- secure boot
- encrypted root Arch Linux partition
- Windows 11 with bitlocker on C partition
- enable TPM2
Arch Linux ISO: https://archlinux.org/download/
Windows 11 ISO: https://www.microsoft.com/software-download/windows11
Prepare a flash drive of at least 8 GiB
Download ventoy: https://www.ventoy.net/en/index.html
Boot the Ventoy drive in UEFI mode and select the Windows 11 ISO. Install Windows first so its partition layout is fixed before Linux is added. I have a 512 GB SSD; I allocate 250 GB to Windows and leave the rest unallocated for Linux. Proceed with the installation, then reboot.
Boot the Ventoy drive again and select the Arch Linux ISO.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS PARTLABEL
sda 8:16 1 14.9G 0 disk
├─sda1 8:17 1 14.9G 0 part /mnt/usbdrive
└─sda2 8:18 1 32M 0 part
nvme0n1 259:0 0 465.8G 0 disk
├─nvme0n1p1 259:1 0 100M 0 part EFI system partition
├─nvme0n1p2 259:2 0 16M 0 part Microsoft reserved partition
├─nvme0n1p3 259:3 0 243.4G 0 part Basic data partition
└─nvme0n1p4 259:4 0 682M 0 part
cgdisk /dev/nvme0n1
Create a separate EFI partition (type EF00) as /dev/nvme0n1p5; about 512 MiB is enough. The 100 MiB ESP Windows created is too small to hold kernels and initramfs images, which is why a second one is used.
Allocate the remaining space to the root partition, /dev/nvme0n1p6.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS PARTLABEL
sda 8:16 1 14.9G 0 disk
├─sda1 8:17 1 14.9G 0 part /mnt/usbdrive
└─sda2 8:18 1 32M 0 part
nvme0n1 259:0 0 465.8G 0 disk
├─nvme0n1p1 259:1 0 100M 0 part EFI system partition
├─nvme0n1p2 259:2 0 16M 0 part Microsoft reserved partition
├─nvme0n1p3 259:3 0 243.4G 0 part Basic data partition
├─nvme0n1p4 259:4 0 682M 0 part
├─nvme0n1p5 259:5 0 512M 0 part /boot EFI
└─nvme0n1p6 259:6 0 221.1G 0 part Arch Linux
Format EFI partition
mkfs.fat -F32 -n EFI /dev/nvme0n1p5
Encrypt the root partition. Use LUKS2 explicitly (it is the default on current cryptsetup); the TPM2 enrollment later on requires it.
cryptsetup luksFormat --type luks2 /dev/nvme0n1p6
Open the encrypted root partition
cryptsetup open /dev/nvme0n1p6 crypt_root
Format the encrypted root partition
mkfs.btrfs -L ArchOS /dev/mapper/crypt_root
Mount the encrypted root partition
mount /dev/mapper/crypt_root /mnt
Create the btrfs subvolumes (su cr is short for subvolume create)
btrfs su cr /mnt/@
btrfs su cr /mnt/@home
btrfs su cr /mnt/@snapshots
Unmount the encrypted root partition
umount -R /mnt
Mount the root subvolume (@) with the mount options that will be used permanently; genfstab picks them up later
mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@ /dev/mapper/crypt_root /mnt
Create directories
mkdir /mnt/{boot,home,.snapshots}
Mount the EFI partition
mount /dev/nvme0n1p5 /mnt/boot
Mount the home and .snapshots subvolumes
mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@home /dev/mapper/crypt_root /mnt/home
mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@snapshots /dev/mapper/crypt_root /mnt/.snapshots
Edit the pacman configuration of the live system (it is copied into the new system later)
vim /etc/pacman.conf
Set the following in the [options] section
# Misc options
UseSyslog
Color
ILoveCandy
#NoProgressBar
CheckSpace
VerbosePkgLists
ParallelDownloads = 10
Refresh pacman mirrorlist
reflector --save /etc/pacman.d/mirrorlist --protocol https --sort rate --latest 5
Pacstrap the base system; replace amd-ucode with intel-ucode if you have an Intel CPU
pacstrap /mnt linux linux-headers linux-firmware base base-devel man-db btrfs-progs amd-ucode zsh git neovim
Generate fstab
genfstab -U /mnt > /mnt/etc/fstab
Copy pacman configuration and mirrorlist
cp /etc/pacman.conf /mnt/etc/pacman.conf
cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist
chroot into /mnt
arch-chroot /mnt /bin/zsh
Set root password
passwd
Change root shell
chsh -s /bin/zsh
Create user
useradd -mG wheel -s /bin/zsh <your_username>
Change user password
passwd <your_username>
Give the wheel group sudo rights. Put EDITOR=nvim in /etc/environment so visudo (and everything else) uses nvim, export it in the current shell as well, then run visudo
export EDITOR=nvim
visudo
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL
Set locale
edit /etc/locale.gen and uncomment your locale, for example
en_US.UTF-8 UTF-8
generate locale
locale-gen
edit /etc/locale.conf
LANG=en_US.UTF-8
Set hostname
edit /etc/hostname
<your_hostname>
edit /etc/hosts
# <ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost
::1 localhost
127.0.1.1 <your_hostname>.localdomain <your_hostname>
Configure mkinitcpio
edit /etc/mkinitcpio.conf
MODULES=(btrfs)
BINARIES=(/usr/bin/btrfs)
HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)
mkinitcpio -P
Install bootloader
bootctl install
Create the default boot entry. Append the UUID of the LUKS container to the entry file so it can be pasted into the options line (it is needed there twice)
blkid -s UUID -o value /dev/nvme0n1p6 >> /boot/loader/entries/arch.conf
Then edit /boot/loader/entries/arch.conf into the form below; <root_UUID> is the value the previous command appended. Use /intel-ucode.img instead of /amd-ucode.img on an Intel CPU. Note that this is the UUID of the LUKS partition, not of the btrfs file system inside it.
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=<root_UUID>=crypt_root rd.luks.options=<root_UUID>=discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
Edit the loader configuration, /boot/loader/loader.conf. Keep the entry editor disabled: once the TPM2 unlock below is in place the root volume is decrypted without a passphrase, and the kernel command line is not covered by the PCR 0+7 policy, so with the editor enabled anyone at the keyboard could append init=/bin/sh and land in a root shell on the decrypted root.
default arch.conf
timeout 10
console-mode max
editor no
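The append-then-hand-edit step above is easy to get wrong (a truncated UUID or a mapper name that does not match root= both end in an emergency shell). The script below is an added example, not part of the original notes: it renders the same entry from the UUID blkid reports and lints the result. It assumes the layout used here (LUKS container /dev/nvme0n1p6, mapper name crypt_root, root subvolume @); the script and function names are mine.

```shell
#!/usr/bin/env bash
# Render and sanity-check the systemd-boot type #1 entry for this install.
# Added example; assumes /dev/nvme0n1p6 -> crypt_root, root subvolume @.
set -eu

ROOT_DEV=/dev/nvme0n1p6
ENTRY=/boot/loader/entries/arch.conf
# Extra rd.luks.options; append ",tpm2-device=auto" once a TPM2 slot is enrolled.
LUKS_OPTS=discard

# render_entry UUID UCODE -> prints the entry (UCODE is amd or intel).
render_entry() {
    local uuid="$1" ucode="$2"
    cat <<EOF
title   Arch Linux
linux   /vmlinuz-linux
initrd  /${ucode}-ucode.img
initrd  /initramfs-linux.img
options rd.luks.name=${uuid}=crypt_root rd.luks.options=${uuid}=${LUKS_OPTS} root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
EOF
}

# check_entry FILE -> 0 if the options line carries a well-formed LUKS UUID and
# the mapper device it creates is the one root= points at, otherwise 1 with a
# message on stderr. A leading space is prepended so " root=" cannot match the
# "rootflags=" option or a mapper name that happens to end in "root".
check_entry() {
    local opts uuid name root
    opts=" $(sed -n 's/^options[[:space:]]*//p' "$1")"
    uuid=$(printf '%s\n' "$opts" | sed -n 's/.* rd\.luks\.name=\([^= ]*\)=\([^ ]*\).*/\1/p')
    name=$(printf '%s\n' "$opts" | sed -n 's/.* rd\.luks\.name=\([^= ]*\)=\([^ ]*\).*/\2/p')
    root=$(printf '%s\n' "$opts" | sed -n 's/.* root=\([^ ]*\).*/\1/p')
    if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "$1: rd.luks.name UUID '$uuid' is not a LUKS UUID" >&2
        return 1
    fi
    if [ "$root" != "/dev/mapper/$name" ]; then
        echo "$1: root=$root but rd.luks.name maps to /dev/mapper/$name" >&2
        return 1
    fi
}

# write_entry UCODE -> look the UUID up with blkid, write the entry, lint it.
write_entry() {
    local uuid
    uuid=$(blkid -s UUID -o value "$ROOT_DEV")
    render_entry "$uuid" "$1" > "$ENTRY"
    check_entry "$ENTRY"
}

# Only touch the real ESP when asked:  ./gen-entry.sh --write amd
if [ "${1:-}" = "--write" ]; then
    write_entry "${2:-amd}"
fi
```

Run it from the chroot after bootctl install; check_entry can also be pointed at an entry you edited by hand.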
Copy the Windows boot files into the new ESP. systemd-boot only auto-detects \EFI\Microsoft\Boot\bootmgfw.efi on the partition it was loaded from, so it cannot see the Windows ESP on nvme0n1p1. Windows updates that replace the boot manager land on nvme0n1p1, not in this copy, so repeat the copy (and the signing below) if Windows stops booting after a feature update.
mkdir /tmp/win_boot
mount /dev/nvme0n1p1 /tmp/win_boot
cp -r /tmp/win_boot/EFI/Microsoft /boot/EFI
View bootloader status. There will be 2 entries for Windows boot manager.
bootctl status
pacman -S networkmanager
systemctl enable NetworkManager
Reboot your computer now and make sure no error occurred.
Time. set-local-rtc 1 keeps the hardware clock in local time, which is what Windows expects, so the two systems stop correcting each other's clock
timedatectl status
timedatectl set-timezone Asia/Singapore
timedatectl set-local-rtc 1
timedatectl set-ntp 1
$ git clone https://aur.archlinux.org/paru-bin
$ cd paru-bin
$ makepkg -si
$ paru -S bat
(paru refuses to run as root; run it as your user and it calls sudo itself)
edit the paru config /etc/paru.conf and enable
BottomUp
SudoLoop
Secure Boot. A note on the Windows side first: BitLocker seals its key to the Secure Boot policy measurement (PCR 7), so replacing the platform key below changes that measurement and Windows will ask for the BitLocker recovery key once. Have it to hand, or suspend BitLocker from an administrator prompt in Windows before starting (manage-bde -protectors -disable C:).
Install sbctl and check the current state
$ paru -S sbctl
# sbctl status
Create your own keys
# sbctl create-keys
Reboot into the UEFI setup and put Secure Boot into setup mode. If the firmware will not let you, switch the Secure Boot mode from standard/factory to custom first (the option names vary by vendor). Boot Linux again and enroll your keys together with Microsoft's certificates (-m); the Windows boot manager and most GPU option ROMs are signed by Microsoft and stop loading without them
# sbctl enroll-keys -m
List the EFI binaries sbctl found and which of them are still unsigned
# sbctl verify
Sign the boot chain. -s records each file in sbctl's database so its pacman hook re-signs the file after every kernel or systemd-boot update; without that, the next kernel update leaves an unsigned vmlinuz-linux that the firmware refuses to load
# sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
# sbctl sign -s /boot/vmlinuz-linux
# sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
# sbctl sign -s /boot/EFI/Microsoft/Boot/bootmgfw.efi
# sbctl sign -s /boot/EFI/Microsoft/Boot/bootmgr.efi
Check that nothing is left unsigned, then view the Secure Boot status
# sbctl verify
# sbctl status
Reboot into the UEFI setup and enable Secure Boot. If both Arch and Windows still boot, proceed.
TPM2 unlock of the root volume. This needs the tpm2-tss package (systemd loads the TSS library from it at runtime) and a LUKS2 container.
List TPM2 devices
# systemd-cryptenroll --tpm2-device=list
Enroll a TPM2 key slot bound to PCR 0 (firmware code) and PCR 7 (Secure Boot policy). You are asked for the existing passphrase; it stays valid as a fallback
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p6
Then add tpm2-device=auto to rd.luks.options in /boot/loader/entries/arch.conf so the initramfs tries the TPM before prompting
options rd.luks.name=<root_UUID>=crypt_root rd.luks.options=<root_UUID>=discard,tpm2-device=auto root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
Caveats: a firmware update changes PCR 0 and any change to the Secure Boot keys changes PCR 7; either makes the TPM refuse to unseal and you are back to the passphrase until you re-enroll (systemd-cryptenroll --wipe-slot=tpm2 first, then the command above). The policy does not cover the kernel or its command line, so keep the boot loader editor disabled, and add a PIN (--tpm2-with-pin=yes) if the machine is ever left unattended.
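After the reboot it is worth checking the three things the Secure Boot and TPM2 steps were supposed to achieve rather than trusting the UEFI menu. The script below is an added example, not part of the original notes or of sbctl/systemd: it reads the firmware's SecureBoot variable directly (efivarfs stores four attribute bytes followed by one data byte, and that byte is what sbctl status reports), parses sbctl verify output for files still unsigned, and parses cryptsetup luksDump for the systemd-tpm2 token and the PCRs it is bound to. The "<path> is not signed" line format of sbctl verify and the /dev/nvme0n1p6 container are assumptions; the parsers take a file argument so they can be run on sample text without root or a TPM.

```shell
#!/usr/bin/env bash
# Post-reboot audit of the Secure Boot + TPM2 state. Added example; assumes
# the LUKS container is /dev/nvme0n1p6 and was enrolled with --tpm2-pcrs=0+7.
set -u

EFIVAR_SB=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
ROOT_DEV=/dev/nvme0n1p6
EXPECTED_PCRS=0+7

# secureboot_flag FILE -> prints 1 when the data byte (byte 5, after the four
# efivarfs attribute bytes) is 1, else 0; also 0 for a missing/short file.
secureboot_flag() {
    local v=''
    if [ -r "$1" ]; then
        v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    fi
    [ "$v" = 1 ] && echo 1 || echo 0
}

# unsigned_from_verify FILE -> one path per line for every
# "<path> is not signed" line in captured `sbctl verify` output.
unsigned_from_verify() {
    sed -n 's/^[^/]*\(\/[^ ]*\) is not signed$/\1/p' "$1"
}

# tpm2_token_pcrs FILE -> the tpm2-hash-pcrs value of the first systemd-tpm2
# token in captured `cryptsetup luksDump` output; empty if there is none.
tpm2_token_pcrs() {
    awk '
        /^[ \t]*[0-9]+: systemd-tpm2/ { in_tok = 1; next }
        in_tok && /^[ \t]*[0-9]+: /   { in_tok = 0 }
        in_tok && /tpm2-hash-pcrs:/    { print $2; exit }
    ' "$1"
}

# audit -> runs the live checks; returns non-zero if anything is off.
audit() {
    local tmp rc=0 unsigned pcrs
    tmp=$(mktemp -d)

    if [ "$(secureboot_flag "$EFIVAR_SB")" = 1 ]; then
        echo "[ok] firmware reports Secure Boot enabled"
    else
        echo "[!!] firmware reports Secure Boot disabled (or this is not a UEFI boot)"; rc=1
    fi

    if ! command -v sbctl >/dev/null 2>&1; then
        echo "[!!] sbctl is not installed"; rc=1
    else
        sbctl verify > "$tmp/verify" 2>&1 || true
        unsigned=$(unsigned_from_verify "$tmp/verify")
        if [ -n "$unsigned" ]; then
            echo "[!!] unsigned files in the ESP (fix with: sbctl sign -s <file>):"
            printf '     %s\n' $unsigned; rc=1
        else
            echo "[ok] every EFI binary sbctl knows about is signed"
        fi
    fi

    if cryptsetup luksDump "$ROOT_DEV" > "$tmp/dump" 2>/dev/null; then
        pcrs=$(tpm2_token_pcrs "$tmp/dump")
        if [ "$pcrs" = "$EXPECTED_PCRS" ]; then
            echo "[ok] $ROOT_DEV has a systemd-tpm2 token bound to PCRs $pcrs"
        elif [ -n "$pcrs" ]; then
            echo "[!!] systemd-tpm2 token is bound to PCRs $pcrs, expected $EXPECTED_PCRS"; rc=1
        else
            echo "[!!] no systemd-tpm2 token on $ROOT_DEV; was systemd-cryptenroll run?"; rc=1
        fi
    else
        echo "[!!] cannot read the LUKS header of $ROOT_DEV (run as root)"; rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}

# Run the live checks only when asked, so the parsers can be used on their own.
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Run it as root with --run after each firmware update, kernel update or key change; a "[!!]" on the TPM line after a firmware update is the PCR 0 re-enrollment case described above, not a broken install.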
Auto-unlock a second encrypted data drive on boot using TPM2. This assumes a LUKS2 container on /dev/sda1 with an ext4 file system inside it. Refer to the partition by UUID in crypttab: /dev/sdX names are not stable, and sda was the Ventoy stick in the lsblk output above
# mkdir /mnt/data
# chown <your_username>: /mnt/data
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda1
edit /etc/crypttab (<data_UUID> is the output of blkid -s UUID -o value /dev/sda1)
crypt_data UUID=<data_UUID> none tpm2-device=auto
edit /etc/fstab
/dev/mapper/crypt_data /mnt/data ext4 defaults 0 0
Snapper (snap-pac takes a snapshot before and after every pacman transaction). create-config creates its own /.snapshots subvolume, so unmount the one from fstab first, then replace snapper's subvolume with the @snapshots subvolume again
# pacman -S snapper snap-pac
# umount /.snapshots
# rm -rf /.snapshots
# snapper -c root create-config /
# btrfs subvolume delete /.snapshots
# mkdir /.snapshots
# mount -a
# chmod 750 /.snapshots
For Turing (GTX 16 series) and later GPUs
# pacman -S nvidia-open-dkms
otherwise
# pacman -S nvidia-dkms
edit /etc/mkinitcpio.conf and add nvidia nvidia_modeset nvidia_uvm nvidia_drm to MODULES
# mkinitcpio -P
add nvidia_drm.modeset=1 to the options line in /boot/loader/entries/arch.conf
$ paru -S hyprland-nvidia xdg-desktop-portal-hyprland
TODO: post installation
$ paru -S pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber
$ paru -S ttf-jetbrains-mono-nerd noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra
$ paru -S bottom kitty lf mako rofi starship eza
$ paru -S carapace-bin
$ paru -S atuin
alternatively, atuin's upstream installer (this pipes a downloaded script into bash; read it before running it)
bash <(curl https://raw.githubusercontent.com/atuinsh/atuin/main/install.sh)
$ paru -S kvantum
add QT_STYLE_OVERRIDE=kvantum to /etc/environment
$ paru -S catppuccin-gtk-theme-mocha
add GTK_THEME='Catppuccin-Mocha-Standard-Lavender-Dark' to /etc/environment
$ paru -S fcitx5-im fcitx5-mozc
$ paru -S swaylock swayidle
$ paru -S unzip unrar zip
After 2 days of using the dual boot option and different customizations I've found that in the BIOS the "Secure Boot" mode is marked "v", but when I check it in the terminal with sbctl status the output is:
Can anybody explain to me what's wrong?