Install UEFI Arch Linux dual boot with Windows 10 on Thinkpad T480s. Full encrypted btrfs subvolume inside luks. UEFI and Secure Boot enabled.
# Install Arch Linux dual boot with Windows 10 on Thinkpad T480s. Dec 2018.
# Full encrypted btrfs subvolume inside luks. UEFI and Secure Boot enabled.
# filename: install-arch-linux-on-btrfs-subvolume-inside-luks.txt
# The official guide: https://wiki.archlinux.org/index.php/Installation_Guide
# Last edit: 2021/10/11 (Work in progress...)
# Shrink Windows partition to make room for the linux.
# Remove BitLocker encryption and Fast Boot. After install you can re-enable BitLocker.
# Back up the BitLocker recovery key first: changing Secure Boot state or the boot order typically
# changes the TPM measurements and BitLocker will ask for the recovery key on the next Windows boot.
# BitLocker, PIN and fingerprint need to be set up again afterwards (tested on Win10 1803).
# Download the archiso image from https://www.archlinux.org/download/ and verify its PGP signature
# (the .sig file next to it, gpg --verify) before writing it: the ISO is the root of trust for
# everything that follows.
# Copy to a usb-drive. Replace /dev/sdx with the stick (check with lsblk); dd overwrites the target without asking.
dd bs=16M if=archlinux.iso of=/dev/sdx status=progress oflag=sync # on linux
# Disable secure boot during install
# OR
# To boot with Secure boot enabled:
# Install preloader-signed from AUR on an existing Arch system, or copy the signed PreLoader.efi
# and HashTool.efi that package ships onto the USB stick's EFI partition (below it is /dev/sdb2;
# yours may differ, check with lsblk):
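# Identify the USB stick's EFI partition (here /dev/sdb2; verify before mounting).
lsblk
sudo mkdir -p /mnt/temp
sudo mount /dev/sdb2 /mnt/temp
# Copy with absolute paths instead of cd-ing into the mount: a shell whose cwd is
# inside /mnt/temp keeps the filesystem busy and the umount below fails with EBUSY.
# PreLoader becomes the default EFI loader (bootx64.efi); HashTool is used to enroll hashes.
sudo cp /usr/share/preloader-signed/PreLoader.efi /mnt/temp/EFI/boot/bootx64.efi
sudo cp /usr/share/preloader-signed/HashTool.efi /mnt/temp/EFI/boot/
sudo umount /mnt/temp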
# On the next reboot enroll loader.efi and vmlinuz.efi in HashTool (PreLoader starts it when the
# hash of the next stage is unknown), then boot with Secure Boot enabled. HashTool whitelists the
# SHA-256 of those exact binaries, so every later kernel or bootloader update changes the hash and
# has to be enrolled again, otherwise the boot is refused and you land back in HashTool.
# Boot from the usb.
# Set keymap
loadkeys us
# Connect to Internet:
# Ethernet - plug in the cable
# WLAN - use iwctl utility
# WWAN - use mmcli utility
# Connect to WLAN using wlan0:
iwctl
[iwd]# station wlan0 connect SSID
# enter the passphrase when prompted
# or connect non-interactively from the shell. Note the passphrase then ends up in the shell history
# and is visible to other users on the live system via ps while iwctl runs; prefer the prompt above:
iwctl --passphrase passphrase station wlan0 connect SSID
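# Check connection (domain fixed: archlinux.org; -c 3 stops ping after three packets
# instead of running until interrupted)
ping -c 3 archlinux.org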
# Use cfdisk to create linux partition on the freed space.
cfdisk /dev/nvme0n1
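# Create the LUKS container. My linux partition is /dev/nvme0n1p4.
# -c aes-xts-plain64 with -s 256 gives AES-128-XTS (XTS splits the key in two halves);
# -s 512 gives AES-256-XTS, which is also cryptsetup's current default for XTS.
# --align-payload=8192 aligns the data area to 4 MiB (8192 * 512-byte sectors) for the SSD.
# You are asked for the passphrase twice; choose a long one, it is what protects the disk
# once it leaves the laptop.
cryptsetup luksFormat --align-payload=8192 -s 512 -c aes-xts-plain64 /dev/nvme0n1p4
# Open container (appears as /dev/mapper/archlinux)
cryptsetup open /dev/nvme0n1p4 archlinux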
# Create and mount btrfs filesystem on the opened container
# --force: ignore any previous signature on the device; -n 32k: metadata node size
mkfs.btrfs --force --label archlinux -n 32k /dev/mapper/archlinux
# Shared mount options; x-mount.mkdir creates missing mountpoints (/mnt/home, /mnt/.snapshots)
o=defaults,x-mount.mkdir
# zstd compression, SSD tuning, no access-time updates (nodiratime is already implied by noatime)
o_btrfs=$o,compress=zstd,ssd,noatime,nodiratime,space_cache
# Mount the top-level volume once, only to create the subvolumes
mount -t btrfs LABEL=archlinux /mnt
# Create btrfs subvolumes: @ -> /, @home -> /home, @snapshots -> /.snapshots
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
# Umount everything (the top-level volume must not stay mounted at /mnt)
umount -R /mnt
# Remount only the subvolumes; order matters: / first, then the nested mountpoints
mount -t btrfs -o subvol=@,$o_btrfs LABEL=archlinux /mnt
mount -t btrfs -o subvol=@home,$o_btrfs LABEL=archlinux /mnt/home
mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=archlinux /mnt/.snapshots
# Mount EFI partition - in my case: /dev/nvme0n1p1
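# Mount the EFI system partition as /boot. The ESP is vfat, so file modes come only from
# the mount options: the default (fmask/dmask 0022) leaves the kernel and initramfs
# world-readable. 0077 makes them root-only; genfstab below carries the options into /etc/fstab.
mkdir -p /mnt/boot
mount -o fmask=0077,dmask=0077 /dev/nvme0n1p1 /mnt/boot
# Install base system. On current Arch the `base` metapackage does not include a kernel or
# firmware (check with pacman -Si base), so name them explicitly; btrfs-progs is needed for
# the root filesystem and the btrfs binary referenced by mkinitcpio.conf.
pacstrap /mnt base linux linux-firmware btrfs-progs
# Generate fstab (-L: LABEL= instead of UUID=) and review it
genfstab -L -p /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab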
.......
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
LABEL=archlinux / btrfs rw,noatime,compress=lzo,ssd,space_cache,subvolid=257,subvol=@ 0 0
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
LABEL=archlinux /home btrfs rw,noatime,compress=lzo,ssd,space_cache,subvolid=258,subvol=@home 0 0
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
LABEL=archlinux /.snapshots btrfs rw,noatime,compress=lzo,ssd,space_cache,subvolid=259,subvol=@snapshots 0 0
# /dev/nvme0n1p1 UUID=xxxx-xxxx
LABEL=EFI /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
# swap in zram
#/dev/zram0 none swap defaults 0 0
#/dev/zram1 none swap defaults 0 0
# mysqltmp on /tmp (mysql is 973)
#tmpfs /var/lib/mysqltmp tmpfs rw,gid=973,uid=973,size=100M,mode=0750,noatime 0 0
....
# Notes:
# We don't use discard option for btrfs subvols. Will set later: systemctl enable fstrim.timer
# Set noatime,nodiratime,commit=60 for best performance (commit=60 means up to a minute of writes can be lost on a crash).
# Using autodefrag on btrfs ssd is discussed here: https://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg30749.html
# To set noCOW for BDs, VMs, Torrents dirs: chattr +C /dir/file
# Add root password and Boot into new system
# You may need to run 'rm /mnt/etc/securetty /mnt/usr/share/factory/etc/securetty'
# if you get a 'Login incorrect' error: the nspawn console is not a tty listed in securetty,
# so pam_securetty refuses the root login.
# Additionally add these files to NoExtract in pacman.conf (see below) so a package update does not bring them back.
systemd-nspawn -D /mnt
passwd
logout
systemd-nspawn -bD /mnt
# Generate and set default locale
vi /etc/locale.gen
# Uncomment en_US.UTF-8
locale-gen
systemd-firstboot --prompt-locale
# Set time - Hardware clock to UTC. Need to setup Windows, too. TODO: Post the .reg file for Win
timedatectl set-ntp 1
timedatectl set-timezone Europe/Madrid
#hwclock --systohc --utc
# Hostname
hostnamectl set-hostname myhostname
cat /etc/hosts
...
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 myhostname.localdomain myhostname
...
# Install other needed packages
pacman -Syu base-devel btrfs-progs gptfdisk dosfstools efibootmgr os-prober grub intel-ucode iw iwd wpa_supplicant dialog
# Set virtual console
nano /etc/vconsole.conf
KEYMAP=us
FONT=latcyrheb-sun32
# Create mkinitcpio.conf
vim /etc/mkinitcpio.conf
...
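MODULES=(atkbd intel_agp i915)
BINARIES=(/usr/sbin/btrfs)
# `encrypt` is required to open the LUKS container named by cryptdevice= on the kernel
# command line; the original hook list lacked it, so the root device is never unlocked
# and boot fails. `keyboard` goes before it so the passphrase prompt works on USB keyboards.
# If a keyfile is embedded via FILES, the encrypt hook looks for /crypto_keyfile.bin by default.
HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)
COMPRESSION="zstd"
COMPRESSION_OPTIONS=(-T0 -19)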
...
mkinitcpio -P
# Create user
useradd -m -G wheel angel
passwd angel
# Install GRUB2. This writes an unsigned grubx64.efi under /boot/EFI/ArchLinux; with Secure Boot on
# via PreLoader its hash must be enrolled in HashTool, and again after every grub update.
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=ArchLinux --recheck
# Edit /etc/default/grub
...
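# Harmless but unnecessary here: /boot is the plain ESP, so GRUB itself never opens the LUKS volume.
GRUB_ENABLE_CRYPTODISK=y
# Removed from the original: `spectre_v2=off nopti`. Those disable the Spectre v2 and
# Meltdown mitigations system-wide; on a laptop that bothers with full-disk encryption and
# Secure Boot that is a net loss (any untrusted code, e.g. a browser tab or a VM, gets a
# path to kernel memory). Re-add them only for a throwaway benchmark.
# NOTE(review): `acpi_osi='Windows2018'` -- the _OSI strings the kernel knows contain a space
# ("Windows 2018"); the usual form is acpi_osi=\"Windows 2018\". Confirm on this model.
GRUB_CMDLINE_LINUX_DEFAULT="acpi_osi=! acpi_osi='Windows2018' acpi=force acpi_enforce_resources=lax drm.vblankoffdelay=1 acpi_backlight=video i915.modeset=1 i915.enable_psr=1 i915.enable_guc=3 i915.enable_fbc=1 net.ifnames=0 nowatchdog"
# cryptdevice=<partition>:<mapper-name> is consumed by the `encrypt` initramfs hook
# (rd.luks.options= is only read by the sd-encrypt hook, so it is inert with this setup).
# allow-discards passes TRIM through the container: faster SSD, but the free-space layout
# of the encrypted volume becomes visible on the raw device. Drop it if that matters to you.
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p4:archlinux:allow-discards rd.luks.options=discards"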
...
# Generate config file
grub-mkconfig -o /boot/grub/grub.cfg
# Exit nspawn, umount all and reboot
poweroff
umount -R /mnt
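# Create keyfile for passwordless unlock at boot.
#
# WARNING: the keyfile ends up inside initramfs-linux.img, and in this layout /boot is the
# unencrypted ESP (/dev/nvme0n1p1). Anyone who pulls the drive can extract the key from the
# initramfs and open the LUKS container, so the passphrase prompt is the only real protection
# you have. Skip this section unless /boot itself lives inside the LUKS container (encrypted
# /boot opened by GRUB), where the initramfs is only readable after the passphrase.
#
# umask 077 in a subshell: the key is created mode 0600 from the start instead of being
# world-readable until the chmod a few steps later (root's default umask is 022).
(umask 077 && dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin)
# Add it as an extra key slot on the *same* partition the container was created on
# (the original said /dev/sda1, which is not this machine's LUKS partition).
cryptsetup luksAddKey /dev/nvme0n1p4 /crypto_keyfile.bin
# Embed it in the initramfs: in /etc/mkinitcpio.conf set (array syntax)
#   FILES=(/crypto_keyfile.bin)
# The encrypt hook looks for /crypto_keyfile.bin by default before prompting. Then rebuild:
mkinitcpio -p linux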
# Reboot again, you’ll only need to enter your password once.
reboot
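# Secure keyfile and /boot
# Only mkinitcpio (running as root) needs to read the key on later rebuilds; mode 000 keeps
# it from every other user. It is not a barrier for root, which ignores mode bits.
chmod 000 /crypto_keyfile.bin
# /boot is the vfat ESP: chmod is a no-op on it, file modes come from the fmask/dmask mount
# options. Set them to 0077 in /etc/fstab (the /boot line above has fmask=0022,dmask=0022,
# i.e. world-readable) so initramfs-linux.img, which now carries the key, is root-only.
# That still does not help against someone who removes the disk: the ESP is not encrypted.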
# Install the rest and configure the system
pacman -Syu
# Download yay helper from AUR
https://aur.archlinux.org/cgit/aur.git/snapshot/yay.tar.gz
# Install YAY as regular user (extract, read the PKGBUILD, run makepkg, pacman -U). AUR content is
# user-submitted and makepkg executes the PKGBUILD as you, so review it before building.
# Modify pacman.conf and add extra repos:
vim /etc/pacman.conf
...
XferCommand = /usr/bin/aria2c --allow-overwrite=true --continue=true --file-allocation=none --log-level=error --max-tries=2 --max-connection-per-server=2 --max-file-not-found=5 --min-split-size=5M --no-conf --remote-time=true --summary-interval=60 --timeout=5 --dir=/ --out %o %u
NoExtract = usr/lib/binfmt.d/wine.conf
NoExtract = usr/share/applications/wine.desktop
NoExtract = etc/securetty
NoExtract = usr/share/factory/etc/securetty
# Misc options
#UseSyslog
Color
#TotalDownload
CheckSpace
#VerbosePkgLists
ILoveCandy
# "Optional TrustAll" switches signature checking off for everything served from this URL,
# so a compromised server or a CDN/MITM on the path ships packages pacman installs as root.
# If the vendor publishes a signing key, import it with pacman-key and drop this SigLevel line;
# otherwise pin the one package you need and verify its checksum out of band.
[DEB_Arch_Extra]
SigLevel = Optional TrustAll
Server = https://mega.nz/linux/MEGAsync/Arch_Extra/$arch
[archlinuxcn]
Include = /etc/pacman.d/archlinuxcn-mirrorlist
#Server = http://repo.archlinuxcn.org/$arch
[chaotic-aur]
Include = /etc/pacman.d/chaotic-mirrorlist
# "TrustAll" accepts any signature from this repo, turning every mirror in the list into a
# root-level supply-chain trust point. Import the repo's keyring (BlackArch's bootstrap script
# installs one -- verify) and remove this override so the default SigLevel applies.
[blackarch]
SigLevel = TrustAll
Include = /etc/pacman.d/blackarch-mirrorlist
#[archlinuxgr]
#SigLevel = Optional TrustAll
#Server = http://archlinuxgr.tiven.org/archlinux/$arch
#[archstrike]
#Server = https://mirror.archstrike.org/$arch/$repo
#[muflone-aur]
#SigLevel = Required
#Server = https://www.muflone.com/repositories/archlinux/$repo/$arch
#[sublime-text]
#Server = https://download.sublimetext.com/arch/dev/x86_64
...
# X server
pacman -S xorg-server xorg-xinit xf86-video-intel xf86-video-fbdev xorg-xrandr
# Terminals
pacman -S xterm rxvt-unicode terminator lxterminal screen tmux
# Fonts
pacman -S ttf-liberation ttf-droid ttf-hack terminus-font terminus-font-ttf
# Media (TODO: PulseAudio for bluetooth)
pacman -S alsa-utils alsa-plugins alsa-firmware
# Install OpenBox WM and a few applications (or i3 or xfce4 - TODO:). Some of these come from the
# AUR (e.g. the -git ones): yay shows the PKGBUILD diff before building; read it, it runs as your user.
yay -S openbox tint2 udevil conky dmenu compton volumeicon scrot slock feh xarchiver cups-pdf sane
yay -S clipit scite spacefm-git redshift perwindowlayoutd gxkb nitrogen gpicview viewnior mtpaint
TODO:
Configure Power, Performance, ThinkPad specific, Btrfs specific, Xorg settings, User settings (dotfiles)
# EOF