INSTALL_EFI.md

Arch installation guide covering the following topics

  • GPT partition and UEFI mode installation
  • Full disk encryption (including /boot; only the EFI system partition stays unencrypted)
  • LVM on LUKS partition scheme
  • Minimal system configuration including intel-ucode or amd-ucode update

Table of contents

  1. Create bootable install medium
  2. Create disk layout
  3. Install base system
  4. Install bootloader
  5. Configure users

Disk partition layout:

+----------------+-----------------+-----------------+
| EFI partition: | Volume 1:       | Volume 2:       |
|                |                 |                 |
| /boot/efi      | swap            | /               |
|                |                 |                 |
|                | /dev/vg0/swap   | /dev/vg0/root   |
| /dev/sda1      +-----------------+-----------------+
| unencrypted    | /dev/sda2 encrypted LVM on LUKS   |
+----------------+-----------------------------------+

1. Create bootable install medium

Get the latest iso, its detached signature and the checksums from a fast mirror. Arch publishes a new iso on the first of every month, so the file name carries that date.

$ wget https://mirror.puzzle.ch/archlinux/iso/latest/archlinux-$(date +%Y.%m.01)-x86_64.iso
$ wget https://mirror.puzzle.ch/archlinux/iso/latest/archlinux-$(date +%Y.%m.01)-x86_64.iso.sig
$ wget https://mirror.puzzle.ch/archlinux/iso/latest/sha256sums.txt

Validate the downloads. The checksum only catches a corrupted transfer, since it comes from the same mirror as the iso; the signature is what proves the image was built by Arch. gpg fetches the release key from the keyserver, so compare its fingerprint with the one published on the Arch website before trusting the result.

$ sha256sum --check --ignore-missing sha256sums.txt
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-*-x86_64.iso.sig

Create a bootable usb flash drive. Check with lsblk that /dev/sdX really is the usb drive, dd overwrites it without asking.

$ dd if=archlinux.iso of=/dev/sdX bs=1M status=progress && sync

Boot from the usb drive and check your internet connection, fix if necessary.

$ ping -c 3 google.com

Enable network time synchronization and check if the time got synchronized.

$ timedatectl set-ntp true
$ timedatectl status

Change keyboard layout and increase font size if needed.

$ setfont sun12x22
$ loadkeys de_CH-latin1

Check if your system is running in uefi mode. If /sys/firmware/efi/efivars does not exist, the machine booted in legacy BIOS mode and this guide does not apply.

$ ls /sys/firmware/efi/efivars
$ efibootmgr

2. Create disk layout

Create partitions according to the partitioning scheme above. Use a gpt partition table and do not forget to set the partition types: EFI System for the first partition (the firmware only looks for that type) and Linux LVM for the second.

$ fdisk /dev/sda

The partition table should look like the following example (gdisk notation, fdisk shows the same types by name).

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System
   2         1050624       976773133   465.3 GiB   8E00  Linux LVM

Create an encrypted container that will hold the logical volumes root and swap. Set a safe passphrase. The default cipher for LUKS is aes-xts-plain64, which means AES as cipher and XTS as mode of operation; this should be changed only under very rare circumstances. However, it is crucial to set the pbkdf to pbkdf2: grub has to unlock this container to read the kernel, and it does not support argon2 (argon2id is the LUKS2 default) so far (2024). pbkdf2 is far cheaper to brute force on GPUs than argon2, so compensate with a long passphrase and do not lower the iteration time (--iter-time, 2000 ms by default, benchmarked on the installer's CPU; grub's pbkdf2 implementation is slower than the kernel's, so expect the unlock at boot to take longer than that). cryptsetup luksDump /dev/sda2 shows the PBKDF of every keyslot; check it before building anything on top of the container.

$ cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 -c aes-xts-plain64 -s 512 /dev/sda2
$ cryptsetup open /dev/sda2 cryptlvm

Create a physical volume and a volume group inside the luks container.

$ pvcreate /dev/mapper/cryptlvm
$ vgcreate vg0 /dev/mapper/cryptlvm

Create the logical volumes.

$ lvcreate -L 32G vg0 -n swap # at least the size of your RAM if you want hibernation to work
$ lvcreate -l 100%FREE vg0 -n root

Create the filesystems.

$ mkfs.fat -F32 -n EFI /dev/sda1
$ mkfs.ext4 -L root /dev/mapper/vg0-root
$ mkswap -L swap /dev/mapper/vg0-swap

Mount everything on the live system.

$ mount /dev/mapper/vg0-root /mnt
$ mount --mkdir /dev/sda1 /mnt/boot/efi

Activate the swap volume.

$ swapon /dev/mapper/vg0-swap

Check all the filesystems.

$ lsblk

If the output looks like this you're good to go (sizes correspond to the 465.8G disk from the partition table above; the root volume is what is left after swap).

NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 465.8G  0 disk
├─sda1           8:1    0   512M  0 part  /mnt/boot/efi
└─sda2           8:2    0 465.3G  0 part
  └─cryptlvm   254:1    0 465.3G  0 crypt
    ├─vg0-swap 254:2    0    32G  0 lvm   [SWAP]
    └─vg0-root 254:3    0 433.3G  0 lvm   /mnt

3. Install base system

Install the base system and some further components using pacstrap.

$ pacstrap -K /mnt base base-devel grub efibootmgr lvm2 linux linux-firmware vim

Generate fstab with UUID representation.

$ genfstab -pU /mnt >> /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab). On Arch /tmp is normally already a tmpfs through systemd's tmp.mount, so this line mainly pins the options: nosuid and nodev keep setuid binaries and device nodes out of a world-writable directory.

tmpfs   /tmp    tmpfs   defaults,noatime,nosuid,nodev,mode=1777  0 0

Chroot into your new base system.

$ arch-chroot /mnt /bin/bash

Set timezone and set your hwclock to use utc format.

$ ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime
$ hwclock --systohc --utc

Configure your locales. Write the system locale explicitly; redirecting the output of locale would only copy the live environment's settings (C.UTF-8 on the installer) into the new system.

$ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
$ echo "de_CH.UTF-8 UTF-8" >> /etc/locale.gen
$ locale-gen
$ echo "LANG=en_US.UTF-8" > /etc/locale.conf

Set a hostname, keymap and nice console font.

$ echo "myhostname" > /etc/hostname
$ echo "127.0.1.1 myhostname.localdomain myhostname" >> /etc/hosts
$ echo "KEYMAP=de_CH-latin1" >> /etc/vconsole.conf
$ echo "FONT=lat9w-16" >> /etc/vconsole.conf
$ echo "FONT_MAP=8859-1_to_uni" >> /etc/vconsole.conf

Set a strong root password.

$ passwd

Change /etc/mkinitcpio.conf to support encryption. The HOOKS line has to look like the following. The order matters: keyboard and keymap come before encrypt so the passphrase prompt uses your layout, encrypt runs before lvm2 because the volume group lives inside the container, and resume comes after lvm2 because the swap volume only exists once the volume group is activated.

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 resume filesystems fsck)

4. Install bootloader

One limitation of this layout is that the passphrase has to be entered twice: once by grub, which must unlock the LUKS container to read the kernel and initramfs from /boot (which lives on the encrypted root), and once by the initramfs, which opens the container again for the real root. There are two ways around this:

  • The first one is to create a separate, unencrypted /boot partition.
  • The second is to embed a keyfile into the initramfs, which then opens the container without prompting.

I choose the second approach, as an unencrypted /boot poses potential risks to a system: the kernel and initramfs could be tampered with offline. Keep in mind that the EFI partition with the grub binary itself stays unencrypted either way; protecting it against the same kind of tampering requires Secure Boot, which is outside the scope of this guide. So there are some extra steps we need to take.

Create a keyfile and add it to your LUKS partition. The keyfile is 2048 random bits, so the strength of the key derivation does not matter for this slot; pass --pbkdf pbkdf2 anyway, because luksAddKey otherwise defaults to argon2id and grub would have to skip that slot. Keeping every slot on pbkdf2 keeps the header uniform and the boot-time behaviour predictable. install -D creates /etc/cryptsetup-keys.d if it does not exist yet.

$ dd bs=512 count=4 if=/dev/random iflag=fullblock | install -D -m 0600 /dev/stdin /etc/cryptsetup-keys.d/cryptlvm.key
$ cryptsetup -v luksAddKey --pbkdf pbkdf2 /dev/sda2 /etc/cryptsetup-keys.d/cryptlvm.key
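
Both the luksFormat in section 2 and the luksAddKey above must leave keyslots that grub can read. The following shell script is an added example and not part of the original guide: it parses the text printed by cryptsetup luksDump and fails if any keyslot uses something other than pbkdf2. The dump it ships with is a constructed sample (the layout is trimmed and the iteration counts are made up); on the real system pipe cryptsetup luksDump /dev/sda2 into it.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that every keyslot of a
# LUKS2 header uses pbkdf2, i.e. that grub will be able to unlock the container.
# Reads the output of `cryptsetup luksDump <device>` on stdin, prints one line
# per keyslot and exits 0 only if all slots use pbkdf2.

check_luks_pbkdf() {
    awk '
        # The keyslot section starts at "Keyslots:" and ends at the next
        # unindented header (Tokens:, Digests:). Each slot is introduced by a
        # line like "  1: luks2", followed by indented attributes such as
        # "PBKDF:      argon2id".
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        in_slots && /PBKDF:/ {
            if ($2 == "pbkdf2") {
                printf("keyslot %s: pbkdf2 (grub can unlock it)\n", slot)
            } else {
                bad++
                printf("keyslot %s: %s (grub cannot unlock it, re-add with --pbkdf pbkdf2)\n", slot, $2)
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample dump (trimmed, UUID and salts omitted, numbers made up):
# slot 0 was created with --pbkdf pbkdf2, slot 1 was added with a plain
# luksAddKey and therefore got the LUKS2 default argon2id.
sample_luks_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1412394
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 88274
EOF
}

# Demo on the constructed dump. On the installed system run:
#   cryptsetup luksDump /dev/sda2 | check_luks_pbkdf
sample_luks_dump | check_luks_pbkdf || echo "header has keyslots grub cannot use"
```

The Digests section of a real dump also contains a pbkdf2 entry, which is why the parser tracks the Keyslots section explicitly instead of grepping for PBKDF lines anywhere in the output.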

Add the key to your initramfs by listing the keyfile in the FILES array of /etc/mkinitcpio.conf.

FILES=(/etc/cryptsetup-keys.d/cryptlvm.key)

Regenerate the initrd image and check for errors. The image now contains the key, so make sure it is not world readable (the default mode is 644). /boot sits on the encrypted root, so this protects the key against other local users, not against offline access; re-check the mode after kernel updates regenerate the image.

$ mkinitcpio -p linux
$ chmod 600 /boot/initramfs-linux*.img

Change or add the following lines in /etc/default/grub. To determine the UUID of your crypto partition use blkid /dev/sda2 -s UUID -o value. cryptkey=rootfs:<path> tells the encrypt hook to read the key from the initramfs itself, so no second prompt appears.

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch Linux"
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=YOUR_DEVICE_UUID:cryptlvm root=/dev/mapper/vg0-root cryptkey=rootfs:/etc/cryptsetup-keys.d/cryptlvm.key resume=/dev/mapper/vg0-swap"

Install GRUB to your EFI partition. grub-install reads GRUB_ENABLE_CRYPTODISK from /etc/default/grub and embeds the cryptodisk and luks2 modules into the EFI image, so the config above has to be in place before this step.

$ grub-install --target=x86_64-efi --efi-directory=/boot/efi

I strongly recommend installing microcode updates for security reasons: they carry the CPU-side mitigations for speculative execution bugs. Arch's grub-mkconfig detects the image and adds it as an extra initrd, so no further configuration is necessary as long as the package is installed before the grub config is generated.

$ pacman -S intel-ucode # for intel processors
or
$ pacman -S amd-ucode # for amd processors

Generate grub config.

$ grub-mkconfig -o /boot/grub/grub.cfg
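
Before leaving the chroot it is worth checking that what grub and the initramfs will see is consistent, since a typo in the UUID or a forgotten GRUB_ENABLE_CRYPTODISK only shows up as an unbootable machine. The script below is an added example, not code from the guide. It assumes the names used in this guide (/dev/sda2, the mapper name cryptlvm, the keyfile path and /boot/initramfs-linux*.img) and that lsinitcpio from the mkinitcpio package is available in the chroot; the /etc/default/grub content and UUID in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity checks to run inside the
# chroot before rebooting. Paths and the UUID are parameters so the pure helpers
# can be exercised on constructed files.

# Print the UUID used in cryptdevice=UUID=<uuid>:<name> on the GRUB_CMDLINE_LINUX line.
cmdline_crypt_uuid() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=\([0-9a-fA-F-]*\):.*$/\1/p' "$1"
}

# Print the mapper name the kernel command line assigns to the container (":cryptlvm").
cmdline_crypt_name() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=[0-9a-fA-F-]*:\([A-Za-z0-9_-]*\).*$/\1/p' "$1"
}

# grub can only read the kernel from the LUKS container if cryptodisk was
# enabled in /etc/default/grub before grub-install ran.
grub_cryptodisk_enabled() {
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# The embedded keyfile makes the initramfs image as sensitive as the key itself.
initramfs_is_private() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# $1 = path of /etc/default/grub, $2 = UUID blkid reports for the LUKS partition,
# $3 = mapper name the initramfs expects (vg0 sits on top of it)
check_grub_config() {
    grub_cryptodisk_enabled "$1" || { echo "GRUB_ENABLE_CRYPTODISK=y missing"; return 1; }
    [ "$(cmdline_crypt_uuid "$1")" = "$2" ] || { echo "cryptdevice UUID does not match blkid"; return 1; }
    [ "$(cmdline_crypt_name "$1")" = "$3" ] || { echo "cryptdevice name is not $3"; return 1; }
    return 0
}

# Full pre-reboot check on the real system; only meaningful inside the chroot.
preflight() {
    uuid=$(blkid -s UUID -o value /dev/sda2)
    check_grub_config /etc/default/grub "$uuid" cryptlvm || return 1
    for img in /boot/initramfs-linux*.img; do
        initramfs_is_private "$img" || { echo "$img is readable by other users (chmod 600)"; return 1; }
        # The key must be inside the image, otherwise the encrypt hook falls
        # back to prompting for the passphrase a second time.
        lsinitcpio "$img" | grep -q 'etc/cryptsetup-keys.d/cryptlvm.key' \
            || { echo "$img does not contain the keyfile"; return 1; }
    done
    echo "preflight ok"
}

# Demo on a constructed /etc/default/grub (the UUID is made up), so the helpers
# can be exercised without the real system.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=2b1fc5de-6a2c-4f41-9b7a-2c0d9f6e1a77:cryptlvm root=/dev/mapper/vg0-root cryptkey=rootfs:/etc/cryptsetup-keys.d/cryptlvm.key resume=/dev/mapper/vg0-swap"
EOF
    if check_grub_config "$f" 2b1fc5de-6a2c-4f41-9b7a-2c0d9f6e1a77 cryptlvm; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}
```

Run preflight inside the chroot after grub-mkconfig; demo only exercises the parsing helpers on the constructed file.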


5. Configure users

Create a new user and set its password.

$ useradd -m -g users -G wheel $YOUR_USER_NAME
$ passwd $YOUR_USER_NAME

Finally uncomment the line %wheel ALL=(ALL:ALL) ALL in /etc/sudoers to allow sudo for users of the group wheel. Use visudo rather than editing the file directly: it locks the file and refuses to save a syntactically broken sudoers, which would otherwise lock you out of sudo.

$ EDITOR=vim visudo

Exit from the chroot, unmount the system, shut down and remove the usb stick. You made it! Now you have a system where everything except the EFI partition is encrypted.

$ exit
$ umount -R /mnt
$ swapoff -a
$ reboot