@mjkstra
Last active November 16, 2024 02:40
A modern, updated installation guide for Arch Linux with BTRFS on an UEFI system

Modern Arch linux installation guide

Introduction

The goal of this guide is to help new users set up a modern and minimal installation of Arch Linux with BTRFS on an UEFI system. I'll start from the basic terminal installation and then set up video drivers, a desktop environment and provide basic gaming configuration. This guide is meant to be read alongside the wiki, so that if something ever changes you can fix it, but that's not necessary unless my guide becomes outdated. I will also mention external references to justify some choices that I've made so that curious users can delve into the details.

Note that:

  • I won't prepare the system for secure boot because the procedure of custom key enrollment in the BIOS is dangerous and can lead to a bricked system. If you are wondering why not use the default OEM keys in the BIOS, it's because they would make secure boot useless, being most likely not secure enough.

  • I won't encrypt the system because I don't need it and because encryption always adds a little bit of overhead in the boot phase, leading to a start-up that is slower to varying degrees, depending on your configuration. However it may be important for you, so if you really want to go this way I recommend reading the wiki page on the subject, and you must perform the documented steps IMMEDIATELY AFTER disk partitioning. Also note that when partitioning with fdisk you must set the type of partition to a LUKS partition instead of a standard Linux partition.

  • I'll skip the Arch ISO installation media preparation.

  • I'll use a wired connection, so no wireless configuration steps will be shown. If you want to connect to wifi, you can either launch wifi-menu from the terminal, which is a TUI, or use iwctl.


Preliminary steps

First set up your keyboard layout

# List all the available keyboard maps and filter them through grep. In this case I am looking for an Italian keyboard, which usually starts with "it"; for English filter with "en"
ls /usr/share/kbd/keymaps/**/*.map.gz | grep it

# If you prefer you can scroll the whole list like this
ls /usr/share/kbd/keymaps/**/*.map.gz | less

# Or like this
localectl list-keymaps

# Now get the name without the path and the extension ( localectl returns just the name ) and load the layout. In my case it is simply "it"
loadkeys it

Check that we are in UEFI mode

# If this command prints 64 or 32 then you are in UEFI
cat /sys/firmware/efi/fw_platform_size

Check the internet connection

ping -c 5 archlinux.org 

Check the system clock

# Check if ntp is active and if the time is right
timedatectl

# In case it's not active you can do
timedatectl set-ntp true

# Or this
systemctl enable systemd-timesyncd.service

Main installation

Disk partitioning

I will make 2 partitions:

Number | Type             | Size
1      | EFI              | 512 Mb
2      | Linux Filesystem | 99.5Gb ( all of the remaining space )

# Check the drive name. Mine is /dev/nvme0n1
# If you have an hdd it is something like sdax
fdisk -l

# Now you can either go and partition your disk with fdisk and follow the steps below,
# or if you want to do things yourself and make it easier, use cfdisk ( an fdisk TUI wrapper ) which is
# much more user friendly. A reddit user suggested me this and it's indeed very intuitive to use.
# If you choose cfdisk you will have to invoke it the same way as I did with fdisk below, but
# you don't need to follow my commands blindly as with fdisk below, just navigate the UI with the arrows
# and press enter to get inside menus, remember to write changes before quitting.

# Invoke fdisk to partition
fdisk /dev/nvme0n1

# Now enter the following commands, when I write ENTER press enter
g
ENTER
n
ENTER
ENTER
ENTER
+512M
ENTER
t
ENTER
ENTER
1
ENTER
n
ENTER
ENTER
ENTER # If you don't want to use all the space then select the size by writing +XG ( eg: to make a 10GB partition +10G )
p
ENTER # Now check if you got the partitions right

# If so write the changes
w
ENTER

# If not you can quit without saving and redo from the beginning
q
ENTER

Disk formatting

For the file system I've chosen BTRFS, which has evolved quite a lot in recent years. It is best known for its Copy on Write feature, which enables it to make system snapshots in the blink of an eye and to save a lot of disk space; even more space can be saved by enabling built-in compression. It also lets the user create subvolumes which can be individually snapshotted.

# Find the efi partition with fdisk -l or lsblk. For me it's /dev/nvme0n1p1 and format it.
mkfs.fat -F 32 /dev/nvme0n1p1

# Find the root partition. For me it's /dev/nvme0n1p2 and format it. I will use BTRFS.
mkfs.btrfs /dev/nvme0n1p2

# Mount the root fs to make it accessible
mount /dev/nvme0n1p2 /mnt

Disk mounting

I will lay down the subvolumes on a flat layout, which is overall superior in my opinion and less constrained than a nested one. What's the difference ? If you're interested this section of the old sysadmin guide explains it.

# Create the subvolumes, in my case I choose to make a subvolume for / and one for /home. Subvolumes are identified by prepending @
# NOTICE: the list of subvolumes will be increased in a later release of this guide, upon proper testing and judgement. See the "Things to add" chapter.
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home

# Unmount the root fs
umount /mnt

For this guide I'll compress the btrfs subvolumes with Zstd, which has proven to be a good algorithm among the choices

# Mount the root and home subvolume. If you don't want compression just remove the compress option.
mount -o compress=zstd,subvol=@ /dev/nvme0n1p2 /mnt
mkdir -p /mnt/home
mount -o compress=zstd,subvol=@home /dev/nvme0n1p2 /mnt/home

Now we have to mount the efi partition. In general there are 2 main mountpoints to use: /efi or /boot, but in this configuration I am forced to use /efi, because by choosing /boot we could experience a system crash when trying to restore @ ( the root subvolume ) to a previous state after kernel updates. This happens because /boot files such as the kernel won't reside on @ but on the efi partition and hence they can't be saved when snapshotting @. This choice also grants separation of concerns and is good if one wants to encrypt /boot, since you can't encrypt efi files. Learn more here

mkdir -p /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi

Packages installation

# This will install some packages to metaphorically "bootstrap" our system. Feel free to add the ones you want
# "base, linux, linux-firmware" are needed. If you want a more stable kernel, then swap linux with linux-lts
# "base-devel" base development packages
# "git" to install the git vcs
# "btrfs-progs" are user-space utilities for file system management ( needed to harness the potential of btrfs )
# "grub" the bootloader
# "efibootmgr" needed to install grub
# "grub-btrfs" adds btrfs support for the grub bootloader and enables the user to directly boot from snapshots
# "inotify-tools" used by the grub-btrfsd daemon to automatically spot new snapshots and update grub entries
# "timeshift" a GUI app to easily create,plan and restore snapshots using BTRFS capabilities
# "amd-ucode" microcode updates for the cpu. If you have an intel one use "intel-ucode"
# "vim" my goto editor, if unfamiliar use nano
# "networkmanager" to manage Internet connections both wired and wireless ( it also has an applet package network-manager-applet )
# "pipewire pipewire-alsa pipewire-pulse pipewire-jack" for the new audio framework replacing pulse and jack. 
# "wireplumber" the pipewire session manager.
# "reflector" to manage mirrors for pacman
# "zsh" my favourite shell
# "zsh-completions" for zsh additional completions
# "zsh-autosuggestions" very useful, it helps writing commands [ Needs configuration in .zshrc ]
# "openssh" to use ssh and manage keys
# "man" for manual pages
# "sudo" to run commands as other users
pacstrap -K /mnt base base-devel linux linux-firmware git btrfs-progs grub efibootmgr grub-btrfs inotify-tools timeshift vim networkmanager pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber reflector zsh zsh-completions zsh-autosuggestions openssh man sudo

Fstab

# Fetch the disk mounting points as they are now ( we mounted everything before ) and generate instructions to let the system know how to mount the various disks automatically
genfstab -U /mnt >> /mnt/etc/fstab

# Check if fstab is fine ( it is if you've faithfully followed the previous steps )
cat /mnt/etc/fstab
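
A scripted version of this check, as an added example that is not part of the original guide. It assumes this guide's layout ( @ on /, @home on /home, the EFI partition on /efi and no separate /boot, for the snapshot reason given in the disk mounting section ); the names check_fstab and sample_fstab and the sample UUIDs are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): check a genfstab-generated fstab against
# the layout used here. check_fstab and sample_fstab are hypothetical helpers.

# check_fstab FILE: print FAIL/NOTE lines, return non-zero if any FAIL was found.
check_fstab() {
    awk '
    # True if the comma-separated option list contains an option matching re.
    function has_opt(list, re,    n, i, parts) {
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++) if (parts[i] ~ re) return 1
        return 0
    }
    function fail(msg) { print "FAIL " msg; bad++ }
    # m must be a btrfs mount of subvolume want (genfstab writes subvol=/@).
    function need_subvol(m, t, o, want) {
        if (t != "btrfs") { fail(m ": expected btrfs, found " t); return }
        if (!has_opt(o, "^subvol=/?" want "$"))
            fail(m ": not mounted from subvolume " want)
        if (!has_opt(o, "^compress(-force)?=zstd"))
            print "NOTE " m ": zstd compression is not enabled"
    }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        spec = $1; mnt = $2; fstype = $3; opts = $4
        if (mnt != "none" && mnt != "swap") count[mnt]++
        if (spec !~ /^UUID=/) fail(mnt ": source " spec " is not a UUID= reference")
        if (mnt == "/")     need_subvol(mnt, fstype, opts, "@")
        if (mnt == "/home") need_subvol(mnt, fstype, opts, "@home")
        if (mnt == "/efi" && fstype != "vfat")
            fail("/efi: expected vfat, found " fstype)
        # A separate /boot keeps the kernel outside @, so snapshots miss it.
        if (mnt == "/boot") fail("/boot: separate mount, kernel is not inside @")
    }
    END {
        if (!("/" in count))     fail("/: no entry")
        if (!("/home" in count)) fail("/home: no entry")
        if (!("/efi" in count))  fail("/efi: no entry")
        # genfstab was run with >>, so a second run duplicates every entry.
        for (m in count) if (count[m] > 1)
            fail(m ": listed " count[m] " times (genfstab appended twice?)")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: genfstab -U output for this layout (UUIDs are made up).
sample_fstab() {
    cat <<'EOF'
# /dev/nvme0n1p2
UUID=11111111-2222-4333-8444-555555555555 / btrfs rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvol=/@ 0 0
UUID=11111111-2222-4333-8444-555555555555 /home btrfs rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvol=/@home 0 0
# /dev/nvme0n1p1
UUID=ABCD-1234 /efi vfat rw,relatime,fmask=0022,dmask=0022 0 2
EOF
}

# Demo: simulate running "genfstab ... >>" twice, then check the result.
demo_file=$(mktemp)
{ sample_fstab; sample_fstab; } > "$demo_file"
check_fstab "$demo_file" || echo "fstab needs fixing before you reboot"
rm -f "$demo_file"
```

On the installation medium the real call would be check_fstab /mnt/etc/fstab, run before entering the chroot.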

Context switch to our new system

# To access our new system we chroot into it
arch-chroot /mnt

Set up the time zone

# In our new system we have to set up the local time zone, find your one in /usr/share/zoneinfo mine is /usr/share/zoneinfo/Europe/Rome and create a symbolic link to /etc/localtime
ln -sf /usr/share/zoneinfo/Europe/Rome /etc/localtime

# Now sync the system time to the hardware clock
hwclock --systohc

Set up the language and tty keyboard map

Edit /etc/locale.gen and uncomment the entries for your locales. Each entry represents a language and its formats for time, date, currency and other country related settings. By uncommenting we mark the entry to be generated when the generate command is issued, but note that it still won't be active. In my case I will uncomment ( ie: remove the # ) en_US.UTF-8 UTF-8 and it_IT.UTF-8 UTF-8 because I use English as a display language and Italian for date, time and other formats.

# To edit I will use vim, feel free to use nano instead.
vim /etc/locale.gen

# Now issue the generation of the locales
locale-gen

Since the locale is generated but still not active, we will create the configuration file /etc/locale.conf and set the locale to the desired one, by setting the LANG variable accordingly. In my case I'll write LANG=it_IT.UTF-8 to apply Italian settings to everything and then override only the display language to English by setting ( on a new line ) LC_MESSAGES=en_US.UTF-8. ( if you want formats and language to stay the same DON'T set LC_MESSAGES ). More on this here

touch /etc/locale.conf
vim /etc/locale.conf

Now to make the current keyboard layout permanent for tty sessions , create /etc/vconsole.conf and write KEYMAP=your_key_map substituting the keymap with the one previously set here. In my case KEYMAP=it

vim /etc/vconsole.conf

Hostname and Host configuration

# Create /etc/hostname then choose and write the name of your pc in the first line. In my case I'll use Arch
touch /etc/hostname
vim /etc/hostname

# Create the /etc/hosts file. This is very important because it will resolve the listed hostnames locally and not over Internet DNS.
touch /etc/hosts

Write the following ip, hostname pairs inside /etc/hosts, replacing Arch with YOUR hostname:

127.0.0.1 localhost
::1 localhost
127.0.1.1 Arch
# Edit the file with the information above
vim /etc/hosts

Root and users

# Set up the root password
passwd

# Add a new user, in my case mjkstra.
# -m creates the home dir automatically
# -G adds the user to an initial list of groups, in this case wheel, the administration group. If you are on a Virtualbox VM and would like to enable shared folders between host and guest machine, then also add the group vboxsf besides wheel.
useradd -mG wheel mjkstra
passwd mjkstra

# The command below is a one line command that will open the /etc/sudoers file with your favourite editor.
# You can choose a different editor than vim by changing the EDITOR variable
# Once opened, you have to look for a line which says something like "Uncomment to let members of group wheel execute any action"
# and uncomment exactly the line BELOW it, by removing the #. This will grant superuser privileges to your user.
# Why are we issuing this command instead of a simple vim /etc/sudoers ? 
# Because visudo does more than opening the editor, for example it locks the file from being edited simultaneously and
# runs syntax checks to avoid committing an unreadable file.
EDITOR=vim visudo

Grub configuration

Now I'll deploy grub

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB  

Generate the grub configuration ( it will include the microcode installed with pacstrap earlier )

grub-mkconfig -o /boot/grub/grub.cfg

Unmount everything and reboot

# Enable NetworkManager before rebooting, otherwise you won't be able to connect
systemctl enable NetworkManager

# Exit from chroot
exit

# Unmount everything to check if the drive is busy
umount -R /mnt

# Reboot the system and unplug the installation media
reboot

# Now you'll be presented with the terminal. Log in with your user account, for me it's "mjkstra".

# Enable and start the time synchronization service
timedatectl set-ntp true

Automatic snapshot boot entries update

Each time a system snapshot is taken with timeshift, it will be available for boot in the bootloader; however, you would need to manually regenerate the grub configuration. This can be avoided thanks to grub-btrfs, which can automatically update the grub boot entries.

Edit the grub-btrfsd service and because I will rely on timeshift for snapshotting, I am going to replace ExecStart=... with ExecStart=/usr/bin/grub-btrfsd --syslog --timeshift-auto. If you don't use timeshift or prefer to manually update the entries then lookup here

sudo systemctl edit --full grub-btrfsd

# Enable grub-btrfsd service to run on boot
sudo systemctl enable grub-btrfsd

Virtualbox support

Follow these steps if you are running Arch on a Virtualbox VM. This will enable features such as clipboard sharing, shared folders and screen resolution tweaks

# Install the guest utils ( sudo is needed because you are now logged in as your user, not root )
sudo pacman -S virtualbox-guest-utils

# Enable this service to automatically load the kernel modules
sudo systemctl enable vboxservice.service

Note: the utils will only work after a reboot is performed.

Warning: the utils seem to only work in a graphical environment.


Aur helper and additional packages installation

To gain access to the arch user repository we need an aur helper, I will choose yay which also works as a pacman wrapper ( which means you can use yay instead of pacman ). Yay has a CLI, but if you later want to have an aur helper with a GUI you can install pamac ( a Manjaro software, so use at your own risk ), however note that front-ends like pamac and also any store ( KDE discovery, Ubuntu store etc. ) are not officially supported and should be avoided, because of the high risk of performing partial upgrades. This is also why later when installing KDE, I will exclude the KDE discovery store from the list of packages.

To learn more about yay read here

Note: you can't execute makepkg as root, so you need to log in your main account. For me it's mjkstra

# Install yay
sudo pacman -S --needed git base-devel && git clone https://aur.archlinux.org/yay.git && cd yay && makepkg -si

# Install "timeshift-autosnap", a configurable pacman hook which automatically makes snapshots before pacman upgrades.
yay -S timeshift-autosnap

Learn more about timeshift autosnap here


Finalization

# To complete the main/basic installation reboot the system
reboot

After these steps you should be able to boot on your newly installed Arch Linux, if so congrats !

The basic installation is complete and you could stop here, but if you want to have a graphical session, you can continue reading the guide.


Video drivers

In order to have the smoothest experience on a graphical environment, Gaming included, we first need to install video drivers. To help you choose which one you want or need, read this section of the arch wiki.

Note: skip this section if you are on a Virtual Machine


Amd

For this guide I'll install the AMDGPU driver, which is the open source one and the recommended one, but be aware that this works starting from the GCN 3 architecture, which means that cards before RX 400 series are not supported. ( I have an RX 5700 XT )

# What are we installing ?
# mesa: DRI driver for 3D acceleration.
# xf86-video-amdgpu: DDX driver for 2D acceleration in Xorg. I won't install this, because I prefer the default kernel modesetting driver.
# vulkan-radeon: vulkan support.
# libva-mesa-driver: VA-API h/w video decoding support.
# mesa-vdpau: VDPAU h/w accelerated video decoding support.

sudo pacman -S mesa vulkan-radeon libva-mesa-driver mesa-vdpau

32 Bit support

If you want to add 32-bit support, we need to enable the multilib repository on pacman: edit /etc/pacman.conf and uncomment the [multilib] section ( ie: remove the hashtag from each line of the section. Should be 2 lines ). Now we can install the additional packages.

# Refresh and upgrade the system
yay

# Install 32bit support for mesa, vulkan, VA-API and VDPAU
sudo pacman -S lib32-mesa lib32-vulkan-radeon lib32-libva-mesa-driver lib32-mesa-vdpau

Nvidia

In summary if you have an Nvidia card you have 2 options:

  1. NVIDIA proprietary driver
  2. Nouveau open source driver

The recommended one is the proprietary driver, however I won't explain further because I don't have an Nvidia card and the process for such cards is tricky, unlike for AMD or Intel cards. Moreover, for the reason stated above, I can't even test it.


Intel

Installation looks almost identical to the AMD one, but every time a package contains the word radeon, substitute it with intel. However this does not hold for h/w accelerated decoding, and to be fair I would recommend reading the wiki before doing anything.


Setting up a graphical environment

I'll provide 2 options:

  1. KDE-plasma
  2. Hyprland

On top of that I'll add a display manager, which you can omit if you don't like it ( if so, you have additional configuration steps to perform ).


Option 1: KDE-plasma

KDE Plasma is a very popular DE which comes bundled in many distributions. It supports both the older Xorg and the newer Wayland protocols. It's user friendly, light and it's also used on the Steam Deck, which makes it great for gaming. I'll provide the steps for a minimal installation and add some basic packages.

# plasma-desktop: the barebones plasma environment.
# plasma-pa: the KDE audio applet.
# plasma-nm: the KDE network applet.
# plasma-systemmonitor: the KDE task manager.
# plasma-firewall: the KDE firewall.
# plasma-browser-integration: cool stuff, it lets you manage things from your browser like media currently played via the plasma environment. Make sure to install the related extension on firefox ( you will be prompted automatically upon boot ).
# kscreen: the KDE display configurator.
# kwalletmanager: manage secure vaults ( needed to store the passwords of local applications in an encrypted format ). This also installs kwallet as a dependency, so I don't need to specify it.
# kwallet-pam: automatically unlocks secure vault upon login ( without this, each time the wallet gets queried it asks for your password to unlock it ).
# bluedevil: the KDE bluetooth manager.
# powerdevil: the KDE power manager.
# power-profiles-daemon: adds 3 power profiles selectable from powerdevil ( power saving, balanced, performance ). Make sure that its service is enabled and running ( it should be ).
# kdeplasma-addons: some useful addons.
# xdg-desktop-portal-kde: better integrates the plasma desktop in various windows like file pickers.
# xwaylandvideobridge: exposes Wayland windows to XWayland-using screen sharing apps ( useful when screen sharing on discord, but also in other instances ).
# kde-gtk-config: the native settings integration to manage GTK theming.
# breeze-gtk: the breeze GTK theme.
# cups, print-manager: the CUPS print service and the KDE front-end.
# konsole: the KDE terminal.
# dolphin: the KDE file manager.
# ffmpegthumbs: video thumbnailer for dolphin.
# firefox: the web browser.
# kate: the KDE text editor.
# okular: the KDE pdf viewer.
# gwenview: the KDE image viewer.
# ark: the KDE archive manager.
# pinta: a paint.net clone written in GTK.
# spectacle: the KDE screenshot tool.
# dragon: a simple KDE media player. A more advanced alternative based on libmpv is Haruna.
sudo pacman -S plasma-desktop plasma-pa plasma-nm plasma-systemmonitor plasma-firewall plasma-browser-integration kscreen kwalletmanager kwallet-pam bluedevil powerdevil power-profiles-daemon kdeplasma-addons xdg-desktop-portal-kde xwaylandvideobridge kde-gtk-config breeze-gtk cups print-manager konsole dolphin ffmpegthumbs firefox kate okular gwenview ark pinta spectacle dragon

Now don't reboot your system yet. If you want a display manager, which is generally recommended, head to the related section in this guide and proceed from there otherwise you'll have to manually configure and launch the graphical environment each time (which I would advise to avoid).


Option 2: Hyprland [WIP]

Note: this section needs configuration and is basically empty, I don't know when and if I will expand it but at least you have a starting point.


Hyprland is a tiling WM that sticks to the wayland protocol. It looks incredible and it's one of the best Wayland WMs right now. It's based on wlroots the famous library used by Sway, the most mature Wayland WM there is. I don't know if I would recommend this to beginners because it's a totally different experience and it may not be better. Moreover it requires you to read the wiki for configuration but it also features a master tutorial. The good part is that even if it seems discouraging, it's actually an easy read because it is written beautifully.

# Install hyprland from tagged releases and other utils:
# swaylock: the lockscreen
# wofi: the wayland version of rofi, an application launcher, extremely configurable
# waybar: a status bar for wayland wm's
# dolphin: a powerful file manager from KDE applications
# alacritty: a beautiful and minimal terminal application, super configurable
sudo pacman -S --needed hyprland swaylock wofi waybar dolphin alacritty

# wlogout: a logout/shutdown menu
yay -S wlogout

Adding a display manager

Display managers are useful when you have multiple DE or WMs and want to choose where to boot from or select the display protocol ( Wayland or Xorg ) in a GUI fashion, also they take care of the launch process. I'll show the installation process of SDDM, which is highly customizable and compatible.

Note: hyprland does not support any display manager, however SDDM is reported to work flawlessly from the wiki

# Install SDDM
sudo pacman -S sddm

# Enable SDDM service to make it start on boot
sudo systemctl enable sddm

# If using KDE I suggest installing this to control the SDDM configuration from the KDE settings App
sudo pacman -S --needed sddm-kcm

# Now it's time to reboot the system
reboot

Gaming

Gaming on linux has become a very fluid experience, so I'll give some tips on how to setup your arch distro for gaming.
Before going further I'll assume that you have installed the video drivers, also make sure to install with pacman, if you haven't done it already: lib32-mesa, lib32-vulkan-radeon and additionally lib32-pipewire ( Note that the multilib repository must be enabled, here I've explained how to do it ).

Let's break down what is needed to game:

  1. Gaming client ( eg: Steam, Lutris, Bottles, etc..)
  2. Windows compatibility layers ( eg: Proton, Wine, DXVK, VKD3D )

Optionally we can have:

  1. Generic optimization ( eg: gamemode )
  2. Overclocking and monitoring software ( eg: CoreCtrl, Mangohud )
  3. Custom kernels

Gaming clients

I'll install Steam and to access games from other launchers I'll use Bottles, which should be installed through flatpak.

# Install steam and flatpak
sudo pacman -S steam flatpak

# Install bottles through flatpak
flatpak install flathub com.usebottles.bottles

Windows compatibility layers

Proton is the compatibility layer developed by Valve, which includes DXVK ( DirectX 9-10-11 to Vulkan ), VKD3D ( DirectX 12 to Vulkan ) and a custom version of Wine. It is embedded in Steam and can be enabled for non native games directly in Steam: Steam > Settings > Compatibility > Enable Steam Play for all other titles. A custom version of proton, Proton GE, exists and can be used as an alternative if something is broken or doesn't perform as expected. It can be either downloaded manually or installed through yay as below.

# Installation through yay
yay -S proton-ge-custom-bin

Generic optimizations

We can use gamemode to gain extra performance. To enable it read here

# Install gamemode
sudo pacman -S gamemode

Overclocking and monitoring

To live monitor your in-game performance, you can use mangohud. To enable it read here.

In order to easily configure mangohud, I'll use Goverlay.

# Install goverlay which includes mangohud as a dependency
sudo pacman -S goverlay

To overclock your system, I suggest installing corectrl if you have an AMD Gpu or TuxClocker for NVIDIA.


Additional notes

  • On KDE disabling mouse acceleration is simple, just go to the settings via the GUI and on the mouse section enable the flat acceleration profile. If not using KDE then read here

  • To enable Freesync or Gsync you can read here, depending on your session ( Wayland or Xorg ) and your gfx provider ( Nvidia, AMD, Intel ) the steps may differ. On a KDE wayland session, you can directly enable it from the monitor settings under the name of adaptive sync

  • Some considerations if you are thinking about switching to a custom kernel:

    • You have to manually recompile it each time there is a new update unless you use a precompiled kernel from pacman or aur such as linux-zen.
    • There is no such thing as the best kernel, all kernels make tradeoffs ( eg: latency for throughput ) and this is why it's generally advised to stick with the generic one.
    • If you are mainly a gamer you MAY consider the TKG or CachyOS kernel. These kernels contain many optimizations and are highly customizable, however the TKG kernel has to be compiled ( mainly it's time consuming, not hard ), while the CachyOS kernel comes already packaged and optimized for specific hardware configurations, and can be simply installed with pacman upon adding their repos to pacman.conf. Some users have reported a smoother experience with lower latency, however I couldn't find consistent information about this and it seems that it is all backed by personal sensation and not by results obtained through objective measurements ( this is also difficult because in Linux there can be countless configuration variables and it also depends on the graphics card being used ).
  • Some recommended reads:


Things to add

  1. Additional pacman configuration ( paccache, colors, download packages simultaneously )
  2. Reflector configuration
  3. Snapper: a more advanced snapshot program as a timeshift alternative.
  4. Overhaul the subvolumes partitioning into a richer set including @log @cache @tmp @snapshots. This way they won't be included when snapshotting the root subvolume ( ie: @ ).
  5. Better fstab structure

@5p4r74cu5

Maybe I'll add secure boot configuration, but if I will it'll be a "do at your own risk" kind of thing. The procedure may vary because mobo firmwares are different and they handle enrollment in different ways: some accept the coexistence of multiple keys, others will overwrite the oem keys ( risk of breakage ). My board handles multiple keys so I could try it

That would be great :-) I have to take cyber security a little more seriously than the average person because I stream on Twitch, and it didn't take long for hackers to target me *rolls eyes*

A warning sounds like a good idea, I've heard some boards can be finicky, but fortunately I managed to get secure boot working with Debian without issue on mine. Although signing kernel modules with a key passphrase is another matter, but that's a task for the future!

@5p4r74cu5

5p4r74cu5 commented Dec 20, 2023

Okay, update for secure boot:

sudo pacman -S sbctl
sudo sbctl status # Check that setup mode is enabled.
# esp is the mount point of the EFI system partition ( /efi in this guide )
sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo sbctl create-keys
sudo sbctl enroll-keys -m
sbctl status
sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
sudo sbctl sign -s /boot/vmlinuz-linux
sudo sbctl verify
reboot
sudo sbctl status # Check that secure boot is enabled and setup mode is disabled.

Next step is disk encryption with btrfs :-|

@mjkstra
Author

mjkstra commented Dec 21, 2023

Okay, update for secure boot:

sudo pacman -S sbctl
sudo sbctl status # Check that setup mode is enabled.
# esp is the mount point of the EFI system partition ( /efi in this guide )
sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo sbctl create-keys
sudo sbctl enroll-keys -m
sbctl status
sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
sudo sbctl sign -s /boot/vmlinuz-linux
sudo sbctl verify
reboot
sudo sbctl status # Check that secure boot is enabled and setup mode is disabled.

Next step is disk encryption with btrfs :-|

Thank you for the contribution !
Note that signing the kernel and the bootloader should be done each time they get updated. In this regard sbctl offers a pacman hook, however I don't have any idea on how it works because the readme on github seems not to mention it. My best guess is that sbctl keeps track of the signed binaries and each time a system update occurs it checks if the original binaries changed. I doubt that the hook needs to be configured by yourself, but you never know, so maybe it's worth a while looking at. I still haven't checked the content myself but FYI they should be here:

usr/share/libalpm/hooks/
usr/share/libalpm/hooks/zz-sbctl.hook

@5p4r74cu5

Thank you for the contribution ! Note that signing the kernel and the bootloader should be done each time they get updated. In this regard sbctl offers a pacman hook, however I don't have any idea on how it works because the readme on github seems not to mention it. My best guess is that sbctl keeps track of the signed binaries and each time a system update occurs it checks if the original binaries changed. I doubt that the hook needs to be configured by yourself, but you never know, so maybe it's worth a while looking at. I still haven't checked the content myself but FYI they should be here:

usr/share/libalpm/hooks/
usr/share/libalpm/hooks/zz-sbctl.hook

You're most welcome :-)

I was wondering about the same thing, but I ended up coming to the same conclusion as you, all I could find was a few comments on Reddit suggesting that it should sign them automatically, guess I'll find out with 6.8 ;-)

Oh, an important addition is that apparently for some people, some firmware files are immutable, so you have to check them and remove the immutability flag with the following, luckily wasn't a problem for me however.

sudo chattr -i /sys/firmware/efi/efivars/<filename>

@Lamphobic

Lamphobic commented Mar 26, 2024

plasma-wayland-session -> plasma-workspace

@mjkstra
Author

mjkstra commented Mar 31, 2024

plasma-wayland-session -> plasma-workspace

Thanks for the report ! I've just checked and predictably this changed with the release of plasma 6, since now the wayland session is the default and preferred one. To be precise I will remove it because plasma-workspace is already included as a dependency in plasma-desktop

@rmelendezz

Incredible guide, I got a few stuff from this that the arch install guide got me confused. Thank you so much!

@mjkstra
Author

mjkstra commented May 14, 2024

Incredible guide, I got a few stuff from this that the arch install guide got me confused. Thank you so much!

Thank you !!

@TheNewsYorkTime

Shouldn't there be a swap file or partition created?

@5p4r74cu5

> Shouldn't there be a swap file or partition created?

Agreed, I forgot to suggest that when I set up Arch using this guide. I ended up deciding zram was probably the best bet; I think I did something like this:

pacstrap /mnt zram-generator
arch-chroot /mnt bash -c 'cat > /etc/systemd/zram-generator.conf <<EOF
[zram0]
zram-size = min(ram, 8192)
EOF'

@TheNewsYorkTime

What made you choose ZRAM? I just ended up going with a swap subvolume with a swap file on it. Would zram be better?

@5p4r74cu5

> What made you choose ZRAM? I just ended up going with a swap subvolume with a swap file on it. Would zram be better?

Honestly I can't remember most of the details. I did a bit of digging and reading, and what I ultimately came to was that it works just as well, but it's more versatile because it's not disk based; one less partition to manage and set up. I recall that maybe it wasn't great for lower RAM systems, but for higher RAM systems it's a no-brainer, and I have 64 GB RAM, so why not. Just make sure you remove your existing swap if you use zram, they don't play nice together.

@TheNewsYorkTime

OK thanks

@mjkstra
Author

mjkstra commented Jun 26, 2024

> Shouldn't there be a swap file or partition created?

I almost never set up the swap on my systems because I've never run out of RAM resources. So no, you don't need it if you have enough RAM (I have 16GBs) and if you aren't in a very specific situation that requires it.

@TheNewsYorkTime

> > Shouldn't there be a swap file or partition created?
>
> I almost never set up the swap on my systems because I've never run out of RAM resources. So no, you don't need it if you have enough RAM (I have 16GBs) and if you aren't in a very specific situation that requires it.

If you want to use hibernate it's required.

@mjkstra
Author

mjkstra commented Jun 27, 2024

> > > Shouldn't there be a swap file or partition created?
> >
> > I almost never set up the swap on my systems because I've never run out of RAM resources. So no, you don't need it if you have enough RAM (I have 16GBs) and if you aren't in a very specific situation that requires it.
>
> If you want to use hibernate it's required.

Well, I never use hibernation and to be honest I think that the majority of people don't use it as well. It's an old feature and has been basically surpassed by suspension (even if it's a different thing); for example on Windows 11 it's even disabled by default.

@5p4r74cu5

For those who want to use it, go for it, but yeah, last time I remember someone I know using it was when I was in high school like 20 years ago lol

@TheNewsYorkTime

TheNewsYorkTime commented Jun 28, 2024

Could you explain what suspension is? I couldn't find much information with a quick search. Also I make heavy use of hibernation. (I have a laptop that I use as my desktop. Closing the lid hibernates it.)

@mjkstra
Author

mjkstra commented Jun 28, 2024

> Could you explain what suspension is? I couldn't find much information with a quick search. Also I make heavy use of hibernation. (I have a laptop that I use as my desktop. Closing the lid hibernates it.)

Suspension works by turning off all components except for the RAM, which should stay in a kind of low power status. Hibernation works by saving the RAM contents to the disk and then turning off the computer entirely; then when you boot up again the status of the RAM is retrieved from the disk. The bad thing about hibernation is that it requires you to reserve disk space for it (maybe some kind of dynamic allocation could be used to avoid preallocating, however I am not sure if this is possible), while the downside of suspension is losing data if a power outage happens or, in the case of a laptop, if your battery drains (however this is unlikely to happen). Also I had problems with hibernation in the past, such as my overclock settings being reset after resuming the session.

@undrivendev

Good guide. Thanks!

@sebastian-palma

Small update, here the comment should say

Uncomment to allow members of group wheel to execute any command

@mjkstra
Author

mjkstra commented Sep 27, 2024

> Small update, here the comment should say
>
> Uncomment to allow members of group wheel to execute any command

I've done something better and refactored the whole comment into a more verbose version, since another user was confused about this step. Thanks for the prompt, also I would like to know if you feel it's better now.

@antonispgs

antonispgs commented Sep 29, 2024

All good until the point I have to run sudo systemctl edit --full grub-btrfsd where I am getting a message No files found for grub-btrfsd.service
Everything up to that part went fine.
I did create some extra subvolumes by myself (things like /var/lib/libvirt/images etc.) Could that have anything to do with it?

@mjkstra
Author

mjkstra commented Sep 30, 2024

> All good until the point I have to run sudo systemctl edit --full grub-btrfsd where I am getting a message No files found for grub-btrfsd.service
> Everything up to that part went fine.
> I did create some extra subvolumes by myself (things like /var/lib/libvirt/images etc.) Could that have anything to do with it?

I don't think it's related to additional subvolumes or partitions, but be sure that all of them are mounted. From the message it seems like grub-btrfs is not installed... strange, or maybe you forgot to install inotify-tools? The documentation states that in order to use the grub-btrfs daemon you need to have this installed (I also said this in the pacstrap step).

@jsphan

jsphan commented Sep 30, 2024

Thanks so much for making this! I'm going to try it tonight after actually building the computer lol. Hopefully there's nothing I can't figure between this guide and the wiki, but in case that does happen I may ask for help.

@sebastian-palma

> > Small update, here the comment should say
> >
> > Uncomment to allow members of group wheel to execute any command
>
> I've done something better and refactored the whole comment into a more verbose version, since another user was confused about this step. Thanks for the prompt, also I would like to know if you feel it's better now.

Yes, that's perfect. Big thanks for this, keep it up!

@Ten0fTens

This made it so much easier to get set up and I stopped breaking my EFI boot from tinkering! This helped me get a jump start into Arch without digging and getting lost under tons of options in the Arch Wiki. THANK YOU, THANK YOU!
