use systemd-boot with secure boot

2023-08-14 01:47:43 -04:00
parent 675007c700
commit 29bec8fc23
1 changed files with 112 additions and 57 deletions
--- a/arch.md
+++ b/arch.md
@@ -32,6 +32,8 @@
    - [VSCode](#vscode)
  - [Apps](#apps)
  - [Bashrc](#bashrc)
+  - [Unecessary](#unecessary)
+    - [Plymouth Background Image](#plymouth-background-image)
  - [Help](#help)
    - [Update Grub](#update-grub)
    - [Downgrading Kernel](#downgrading-kernel)
@@ -47,8 +49,13 @@ Follow most of the instructions here:
 2. Verify the image
 3. Create a bootable ISO
 4. Disable secureboot (reenable later)
-5. Boot into the live image
-6. Check for network connectivity
+5. Put your machine in setup mode
+
+    On framework this is done in the UEFI setup page for Security, sub-page
+    Secure Boot, choose “Erase all Secure Boot Settings.”
+
+6. Boot into the live image
+7. Check for network connectivity

    ```bash
    # Check for internet
@@ -56,72 +63,114 @@ Follow most of the instructions here:
    ping archlinux.org
    ```

-7. `timedatectl` to update system clock
-8. Create disk partitions
+8. `timedatectl` to update system clock
+9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"

    ```bash
    fdisk -l
-    fdisk /dev/vda
+    gdisk /dev/vda
    ```

    - +1G for /boot
    - t EFI SYSTEM for /boot
    - remaining for /

-9. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
-10. `cryptsetup luksFormat /dev/vda2`
-11. `cryptsetup luksOpen /dev/vda2 root`
-12. `mkfs.btrfs /dev/mapper/root` (root partition)
-13. Mount the root partition with `mount /mnt`
-14. Mount the boot partition with `mount --mkdir /mnt/boot`
-15. `pacstrap -K /mnt base linux linux-firmware`
+10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
+11. `cryptsetup luksFormat /dev/vda2`
+12. `cryptsetup luksOpen /dev/vda2 root`
+13. `mkfs.btrfs /dev/mapper/root` (root partition)
+14. Mount the root partition with `mount /mnt`
+15. Mount the boot partition with `mount --mkdir /mnt/boot`
+16. `pacstrap -K /mnt base linux linux-firmware`

    Note: linux-zen works, linux-hardened breaks appimages

-16. `genfstab -U /mnt >> /mnt/etc/fstab`
-17. `arch-chroot /mnt`
-18. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
-19. `hwclock --systohc`
-20. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
-21. `echo 'KEYMAP=us' > /etc/vconsole.conf`
-22. `echo 'hostname' > /etc/hostname`
-23. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion grub`
-24. `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=BOOT` (this will fail)
-25. Note: for some systems you'll have to move grubx64.efi into an expected location:
-
-    ```bash
-    cp /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/bootx64.efi
-    ```
-
-26. Edit /etc/default/grub
-
-    ```conf
-    GRUB_CMDLINE_LINUX="quiet splash rd.luks.uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
-    GRUB_ENABLE_CRYPTODISK=y
-    GRUB_DISABLE_SUBMENU=y
-    GRUB_DEFAULT=saved
-    GRUB_SAVEDEFAULT=true
-    ```
-
-27. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
+17. `genfstab -U /mnt >> /mnt/etc/fstab`
+18. `arch-chroot /mnt`
+19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
+20. `hwclock --systohc`
+21. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
+22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
+23. `echo 'hostname' > /etc/hostname`
+24. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs`
+25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt

    ```conf
    HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
    ```

-28. `mkinitcpio -P`
-29. `grub-mkconfig -o /boot/grub/grub.cfg`
-30. `sudo systemctl enable gdm`
-31. `useradd ducoterra`
-32. `passwd ducoterra`
-33. `groupadd sudo`
-34. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
-35. `usermod -aG sudo ducoterra`
-36. `usermod -aG wheel ducoterra`
-37. `mkdir /home/ducoterra`
-38. `chown ducoterra:ducoterra /home/ducoterra`
-39. `exit`
-40. `reboot`
+26. `mkinitcpio -P`
+27. Install systemd-boot
+
+    https://wiki.archlinux.org/title/systemd-boot
+
+    ```bash
+    bootctl install
+    ```
+
+28. edit your loader.conf with some defaults
+
+    /boot/loader/loader.conf
+
+    ```conf
+    default  arch.conf
+    timeout  4
+    console-mode max
+    editor   no
+    ```
+
+29. Create a loader (/usr/share/systemd/bootctl/loader.conf)
+
+    /boot/loader/entries/arch.conf
+
+    ```conf
+    title   Arch Linux
+    linux   /vmlinuz-linux
+    initrd  /initramfs-linux.img
+    options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
+    ```
+
+30. Add a pacman hook for systemd-boot updates
+
+    /etc/pacman.d/hooks/95-systemd-boot.hook
+
+    ```conf
+    [Trigger]
+    Type = Package
+    Operation = Upgrade
+    Target = systemd
+
+    [Action]
+    Description = Gracefully upgrading systemd-boot...
+    When = PostTransaction
+    Exec = /usr/bin/systemctl restart systemd-boot-update.service
+    ```
+
+31. `cd /root/`
+32. `pacman -S efitools`
+33. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
+34. `pacman -S sbctl`
+35. `sbctl create-keys`
+36. `sbctl enroll-keys -m`
+37. `sbctl status`
+38. `sbctl verify`
+39. `sbctl sign -s /boot/vmlinuz-linux`
+40. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
+41. `sbctl status`
+42. `sudo systemctl enable gdm`
+43. `useradd ducoterra`
+44. `passwd ducoterra`
+45. `groupadd sudo`
+46. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
+47. `usermod -aG sudo ducoterra`
+48. `usermod -aG wheel ducoterra`
+49. `mkdir /home/ducoterra`
+50. `chown ducoterra:ducoterra /home/ducoterra`
+51. `exit`
+52. `reboot`
+
+Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
+There is a pacman hook which will automatically sign new binaries on update.

 ## Post Install

@@ -151,7 +200,7 @@ vainfo
 AMD

 ```bash
-sudo pacman -S libva-utils libva-mesa-driver mesa-vdpau
+sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
 ```

 ### Firewall
@@ -364,10 +413,7 @@ sudo pacman -S firefox gnome-browser-connector
 1. Install virtualization capabilties

    ```bash
-    sudo pacman -S qemu-full
-    sudo pacman -S libvirt
-    sudo pacman -S iptables-nft dnsmasq
-    sudo pacman -S virt-manager qemu-desktop
+    sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm
    sudo usermod -aG libvirt ducoterra
    sudo virsh net-autostart default
    ```
@@ -435,11 +481,13 @@ Include = /etc/pacman.d/mirrorlist
 ```

 ```bash
-sudo pacman -S steam
+sudo pacman -S steam steam-native
 ```

 When prompted, use vulkan-radeon

+`steam-native` allows vaapi hardware encoding for steam remote play.
+
 ### XWayland

 Provides compatibility with X server applications (like wine)
@@ -812,6 +860,13 @@ alias lsc='find . -type f | wc -l'
 alias lmt='ls -t -1'
 ```

+## Unecessary
+
+### Plymouth Background Image
+
+1. `sudo cp image.png /usr/share/plymouth/themes/spinner/background-tile.png`
+1. `sudo plymouth-set-default-theme -R spinner`
+
 ## Help

 ### Update Grub