@fikri-izzuddin
Last active April 2, 2024 14:20
Arch Linux dual secure boot with Windows 11
  • secure boot
  • encrypted root Arch Linux partition
  • Windows 11 with bitlocker on C partition
  • enable TPM2

Installation

Download Arch Linux and Windows 11 ISO

Arch Linux ISO: https://archlinux.org/download/

Windows 11 ISO: https://www.microsoft.com/software-download/windows11

Create a bootable USB drive

Prepare a flash drive of at least 8 GiB

Download Ventoy: https://www.ventoy.net/en/index.html

Install Windows 11

Boot the USB drive in UEFI mode, choose Ventoy and select the Windows 11 ISO. I have a 512 GB SSD; I allocate 250 GB for Windows and leave the rest unallocated for Linux (do not let the Windows installer take the whole disk). Proceed with the installation and reboot.

Install Arch Linux

Boot the USB drive in UEFI mode, choose Ventoy and select the Arch Linux ISO. List the disks to find the partitions Windows created

lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS   PARTLABEL 
sda              8:16   1  14.9G  0 disk                
├─sda1           8:17   1  14.9G  0 part  /mnt/usbdrive 
└─sda2           8:18   1    32M  0 part                
nvme0n1        259:0    0 465.8G  0 disk                
├─nvme0n1p1    259:1    0   100M  0 part                EFI system partition
├─nvme0n1p2    259:2    0    16M  0 part                Microsoft reserved partition
├─nvme0n1p3    259:3    0 243.4G  0 part                Basic data partition
└─nvme0n1p4    259:4    0   682M  0 part                
cgdisk /dev/nvme0n1

Do not reuse the 100 MiB Windows EFI system partition: it is too small for Arch kernels, microcode and initramfs images, and this guide mounts the Linux ESP at /boot. Create a second EFI system partition (type EF00) as /dev/nvme0n1p5; about 512 MiB is enough.

Allocate the remaining space to the root partition, /dev/nvme0n1p6

NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS   PARTLABEL
sda              8:16   1  14.9G  0 disk                
├─sda1           8:17   1  14.9G  0 part  /mnt/usbdrive 
└─sda2           8:18   1    32M  0 part                
nvme0n1        259:0    0 465.8G  0 disk                
├─nvme0n1p1    259:1    0   100M  0 part                EFI system partition
├─nvme0n1p2    259:2    0    16M  0 part                Microsoft reserved partition
├─nvme0n1p3    259:3    0 243.4G  0 part                Basic data partition
├─nvme0n1p4    259:4    0   682M  0 part                
├─nvme0n1p5    259:5    0   512M  0 part  /boot         EFI
└─nvme0n1p6    259:6    0 221.1G  0 part                Arch Linux

Format the EFI partition

mkfs.fat -F32 -n EFI /dev/nvme0n1p5

Encrypt the root partition. cryptsetup defaults to LUKS2, which is what systemd-cryptenroll needs later for the TPM2 token; the passphrase you set here remains valid as the fallback after TPM2 enrollment.

cryptsetup luksFormat --type luks2 /dev/nvme0n1p6

Open the encrypted root partition

cryptsetup open /dev/nvme0n1p6 crypt_root

Format the encrypted root partition

mkfs.btrfs -L ArchOS /dev/mapper/crypt_root

Mount the encrypted root partition

mount /dev/mapper/crypt_root /mnt

Create BTRFS subvolumes

btrfs su cr /mnt/@
btrfs su cr /mnt/@home
btrfs su cr /mnt/@snapshots

Unmount the encrypted root partition

umount -R /mnt

Mount the encrypted root partition with specific options

mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@ /dev/mapper/crypt_root /mnt

Create directories

mkdir /mnt/{boot,home,.snapshots}

Mount the EFI partition

mount /dev/nvme0n1p5 /mnt/boot

Mount home and .snapshots directory

mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@home /dev/mapper/crypt_root /mnt/home
mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@snapshots /dev/mapper/crypt_root /mnt/.snapshots

Edit pacman configuration

vim /etc/pacman.conf

Set the following in the [options] section (ILoveCandy is cosmetic; ParallelDownloads speeds up pacstrap)

# Misc options
UseSyslog
Color
ILoveCandy
#NoProgressBar
CheckSpace
VerbosePkgLists
ParallelDownloads = 10

Refresh pacman mirrorlist

reflector --save /etc/pacman.d/mirrorlist --protocol https --sort rate --latest 5

Pacstrap

Replace amd-ucode with intel-ucode if you have an Intel CPU

pacstrap /mnt linux linux-headers linux-firmware base base-devel man-db btrfs-progs amd-ucode zsh git neovim

Generate fstab

genfstab -U /mnt > /mnt/etc/fstab

Copy pacman configuration and mirrorlist

cp /etc/pacman.conf /mnt/etc/pacman.conf
cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist

chroot into /mnt

arch-chroot /mnt /bin/zsh

Set root password

passwd

Change root shell

chsh -s /bin/zsh

Create user

useradd -mG wheel -s /bin/zsh <your_username>

Change user password

passwd <your_username>

Add the wheel group to sudoers

Add EDITOR=nvim to /etc/environment (picked up at login) and export it in the current shell so visudo uses it now
export EDITOR=nvim
visudo
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL

Set locale

edit /etc/locale.gen and uncomment your locale, for example

en_US.UTF-8 UTF-8

generate locale

locale-gen

edit /etc/locale.conf

LANG=en_US.UTF-8

Set hostname

edit /etc/hostname

<your_hostname>

edit /etc/hosts

# <ip-address>	<hostname.domain.org>	<hostname>
127.0.0.1	localhost
::1		localhost
127.0.1.1	<your_hostname>.localdomain	<your_hostname>

Configure mkinitcpio

edit /etc/mkinitcpio.conf. The systemd hook together with sd-encrypt is what makes the rd.luks.* kernel parameters in the boot entry below work: the root volume is unlocked by systemd-cryptsetup inside the initramfs, which is also the component that performs the TPM2 unlock later.

MODULES=(btrfs)
BINARIES=(/usr/bin/btrfs)
HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)

Regenerate the initramfs for all presets

mkinitcpio -P

Install bootloader

bootctl install auto-detects the ESP when it is mounted at /boot; if detection fails, pass it explicitly with bootctl --esp-path=/boot install

bootctl install

Create the default boot entry. Append the root partition's UUID to the entry file so you can paste it into the options line, where it appears twice:

blkid -s UUID -o value /dev/nvme0n1p6 >> /boot/loader/entries/arch.conf

Then edit /boot/loader/entries/arch.conf so it reads as follows, with <root_UUID> replaced by the appended value (delete the bare UUID line afterwards). Change /amd-ucode.img to /intel-ucode.img if you use an Intel CPU.

title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=<root_UUID>=crypt_root rd.luks.options=<root_UUID>=discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet

Edit loader configuration, /boot/loader/loader.conf

default arch.conf
timeout 10
console-mode max
editor no

editor no disables editing of the kernel command line at the boot menu. With editor yes (systemd-boot's default) anyone at the keyboard can append init=/bin/sh to the signed kernel; Secure Boot does not object, and once the root volume is bound to the TPM2 with PCR 0+7 (see the TPM2 section) it would be unlocked for them, because neither PCR covers the command line.

Copy Windows EFI

systemd-boot lists Windows automatically when bootmgfw.efi is present on the ESP it booted from, so copy the Microsoft boot files over from the Windows ESP

mkdir /tmp/win_boot
mount /dev/nvme0n1p1 /tmp/win_boot
cp -r /tmp/win_boot/EFI/Microsoft /boot/EFI
umount /tmp/win_boot

Windows updates that replace the boot manager write to the Windows ESP, not to this copy, so repeat the copy after such updates (and re-sign the copied files if you sign them in the Secure boot section).

View bootloader status. There will be 2 entries for Windows Boot Manager.

bootctl status

Configure network

pacman -S networkmanager
systemctl enable NetworkManager

Leave the chroot (exit), unmount everything (umount -R /mnt) and reboot. Make sure no error occurred and that the root volume prompts for its passphrase.

Configure time and date. set-local-rtc 1 keeps the hardware clock in local time, which is what Windows expects; the alternative is to leave the RTC in UTC and configure Windows for UTC instead.

timedatectl status
timedatectl set-timezone Asia/Singapore
timedatectl set-local-rtc 1
timedatectl set-ntp 1

AUR helper

Run these as your normal user, not as root: makepkg refuses to build as root, and paru calls sudo itself when it needs to.

$ git clone https://aur.archlinux.org/paru-bin
$ cd paru-bin
$ makepkg -si
$ paru -S bat

edit paru config /etc/paru.conf

BottomUp
SudoLoop

Secure boot

Before touching the Secure Boot key database, suspend BitLocker from Windows (manage-bde -protectors -disable C:) or keep the recovery key at hand: BitLocker seals its key to PCR 7 by default, and PCR 7 changes when the enrolled keys change, so Windows will otherwise ask for the recovery key on its next boot.

Install sbctl

# paru -S sbctl

Check sbctl status

# sbctl status

Create keys (this needs no firmware change yet)

# sbctl create-keys

Reboot into the firmware settings, switch Secure Boot from factory / default keys to custom, and clear the existing keys to enter setup mode. If setup mode is not offered, changing the Secure Boot mode to custom usually exposes it. Back in Linux, sbctl status should report Setup Mode enabled.

Enroll your keys together with Microsoft's certificates. -m keeps Microsoft's certificates in db, which is what lets the Microsoft-signed Windows boot manager, and the Microsoft-signed option ROMs many boards carry, keep loading; enrolling without it can leave the machine unable to initialise its GPU or boot Windows.

# sbctl enroll-keys -m

List what still needs a signature

# sbctl verify

Sign the boot binaries. -s records each path in sbctl's database so that sbctl sign-all, which sbctl's pacman hook runs after kernel and systemd-boot updates, re-signs them. BOOTX64.EFI is the fallback copy of systemd-boot, and vmlinuz-linux is an EFI-stub PE image, so both are signed like any other loader. bootmgfw.efi and bootmgr.efi already carry Microsoft's signature, which the firmware accepts thanks to -m, so signing them again is not required.

# sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
# sbctl sign -s /boot/vmlinuz-linux
# sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
# sbctl sign -s /boot/EFI/Microsoft/Boot/bootmgfw.efi
# sbctl sign -s /boot/EFI/Microsoft/Boot/bootmgr.efi

Note what this does not cover: the initramfs (/boot/initramfs-linux.img) is not signed, and systemd-boot loads it without verification, so anyone with access to the unencrypted ESP can still alter the code that unlocks the root volume. A unified kernel image (kernel, initramfs and command line in one signed PE, which mkinitcpio presets can build) closes that gap and also lets the TPM2 policy cover the image itself through PCR 11.

View secure boot status

$ sbctl status

Reboot into the firmware settings and enable Secure Boot. After the reboot, sbctl status should show Secure Boot enabled and Setup Mode disabled; if the machine boots with no error you may proceed.
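As an added example (not from the gist and not part of sbctl), the POSIX shell script below shows where an Authenticode signature lives in a PE/COFF image, which is how you can tell whether a file on the ESP carries any signature at all before running sbctl verify. It walks the DOS header to the PE header, picks the PE32/PE32+ optional header layout, and reads data-directory entry 4 (the security directory), then checks that the WIN_CERTIFICATE it points at is type 0x0002 (PKCS#7 SignedData). The function names (pe_cert_table, is_signed, make_fake_pe) are mine, and the two sample images are constructed in a temporary directory with only the header fields the check reads populated; sbctl verify stays the authoritative test because it also validates the signature against your enrolled key.

```shell
#!/bin/sh
# Added example, not part of the original gist: locate the Authenticode
# certificate table in a PE/COFF image the way the UEFI loader does. The sample
# images are constructed here; no real bootloader is read.
set -u

# le32 FILE OFFSET / le16 FILE OFFSET: little-endian integer, assembled byte by byte
le32() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}
le16() {
    set -- $(od -An -t u1 -j "$2" -N 2 "$1")
    echo $(( $1 | ($2 << 8) ))
}

# pe_cert_table FILE -> "<offset> <size>" of IMAGE_DIRECTORY_ENTRY_SECURITY; exit 2 if not PE32/PE32+
pe_cert_table() {
    f=$1
    [ "$(od -An -c -N 2 "$f" | tr -d ' ')" = "MZ" ] || return 2
    [ $(( $(wc -c < "$f") )) -ge 64 ] || return 2
    pe=$(le32 "$f" 60)                                   # e_lfanew at 0x3c
    [ $(( $(wc -c < "$f") )) -ge $((pe + 176)) ] || return 2   # room for PE32+ header + 5 directories
    [ "$(od -An -c -j "$pe" -N 2 "$f" | tr -d ' ')" = "PE" ] || return 2
    opt=$((pe + 24))                                     # "PE\0\0" (4) + COFF file header (20)
    case "$(le16 "$f" "$opt")" in                        # optional header Magic
        267) dirs=$((opt + 96)) ;;                       # 0x10b PE32: data directories at +96
        523) dirs=$((opt + 112)) ;;                      # 0x20b PE32+ (x86_64 UEFI): at +112
        *) return 2 ;;
    esac
    entry=$((dirs + 4 * 8))                              # directory entry 4, 8 bytes per entry
    echo "$(le32 "$f" "$entry") $(le32 "$f" $((entry + 4)))"
}

# is_signed FILE -> 0 if the security directory points at a WIN_CERTIFICATE of
# type 0x0002 (PKCS#7 SignedData), 1 if unsigned or another type, 2 if not a PE
is_signed() {
    t=$(pe_cert_table "$1") || { echo "$1: not a PE32/PE32+ image"; return 2; }
    off=${t% *}; size=${t#* }
    if [ "$size" -eq 0 ]; then
        echo "$1: unsigned (empty security directory)"; return 1
    fi
    ctype=$(le16 "$1" $((off + 6)))                      # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
    [ "$ctype" -eq 2 ] || { echo "$1: certificate table present but type $ctype is not PKCS#7"; return 1; }
    echo "$1: signed, $size-byte certificate table at offset $off"
}

# octal4 N -> printf escape string for N as a little-endian 32-bit value
octal4() {
    printf '\\%03o\\%03o\\%03o\\%03o' $(($1 & 255)) $((($1 >> 8) & 255)) $((($1 >> 16) & 255)) $((($1 >> 24) & 255))
}

# make_fake_pe FILE CERT_SIZE: minimal PE32+ skeleton (zero except the fields read above);
# CERT_SIZE > 0 appends a dummy WIN_CERTIFICATE of that length (constructed test data)
make_fake_pe() {
    f=$1; csize=$2; hdr=328                              # 64 DOS + 4 sig + 20 COFF + 240 optional
    dd if=/dev/zero of="$f" bs=1 count=$hdr 2>/dev/null
    put() { printf "$2" | dd of="$f" bs=1 seek="$1" conv=notrunc 2>/dev/null; }
    put 0  'MZ'
    put 60 "$(octal4 64)"                                # e_lfanew -> 0x40
    put 64 'PE'
    put 68 '\144\206'                                    # Machine = 0x8664 (x86_64)
    put 84 '\360\0'                                      # SizeOfOptionalHeader = 240
    put 88 '\013\002'                                    # Magic = 0x20b (PE32+)
    if [ "$csize" -gt 0 ]; then
        put 232 "$(octal4 $hdr)$(octal4 "$csize")"       # security directory: file offset, size
        put $hdr "$(octal4 "$csize")\0\002\002\0"        # dwLength, wRevision=0x0200, wCertificateType=0x0002
        dd if=/dev/zero bs=1 count=$((csize - 8)) 2>/dev/null >> "$f"   # room for the PKCS#7 blob
    fi
}

tmp=$(mktemp -d)
make_fake_pe "$tmp/unsigned.efi" 0
make_fake_pe "$tmp/signed.efi" 1024
for img in "$tmp"/*.efi; do is_signed "$img"; done
rm -rf "$tmp"
# On the installed system, the files this guide signs (vmlinuz-linux is an EFI-stub PE too):
# for p in /boot/vmlinuz-linux /boot/EFI/BOOT/BOOTX64.EFI /boot/EFI/systemd/systemd-bootx64.efi; do is_signed "$p"; done
```

The check only tells you that a signature blob is attached, not who made it: Microsoft's copy of bootmgfw.efi and an sbctl-signed systemd-bootx64.efi both report as signed, and the initramfs is not a PE image at all, which is exactly the gap described above.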

TPM2

View TPM2 device

systemd-cryptenroll --tpm2-device=list

Enroll a TPM2 key slot for the root volume. PCR 0 measures the firmware code and PCR 7 the Secure Boot policy plus the db certificate that verified each loaded image, so the slot only unseals when the firmware is unchanged and the boot chain was verified by your own enrolled certificate rather than another db entry. Neither PCR covers the kernel command line or the initramfs (see the loader.conf and Secure boot sections). The existing passphrase slot stays as the fallback; expect to need it after a firmware update changes PCR 0, then re-enroll (systemd-cryptenroll --wipe-slot=tpm2 first).

# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p6

For the initramfs to try the TPM2 slot at boot, add tpm2-device=auto to the root device's options in the boot entry, i.e. rd.luks.options=<root_UUID>=discard,tpm2-device=auto (the option is documented in crypttab(5)).

Automount an encrypted data drive on boot using TPM2

The data partition must already be a LUKS2 volume (cryptsetup luksFormat /dev/sda1, then create the filesystem on the opened mapping); systemd-cryptenroll cannot enroll a plain ext4 partition. Binding to PCR 7 alone ties the slot to the Secure Boot state only, so it still unseals after a firmware update.

# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda1

edit /etc/crypttab, using the partition's UUID (blkid -s UUID -o value /dev/sda1) rather than /dev/sda1, which can change between boots; tpm2-device=auto is what makes systemd-cryptsetup use the enrolled slot

crypt_data UUID=<data_UUID> none tpm2-device=auto

edit /etc/fstab (the mapped device lives under /dev/mapper/)

/dev/mapper/crypt_data /mnt/data ext4 defaults 0 0

Create the mount point; run the chown after the filesystem has been mounted once, otherwise it only affects the empty directory underneath the mount

# mkdir /mnt/data
# chown <your_username>: /mnt/data
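The loader.conf, the arch.conf options line, and the crypttab/fstab pair above are four files whose mistakes only show up as a missing TPM2 unlock or as an open root shell for whoever is at the keyboard. As an added example, not part of the gist, the POSIX shell script below audits them offline: it flags a boot-menu editor that is left enabled (systemd-boot's default), checks that rd.luks.name=, rd.luks.options= and root= in a type #1 entry agree with each other and carry tpm2-device=auto, and checks that crypttab lines use UUID=, have tpm2-device=auto, and are actually mounted through /dev/mapper/<name> in fstab. The function names (check_loader_editor, check_entry, check_crypttab, audit) are mine, and the sample files it writes into a temporary directory are constructed, with made-up UUIDs: one set with the editor enabled, no tpm2-device=auto, a raw /dev/sda1 device and a mistyped mapper path, and one hardened set.

```shell
#!/bin/sh
# Offline audit of the systemd-boot + sd-encrypt + TPM2 configuration from this
# guide (added example, not part of the original gist). It reads loader.conf,
# a type #1 boot entry, /etc/crypttab and /etc/fstab; the sample files below
# are constructed, with placeholder UUIDs.
set -u

# check_loader_editor FILE -> 0 if "editor no" is set, 1 otherwise
# (systemd-boot enables the editor when the key is absent, so absence is a finding)
check_loader_editor() {
    awk 'BEGIN { v = "yes" } $1 == "editor" { v = $2 } END { if (v == "no") exit 0; exit 1 }' "$1"
}

# uuid_ok STRING -> 0 if STRING is an 8-4-4-4-12 hex UUID
uuid_ok() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# check_entry FILE -> one finding per line on stdout; exit status = number of findings
check_entry() {
    entry=$1
    opts=$(awk '$1 == "options" { $1 = ""; print substr($0, 2) }' "$entry")
    findings=0
    luks=$(printf '%s\n' "$opts" | tr ' ' '\n' | grep '^rd\.luks\.name=' | head -n 1)
    if [ -z "$luks" ]; then
        echo "$entry: no rd.luks.name=, sd-encrypt will not unlock the root volume"
        findings=$((findings + 1))
    else
        uuid=${luks#rd.luks.name=}; uuid=${uuid%%=*}     # rd.luks.name=<UUID>=<name>
        name=${luks##*=}
        uuid_ok "$uuid" || { echo "$entry: malformed UUID '$uuid'"; findings=$((findings + 1)); }
        root=$(printf '%s\n' "$opts" | tr ' ' '\n' | grep '^root=' | head -n 1)
        [ "$root" = "root=/dev/mapper/$name" ] \
            || { echo "$entry: '$root' does not point at /dev/mapper/$name"; findings=$((findings + 1)); }
        lopts=$(printf '%s\n' "$opts" | tr ' ' '\n' | grep "^rd\.luks\.options=$uuid=" | head -n 1)
        case "$lopts" in
            *tpm2-device=auto*) ;;
            *) echo "$entry: rd.luks.options for $uuid lacks tpm2-device=auto, the TPM2 slot is never tried"
               findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# check_crypttab CRYPTTAB FSTAB -> findings for every non-comment crypttab line
check_crypttab() {
    ct=$1; fs=$2; findings=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$dev" in
            UUID=*) ;;
            *) echo "$ct: $name uses '$dev'; use UUID= so a renumbered disk cannot break unlocking"
               findings=$((findings + 1)) ;;
        esac
        case "$opts" in
            *tpm2-device=auto*) ;;
            *) echo "$ct: $name has no tpm2-device=auto, the enrolled TPM2 token will not be used"
               findings=$((findings + 1)) ;;
        esac
        grep -q "^/dev/mapper/$name[[:space:]]" "$fs" \
            || { echo "$fs: /dev/mapper/$name is never mounted"; findings=$((findings + 1)); }
    done < "$ct"
    return "$findings"
}

# audit LOADER ENTRY CRYPTTAB FSTAB -> total number of findings as exit status
audit() {
    total=0
    check_loader_editor "$1" \
        || { echo "$1: editor enabled; init=/bin/sh typed at the menu still boots the signed kernel with PCR 0+7 unchanged"
             total=$((total + 1)); }
    check_entry "$2" || total=$((total + $?))
    check_crypttab "$3" "$4" || total=$((total + $?))
    return "$total"
}

# write_sample_files DIR: a weak configuration next to a hardened one (constructed; placeholder UUIDs)
write_sample_files() {
    dir=$1; u=2c9b1e8a-5a1f-4f3e-9b0c-1d2e3f4a5b6c; v=9d4f7a21-0b3c-4e8d-a5f6-7b8c9d0e1f2a
    printf 'default arch.conf\ntimeout 10\nconsole-mode max\neditor yes\n' > "$dir/loader.conf"
    printf 'default arch.conf\ntimeout 10\nconsole-mode max\neditor no\n' > "$dir/loader-fixed.conf"
    printf 'title Arch Linux\nlinux /vmlinuz-linux\ninitrd /amd-ucode.img\ninitrd /initramfs-linux.img\n' \
        | tee "$dir/arch.conf" > "$dir/arch-fixed.conf"
    echo "options rd.luks.name=$u=crypt_root rd.luks.options=$u=discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet" >> "$dir/arch.conf"
    echo "options rd.luks.name=$u=crypt_root rd.luks.options=$u=discard,tpm2-device=auto root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet" >> "$dir/arch-fixed.conf"
    echo 'crypt_data /dev/sda1 none' > "$dir/crypttab"
    echo '/dev/mapper_crypt_data /mnt/data ext4 defaults 0 0' > "$dir/fstab"
    echo "crypt_data UUID=$v none tpm2-device=auto" > "$dir/crypttab-fixed"
    echo '/dev/mapper/crypt_data /mnt/data ext4 defaults 0 0' > "$dir/fstab-fixed"
}

tmp=$(mktemp -d)
write_sample_files "$tmp"
echo "== weak configuration =="
audit "$tmp/loader.conf" "$tmp/arch.conf" "$tmp/crypttab" "$tmp/fstab" || echo "$? finding(s)"
echo "== hardened configuration =="
audit "$tmp/loader-fixed.conf" "$tmp/arch-fixed.conf" "$tmp/crypttab-fixed" "$tmp/fstab-fixed" && echo "no findings"
rm -rf "$tmp"
# On the installed system: audit /boot/loader/loader.conf /boot/loader/entries/arch.conf /etc/crypttab /etc/fstab
```

The audit is deliberately file-based so it can run from the live ISO against a mounted system; it does not inspect the LUKS header, so pair it with cryptsetup luksDump to confirm the systemd-tpm2 token and its PCR list are present.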

snapper

snapper's create-config creates its own nested .snapshots subvolume, so after it runs, delete that one (btrfs subvolume delete /.snapshots), recreate the directory and mount -a so the @snapshots subvolume from fstab is used instead

# pacman -S snapper snap-pac
# umount /.snapshots
# rm -rf /.snapshots
# snapper -c root create-config /

Nvidia Driver

for turing (GTX 16 series) and later GPU

# pacman -S nvidia-open-dkms

otherwise

# pacman -S nvidia-dkms

edit /etc/mkinitcpio.conf

add nvidia nvidia_modeset nvidia_uvm nvidia_drm to modules

# mkinitcpio -P

add nvidia_drm.modeset=1 to kernel parameters

install hyprland

# paru -S hyprland-nvidia xdg-desktop-portal-hyprland

TODO: post installation

# paru -S pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber

# paru -S ttf-jetbrains-mono-nerd noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra

# paru -S bottom kitty lf mako rofi starship eza

# paru -S carapace-bin

# paru -S atuin

The upstream installer is an alternative to the package. If you use it, fetch the script to a file and read it before executing it rather than piping a remote script straight into bash as below
bash <(curl https://raw.githubusercontent.com/atuinsh/atuin/main/install.sh)

install znap

Kvantum

# paru -S kvantum

add QT_STYLE_OVERRIDE=kvantum to environment

GTK

# paru -S catppuccin-gtk-theme-mocha

add GTK_THEME='Catppuccin-Mocha-Standard-Lavender-Dark' to environment

fcitx5

# paru -S fcitx5-im fcitx5-mozc
# paru -S swaylock swayidle
# paru -S unzip unrar zip
@UliPlabst

Thanks for this guide, I made some minor changes and am running this setup right now. It worked very well!
One thing I had to change was in the section Install bootloader

bootctl --boot-path /boot install

to

bootctl --esp-path /boot install

@marol75

marol75 commented Mar 2, 2024

Thank you for your guide! :)
The only thing I couldn't get to work was # systemd-cryptsetup --tpm2-device=auto --tpm2-pcrs=7 /dev/sda1
I tried, but I got a message that there's no encrypted block device /dev/sda (or /dev/sda1). I have a separate HDD, /dev/sda, and it is formatted as ext4.

@marol75

marol75 commented Mar 4, 2024

After 2 days of using the dual boot option and different customizations I've found that in the BIOS the "Secure Boot" mode is marked "v", but when I check it in the terminal with sbctl status the output is:

$ sbctl status
Installed:  ✓ sbctl is installed
Setup Mode: ✗ Enabled
Secure Boot:    ✗ Disabled
Vendor Keys: microsoft

Can anybody explain to me what's wrong?
