Last active
March 20, 2023 16:18
-
-
Save ansulev/1155de2e2f2249f7273406793df467bd to your computer and use it in GitHub Desktop.
Install UEFI Arch Linux dual boot with Windows 10 on Thinkpad T480s. Full encrypted btrfs subvolume inside luks. UEFI and Secure Boot enabled.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Install Arch Linux dual boot with Windows 10 on Thinkpad T480s. Dec 2018. | |
# Full encrypted btrfs subvolume inside luks. UEFI and Secure Boot enabled. | |
# filename: install-arch-linux-on-btrfs-subvolume-inside-luks.txt | |
# The official guide: https://wiki.archlinux.org/index.php/Installation_Guide | |
# Last edit: 2021/10/11 (Work in priogress...) | |
# Shrink Windows partition to make room for the linux. | |
# Remove BitLocker encryption and Fast Boot. After install can re-enable BitLocker. | |
# Need to setup again Bitlocker, PIN, Fingerprint (tested on Win10 1803) | |
# Download the archiso image from https://www.archlinux.org/download/ | |
# Copy to a usb-drive | |
dd bs=16M if=archlinux.iso of=/dev/sdx status=progress oflag=sync # on linux | |
# Disable secure boot during install | |
# OR | |
# To boot with Secure boot enabled: | |
# Install preload-signed from AUR on existing arch system or copy the signed | |
lsblk | |
sudo mkdir /mnt/temp | |
sudo mount /dev/sdb2 /mnt/temp | |
cd /mnt/temp/EFI/boot/ | |
sudo cp /usr/share/preloader-signed/PreLoader.efi ./bootx64.efi | |
sudo cp /usr/share/preloader-signed/HashTool.efi ./ | |
sudo umount /mnt/temp | |
# On next reboot enroll the loader.efi and vmlinuz.efi and boot secure | |
# Boot from the usb. | |
# Set keymap | |
loadkeys us | |
# Connect to Internet: | |
# Ethernet - plug in the cable | |
# WLAN - use iwctl utility | |
# WWAN - use mmcli utility | |
# Connect to WLAN using wlan0: | |
iwctl | |
[iwd]# station wlan0 connect SSID | |
# enter the passphras | |
# or directly connect from zsh: | |
iwctl --passphrase passphrase station wlan0 connect SSID | |
# Check connection: | |
ping archilinux.org | |
# Use cfdisk to create linux partition on the freed space. | |
cfdisk /dev/nvme0n1 | |
# Create luks container. My linux partition is /dev/nvme0n1p4 | |
cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/nvme0n1p4 | |
# Open container | |
cryptsetup open /dev/nvme0n1p4 archlinux | |
# Create and mount btrfs filesystem | |
mkfs.btrfs --force --label archlinux -n 32k /dev/mapper/archlinux | |
o=defaults,x-mount.mkdir | |
o_btrfs=$o,compress=zstd,ssd,noatime,nodiratime,space_cache | |
mount -t btrfs LABEL=archlinux /mnt | |
# Create btrfs subvolumes | |
btrfs subvolume create /mnt/@ | |
btrfs subvolume create /mnt/@home | |
btrfs subvolume create /mnt/@snapshots | |
# Umount everything | |
umount -R /mnt | |
# Remount only the subvolumes | |
mount -t btrfs -o subvol=@,$o_btrfs LABEL=archlinux /mnt | |
mount -t btrfs -o subvol=@home,$o_btrfs LABEL=archlinux /mnt/home | |
mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=archlinux /mnt/.snapshots | |
# Mount EFI partition - in my case: /dev/nvme0n1p1 | |
mkdir /mnt/boot | |
mount /dev/nvme0n1p1 /mnt/boot | |
# Install base system | |
pacstrap /mnt base | |
# Generate fstab | |
genfstab -L -p /mnt >> /mnt/etc/fstab | |
cat /mnt/etc/fstab | |
....... | |
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | |
LABEL=archlinux / btrfs rw,noatime,compress=lzo,ssd,space_cache,subvolid=257,subvol=@ 0 0 | |
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | |
LABEL=archlinux /home btrfs rw,noatime,compress=lzo,ssd,space_cache,subvolid=258,subvol=@home 0 0 | |
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | |
LABEL=archlinux /.snapshots btrfs rw,noatime,compress=lzo,ssd,space_cache,subvolid=259,subvol=@snapshots 0 0 | |
# /dev/nvme0n1p1 UUID=xxxx-xxxx | |
LABEL=EFI /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2 | |
# swap in zram | |
#/dev/zram0 none swap defaults 0 0 | |
#/dev/zram1 none swap defaults 0 0 | |
# mysqltmp on /tmp (mysql is 973) | |
#tmpfs /var/lib/mysqltmp tmpfs rw,gid=973,uid=973,size=100M,mode=0750,noatime 0 0 | |
.... | |
# Notes: | |
# We don't use discard option for btrfs subvols. Will set later: systemctl enable fstrim.timer | |
# Set noatime,nodiratime,commit=60 for best performence. | |
# Using autodefrag on btrfs ssd is discused here: https://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg30749.html | |
# To set noCOW for BDs, VMs, Torrents dirs: chattr +C /dir/file | |
# Add root password and Boot into new system | |
# You may need to run 'rm /mnt/etc/securetty /mnt/usr/share/factory/etc/securetty' | |
# if you get 'Login incorrect' error | |
# Aditionally add these files to NoExtract in pacman.conf | |
systemd-nspawn -D /mnt | |
passwd | |
logout | |
systemd-nspawn -bD /mnt | |
# Generate and set default locale | |
vi /etc/locale.gen | |
