buhman/uefisetup.sh

## uefisetup.sh
# Gist is stupid and doesn't seem to allow manual selection of syntax highlighting; .sh extension is used for increased readability.

# This is only a guide to show the required steps for successful UEFI + GRUB2 installation
# Many of the choices are examples or assumptions; don't blindly type shit into your machine
# until/unless you at least read the comments around each command
#
# These steps assume you've booted in UEFI mode by preparing your USB stick per these instructions:
# https://wiki.archlinux.org/index.php/UEFI#Archiso
#
# If you're using an actual CD burned from the official Arch ISO, just make sure you've booted it in UEFI mode

# before we even begin...
modprobe efivars
stat /proc/efi/vars > /dev/null || systemctl reboot

# Assuming /dev/sda is the target disk
gdisk /dev/sda
# Make a partition of type EF00 (EFI System Partition)
# Minimum size I can get without complaints from mkfs.vfat is 64M--unless you plan on putting your kernel in the efi-system partition, this should be far more than sufficient.
# Then make a second partition spanning the remainder of the drive

# Create EFI System Partition (EF00) filesystem
mkfs.vfat -F32 -n efi /dev/sda1

# this might not possibly work as-is
curl https://aur.archlinux.org/packages/fr/frandom/frandom.tar.gz | tar xz && cd frandom && makepkg && pacman -U frandom*.tar.xz && modprobe frandom

# frandomize that shiznit
dd if=/dev/frandom of=/dev/sda2 bs=1M
# I have yet to conclusively determine the optimal bs; 1M works well for rotational media; not sure about SSD's (320k-ish is best for DRAM, might be similar for NAND).

# because we can
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
dd if=/dev/random of=/tmp/key bs=512 count=4
cryptsetup luksAddKey /dev/sda2 /tmp/key
cryptsetup luksOpen /dev/sda2 crypt -d /tmp/key

# In this example, I'm using btrfs
mkfs.btrfs -KL root /dev/mapper/crypt

# Mount the needful -- note the btrfs-specific sexyness
mount -o ssd,discard,noatime,compress=lzo /dev/mapper/crypt /mnt

# Networking stuff
dhcpcd eth0
# if you need more than that, go read the fscking wiki

# Install as per usual, but snag grub-efi
pacstrap /mnt base base-devel grub-efi-x86_64 cryptsetup vim
# make sure cryptsetup is manually selected, and vim because fuck nano

mv /tmp/key /mnt/root/luks-key

# even though systemd mount units are better, util-linux hasn't been merged yet.
genfstab -pU /mnt >> /mnt/etc/fstab

# Chroot, and gimme some bash plox
arch-chroot /mnt /bin/bash

# Bootloader install;
mkdir -p /boot/efi && mount /dev/sda1 /boot/efi
GRUB_CRYPTODISK_ENABLE=y grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck --debug
# if "efibootmgr" isn't somewhere near the end of the output, you fscked up somewhere

# doesn't hurt to make sure it actually exists either
efibootmgr

curl https://bugs.archlinux.org/task/31877?getfile=9445 | patch -o /usr/lib/initcpio/hooks/encrypt_keyfile /usr/lib/initcpio/hooks/encrypt
# a ln -s would be better, but mkinitcpio seems to think that indicates that the install hook is "deprecated"
cp /usr/lib/initcpio/install/encrypt /usr/lib/initcpio/install/encrypt_keyfile

# my turn to be lazy
vim /etc/mkinitcpio.conf
# use the encrypt-keyfile hook at the appropriate place, and make sure your modules array looks ok, and FILES="/root/luks-key"

# regenerate initramfs
mkinitcpio -p linux

# erm you'll want cryptdevice=UUID=blahblah:crypt cryptkey=.:/root/luks-key
vim /etc/default/grub
# Generate grub.cfg
grub-mkconfig -o /boot/grub/grub.cfg

curl http://sprunge.us/CgOV > /etc/systemd/system/kexec-load.service
systemctl enable kexec-load

# Oh, and read https://wiki.archlinux.org/index.php/Systemd#Native_configuration

# Exit chroot; or not, because fsck the installation media

# systemd-sysvcompat can go to hell
systemctl reboot
	# Gist is stupid and doesn't seem to allow manual selection of syntax highlighting; .sh extension is used for increased readability.

