
@jirutka
Last active December 13, 2023 01:09
My notes for installing Arch Linux on encrypted Btrfs with UEFI Secure Boot on ThinkPad T14s

Arch Linux Installation

1. Securely erase drive

cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1 to-be-wiped
dd if=/dev/zero of=/dev/mapper/to-be-wiped bs=1M status=progress
cryptsetup close to-be-wiped
wipefs -a /dev/nvme0n1


2. Create partition table

The kernel will be stored on the EFI System Partition.

Number  Size       Name  Flags
1       1024 MiB   efi   boot, esp
3        -1   MiB  data

3. Create filesystems

  1. Format EFI partition with FAT32:

     mkfs.fat -F 32 -n EFI /dev/nvme0n1p1
    
  2. Format data partition with LUKS:

     cryptsetup luksFormat -i 5000 --label system-luks /dev/nvme0n1p2
     cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/nvme0n1p2 system
    
  3. Create Btrfs on LUKS:

     mkfs.btrfs -L system /dev/mapper/system
    
  4. Mount Btrfs:

     mount -t btrfs -o autodefrag,compress=zstd:1,noatime,space_cache,ssd /dev/mapper/system /mnt
    
  5. Create subvolumes:

     cd /mnt
     btrfs subvolume create @
     btrfs subvolume create @home
    
  6. Prepare mount points:

     mkdir /mnt/@/boot
     chmod 000 /mnt/@/boot
     mkdir /mnt/@/home
     chmod 000 /mnt/@/home
    
  7. (Re)mount filesystems:

     umount /mnt
     mount -t btrfs -o autodefrag,compress=zstd:1,noatime,space_cache,ssd,subvol=@ /dev/mapper/system /mnt
     mount -t btrfs -o autodefrag,compress=zstd:1,noatime,space_cache,ssd,subvol=@home /dev/mapper/system /mnt/home
     mount /dev/nvme0n1p1 /mnt/boot
    

Considerations:

  • The default and recommended cipher is AES-XTS.
  • The AMD Ryzen 7 4750U has SHA extensions that accelerate SHA-1 and SHA-256, but not SHA-512, so it is better to use SHA-256 (which is also the LUKS default).
  • The default key size for XTS is 512 bits, which is effectively 256 bits because XTS splits the key in two. Fedora uses 512 bits as well.
  • The articles above recommend an iteration time (-i) of 5000; the default is 2000.
  • My Samsung NVMe disk supports only a 512-byte block size.


4. Install and configure Arch

  1. Install essential packages:

     pacstrap /mnt base linux linux-firmware btrfs-progs amd-ucode efibootmgr vim
    
  2. Generate fstab:

     genfstab -U /mnt >> /mnt/etc/fstab
    
  3. chroot into the new system:

     arch-chroot /mnt
    
  4. Configure time:

     ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime
     hwclock --systohc
    
  5. Configure locale:

     # edit `/etc/locale.gen` and uncomment `en_US.UTF-8 UTF-8`
     locale-gen
     echo "LANG=en_US.UTF-8" > /etc/locale.conf
    
  6. Configure hostname and hosts:

     echo your-hostname > /etc/hostname
     printf "127.0.0.1\tlocalhost\n::1\tlocalhost\n" >> /etc/hosts
     printf "127.0.0.1\tyour-hostname.local your-hostname\n::1\tyour-hostname.local your-hostname\n" >> /etc/hosts
    
  7. Edit /etc/mkinitcpio.conf and regenerate the initial ramdisk:

    • add vfat to MODULES
    • remove fsck from HOOKS, move keyboard after udev and add encrypt after block
    • mkinitcpio -P

5. Setup EFI boot

Create boot entry:

efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux' --load /vmlinuz-linux --unicode 'cryptdevice=UUID=<LUKS-UUID>:system root=/dev/mapper/system rw rootflags=autodefrag,compress=zstd:1,noatime,space_cache,ssd,subvol=@ initrd=\amd-ucode.img initrd=\initramfs-linux.img' --verbose

efibootmgr --bootnum 0000 --active


6. Reboot

exit
umount /mnt/boot
umount /mnt/home
umount /mnt
cryptsetup close system
reboot

7. Install kernel module for WiFi card

  1. Install base-devel:

     pacman -S base-devel
    
  2. Clone, build and install rtw89-dkms-git from AUR:

     $ mkdir ~/pkgbuilds
     $ git clone https://aur.archlinux.org/rtw89-dkms-git.git ~/pkgbuilds/rtw89-dkms-git
     $ cd ~/pkgbuilds/rtw89-dkms-git
     # Fix PKGBUILD to copy dkms.conf *after* copying files from the rtw89 repository
     $ makepkg -si
     root# modprobe rtw89pci
    

Secure Boot – Part 1

  1. Install package efitools.

  2. Prepare directory for keys: install -d -m 700 /etc/efi-keys

  3. Backup vendor keys:

     mkdir -p /etc/efi-keys/vendor
     cd /etc/efi-keys/vendor
     for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done
    
  4. Download efi-mkkeys script:

     curl -o efi-mkkeys https://raw.githubusercontent.com/jirutka/efi-mkkeys/v0.1.0/efi-mkkeys
     chmod +x efi-mkkeys
    
  5. Generate self-signed PK, KEK and db key, including .esl and .auth files:

     ./efi-mkkeys -s "Your Name" -o /etc/efi-keys
    
  6. Clone, build and install sbupdate-git from AUR:

     $ git clone https://aur.archlinux.org/sbupdate-git.git pkgbuilds/sbupdate-git
     $ cd pkgbuilds/sbupdate-git
     $ makepkg -si
    
  7. Edit /etc/sbupdate.conf:

     BACKUP=1
     CMDLINE_DEFAULT="cryptdevice=UUID=<LUKS-UUID>:system root=/dev/mapper/system rw rootflags=autodefrag,compress=zstd:1,noatime,space_cache,ssd,subvol=@"
     CONFIGS["linux"]="linux linux-fallback"
    
  8. Sign kernel: sbupdate

  9. Add boot entry:

     efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux (default)' --load /EFI/Arch/linux-signed.efi --verbose
    
  10. Reboot system and verify that it boots.
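A pre-reboot sanity check for the two configuration edits these notes depend on: the MODULES/HOOKS changes to /etc/mkinitcpio.conf from step 7 of "Install and configure Arch" and the CMDLINE_DEFAULT in /etc/sbupdate.conf from step 7 above. This is an added example, not part of the original notes; it assumes the names the notes use (LUKS mapping `system`, root `/dev/mapper/system`) and adds one constraint from mkinitcpio itself that the notes do not spell out: encrypt must come before filesystems.

```shell
#!/bin/sh
# Pre-reboot check for the encrypted-root / Secure Boot configuration in these notes.
# Added example (not part of the gist). Assumes the notes' names: LUKS mapping "system",
# root /dev/mapper/system, config in /etc/mkinitcpio.conf and /etc/sbupdate.conf.

# pos WORD ITEM...: print the 1-based position of WORD among the ITEMs, or 0 if absent
pos() {
    w=$1; shift; i=0
    for x in "$@"; do
        i=$((i + 1))
        [ "$x" = "$w" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# hooks_ok "HOOKS value": fsck removed, keyboard after udev, encrypt after block
# and (a mkinitcpio requirement, not stated in the notes) before filesystems
hooks_ok() {
    set -- $1
    [ "$(pos fsck "$@")" -eq 0 ] || return 1
    u=$(pos udev "$@"); k=$(pos keyboard "$@"); b=$(pos block "$@")
    e=$(pos encrypt "$@"); f=$(pos filesystems "$@")
    [ "$u" -gt 0 ] && [ "$k" -gt "$u" ] || return 1
    [ "$b" -gt 0 ] && [ "$e" -gt "$b" ] || return 1
    [ "$f" -gt "$e" ]
}

# modules_ok "MODULES value": vfat listed, as the notes require
modules_ok() {
    case " $1 " in *" vfat "*) return 0 ;; esac
    return 1
}

# cmdline_ok "kernel cmdline": <LUKS-UUID> placeholder replaced by a real UUID,
# mapping named "system", root pointing at the opened mapping
cmdline_ok() {
    case "$1" in *"<LUKS-UUID>"*) return 1 ;; esac
    echo "$1" | grep -Eq '(^| )cryptdevice=UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}:system( |$)' || return 1
    echo "$1" | grep -Eq '(^| )root=/dev/mapper/system( |$)'
}

# Run against the live files with: sh check-boot.sh --check (inside the chroot)
if [ "${1:-}" = "--check" ]; then
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' /etc/mkinitcpio.conf)
    mods=$(sed -n 's/^MODULES=(\(.*\))/\1/p' /etc/mkinitcpio.conf)
    cmd=$(sed -n 's/^CMDLINE_DEFAULT="\(.*\)"/\1/p' /etc/sbupdate.conf)
    hooks_ok "$hooks"  && echo "HOOKS: ok"   || echo "HOOKS: fix order or remove fsck"
    modules_ok "$mods" && echo "MODULES: ok" || echo "MODULES: add vfat"
    cmdline_ok "$cmd"  && echo "CMDLINE: ok" || echo "CMDLINE: replace <LUKS-UUID> or check names"
fi
```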

Secure Boot – Part 2

  1. Reboot system and enter ThinkPad Setup (F1).
  2. Go to Security > Secure Boot
  3. Change Secure Boot to Enabled
  4. Reset to Setup Mode
  5. Go to Key Management
  6. Authorized Signature Database (DB)
    • Enroll DB > select your Flash Drive > select db.auth
    • Delete DB > delete Microsoft certificates
  7. Key Exchange Key (KEK)
    • Enroll KEK > select your Flash Drive > select KEK.auth
    • Delete KEK > delete Microsoft certificates
  8. Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth
  9. Go to top, Restart > Exit Saving Changes

Secure Boot – Part 3

  1. Move /boot/* to encrypted Btrfs and keep only /boot/EFI/Arch on the EFI partition:

     umount /boot
     mount LABEL=EFI /mnt
     chmod 755 /boot
     mv /mnt/*.img /mnt/vmlinuz-linux /boot/
     install -d -m 000 /boot/EFI
     mv /mnt/EFI/Arch /mnt/
     rmdir /mnt/EFI
    
  2. Change mountpoint for EFI partition in /etc/fstab from /boot to /boot/EFI.

  3. Edit /etc/sbupdate.conf:

     ESP_DIR="/boot/EFI"
     OUT_DIR="Arch"
    
  4. Delete and re-create boot entries:

     efibootmgr -b 0000 --delete-bootnum
     efibootmgr -b 0001 --delete-bootnum    
     efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux (default)' --load /Arch/linux-signed.efi --verbose
     efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux (fallback)' --load /Arch/linux-fallback-signed.efi --verbose
    
  5. Regenerate the initial ramdisks and re-sign the kernel images:

     mkinitcpio -P
     sbupdate
    


@DamonLane

Thanks for this, I found it very helpful! I appreciate starting with secure erase. I followed this so closely, with the official installation guide open in the background, that I neglected to set the root password before reboot.

I'm new to any kind of volumes, but shouldn't the path in step 3.3 match step 3.4? I used /dev/mapper/system for both.

My other suggestion would be to include "amd_pstate=passive" in the boot command. Apparently that has been needed since kernel 6 for the system to use the amd_pstates. My T14s uses quite a bit less power with that, and I've seen using amd_pstates also gives higher performance per watt.
