- secure boot
- encrypted root Arch Linux partition
- Windows 11 with bitlocker on C partition
- enable TPM2
Arch Linux ISO: https://archlinux.org/download/
Windows 11 ISO: https://www.microsoft.com/software-download/windows11
Prepare a flash drive of at least 8 GiB. Download Ventoy: https://www.ventoy.net/en/index.html
For those who already have Arch Linux installed, install ventoy-bin from the AUR. Before plugging in your USB drive, list all available drives first
$ lsblk
Then, plug in your usb drive and once again view the available drive
$ lsblk
A new drive should appear, for example /dev/sda1:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:64 1 14.9G 0 disk
└─sda1 8:66 1 14.9G 0 part
nvme0n1 259:0 0 465.8G 0 disk
└─nvme0n1p1 259:1 0 465.8G 0 part
Install ventoy on /dev/sda
Disable Windows 11 hardware check
Copy the ISOs to /dev/sda1
Boot into UEFI, choose ventoy. Select the Windows 11 ISO. Allocate 250 GiB for Windows. Proceed with the installation. Reboot.
Boot into UEFI, choose ventoy. Select Arch Linux ISO
Create EFI and root partition
$ lsblk
nvme0n1 259:0 0 465.8G 0 disk
├─nvme0n1p1 259:1 0 100M 0 part
├─nvme0n1p2 259:2 0 16M 0 part
├─nvme0n1p3 259:3 0 243.4G 0 part
└─nvme0n1p4 259:4 0 633M 0 part
# cgdisk /dev/nvme0n1
Format EFI partition
# mkfs.fat -F32 -n EFI /dev/nvme0n1p5
Encrypt root partition
# cryptsetup luksFormat /dev/nvme0n1p6
Open the encrypted root partition
# cryptsetup open /dev/nvme0n1p6 crypt_root
Format the encrypted root partition
# mkfs.btrfs -L ArchOS /dev/mapper/crypt_root
Mount the encrypted root partition
# mount /dev/mapper/crypt_root /mnt
Create BTRFS subvolume
# btrfs su cr /mnt/@
# btrfs su cr /mnt/@home
# btrfs su cr /mnt/@snapshots
Unmount the encrypted root partition
# umount -R /mnt
Mount the encrypted root partition with specific option
# mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@ /dev/mapper/crypt_root /mnt
Create directories
# mkdir /mnt/{boot,home,.snapshots}
Mount the EFI partition
# mount /dev/nvme0n1p5 /mnt/boot
Mount the home and .snapshots directories
# mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@home /dev/mapper/crypt_root /mnt/home
# mount -o noatime,space_cache=v2,ssd,discard=async,subvol=@snapshots /dev/mapper/crypt_root /mnt/.snapshots
Edit pacman configuration
# vim /etc/pacman.conf
Edit the following content
# Misc options
UseSyslog
Color
ILoveCandy
#NoProgressBar
CheckSpace
VerbosePkgLists
ParallelDownloads = 10
Refresh pacman mirrorlist
# reflector --save /etc/pacman.d/mirrorlist --protocol https --sort rate --latest 5 --thread 12
Pacstrap
# pacstrap /mnt linux linux-headers linux-firmware base base-devel btrfs-progs amd-ucode bash-completion zsh zsh-completions git neovim
Generate fstab
# genfstab -U /mnt > /mnt/etc/fstab
Copy pacman configuration and mirrorlist
# cp /etc/pacman.conf /mnt/etc/pacman.conf
# cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist
chroot into /mnt
# arch-chroot /mnt /bin/zsh
Set root password
# passwd
Change root shell
# chsh -s /bin/zsh
Create user
useradd -mG wheel -s /bin/zsh <your_username>
Change user password
passwd <your_username>
Add the wheel group to sudoers
export EDITOR=nvim
visudo
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL
Set locale and timezone
