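# --- Live ISO: console, network, clock ---------------------------------------
setfont latarcyrheb-sun32          # large console font for a HiDPI panel
wifi-menu                          # interactive Wi-Fi setup (netctl, live ISO only)
timedatectl set-ntp 1
timedatectl set-timezone Europe/Amsterdam
hwclock --systohc --utc

# --- Partitioning: nvme0n1p1 = EFI system partition (FAT32, mounted at /boot),
#     nvme0n1p2 = LUKS2 container holding an LVM volume group ------------------
gdisk /dev/nvme0n1                 # interactive; create the two partitions above

# LUKS2 with AES-XTS; -y asks for the passphrase twice. --use-random selects the
# kernel RNG for the volume key and is harmless where newer cryptsetup ignores it.
cryptsetup luksFormat --type=luks2 --verbose -c aes-xts-plain64 -y --use-random /dev/nvme0n1p2
lsblk
mkfs.vfat -F32 /dev/nvme0n1p1
cryptsetup open /dev/nvme0n1p2 luks  # mapper name "luks" is reused in the loader entry (luks.name=...=luks)

# LVM inside the LUKS container. Swap lives inside LUKS too, so hibernation
# images are encrypted.
pvcreate /dev/mapper/luks
vgcreate xps /dev/mapper/luks
lvcreate -L 16G xps -n swap
lvcreate -L 32G xps -n root
lvcreate -L 64G xps -n docker
lvcreate -l 100%FREE xps -n home
mkfs.ext4 /dev/xps/root
mkfs.ext4 /dev/xps/docker        # NOTE(review): never mounted or added to fstab in this guide (presumably meant for /var/lib/docker)
mkfs.ext4 /dev/xps/home
mkswap /dev/xps/swap

mount /dev/xps/root /mnt
mkdir -p /mnt/{home,boot}
mount /dev/xps/home /mnt/home
# Unencrypted ESP: kernel, initramfs, microcode and loader entries live here
# and can be altered offline; see the Secure Boot / TPM sections for what is
# and is not protected.
mount /dev/nvme0n1p1 /mnt/boot
swapon /dev/xps/swap

# `base` no longer pulls in the kernel or lvm2 on current Arch, so list what the
# rest of this guide relies on explicitly (mkinitcpio -p linux, the sd-lvm2
# hook). Harmless if base already provides them.
pacstrap /mnt base base-devel linux linux-firmware lvm2 zsh vim git efibootmgr dialog wpa_supplicant
# -L prefers filesystem labels; none were set above, so genfstab falls back to
# the (stable) /dev/mapper paths for the LVM volumes.
genfstab -L /mnt >> /mnt/etc/fstab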
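# --- Enter the new system ------------------------------------------------------
# arch-install-scripts provides arch-chroot; the original's `arch-bootstrap`
# is not a command in that package.
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
hwclock --systohc
vim /etc/locale.gen                # uncomment en_US.UTF-8 UTF-8
locale-gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf
# Absolute path: the original wrote the relative `etc/vconsole.conf` into the
# chroot's current directory, so the console keymap/font never reached /etc.
echo 'KEYMAP=us' > /etc/vconsole.conf
echo 'FONT=latarcyrheb-sun32' >> /etc/vconsole.conf
echo xps > /etc/hostname
# hostnamectl needs a running systemd (PID 1) and D-Bus, which the chroot does
# not have; /etc/hostname above is what is read at boot.
# hostnamectl
passwd                             # root password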
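# Edit the HOOKS line of /etc/mkinitcpio.conf first (see the HOOKS listing
# below), then build the initramfs; the original built before editing and had
# to rebuild later.
vim /etc/mkinitcpio.conf
mkinitcpio -p linux
bootctl --path=/boot install
# Arch ships Intel microcode as `intel-ucode`; `intel-microcode` does not exist
# as a package and that line failed in the original.
pacman -S intel-ucode

# Loader entry. Capture the LUKS UUID into a variable instead of appending the
# raw UUID to the entry file and hand-editing it. luks.name=<UUID>=luks matches
# the mapper name chosen with `cryptsetup open ... luks`, root= is the LV inside it.
LUKS_UUID=$(cryptsetup luksUUID /dev/nvme0n1p2)
cat > /boot/loader/entries/arch.conf <<EOF
title Arch
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rw luks.name=${LUKS_UUID}=luks root=/dev/xps/root resume=/dev/xps/swap mem_sleep_default=deep rng_core.default_quality=1000
EOF
# NOTE(review): rng_core.default_quality=1000 tells the kernel to credit hardware
# RNG output (presumably the TPM's hwrng here) as near-fully trusted entropy for
# drivers that do not declare their own quality. That is a trust decision about
# the hardware RNG, not a performance knob — drop it unless that is intended.
# NOTE(review): tpm2-unseal.service (below) writes the key to /luks, but this
# command line passes no luks.key=; confirm how systemd-cryptsetup is expected
# to find that file, otherwise it will prompt for the passphrase every boot.
cat > /boot/loader/loader.conf <<EOF
default arch
EOF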
# /etc/mkinitcpio.conf — systemd-based initramfs (sd-* hooks). Hooks are
# processed in the listed order. The custom sd-tpm2 hook (defined further down
# in this gist) ships the unit that unseals the LUKS key before
# cryptsetup-pre.target; sd-encrypt then opens the container and sd-lvm2
# activates the volume group so `filesystems` can mount root.
# NOTE(review): newer mkinitcpio replaced sd-lvm2 with plain lvm2; check the
# installed version before copying this line.
HOOKS=(
  base
  systemd
  autodetect
  sd-tpm2
  modconf
  block
  keyboard
  sd-vconsole
  sd-encrypt
  sd-lvm2
  filesystems
)
# --- First boot into the installed system --------------------------------------
wifi-menu                          # netctl Wi-Fi again; NetworkManager is set up later
vim /etc/pacman.d/mirrorlist
pacman -Syu
# ip(8) and the TPM2 userland needed to seal the LUKS key in the next step.
pacman -S iproute2 tpm2-tools
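# --- TPM2: create a second LUKS key that the TPM will release at boot ----------
# Create the key with a restrictive umask. The original chmod'ed it to 000 only
# after luksAddKey had run, so under the default umask 022 the raw key sat
# world-readable in /root for that window. /root is on the root LV inside LUKS,
# so the file is at least not exposed to offline reads.
( umask 077; dd if=/dev/random of=/root/luks.key iflag=fullblock bs=32 count=1 status=none )
# Adds the key to a free keyslot; prompts for the existing passphrase.
cryptsetup luksAddKey /dev/nvme0n1p2 /root/luks.key --verbose
# Root bypasses mode bits, so 000 is belt-and-braces; the file must stay around
# because the re-sealing script below reads it each time the PCRs change.
chmod 000 /root/luks.key
# Inspect current PCR values before sealing to them.
tpm2_pcrread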
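#!/bin/bash
# Re-seal the LUKS key to the TPM whenever the PCR values change (firmware
# update, Secure Boot key changes, boot loader update). Run as root after
# confirming with tpm2_pcrread that the machine is in a state you trust —
# sealing to PCRs is only as good as the state you seal in.
set -euo pipefail

key=/root/luks.key          # created above; mode 000, readable by root
handle=0x81000000           # must match -c in tpm2-unseal.service
pcrs=sha1:0,1,2,3,4,5,6,7   # must match -p in tpm2-unseal.service

# Scratch space for the key blobs and policy digest; removed on any exit path
# (the original left them behind if a step failed).
work=$(mktemp -d)
trap 'rm -rf -- "$work"' EXIT
cd "$work"

# Drop the previous persistent object. On the first run there is none, so a
# failure here is expected and ignored.
tpm2_evictcontrol -C o -c "$handle" || true

# Policy: unsealing requires PCRs 0-7 (firmware, option ROMs, boot loader,
# Secure Boot state) to equal their current values.
# NOTE(review): this is the sha1 bank; prefer sha256 where the firmware
# supports it, and change the service in lockstep. PCRs 0-7 do not cover the
# initramfs or the kernel command line as far as this setup shows, so those
# can be altered on the unencrypted ESP without invalidating the policy.
tpm2_createpolicy --policy-pcr -l "$pcrs" -L policy.digest
tpm2_createprimary -C o -c primary.ctx
# Seal the key under the policy. userwithauth is deliberately absent from the
# attribute list, so user-role actions (unseal) need the PCR policy rather
# than a password; fixedtpm|fixedparent pin the object to this TPM; noda
# exempts it from the dictionary-attack lockout counter.
tpm2_create -C primary.ctx -u obj.pub -r obj.priv -L policy.digest \
    -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i "$key"
tpm2_flushcontext -t
tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c load.ctx
# Persist at the exact handle the unseal service uses instead of letting the
# TPM pick the next free one.
tpm2_evictcontrol -C o -c load.ctx "$handle"
tpm2_flushcontext -t
tpm2_getcap handles-persistent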
# fwupd: firmware updates via LVFS; throttled: presumably the source of the
# lenovo_fix.service enabled later in this guide.
pacman -S fwupd throttled
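#!/bin/bash
# /etc/initcpio/install/sd-tpm2 — mkinitcpio install hook that ships tpm2_unseal
# and a unit that releases the LUKS key from the TPM before cryptsetup runs.
build() {
    # TPM drivers: CRB (firmware TPMs on modern boards) and TIS (discrete chips).
    add_module "tpm_crb"
    add_module "tpm_tis"
    add_binary "tpm2_unseal"
    # The TCTI backend is loaded dynamically at runtime, so add_binary's shared
    # library resolution does not pick it up; add it explicitly.
    add_binary "/usr/lib/libtss2-tcti-device.so"
    add_systemd_unit "cryptsetup-pre.target"
    add_systemd_unit "tpm2-unseal.service"
    # Both links go under sysinit.target.wants. The original named the first
    # link cryptsetup-pre.service while pointing it at cryptsetup-pre.target,
    # so the target was never actually pulled in.
    add_symlink "/usr/lib/systemd/system/sysinit.target.wants/cryptsetup-pre.target" "../cryptsetup-pre.target"
    add_symlink "/usr/lib/systemd/system/sysinit.target.wants/tpm2-unseal.service" "../tpm2-unseal.service"
}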
# mkinitcpio hook help text, printed by `mkinitcpio -H sd-tpm2`.
help() {
    printf '%s\n' 'This hook allows for reading the encryption key from TPM.'
}
# Create systemd service /usr/lib/systemd/system/tpm2-unseal.service
# Runs inside the initramfs (shipped by the sd-tpm2 hook) and writes the
# unsealed LUKS key to /luks before systemd-cryptsetup starts.
[Unit]
Description=Get key from TPM
# cryptsetup-pre.target is the ordering point for units that must finish before
# any systemd-cryptsetup@ instance starts.
Before=cryptsetup-pre.target
# No default dependencies: this has to run in early boot, before sysinit.target
# completes, which default deps would forbid.
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/bin/modprobe -a -q tpm_crb tpm_tis
# Unseal persistent object 0x81000000 under the PCR 0-7 (sha1 bank) policy the
# sealing script used; handle and PCR list must stay in sync with that script.
# If the PCR values changed (firmware update, Secure Boot change) this fails
# and boot should fall back to the passphrase prompt.
# NOTE(review): /luks holds the raw key in the in-memory initramfs root and
# nothing here removes it after the volume is open. The kernel command line in
# this gist also passes no luks.key=/luks, so confirm how systemd-cryptsetup
# is expected to consume this file.
ExecStart=/usr/bin/tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /luks
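# --- Base services and the user account (still as root) -----------------------
pacman -S docker networkmanager
# lenovo_fix.service is presumably provided by the throttled package installed above.
systemctl enable NetworkManager docker systemd-resolved lenovo_fix.service
# wheel only grants anything if sudoers says so (e.g. `%wheel ALL=(ALL) ALL` via
# visudo), and sudo then asks for the user's own password — which the original
# never set, so every later `sudo` would have failed.
useradd -m -G wheel -s /bin/zsh ymatsiuk
passwd ymatsiuk
su - ymatsiuk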
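# --- AUR helper, built as the unprivileged user --------------------------------
cd /tmp || exit 1
git clone https://aur.archlinux.org/yay.git
cd yay/ || exit 1
# AUR content is untrusted input: read the PKGBUILD (and any .install file)
# before makepkg executes it.
less PKGBUILD
makepkg -si
yay -S s-tui-git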
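# --- Desktop packages (as ymatsiuk; plain pacman needs sudo here, the original
#     ran it unprivileged and it would have failed) ----------------------------
sudo pacman -S xf86-video-intel jq termite termite-terminfo
yay -S ttf-font-awesome-4
yay -S firefox
yay -S vulkan-intel
# NOTE(review): `pactl` is a binary shipped by the pulseaudio packages, not a
# package name; check this line.
yay -S i3blocks pactl lastpass-cli gnome-keyring htop keybase keybase-gui slack-desktop code
# Membership in `docker` is root-equivalent: the daemon socket lets the user
# start a privileged container with the host filesystem mounted. Treat it like
# passwordless sudo.
sudo usermod -aG video,audio,docker ymatsiuk
yay -S acpi sysstat
yay -S pulseaudio pulseaudio-alsa
yay -S strace
yay -S i3-gaps i3blocks i3status i3lock dmenu alsa-utils feh compton xorg-xbacklight arandr playerctl lightdm lightdm-gtk-greeter
sudo pacman -S xterm xorg-server xorg-apps xorg-xinit   # xf86-video-intel already installed above
# ttf-mac-fonts was listed twice in the original; once is enough.
yay -S ttf-mac-fonts ttf-bitstream-vera ttf-croscore ttf-dejavu ttf-droid ttf-roboto noto-fonts ttf-liberation ttf-ubuntu-font-family xdotool wmctrl ttf-google-fonts-git ttf-ms-fonts adobe-source-code-pro-fonts noto-fonts-emoji otf-ipafont ttf-hanazono ttf-inconsolata
yay -S openvpn bind-tools xorg-xbacklight kubectl ffmpeg network-manager-applet zathura nvme-cli systemd-swap util-linux lshw dmidecode spotify
sudo systemctl enable lightdm
# docker was already enabled as root earlier in this guide; re-enabling is a no-op and was dropped.
fwupdmgr get-updates
yay -S scrot xcursor-themes wget wireless_tools dunst unzip awless howdy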
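# --- Hand-edited configuration (contents not recorded in this gist) -----------
# /etc/systemd/resolved.conf
# /etc/X11/xorg.conf.d/90-monitor.conf
# /etc/X11/xorg.conf.d/20-intel.conf

mkdir -p ~/bin
cd ~/bin || exit 1
# Credential helper fetched from an unpinned branch: pin a commit and read the
# script before handing it LastPass access. wget leaves it 0644, so git cannot
# execute it without the chmod.
wget https://raw.githubusercontent.com/lastpass/lastpass-cli/master/contrib/examples/git-credential-lastpass
chmod 0755 git-credential-lastpass
# Verify the Terraform archive against HashiCorp's published SHA256SUMS instead
# of trusting the download blindly. The SUMS file is itself GPG-signed by
# HashiCorp; verify that signature too before relying on it.
TF_VERSION=0.11.14
wget "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
wget "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_SHA256SUMS"
sha256sum -c --ignore-missing "terraform_${TF_VERSION}_SHA256SUMS" || exit 1
# The original had a bare `wget vault` with no URL; fetch Vault the same way
# (zip + SHA256SUMS) when it is needed.
git config --global credential.helper lastpass

# howdy: the original `cp /usr/lib/security/howdy/config.ini` had no
# destination, so nothing was copied; copy it to wherever you intend to edit it.
# Face recognition is a convenience factor, not a strong authenticator. With
# the usual `auth sufficient` line in /etc/pam.d/sudo a face match alone
# authorizes root; use `required` if it should be in addition to the password,
# and weigh that trade-off before enabling it at all.
# add howdy into /etc/pam.d/sudo
sudo cat /sys/kernel/debug/dri/0/i915_huc_load_status
sudo cat /sys/kernel/debug/dri/0/i915_guc_load_status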
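###
### Secure Boot: generate a custom PK / KEK / db chain, sign the boot loader
### and kernel, and stage the public material for enrollment from firmware setup.
###
# Private keys are created unencrypted (-nodes); whoever holds db.key can sign
# arbitrary boot code, and PK.key/KEK.key can re-key the machine. Create them
# 0600 from the start and move PK.key/KEK.key offline once enrollment is done.
umask 077
uuidgen --random > GUID.txt
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
# Signed *empty* PK update: lets you clear the PK (back to setup mode) later
# without needing PK.key on the machine.
sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth
# KEK is signed by PK and db by KEK — the chain the firmware verifies on enrollment.
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth

# Sign what the firmware executes. bootctl installs the loader twice — the
# EFI/BOOT/BOOTX64.EFI fallback and EFI/systemd/systemd-bootx64.efi, which the
# boot entry it registers points at — so sign both or the registered entry
# fails under Secure Boot.
sudo sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux
sudo sbsign --key db.key --cert db.crt --output /boot/EFI/boot/bootx64.efi /boot/EFI/boot/bootx64.efi
sudo sbsign --key db.key --cert db.crt --output /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/systemd-bootx64.efi
# NOTE(review): only the kernel image is signed. initramfs-linux.img,
# intel-ucode.img and the loader entries (kernel command line) on the ESP are
# not verified by Secure Boot nor, as far as this gist shows, covered by the
# PCR 0-7 TPM policy, so offline tampering with them bypasses both. Kernel and
# systemd upgrades also overwrite the signed files — re-sign on upgrade (pacman
# hook) or move to a unified kernel image.
# NOTE(review): enrolling only these keys drops the vendor/Microsoft db entries;
# signed option ROMs or fwupd's UEFI capsule updater may stop loading.

# Stage the public material on a removable card. This FORMATS mmcblk0p1 —
# confirm the device first.
lsblk /dev/mmcblk0
sudo mkfs.vfat -F32 /dev/mmcblk0p1
mkdir -p /tmp/disk
sudo mount /dev/mmcblk0p1 /tmp/disk
# Only .cer/.esl/.auth (public) go on the card — never the .key files.
sudo cp *.cer *.esl *.auth /tmp/disk
sudo umount /tmp/disk
sudo systemctl reboot --firmware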
# Reference unit (contents follow): per-user screen lock pulled in by the sleep targets.
cat /usr/lib/systemd/system/i3lock@.service
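[Unit]
Description = Lock screen when going to sleep/suspend/hibernate
# WantedBy= only pulls the unit in; it does not order it. Without Before=
# the locker races systemd-suspend.service and can come up after resume,
# leaving the session unlocked. sleep.target is the documented ordering point
# for units that must run before the system sleeps.
Before=sleep.target
[Service]
User=%I
# NOTE(review): with Type=simple the unit counts as started as soon as the
# process is forked, so the ordering above only guarantees the lock is up if
# lock.sh (not shown) blocks until the screen is locked; otherwise use a
# locker that forks after locking together with Type=forking.
Type=simple
Environment=DISPLAY=:0
ExecStart=/usr/bin/lock.sh
TimeoutSec=infinity
[Install]
WantedBy=sleep.target
WantedBy=suspend.target
WantedBy=hibernate.target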
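# Install the lock script for the unit above. `mv` keeps the file's user
# ownership, leaving it writable by the very account it locks out; anything
# running as that user could then swap in a no-op locker. Make it root-owned
# and not writable by others.
sudo mv screen-lock.sh /usr/bin/lock.sh
sudo chown root:root /usr/bin/lock.sh
sudo chmod 0755 /usr/bin/lock.sh
sudo systemctl enable i3lock@ymatsiuk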