archlinux EFI + TPM

archinstall.md

• Enter bios/uefi setup, enter secure boot setup
  • Enable microsoft CAs
  • Enable custom key management
  • Delete existing database
• Boot and Root disk setup
  • https://wiki.archlinux.org/title/EFI_system_partition

  fdisk /dev/sda
  g
  # efi partition
  n
  [enter]
  +1024M
  t
  1
  1
  # swap partition
  n
  [enter]
  +64G
  t
  2
  19
  # root partition
  n
  [enter]
  [enter]
  t
  3
  23
  w
  ##
  mkfs.fat -F 32 /dev/sda1
  mkswap /dev/sda2
  swapon /dev/sda2

• Encrypted root
  • https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition_with_TPM2_and_Secure_Boot

  cryptsetup luksFormat /dev/sda3
  cryptsetup open /dev/sda3 root
  mkfs.ext4 -T largefile4 -m 1 /dev/mapper/root
  mount /dev/mapper/root /mnt
  mount --mkdir /dev/sda1 /mnt/efi

• Base install
  • https://wiki.archlinux.org/title/Installation_guide#Installation

  pacstrap -K /mnt base linux linux-firmware zsh vim intel-ucode sbctl
  genfstab -U /mnt >> /mnt/etc/fstab
  arch-chroot /mnt
  ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
  hwclock --systohc
  echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen
  echo 'LANG=en_US.UTF-8' > /etc/locale.conf
  echo 'KEYMAP=us' > /etc/vconsole.conf
  echo 'hostname' > /etc/hostname
  locale-gen
  passwd

• Unified Kernel build to ESP
  • https://wiki.archlinux.org/title/Unified_kernel_image#Preparing_a_unified_kernel_image

  # Change XX.uuid.XX to the physical partition uuid, NOT the dm volume
  echo 'rd.luks.name=XX.uuid.XX=root root=/dev/mapper/root' > /etc/kernel/cmdline
  # replace /etc/mkinitcpio.conf hooks with `HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)`
  # enable 1.1.2 .preset file mkinit settings, comment bin uncommmen efi
  bootctl install # can probably just mkdir -p /efi/EFI/Linux
  mkinitcpio -p linux

• Restart into firmware setup
  • Create boot entry to esp/EFI/Linux/arch-linux.efi
  • boot to it
• Secure Boot
  • https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

  sbctl create-keys
  sbctl enroll-keys -m
  sbctl sign -s /efi/EFI/Linux/arch-linux.efi

• Reboot into signed image
• TPM root decrypt + backup pass
  • https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Enrolling_the_TPM
  • ssh to the device

  systemd-cryptenroll /dev/sda3 --recovery-key
  systemd-cryptenroll /dev/sda3 --wipe-slot=empty --tpm2-device=auto