Step 0: Build environment

The standard build environment assumes you have three computers more or less dedicated to managing your DeityGuard installation (in addition to the actual client machines that will be running DeityGuard). In the network diagram below, the exterior machine is your main workstation (where you edit configuration files and such), the interior machine is the build host (notice the lack of Internet connection), the httpserv machine is used to serve DeityGuard output files to the LAN segment, and the client machine is an example client (you would connect each client machine to the interior machine in turn for flashing).

                            /(DVD reader)          /(DVD burner)
                           /                      /
    |                     | |                     |
    |                     |F|                     |
    |                     |L|                     |
    |                     |A|                     |
    |                     |S|                     |
    |                   \ |H| /                   |
    |                    \| |/                    |
    |                     \ /                     |
    |                      |                      |
    |                   [client]                  |
    |                      |                      |
    |                      |                      |
    |                      |                      |
    \--------------------------------------------------- LAN (DHCP + Internet)

The links labelled ithird in the diagram should be unidirectional ethernet cables that are connected to the machines with a USB ethernet adapter at each end. If you don’t have (and don’t want to make) unidirectional ethernet cables (see Third Idea), you can use regular ethernet cable for the ithird links (with a reduction in the security factor).

The interior machine must also have a USB DVD (reader) drive, and the exterior machine must have the capability to burn a DVD. The DVD reader pictured in the diagram is in addition to the built-in drive used to boot the LiveCD. The DVD is just used once (per boot of the interior machine) to bootstrap the ithird link that will be used to transfer more data.

The 4-deploy script fully manages the interior and httpserv machines. Boot up the Ubuntu 7.10 LiveCD (link here) on these machines and select Try Ubuntu. This guide assumes that these machines have exactly one hard disk that appears as /dev/sda in the OS.

The exterior machine is not fully managed; since it is assumed that the exterior machine is a multi-purpose workstation, dg-setup does not take the liberty of installing software on it. The exterior machine must be able to run debootstrap and xorriso so install the appropriate packages in your OS (yes, debootstrap is available on at least some non-Debian distributions; e.g., Gentoo).

Step 1: exterior machine

Starting on the exterior machine, let’s unpack the 4-deploy directory from the DeityGuard source archive into the current directory. (Don’t just cd into 4-deploy as the script will expect ./deityguard.tar.xz to exist).

tar -xf ./deityguard.tar.xz --strip-components=2 deityguard/4-deploy/

Next, you must create a configuration file for ./

nano -w ./

And write in:


Fill in the dots as appropriate. DG_SETUP_EXTERIOR_ISO_DEV must point to the DVD burner drive on the exterior machine; use ls -alh /dev/disk/by-id to discover the appropriate device name. The DG_SETUP_..._ITHIRD_INTERFACE_... variables must be network interface names; use busybox ifconfig -a on the appropriate machines to discover these.

Also, you may have to tune the following file:

nano -w ./overlay/2-fingen/config/

Change to an address on your LAN segment that will never be assigned by DHCP (for example, on my LAN the DHCP server is configured to assign only addresses in the range to If you don’t know how to configure your LAN’s DHCP server, you can just pick a random address and hope there won’t be a conflict, or that conflicts will be avoided by some form of duplicate address detection at some level. Further on this guide, you will later have to configure httpserv to use the same address as that set in

Finally, edit the following file:

nano -w ./overlay/2-fingen/local/

Set the ITHIRD_INTERFACE variable to the network interface name corresponding to the httpserv side of the ithird link to the interior machine. As before, you can use busybox ifconfig -a on the httpserv machine to determine the interface name.

Now, the interior machine needs to have some additional packages installed that aren’t present on the LiveCD. The “no Internet” security rule prevents us from simply using apt-get install. Instead, we will have the exterior machine prepare a DVD disc with the required packages (and additional needed DeityGuard-related files). First, let’s build the package:


Next, insert a blank DVD+/-R disc or an erasable DVD+/-RW disc into the DVD burner of the external machine and do:

./ isowren

Step 2: interior machine

Switching to the interior machine, insert the above written DVD in the external drive, wait for it to automount, open a terminal, and do:

cd /media/ubuntu/ISOIMAGE

After installing some packages, the script should drop you to a shell instructing you to “format /dev/sda”. These steps are considered too dangerous to automate, so, the first time only, enter the following:

sudo cryptsetup luksFormat /dev/sda
sudo cryptsetup luksOpen /dev/sda sda
sudo mkfs.ext4 /dev/mapper/sda
sudo cryptsetup luksClose sda

The passphrase must be literally a single x character (unless you update GLOBAL_STORAGE_PASSPHRASE in the script as well). Encryption is mainly used here to prevent things like automount, and not for any real security benefit – though if you are concerned about malicious drive firmwares tampering with the build data, then using a strong passphrase may help with that. Once you are finished, type Control-D to exit the shell. On subsequent invocations of you should not reformat and just type Control-D to continue the script (unless you really want to start the build over from a blank slate).

Next, the script should configure the “third idea” receiver and pop up a dg_ithird xterm window that allows you to view third idea transfer progress. It will then drop you to a shell instructing you to “wait for transfer completion”.