Edit /etc/locale.gen and uncomment your locale, for example
en_SG.UTF-8
locale-gen
Edit /etc/locale.conf and insert your locale
LANG=en_SG.UTF-8
Set hostname
edit /etc/hostname
<your_hostname>
Set hosts
Edit /etc/hosts (this file is not shell-expanded, so write your actual hostname in place of $HOSTNAME)
# <ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost
::1 localhost
127.0.1.1 $HOSTNAME.localdomain $HOSTNAME
Configure mkinitcpio
edit /etc/mkinitcpio.conf
MODULES=(btrfs)
BINARIES=(/usr/bin/btrfs)
HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)
sudo mkinitcpio -P
Install bootloader
bootctl --boot-path /boot install
Create default boot entries. Capture the UUID of the LUKS partition (the value that `$ROOT_UUID` stands for below; /dev/disk/by-partlabel/ArchOS resolves to /dev/nvme0n1p6 only if that partition label was set in cgdisk, otherwise use the device path):
ROOT_UUID=$(blkid -s UUID -o value /dev/disk/by-partlabel/ArchOS)
Append the same UUID to the entry file so it can be pasted into the options line:
blkid -s UUID -o value /dev/nvme0n1p6 >> /boot/loader/entries/arch.conf
Edit /boot/loader/entries/arch.conf; replace `$ROOT_UUID` in the options line with the UUID appended above (systemd-boot does not expand shell variables) and delete the bare UUID line
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=$ROOT_UUID=crypt_root rd.luks.options=$ROOT_UUID=discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
Edit the loader configuration, /boot/loader/loader.conf (`editor no` prevents editing kernel parameters from the boot menu, which matters once the LUKS key is released by the TPM2 without a passphrase)
default arch.conf
editor no
timeout 10
console-mode max
Copy Windows EFI
mkdir /tmp/win_boot
mount /dev/nvme0n1p1 /tmp/win_boot
mkdir /boot/EFI
cp -r /tmp/win_boot/EFI/Microsoft /boot/EFI
View bootloader status
bootctl status
Install NetworkManager (paru is only installed in the Paru section below and is not meant to be run with sudo — it calls sudo itself — so use `sudo pacman -S` until then)
sudo paru -S networkmanager dialog wpa_supplicant
sudo systemctl enable NetworkManager
Enable setup mode for secure boot in the UEFI. Install sbctl
sudo pacman -S sbctl
Check sbctl status
sbctl status
Create keys
sudo sbctl create-keys
Enroll Microsoft keys
sudo sbctl enroll-keys -m
Verify keys
sudo sbctl verify
Sign the EFI binaries
sudo sbctl sign -s /boot/efi/BOOT/BOOTX64.EFI
sudo sbctl sign -s /boot/vmlinuz-linux
sudo sbctl sign -s /boot/efi/systemd/systemd-bootx64.efi
sudo sbctl sign -s /boot/efi/Microsoft/Boot/bootmgfw.efi
sudo sbctl sign -s /boot/efi/Microsoft/Boot/bootmgr.efi
sudo sbctl sign -s /boot/efi/Microsoft/Boot/memtest.efi
Create bundles (run this from the installed system, since -c /proc/cmdline embeds the running kernel's command line)
sudo sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k /boot/vmlinuz-linux -f /boot/initramfs-linux.img /boot/EFI/Linux/linux.efi
sudo sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k /boot/vmlinuz-linux -f /boot/initramfs-linux-fallback.img /boot/EFI/Linux/linux-fallback.efi
Sign bundles
sudo sbctl sign -s /boot/efi/Linux/linux.efi
sudo sbctl sign -s /boot/efi/Linux/linux-fallback.efi
View secure boot status
sbctl status
Reboot into UEFI, enable secure boot.