# Uncomment en_US.UTF-8 | |
locale-gen | |
systemd-firstboot --prompt-locale | |
# Set time - Hardware clock to UTC. Need to setup Windows, too. TODO: Post the .reg file for Win | |
timedatectl set-ntp 1 | |
timedatectl set-timezone Europe/Madrid | |
#hwclock --systohc --utc | |
# Hostname | |
hostnamectl set-hostname myhostname | |
cat /etc/hosts | |
... | |
127.0.0.1 localhost.localdomain localhost | |
::1 localhost.localdomain localhost | |
127.0.1.1 myhostname.localdomain myhostname | |
... | |
# Install other needed packages | |
pacman -Syu base-devel btrfs-progs gptfdisk dosfstools efibootmgr os-prober grub intel-ucode iw iwd wpa_supplicant dialog | |
# Set virtual console | |
nano /etc/vconsole.conf | |
KEYMAP=us | |
FONT=latcyrheb-sun32 | |
# Create mkinitcpio.conf | |
vim /etc/mkinitcpio.conf | |
... | |
MODULES=(atkbd intel_agp i915) | |
BINARIES=(/usr/sbin/btrfs) | |
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck) | |
COMPRESSION="zstd" | |
COMPRESSION_OPTIONS=(-T0 -19) | |
... | |
mkinitcpio -P | |
# Create user | |
useradd -m -G wheel angel | |
passwd angel | |
# Install GRUB2 | |
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=ArchLinux --recheck | |
# Edit /etc/default/grub | |
... | |
GRUB_ENABLE_CRYPTODISK=y | |
GRUB_CMDLINE_LINUX_DEFAULT="acpi_osi=! acpi_osi='Windows2018' acpi=force acpi_enforce_resources=lax drm.vblankoffdelay=1 acpi_backlight=video i915.modeset=1 i915.enable_psr=1 i915.enable_guc=3 i915.enable_fbc=1 net.ifnames=0 spectre_v2=off nopti nowatchdog" | |
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p4:archlinux:allow-discards rd.luks.options=discards" | |
... | |
# Generate config file | |
grub-mkconfig -o /boot/grub/grub.cfg | |
# Exit nspawn, umount all and reboot | |
poweroff | |
umount -R /mnt | |
# Create keyfile for paswordless login | |
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin | |
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin | |
and add to /etc/mkinitcpio.conf | |
FILES=/crypto_keyfile.bin | |
run: | |
mkinitcpio -p linux | |
# Reboot again, you’ll only need to enter your password once. | |
reboot | |
# Secure keyfile and /boot | |
chmod 000 /crypto_keyfile.bin # actually, even root doesn't need to access this | |
#chmod -R g-rwx,o-rwx /boot # just to be safe TODO: Check the correct while /boot is EFI partition. | |
# Install the rest and configure the system | |
pacman -Syu | |
# Download yay helper from AUR | |
https://aur.archlinux.org/cgit/aur.git/snapshot/yay.tar.gz | |
# Install YAY as regular user (extract, run makepkg, pacman -U) | |
# Modify pacman.conf and add extra repos: | |
vim /etc/pacman.conf | |
... | |
XferCommand = /usr/bin/aria2c --allow-overwrite=true --continue=true --file-allocation=none --log-level=error --max-tries=2 --max-connection-per-server=2 --max-file-not-found=5 --min-split-size=5M --no-conf --remote-time=true --summary-interval=60 --timeout=5 --dir=/ --out %o %u | |
NoExtract = usr/lib/binfmt.d/wine.conf | |
NoExtract = usr/share/applications/wine.desktop | |
NoExtract = etc/securetty | |
NoExtract = usr/share/factory/etc/securetty | |
# Misc options | |
#UseSyslog | |
Color | |
#TotalDownload | |
CheckSpace | |
#VerbosePkgLists | |
ILoveCandy | |
[DEB_Arch_Extra] | |
SigLevel = Optional TrustAll | |
Server = https://mega.nz/linux/MEGAsync/Arch_Extra/$arch | |
[archlinuxcn] | |
Include = /etc/pacman.d/archlinuxcn-mirrorlist | |
#Server = http://repo.archlinuxcn.org/$arch | |
[chaotic-aur] | |
Include = /etc/pacman.d/chaotic-mirrorlist | |
[blackarch] | |
SigLevel = TrustAll | |
Include = /etc/pacman.d/blackarch-mirrorlist | |
#[archlinuxgr] | |
#SigLevel = Optional TrustAll | |
#Server = http://archlinuxgr.tiven.org/archlinux/$arch | |
#[archstrike] | |
#Server = https://mirror.archstrike.org/$arch/$repo | |
#[muflone-aur] | |
#SigLevel = Required | |
#Server = https://www.muflone.com/repositories/archlinux/$repo/$arch | |
#[sublime-text] | |
#Server = https://download.sublimetext.com/arch/dev/x86_64 | |
... | |
# X server | |
pacman -S xorg-server xorg-xinit xf86-video-intel xf86-video-fbdev xorg-xrandr | |
# Terminals | |
pacman -S xterm rxvt-unicode terminator lxterminal screen tmux | |
# Fonts | |
pacman -S ttf-liberation ttf-droid ttf-hack terminus-font terminus-font-ttf | |
# Media (TODO: PulseAudio for bluetooth) | |
pacman -S alsa-utils alsa-plugins alsa-firmware | |
# Install OpenBox WM and few applications (or i3 or xfce4 - TODO:) | |
yay -S openbox tint2 udevil conky dmenu compton volumeicon scrot slock feh xarchiver cups-pdf sane | |
yay -S clipit scite spacefm-git redshift perwindowlayoutd gxkb nitrogen gpicview viewnior mtpaint | |
TODO: | |
Configure Power, Performance, ThinkPad specific, Btrfs specific, Xorg settings, User settings (dotfiles) | |
# EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment