After deciding to replace Windows with a more privacy-friendly OS, and reading about different Linux distributions, I opted for the Plasma version of Manjaro Linux for a few reasons:
After two years of familiarizing myself with the Linux ecosystem, terminal commands, and possible customization, I felt ready to remove the middleman that was Manjaro and go straight for Arch Linux.
In this guide, I explain how I installed Arch Linux on my laptop with these features:
- Plasma 6: the UI is beautiful and consistent everywhere
- Plymouth: the boot process should also look nice
- Wayland: a modern display server alternative to X11
- PipeWire: a modern audio management alternative to PulseAudio and JACK
- LVM: multiple virtual partitions inside a single encrypted partition
- Full-disk encryption: preventing thieves from accessing data
- TPM2 PIN decryption: avoid entering a long passphrase at every boot
- Unified Kernel Image: the system boots from a single file
- Secure Boot: prevent booting from unapproved drives
Most of these steps can be found in the Arch Wiki, even if they span several pages.
I aim to make the process as simple as possible, even for a novice.
Requirements
Download the official installation ISO using a BitTorrent client like qBittorrent.
Mount the ISO to a USB flash drive, or copy it to a Ventoy flash drive.
Please make a backup of important files in the SSD, as it will be formatted.
Before booting from the installation medium, let’s configure a couple of UEFI settings.
First, ensure you have a UEFI admin password; otherwise, Secure Boot can be disabled by anyone.
Then, enable the Secure Boot setup mode. With this, we can replace the Secure Boot keys later from the OS.
Since instructions vary for each manufacturer, you need to find a guide for your device.
Next, we can plug in the installation drive and boot from the ISO file. After a few seconds, you should see the following command line interface:
First, set the keyboard layout, time zone, and silence the PC speaker:
Wi-Fi setup
If you don’t have an Ethernet cable nearby, set up Wi-Fi connectivity:
From the iwctl prompt, run device list. You should see the following:
If the device is off, turn it on with
Then, connect to your network and exit iwctl:
From the shell prompt, check for connectivity:
Now we will format and organize the disk into several partitions.
We will then initialize the OS and chroot into it.
Ideal sector size
For optimal performance, set the optimal sector size of the SSD.
For SATA
Check the available sector sizes:
If sector size 4096 is supported, pick it and verify the change:
For NVMe
Check the performance of different LBA sizes:
Select the best LBA format (1 in this case) and verify the change:
From now on, I will assume the SSD is /dev/nvme0n1.
Boot partition
Create a 1GB boot partition to store the bootloader:
Encrypted root partition
Create a large OS partition, and encrypt it using a strong passphrase when prompted:
Decrypt the LUKS volume:
The content of the volume is now available at /dev/mapper/cryptpart.
LVM volumes
In our case, LVM makes it easy to allocate virtual partitions inside an encrypted SSD partition.
Why not use the LUKS volume directly as a single partition?
For me, it’s convenient to keep my files inside a “home” partition that stays separate from the “system” one, as I can repair the system partition without impacting my personal files. But I also lived without LVM for years, so it’s not a necessity.
Using LVM terminology, our decrypted LUKS volume will be used as a “physical volume” (PV). We will add this PV to a “volume group” (VG). Then, we will create different “logical volumes” (LV) that will be allocated to the VG.
You can now verify these groups by running:
The output should look like this:
File systems
Now that the logical volumes are in place, we can create the file system for them and for the boot partition:
Mounting
The last step is to mount these file systems into folders, so we can put our new OS files inside:
Chrooting
The new system has its root folder “/” mounted to /mnt.
We can initialize it by installing some packages:
If you have an AMD processor, replace intel-ucode with amd-ucode.
Once done, save the current disk configuration to the root volume:
Now, let’s enter the new Arch Linux system as if we booted from it:
I highly recommend taking some time now to follow the customization and productivity improvements I wrote in this post, as it will greatly improve your user experience for the rest of this guide.
From now on, I will assume you have created an unprivileged user to run yay.
Once the CLI is set up, installing the GUI is a breeze.
Display server
Let’s install some packages needed to run graphical applications:
Set the default cursor to match the Breeze theme:
And replace “Adwaita” with “Breeze”:
Desktop environment
Now we can install the desktop environment (Plasma) and session manager (SDDM):
We need to configure SDDM to start Plasma using Wayland:
Copy the following into the file:
Once we apply this configuration, we can start SDDM on each boot:
Graphical boot
With the current setup, the boot process would display text in a terminal until we see SDDM’s login screen.
By using a Plymouth theme, we can hide this behind a nicer loading screen:
Install Plymouth and set the Breeze theme:
Now that the graphical part is done, we can tackle the most delicate part: configuring the boot process.
There are several components to be configured for the boot process to work smoothly and safely.
The final result will be a single file placed in the unencrypted boot partition, signed with a Secure Boot “db” key. When Secure Boot is on, the laptop can only boot from this file.
Kernel command line
First, we need to configure the Linux kernel to find our root volume and display Plymouth properly.
Run blkid and save the UUID of the encrypted SSD partition, which has type="crypto_LUKS":
Create a file with the kernel parameters:
Copy the following into the file:
Temporary file system
We will now configure the generation of the temporary boot file system, a file that contains the Linux kernel and other boot utilities.
To use the TPM and early graphical boot, comment out the existing MODULES array, make a copy, and add tpm_tis and your GPU modules to it. In this case, i915 is the module for the integrated Intel GPU:
In the same file, make a copy of the HOOKS array and change it in this way:
- replace the base and udev hooks with systemd
- move keyboard after systemd
- insert plymouth after kms
- replace keymap and consolefont with sd-vconsole
- insert sd-encrypt and lvm2 after block
The final result should look like this:
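The ordering rules in the list above can be checked mechanically before rebuilding the image. The following is an added example, not code from the original guide: the two sample HOOKS lines are constructed, the function names are hypothetical, and the rule that sd-encrypt precedes lvm2 is an assumption drawn from the LVM volumes living inside the LUKS volume.

```shell
#!/bin/sh
# Added example: lint a mkinitcpio HOOKS line against the edits listed above.

# hook_index "<hooks>" <name>: print the 1-based position of <name>, or 0.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks 'HOOKS=(...)': print each problem found; return 0 only if none.
check_hooks() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p')
    if [ -z "$hooks" ]; then echo "no HOOKS=(...) array found"; return 2; fi
    rc=0
    # Hooks the guide replaces with systemd and sd-vconsole must be gone.
    for old in base udev keymap consolefont; do
        if [ "$(hook_index "$hooks" "$old")" -ne 0 ]; then
            echo "remove '$old'"; rc=1
        fi
    done
    # "first:second" pairs: both must be present, in this order.
    # sd-encrypt before lvm2 is assumed from LVM living inside the LUKS volume.
    for pair in systemd:keyboard kms:plymouth block:sd-encrypt sd-encrypt:lvm2; do
        first=${pair%%:*}; second=${pair#*:}
        a=$(hook_index "$hooks" "$first"); b=$(hook_index "$hooks" "$second")
        if [ "$a" -eq 0 ] || [ "$b" -eq 0 ]; then
            echo "missing '$first' or '$second'"; rc=1
        elif [ "$a" -gt "$b" ]; then
            echo "'$second' must come after '$first'"; rc=1
        fi
    done
    if [ "$(hook_index "$hooks" sd-vconsole)" -eq 0 ]; then
        echo "missing 'sd-vconsole'"; rc=1
    fi
    return "$rc"
}

# Constructed sample lines (not taken from the guide).
STOCK_HOOKS='HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)'
EDITED_HOOKS='HOOKS=(systemd keyboard autodetect microcode modconf kms plymouth sd-vconsole block sd-encrypt lvm2 filesystems fsck)'

check_hooks "$STOCK_HOOKS" || echo "=> stock-style array still needs the edits"
check_hooks "$EDITED_HOOKS" && echo "=> edited array passes"
```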
Secure Boot
By default, most computers approve only Microsoft’s signature, so that only the official Windows bootloader can be executed at boot.
Now, we will create and enroll our own keys as UEFI variables.
We will then use the db key to sign our bootloader automatically every time it gets rebuilt.
Install these utilities and create your Secure Boot keys:
Check if the system has been booted into Setup Mode before enrolling your Secure Boot keys:
You should see:
Then, you can enroll your keys:
Create a new hook at /etc/initcpio/post/sbsign that automatically signs the unified kernel image whenever mkinitcpio is run:
Make the file executable:
Remove some unneeded sbctl hooks:
Prevent pacman from restoring them by editing /etc/pacman.conf:
Unified Kernel Image
Make a backup copy of /etc/mkinitcpio.d/linux.preset:
Then, create a new .preset file:
Copy the following into the file:
The fallback_uki option will create another unified kernel image with different settings, useful in case you have problems booting from the default file.
Now that we have everything in place, we can finally generate and sign the two unified kernel images:
Check that two files have been created inside the boot partition, and that they are signed with your Secure Boot key:
TPM unlock
With the current setup, we would need to enter the LUKS decryption passphrase at every boot.
We can use our TPM to store the LUKS encryption key, and retrieve it after we enter a PIN:
You can verify that a new entry has been created under the “Tokens” section of the LUKS header:
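To check that entry, and that it is PIN-protected rather than TPM-only, the header dump can be classified with a small filter. This is an added example, not part of the original guide: the sample dump is constructed, the function names are hypothetical, and it assumes the token details printed by cryptsetup luksDump include a tpm2-pin line.

```shell
#!/bin/sh
# Added example: classify the TPM2 token in `cryptsetup luksDump` output.

# tpm2_token_status: reads luksDump text on stdin and prints
#   pin     a systemd-tpm2 token exists and is marked as PIN-protected
#   no-pin  a systemd-tpm2 token exists without the PIN flag
#   none    no systemd-tpm2 token is enrolled
tpm2_token_status() {
    awk '
        /^Tokens:/ { in_tokens = 1; next }
        /^[A-Za-z]/ { in_tokens = 0 }            # any other top-level section
        in_tokens && $1 ~ /^[0-9]+:$/ {          # "  0: systemd-tpm2"
            tpm = ($2 == "systemd-tpm2")
            if (tpm) found = 1
            next
        }
        in_tokens && tpm && $1 == "tpm2-pin:" && $2 == "true" { pin = 1 }
        END {
            if (!found) print "none"
            else if (pin) print "pin"
            else print "no-pin"
        }
    '
}

# Constructed sample dump, trimmed to the sections the check reads.
# Assumption: the token details include a "tpm2-pin:" line.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-pin:         true
        Keyslot:    1
Digests:
  0: pbkdf2
EOF
}

echo "sample header: $(sample_dump | tpm2_token_status)"
# On the installed system (run as root), pipe the real dump instead:
#   cryptsetup luksDump <LUKS partition> | tpm2_token_status
```

A result of no-pin means the TPM would release the key without any user input, which does not match the PIN-based unlock this guide sets up.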
Starting from the next boot, the PIN prompt will look like this:
UEFI boot entries
The final step before rebooting is actually creating two UEFI boot entries for these two UKIs:
Now that the boot process is done, we can conclude our installation with some desktop-specific features.
Audio
To make audio work out of the box, install PipeWire:
Bluetooth
For Bluetooth connectivity, install Bluez:
Printing
CUPS comes with a web interface to manage printers. To install it, run:
Wi-Fi backend
By default, NetworkManager uses wpa_supplicant as its wireless network backend.
To use the newer iwd, create a custom configuration file:
Copy the following into the file:
Start NetworkManager on each boot:
Graphics card
To keep the guide simple, we only covered the example of a laptop with an integrated Intel GPU.
However, there are a few configurations to change based on your GPU:
Intel-only
Install the user-space driver:
Nvidia-only
Install the Nvidia kernel driver:
Append to the kernel command line the following:
In your temporary file system configuration file, replace the Intel module with Nvidia modules:
Create an update hook that will regenerate the UKI every time Nvidia drivers get updated:
Copy the following into the file:
Regenerate the UKI:
AMD-only
Install the user-space drivers:
In your temporary file system configuration file, remove the Intel module:
Regenerate the UKI:
Intel + Nvidia laptop
Install both Intel user-space and Nvidia kernel drivers:
To run apps using the dedicated GPU, prepend them with prime-run:
Intel + AMD laptop
Install both Intel and AMD user-space drivers:
To run apps using the dedicated GPU, prepend them with DRI_PRIME=1:
In case of issues, refer to the Graphics category in the Arch Wiki.
You can finally reboot and test that everything works well.
To reboot, exit from the chroot and unmount all volumes and partitions.
At the next boot, Plymouth will prompt you for your TPM PIN, followed by SDDM prompting you for your user password.
Once logged in, you can verify that the setup mode of UEFI Secure Boot has been disabled:
If it’s still enabled, remember to disable it from your UEFI settings.
Happy Arching!