a3nm's blog

Debian on Raspberry Pi 3

— updated

I have a Raspberry Pi 3 and I wanted to install Debian on it. I know about Debian derivatives for the Raspberry Pi, such as Raspbian, but what I don't like about them is that I have to use a special APT repository, and have to trust images generated by these people. I already trust Debian, so why not install Debian on my Raspberry Pi as well?

Debian has a wiki page about the Raspberry Pi 3, but it looked pretty experimental. I tried it out, and I'm happy to report that I got it to work: generating the image myself, booting it up, and using the resulting system.

To generate the image, I just followed the instructions here. I fell into some traps, but @stapelberg just accepted my pull request to document them, so you can just follow the instructions and hopefully they should work.

Once the image is successfully generated in raspi3.img, you can simply write it to the SD card as explained in the instructions. For the last step, if your local network doesn't resolve the rpi3 hostname (mine didn't), you can simply use nmap to find its IP. Of course, don't do this if the administrator of your local network could be worried about a network scan, and adapt it to your IP range:

sudo nmap -p0

Then you can use the system. What I didn't test:

  • HDMI: there was no HDMI signal (i.e., no video display), I don't know whether this is a known limitation or a bug, and whether the system can be made to use the video. I didn't need it, so I didn't investigate. Testing again, there seems to be a video signal after all: you can see the TTY prompt. However, while booting, there is no information displayed about what happens during the boot process, so you can't hope to debug anything from the display if booting fails.
  • Bluetooth and Wifi: there are comments about it here, but I didn't investigate either.
  • CSI, DSI, GPIO, sound, composite, etc.

What I did test:

  • Booting the system, network, SD card
  • Moving to non-snapshotted repositories for buster, doing apt-get update, apt-get dist-upgrade and rebooting (it still works)
  • USB port: mounting an USB mass storage device (USB key).
  • Reading the CPU temperature: this does not work currently, I get an error when trying to cat /sys/devices/virtual/thermal/thermal_zone0/temp, but it seems that a patch was checked in so it should work eventually.
  • Running stress -c 4 -i 10 -m 2 -d 10 --timeout 300, which worked OK.
  • Running cryptsetup. The results of cryptsetup benchmark are below. They are not great (probably due to the lack of hardware crypto support on the Raspberry Pi?). They probably mean that the CPU will be the bottleneck when reading/writing to an encrypted hard drive.
PBKDF2-sha1        92564 iterations per second for 256-bit key
PBKDF2-sha256     138115 iterations per second for 256-bit key
PBKDF2-sha512      96946 iterations per second for 256-bit key
PBKDF2-ripemd160   75155 iterations per second for 256-bit key
PBKDF2-whirlpool   33505 iterations per second for 256-bit key
#     Algorithm | Key |  Encryption |  Decryption
        aes-cbc   128b    14.7 MiB/s    16.1 MiB/s
    serpent-cbc   128b    12.8 MiB/s    13.6 MiB/s
    twofish-cbc   128b    15.3 MiB/s    16.3 MiB/s
        aes-cbc   256b    11.1 MiB/s    12.3 MiB/s
    serpent-cbc   256b    12.8 MiB/s    13.6 MiB/s
    twofish-cbc   256b    15.2 MiB/s    16.3 MiB/s
        aes-xts   256b    15.7 MiB/s    16.3 MiB/s
    serpent-xts   256b    13.9 MiB/s    14.0 MiB/s
    twofish-xts   256b    16.9 MiB/s    17.1 MiB/s
        aes-xts   512b    11.6 MiB/s    12.4 MiB/s
    serpent-xts   512b    13.9 MiB/s    14.0 MiB/s
    twofish-xts   512b    16.9 MiB/s    17.1 MiB/s

I just noticed that there are some default iptables rules (v4, v6) which prevent remote SSH connections. Hence, if you want to connect to your Raspberry Pi remotely, once you have made sure that it is secure to do so (in particular, changed the default password), you can issue:

sudo iptables -D INPUT 6
sudo ip6tables -D INPUT 4

You should also update /etc/iptables/rules.v4 and /etc/iptables/rules.v6 accordingly (remove the line with REJECT in each file).

comments welcome at a3nm<REMOVETHIS>@a3nm.net