ewpt3ch/blog.ewpt3ch.dev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
31c445793fa33b3782863128cfda25132a12fb88
blog.ewpt3ch.dev/content/posts/Lenovo-slim.md
T
Eric Phillips 31c445793f install booting
2025-12-22 23:15:45 -07:00

170 lines
6.6 KiB
Markdown
Raw Blame History

+++
date = '2025-12-19T22:51:02-07:00'
draft = false
title = 'Lenovo Slim'
tags = ['install', 'guide']
+++
## Getting rid of Windows
Windows is not my favorite and with the new push for fancy pattern matching engines that we call 'ai'I'm even less fond. My old yoga2 pro was getting long in the tooth and Sarah's is not doign well with the increased load from Windows so we got new laptops, Costco had a sale. First things first, how do we get rid of Windows on this Lenovo Ideapad Slim.
- Get into UEFI by holding F2 at poweron
- turn off secure boot, and some other windows only options
- boot into a live usb, I've had great luck with [Ventoy](https://www.ventoy.net/en/doc_start.html)
- Follow the [Arch Linux Install Guide](https://wiki.archlinux.org/title/Installation_guide)
- I deleted all partitions except the EFI and have one encrypted partition with btrfs and several subvolumes. Swap will be in a file.
```
partition 1 -> EFI
partition 2 -> LUKS encryption
btrfs:
@ -> /
@home -> /home
@varlog -> /var/log
@paccache -> /var/cache/pacman
@dockerroot -> /var/docker
```
## Getting a bootable system
With the usb live environment we want to do the minimal necessary to get a bootable system. This means setting up disk encryption, mounts, basic software, and a root password. We'll worry about userspace apps and pretty stuff once we're booted into the permanent system. Disk encryption will use [dm-crypt](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) to encrypt the partition first, then make the filesystem and subvolumes.
```
crytpsetup -v luksFormat --label *cryptname* /dev/sda2
cryptsetup open /dev/sda2 sdacrypt
```
Once the encrypted partition is open we want to run the following once to set some options that will be applied everytime the partition is opened. These options are described here [dm-crypt/Specialties](https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD))
```
cryptsetup --allow-discards --perf-no_read_workqueue \
--perf-no_write-workqueue --persistant refresh sdacrypt
```
check that they were applied using
```
cryptsetup luksDump /dev/sda2
Flags: allow-discards no-read-workqueue no-write-workqueue
```
Create the filesystem and subvols
```
mkfs.btrfs -L realroot /dev/sda2
mount /dev/sda2 /mnt
btrfs subvol create @ # repeat for all desired subvolumes
umount /mnt
```
mount the root subvol, create the mountpoints and mount everything else
```
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/sda2 /mnt
mkdir /mnt/boot
mkdir /mnt/home
mkdir -p /mnt/var/log
mkdir -p /mnt/var/cache/pacman
mkdir /var/docker
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@home /dev/sda2 /mnt/home
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@varlog /dev/sda2 /mnt/var/log
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@paccache /dev/sda2 /mnt/var/cache/pacman
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@docker /dev/sda2 /mnt/var/docker
mount /dev/sda1 /mnt/boot
```
install the base system and required packages to boot and get network up
```
pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f
```
Configure the system and chroot
```
gentfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/Denver /etc/location
hwclock --systohc
```
Edit locale.gen and uncomment the US english lines
create locale.conf and add
```
LANG="en_US.UTF-8"
LC_COLLATE="C"
```
- Run locale-gen
- Set the hosname in /etc/hostname
- enable systemd-resolved and systemd-networkd, ln -s the appropriate network example into systemd/network.
I like using a unified kernel instead of a bootloader where possible. With this in mind and the encrypted root we need to edit mkinitcpio.conf and the preset. See [Encrypting the entire filesystem](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) for details related to the encryption. See [Unified kernel image](https://wiki.archlinux.org/title/Unified_kernel_image) for details on booting the kernel directly.
Add to the hooks for dealing with encryption to mkinitcpio.conf:
```
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
```
create a file called `/etc/crypttab.initramfs` (UUID and cryptname need to match luksDump):
`cryptname UUID=UUID none password-echo=no`
create a file called root.conf in /etc/cmd and add(cryptname must match cryptname in crypttab.initramfs):
```
root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@
```
edit /etc/mkinitcpio.d/linux.preset and comment out `PRESET_image` and uncomment `PRESET_uki`. Change the dir part of uki to match the path to the EFI directory ie `/boot/EFI/Linux`. make the Linux dir in the EFI path. Then recreate the image with:
`mkinitcpio -p linux`
Set the root password using `passwd` then reboot.
Upon rebooting we're going to finish setting up the system, see here for more recommendations [General recommendations](https://wiki.archlinux.org/title/General_recommendations). For our uses we need to:
- add a user, set password, add to sudoers file
- enroll yubikey or other fido2 device into the luks partition
- intall our window manager and user programs and tools
- set the root password to a long random string(test sudo works first)
- install our user environment eg dotfiles and associated tooling
- setup fido2 login
## Add a user
Never run daily as root, just don't. We add the user, create a home, add groups using
```
useradd -m -G wheel myuser
passwd myuser
```
Edit the sudoers file and uncomment the line %wheel line then logout, login as the new user and make sure sudo works, ie sudo pacman -Syu
```
visudo
%wheel ALL=(ALL:ALL) ALL
```
## Decrypting with a FIDO2 hardware token
Why, cause I can and it's way better security wise than a password that's easy to rememeber and easy to type. The process has been made pretty easy [Unlocking LUKS2](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html) and [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll#FIDO2_tokens). First we have to enroll the device then edit crypttab.initramfs and tell the boot process to ask for the device instead of a password.
```
sudo systemd-cryptenroll /dev/sda2 --fido2-device=auto
cryptname UUID=UUID none password-echo=no,fido2-device=auto
```
Reboot and see if it works.
## Install user environment and niceties
Reference in New Issue View Git Blame Copy Permalink