- Enter the BIOS/UEFI setup and open the Secure Boot settings
- Enable the Microsoft CAs (keeping Microsoft's certificates in the trust set lets firmware components and option ROMs signed by Microsoft keep loading; `sbctl enroll-keys -m` below relies on this)
- Enable custom key management
- Delete the existing key database; this drops the firmware into Setup Mode, which `sbctl enroll-keys` needs in order to write PK/KEK/db later
- Boot and Root disk setup
```
fdisk /dev/sda
  g                   # new GPT partition table
  # EFI system partition
  n [enter] +1024M
  t 1 1               # type 1 = EFI System
  # swap partition
  n [enter] +64G
  t 2 19              # type 19 = Linux swap
  # root partition (rest of the disk)
  n [enter] [enter]
  t 3 23              # type 23 = Linux root (x86-64)
  w
##
mkfs.fat -F 32 /dev/sda1
mkswap /dev/sda2
swapon /dev/sda2
```
Caveat: this swap partition is not encrypted. Pages swapped out of the encrypted root (including key material that was sitting in RAM) land on /dev/sda2 in plaintext, which undoes much of the point of encrypting root. Either skip swap, or put it on its own dm-crypt volume (the linked dm-crypt wiki page covers encrypted swap) and only then run mkswap/swapon on the mapped device.
- Encrypted root
```
cryptsetup luksFormat /dev/sda3     # LUKS2; pick a strong passphrase, it stays as the fallback unlock after TPM enrollment
cryptsetup open /dev/sda3 root
mkfs.ext4 -T largefile4 -m 1 /dev/mapper/root
mount /dev/mapper/root /mnt
mount --mkdir /dev/sda1 /mnt/efi
```
Check before copying this: `-T largefile4` tells mke2fs to allocate one inode per 4 MiB, which is meant for filesystems holding a few huge files. A root filesystem is the opposite (hundreds of thousands of small files under /usr), so on anything but a very large disk it can run out of inodes while the disk still has free space. Dropping `-T largefile4` and keeping the mke2fs default is the safer choice; `-m 1` (1% reserved for root) is fine.
- Base install
```
pacstrap -K /mnt base linux linux-firmware zsh vim intel-ucode sbctl   # -K initialises a fresh pacman keyring in the new root
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc
echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf
echo 'KEYMAP=us' > /etc/vconsole.conf
echo 'hostname' > /etc/hostname     # placeholder, replace with the machine's name
locale-gen
passwd
```
- Unified Kernel build to ESP
```
# Replace XX.uuid.XX with the UUID of the LUKS partition (/dev/sda3), NOT the dm volume /dev/mapper/root
echo 'rd.luks.name=XX.uuid.XX=root root=/dev/mapper/root' > /etc/kernel/cmdline
# Replace the HOOKS line in /etc/mkinitcpio.conf with the systemd-based set below;
# sd-encrypt is what honours rd.luks.name and will later do the TPM2 unlock
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
# In /etc/mkinitcpio.d/linux.preset switch to UKI output (Arch wiki "Unified kernel image", section 1.1.2, mkinitcpio):
# comment out the default_image/fallback_image lines and uncomment the default_uki/fallback_uki lines
bootctl install      # can probably just: mkdir -p /efi/EFI/Linux
mkinitcpio -p linux
```
The cmdline is baked into the UKI, so once the image is signed below the kernel parameters are covered by the Secure Boot signature as well.
- Restart into the firmware setup
- Create a boot entry pointing at the UKI on the ESP:
  esp/EFI/Linux/arch-linux.efi
- Boot into it (the image is still unsigned, so this boot runs with Secure Boot in Setup Mode; nothing is TPM-bound yet)
- Secure Boot
```
sbctl create-keys                               # generates the PK/KEK/db keys; they sign every future kernel, keep them root-only and backed up offline
sbctl enroll-keys -m                            # writes them to the firmware (needs Setup Mode); -m also enrolls Microsoft's certificates so MS-signed firmware drivers keep loading
sbctl sign -s /efi/EFI/Linux/arch-linux.efi     # -s records the path in sbctl's database so the pacman hook re-signs the UKI on every kernel or mkinitcpio update
```
- Reboot into the signed image and confirm the firmware now reports Secure Boot enabled (`bootctl status` shows the state) before continuing: the TPM policy enrolled next is bound to the Secure Boot state measured during that boot
- TPM root decrypt + backup pass
- https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Enrolling_the_TPM
- ssh to the device so the recovery key can be copied instead of transcribed
```
systemd-cryptenroll /dev/sda3 --recovery-key                          # prints a one-time recovery key: store it offline, it is the fallback when the TPM or firmware state changes
systemd-cryptenroll /dev/sda3 --wipe-slot=empty --tpm2-device=auto    # seals a new key to the TPM (default policy: PCR 7, the Secure Boot state) and wipes any slot protected by an empty passphrase
```
Caveats: with the default PCR 7 policy the disk unlocks on any boot whose Secure Boot state matches, which means any image signed with the sbctl key, so a leaked signing key or an old signed UKI defeats it; protect the keys, keep the passphrase slot from luksFormat, and consider `--tpm2-with-pin=yes` to require a PIN alongside the TPM. If enrollment fails complaining about missing TPM2 support, systemd's optional tpm2-tss dependency is not installed.
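- Post-install audit. This is an added example, not part of the gist: a small shell script that recomputes the expected /etc/kernel/cmdline from the LUKS UUID, checks that both a TPM2 and a recovery token exist in the LUKS2 header, and checks that Secure Boot is enabled, the three things that have to be right for the procedure above to hold. It assumes the gist's layout (LUKS on /dev/sda3, UKI at /efi/EFI/Linux/arch-linux.efi, overridable via LUKS_DEV and UKI); the function names are mine, and the parsers read the real tools' output on stdin so they can be exercised against captured text.

```sh
#!/bin/sh
# Post-install audit for the UKI + Secure Boot + TPM2 setup (added example, not from the gist).
# Assumes the gist's layout: LUKS on /dev/sda3, UKI at /efi/EFI/Linux/arch-linux.efi
# (override with LUKS_DEV / UKI). Run as root with --live; without arguments it only
# defines the functions so they can be run against captured tool output.

# kernel_cmdline UUID: emit the /etc/kernel/cmdline line used above. The UUID must be
# the LUKS partition's (cryptsetup luksUUID /dev/sda3), never the ext4 UUID of
# /dev/mapper/root and never with a "UUID=" prefix; rd.luks.name wants the bare value.
kernel_cmdline() {
  uuid=$1
  if ! printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
    echo "kernel_cmdline: '$uuid' is not a bare LUKS UUID" >&2
    return 1
  fi
  printf 'rd.luks.name=%s=root root=/dev/mapper/root\n' "$uuid"
}

# luks_tokens: read `cryptsetup luksDump` output on stdin. Token entries look like
# "  1: systemd-tpm2"; report whether a TPM2 and a recovery token exist and succeed
# only if both do (TPM-only unlock with no recovery key is a lockout waiting to happen).
luks_tokens() {
  found=$(sed -n 's/^[[:space:]]*[0-9][0-9]*: *\(systemd-[a-z0-9]*\).*/\1/p' | sort -u)
  tpm2=no; recovery=no
  if printf '%s\n' "$found" | grep -qx 'systemd-tpm2'; then tpm2=yes; fi
  if printf '%s\n' "$found" | grep -qx 'systemd-recovery'; then recovery=yes; fi
  printf 'tpm2: %s\nrecovery: %s\n' "$tpm2" "$recovery"
  if [ "$tpm2" = yes ] && [ "$recovery" = yes ]; then return 0; fi
  return 1
}

# secure_boot_state: read `bootctl status` output on stdin, print the "Secure Boot:"
# field and succeed only when it reports enabled. The PCR 7 policy must be enrolled
# from a boot in this state or the TPM will not release the key on the next boot.
secure_boot_state() {
  state=$(sed -n 's/^[[:space:]]*Secure Boot: *//p' | head -n 1)
  printf '%s\n' "${state:-unknown}"
  case "$state" in
    enabled*) return 0 ;;
    *) return 1 ;;
  esac
}

# live_audit: run the checks against the real machine (root required).
live_audit() {
  dev=${LUKS_DEV:-/dev/sda3}
  uki=${UKI:-/efi/EFI/Linux/arch-linux.efi}
  echo "cmdline expected: $(kernel_cmdline "$(cryptsetup luksUUID "$dev")")"
  echo "cmdline on disk:  $(cat /etc/kernel/cmdline)"
  echo "--- LUKS2 tokens on $dev"
  cryptsetup luksDump "$dev" | luks_tokens || echo "WARNING: enroll both --tpm2-device and --recovery-key"
  echo "--- firmware"
  bootctl status 2>/dev/null | secure_boot_state || echo "WARNING: Secure Boot is not enabled"
  echo "--- UKI signature (sbctl checks it against the enrolled db key)"
  sbctl verify "$uki"
}

if [ "${1:-}" = "--live" ]; then live_audit; fi
```

Run it as `sh audit.sh --live` after the final reboot; if the on-disk cmdline differs from the expected line, the UUID pasted into /etc/kernel/cmdline was probably taken from the mapped volume rather than the partition, and the initramfs will stall looking for a LUKS device that does not exist.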
Last active March 25, 2024 16:16
archlinux EFI + TPM (gist commiebstrd/279b249d3db898d06d97a905bbc8b67f)