	# This is only a guide to show the required steps for successful UEFI + GRUB2 installation
	# Many of the choices are examples or assumptions; don't blindly type shit into your machine
	# until/unless you at least read the comments around each command
	#
	# These steps assume you've booted in UEFI mode by preparing your USB stick per these instructions:
	# https://wiki.archlinux.org/index.php/UEFI#Archiso
	#
	# If you're using an actual CD burned from the official Arch ISO, just make sure you've booted it in UEFI mode

	# before we even begin...
	modprobe efivars
	stat /proc/efi/vars > /dev/null \|\| systemctl reboot

	# Assuming /dev/sda is the target disk
	gdisk /dev/sda
	# Make a partition of type EF00 (EFI System Partition)
	# Minimum size I can get without complaints from mkfs.vfat is 64M--unless you plan on putting your kernel in the efi-system partition, this should be far more than sufficient.
	# Then make a second partition spanning the remainder of the drive

	# Create EFI System Partition (EF00) filesystem
	mkfs.vfat -F32 -n efi /dev/sda1

	# this might not possibly work as-is
	curl https://aur.archlinux.org/packages/fr/frandom/frandom.tar.gz \| tar xz && cd frandom && makepkg && pacman -U frandom*.tar.xz && modprobe frandom

	# frandomize that shiznit
	dd if=/dev/frandom of=/dev/sda2 bs=1M
	# I have yet to conclusively determine the optimal bs; 1M works well for rotational media; not sure about SSD's (320k-ish is best for DRAM, might be similar for NAND).

	# because we can
	cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
	dd if=/dev/random of=/tmp/key bs=512 count=4
	cryptsetup luksAddKey /dev/sda2 /tmp/key
	cryptsetup luksOpen /dev/sda2 crypt -d /tmp/key

	# In this example, I'm using btrfs
	mkfs.btrfs -KL root /dev/mapper/crypt

	# Mount the needful -- note the btrfs-specific sexyness
	mount -o ssd,discard,noatime,compress=lzo /dev/mapper/crypt /mnt

	# Networking stuff
	dhcpcd eth0
	# if you need more than that, go read the fscking wiki

	# Install as per usual, but snag grub-efi
	pacstrap /mnt base base-devel grub-efi-x86_64 cryptsetup vim
	# make sure cryptsetup is manually selected, and vim because fuck nano

	mv /tmp/key /mnt/root/luks-key

	# even though systemd mount units are better, util-linux hasn't been merged yet.
	genfstab -pU /mnt >> /mnt/etc/fstab

	# Chroot, and gimme some bash plox
	arch-chroot /mnt /bin/bash

	# Bootloader install;
	mkdir -p /boot/efi && mount /dev/sda1 /boot/efi
	GRUB_CRYPTODISK_ENABLE=y grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck --debug
	# if "efibootmgr" isn't somewhere near the end of the output, you fscked up somewhere

	# doesn't hurt to make sure it actually exists either
	efibootmgr

	curl https://bugs.archlinux.org/task/31877?getfile=9445 \| patch -o /usr/lib/initcpio/hooks/encrypt_keyfile /usr/lib/initcpio/hooks/encrypt
	# a ln -s would be better, but mkinitcpio seems to think that indicates that the install hook is "deprecated"
	cp /usr/lib/initcpio/install/encrypt /usr/lib/initcpio/install/encrypt_keyfile

	# my turn to be lazy
	vim /etc/mkinitcpio.conf
	# use the encrypt-keyfile hook at the appropriate place, and make sure your modules array looks ok, and FILES="/root/luks-key"

	# regenerate initramfs
	mkinitcpio -p linux

	# erm you'll want cryptdevice=UUID=blahblah:crypt cryptkey=.:/root/luks-key
	vim /etc/default/grub
	# Generate grub.cfg
	grub-mkconfig -o /boot/grub/grub.cfg

	curl http://sprunge.us/CgOV > /etc/systemd/system/kexec-load.service
	systemctl enable kexec-load

	# Oh, and read https://wiki.archlinux.org/index.php/Systemd#Native_configuration

	# Exit chroot; or not, because fsck the installation media

	# systemd-sysvcompat can go to hell
	systemctl reboot