Skip to content

Instantly share code, notes, and snippets.

Forked from Apsu/
Last active Oct 13, 2015
What would you like to do?
Arch Linux UEFI Setup
# Gist is stupid and doesn't seem to allow manual selection of syntax highlighting; .sh extension is used for increased readability.
# This is only a guide to show the required steps for successful UEFI + GRUB2 installation
# Many of the choices are examples or assumptions; don't blindly type shit into your machine
# until/unless you at least read the comments around each command
# These steps assume you've booted in UEFI mode by preparing your USB stick per these instructions:
# If you're using an actual CD burned from the official Arch ISO, just make sure you've booted it in UEFI mode
# before we even begin...
modprobe efivars
stat /proc/efi/vars > /dev/null || systemctl reboot
# Assuming /dev/sda is the target disk
gdisk /dev/sda
# Make a partition of type EF00 (EFI System Partition)
# Minimum size I can get without complaints from mkfs.vfat is 64M--unless you plan on putting your kernel in the efi-system partition, this should be far more than sufficient.
# Then make a second partition spanning the remainder of the drive
# Create EFI System Partition (EF00) filesystem
mkfs.vfat -F32 -n efi /dev/sda1
# this might not possibly work as-is
curl | tar xz && cd frandom && makepkg && pacman -U frandom*.tar.xz && modprobe frandom
# frandomize that shiznit
dd if=/dev/frandom of=/dev/sda2 bs=1M
# I have yet to conclusively determine the optimal bs; 1M works well for rotational media; not sure about SSD's (320k-ish is best for DRAM, might be similar for NAND).
# because we can
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
dd if=/dev/random of=/tmp/key bs=512 count=4
cryptsetup luksAddKey /dev/sda2 /tmp/key
cryptsetup luksOpen /dev/sda2 crypt -d /tmp/key
# In this example, I'm using btrfs
mkfs.btrfs -KL root /dev/mapper/crypt
# Mount the needful -- note the btrfs-specific sexyness
mount -o ssd,discard,noatime,compress=lzo /dev/mapper/crypt /mnt
# Networking stuff
dhcpcd eth0
# if you need more than that, go read the fscking wiki
# Install as per usual, but snag grub-efi
pacstrap /mnt base base-devel grub-efi-x86_64 cryptsetup vim
# make sure cryptsetup is manually selected, and vim because fuck nano
mv /tmp/key /mnt/root/luks-key
# even though systemd mount units are better, util-linux hasn't been merged yet.
genfstab -pU /mnt >> /mnt/etc/fstab
# Chroot, and gimme some bash plox
arch-chroot /mnt /bin/bash
# Bootloader install;
mkdir -p /boot/efi && mount /dev/sda1 /boot/efi
GRUB_CRYPTODISK_ENABLE=y grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck --debug
# if "efibootmgr" isn't somewhere near the end of the output, you fscked up somewhere
# doesn't hurt to make sure it actually exists either
curl | patch -o /usr/lib/initcpio/hooks/encrypt_keyfile /usr/lib/initcpio/hooks/encrypt
# a ln -s would be better, but mkinitcpio seems to think that indicates that the install hook is "deprecated"
cp /usr/lib/initcpio/install/encrypt /usr/lib/initcpio/install/encrypt_keyfile
# my turn to be lazy
vim /etc/mkinitcpio.conf
# use the encrypt-keyfile hook at the appropriate place, and make sure your modules array looks ok, and FILES="/root/luks-key"
# regenerate initramfs
mkinitcpio -p linux
# erm you'll want cryptdevice=UUID=blahblah:crypt cryptkey=.:/root/luks-key
vim /etc/default/grub
# Generate grub.cfg
grub-mkconfig -o /boot/grub/grub.cfg
curl > /etc/systemd/system/kexec-load.service
systemctl enable kexec-load
# Oh, and read
# Exit chroot; or not, because fsck the installation media
# systemd-sysvcompat can go to hell
systemctl reboot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment