Skip to content

Instantly share code, notes, and snippets.

@orhun
Last active July 3, 2024 21:17
Show Gist options
  • Save orhun/02102b3af3acfdaf9a5a2164bea7c3d6 to your computer and use it in GitHub Desktop.
Save orhun/02102b3af3acfdaf9a5a2164bea7c3d6 to your computer and use it in GitHub Desktop.
Notes on my Arch Linux installation: UEFI/Secure Boot + systemd-boot, LUKS-encrypted root (XFS), LUKS-encrypted swap (with hibernate & unlocked via TPM)

Notes on my Arch Linux installation

Hardware

  • Lenovo ThinkPad E15G2 (20T8001UTX)
    • AMD Ryzen 7 4700U
    • 8GB RAM (+16GB)
    • 512GB SSD (+1 TB)
    • 15.6" FHD
    • Freedos

Known Issues

Preparation

Boot up Arch Linux ISO and do the following:

  • Disable the annoying beep sound: rmmod pcspkr
  • Bring up WiFi via iwctl station wlan0 connect <SSID>
  • Have some coffee ☕

Pre-installation

Select the drive

export DRIVE=/dev/nvme0n1

(Use lsblk to determine the correct drive to install)

Zap the disk

sgdisk --zap-all $DRIVE
-Z, --zap-all
    Zap (destroy) the GPT and MBR data structures and then exit. This option works much like -z, but as it wipes the MBR as well as the GPT, it's more  suitable  if  you  want  to repartition a disk after using this option, and completely unsuitable if you've already repartitioned the disk.

Create the partitions

sgdisk --clear \
       --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
       --new=2:0:+8GiB   --typecode=2:8200 --change-name=2:cryptswap \
       --new=3:0:0       --typecode=3:8300 --change-name=3:cryptsystem $DRIVE

Partition types

Check the partitions

lsblk -o +PARTLABEL
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS           PARTLABEL
loop0         7:0    0 641.6M  1 loop /run/archiso/airootfs 
sda           8:0    1   7.3G  0 disk                       
└─sda1        8:1    1   7.3G  0 part /run/archiso/bootmnt  
nvme0n1     259:0    0 476.9G  0 disk                       
├─nvme0n1p1 259:1    0   550M  0 part                       EFI
├─nvme0n1p2 259:2    0     8G  0 part                       cryptswap
└─nvme0n1p3 259:3    0 468.4G  0 part                       cryptsystem

Format EFI partition

mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI

Encrypt system partition

cryptsetup luksFormat /dev/disk/by-partlabel/cryptsystem

Add an additional LUKS key

cryptsetup luksAddKey /dev/disk/by-partlabel/cryptsystem

Backup LUKS header

If the header of a LUKS encrypted partition gets destroyed, you will not be able to decrypt your data. It is just as much of a dilemma as forgetting the passphrase or damaging a key-file used to unlock the partition. Damage may occur by your own fault while re-partitioning the disk later or by third-party programs misinterpreting the partition table. Therefore, having a backup of the header and storing it on another disk might be a good idea.

cryptsetup luksHeaderBackup /dev/disk/by-partlabel/cryptsystem --header-backup-file /mnt/<backup>/<file>.img

Open the encrypted system partition

cryptsetup open /dev/disk/by-partlabel/cryptsystem system

Encrypt swap partition

To be able to resume after suspending the computer to disk (hibernate), it is required to keep the swap space intact. Therefore, it is required to have a pre-existent LUKS swap partition or file, which can be stored on the disk or input manually at startup.

cryptsetup luksFormat /dev/disk/by-partlabel/cryptswap
cryptsetup open /dev/disk/by-partlabel/cryptswap swap
mkswap -L swap /dev/mapper/swap
swapon -L swap

The following setup has the disadvantage of having to insert an additional passphrase for the swap partition manually on every boot.

However, we will eliminate this by storing the LUKS key in TPM.

Create and mount XFS filesystem

mkfs.xfs -f -L system /dev/mapper/system
mount LABEL=system /mnt

Mount EFI partition

mkdir /mnt/boot
mount LABEL=EFI /mnt/boot

Installation

Install essential packages

pacstrap /mnt base linux linux-firmware

Generate fstab

genfstab -L /mnt >> /mnt/etc/fstab
-L
  Use labels for source identifiers (shortcut for -t LABEL).
# /dev/mapper/system UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
LABEL=system        	/         	xfs       	rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota	0 1

# /dev/nvme0n1p1 UUID=xxxx-xxxx
LABEL=EFI           	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro	0 2

# /dev/mapper/swap UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#LABEL=swap          	none      	swap      	defaults  	0 0
# add this line instead for using the mapped device as swap
/dev/mapper/swap swap swap defaults 0 0

Boot into the system

arch-chroot /mnt

Configure the system

pacman -S vim
# Set the time zone
ln -sf /usr/share/zoneinfo/Europe/Istanbul /etc/localtime

# Set the Hardware Clock from the System Clock, and update the timestamps in /etc/adjtime.
hwclock --systohc

# Uncomment desired locales
vim /etc/locale.gen
# Generate the locales
locale-gen

# Create the hostname
vim /etc/hostname

# Set the root password
passwd

Install network manager

pacman -S netctl wpa_supplicant dhcpcd dialog

Regenerate initramfs

Create a backup of the original config:

cp /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig

Update HOOKS in /etc/mkinitcpio.conf as follows:

HOOKS="base systemd modconf keyboard block sd-encrypt filesystems fsck"

Regenerate:

mkinitcpio -p linux

Select the CPU architecture

export CPU_ARCH=amd # amd or intel

Install microcode

Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to the stability of your system. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

All users with an AMD or Intel CPU should install the microcode updates to ensure system stability.

pacman -S $CPU_ARCH-ucode

Install systemd-boot

Make sure the system has booted in UEFI mode and that UEFI variables are accessible:

ls /sys/firmware/efi/efivars

Use bootctl to install systemd-boot into the EFI system partition:

bootctl install
Created "/boot/EFI"
Created "/boot/EFI/systemd"
Created "/boot/EFI/BOOT"
Created "/boot/loader"
Created "/boot/loader/entries"
Created "/boot/EFI/Linux"
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi"
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI"
Created "/boot/xxxxxx"
Random seed file /boot/loader/random-seed successfully written (512 bytes).
Created EFI boot entry "Linux Boot Manager".

Configure systemd-boot

/boot/loader/loader.conf:

default arch*.conf
timeout 5
editor no
console-mode auto

When using the systemd-based initramfs with the sd-encrypt mkinitcpio hook, simply specify additional rd.luks kernel parameters to unlock the swap partition.

/boot/loader/entries/arch.conf:

title Arch Linux
linux /vmlinuz-linux
initrd /<CPU-ARCHITECTURE>-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=<ROOT-PARTITION-UUID>=system root=/dev/mapper/system rd.luks.name=<SWAP-PARTITION-UUID>=swap resume=/dev/mapper/swap rw
  • <ROOT-PARTITION-UUID>: lsblk -o NAME,UUID | grep nvme0n1p3 | awk '{print $NF}'
  • <SWAP-PARTITION-UUID>: lsblk -o NAME,UUID | grep nvme0n1p2 | awk '{print $NF}'
  • <CPU-ARCHITECTURE>: value of $CPU_ARCH

Update kernel parameters

  • audit=0: disable audit logs
  • acpi_backlight=vendor: prefer vendor specific driver for backlight (see the other options)
  • splash: show splash during boot
  • quiet: enable non-verbose mode

Installing Secure Boot

* You need to boot in the freshly installed OS (without chroot) before following these steps.

Before you proceed, beware of this.

Secure Boot is a security feature found in the UEFI standard, designed to add a layer of protection to the pre-boot process: by maintaining a cryptographically signed list of binaries authorized or forbidden to run at boot, it helps in improving the confidence that the machine core boot components (boot manager, kernel, initramfs) haven't been tampered with.

  1. Clear existing keys and reset Secure Boot to Setup Mode on firmware settings.
  2. pacman -S sbctl
  3. sbctl status
Installed:    Sbctl is not installed
Setup Mode:   Enabled
Secure Boot:  Disabled
  1. sbctl create-keys
  2. sbctl enroll-keys -> sbctl status
Installed:    Sbctl is installed
Owner GUID:   xxx
Setup Mode:   Disabled
Secure Boot:  Disabled
  1. sbctl verify -> sbctl sign -s <file>
  2. sbctl list-files

Using TPM 2.0

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.

Check for support:

cat /sys/class/tpm/tpm0/tpm_version_major

Install required packages for management:

pacman -S tpm2-tss tpm2-tools

List available TPMs:

systemd-cryptenroll --tpm2-device=list
PATH        DEVICE     DRIVER
/dev/tpmrm0 NTC0702:00 tpm_tis

Platform Configuration Registers (PCR) contain hashes that can be read at any time but can only be written via the extend operation, which depends on the previous hash value, thus making a sort of blockchain. They are intended to be used for platform hardware and software integrity checking between boots (e.g. protection against Evil Maid attack). They can be used to unlock encryption keys and proving that the correct OS was booted.

See Accessing PCR registers.

Enroll the key in the TPM and the LUKS volume and bind the key to PCRs 0 and 7:

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,7 /dev/disk/by-partlabel/cryptswap
  • PCR0: Core System Firmware executable code (aka Firmware)
  • PCR7: Secure Boot State
New TPM2 token enrolled as key slot 1.

Test that the key can open the volume:

/usr/lib/systemd/systemd-cryptsetup attach swap /dev/disk/by-partlabel/cryptswap - tpm2-device=auto

Update /etc/crypttab to unlock the encrypted swap at boot:

# Configuration for encrypted block devices.

# <name>       <device>                                     <password>              <options>
swap           /dev/disk/by-partlabel/cryptswap             -                       tpm2-device=auto

Update kernel parameters (/boot/loader/entries/arch.conf) to use TPM for decryption:

[...] rd.luks.name=<SWAP-PARTITION-UUID>=swap rd.luks.options=<SWAP-PARTITION-UUID>=tpm2-device=auto resume=/dev/mapper/swap [...]

If you wish to remove LUKS keys from TPM: systemd-cryptenroll /dev/disk/by-partlabel/cryptswap --wipe-slot=tpm2

Post-installation

Set up a wireless netwok

wifi-menu
netctl list
netctl enable <profile>
netctl is-enabled <profile>

Create an user

useradd -G wheel -m orhun
passwd orhun
pacman -S sudo vi
visudo # uncomment "%wheel ALL=(ALL) ALL"

Update pacman mirrors

(this section needs review)

sudo pacman -S reflector
reflector --country Germany --age 12 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
curl "https://archlinux.org/mirrorlist/?country=TR&protocol=http&protocol=https&ip_version=4" | sudo tee -a /etc/pacman.d/mirrorlist
sudo vim /etc/pacman.d/mirrorlist

Install an AUR helper

pacman -S git wget rust base-devel
rustup install stable
git clone https://aur.archlinux.org/paru
cd paru/
makepkg -si

Install display server

pacman -S xorg-server xorg-xinit xterm

Also, install xf86-video-amdgpu or xf86-video-intel based on CPU architecture respectively.

Install window manager

pacman -S i3

Configure i3 and run it with xinit.

Install code editor

pacman -S neovim

Install web browser

pacman -S firefox-developer-edition

Install docker

pacman -S docker
usermod -a -G docker orhun
systemctl enable --now docker.service

Set up screen locker

Install i3lock:

paru i3lock-fancy

Install screenshot utility:

pacman -S menyoki

Create a script at ~/scripts/lock.sh for locking the screen:

#!/usr/bin/env bash

i3lock-fancy -g -t "" -- menyoki -q cap --root png -c fast save 2>/dev/null

Lock the screen after 5 minutes of inactivity:

  1. Install the screen locker:
pacman -S xautolock
  1. Create /etc/systemd/system/screen-locker.service:
[Unit]
Description=Lock the screen automatically after a timeout

[Service]
Type=simple
User=orhun
Environment=DISPLAY=:0
ExecStart=/usr/bin/xautolock -time 5 -locker /home/orhun/scripts/lock.sh -detectsleep
Restart=on-failure
RestartSec=5m

[Install]
WantedBy=graphical.target

Lock the screen after suspend:

  1. Create /etc/systemd/system/resume-locker.service:
[Unit]
Description=Lock the screen on resume from suspend
Before=suspend.target

[Service]
Type=forking
User=orhun
Environment=DISPLAY=":0"
ExecStart=/usr/bin/bash /home/orhun/scripts/lock.sh

[Install]
WantedBy=suspend.target
WantedBy=sleep.target
  1. Keep the lock screen from flashing the desktop:

2.a. Create /lib/systemd/system-sleep/blank:

#!/usr/bin/env bash

if [ "$1" == "pre" ]; then
  sleep 2
fi

2.b. chmod +x /lib/systemd/system-sleep/blank

Lastly, start/enable both services:

systemctl enable --now screen-locker.service
systemctl enable --now resume-locker.service

Set up audio

Check the audio device:

lspci | grep -i audio

Install pipewire/pulse:

pacman -S alsa-utils pipewire pipewire-pulse
systemctl start --user pipewire-pulse.service
pactl info

Set up bluetooth:

rfkill unblock all
pacman -S bluez bluez-utils
systemctl start bluetooth.service
systemctl enable bluetooth.service

Update /etc/bluetooth/main.conf to auto power-on the bluetooth device after boot:

[Policy]
AutoEnable=true

Configure bluetooth headset:

bluetoothctl

[bluetooth]# power on
[CHG] Controller XX:XX:XX:XX:XX:XX Class: 0x006c010c
Changing power on succeeded
[CHG] Controller XX:XX:XX:XX:XX:XX Powered: yes

[bluetooth]# agent on
Agent is already registered
[bluetooth]# default-agent
Default agent request successful

[bluetooth]# scan on
Discovery started
[CHG] Controller XX:XX:XX:XX:XX:XX Discovering: yes
[NEW] Device E8:D0:3C:8B:7B:48 JBL TUNE500BT

[bluetooth]# pair E8:D0:3C:8B:7B:48 
Attempting to pair with E8:D0:3C:8B:7B:48
[CHG] Device E8:D0:3C:8B:7B:48 Connected: yes
[CHG] Device E8:D0:3C:8B:7B:48 ServicesResolved: yes
[CHG] Device E8:D0:3C:8B:7B:48 Paired: yes
Pairing successful
[CHG] Device E8:D0:3C:8B:7B:48 ServicesResolved: no
[CHG] Device E8:D0:3C:8B:7B:48 Connected: no

[bluetooth]# connect E8:D0:3C:8B:7B:48 
Attempting to connect to E8:D0:3C:8B:7B:48
[CHG] Device E8:D0:3C:8B:7B:48 Connected: yes
Connection successful
[CHG] Device E8:D0:3C:8B:7B:48 ServicesResolved: yes

[JBL TUNE500BT]# trust E8:D0:3C:8B:7B:48 
[CHG] Device E8:D0:3C:8B:7B:48 Trusted: yes
Changing E8:D0:3C:8B:7B:48 trust succeeded

[JBL TUNE500BT]# scan off
[JBL TUNE500BT]# exit

Update /etc/pulse/default.pa for auto connecting to the bluetooth headset:

### Automatically switch to newly-connected devices
load-module module-switch-on-connect

Change TrackPoint sensitivity

Install xinput for configuring devices:

pacman -S xorg-xinput xf86-input-libinput

List the available devices by running xinput command:

⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer              	id=4	[slave  pointer  (2)]
⎜   ↳ ETPS/2 Elantech Touchpad                	id=12	[slave  pointer  (2)]
⎜   ↳ ETPS/2 Elantech TrackPoint              	id=13	[slave  pointer  (2)]

List the properties of the TrackPoint:

xinput list-props "ETPS/2 Elantech TrackPoint"
[...]
libinput Accel Speed (316):	0.000000
libinput Accel Speed Default (317):	0.000000
libinput Accel Profiles Available (318):	1, 1
[...]

Override the libinput Accel Speed property in /etc/X11/xorg.conf.d/20-thinkpad.conf:

Section "InputClass"
    Identifier "TrackPoint Configuration"
    MatchProduct "ETPS/2 Elantech TrackPoint"
    Option "AccelSpeed"	"-0.65"
EndSection

References

@IPlayZed
Copy link

Are you sure you actually tried this? I followed this exactly, and at sbctl verify it fails:

failed to find EFI system partition

@orhun
Copy link
Author

orhun commented Aug 14, 2022

Are you sure you actually tried this?

Yes, I wrote this gist as I'm running the commands. Maybe something has changed in sbctl? Did you have any other issues?

@IPlayZed
Copy link

IPlayZed commented Aug 15, 2022

Are you sure you actually tried this?

Yes, I wrote this gist as I'm running the commands. Maybe something has changed in sbctl? Did you have any other issues?

I will try to do this again on my laptop, I did a TPM encrypted root install already on my PC... I think I just messed something up with a typo.

But this setup does not protect the initramfs against evil maid attacks. Maybe you should do a unified kernel image? Also, how do you automate the signing?

It would also be helpful to mention setting the UEFI into secboot setup mode at the begging bc some might have to reboot halfway there...

@orhun
Copy link
Author

orhun commented Aug 20, 2022

But this setup does not protect the initramfs against evil maid attacks. Maybe you should do a unified kernel image?

