap)
- Install base system
- Install GRUB on MBR
- Reboot to freshly installed OS
- apt-get install cryptsetup initrd-tools
- Apply patches against initrd-files (I’ve got them right here on my harddrive)
- Download kernel, patch, configure, create package, install
- Create initrd, install, configure GRUB
- Follow instructions at …
- Reboot to crypted root
Installing hardware drivers
First of all, http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p is your best friend! Use that guide instead. Feel adventurous? Feel free to read ahead.
Hardware 3D-acceleration (FGLRX)
Download drivers from ATI and compile kernel and modules with make-kpkg. All done!
WLAN
Umm… It works, though. See http://www.thinkwiki.org/wiki/Ipw2200.
Fingerprint reader
See http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p_fingerprint_reader.
Here’s what I ended up doing:
- Download the Debian package for bioapi, version 1.2.1 and 1.2.3 from http://www.qrivy.net/~michael/. If 1.2.1 is not available for your copy of Debian, try getting a package that contains QSample. You are going to need it later.
- Install bioapi 1.2.1
- Download BSP from UPEK, Inc. The one I used was TFMESS_BSP_LIN_1.0.zip.
- Extract to new directory
- Run install.sh /usr/lib (as root). This will install necessary libraries and screw up your package management. Be sure to save the directory or at least the uninstall.sh the installer creates.
- Download pam_bioapi. I used pam_bioapi-0.2.1.tar.bz2.
- Install libpam0g-dev (and all the other packages you could be missing).
- Extract, create directory /tmp/pam_bioapi, run ./configure --prefix /tmp/pam_bioapi and make install.
- Download my fancy directory-structure-into-debian-package -script.
- Run the script with a bunch of parameters like…
    ~/makedeb.sh --maintainer "myname <user@host.com>" \
        --package "libpam-bioapi" --description "PAM-module for BioAPI" \
        --version "0.2.1-1" --section admin --rootdir /tmp/pam_bioapi
- Install created package (libpam-bioapi_0.2.1-1_i386.deb)
- Remove /tmp/pam_bioapi
- Resolve your fingerprint reader’s module ID. You can use the following command (as root).
    BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"
  In my case this id is {5550454b-2054-464d-2f45-535320425350}. Create directory /etc/bioapi/pam/{5550454b-2054-464d-2f45-535320425350}.
- Run QSample (as root) to create fingerprint data for users that are allowed to authenticate with a fingerprint. Copy the created files (such as wnd.bir) to /etc/bioapi/pam/{5550454b-2054-464d-2f45-535320425350}/ (again as root). QSample writes those files to current working directory, if you’re wondering.
- Install the latest bioapi (1.2.3 as of 15 March 2006). You may want to consider copying QSample somewhere safe first.
Configure GDM to authenticate with a fingerprint
- Insert the following row to /etc/pam.d/gdm right above @include common-auth:
    auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
Allow luser-applications to use fingerprint reader
All you need to do is to allow lusers to read and write the fingerprint reader device. I created group bsp and added myself there. Then I wrote this script (to be copied to /etc/init.d) to set the permissions at start up. It probably doesn’t work after suspend; I haven’t tried that yet. Once the file is in place, run update-rc.d bsp defaults (as root). Finally run invoke-rc.d bsp start (as root).
Configure xscreensaver to authenticate with a fingerprint
- Make sure lusers can access the reader
- Download patched xscreensaver (or the patch and compile it yourself) from your best friend and install it. Consider putting the package on hold.
- Add alternativeAuth: True to your ~/.xscreensaver.
- Create /etc/pam.d/xscreensaver-alternative with the following content:
    auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
    @include common-auth
- Restart xscreensaver
If authentication doesn’t work, check /var/log/auth.log. If you get BioAPI error #194d the permissions are not properly set. If you are asked for a fingerprint after your password, you have edited the wrong file (like I did).
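The line order and the template directory from the steps above can be checked with a short script. This is an added example, not part of the original page or its linked scripts; the function names are made up here, and it assumes the PAM line layout shown above (module ID as the fourth field, base path as the fifth).

```shell
#!/bin/sh
# Added example: checks for the pam_bioapi setup. The sample PAM file below is
# constructed; pass a real file (e.g. /etc/pam.d/gdm) as $1 to check it instead.

# pam_order FILE -> "before", "after" or "missing": position of the first
# pam_bioapi auth line relative to the first "@include common-auth".
pam_order() {
    awk '
        $1 == "auth" && $3 ~ /pam_bioapi\.so$/ && !bio { bio = NR }
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }
        END {
            if (!bio || !inc) print "missing"
            else if (bio < inc) print "before"
            else print "after"
        }' "$1"
}

# template_dir FILE -> directory the module reads templates from, built from
# the module ID ($4) and base path ($5) on the pam_bioapi auth line.
template_dir() {
    awk '$1 == "auth" && $3 ~ /pam_bioapi\.so$/ {
             sub("/+$", "", $5); print $5 "/" $4; exit }' "$1"
}

# loose_templates DIR -> the directory and any *.bir in it that group or others
# can write. With "auth sufficient", whoever can write a template there can
# make their own finger match that user, so only root should have write access.
loose_templates() {
    find "$1" \( -type d -o -name '*.bir' \) \( -perm -020 -o -perm -002 \)
}

pam_file=${1:-}
if [ -z "$pam_file" ]; then            # no argument: use a constructed sample
    pam_file=$(mktemp)
    printf '%s\n' '#%PAM-1.0' \
        'auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/' \
        '@include common-auth' > "$pam_file"
    sample=1
fi
echo "pam_bioapi position: $(pam_order "$pam_file")"
dir=$(template_dir "$pam_file")
if [ -d "$dir" ]; then
    loose_templates "$dir" | sed 's/^/writable by group or others: /'
else
    echo "template directory not found: $dir"
fi
if [ -n "${sample:-}" ]; then rm -f "$pam_file"; fi
```

A result of "after" corresponds to being asked for the fingerprint only after the password; "missing" means the file does not contain both lines.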
Configuring powersave
- Install laptop-mode-tools, hdparm, radeontool, and hibernate
- Configure
- Tweak
Scripts for ACPI
Stuff implemented:
- Dimming the display backlight with Fn+F3
- Locking the screen (and turning off the backlight) when lid is closed
- Activating xscreensaver-prompt and turning on the backlight when lid is opened
Working, but not enabled here:
- Suspend-to-RAM with Fn+F4
- Toggle WLAN
- Toggle Bluetooth (works by default anyway)
First of all, my scripts assume certain ACPI events are caught as ibm/hotkey and not as button/lid, which laptop-mode-tools already catches. This can be changed by giving ibm-acpi the parameter hotkey=enable,0x0fef. Also make sure the module is loaded at startup. See /etc/modprobe.d/ibm-acpi.
The next thing would be to catch those events and have my script handle them. It should be easy to add other handlers there.
Finally, the actual scripts to Do Stuff(tm).
/usr/local/sbin/ibm-ati-powerstate.sh
/usr/local/sbin/ibm-common.sh
/usr/local/sbin/ibm-screen-backlight.sh
/usr/local/sbin/ibm-x-lock.sh
Remember the x-bit.
Acknowledgements
- Without http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p this page would probably never exist.
- http://www.thinkwiki.org/ was also a great help.
- My co-worker, Tuomas Kulve. Nice working with you. Thanks for testing the stuff on Debian etch.