@apsun
Last active February 22, 2022 01:02
T450s Arch Linux installation

This documents how to install Arch Linux on a ThinkPad T450s with full disk encryption (LUKS) and UEFI secure boot using your own keys. It assumes you're familiar with installing Arch Linux, but new to encryption and secure boot. No bootloader is installed: the signed kernel image is registered directly with the firmware's built-in UEFI boot manager. It also assumes you are not going to dual boot another OS.

(The instructions here should work fine for other devices too - just ignore the ThinkPad-specific bits)

Wipe the hard drive (optional)

My T450s has issues with using hdparm to wipe the disk, so instead we will use the drive erase utility provided by Lenovo. This section is mostly copied from this tutorial.

  1. Install unetbootin
  2. Format a USB drive as FAT32
  3. Use unetbootin to install FreeDOS on the USB drive
  4. Download and extract the ThinkPad Drive Erase Utility
  5. Copy DrvErase.exe to ${USB_DRIVE}/DrvErase.exe
  6. Copy BootX64.efi to ${USB_DRIVE}/EFI/BOOT/BootX64.efi
  7. Boot into the USB drive and select the first erase option

Wipe existing secure boot keys

Reboot the system and enter the BIOS setup. Navigate to Security -> Secure Boot -> Clear All Secure Boot Keys. Deleting the Platform Key (PK) puts the firmware into setup mode, in which secure boot is not enforced; it is enforced again automatically as soon as we enroll our own PK later. Note that this also discards Microsoft's certificates, so once secure boot is back on with your keys, anything signed only by Microsoft (Windows install media, some option ROMs) will no longer boot.

While you're here, ensure that you are booting in UEFI mode with CSM disabled. Also make sure that a supervisor password is set in the BIOS; without it, secure boot is useless, since anyone with physical access can simply turn it off or clear the keys, exactly as we just did.

Install the system

Follow https://gist.github.com/apsun/1f7b1da40b028a9ed1e0409ca8c3b3cc, up to but not including the unified kernel image step.

Generate and sign a unified kernel image

We want to bundle the kernel, initramfs, microcode, and kernel command line into a single EFI binary that we can sign with sbsign and boot directly from the UEFI boot manager. This keeps a bootloader out of the boot chain, which reduces attack surface, and it means the firmware verifies one signature that covers everything the kernel needs: a separately stored initramfs or command line would otherwise be unverified.

Install the following packages with pacman:

Also install sbkeys and sbupdate-git from the AUR. How to do this is left as an exercise to the reader.

cd to /etc/efi-keys and run sbkeys to generate the secure boot keys (PK, KEK and db). It writes them to the current directory; make sure that directory is readable only by root, since the db private key can sign anything the firmware will boot. If you want, you can uninstall sbkeys after this step.

Next, find the UUID of your LUKS partition, /dev/sda2 (blkid will show it; use the UUID of the entry with TYPE="crypto_LUKS", not a UUID from inside the container). Edit /etc/sbupdate.conf and set the kernel cmdline so the encrypt hook in the initramfs knows which device to unlock and where the root filesystem is:

CMDLINE_DEFAULT="cryptdevice=UUID=${YOUR_PARTITION_UUID}:cryptroot root=/dev/mapper/cryptroot rw quiet"

Run sbupdate, which will generate a unified kernel image and sign it with the keys that sbkeys generated. The result is written to /boot/EFI/Arch/linux-signed.efi. You can check that it is signed by running sbverify --list /boot/EFI/Arch/linux-signed.efi, which prints the signer certificate. Double-check the UUID in the cmdline before rebooting: a typo there leaves the system unbootable. If you want to install other kernels or customize your boot, you can play around with /etc/sbupdate.conf (remember to run sbupdate afterwards).

Finally, configure the UEFI boot manager to boot this image by running efibootmgr --create --disk /dev/sda --part 1 --label "Arch Linux" --loader "EFI\\Arch\\linux-signed.efi" --verbose.
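The steps above, done by hand, show what sbupdate automates: build the unified kernel image with objcopy from the systemd EFI stub, sign it with the db key, verify the signature against the db certificate, and register the boot entry. This is an added example, not the gist's own code or sbupdate's. It assumes the key file names sbkeys wrote (db.key and db.crt under /etc/efi-keys), the systemd stub path on Arch, /boot/intel-ucode.img for microcode, and /dev/sda2 as the LUKS partition.

```shell
#!/bin/sh
# Manual equivalent of sbupdate for the setup described in the gist.
# Assumptions (not from the gist): sbkeys produced db.key/db.crt, the
# microcode image is /boot/intel-ucode.img, the LUKS container is /dev/sda2.
set -eu

KEYDIR=/etc/efi-keys
STUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
OUT=/boot/EFI/Arch/linux-signed.efi
LUKS_DEV=/dev/sda2

# A mistyped UUID leaves an unbootable system, so reject anything that is not
# a canonical 8-4-4-4-12 hex UUID before it reaches the kernel command line.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Kernel command line that unlocks the LUKS container as /dev/mapper/cryptroot
# and mounts it as root (the same value the gist puts in CMDLINE_DEFAULT).
cmdline_for_root() {
    valid_uuid "$1" || return 1
    printf 'cryptdevice=UUID=%s:cryptroot root=/dev/mapper/cryptroot rw quiet\n' "$1"
}

# Glue os-release, cmdline, kernel and initrd onto the stub as PE sections.
# The section VMAs are the ones the systemd stub expects; microcode is
# prepended to the initramfs so the kernel applies it before anything else.
build_uki() {  # $1 = cmdline file, $2 = output path (unsigned)
    combined=$(mktemp)
    cat /boot/intel-ucode.img /boot/initramfs-linux.img > "$combined"
    objcopy \
        --add-section .osrel=/etc/os-release     --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="$1"              --change-section-vma .cmdline=0x30000 \
        --add-section .linux=/boot/vmlinuz-linux --change-section-vma .linux=0x2000000 \
        --add-section .initrd="$combined"        --change-section-vma .initrd=0x3000000 \
        "$STUB" "$2"
    rm -f "$combined"
}

# Sign with the db key; the firmware only boots images that chain to a db cert.
# sbverify --cert fails if the signature does not verify against that cert,
# which is a stronger check than sbverify --list (that only prints the signer).
sign_uki() {  # $1 = unsigned image, $2 = signed output
    sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" --output "$2" "$1"
    sbverify --cert "$KEYDIR/db.crt" "$2"
}

main() {
    # Refuse to continue unless the device really is a LUKS container.
    [ "$(blkid -o value -s TYPE "$LUKS_DEV")" = crypto_LUKS ] || {
        echo "$LUKS_DEV is not a LUKS container" >&2; exit 1; }
    uuid=$(blkid -o value -s UUID "$LUKS_DEV")
    work=$(mktemp -d)
    cmdline_for_root "$uuid" > "$work/cmdline"
    build_uki "$work/cmdline" "$work/linux.efi"
    sign_uki "$work/linux.efi" "$OUT"
    rm -rf "$work"
    # One boot entry pointing straight at the signed image: no bootloader in the chain.
    efibootmgr --create --disk /dev/sda --part 1 --label "Arch Linux" \
        --loader '\EFI\Arch\linux-signed.efi' --verbose
}

case "${1:-}" in --build) main ;; esac
```

Run it as root with `--build`; without that argument it only defines the functions. If sbverify --cert fails, the firmware will refuse the image too, so fix that before rebooting.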

Be aware that everything in this unified kernel image is unencrypted: it is signed, so tampering is detected, but anyone with the disk can read it. Some tutorials have you embed a LUKS keyfile in the initramfs and enroll that keyfile in LUKS so the root filesystem unlocks without a passphrase; that only works if the initramfs itself is encrypted (i.e. you have a separate bootloader and an encrypted /boot holding the initramfs). Since our /boot is just the EFI system partition, which is plain FAT32, do not store anything sensitive in it (except temporarily, to complete the next section).

Enroll secure boot keys

On my T450s, sbkeysync fails with permission errors. We will use KeyTool.efi instead to enroll the keys.

  1. Copy all of the *.auth files from /etc/efi-keys to your ESP (/boot). Copy only the .auth files; the *.key private keys must never leave /etc/efi-keys.
  2. Copy /usr/share/efitools/efi/KeyTool.efi to /boot
  3. Reboot your system into the Arch Linux live USB. Instead of starting the installer, choose the UEFI shell from its boot menu.
  4. Change to the ESP (the shell resembles Windows cmd.exe: type FS1: for example to switch to the FS1 filesystem; map lists the filesystems). There might be multiple filesystems, so try them until you find the one with your .auth files and KeyTool.efi.
  5. Run KeyTool.efi, choose Edit Keys, and enroll db, then KEK, then PK from the .auth files, in that order. PK must go last: enrolling a PK takes the firmware out of setup mode and secure boot is enforced from then on, so db and KEK must already be in place.
  6. Exit the UEFI shell, reboot the system, and unplug the USB drive. You should be greeted with a prompt to enter your decryption passphrase. Once booted, run bootctl status to verify that secure boot is enabled.
  7. Important: delete the .auth files and KeyTool.efi from /boot (remember, the EFI system partition isn't encrypted). The .auth files hold only certificates and signatures, not private keys, so this is housekeeping rather than damage control; you can still use a tool like shred to overwrite them, bearing in mind that shred cannot guarantee overwriting on an SSD. If a *.key file ever ended up on the ESP, treat that key as compromised and regenerate it.
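A small audit of the end state described in steps 6 and 7 (and the key-directory permissions from the earlier section), as an added example that is not part of the gist: it reads the SecureBoot and SetupMode UEFI variables from efivarfs (the same source bootctl uses; each file is 4 bytes of attributes followed by the variable data, one byte for these two), scans the ESP for key material that should have been deleted, and checks that /etc/efi-keys is root-only. Paths are parameters so it can be pointed at a test tree; the defaults are the real locations. The file name patterns for key material are an assumption about what sbkeys produced.

```shell
#!/bin/sh
# Post-enrollment audit for the secure boot + LUKS setup in the gist.
# Added example, not the gist's code. Defaults are the real locations;
# every check takes its paths as arguments so it can run against a fake tree.

EFIVARS_DEFAULT=/sys/firmware/efi/efivars
ESP_DEFAULT=/boot
KEYS_DEFAULT=/etc/efi-keys
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files are 4 bytes of attributes followed by the variable data;
# SecureBoot and SetupMode are one byte each. Prints that byte (0 or 1).
efivar_byte() {  # $1 = efivars dir, $2 = variable name
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return 1; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Secure boot is only enforced when SecureBoot=1 AND SetupMode=0: a cleared
# PK leaves SetupMode=1 and nothing is verified, whatever SecureBoot says.
secure_boot_enforced() {  # $1 = efivars dir
    [ "$(efivar_byte "$1" SecureBoot)" = 1 ] && [ "$(efivar_byte "$1" SetupMode)" = 0 ]
}

# Anything that looks like key material or the enrollment tool left on the
# unencrypted ESP (assumed sbkeys naming: *.auth, *.esl, *.key, *.crt).
esp_leftovers() {  # $1 = ESP mount point
    find "$1" -type f \( -iname '*.auth' -o -iname '*.esl' -o -iname '*.key' \
        -o -iname '*.crt' -o -iname 'KeyTool.efi' \)
}

# The signing keys must be owned by root with mode 0700: the db private key
# signs anything the firmware will boot.
keys_dir_private() {  # $1 = key dir
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -type d -perm 0700 -user root)" ]
}

# Runs all checks and returns non-zero if any of them fails.
audit() {  # $1 = efivars dir, $2 = ESP, $3 = key dir
    status=0
    if secure_boot_enforced "$1"; then echo "secure boot: enforced"
    else echo "secure boot: NOT enforced"; status=1; fi
    left=$(esp_leftovers "$2")
    if [ -n "$left" ]; then echo "key material still on ESP:"; echo "$left"; status=1
    else echo "ESP: clean"; fi
    if keys_dir_private "$3"; then echo "$3: root-only"
    else echo "$3: NOT root-only (expected owner root, mode 0700)"; status=1; fi
    return $status
}

case "${1:-}" in --audit) audit "$EFIVARS_DEFAULT" "$ESP_DEFAULT" "$KEYS_DEFAULT" ;; esac
```

Run it as root with `--audit` after step 7; a clean system prints three passing lines and exits 0.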

Success!

Your system is now ready to use!