Yeah, I would be glad to update the gist if you provide instructions for that.

Also, how do you automate the signing?

There is a pacman hook installed along with sbctl package: https://github.com/Foxboron/sbctl/blob/master/contrib/pacman/ZZ-sbctl.hook

It would also be helpful to mention setting the UEFI into secboot setup mode at the begging bc some might have to reboot halfway there...

I don't quite remember my exact steps for doing that so I will keep it as-is for now. It should definitely be kept in mind, though.

@IPlayZed
Copy link

IPlayZed commented Aug 22, 2022

But this setup does not protect the initramfs against evil maid attacks. Maybe you should do a unified kernel image?

Yeah, I would be glad to update the gist if you provide instructions for that.

It turns out that sbctl does have a hook (at least it worked for me with systemd-boot) for automatic unified image creation! Now, all I have to do is install and the hooks will automatically update the initramfs.
You just have to manually use the bundle option and sign that manually with sbctl to activate the hook, it is very handy : ) !
So if you do that that should sign from then on automatically when needed. Now you are protected against evil maids.
(Ofc you must manually create the bundle and sign it when you manually change your kernel params or update the initramfs by yourself.)
(PS: I actually TPM encrypted my root, and it works flawlessly. Just don't forget to use the right TPM registers for that.)

@StevenMacias
Copy link

Are you sure you actually tried this? I followed this exactly, and at sbctl verify it fails:

failed to find EFI system partition

I had the very same message. My mistake was that I was setting the Secure Boot in Setup Mode even before starting the installation. Then I rebooted to make sure it was on Setup Mode and open and mounted the system and EFI partitions. After arch-chroot and trying to setup sbctl, same issue. I had to boot in the freshly installed OS to make sbctl work.

@orhun Maybe it makes sense to add a note mentioning that you should boot on the new SO and move the wifi and network setup before the Secure Boot steps?

Thanks for your notes, really good job!

@orhun
Copy link
Author

orhun commented Nov 13, 2022

Gist updated. Thanks!

@db6edr
Copy link

db6edr commented Dec 4, 2022

Hi @orhun , I'm pretty sure it should be cp /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig instead of mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig when creating the backup of mkinitcpio.conf, right?

@orhun
Copy link
Author

orhun commented Dec 12, 2022

@db6edr good catch!

@djallits
Copy link

djallits commented Feb 9, 2023

@orhun

I am reading through this before I give it a go, but if I understand correctly, both signed and unsigned images are available in the unencrypted /boot partition.

Wouldn't it be preferable to keep the unsigned images in the encrypted space and my signed image(s) in the EFI Bootloader? If so, have you seen anywhere that discusses this? I have searched the Arch Wiki extensively for an answer to this already.

@orhun
Copy link
Author

orhun commented Feb 9, 2023

@djallits

I'm not sure how you would do that. Sounds like a more secure solution so I would like to update the guide if you figure that out!

@IPlayZed
Copy link

@orhun

I am reading through this before I give it a go, but if I understand correctly, both signed and unsigned images are available in the unencrypted /boot partition.

Wouldn't it be preferable to keep the unsigned images in the encrypted space and my signed image(s) in the EFI Bootloader? If so, have you seen anywhere that discusses this? I have searched the Arch Wiki extensively for an answer to this already.

@djallits

You are right, it would be preferable. There are 2 ways I go about this:

  1. Using unified kernel images: In this way, I bypass the problem entirely. I generate the unified kernel image for my desired configurations (kernel parameters, initrafms, etc.), sign them and boot from there. In this case, encryption is not a concern, as these images are signed, so there will be a boot policy violation if they were tampered with. This is the most robust solution but if you have small space in the partition where you boot these images from and you have a lot of possible configurations (which is an extreme case), they take up the most space. Also, to modify the launch parameter you have to regenerate and sign them, but in my opinion that is the robust and correct way.
  2. You can use GRUB. You can sign the GRUB bootloader and encrypt the partition where your bootloader boots the kernel and images from. In this way, in theory, you can get away with unsigned images and still have a verifiable boot chain. The problem here is that, it is not unattended anymore, as you need to provide a password for GRUB to unlock the partition where you kernels and images are. The legacy GRUB had a fork for TPM, which in theory could do this actually, but only GRUB2 supports booting from an encrypted partition (and LUKS1 only afaik). So this is a patchwork solution.