Step 3: exterior machine

Back to the exterior machine. It’s now necessary to prefetch the sources for DeityGuard. This essentially runs the world_dryrun target of DeityGuard:

./ prefetch

Now we’re ready to transfer the fetched source files to the interior machine:

./ transfer

Step 4: interior machine

Once you see the line “tar_exit_0” in the dg_ithird xterm window, you know that the transfer completed successfully. Hit Control-D in the shell to continue the script. It will then drop you to a shell instructing you to “interface with gengen”. Here you do:

. ./
dg_locally_gengen_gentoo_stage3 world-libressl
touch ./local/unikitmaybeyes
dg_locally_gengen_gentoo_world world-{purge,libressl,selfhost,anybase,netsurf,workstation,misc,firefox,chromium}

See the Recipe page for details on what these commands do. You can also chain them together into a single command with the && operator. This is great for letting the build complete unattended but may make it more difficult to determine what is going on if you do encounter an error.

Now hit Control-D in the shell to continue the script. It will then drop you to a shell instructing you to “interface with fingen”. However, fingen needs to be able to upload DeityGuard files to httpserv which we haven’t configured yet! On to …

Step 5: httpserv machine

Since there is Internet on this machine, you can download the DeityGuard archive. Then unpack the 4-deploy contents just like on the external machine:

tar -xf ./deityguard.tar.xz --strip-components=2 deityguard/4-deploy/

Next, you must create a configuration file for

nano -w ./

And write in:


By now, filling in the dots should be a walk in the park. You should also change the ADDRESS and NETMASK as appropriate for you LAN configuration. The script will create an interface alias with the given address, so the httpserv machine will end up with two addresses on the LAN - one assigned by DHCP and the “fixed” address used for communicating with DeityGuard clients.

Next, do:


It will then drop you to a shell instructing you to “format /dev/sda”. Same as above and hit Control-D. This should result in a pair of xterm windows - one for monitoring the “third idea” transfers from the interior machine and one for monitoring the busybox httpd output to see the requests made by DeityGuard clients. Now we’re ready for …

Step 6: interior machine


ls ./config

to see the available configurations. The test configurations helpfully begin with "test-". Attach the flashing apparature for a particular client and do:

./ ./config/... flash

When this completes, you should be ready to boot the DeityGuard client!

A few more tips …

Surprise! isn’t just for one-time automation a default installation of DeityGuard. Beyond that, it’s also designed to resume properly after you make your own changes/updates to DeityGuard.

The overlay directory is fully general mechanism for overriding any file in the DeityGuard source distribution - simply copy a source file to the corresponding place under overlay and edit it.

Here are some more tips on how to do all that. (This page focuses on the mechanics of using - for tips on how to actually make modifications to the DeityGuard code, see the Internals page).

How to rerun …

If you made changes that affected the portage world package selection or portage USE flags, do, on the external machine:

./ prefetch

This will update the source package cache on the external machine. Then:

./ transfer

This will (incrementally) transfer any new files to the internal machine. After the transfer completes, you’re ready to continue the script on the internal machine and interface with gengen and fingen as necessary. Whether it worked or not, rinse and repeat!

Faster debugging cycles

For the common case of debugging failures in the gengen phase, even spinning through can be too much work. Just run ./ transfer on the exterior machine to transfer in your new code and use the following alias on the internal machine to update the local copy of gengen in-place:

. ./

The equivalent update command for the fingen phase is:


Also, in the gengen phase, you can do:

. ./
dg_setup_reload both

to update both gengen and fingen in one command.

Alternating between gengen and fingen

Once you’ve run through dg-setup a few times and got the feel of things you can mostly forget about dg-setup. After the first run of dg-setup gets everything mounted and running you can just cd into the appropriate gengen and fingen directories in two separate terminals and take it from there without dg-setup. When entering the gengen directory without dg-setup about the only thing that you should need to do extra is:


It’s really only necessary to run dg-setup again if the “third idea” client loses sync (which should be extremely rarely now since the repeated transmission parameters have been tuned to extremely conservative values).

Running fingen only after a restart

If you restart the interior machine, and you don’t enter a gengen command, fingen won’t be able to run because the backing image that stores all of gengen’s build products will not have been mounted. So here’s how you can achieve a “nop” in the gengen interfacing phase that does nothing more than open up backing image properly:

. ./

By the way, “ex” stands for “exact” - because any appended arguments are passed through to gengen without any mediation by the aliases layer. Without arguments, gengen will just open the backing image and ensure that some subset of the source archives are present (specifically, those hardcoded into gengen and those required for building buildroot – but not those required for building Gentoo; only the world_dryrun target does that because emerge is so slow).

Upgrading the portage snapshot

Gentoo releases a new portage snapshot daily. DeityGuard never upgrades the portage snapshot of its own volition. Thus you must take action to upgrade the portage snapshot regularily or you will soon be running outdated software with known vulnerabilities. To upgrade the portage snapshot, do, on the exterior machine:

./ prefetch -kill-portage

As usual, this would be followed by:

./ transfer

to transfer any new/changed files. Then, on the interior machine, in the gengen interfacing phase, do:

. ./

The above command will unpack the new portage snapshot and also run the world target and thus rebuild everything that has newer versions in the fresh portage tree. You can also mutate the set of active wunst keywords by appending world- arguments to the portage target just the same as you can do using the world target directly.

Pruning unused files

By default, DeityGuard keeps any downloaded source files indefinitely (apart from portage snapshots, which are always overwritten). This is because you may sometimes want to drop certain targets from your build and later add them back and this should not necessitate downloading the sources of those targets again. So with DeityGuard you must explicitly specify when you want source file pruning to happen (and you should probably only do so at times when you have everything you want building properly).

To prune unused source files on the exterior machine, do:

./ prefetch prune

To prune unused source files on the interior machine, do, in the gengen interfacing phase:

. ./
dg_gengen_locally_gentoo_world_dryrun prune