joel/archinstall-luks2-lvm2-secureboot-tpm2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #3 from JimMoen/fix-minor-tips

Browse Source 
fix: minor tips for mkinitcpio
This commit is contained in:
Joel Mathew Thomas
2025-06-04 23:02:11 +05:30
committed by GitHub
parent 9e39570341 da67dbf8c6
commit c5240bcecd
1 changed files with 55 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+38 -11
View File
@@ -90,7 +90,8 @@ Now we, need to create the **LUKS2** encrypted container.
**Optional**: Overwriting your disk with random data is an optional step that can help prevent any possible recovery of old data. This is typically done before setting up the LUKS2 container to ensure the disk is fully erased.
Warning: This will erase all data on the disk. Ensure you have selected the correct device.
> [!WARNING]
> This will erase all data on the disk. Ensure you have selected the correct device.
```
dd if=/dev/urandom of=/dev/nvme0n1p2 bs=1M status=progress
@@ -128,7 +129,8 @@ Create a volume group (in this example, it is named `MyVolGroup`, but it can be
Create all your logical volumes on the volume group:
**Tip**: If a logical volume will be formatted with ext4, leave at least 256 MiB free space in the volume group to allow using `e2scrub`. After creating the last volume with `-l 100%FREE`, this can be accomplished by reducing its size with `lvreduce -L -256M MyVolGroup/home`.
> [!TIP]
> If a logical volume will be formatted with ext4, leave at least 256 MiB free space in the volume group to allow using `e2scrub`. After creating the last volume with `-l 100%FREE`, this can be accomplished by reducing its size with `lvreduce -L -256M MyVolGroup/home`.
```
# lvcreate -L 4G MyVolGroup -n swap
@@ -168,9 +170,10 @@ Mount the partition to `/mnt/efi`:
### 6. Installation
**Note**: This section of the guide deals with installing the base system, setting up timezones, locale, hostname, hosts, creating new non-root user's, setting passwords for both `root` and `non-root` user accounts.
This is generally user specific configuration, and you might have a different setup you might, want to follow.
So it is recommended to refer to official [Arch Wiki Installation guide](https://wiki.archlinux.org/title/installation_guide#Installation), for this section. And you may come back here and follow from the next section, when it is time to [configure mkinitcpio](https://github.com/joelmathewthomas/archinstall-luks2-lvm2-secureboot-tpm2#7-configure-mkinitcpio).
> [!NOTE]
> This section of the guide deals with installing the base system, setting up timezones, locale, hostname, hosts, creating new non-root user's, setting passwords for both `root` and `non-root` user accounts.
> This is generally user specific configuration, and you might have a different setup you might, want to follow.
> So it is recommended to refer to official [Arch Wiki Installation guide](https://wiki.archlinux.org/title/installation_guide#Installation), for this section. And you may come back here and follow from the next section, when it is time to [configure mkinitcpio](https://github.com/joelmathewthomas/archinstall-luks2-lvm2-secureboot-tpm2#7-configure-mkinitcpio).
But, if you want to follow through, how I do it, feel free to follow through this section.
@@ -409,12 +412,20 @@ fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"
```
> [!TIP]
> Regarding the situation where other kernels (such as `extra/linux-zen`) are installed, the corresponding `/etc/mkinitcpio.d/linux-zen.preset` file should be edited.
Finally, to build the **UKI**, make sure that the directory for the UKIs exist.
For example, for the linux preset:
```
# mkdir -p /efi/EFI/Linux
```
> [!TIP]
> All kernel UKI efi files are located in this directory, including `extra/linux-zen`.
>
> That is to say, regardless of which kernel you use, you only need to create this one directory.
Now install the `lvm2` package:
```
@@ -427,6 +438,11 @@ Now, regenerate `initramfs`:
# mkinitcpio -p linux
```
> [!TIP]
> Use the command `mkinitcpio -P` to generate all initramfs at once for multiple kernels.
>
> Or use `mkinitcpio -p linux-zen` for `extra/linux-zen`.
### 12. Configuring the boot loader
Install `systemd-boot` with:
@@ -465,7 +481,8 @@ Now to configure secure boot , first install the `sbctl` utility:
$ pacman -S sbctl
```
**Note**: It might say completed installation with some errors, that's fine because sbctl can't find the key database, because there never was one.
> [!NOTE]
> It might say completed installation with some errors, that's fine because sbctl can't find the key database, because there never was one.
Now run ```sbctl status``` and ensure setup mode is enabled.
@@ -502,7 +519,9 @@ delimitered string.
Default: "db,KEK"
```
**Warnings:** If using the flag `--tpm-eventlog`, results in a warning or error, just ignore it. It means that operation is not supported on your specific device. Trying to force it can soft brick your device.
> [!WARNING]
> If using the flag `--tpm-eventlog`, results in a warning or error, just ignore it.
> It means that operation is not supported on your specific device. Trying to force it can soft brick your device.
Some firmware is signed and verified with Microsoft's keys when secure boot is enabled. Not validating devices could brick them. To enroll your keys without enrolling Microsoft's, run: `sbctl enroll-keys`. Only do this if you know what you are doing.
@@ -590,7 +609,10 @@ This would allow our TPM to unlock our encrypted drive, as long as the state has
```
$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --tpm2-public-key /etc/kernel/pcr-initrd.pub.pem --tpm2-with-pin=yes /dev/nvme0n1p2
```
**Warning**: It is recommended to use a pin to unlock the TPM, instead of allowing it to unlock automatically, for more security.
> [!WARNING]
> It is recommended to use a pin to unlock the TPM, instead of allowing it to unlock automatically, for more security.
> Use `--tpm2-with-pin=no` **ONLY** if you think that touchless tpm unlocking is acceptable (this is also the default option).
```
Additional Flags
@@ -600,7 +622,12 @@ When enrolling a TPM2 device, controls whether to require the user to enter a PI
Note that incorrect PIN entry when unlocking increments the TPM dictionary attack lockout mechanism, and may lock out users for a prolonged time, depending on its configuration. The lockout mechanism is a global property of the TPM, systemd-cryptenroll does not control or configure the lockout mechanism. You may use tpm2-tss tools to inspect or configure the dictionary attack lockout, with tpm2_getcap(1) and tpm2_dictionarylockout(1) commands, respectively.
```
**Note**: Including PCR0 in the PCRs can cause the entry to become invalid after every firmware update. This happens because PCR0 reflects measurements of the firmware, and any update to the firmware will change these measurements, invalidating the TPM2 entry. If you prefer to avoid this issue, you might exclude PCR0 and use only PCR7 or other suitable PCRs.
> [!NOTE]
> Including PCR0 in the PCRs can cause the entry to become invalid after every firmware update.
> This happens because PCR0 reflects measurements of the firmware, and any update to the firmware will change these measurements, invalidating the TPM2 entry.
> If you prefer to avoid this issue, you might exclude PCR0 and use only PCR7 or other suitable PCRs.
>
> For reference see discussion: [PCR_0_should_be_avoided](https://wiki.archlinux.org/title/Talk:Trusted_Platform_Module#PCR_0_should_be_avoided)
Info on all additional PCRs can be found [here](https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers).
@@ -633,11 +660,11 @@ In the **Tokens**: section, look for systemd-tmp2, and under it find the keyslot
```
Tokens:
0: systemd-recovery
Keyslot: 1
Keyslot: 1
1: systemd-tpm2
...
...
Keyslot: 2
Keyslot: 2
```
As you can see keyslot **1** is used by `systemd-recovery` and **2** is used by `systemd-tpm2`