Skip to content

Instantly share code, notes, and snippets.

@jirutka

jirutka/arch-linux-installation.md

Last active December 13, 2023 01:09
Show Gist options
  • Save jirutka/a914c442f42f78a8a22847d57ba3900d to your computer and use it in GitHub Desktop.
Save jirutka/a914c442f42f78a8a22847d57ba3900d to your computer and use it in GitHub Desktop.
Download ZIP
My notes for installing Arch Linux on encrypted Btrfs with UEFI Secure Boot on ThinkPad T14s
Raw
arch-linux-installation.md

Arch Linux Installation

1. Securely erase drive

cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1 to-be-wiped
dd if=/dev/zero of=/dev/mapper/to-be-wiped bs=1M status=progress
cryptsetup close to-be-wiped
wipefs -a /dev/nvme0n1

References

2. Create partition table

Kernel will be stored on EFI System Partition.

Number  Size       Name  Flags
1       1024 MiB   efi   boot, esp
3        -1   MiB  data

3. Create filesystems

  1. Format EFI partition with FAT32:

     mkfs.fat -F 32 -n EFI /dev/nvme0n1p1

  2. Format data partition with LUKS:

     cryptsetup luksFormat -i 5000 --label system-luks /dev/nvme0n1p2
 cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/nvme0n1p2 system

  3. Create Btrfs on LUKS:

     mkfs.btrfs -L system /dev/mapper/data

  4. Mount Btrfs:

     mount -t btrfs -o autodefrag,compress=zstd:1,noatime,space_cache,ssd /dev/mapper/system /mnt

  5. Create subvolumes:

     cd /mnt
 btrfs subvolume create @
 btrfs subvolume create @home

  6. Prepare mount points:

     mkdir /mnt/@/boot
 chmod 000 /mnt/@/boot
 mkdir /mnt/@/home
 chmod 000 /mnt/@/home

  7. (Re)mount filesystems:

     umount /mnt
 mount -t btrfs -o autodefrag,compress=zstd:1,noatime,space_cache,ssd,,subvol=@ /dev/mapper/system /mnt
 mount -t btrfs -o autodefrag,compress=zstd:1,noatime,space_cache,ssd,,subvol=@home /dev/mapper/system /mnt/home
 mount /dev/nvme0n1p1 /mnt/boot

Considerations:

  • The default and recommended cipher is AES-XTS.
  • AMD Ryzen 7 4750U has SHA extension that accelerates SHA-1 and SHA-256, but not SHA-512 – better to use SHA-256 (which is also LUKS default).
  • The default key size is 512b for XTS, which is effectively 256b due to key splitting. Fedora uses 512b as well.
  • Iteration time is recommended 5000 in the articles above, default is 2000.
  • My Samsung NVMe disk supports only 512 bytes block size.

References

4. Install and configure Arch

  1. Install essential packages:

     pacstrap /mnt base linux linux-firmware btrfs-progs amd-ucode efibootmgr vim

  2. Generate fstab:

     genfstab -U /mnt >> /mnt/etc/fstab

  3. chroot into:

     arch-chroot /mnt

  4. Configure time:

     ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime
 hwclock --systohc

  5. Configure locale:

     # edit `/etc/locale.gen` and uncomment `en_US.UTF-8 UTF-8`
 locale-gen
 echo "LANG=en_US.UTF-8" > /etc/locale.conf

  6. Configure hostname and hosts:

     echo your-hostname > /etc/hostname
 printf "127.0.0.1\tlocalhost\n::1\tlocalhost\n" >> /etc/hosts
 printf "127.0.0.1\tyour-hostname.local your-hostname\n::1\tyour-hostname.local your-hostname\n" >> /etc/hosts

  7. Edit /etc/mkinitcpio.conf and regenerate initramdisk:

    • add vfat to MODULES
    • remove fsck from HOOKS, move keyboard after udev and add ecrypt after block
    • mkinitcpio -P

5. Setup EFI boot

Create boot entry:

efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux' --load /vmlinuz-linux --unicode 'cryptdevice=UUID=<LUKS-UUID>:system root=/dev/mapper/system rw rootflags=autodefrag,compress=zstd:1,noatime,space_cache,ssd,subvol=@ initrd=\amd-ucode.img initrd=\initramfs-linux.img' --verbose

efibootmgr --bootnum 0000 --active

References

6. Reboot

exit
umount /mnt/boot
umount /mnt/home
umount /mnt
cryptsetup close system
reboot