As you see, the correct option is 1 right now, option 2 is a patchwork thingy. I think Pottering wrote about this in his blog, proposing (actually right-now workable) solutions to this. In general the Linux boot chain was not designed to be monolithic, so problems like this persist. But there are ways to both keep flexibility and conforming to standards, just like the concept of MOK.

@alexdelorenzo
Copy link

Any luck getting hibernate to work with this setup?

@IPlayZed
Copy link

Any luck getting hibernate to work with this setup?

@alexdelorenzo See hibernation configuration and hibenation dm-crypt specific configuration. Unless you are on Nvidia, this works.

@djallits
Copy link

djallits commented Feb 21, 2023

@IPlayZed

So where do you store the unsigned images? I am guessing those are still in the /boot directory, which would be on the encrypted disk/partition, and then the signed images would be in /EFI on an unencrypted disk/partition. Am I going down the right path here? Any chance you can point me to any documentation or if you have notes from your process?

Edit: I am reading Pottering's posts here: http://0pointer.de/blog/

Thank you!

@IPlayZed
Copy link

IPlayZed commented Feb 25, 2023

@djallits I am not sure what is not clear. Signed images are not needed to be encrypted, unless you have a specific reason to. Your /boot can be on any partition. Unsigned images are only to be trusted if you encrypt them and GRUB itself is signed and you are OK with not validating them. This opens up attacks for userspace modifications tho.

@StevenMacias
Copy link

@orhun Why --align-payload is needed in cryptsetup luksFormat --align-payload=8192 /dev/disk/by-partlabel/cryptsystem? It seems this option is deprecated: https://man7.org/linux/man-pages/man8/cryptsetup-luksformat.8.html

@orhun
Copy link
Author

orhun commented Jun 13, 2023

@StevenMacias it's been a while since I ran those commands and some of them might be outdated. Just removed the deprecated parameter!

I'm still on the same computer that I wrote this guide for. I might update it soon if I re-install Arch.

@StevenMacias
Copy link

@orhun Thanks! I have another suggestion. I had a little bit of trouble because of eager copy/paste. Can you add a comment for intel users in these sections, something like this:

Replace <arch> with your CPU architecture (amd or intel):

pacman -S <arch>-ucode

Replace <arch> with your CPU architecture (amd or intel):

title Arch Linux
linux /vmlinuz-linux
initrd /<arch>-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=<ROOT-PARTITION-UUID>=system root=/dev/mapper/system rd.luks.name=<SWAP-PARTITION-UUID>=swap resume=/dev/mapper/swap rw

Replace <arch> with amdgpu or intel:

pacman -S xorg-server xorg-xinit xterm xf86-video-<arch>

Maybe an environment variable approach is better like you did with $DRIVE

@orhun
Copy link
Author

orhun commented Jun 16, 2023

@StevenMacias done! Thanks for the suggestion.

@trclst
Copy link

trclst commented Nov 9, 2023

mount LABEL=EFI /mnt/boot current at line 177

is a problem because later if you install systemd-boot the following message appears:

⚠️ Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/boot/loader/.#bootctlrandom-seedX' is world accessible, which is a security hole! ⚠️

The fix would be using the following mount options and replace line 177:

mount -o fmask=0137,dmask=0027 LABEL=EFI /mnt/boot

@IPlayZed
Copy link

IPlayZed commented Nov 9, 2023

mount LABEL=EFI /mnt/boot current at line 177

is a problem because later if you install systemd-boot the following message appears:

⚠️ Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/boot/loader/.#bootctlrandom-seedX' is world accessible, which is a security hole! ⚠️

The fix would be using the following mount options and replace line 177:

mount -o fmask=0137,dmask=0027 LABEL=EFI /mnt/boot

This is good, but not enough. One could easily change the seed when booting into another OS. You should have boot encrypted. Also, boot should not be the same as the EFI partition, should not be a FAT32 partition, should be encrypted, should be GUID type XBOOTLDR and should be mounted from the signed UKI.

@trclst
Copy link

trclst commented Nov 9, 2023

Another thing I noticed the request to install the filesystem tools in chroot is missing. in this case xfsprogs.. mkinitcpio complain about missing fsck.

@orhun
Copy link
Author

orhun commented Nov 10, 2023

mount -o fmask=0137,dmask=0027 LABEL=EFI /mnt/boot

Good catch!

This is good, but not enough.

Should I add this to the document?

xfsprogs

So just pacman -S?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment