@thefekete
Last active June 12, 2018 12:05
Lenovo 120s-11IAP Arch Base Install

Installation Media

Download the Arch installation ISO and verify its PGP signature (the .sig file next to it on the download page) before writing it to a USB flash drive. Replace sdX with the USB device as shown by lsblk; dd overwrites whatever you point it at without asking:

dd bs=4M if=~/Downloads/archlinux.iso of=/dev/sdX status=progress && sync

Booting the Installer

In order to boot the Arch install ISO, a couple of changes must be made in the firmware setup (the "BIOS"[1]):

  1. Enter the firmware setup by pressing <F2>[2] repeatedly during power up.
  2. Under the Configuration tab:
     a. Optional: set Hotkey Mode to 'Disabled' so the function keys act as plain <F1>, <F2>, etc. and the hotkeys (Volume, Airplane Mode, ...) need the <Fn> key.
     b. Optional: set Intel Virtual Technology to 'Enabled' if you intend to run VMs; without it the hypervisor cannot use VT-x[3].
  3. Under the Security tab:
     a. Set Intel Platform Trust Technology to 'Disabled' (PTT is the firmware TPM; nothing in this guide uses it).
     b. Set Secure Boot to 'Disabled'. The archiso and the systemd-boot setup below are not signed with a key this firmware trusts, so it has to stay off. Keep in mind what that means for this layout: /boot is an unencrypted FAT partition and nothing checks the kernel or initramfs before they ask for the LUKS passphrase, so anyone with physical access can swap them (the usual caveat of an unsigned boot chain).
  4. Under the Boot tab:
     a. Make sure USB Boot is 'Enabled'.
     b. Change the boot order so the system boots from USB before the internal eMMC.

Now reboot with the Arch installation USB drive inserted, select 'Arch Linux archiso x86_64 UEFI CD' and hit <Enter>.

Preliminary Setup

Set the keyboard layout, if needed. <keymap_file> should be one of the files under /usr/share/kbd/keymaps.

loadkeys <keymap_file>

Arch requires an internet connection to install. Unless you have a USB Ethernet adapter for the 120s, you'll need to connect to your WiFi. On the 2018 ISO the tool for that is wifi-menu (from netctl); current ISOs ship iwd instead, where the equivalent is iwctl:

wifi-menu

Set the clock using NTP:

timedatectl set-ntp true

Set up pacman and install the packages needed during the install. Restricting reflector to HTTPS mirrors keeps the package downloads (which pacman also verifies by signature) off plain HTTP:

pacman --noconfirm -Sy          # refresh the live ISO's package database
pacman --noconfirm -S reflector
reflector --verbose --protocol https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
pacman --noconfirm -S pv        # progress meter used for the wash below

Preparing the Filesystem

We need to set up the following partition layout:

/dev/mmcblk0: GPT Partition Table
├── /dev/mmcblk0p1: EFI System Partition (512MiB, unencrypted; holds the bootloader, kernel and initramfs)
└── /dev/mmcblk0p2: Encrypted Main Partition (the rest)
        └── /dev/mapper/luks: LUKS2 Encrypted Layer
            └── vg0 LVM Layer
                ├── / root volume (the rest)
                └── swap (at least the size of RAM, since it also holds the hibernation image)

Partition the Internal Flash

You can set this up with fdisk, parted or whatever you're most comfortable with. If you need help, check out the ArchWiki article on Partitioning.

Here's an example using parted. The ESP starts at 1MiB so both partitions stay aligned on the eMMC:

parted --script /dev/mmcblk0 -- \
  mklabel gpt \
  mkpart ESP fat32 1MiB 512MiB \
  set 1 boot on \
  mkpart primary ext4 512MiB 100% \
  print

Wash the Main Partition

Before creating the encrypted filesystem, fill the partition with random-looking data[4]. Without this, an attacker who images the eMMC can tell which blocks hold ciphertext and which were never written, and anything stored on the device before this install remains readable. Two caveats: flash wear levelling can keep old blocks out of reach of any overwrite, so the wash does not reliably destroy data that was already there (the eMMC's own secure-erase command is the tool for that), and enabling TRIM/discard on the LUKS volume later reintroduces the used/unused distinction.

/dev/urandom can be pretty slow, but if a temporary dm-crypt mapping is made with a one-time random key, then simply writing zeroes to the mapping produces ciphertext on the block device that is indistinguishable from random data. Since the key was read straight from /dev/urandom and never saved, it cannot be recovered afterwards.

Here's how to do it:

cryptsetup open --type plain -d /dev/urandom /dev/mmcblk0p2 wash   # 'cryptsetup create' is the old spelling of this
pv -s "$(blockdev --getsize64 /dev/mmcblk0p2)" /dev/zero >/dev/mapper/wash   # ends with 'No space left on device', which is expected; about 25 min on 64G
cryptsetup close wash
  1. Create the temporary plain dm-crypt device called wash; -d /dev/urandom makes cryptsetup read a fresh random key of the default key size from it.
  2. Pipe zeroes with pv into the mapped device so we have a nice progress bar to watch; sizing pv from blockdev --getsize64 makes the bar read 100% at the end instead of guessing 64G.
  3. Close the device.

Create LUKS Layer

This will format the device as a LUKS2 container. Confirm the overwrite by typing YES in capitals, then enter a passphrase when prompted and DO NOT LOSE IT: without it (or the header backup described under IMPORTANT NOTES) the data is gone.

cryptsetup -v luksFormat --type luks2 /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 luks

The LUKS layer is now set up and ready to use.

Create root and swap LVM Volumes

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -L 4G vg0 -n swap        # size of RAM, so the hibernation image fits
lvcreate -l 100%FREE vg0 -n root  # the rest (lowercase -l takes extents or a percentage; -L only takes absolute sizes)

You can check that the volumes were created properly with the lvdisplay command.

Format and Mount Partitions

mkfs.fat -F32 -n EFIBOOT /dev/mmcblk0p1
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

mount -o noatime /dev/mapper/vg0-root /mnt
swapon /dev/mapper/vg0-swap
mkdir /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot

For a little better performance, at the risk of losing work after an unclean shutdown, we can change the commit and data mount options for the root filesystem:

umount -R /mnt
mount -o noatime,commit=300,data=writeback /dev/mapper/vg0-root /mnt
mount /dev/mmcblk0p1 /mnt/boot

commit=300 only flushes the journal every 5 minutes (unless an application calls sync(2)), and data=writeback drops the ordering guarantee between file data and metadata. After an unclean shutdown your last 5 minutes of work may disappear, and a file that was being extended may contain stale blocks from whatever was on disk before (ext4's default data=ordered writes the data before committing the metadata, which is what prevents that). See the ext4(5) manpage for details.

Install the Base System

Make sure you're still connected to the internet, then install the base system and generate /etc/fstab. On the 2018 ISO the base group pulled in the kernel, lvm2 and cryptsetup; on current ISOs base is a small metapackage, so name them explicitly:

pacstrap /mnt base linux linux-firmware lvm2 cryptsetup
genfstab -U /mnt | tee -a /mnt/etc/fstab   # -U: use UUIDs; genfstab needs the mount point as argument

chroot Into Target Install and Finish up

First chroot into /mnt:

arch-chroot /mnt

Then configure timezone and clock:

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime  # select timezone
hwclock --systohc --utc  # set system clock to UTC

Set the locale by editing /etc/locale.gen and generate locale info:

nano /etc/locale.gen  # uncomment your locale(s)
locale-gen
export LANG=en_US.UTF-8
echo LANG=$LANG >/etc/locale.conf  # select language

Generating the initramfs, leaving the chroot and rebooting are the last steps of this section, not the next ones: do them only after the hostname, packages, bootloader and mkinitcpio hooks below are in place, otherwise the initramfs is built without the encrypt and lvm2 hooks and the system will not boot. The commands, for when you get there:

mkinitcpio -p linux   # build the initramfs with the hooks from /etc/mkinitcpio.conf
exit
umount -R /mnt
reboot

Set hostname and configure /etc/hosts:

echo "MyHostname" >/etc/hostname
cat >/etc/hosts <<EOF
127.0.0.1	localhost
::1		localhost
127.0.1.1	$(cat /etc/hostname).localdomain
EOF

Now we need to install a minimal amount of software to make the base system usable (netctl provides wifi-menu; it was part of the 2018 base group but is not pulled in by today's base metapackage):

pacman -S dialog wpa_supplicant netctl

Set the root password:

passwd

Install bootloader:

bootctl --path=/boot install

Edit /etc/mkinitcpio.conf so the initramfs can unlock the LUKS container, activate the volume group and find the hibernation image. The order matters: keyboard and keymap must precede encrypt (so you can type the passphrase), encrypt must precede lvm2, and resume must come after lvm2 but before filesystems:

MODULES=(ext4)
...
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck)

Create /boot/loader/entries/arch.conf. blkid gives the UUID of the LUKS partition directly, which is less fragile than grepping ls output:

cat >/boot/loader/entries/arch.conf <<EOF
title	Arch Linux
linux	/vmlinuz-linux
initrd	/initramfs-linux.img
options cryptdevice=UUID=$(blkid -s UUID -o value /dev/mmcblk0p2):vg0 resume=/dev/mapper/vg0-swap root=/dev/mapper/vg0-root rw quiet
EOF

Create /boot/loader/loader.conf. editor no stops anyone at the boot menu from editing the kernel command line (with the default editor yes, pressing e lets you add e.g. init=/bin/sh; the passphrase prompt still stands between them and your data, but there is no reason to leave it open):

cat >/boot/loader/loader.conf <<EOF
timeout 1
default arch
editor no
EOF
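Before running mkinitcpio and rebooting, it is worth checking that the pieces configured above agree with each other: the HOOKS order in /etc/mkinitcpio.conf, the cryptdevice UUID in arch.conf against the real partition, and the LVM device nodes the entry points at. The script below is an added example (not part of the gist) that does exactly that. It assumes the names used on this page (/etc/mkinitcpio.conf, /boot/loader/entries/arch.conf, /dev/mmcblk0p2 which can be overridden with LUKS_PART, and volume group vg0); run it with --system as root inside the chroot, and without arguments it runs the checks on constructed sample input.

```shell
#!/bin/sh
# Pre-reboot sanity check for the LUKS2-on-LVM layout on this page.
# Added example, not part of the original gist. Assumed names: /etc/mkinitcpio.conf,
# /boot/loader/entries/arch.conf, /dev/mmcblk0p2 (override with LUKS_PART), vg0.

# Print the contents of the HOOKS=(...) line from a mkinitcpio.conf read on stdin.
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))/\1/p' | tail -n 1
}

# True if hook $2 appears before hook $3 in the space-separated list $1.
hooks_in_order() {
    pos_a=0; pos_b=0; pos=0
    for hook in $1; do
        pos=$((pos + 1))
        if [ "$hook" = "$2" ]; then pos_a=$pos; fi
        if [ "$hook" = "$3" ]; then pos_b=$pos; fi
    done
    [ "$pos_a" -gt 0 ] && [ "$pos_b" -gt 0 ] && [ "$pos_a" -lt "$pos_b" ]
}

# Report every ordering rule the encrypt/lvm2/resume stack violates in hook list $1.
check_hooks() {
    hooklist=$1
    problems=0
    for rule in "keyboard encrypt" "keymap encrypt" "encrypt lvm2" "lvm2 resume" "resume filesystems"; do
        before=${rule% *}
        after=${rule#* }
        if ! hooks_in_order "$hooklist" "$before" "$after"; then
            echo "HOOKS: '$before' must come before '$after'"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# True if $1 looks like a UUID as printed by blkid.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the UUID from 'cryptdevice=UUID=<uuid>:<name>' in a loader entry read on stdin.
cryptdevice_uuid_from_entry() {
    sed -n 's/.*cryptdevice=UUID=\([^:[:space:]]*\):.*/\1/p' | head -n 1
}

# Live checks, run as root from inside the chroot before rebooting.
check_system() {
    luks_part=${LUKS_PART:-/dev/mmcblk0p2}
    status=0
    if ! check_hooks "$(hooks_from_conf </etc/mkinitcpio.conf)"; then
        status=1
    fi
    want=$(blkid -s UUID -o value "$luks_part")
    have=$(cryptdevice_uuid_from_entry </boot/loader/entries/arch.conf)
    if ! is_uuid "$have" || [ "$have" != "$want" ]; then
        echo "arch.conf cryptdevice UUID '$have' does not match $luks_part ('$want')"
        status=1
    fi
    for dev in /dev/mapper/vg0-root /dev/mapper/vg0-swap; do
        if [ ! -e "$dev" ]; then
            echo "$dev is missing; root=/resume= in arch.conf point at nothing"
            status=1
        fi
    done
    return $status
}

if [ "${1:-}" = "--system" ]; then
    check_system && echo "OK: safe to reboot"
else
    # Constructed samples (not from a real machine): the HOOKS line from this page,
    # and one with resume placed before lvm2, which would leave hibernation broken.
    good="base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck"
    bad="base udev autodetect modconf block keyboard keymap encrypt resume lvm2 filesystems fsck"
    check_hooks "$good" && echo "sample 1: hook order OK"
    check_hooks "$bad" || echo "sample 2: rejected, as expected"
fi
```

The hook rules are the ones mkinitcpio documents for this stack; the UUID comparison catches the classic mistake of pasting an entry from another machine, and the /dev/mapper check catches a volume group that was never activated inside the chroot.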

IMPORTANT NOTES

Backup the LUKS Header and LVM Configuration

https://calum.org/posts/backup-your-LUKS-header-and-LVM-config
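The commands behind that link, as an added example that is not part of the gist or of the linked post. A damaged LUKS2 header (the first few MiB of /dev/mmcblk0p2) makes the whole partition unrecoverable regardless of the passphrase, and a lost LVM metadata area makes the volumes hard to find even with the header intact. The script assumes the names used on this page (/dev/mmcblk0p2 and vg0, overridable through LUKS_PART and VG) and writes both backups to a directory you then copy off the machine.

```shell
#!/bin/sh
# Back up the LUKS2 header and LVM metadata of the layout used on this page.
# Added example, not part of the original gist. Assumed device names:
# /dev/mmcblk0p2 (override with LUKS_PART) and volume group vg0 (override with VG).
set -u

# Write the LUKS header to $2/luks-header-<basename of $1>.img, refuse to clobber an
# existing backup, lock the file down, and verify that it parses as a LUKS header.
backup_luks_header() {
    dev=$1; outdir=$2
    out="$outdir/luks-header-$(basename "$dev").img"
    mkdir -p "$outdir"
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing backup $out" >&2
        return 1
    fi
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
    chmod 600 "$out"
    # The backup is itself a valid LUKS header image, so luksDump can verify it.
    cryptsetup luksDump "$out" >/dev/null || { echo "backup $out does not parse" >&2; return 1; }
    echo "$out"
}

# Save the volume group metadata to $2/<vg>.vgcfg (vgcfgrestore rebuilds the LV table from it).
backup_lvm_config() {
    vg=$1; outdir=$2
    out="$outdir/$vg.vgcfg"
    mkdir -p "$outdir"
    vgcfgbackup -f "$out" "$vg" || return 1
    chmod 600 "$out"
    echo "$out"
}

# Caveat: a header backup freezes the key slots as they are now. If you later change
# or remove a passphrase, the old one still unlocks the disk for anyone holding this
# backup, so redo the backup and destroy the old copy after any key change.
if [ "${1:-}" = "--run" ]; then
    outdir=${2:-/root/disk-backup}
    backup_luks_header "${LUKS_PART:-/dev/mmcblk0p2}" "$outdir" && \
    backup_lvm_config "${VG:-vg0}" "$outdir" && \
    echo "copy $outdir somewhere off this machine; it is useless if the eMMC dies with it"
fi
```

Run it as root with --run [directory]; the header image is a few MiB and the vgcfg a few KiB, so they fit anywhere. Treat the header backup as sensitive: it is what an attacker would need alongside a guessed or leaked passphrase, and as noted in the comment it keeps revoked passphrases alive.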

Next Steps

Tune vm.swappiness and vm.vfs_cache_pressure. This site has a good explanation of these settings. Note that on Arch the persistent values are applied at boot by systemd-sysctl, which reads /etc/sysctl.d/*.conf and ignores /etc/sysctl.conf, so put them there:

sysctl -w vm.swappiness=1           # try hard not to swap (takes effect now)
sysctl -w vm.vfs_cache_pressure=50
echo "vm.swappiness = 1" >> /etc/sysctl.d/99-swap.conf
echo "vm.vfs_cache_pressure = 50" >> /etc/sysctl.d/99-swap.conf

Create your user. wheel is the only group sudo needs; supplementary groups such as adm, ftp, http, log, network, rfkill, sys, users and uucp each hand out extra access (adm and log can read the journal, http and ftp own the web and FTP roots, sys administers printers), so add them with usermod -aG only when something actually needs them:

useradd -m -G wheel <user_name>   # add adm,log,network,rfkill,... later with usermod -aG if something needs them
passwd <user_name>

Allow password-less sudo for users in the 'wheel' group. Full disk encryption only protects data at rest, though: once you are logged in, anything running as your user (a browser exploit, a script you pasted) can become root without a prompt, and the same applies if the laptop is taken while logged in or suspended. The safer default is the line above it in sudoers, '%wheel ALL=(ALL:ALL) ALL', which asks for your password. Either way, edit sudoers with visudo or run visudo -c afterwards; a syntax error in that file locks you out of sudo entirely. Newer sudo ships the line as '%wheel ALL=(ALL:ALL) NOPASSWD: ALL', so adjust the pattern if the sed below changes nothing:

sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' /etc/sudoers
visudo -c   # check the syntax before you log out

References

Footnotes

  1. I know it's EFI and not BIOS, but I'm not exactly sure what you call this configuration utility now..

  2. Note: you may need to press the <Fn> key in order to activate the <F1> to <F12> keys.

  3. This laptop is not exactly a powerhouse, so I'm not sure how many VMs you'll want to spin up, but the option is there.

  4. And check out this comment on that page.
