use systemd-boot with secure boot

This commit is contained in:
ducoterra
2023-08-14 01:47:43 -04:00
parent 675007c700
commit 29bec8fc23

arch.md

@@ -32,6 +32,8 @@
- [VSCode](#vscode) - [VSCode](#vscode)
- [Apps](#apps) - [Apps](#apps)
- [Bashrc](#bashrc) - [Bashrc](#bashrc)
- [Unecessary](#unecessary)
- [Plymouth Background Image](#plymouth-background-image)
- [Help](#help) - [Help](#help)
- [Update Grub](#update-grub) - [Update Grub](#update-grub)
- [Downgrading Kernel](#downgrading-kernel) - [Downgrading Kernel](#downgrading-kernel)
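Review bot: the new `#unecessary` anchor only resolves because the heading added in the last hunk carries the same misspelling ("## Unecessary"); if either side is corrected to "Unnecessary" the other must change with it, so fix both together in this change rather than leaving a typo that a later cleanup will break the link on.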
@@ -47,8 +49,13 @@ Follow most of the instructions here:
2. Verify the image 2. Verify the image
3. Create a bootable ISO 3. Create a bootable ISO
4. Disable secureboot (reenable later) 4. Disable secureboot (reenable later)
5. Boot into the live image 5. Put your machine in setup mode
6. Check for network connectivity
On framework this is done in the UEFI setup page for Security, sub-page
Secure Boot, choose “Erase all Secure Boot Settings.”
6. Boot into the live image
7. Check for network connectivity
```bash ```bash
# Check for internet # Check for internet
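Review bot: step 5 ("Erase all Secure Boot Settings") wipes the firmware's PK/KEK/db/dbx before the `efi-readvar -v $var -o old_${var}.esl` backup this change adds much later (step 33), so that backup records the post-erase state, not the OEM keys it is presumably meant to preserve. Either run the `efitools` backup from the live ISO before the erase, or drop it. Also indent the two "On framework this is done ..." lines under step 5 so they render as that item's continuation instead of splitting the numbered list between 5 and 6.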
@@ -56,72 +63,114 @@ Follow most of the instructions here:
ping archlinux.org ping archlinux.org
``` ```
7. `timedatectl` to update system clock 8. `timedatectl` to update system clock
8. Create disk partitions 9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash ```bash
fdisk -l fdisk -l
fdisk /dev/vda gdisk /dev/vda
``` ```
- +1G for /boot - +1G for /boot
- t EFI SYSTEM for /boot - t EFI SYSTEM for /boot
- remaining for / - remaining for /
9. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition) 10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
10. `cryptsetup luksFormat /dev/vda2` 11. `cryptsetup luksFormat /dev/vda2`
11. `cryptsetup luksOpen /dev/vda2 root` 12. `cryptsetup luksOpen /dev/vda2 root`
12. `mkfs.btrfs /dev/mapper/root` (root partition) 13. `mkfs.btrfs /dev/mapper/root` (root partition)
13. Mount the root partition with `mount /mnt` 14. Mount the root partition with `mount /mnt`
14. Mount the boot partition with `mount --mkdir /mnt/boot` 15. Mount the boot partition with `mount --mkdir /mnt/boot`
15. `pacstrap -K /mnt base linux linux-firmware` 16. `pacstrap -K /mnt base linux linux-firmware`
Note: linux-zen works, linux-hardened breaks appimages Note: linux-zen works, linux-hardened breaks appimages
16. `genfstab -U /mnt >> /mnt/etc/fstab` 17. `genfstab -U /mnt >> /mnt/etc/fstab`
17. `arch-chroot /mnt` 18. `arch-chroot /mnt`
18. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime` 19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
19. `hwclock --systohc` 20. `hwclock --systohc`
20. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf` 21. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
21. `echo 'KEYMAP=us' > /etc/vconsole.conf` 22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
22. `echo 'hostname' > /etc/hostname` 23. `echo 'hostname' > /etc/hostname`
23. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion grub` 24. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs`
24. `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=BOOT` (this will fail) 25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
25. Note: for some systems you'll have to move grubx64.efi into an expected location:
```bash
cp /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/bootx64.efi
```
26. Edit /etc/default/grub
```conf
GRUB_CMDLINE_LINUX="quiet splash rd.luks.uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_SUBMENU=y
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
```
27. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
```conf ```conf
HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck) HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
``` ```
28. `mkinitcpio -P` 26. `mkinitcpio -P`
29. `grub-mkconfig -o /boot/grub/grub.cfg` 27. Install systemd-boot
30. `sudo systemctl enable gdm`
31. `useradd ducoterra` https://wiki.archlinux.org/title/systemd-boot
32. `passwd ducoterra`
33. `groupadd sudo` ```bash
34. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege bootctl install
35. `usermod -aG sudo ducoterra` ```
36. `usermod -aG wheel ducoterra`
37. `mkdir /home/ducoterra` 28. edit your loader.conf with some defaults
38. `chown ducoterra:ducoterra /home/ducoterra`
39. `exit` /boot/loader/loader.conf
40. `reboot`
```conf
default arch.conf
timeout 4
console-mode max
editor no
```
29. Create a loader (/usr/share/systemd/bootctl/loader.conf)
/boot/loader/entries/arch.conf
```conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
```
30. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook
```conf
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service
```
31. `cd /root/`
32. `pacman -S efitools`
33. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
34. `pacman -S sbctl`
35. `sbctl create-keys`
36. `sbctl enroll-keys -m`
37. `sbctl status`
38. `sbctl verify`
39. `sbctl sign -s /boot/vmlinuz-linux`
40. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
41. `sbctl status`
42. `sudo systemctl enable gdm`
43. `useradd ducoterra`
44. `passwd ducoterra`
45. `groupadd sudo`
46. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
47. `usermod -aG sudo ducoterra`
48. `usermod -aG wheel ducoterra`
49. `mkdir /home/ducoterra`
50. `chown ducoterra:ducoterra /home/ducoterra`
51. `exit`
52. `reboot`
Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
There is a pacman hook which will automatically sign new binaries on update.
## Post Install ## Post Install
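Review bot: steps 39-40 sign only `/boot/vmlinuz-linux` and the fallback `/boot/EFI/BOOT/BOOTX64.EFI`, which leaves two things unverified at boot: `/boot/EFI/systemd/systemd-bootx64.efi`, the copy that `bootctl install` registers as the "Linux Boot Manager" NVRAM entry, and `/initramfs-linux.img` together with the `options` line in arch.conf, both of which systemd-boot loads from the unencrypted ESP with no signature check (`editor no` only blocks interactive edits, not a modified file). Sign the systemd copy as well, or better, let mkinitcpio build a unified kernel image (`default_uki=` in the preset, cmdline in `/etc/kernel/cmdline`) so kernel, initramfs and cmdline become one signed PE, and run `sbctl verify` after signing rather than at step 38, where it can only report every file as unsigned. Minor: `tpm2-tss` is added to the pacman line but nothing in the hunk uses the TPM, and the `/usr/share/systemd/bootctl/loader.conf` template path on step 29 belongs with step 28's loader.conf, not with arch.conf.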
@@ -151,7 +200,7 @@ vainfo
AMD AMD
```bash ```bash
sudo pacman -S libva-utils libva-mesa-driver mesa-vdpau sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
``` ```
### Firewall ### Firewall
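Review bot: the AMD line swaps `mesa-vdpau` for `vulkan-radeon` and `xf86-video-amdgpu` without saying why; `xf86-video-amdgpu` is the Xorg DDX and is unused in the GNOME Wayland session this guide installs (the kernel amdgpu KMS driver plus Mesa cover it), and dropping `mesa-vdpau` removes VDPAU decode for any application that prefers it over the VA-API path `vainfo` checks above. Keep `vulkan-radeon` (the Steam step later relies on it) and add a sentence on the other two.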
@@ -364,10 +413,7 @@ sudo pacman -S firefox gnome-browser-connector
1. Install virtualization capabilties 1. Install virtualization capabilties
```bash ```bash
sudo pacman -S qemu-full sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm
sudo pacman -S libvirt
sudo pacman -S iptables-nft dnsmasq
sudo pacman -S virt-manager qemu-desktop
sudo usermod -aG libvirt ducoterra sudo usermod -aG libvirt ducoterra
sudo virsh net-autostart default sudo virsh net-autostart default
``` ```
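Review bot: `qemu-full` already pulls in `qemu-desktop`, so listing both on the merged `pacman -S` line is redundant; and `virsh net-autostart default` needs libvirtd running, so put `sudo systemctl enable --now libvirtd` before it unless that is done elsewhere in this section. `iptables-nft` also conflicts with `iptables`, so pacman will prompt to replace it; a sentence warning the reader to accept that prompt would help.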
@@ -435,11 +481,13 @@ Include = /etc/pacman.d/mirrorlist
``` ```
```bash ```bash
sudo pacman -S steam sudo pacman -S steam steam-native
``` ```
When prompted, use vulkan-radeon When prompted, use vulkan-radeon
`steam-native` allows vaapi hardware encoding for steam remote play.
### XWayland ### XWayland
Provides compatibility with X server applications (like wine) Provides compatibility with X server applications (like wine)
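Review bot: `pacman -S steam steam-native` will most likely fail, because the multilib package that provides the `steam-native` launcher is named `steam-native-runtime` (please verify against the current repo before merging). The note below should also say that `steam-native` is a separate launcher command, not an option to `steam`.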
@@ -812,6 +860,13 @@ alias lsc='find . -type f | wc -l'
alias lmt='ls -t -1' alias lmt='ls -t -1'
``` ```
## Unecessary
### Plymouth Background Image
1. `sudo cp image.png /usr/share/plymouth/themes/spinner/background-tile.png`
1. `sudo plymouth-set-default-theme -R spinner`
## Help ## Help
### Update Grub ### Update Grub
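Review bot: the new heading is misspelled ("Unecessary"; the TOC anchor in the first hunk must change with it), and step 1 copies `image.png` over `background-tile.png`, a file owned by the `plymouth` package, so the next `plymouth` upgrade silently reverts the custom image; say so, or point the reader at a copied theme directory instead. Worth noting too that `plymouth-set-default-theme -R` regenerates the initramfs, which interacts with the Secure Boot steps above only because the initramfs is not among the signed files there.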