Test the pacman post-install hook by reinstalling the linux kernel
View TPM2 device
systemd-cryptenroll --tpm2-device=list
Enroll TPM2 keys (PCR 7 covers the Secure Boot state, so do this only after Secure Boot has been enabled; keep the LUKS passphrase as a fallback, since a firmware update or Secure Boot key change alters the PCRs and the TPM2 will no longer unseal)
sudo systemd-cryptenroll --tpm2-device=/path/to/tpm2_device --tpm2-pcrs=0+7 /dev/nvme0n1p6
Edit the boot loader entry (the bundles created above embed the kernel command line, so regenerate and re-sign them after this change),
sudo nvim /boot/loader/entries/arch.conf
options rd.luks.name=$ROOT_UUID=crypt_root rd.luks.options=$ROOT_UUID=tpm2-device=auto,discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
Paru
sudo pacman -S rustup
rustup default stable
git clone https://aur.archlinux.org/paru-bin.git
cd paru-bin
makepkg -si
cd ..
rm -rf paru-bin
Snapper
Firewall
Fonts
sudo paru -S noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra nerd-fonts-jetbrains-mono
Window manager
sudo paru -S qtile
Display manager
sudo paru -S lightdm lightdm-gtk-greeter
sudo systemctl enable lightdm
Terminal emulator
sudo paru -S alacritty
Japanese input
Samba
sudo paru -S samba
sudo curl "https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD" -o /etc/samba/smb.conf
edit /etc/samba/smb.conf
[global]
workgroup = MYGROUP
server string = Samba Server
server role = standalone server
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = no
mangled names = no
[Some name]
comment = Some description
path = /some/path
browsable = yes
writeable = yes
create mask = 0700
directory mask = 0700
read only = no
guest ok = no
Create samba user
sudo pdbedit -au $USER_NAME
Enable samba service
sudo systemctl enable --now smb.service
Nvidia
sudo paru -S nvidia-dkms nvidia-settings
edit /etc/mkinitcpio.conf
MODULES=(... nvidia nvidia_modeset nvidia_uvm nvidia_drm ..)
sudo mkinitcpio -P
Avoid screen tearing
nvidia-settings --assign CurrentMetaMode="nvidia-auto-select +0+0 { ForceFullCompositionPipeline = On }"
sudo nvidia-xconfig
sudo mv /etc/X11/xorg.conf /etc/X11/xorg.conf.d/20-nvidia.conf
edit /etc/X11/xorg.conf.d/20-nvidia.conf
Section "Device"
Identifier "NVIDIA Card"
Driver "nvidia"
VendorName "NVIDIA Corporation"
BoardName "GeForce GTX 1050 Ti"
EndSection
Section "Screen"
Identifier "Screen0"
Device "Device0"
Monitor "Monitor0"
Option "ForceFullCompositionPipeline" "on"
Option "AllowIndirectGLXProtocol" "off"
Option "TripleBuffer" "on"
EndSection
ZSH
Audio
sudo paru -S pipewire pipewire-alsa pipewire-pulse pipewire-jack
Pacman mirror
sudo paru -S reflector
sudo systemctl enable reflector.service
sudo systemctl enable reflector.timer
edit /etc/xdg/reflector/reflector.conf
# Set the output path where the mirrorlist will be saved (--save).
--save /etc/pacman.d/mirrorlist
# Select the transfer protocol (--protocol).
--protocol https
# Use only the most recently synchronized mirrors (--latest).
--latest 5
# Sort the mirrors by MirrorStatus score
--sort rate
Neofetch
# paru -S neofetch
mpv
# paru -S mpv
Theme Qt GTK
File explorer
Advanced cp and mv
# paru -S advcpmv
edit ~/.alias
alias cp="advcp -g"
alias mv="advmv -g"
edit ~/.zshrc
source ~/.alias
Android tools
# paru -S android-tools
HiDPI
Miniconda
# paru -S miniconda3
$ conda init zsh
$ source ~/.zshrc
$ conda config --set auto_activate_base false
Browser
# paru -S firefox
Keep the hardware clock in local time, as Windows expects:
# timedatectl set-local-rtc true
I wouldn't bet money on it, but from other reading online this should also be possible without encryption.