Ir al contenido principal

Arch install with full disk encryption on libreboot

These notes reflect process of installing Arch linux on x200 ThinkPad with LibreBoot v. 20160907 and full disk encryption. "Full" means full, as disk is initially decrypted with LB, and if default named logical volumes are found, boot process is handled to OS grub and then process follows more or less as usual. We use default LB naming for logical volumes, you can modify those and reflash LB.

Steps are based on:

Prepare Arch USB pendrive
  • Download arch image (refered as "arch.iso")
  • Plug your USB drive and check for its location (dmesg and lsblk)
  • Burn arch.iso on your USB drive with your preferred method (for example cat arch.iso > /dev/sdX. Warning : this is destructive for all the data you have on your /dev/sdX so be sure to replace sdX with correct denominator).
Boot from live USB

Plug the Live USB and power up your ThinkPad. Be fast in LB menu, arrow pressing is enough to get its attention. Try any of USB options, in my case "isolinux" on USB worked. With certain sticks/OSs neither of USB menu options worked, in this case check another pendrive / another OS version.

Underneath steps were tested to work with recent Arch and TalkingParabola sticks (with respective variations on packages names).

Install

Initial setup
  • loadkeys es # Replace es with your keyboard layout, check available options with ls -l /usr/share/kbd/keymaps/*/*.map.gz
  • /bin/bash # Optative, you can stick with zsh, too.
  • iwctl # Interactive mode - use Tab key to autocomplete :
    • station wlanX scan
    • station wlanX connect MY_WIFI_123
    • station wlanX show # And put your password
  • timedatectl set-ntp true
Format hard drive
  • Check for path of your hard drive with lsblk (From now on, /dev/sdY refers to it, make sure to use correct device path).
  • head -c 3145728 /dev/urandom > /dev/sdY; sync # Clean previous partitioning and Luks headers
  • modprobe dm_mod # Make sure device mapper kernel module is loaded
  • fdisk /dev/sdY
    • o # Create a new empty dos partition table
    • n # Create a new partition
    • p # Primary one
    • Enter # Default partition number "1"
    • Enter # Default starting point
    • Enter # Default end partition at the end of the disk
    • w # Write
cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool \
--iter-time 500 --use-random --verify-passphrase --type luks1 luksFormat /dev/sdY1

You can change those parameters, but certain other options seem not to be recognised by LB.

  • cryptsetup luksOpen /dev/sdY1 lvm
Create Logical Volumes

I like to have my /var on a separate partition, but you can skip that (sticking to official guide) or put any partition layout you fancy, adapting the following steps, as you needest.

  • pvcreate /dev/mapper/lvm # Create a physical volume
  • pvdisplay # Check it
  • vgcreate matrix /dev/mapper/lvm # Create a volume group
  • vgdisplay # Check it
  • lvcreate -L 2G matrix -n swapvol # Create logical volume for swap
  • lvcreate -L 10G matrix -n varvol # Create logical volume for /var
  • lvcreate -l +100%FREE matrix -n rootvol # Create logical root volume
  • lvdisplay # Check it
Create filesystems
  • mkswap /dev/matrix/swapvol
  • swapon /dev/matrix/swapvol

Remember, we do not mount swap.

  • mkfs.ext4 /dev/matrix/rootvol
  • mkfs.ext4 /dev/matrix/varvol

  • mount /dev/matrix/rootvol /mnt # You can change /mnt for any mountpoint you wish, adapting the following steps.

  • mkdir /mnt/var
  • mount /dev/matrix/varvol /mnt/var
Install Arch
  • pacstrap /mnt reflector # Easy way to setup pacman repos
  • pacstrap /mnt base base-devel linux linux-firmware linux-lts lvm2 grub mkinitcpio # Bootstrap base system and necessary packages
  • pacstrap /mnt iwd wpa_supplicant man-db dhcp-client vim # Optative. You can install your preferred utils, but remember not to expect any editor nor network utils on the system by default.

  • genfstab -U /mnt >> /mnt/etc/fstab # Create fstab entry corresponding to created (logical) partitions.

Chroot and setup your Arch

  • arch-chroot /mnt
  • ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime # Choose yours
  • hwclock --systohc
  • vim /etc/locale.gen
  • locale-gen
  • vim /etc/locale.conf
  • echo "127.0.0.1 localhost" >> /etc/hosts # Minimal setup, I later put long list of domains to be blocked here.
  • echo ArchLB > /etc/hostname # Choose your hostname
  • vim /etc/mkinitcpio.conf # Make sure to include the following options:
    MODULES="i915"
    HOOKS=(base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown)
  • vim /etc/vconsole.conf # Change "es" to your keyboard layout. "eurlatgr" should be fine for more standardised scriptures.
    KEYMAP=es
    FONT=eurlatgr
Grub
  • vim /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:lvm"

↑ To insert the UUID of your hard drive, in vim you can run the command :r!blkid /dev/sdY1 and trim the output.

GRUB_ENABLE_CRYPTODISK=y

↑ This will be necessary when LB handles boot process to your OS grub and this will have to decrypt the disk again.
:wq

  • mkinitcpio -P
  • grub-install --recheck /dev/sdY # Not the partition
  • grub-mkconfig -o /boot/grub/grub.cfg
  • mkinitcpio -P # Rebuild presets, just in case...
Extra set-ups
  • passwd # Set root password
  • useradd -m -G wheel snoopie # Add a user
  • passwd snoopie # Set user's password
  • systemctl enable iwd
  • systemctl enable dhcpd
  • you may want to use a keyfile not to have to enter your Luks password twice, remember to chmod 000 it.
Optionally install DE + DM
  • pacman -S xfce4 lxdm xfce4-goodies
  • localectl set-x11-keymap es
  • pacman -S ttf-dejavu gnu-free-fonts ttf-linux-libertine ttf-fira-code ttf-fira-mono # Install your preferred fonts
  • pacman -S lshw gvfs ntfs-3g rsync openssh tmux alsa-utils lynx pass gobby mumble falkon claws-mail # Install your preferred utils

Reboot

  • exit # exit chroot
  • umount -R /mnt
  • swapoff -a
  • lvchange -an /dev/matrix/rootvol
  • lvchange -an /dev/matrix/varvol
  • lvchange -an /dev/matrix/swapvol
  • cryptsetup luksClose lvm
  • poweroff

Remove Arch pendrive, power on your ThinkPad.

For Parabola instalation, the steps are quite alike, use "linux-libre" kernel and you may need to synchronise your parabola keyring with pacman -Syy archlinux-keyring parabola-keyring and pacman-key --populate archlinux parabola.