Installation guide - loyiwen/MatchaMaster GitHub Wiki
To set the keyboard layout, pass its name to loadkeys(1):
# loadkeys uk
Console fonts are located in /usr/share/kbd/consolefonts/ and can likewise be set with setfont(8), omitting the path and file extension. For example, to use one of the largest fonts suitable for HiDPI screens, run:
# setfont ter-132b
Check the UEFI bitness:
# cat /sys/firmware/efi/fw_platform_size
- If the command returns 64, the system is booted in UEFI mode and has a 64-bit x64 UEFI.
- If the command returns 32, the system is booted in UEFI mode and has a 32-bit IA32 UEFI. While this is supported, it will limit the boot loader choice to those that support mixed mode booting.
- If it returns No such file or directory, the system may be booted in BIOS (or CSM) mode.
If the system did not boot in the mode you desired (UEFI vs BIOS), refer to your motherboard's manual.
# iwctl
[iwd]# station wlan0 connect <SSID>
The connection may be verified with ping:
# ping archlinux.org
In the live environment systemd-timesyncd is enabled by default and time will be synced automatically once a connection to the internet is established.
Use timedatectl(1) to ensure the system clock is synchronized:
# timedatectl
# cfdisk /dev/nvme0n1
# cryptsetup luksFormat -v --pbkdf pbkdf2 /dev/nvme0n1p7
Type YES. You will then be prompted to enter a password.
# cryptsetup open /dev/nvme0n1p7 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot
# mkswap /dev/nvme0n1p6
# mkfs.fat -F 32 /dev/nvme0n1p5
# mount /dev/mapper/cryptroot /mnt
# mount --mkdir /dev/nvme0n1p5 /mnt/boot
# swapon /dev/nvme0n1p6
# vim /etc/pacman.d/mirrorlist
# pacstrap -K /mnt base base-devel linux linux-firmware intel-ucode vim sudo iwd networkmanager cryptsetup man-db man-pages efibootmgr grub
Generate an fstab file (use -U or -L to define by UUID or labels, respectively):
# genfstab -U /mnt >> /mnt/etc/fstab
Change root into the new system:
# arch-chroot /mnt
Set the time zone:
# ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
Run hwclock(8) to generate /etc/adjtime:
# hwclock --systohc
Edit /etc/locale.gen and uncomment en_GB.UTF-8 UTF-8 and other needed UTF-8 locales:
# vim /etc/locale.gen
Generate the locales by running:
# locale-gen
Create the locale.conf(5) file, and set the LANG variable accordingly:
# vim /etc/locale.conf
LANG=en_GB.UTF-8
If you set the console keyboard layout, make the changes persistent in vconsole.conf:
# vim /etc/vconsole.conf
KEYMAP=uk
Create the hostname file:
# vim /etc/hostname
matchamaster
Set the root password:
# passwd
Add the encrypt hook to mkinitcpio.conf:
# vim /etc/mkinitcpio.conf
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
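A check for the HOOKS line above before the initramfs is regenerated, added here as an example and not part of the original guide. It confirms that encrypt is present, comes after block and keyboard, and comes before filesystems; hook_index and check_hooks are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): validate hook ordering for an
# encrypted root. hook_index and check_hooks are hypothetical helper names.

# Print the 0-based position of hook $1 among the remaining args, or -1.
hook_index() {
    local want i h
    want="$1"; i=0
    shift
    for h in "$@"; do
        if [ "$h" = "$want" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    echo -1
}

# check_hooks 'HOOKS=(...)' prints "ok" or the first problem found.
check_hooks() {
    local line body enc blk fs kbd
    line="$1"
    body=${line#*\(}; body=${body%\)*}   # keep only the text between ( and )
    set -- $body                         # intentional word splitting
    enc=$(hook_index encrypt "$@")
    blk=$(hook_index block "$@")
    fs=$(hook_index filesystems "$@")
    kbd=$(hook_index keyboard "$@")
    [ "$enc" -ge 0 ] || { echo "encrypt hook missing"; return 1; }
    # The LUKS partition's block device must exist before encrypt runs.
    [ "$blk" -ge 0 ] && [ "$blk" -lt "$enc" ] || { echo "block must precede encrypt"; return 1; }
    # The root filesystem only appears once cryptroot has been opened.
    [ "$fs" -gt "$enc" ] || { echo "filesystems must follow encrypt"; return 1; }
    # The passphrase prompt needs a working keyboard.
    [ "$kbd" -ge 0 ] && [ "$kbd" -lt "$enc" ] || { echo "keyboard must precede encrypt"; return 1; }
    echo ok
}

# The HOOKS line from this guide; inside the chroot use instead:
#   check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"
check_hooks 'HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)'
```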
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
# vim /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=$(blkid -s UUID -o value /dev/nvme0n1p7):cryptroot root=/dev/mapper/cryptroot"
# grub-mkconfig -o /boot/grub/grub.cfg
Regenerate the initramfs:
# mkinitcpio -P
Exit the chroot environment by typing exit or pressing Ctrl+D.
Optionally manually unmount all the partitions with umount -R /mnt: this allows noticing any "busy" partitions, and finding the cause with fuser(1).
Finally, restart the machine by typing reboot: any partitions still mounted will be automatically unmounted by systemd. Remember to remove the installation medium and then log in to the new system with the root account.
sbctl is a user-friendly way of setting up secure boot and signing files.
To use it, install sbctl. See also the upstream README and sbctl(8).
Before starting, go to your firmware settings and set secure boot mode to Setup mode. This is different for each device: see sbctl(8) § USAGE.
Once you log back in, check the secure boot status:
$ sbctl status
You should see that sbctl is not installed and secure boot is disabled:
Installed: sbctl is not installed
Setup Mode: Enabled
Secure Boot: Disabled
Vendor Keys: microsoft builtin-db builtin-db builtin-KEK
Then create your custom secure boot keys:
# sbctl create-keys
Enroll your keys, with Microsoft's keys, to the UEFI:
# sbctl enroll-keys -m
You may have to chattr -i files in efivarfs before you are able to enroll keys.
Check the secure boot status again:
# sbctl status
sbctl should now be installed, but secure boot will not work until the boot files have been signed with the keys you just created:
Installed: sbctl is installed
Owner GUID: <UUID>
Setup Mode: Disabled
Secure Boot: Disabled
Vendor Keys: microsoft
Check what files need to be signed for secure boot to work:
# sbctl verify
Now sign all the unsigned files. Usually the kernel and the boot loader need to be signed. For example:
# sbctl sign -s /boot/vmlinuz-linux
The files that need to be signed will depend on your system's layout, kernel and boot loader.
Now you are done! Reboot your system and turn secure boot back on in the firmware settings. If the boot loader and OS load, secure boot should be working. Check with:
# sbctl status
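The sbctl steps above hinge on reading two outputs correctly, so the following added example (not part of the original guide) maps sbctl status output to the next step and lists the files sbctl verify reports as unsigned. sb_stage and unsigned_files are hypothetical helper names, the sample verify output is constructed, and the "is not signed" wording of sbctl verify is assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. sb_stage and unsigned_files
# are hypothetical helper names; the sample text at the bottom is constructed.

# Read `sbctl status` output on stdin and print which step comes next.
sb_stage() {
    local out setup secure
    out=$(cat)
    # Use the last word of each field so a leading marker does not matter.
    setup=$(printf '%s\n' "$out" | awk '/^Setup Mode:/ {print $NF}')
    secure=$(printf '%s\n' "$out" | awk '/^Secure Boot:/ {print $NF}')
    if printf '%s\n' "$out" | grep -q 'is not installed'; then
        # No sbctl keys yet: the firmware must be in Setup Mode first.
        if [ "$setup" = Enabled ]; then echo create-keys; else echo need-setup-mode; fi
    elif [ "$setup" = Enabled ]; then
        echo enroll-keys
    elif [ "$secure" = Enabled ]; then
        echo active
    else
        echo sign-files   # keys enrolled, Secure Boot still off in firmware
    fi
}

# Read `sbctl verify` output on stdin; print each unsigned path on its own line.
# Assumes the "<path> is not signed" wording; any leading marker is ignored.
unsigned_files() {
    sed -n 's/^[^/]*\(\/.*\) is not signed$/\1/p'
}

# Constructed sample of `sbctl verify` output for the layout in this guide.
sample_verify='Verifying file database and EFI images in /boot...
✓ /boot/EFI/GRUB/grubx64.efi is signed
✗ /boot/vmlinuz-linux is not signed'

# Dry run: show the signing commands instead of executing them.
printf '%s\n' "$sample_verify" | unsigned_files | while IFS= read -r f; do
    printf 'sbctl sign -s %s\n' "$f"
done
```

On the installed system, feed the real output in with `sbctl status | sb_stage` and `sbctl verify | unsigned_files`.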