
Arch Linux Installation Guide (UEFI + Secure Boot + Full Disk Encryption)

Download Arch Linux ISO

  1. Download *.iso and *.iso.sig from https://archlinux.org/download/
  2. Verify the sha256 checksum
  3. Verify signature: gpg --keyserver-options auto-key-retrieve --verify *.iso.sig

Create Virtual Machine in virt-manager (optional)

  • Firmware: OVMF_CODE.secboot.fd
  • Add TPM v2

Installation

Set keyboard layout

loadkeys de

Verify boot mode

ls /sys/firmware/efi/efivars

Connect to wifi network

iwctl --passphrase $(gpg -d wifi_key.txt.gpg) station wlan0 connect-hidden <ssid>

Update system clock

timedatectl set-ntp true

Partition the disks

  1. cfdisk /dev/vda
  2. Select gpt
  3. Create a 300M EFI System partition (/dev/vda1, mounted at /boot/efi)
  4. Create a 300M Linux filesystem partition (/dev/vda2, mounted at /boot)
  5. Create a Linux filesystem partition (/dev/vda3, opened as /dev/mapper/root and mounted at /)
  6. Write changes and exit

Format the partitions

# cryptsetup -y -v luksFormat /dev/vda3
# cryptsetup open /dev/vda3 root
# mkfs.ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt

# mkfs.ext4 /dev/vda2
# mount -m /dev/vda2 /mnt/boot

# mkfs.fat -F32 /dev/vda1
# mount -m /dev/vda1 /mnt/boot/efi

Install essential packages

  1. Select mirrors in /etc/pacman.d/mirrorlist (optional)
  2. Enable ParallelDownloads in /etc/pacman.conf (optional)
  3. pacstrap /mnt base base-devel linux linux-firmware grub efibootmgr neovim git sudo networkmanager man-db wget sbsigntools

Configure the system

# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
# ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
# hwclock --systohc
# nvim /etc/locale.gen  # uncomment your locales
# locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# echo KEYMAP=de-latin1 > /etc/vconsole.conf
# echo arch > /etc/hostname
# systemctl enable NetworkManager
# passwd

Configure mkinitcpio

Add the keyboard, keymap and encrypt hooks to /etc/mkinitcpio.conf:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

Run mkinitcpio -P

Generate Secure Boot Keys

Setup Secure Boot in VM (optional)

# mkdir -p /root/SecureBoot/VM
# cd /root/SecureBoot/VM
# openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 3650 -out PK.crt
# openssl x509 -in PK.crt -outform der -out PK.der
# wget -Ux https://www.microsoft.com/pkiops/certs/Mic{CorKEKCA2011_2011-06-24,WinProPCA2011_2011-10-19,CorUEFCA2011_2011-06-27}.crt
# mkdir -p /boot/efi/SecureBoot/
# cp PK.der Mic*.crt /boot/efi/SecureBoot/

Generate Machine Owner Key

# mkdir -p /root/SecureBoot
# cd /root/SecureBoot
# openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
# openssl x509 -outform DER -in MOK.crt -out MOK.cer
# mkdir -p /boot/efi/SecureBoot/
# cp MOK.cer /boot/efi/SecureBoot/

Setup GRUB

  1. Get device uuid of /dev/vda3: blkid -s UUID -o value /dev/vda3
  2. Add kernel parameters in /etc/default/grub (replace device-UUID):
    cryptdevice=UUID=device-UUID:root root=/dev/mapper/root
    
  3. Uncomment/add GRUB_DISABLE_OS_PROBER=false to /etc/default/grub
  4. cd into /root/SecureBoot (the directory holding MOK.key and MOK.crt, which the script references by relative path) and create the file build_grub.sh:
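    #!/bin/bash
    # Build a standalone GRUB image with the generated grub.cfg embedded,
    # then sign it and the kernel with the Machine Owner Key.
    #
    # Run as root from the directory that holds MOK.key and MOK.crt
    # (the guide keeps them in /root/SecureBoot); output goes under /boot.
    # Abort on the first failed command so that a broken or empty config
    # is never built into, and then signed as, the boot image.
    set -euo pipefail
    
    output=/boot/efi/EFI/shim/grubx64.efi
    mok_key=MOK.key
    mok_cert=MOK.crt
    
    # The generated config only exists in a temp file; remove it on every
    # exit path (including a failed grub-mkconfig), not just on success.
    config=$(mktemp)
    cleanup() { rm -f -- "$config"; }
    trap cleanup EXIT
    
    grub-mkconfig -o "$config"
    
    grub-mkstandalone -O x86_64-efi -o "$output" \
      --sbat /usr/share/grub/sbat.csv \
      --modules="pgp part_gpt part_msdos fat ext2 configfile gcry_sha256 gcry_rsa password_pbkdf2 normal linux all_video search search_fs_uuid reboot sleep loadenv minicmd test echo font" \
      "boot/grub/grub.cfg=$config" -v
    
    # Sign in place: the output path is the input path for both files.
    for file in /boot/vmlinuz-linux "$output"; do
      sbsign --key "$mok_key" --cert "$mok_cert" --output "$file" "$file"
    done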
    
  5. Build grub and add it to UEFI:
    # chmod +x build_grub.sh
    # mkdir -p /boot/efi/EFI/shim/
    # ./build_grub.sh
    # efibootmgr -v -d /dev/vda -c -L GRUB -l /EFI/shim/grubx64.efi
    
  6. Create the file /etc/pacman.d/hooks/999-sign_kernel_for_secureboot.hook:
    [Trigger]
    Operation = Install
    Operation = Upgrade
    Type = Package
    Target = linux
    Target = linux-lts
    Target = linux-hardened
    Target = linux-zen
    
    [Action]
    Description = Signing kernel with Machine Owner Key for Secure Boot
    When = PostTransaction
    Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --cert /root/SecureBoot/MOK.crt --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /root/SecureBoot/MOK.key --cert /root/SecureBoot/MOK.crt --output {} {}; fi' ;
    Depends = sbsigntools
    Depends = findutils
    Depends = grep

Exit chroot and reboot

# exit
# umount -R /mnt
# cryptsetup close root
# reboot

Create user

# useradd -m -s /bin/bash -G wheel user
# passwd user
# nvim /etc/sudoers  # uncomment wheel privileges

Install paru and shim

# su user
$ cd $(mktemp -d)
$ git clone https://aur.archlinux.org/paru-bin.git
$ cd paru-bin
$ makepkg -si
$ paru -S shim-signed
$ exit
# cp /usr/share/shim-signed/{shimx64,mmx64}.efi /boot/efi/EFI/shim/
# efibootmgr -v -d /dev/vda -c -L Shim -l /EFI/shim/shimx64.efi

Reboot and setup Secure Boot

  1. Run efibootmgr -n0 so the next boot enters the UEFI setup
  2. reboot
  3. Setup secure boot in uefi
  4. Reboot to shim
  5. Enroll key from disk: SecureBoot/MOK.cer
  6. Reboot
  7. Find bootnum of GRUB: efibootmgr -v
  8. Remove GRUB from UEFI: efibootmgr -B -b xxxx (xxxx is the bootnum found in step 7)

Links

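#!/bin/bash
# Build a standalone GRUB image with the generated grub.cfg embedded,
# then sign it and the kernel with the Machine Owner Key.
#
# Run as root from the directory that holds MOK.key and MOK.crt
# (the guide keeps them in /root/SecureBoot); output goes under /boot.
# Abort on the first failed command so that a broken or empty config
# is never built into, and then signed as, the boot image.
set -euo pipefail

output=/boot/efi/EFI/shim/grubx64.efi
mok_key=MOK.key
mok_cert=MOK.crt

# The generated config only exists in a temp file; remove it on every
# exit path (including a failed grub-mkconfig), not just on success.
config=$(mktemp)
cleanup() { rm -f -- "$config"; }
trap cleanup EXIT

grub-mkconfig -o "$config"

grub-mkstandalone -O x86_64-efi -o "$output" \
  --sbat /usr/share/grub/sbat.csv \
  --modules="pgp part_gpt part_msdos fat ext2 configfile gcry_sha256 gcry_rsa password_pbkdf2 normal linux all_video search search_fs_uuid reboot sleep loadenv minicmd test echo font" \
  "boot/grub/grub.cfg=$config" -v

# Sign in place: the output path is the input path for both files.
for file in /boot/vmlinuz-linux "$output"; do
  sbsign --key "$mok_key" --cert "$mok_cert" --output "$file" "$file"
done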