Documentation written to get Arch booting with UKI, using an encrypted BTRFS automatically detected by systemd.
- Load keyboard layout: `loadkeys br-abnt2` or `loadkeys us-intl`.
- Connect to the network:
  - Ethernet should just work.
  - WiFi needs to be set up with `iwctl`:
    - Get the device with `device list`. It should be `Powered on`.
    - Scan with `station $(DEV) scan`.
    - Fetch the list of networks with `station $(DEV) get-networks`.
    - Connect with `station $(DEV) connect $(SSID)`.
- Ping any page with `ping` to check if the network is working.
- Check if the time is accurate: `timedatectl`.
- Use `gdisk` to create two partitions:
  - ESP: 512MB (GUID: EF00)
  - System: remaining space (GUID: 8304)
- Format the EFI partition with `mkfs.vfat -F32`.
- Create the encrypted system partition: `cryptsetup luksFormat`.
- Open the encrypted system partition: `cryptsetup open /dev/$(part) root`.
- SSD performance tweaks, disable the workqueues and allow discards: `cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --allow-discards --persistent refresh root`. Note that `--allow-discards` passes TRIM through the encryption layer, so which blocks are unused becomes visible to anyone inspecting the raw disk; the cryptsetup manual documents this trade-off.
- Format the device: `mkfs.btrfs -L system /dev/mapper/root`.
The following setup was designed for a personal machine, which shouldn't be running anything worthwhile in `/srv` or using `/root`. Otherwise, follow openSUSE's layout instead. Swap is documented below for convenience; zram can be used instead.

- Create subvolumes for root, home, swapfile and var, and a snapshot subvolume for root:
  - `/` -> `@root`
  - `/home` -> `@home`
  - `/swap` -> `@swap`
  - `/var` -> `@var`
  - `@root-snapshots`, to be configured later.
- Mount `/dev/mapper/root` to `/mnt`: `mount -o compress=zstd /dev/mapper/root /mnt`.
- Run `btrfs subvolume create /mnt/$(VOL)` for each volume defined previously.
- Run `umount /mnt`.
- Mount the `@root` subvolume in `/mnt`: `mount -o compress=zstd,subvol=@root /dev/mapper/root /mnt`.
- Create folders in `/mnt` for each subvolume.
- Create the folder `efi` in `/mnt` for the EFI partition and mount it.
- Mount each subvolume. `@var` and `@swap` should have CoW disabled.
  - No CoW: `mount -o nodatacow,subvol=@xxx /dev/mapper/root /mnt/xxx`.
  - Compression: `mount -o compress=zstd,subvol=@xxx /dev/mapper/root /mnt/xxx`.
- SWAP: After mounting `@swap`, run `btrfs filesystem mkswapfile --size $(SWAP_SIZE)g --uuid clear /mnt/swap/swapfile` and then `swapon /mnt/swap/swapfile`.
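The subvolume and mount steps above as one script, added here as an example and not part of the original notes. It assumes the device and mount point are given on the command line, applies the nodatacow rule to `@var` and `@swap`, and with `DRY_RUN=1` only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original notes: create the subvolume layout
# described above and mount it with the per-subvolume options.
# Usage: sh btrfs-layout.sh /dev/mapper/root /mnt   (DRY_RUN=1 only prints commands;
# SWAP_SIZE=<GiB> also creates the swapfile)

# Subvolumes that get nodatacow instead of zstd compression, as in the notes.
NOCOW_SUBVOLS="@var @swap"
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
# Mount options for one subvolume.
mount_opts() {
    for v in $NOCOW_SUBVOLS; do
        [ "$1" = "$v" ] && { echo "nodatacow,subvol=$1"; return; }
    done
    echo "compress=zstd,subvol=$1"
}

setup_layout() {
    dev=$1; mnt=$2
    # 1. Mount the top-level volume, create the subvolumes, unmount.
    run mount -o compress=zstd "$dev" "$mnt"
    for v in @root @home @swap @var @root-snapshots; do
        run btrfs subvolume create "$mnt/$v"
    done
    run umount "$mnt"
    # 2. Mount @root first, then each other subvolume in its folder under it.
    run mount -o "$(mount_opts @root)" "$dev" "$mnt"
    for v in @home @swap @var; do
        d="$mnt/${v#@}"
        run mkdir -p "$d"
        run mount -o "$(mount_opts "$v")" "$dev" "$d"
    done
    run mkdir -p "$mnt/efi"   # ESP folder; mount the EFI partition there afterwards
    # 3. Optional swapfile on the nodatacow @swap subvolume.
    if [ -n "${SWAP_SIZE:-}" ]; then
        run btrfs filesystem mkswapfile --size "${SWAP_SIZE}g" --uuid clear "$mnt/swap/swapfile"
        run swapon "$mnt/swap/swapfile"
    fi
}

if [ $# -ge 2 ]; then
    setup_layout "$1" "$2"
fi
```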
Personal package choice brings in `base-devel` for AUR, `linux-lts` as a fallback, `bash-completion` and `openssh` for convenience, and the required packages for proper `man` and `info` support. For filesystems, only `btrfs-progs` is really required; the others are for convenience as they are used daily. `networkmanager` and `neovim` are my personal picks for networking and text editing. `amd-ucode` should be replaced with `intel-ucode` on Intel machines.
- Install packages: `pacstrap -K /mnt base base-devel linux linux-lts linux-firmware networkmanager neovim openssh man-db man-pages texinfo bash-completion btrfs-progs dosfstools exfatprogs e2fsprogs ntfs-3g amd-ucode`.
- Generate fstab with `genfstab -U /mnt >> /mnt/etc/fstab`.
- Enter the newly installed system with `arch-chroot /mnt`.
- Set the timezone with `ln -sf /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime` and sync the HW clock with `hwclock --systohc`.
- Uncomment locales in `/etc/locale.gen` and run `locale-gen`.
- Set the locale with `echo "LANG=en_US.UTF-8" >> /etc/locale.conf`.
- Set the keymap with `echo "KEYMAP=br-abnt2" >> /etc/vconsole.conf`.
- Set the hostname with `echo "$(HOSTNAME)" >> /etc/hostname`.
- Set the root password with `passwd`.
- Edit `/etc/mkinitcpio.conf`:
  - Replace `udev` with `systemd`.
  - Replace `keymap` and `consolefont` with `sd-vconsole`.
  - Add `sd-encrypt` before `filesystems`.
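A check for the three hook edits above, added here as an example and not part of the original notes: a HOOKS line that still carries `udev`, `keymap` or `consolefont`, lacks `sd-encrypt`, or places it after `filesystems` produces an initramfs that cannot open the LUKS root, so it is worth validating before `mkinitcpio -P`. It assumes the file follows the stock `HOOKS=(...)` form.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check the HOOKS line of
# /etc/mkinitcpio.conf against the edits above before running mkinitcpio -P.
# Usage: sh check-hooks.sh /etc/mkinitcpio.conf

# Print the space-separated hook list from a mkinitcpio.conf file.
read_hooks() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1"
}

# pos NAME HOOK... -> 1-based position of NAME in the hook list, 0 if absent.
pos() {
    want=$1; shift; i=0
    for h in "$@"; do
        i=$((i + 1))
        [ "$h" = "$want" ] && { echo "$i"; return; }
    done
    echo 0
}

# check_hooks "base systemd ..." -> prints one line per problem, returns 1 if any.
check_hooks() {
    set -- $1   # split the hook list into positional parameters
    rc=0
    [ "$(pos systemd "$@")" -gt 0 ] || { echo "missing: systemd (replaces udev)"; rc=1; }
    [ "$(pos sd-vconsole "$@")" -gt 0 ] || { echo "missing: sd-vconsole (replaces keymap/consolefont)"; rc=1; }
    for old in udev keymap consolefont; do
        [ "$(pos "$old" "$@")" -eq 0 ] || { echo "remove: $old (replaced by the systemd hooks)"; rc=1; }
    done
    enc=$(pos sd-encrypt "$@"); fs=$(pos filesystems "$@")
    if [ "$enc" -eq 0 ]; then echo "missing: sd-encrypt"; rc=1
    elif [ "$fs" -eq 0 ]; then echo "missing: filesystems"; rc=1
    elif [ "$enc" -gt "$fs" ]; then echo "order: sd-encrypt must come before filesystems"; rc=1
    fi
    return $rc
}

if [ -n "${1:-}" ]; then
    check_hooks "$(read_hooks "$1")" && echo "HOOKS look good"
fi
```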
- Update presets in `/etc/mkinitcpio.d/*.preset`:
  - Uncomment `$(PRESET)_uki` and `$(PRESET)_options`.
- Create `/etc/kernel/cmdline` if it doesn't exist and add the required kernel parameters there.
  - Optionally: create `fallback_cmdline` for the fallback preset if you need different parameters.
  - Baseline parameters: `rw quiet rootflags=subvol=@root`. `rootflags` can be removed if `btrfs subvolume set-default` was run before.
- Install the systemd-boot bootloader with `bootctl install`.
- Run `mkinitcpio -P` to regenerate the images.
- Reboot and check that everything works.
- Log in and create a new user: `useradd -m -G wheel -s /bin/bash $(USER) && passwd $(USER)`.
- Enable 'wheel' to use sudo: `EDITOR=nvim visudo`.
- Lock `root`: `passwd -l root`.
- Install applications, configure things.
- Install `sbctl`. Make sure Secure Boot is enabled and the firmware is in Setup Mode.
- Create keys with `sbctl create-keys`.
- Enroll the created keys alongside Microsoft's keys: `sbctl enroll-keys -m`.
- Sign the files listed in `sbctl verify` using `sbctl sign-all`.
  - Check with `sbctl verify` again; if it failed, sign each file manually with `sbctl sign /path/to/file`.
- Enable `systemd-boot-update.service` and put the signed files in the systemd folder with `sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi`.
- Reboot and check if it is working with `sbctl status`.
- Install `tpm2-tss`.
- Get the path for the TPM2 device with `systemd-cryptenroll --tpm2-device=list`.
- Enroll a new key and tie it to the Secure Boot state: `systemd-cryptenroll --tpm2-device=/path/to/tpm2_device /dev/sdX`