|
1 | 1 | # Installing on a physical machine |
| 2 | + |
| 3 | +## Getting and preparing the install media |
| 4 | + |
| 5 | +Follow the instructions to [get an IncusOS image](../download.md). |
| 6 | + |
| 7 | +If installing the machine using a virtual CD-ROM drive, use the ISO format. |
| 8 | +If installing using a USB stick or a virtual USB drive, use the raw image format. |
| 9 | + |
| 10 | +When using the raw image, make sure it's written directly to the device, |
| 11 | +no changes should be made to the built-in partitions or data. |
| 12 | + |
| 13 | +Once ready, connect the USB stick or attach the virtual media and reboot the server into its firmware menu (BIOS). |
| 14 | + |
| 15 | +## Configuring the BIOS |
| 16 | + |
| 17 | +Every vendor uses a different firmware configuration layout, but in general, there are three things to configure: |
| 18 | + |
| 19 | +- Enable the TPM 2.0 device (if not already enabled) |
| 20 | +- Turn on and configure Secure Boot |
| 21 | +- Change the boot order to boot from the install media |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +Secure Boot is the trickiest one of those and exact options vary between vendors. |
| 26 | + |
| 27 | +There are two main options when it comes to Secure Boot: |
| 28 | + |
| 29 | +- Manually clear some of the existing keys and enroll the IncusOS ones |
| 30 | +- Clear everything and put the system in Setup Mode |
| 31 | + |
| 32 | +Secure Boot Setup Mode is the easiest as it's often just one option to |
| 33 | +select and the system will then boot with an empty Secure Boot state, |
| 34 | +allowing the IncusOS install media to enroll the keys directly. |
| 35 | + |
| 36 | +The downside to this approach is that all preexisting keys get removed. |
| 37 | +This is fine in most situations, but in some scenarios you may have |
| 38 | +hardware which requires firmware components to be loaded during boot, |
| 39 | +this includes some network cards and storage controllers. |
| 40 | + |
| 41 | +In those scenarios, you'll want to instead manually enroll the IncusOS |
| 42 | +KEK and DB keys, assuming your firmware provides an option for this. |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +The install media contains a `keys` folder which has the `.der` version |
| 47 | +of all three keys that need to be enrolled. Exact mechanism for manual |
| 48 | +enrollment varies widely between vendors. |
| 49 | + |
| 50 | +Once the Secure Boot configuration is complete, go to the boot order |
| 51 | +page and make sure that the system will boot from the install media, |
| 52 | +then finally save all settings and reboot the system. |
| 53 | + |
| 54 | +## IncusOS installation |
| 55 | + |
| 56 | +Depending on Secure Boot settings, the system will now either directly |
| 57 | +boot into the installer, or it will first handle key import, then reboot |
| 58 | +and boot into the installer. |
| 59 | + |
| 60 | +When handling key import (when using Setup Mode), a countdown will show |
| 61 | +up, at the end of which the system will import the keys and reboot. |
| 62 | + |
| 63 | +At the end of the installation, you will be prompted to disconnect the |
| 64 | +install media, the system will then reboot into the installed IncusOS |
| 65 | +system. |
| 66 | + |
| 67 | +## IncusOS is ready for use |
| 68 | + |
| 69 | +After reboot, IncusOS will perform its first boot configuration. Once complete, follow the instructions for [accessing the system](../access.md). |
| 70 | + |
| 71 | + |
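Review bot: The number of keys to enroll is inconsistent in the "Configuring the BIOS" section. The manual path says to "manually enroll the IncusOS KEK and DB keys", which names two keys, but the following paragraph says the `keys` folder has the `.der` version of "all three keys that need to be enrolled". Please name all three keys and state which of them the manual path requires, so that someone keeping their vendor keys for network card or storage controller firmware knows exactly what to enroll and what to leave in place. Two smaller style points: "make sure it's written directly to the device, no changes should be made to the built-in partitions or data" is a comma splice and reads better as two sentences, and the text switches between "firmware menu (BIOS)", "firmware configuration" and the heading "Configuring the BIOS", so consider settling on one term.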