Install Arch Linux

Set up partitions

Set up Secure Boot

Set up dm-integrity:

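# Generate a random 32-byte key for the HMAC.
# The key is created under umask 077: dd would otherwise create the file with
# the default mode (usually 0644), leaving the integrity key world-readable
# while it sits in /tmp. /tmp on the live ISO is volatile and this key is
# needed at every boot, so it must be copied into the installed system later
# (the install step places it in /etc/cryptsetup-keys.d/).
( umask 077 && dd if=/dev/urandom of=/tmp/integrity-key.bin bs=32 count=1 )

# Format /dev/sdX2 with dm-integrity using keyed HMAC-SHA256.
# --tag-size 32 is the HMAC-SHA256 output length; --integrity-key-size must
# match the key file length (32 bytes). This wipes /dev/sdX2.
integritysetup format \
  --integrity hmac-sha256 \
  --integrity-key-file /tmp/integrity-key.bin \
  --integrity-key-size 32 \
  --tag-size 32 \
  --sector-size 4096 \
  /dev/sdX2

# Open the integrity device as /dev/mapper/integrity0. The algorithm and key
# are given again on open: the dm-integrity superblock records the tag and
# sector sizes but not which keyed algorithm produced the tags.
integritysetup open \
  --integrity hmac-sha256 \
  --integrity-key-file /tmp/integrity-key.bin \
  --integrity-key-size 32 \
  /dev/sdX2 integrity0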

Encrypt HDD:

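# Set up LUKS2 on top of the integrity device. LUKS only ever sees the
# integrity-protected /dev/mapper/integrity0, never the raw partition.
cryptsetup luksFormat --type luks2 /dev/mapper/integrity0
cryptsetup open /dev/mapper/integrity0 cryptroot

### Create LVM volumes inside the encrypted container
# Physical volume
pvcreate /dev/mapper/cryptroot
# Volume group
vgcreate vg0 /dev/mapper/cryptroot
# Logical volumes - adjust the swap size as needed (resume= in the boot entry
# requires swap large enough to hold the hibernation image)
lvcreate -L 8G vg0 -n swap
lvcreate -l 100%FREE vg0 -n root
# Format volumes
mkfs.ext4 /dev/vg0/root
mkswap /dev/vg0/swap

### Enroll unlock methods in the LUKS header
# TPM2 (if available), policy bound to PCRs 0, 7 and 14.
# NOTE(review): PCR 7 covers the Secure Boot policy in effect at boot; values
# measured while booted from the live ISO are unlikely to match the installed
# system's. Confirm the TPM unlock works after the first real boot and re-run
# this enrolment from the installed system if it does not.
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+14 /dev/mapper/integrity0
# FIDO2 token (YubiKey)
systemd-cryptenroll --fido2-device=auto /dev/mapper/integrity0

# Optional extra keyfile keyslot. The keyfile is created under umask 077 so it
# is not world-readable while it sits in /tmp.
# NOTE(review): nothing else in this guide stores or references
# /tmp/luks-key.bin - the crypttab entry for cryptroot uses "-" with
# tpm2-device/fido2-device - and the live ISO's /tmp does not survive a reboot.
# Either keep a copy of this keyfile somewhere safe or skip the step; otherwise
# the added keyslot can never be used.
( umask 077 && dd if=/dev/urandom of=/tmp/luks-key.bin bs=32 count=1 )
cryptsetup luksAddKey /dev/mapper/integrity0 /tmp/luks-key.bin

# Park the integrity key where the installed system's crypttab expects it.
# The new root is not mounted yet at this point, so this copy lands in the
# live environment's /etc and is lost on reboot; the copy that matters is the
# one made into /mnt during the install step. install(1) creates the
# directory and sets mode 0600 in one step.
install -D -m 600 /tmp/integrity-key.bin /etc/cryptsetup-keys.d/integrity0.key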

Format Partitions:

# Create the FAT32 filesystem for the EFI system partition (later mounted at
# /boot, so kernel and initramfs live unencrypted there and rely on their
# Secure Boot signatures).
mkfs.fat -F 32 /dev/sdX1

# Mount the new root first, then the ESP beneath it.
mount /dev/vg0/root /mnt
mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot

# Activate the swap LV for the installation session.
swapon /dev/vg0/swap

Install

Finish Initial Install:

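# Install the base system plus the tools needed for LUKS/dm-integrity, LVM,
# TPM2, the Nitrokey and Secure Boot signing.
# NOTE(review): confirm every package name here resolves in the repositories
# (or AUR helper) you are using before relying on this list.
pacstrap /mnt base base-devel linux linux-firmware intel-ucode lvm2 \
  efitools sbsigntools openssl tpm2-tools nitrokey-app engine-pkcs11 opensc \
  systemd-boot-manager vim networkmanager dmraid cryptsetup integritysetup

# Generate fstab
genfstab -U /mnt >> /mnt/etc/fstab

# Copy the dm-integrity key into the NEW root before entering the chroot.
# Once inside arch-chroot, /tmp is /mnt/tmp, so the live ISO's
# /tmp/integrity-key.bin is no longer reachable; copying it from within the
# chroot (as this guide originally did) fails. install(1) creates the
# directory and sets mode 0600 in one step.
install -D -m 600 /tmp/integrity-key.bin /mnt/etc/cryptsetup-keys.d/integrity0.key

# Enter the new system. This is interactive; everything below runs inside
# the chroot.
arch-chroot /mnt

# /etc/crypttab
# <name> <device> <password> <options>
# NOTE(review): /dev/sdX2 is a placeholder - use a persistent identifier for
# the partition in the real file. Also confirm that the initramfs hook used
# here honours an "integrity" crypttab entry; systemd itself configures
# standalone dm-integrity via /etc/integritytab rather than crypttab.
cat >> /etc/crypttab <<'EOF'
integrity0 /dev/sdX2 /etc/cryptsetup-keys.d/integrity0.key integrity,no-read-workqueue,no-write-workqueue
cryptroot /dev/mapper/integrity0 - tpm2-device=auto,fido2-device=auto
EOF

# Configure /etc/mkinitcpio.conf (replace the existing MODULES/HOOKS lines).
# sd-encrypt is a systemd-based hook: it needs the systemd hook in place of
# udev, and sd-vconsole in place of keymap, otherwise the LUKS device is never
# unlocked in the initramfs.
# NOTE(review): "integritysetup" is not a hook shipped by mkinitcpio itself -
# confirm which package provides it and that it runs before sd-encrypt.
sed -i \
  -e 's/^MODULES=.*/MODULES=(tpm)/' \
  -e 's/^HOOKS=.*/HOOKS=(base systemd autodetect modconf block keyboard sd-vconsole integritysetup sd-encrypt lvm2 filesystems fsck)/' \
  /etc/mkinitcpio.conf

# Regenerate initramfs
mkinitcpio -P

# Install systemd-boot.
# NOTE(review): this places systemd-boot's EFI binaries under /boot/EFI; under
# Secure Boot with custom keys those binaries need a db signature as well -
# the signing step of this guide only covers the kernel, initramfs and
# microcode images.
bootctl install

# Create the boot entry. The heredoc delimiter is unquoted on purpose so that
# $(blkid ...) is expanded NOW: systemd-boot does not run shell substitutions,
# so a literal "$(blkid ...)" in arch.conf would never resolve to the UUID.
cat > /boot/loader/entries/arch.conf <<EOF
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=$(blkid -s UUID -o value /dev/mapper/integrity0)=cryptroot root=/dev/vg0/root resume=/dev/vg0/swap rw
EOF
# (use /amd-ucode.img instead of /intel-ucode.img on AMD CPUs)

# Update the bootloader config. "editor no" disables the boot-menu command
# line editor so the kernel options above cannot be altered at the prompt.
printf '%s\n' 'timeout 4' 'editor no' >> /boot/loader/loader.conf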

Sign the kernel, initramfs and microcode:

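cd /boot || exit 1

# Sign the kernel, initramfs and microcode images in place. OPENSSL_CONF
# points sbsign's OpenSSL at the pkcs11 engine configuration so the db key on
# the HSM can be used. sbsign appends to an existing signature rather than
# replacing it, so run this once per freshly generated image; the pacman hook
# below re-signs after updates.
# NOTE(review): the firmware only verifies what it loads itself (the
# bootloader and the kernel image). A separately loaded initramfs is not
# checked by Secure Boot, so its signature is only enforced if the boot chain
# verifies it, e.g. by packaging kernel and initramfs as a unified kernel
# image.
OPENSSL_CONF=/root/openssl-pkcs11.cnf sbsign --engine pkcs11 --key slot_03-label_db \
  --cert /root/secureboot/keys/db.crt --output vmlinuz-linux vmlinuz-linux
OPENSSL_CONF=/root/openssl-pkcs11.cnf sbsign --engine pkcs11 --key slot_03-label_db \
  --cert /root/secureboot/keys/db.crt --output initramfs-linux.img initramfs-linux.img
OPENSSL_CONF=/root/openssl-pkcs11.cnf sbsign --engine pkcs11 --key slot_03-label_db \
  --cert /root/secureboot/keys/db.crt --output intel-ucode.img intel-ucode.img  # or amd-ucode.img

# Create the kernel update hook. A pacman hook needs both a [Trigger] and an
# [Action] section; without [Trigger] pacman rejects the file. The "99-"
# prefix keeps it ordered after mkinitcpio's own 90-mkinitcpio-install.hook,
# so the freshly built initramfs is what gets signed. /etc/pacman.d/hooks
# does not exist by default.
# NOTE(review): the targets do not cover systemd-boot's own EFI binaries;
# if those are updated (bootctl update), they need signing separately.
mkdir -p /etc/pacman.d/hooks
cat > /etc/pacman.d/hooks/99-secureboot.hook <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*
Target = boot/intel-ucode.img
Target = boot/amd-ucode.img

[Action]
Description = Signing kernel and initramfs for secure boot...
When = PostTransaction
Exec = /usr/local/bin/sign-kernel.sh
Depends = sbsigntools
Depends = engine-pkcs11
Depends = opensc
EOF
# Install the re-signing script from the next section as
# /usr/local/bin/sign-kernel.sh (mode 0755) so the hook can execute it.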

Script to Re-sign Everything:

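#!/bin/bash
# Sign the kernel, initramfs and microcode images in /boot for Secure Boot.
# Run by /etc/pacman.d/hooks/99-secureboot.hook after kernel, initramfs or
# microcode updates. The db signing key lives on a Nitrokey HSM and is
# reached through the pkcs11 OpenSSL engine.
#
# Exits non-zero when the HSM is absent or a required image cannot be signed,
# so pacman reports the failure instead of an unsigned kernel being left
# behind a "success" message.
set -euo pipefail

# sbsign reads OPENSSL_CONF from its environment. A plain assignment is not
# inherited by child processes, so it must be exported or the pkcs11 engine
# configuration is silently ignored.
export OPENSSL_CONF=/root/openssl-pkcs11.cnf

readonly KEY_ID=slot_03-label_db
readonly CERT=/root/secureboot/keys/db.crt
readonly BOOT_DIR=/boot

die() { printf 'Error: %s\n' "$*" >&2; exit 1; }

#######################################
# Sign one image in place with the HSM-held db key.
# Arguments: $1 - label used in progress messages
#            $2 - path of the image to sign
# Outputs:   progress message on stdout
# Returns:   0 if already validly signed or signed now; sbsign's status otherwise
#######################################
sign_image() {
  local label=$1
  local img=$2
  # sbsign appends signatures instead of replacing them, so skip images that
  # already verify against our db certificate; a changed image no longer
  # verifies and is signed again.
  if sbverify --cert "$CERT" "$img" >/dev/null 2>&1; then
    printf 'Already signed: %s\n' "$img"
    return 0
  fi
  printf 'Signing %s...\n' "$label"
  sbsign --engine pkcs11 \
    --key "$KEY_ID" \
    --cert "$CERT" \
    --output "$img" \
    "$img"
}

main() {
  local img

  # Check if Nitrokey is connected
  if ! pkcs11-tool --module opensc-pkcs11.so --list-slots | grep -q "Nitrokey HSM"; then
    die "Nitrokey HSM not found."
  fi

  # Kernel and initramfs must exist; a missing one is a hard error.
  [[ -f "$BOOT_DIR/vmlinuz-linux" ]] || die "missing $BOOT_DIR/vmlinuz-linux"
  sign_image "kernel" "$BOOT_DIR/vmlinuz-linux"
  [[ -f "$BOOT_DIR/initramfs-linux.img" ]] || die "missing $BOOT_DIR/initramfs-linux.img"
  sign_image "initramfs" "$BOOT_DIR/initramfs-linux.img"

  # Fallback initramfs only if it exists
  if [[ -f "$BOOT_DIR/initramfs-linux-fallback.img" ]]; then
    sign_image "fallback initramfs" "$BOOT_DIR/initramfs-linux-fallback.img"
  fi

  # Microcode updates only if they exist (the -f test also covers the case
  # where the glob matched nothing and is left unexpanded).
  for img in "$BOOT_DIR"/*-ucode.img; do
    [[ -f "$img" ]] || continue
    sign_image "$img" "$img"
  done

  printf 'All kernel and initramfs images signed successfully.\n'
}

main "$@"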