7. Install kernel module for WiFi card

  1. Install base-devel:

     pacman -S base-devel

  2. Clone, build and install rtw89-dkms-git from AUR:

     $ mkdir ~/pkgbuilds
 $ git clone https://aur.archlinux.org/packages/rtw89-dkms-git pkgbuilds/rtw89-dkms-git
 $ cd pkgbuilds/rtw89-dkms-git
 # Fix PKGBUILD to copy dkms.conf *after* copying files from rtw89 repository
 $ makepkg -si
 root# modprobe rtw89pci

Secure Boot – Part 1

  1. Install package efitools.

  2. Prepare directory for keys: install -d -m 700 /etc/efi-keys

  3. Backup vendor keys:

     mkdir -p /etc/efi-keys/vendor
 cd /etc/efi-keys/vendor
 for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done

  4. Download efi-mkkeys script:

     curl -o efi-mkkeys https://raw.githubusercontent.com/jirutka/efi-mkkeys/v0.1.0/efi-mkkeys
 chmod +x efi-mkkeys

  5. Generate self-signed PK, KEK and db key, including .esl and .auth files:

     ./efi-mkkeys -s "Your Name" -o /etc/efi-keys

  6. Clone, build and install sbupdate-git from AUR:

     $ git clone https://aur.archlinux.org/sbupdate-git.git pkgbuilds/sbupdate-git
 $ cd pkgbuilds/sbupdate-git
 $ makepkg -si

  7. Edit /etc/sbupdate.conf:

     BACKUP=1
 CMDLINE_DEFAULT="cryptdevice=UUID=<LUKS-UUID>:system root=/dev/mapper/system rw rootflags=autodefrag,compress=zstd:1,noatime,space_cache,ssd,subvol=@"
 CONFIGS["linux"]="linux linux-fallback"

  8. Sign kernel: sbupdate

  9. Add boot entry:

     efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux (default)' --load /EFI/Arch/linux-signed.efi --verbose

  10. Reboot system and verify that it boots.

SecureBoot – Part 2

  1. Reboot system and enter ThinkPad Setup (F1).
  2. Go to Security > Secure Boot
  3. Change Secure Boot to Enabled
  4. Reset to Setup Mode
  5. Go to Key Management
  6. Authorized Signature Database (DB)
    • Enroll DB > select your Flash Drive > select db.auth
    • Delete DB > delete Microsoft certificates
  7. Key Exchange Key (KEK)
    • Enroll KEK > select your Flash Drive > select KEK.auth
    • Delete KEK > delete Microsoft certificates
  8. Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth
  9. Go to top, Restart > Exit Saving Changes

SecureBoot – Part 3

  1. Move /boot/* to encrypted Btrfs and keep only /boot/EFI/Arch on the EFI partition:

     umount /boot
 mount LABEL=EFI /mnt
 chmod 755 /boot
 mv /mnt/*.img /mnt/vmlinuz-linux /boot/
 install -d -m 000 /boot/EFI
 mv /mnt/EFI/Arch /mnt/
 rmdir /mnt/EFI

  2. Change mountpoint for EFI partition in /etc/fstab from /boot to /boot/EFI.

  3. Edit /etc/sbupdate.conf:

     ESP_DIR="/boot/EFI"
 OUT_DIR="Arch"

  4. Delete and re-create boot entries:

     efibootmgr -b 0000 --delete-bootnum
 efibootmgr -b 0001 --delete-bootnum    
 efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux (default)' --load /Arch/linux-signed.efi --verbose
 efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux (fallback)' --load /Arch/linux-fallback-signed.efi --verbose

  5. Regenerate initramdisks:

     mkinitcpio -P
 sbupdate

References

@vutunganh
Copy link

One can use umount -R /mnt to unmount all of them at once.

@jirutka
Copy link
Author

jirutka commented Aug 9, 2021

One can use umount -R /mnt to unmount all of them at once.

This is not portable, BSD and Busybox umount doesn’t support -R option, that’s why I’m not used to it. However, Arch is GNU-based, so yeah, I could use that.

@shadow-asd
Copy link

failed at mkfs.btrfs -L system /dev/mapper/data
something about small size on mapper/data

@DamonLane
Copy link

Thanks for this, I found it very helpful! I appreciate starting with secure erase. I followed this so closely, with the official installation guide open in the background, that i neglected to set the root password before reboot.

I'm new to any kind of volumes, but shouldn't the path in step 3.3 match step 3.4? I used /dev/mapper/system for both.

My other suggestion would be to include "amd_pstate=passive" in the boot command. Apparently that has been needed since kernel 6 for the system to use the amd_pstates, My T14s uses quite a bit less power with that and I've seen using amd_pstates also gives higher performance per watt.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment