install booting
@@ -1,6 +1,6 @@
+++
date = '2025-12-19T22:51:02-07:00'
draft = true
draft = false
title = 'Lenovo Slim'
tags = ['install', 'guide']
+++
@@ -15,7 +15,8 @@ Windows is not my favorite and with the new push for fancy pattern matching engi
- Follow the [Arch Linux Install Guide](https://wiki.archlinux.org/title/Installation_guide)
- I deleted all partitions except the EFI and have one encrypted partition with btrfs and several subvolumes. Swap will be in a file.
` partition 1 -> EFI
```
partition 1 -> EFI
partition 2 -> LUKS encryption
btrfs:
@ -> /
@@ -23,27 +24,43 @@ Windows is not my favorite and with the new push for fancy pattern matching engi
@varlog -> /var/log
@paccache -> /var/cache/pacman
@dockerroot -> /var/docker
`
```
We use [dm-crypt](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) to encrypt the partition first, then make the filesystem and subvolumes.
## Getting a bootable system
`
With the usb live environment we want to do the minimal necessary to get a bootable system. This means setting up disk encryption, mounts, basic software, and a root password. We'll worry about userspace apps and pretty stuff once we're booted into the permanent system. Disk encryption will use [dm-crypt](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) to encrypt the partition first, then make the filesystem and subvolumes.
```
crytpsetup -v luksFormat --label *cryptname* /dev/sda2
cryptsetup open /dev/sda2 sdacrypt
`
```
Once the encrypted partition is open we want to run the following once to set some options that will be applied everytime the partition is opened. These options are described here [dm-crypt/Specialties](https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD))
```
cryptsetup --allow-discards --perf-no_read_workqueue \
--perf-no_write-workqueue --persistant refresh sdacrypt
```
check that they were applied using
```
cryptsetup luksDump /dev/sda2
Flags: allow-discards no-read-workqueue no-write-workqueue
```
Create the filesystem and subvols
`
```
mkfs.btrfs -L realroot /dev/sda2
mount /dev/sda2 /mnt
btrfs subvol create @ # repeat for all desired subvolumes
umount /mnt
`
```
mount the root subvol, create the mountpoints and mount everything else
`
```
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/sda2 /mnt
mkdir /mnt/boot
mkdir /mnt/home
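Review bot: `mkfs.btrfs -L realroot /dev/sda2` and the `mount ... /dev/sda2` lines that follow target the raw LUKS partition, but the container was opened as `sdacrypt` a few lines earlier; formatting `/dev/sda2` directly would overwrite the LUKS header, so every one of these should use the mapped device, e.g. `mkfs.btrfs -L realroot /dev/mapper/sdacrypt` and `mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/sdacrypt /mnt`. Further problems in this hunk: `crytpsetup` is misspelled (`cryptsetup`); `--perf-no_write-workqueue --persistant` should read `--perf-no_write_workqueue --persistent` or the refresh will fail; `btrfs subvol create @` needs a path inside the mounted filesystem (`btrfs subvolume create /mnt/@`); the layout names the subvolume `@dockerroot` while the mount line uses `subvol=@docker`; and the `*cryptname*` emphasis does not render inside a code fence, so use a plain placeholder. Minor: "everytime" should be "every time".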
@@ -55,31 +72,31 @@ mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@varlo
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@paccache /dev/sda2 /mnt/var/cache/pacman
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@docker /dev/sda2 /mnt/var/docker
mount /dev/sda1 /mnt/boot
`
```
install the base system and required packages to boot
install the base system and required packages to boot and get network up
`
pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi
`
```
pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f
```
Configure the system and chroot
`
```
gentfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/Denver /etc/location
hwclock --systohc
`
```
Edit locale.gen and uncomment the US english lines
create locale.conf and add
`
```
LANG="en_US.UTF-8"
LC_COLLATE="C"
`
```
- Run locale-gen
- Set the hosname in /etc/hostname
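Review bot: `gentfstab -U /mnt >> /mnt/etc/fstab` is misspelled and will not run; the tool is `genfstab`. The line `ln -sf /usr/share/zoneinfo/America/Denver /etc/location` also points at the wrong file: the timezone symlink must be `/etc/localtime`, which the `hwclock --systohc` on the next line depends on, so it should read `ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime`. Prose typos in this hunk: "hosname" (hostname), "US english" (US English).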
@@ -89,28 +106,64 @@ I like using a unified kernel instead of a bootloader where possible. With this
Add to the hooks for dealing with encryption to mkinitcpio.conf:
`
```
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
`
```
create a file called crypt.conf in /etc/cmd and add(UUID and cryptname need to match luksDump):
create a file called `/etc/crypttab.initramfs` (UUID and cryptname need to match luksDump):
`
rd.luks.name=UUID=root root=/dev/mapper/cryptname
`
create a file called root.conf in /etc/cmd and add(cryptname must match cryptname in crypt.conf):
`cryptname UUID=UUID none password-echo=no`
`
create a file called root.conf in /etc/cmd and add(cryptname must match cryptname in crypttab.initramfs):
```
root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@
`
```
edit /etc/mkinitcpio.d/linux.preset and comment out `PRESET_image` and uncomment `PRESET_uki`. Change the dir part of uki to match the path to the EFI directory ie `/boot/EFI/Linux`. make the Linux dir in the EFI path. Then recreate the image with:
`
mkinitcpio -p linux
`
`mkinitcpio -p linux`
Set the root password using `passwd` then reboot.
Upon rebooting we're going to finish setting up the system, see here for more recommendations [General recommendations](https://wiki.archlinux.org/title/General_recommendations). For our uses we need to:
- add a user, set password, add to sudoers file
- enroll yubikey or other fido2 device into the luks partition
- intall our window manager and user programs and tools
- set the root password to a long random string(test sudo works first)
- install our user environment eg dotfiles and associated tooling
- setup fido2 login
## Add a user
Never run daily as root, just don't. We add the user, create a home, add groups using
```
useradd -m -G wheel myuser
passwd myuser
```
Edit the sudoers file and uncomment the line %wheel line then logout, login as the new user and make sure sudo works, ie sudo pacman -Syu
```
visudo
%wheel ALL=(ALL:ALL) ALL
```
## Decrypting with a FIDO2 hardware token
Why, cause I can and it's way better security wise than a password that's easy to rememeber and easy to type. The process has been made pretty easy [Unlocking LUKS2](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html) and [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll#FIDO2_tokens). First we have to enroll the device then edit crypttab.initramfs and tell the boot process to ask for the device instead of a password.
```
sudo systemd-cryptenroll /dev/sda2 --fido2-device=auto
cryptname UUID=UUID none password-echo=no,fido2-device=auto
```
Reboot and see if it works.
## Install user environment and niceties
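Review bot: the rename to `/etc/crypttab.initramfs` is correct, but the kernel command line is still placed in `/etc/cmd` (`create a file called root.conf in /etc/cmd`); mkinitcpio's UKI build reads command-line drop-ins from `/etc/cmdline.d/*.conf`, so a file at `/etc/cmd/root.conf` would be ignored and the image would boot without `root=/dev/mapper/cryptname`. Either change the path to `/etc/cmdline.d/root.conf` or say why `/etc/cmd` is used. In the FIDO2 section, the fence mixes a shell command with a crypttab line; split them, and add a sentence that `systemd-cryptenroll` only adds a key slot, so the passphrase set at `luksFormat` still unlocks the volume if the token is missing (`cryptsetup luksDump /dev/sda2` shows both slots), which is the expected fallback rather than a sign the enrollment failed. Prose typos: "intall", "rememeber", "cause" (because), "uncomment the line %wheel line", and "string(test" needs a space before the parenthesis.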