Download the Arch installation ISO, then write it to a USB flash drive (replace /dev/sdX with the flash drive's device node):
dd bs=4M if=~/Downloads/archlinux.iso of=/dev/sdX status=progress && sync
In order to boot the Arch install ISO, a couple of changes must be made to the BIOS[1] settings.
- Enter the BIOS configuration by pressing <F2>[2] repeatedly during power up.
- Under the Configuration tab:
  a. Optional: set Hotkey Mode to 'Disabled' to use the function keys as <F1>, <F2>, etc. and enable the hotkeys such as Volume, Airplane Mode, etc. with the <Fn> key.
  b. Optional: set Intel Virtual Technology to 'Disabled' to allow VMs to access virtualization optimisations[3].
- Under the Security tab:
  a. Set Intel Platform Trust Technology to 'Disabled'
  b. Set Secure Boot to 'Disabled'
- Under the Boot tab:
  a. Make sure USB Boot is 'Enabled'
  b. Change the boot order so that the system boots from USB before the internal eMMC card
Now reboot with the Arch installation USB drive inserted, select "Arch Linux archiso x86_64 UEFI CD" and hit <Enter>.
Set the keyboard layout, if needed. <keymap_file> should be one of the files under /usr/share/kbd/keymaps.
loadkeys <keymap_file>
Arch requires an internet connection to install. Unless you have a USB Ethernet adapter for the 120s, you'll need to connect to your WiFi:
wifi-menu
Set the clock using NTP:
timedatectl set-ntp true
Set up pacman and install the packages needed for the install:
pacman --noconfirm -Sy
pacman --noconfirm -S reflector
reflector --verbose -l 5 --sort rate --save /etc/pacman.d/mirrorlist
pacman --noconfirm -S pv
We need to set up the following partition layout:
/dev/mmcblk0: GPT Partition Table
├── /dev/mmcblk0p1: EFI Boot Partition (512MiB)
└── /dev/mmcblk0p2: Encrypted Main Partition (the rest)
    └── /dev/mapper/luks: LUKS2 Encrypted Layer
        └── vg0: LVM Layer
            ├── root: / partition (the rest)
            └── swap (1.5 x RAM)
You can set this up with fdisk, parted or whatever you're most comfortable with. If you need help, check out the ArchWiki article on Partitioning.
Here's an example using parted:
parted --script /dev/mmcblk0 -- \
mklabel gpt \
mkpart ESP fat32 64s 512MiB \
set 1 boot on \
mkpart primary ext4 512MiB -1s \
print
Before creating encrypted filesystems, the block device should be washed with random data[4]. This prevents an attacker from seeing how much of the partition is in use, and it overwrites any data that was already there.
/dev/urandom can be pretty slow, but if a temporary dm-crypt mapping is made with a one-time random key-file, then simply writing zeroes to the dm-crypt mapping will produce "random" data on the block device. Since we never saw or saved the key, it's effectively a random wash of data.
Here's how to do it:
cryptsetup create --key-file <(head -c300 /dev/urandom) wash /dev/mmcblk0p2
pv -s 64G /dev/zero >/dev/mapper/wash # takes about 25 min; ends with "No space left on device" once the mapping is full
cryptsetup close /dev/mapper/wash
- Create the temporary dm-crypt device called wash with a randomly generated key-file of sufficient length from /dev/urandom
- Pipe zeroes with pv into the encrypted device so we have a nice graphical progress bar to watch
- Close the device
Now format the partition as a LUKS2 device. Enter a passphrase when prompted and DO NOT LOSE IT.
cryptsetup -v luksFormat --type luks2 /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 luks
The LUKS layer is now set up and ready to use.
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -L 4G vg0 -n swap # size of RAM
lvcreate -l 100%FREE vg0 -n root # the rest (lowercase -l: size in extents/percent, -L takes an absolute size)
You can check that the volumes were created properly with the lvdisplay command.
mkfs.fat -F32 -n EFIBOOT /dev/mmcblk0p1
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
mount -o noatime /dev/mapper/vg0-root /mnt
swapon /dev/mapper/vg0-swap
mkdir /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot
For a little better performance, at the risk of losing work after an unclean shutdown, we can change the commit and data mount options for the root filesystem:
umount -R /mnt
mount -o noatime,commit=300,data=writeback /dev/mapper/vg0-root /mnt
mount /dev/mmcblk0p1 /mnt/boot
This will only sync the filesystem every 5 minutes (unless an application calls sync(2)) and writes metadata before data. This means that after an unclean shutdown, your last 5 minutes of work may disappear or files may contain old data. See the tune2fs(8) manpage for details.
Make sure you're still connected to the internet, then install the base package and generate /etc/fstab:
pacstrap /mnt base
genfstab -U -p /mnt | tee -a /mnt/etc/fstab # genfstab needs the mount point as its argument
First chroot into /mnt:
arch-chroot /mnt
Then configure timezone and clock:
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime # select timezone
hwclock --systohc --utc # set system clock to UTC
Set the locale by editing /etc/locale.gen and generate the locale info:
nano /etc/locale.gen # uncomment your locale(s)
locale-gen
export LANG=en_US.UTF-8
echo LANG=$LANG >/etc/locale.conf # select language
Generate the initramfs:
mkinitcpio -p linux
Exit the chroot and reboot the system:
exit
umount -R /mnt
reboot
Set the hostname and configure /etc/hosts:
echo "MyHostname" >/etc/hostname
cat >/etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
127.0.1.1 $(cat /etc/hostname).localdomain
EOF
Now we need to install a minimal amount of software to make the base system usable:
pacman -S dialog wpa_supplicant
Set the root password:
passwd
Install bootloader:
bootctl --path=/boot install
Edit /etc/mkinitcpio.conf so the initramfs can unlock the LUKS container and activate the LVM volumes (hook order matters: encrypt before lvm2, lvm2 before resume and filesystems):
MODULES=(ext4)
...
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck)
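As an added example that is not part of the original guide, a small POSIX sh check that validates the ordering of a HOOKS line before the initramfs is regenerated; the rule list and the two sample lines are constructed here, the first being this guide's own HOOKS line.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the HOOKS line
# before regenerating the initramfs. On this layout the order matters:
# keyboard/keymap before encrypt (passphrase prompt uses your layout),
# encrypt before lvm2 (vg0 lives inside the LUKS container), and
# lvm2 before resume and filesystems (swap and root are LVs inside vg0).

# hook_index LIST NAME: 1-based position of NAME in space-separated LIST, or 0.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks 'HOOKS=(...)': print "ok" (status 0) or the first violated
# rule (status 1).
check_hooks() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    if [ -z "$hooks" ]; then echo "no HOOKS=(...) line found"; return 1; fi
    # each rule is before:after
    for rule in keyboard:encrypt keymap:encrypt encrypt:lvm2 \
                lvm2:resume lvm2:filesystems resume:filesystems; do
        a=${rule%%:*}
        b=${rule#*:}
        ia=$(hook_index "$hooks" "$a")
        ib=$(hook_index "$hooks" "$b")
        if [ "$ia" -eq 0 ]; then echo "missing hook: $a"; return 1; fi
        if [ "$ib" -eq 0 ]; then echo "missing hook: $b"; return 1; fi
        if [ "$ia" -gt "$ib" ]; then echo "$a must come before $b"; return 1; fi
    done
    echo ok
}

# Constructed samples: the HOOKS line from this guide, and one with
# encrypt and lvm2 swapped.
GOOD='HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck)'
BAD='HOOKS=(base udev autodetect modconf block keyboard keymap lvm2 encrypt resume filesystems fsck)'
check_hooks "$GOOD"          # ok
check_hooks "$BAD" || true   # encrypt must come before lvm2
```

On the installed system, run `check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"` before `mkinitcpio -p linux`.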
Create /boot/loader/entries/arch.conf:
cat >/boot/loader/entries/arch.conf <<EOF
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=$(ls -l /dev/disk/by-uuid | awk '/mmcblk0p2/ {print $9}'):vg0 resume=/dev/mapper/vg0-swap root=/dev/mapper/vg0-root rw quiet
EOF
Create /boot/loader/loader.conf:
cat >/boot/loader/loader.conf <<EOF
timeout 1
default arch
EOF
Back up your LUKS header and LVM config; see https://calum.org/posts/backup-your-LUKS-header-and-LVM-config
Tune vm.swappiness and vm.vfs_cache_pressure. This site has a good explanation of these settings.
sysctl vm.swappiness=1 # try hard not to swap
sysctl vm.vfs_cache_pressure=50
echo "vm.swappiness=1" >> /etc/sysctl.d/99-sysctl.conf # Arch's systemd-sysctl does not read /etc/sysctl.conf
echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.d/99-sysctl.conf
Create your user:
useradd -m -g wheel -G adm,ftp,http,log,network,rfkill,sys,users,uucp <user_name>
passwd <user_name>
Allow password-less sudo for users in the 'wheel' group. This shouldn't be a big issue since we are using full disk encryption, as long as you don't get your computer stolen while logged in and/or suspended. Feel free to uncomment the line above it instead for sudo access with a password.
sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' /etc/sudoers
Footnotes
1. I know it's EFI and not BIOS, but I'm not exactly sure what you call this configuration utility now. ↩
2. Note: you may need to press the <Fn> key in order to activate the <F1> to <F12> keys. ↩
3. This laptop is not exactly a powerhouse, so I'm not sure how many VMs you'll want to spin up, but the option is there. ↩