Complete Guide: Installing Manjaro with Secure Boot Enabled

Securing your Manjaro installation is crucial for ensuring the safety of your data and privacy. Enabling Secure Boot is one way to add an extra layer of security to your system. However, installing Manjaro with Secure Boot Enabled can be complicated. In this guide, we will provide a step-by-step tutorial to help you successfully install Manjaro with Secure Boot Enabled, ensuring the security and stability of your system.

Previously, I underestimated the usefulness of LVM and never bothered to explore its potential. I considered it to be an unnecessary complication. However, after receiving a recommendation from @openminded, I will set aside my biases and embrace LVM for this lesson. While I understand the importance of learning to manually create the LVM structure, I will postpone it for now as I find the Manjaro-architect tool incredibly useful. It can be added to a running instance of a live ISO, provided you have a functional mirror and package databases. It’s important to note that using the update argument or GUI is not recommended, as this will attempt to update the live ISO, which is impractical.


pacman -Sy
pacman -S manjaro-architect

The base install needed to implement a secure boot

  1. create two partitions
    • efi system (0xEF00)
    • default Linux filesystem (0x8300)
  2. create a luks container on the Linux partition
  3. open the luks container
    • inside the Luks container
      • create a volume group
      • create three logical volumes
        • root (40G)
        • swap (4G)
        • home (remaining space)
  4. Format $esp using fat32
  5. Format the lvroot using ext4
  6. Format the lvhome using ext4
  7. Mount lvroot as /
  8. Mount $esp /boot
  9. Mount lvhome as /home
  10. Install base CLI system using systemd boot loader (GUI is not needed right now)
  11. Reboot system to verify it works
  12. Create /efi and modify fstab $esp mount to /efi

Don’t forget to verify networking

Table of Contents

Building the tools required

The following guide contains mostly quotes from the original topic – refactored to suit my reading style.

@openminded lists some required tools. Some tools are only available as PKGBUILDS, which can be fetched from AUR.

Tools from the repo

  • sbsigntools
  • efitools
  • tpm2-tools

The tools I need to build are (although tpm2-top and plymouth is in the official repo, I will go with the doc)

  • tpm2-totp-git
  • plymouth-git
  • sbupdate-git
  • shim-signed

There are a couple of methods available – either using an AUR helper or doing it the archway

Manjaro’s package manager Pamac


pamac install sbsigntools efitools tpm2-tools
pamac build tpm2-totp-git plymouth-git sbupdate-git shim-signed

The Swiss Army knife yay

yay -Syu sbsigntools efitools tpm2-tools tpm2-totp-git sbupdate-git shim-signed

Archway – using git and makepkg. In this case, you must ensure the package group base-devel is available as well

pacman -Syu sbsigntools efitools tpm2-tools git base-devel --needed

Then, a small script


#!/usr/bin/env bash
tools=('tpm2-totp-git' 'plymouth-git' 'sbupdate-git' 'shim-signed')
for tool in ${tools[@]}; do
    git clone https://aur.archlinux.org/${tool}.git
    cd tpm2-totp-git
    makepkg -is
    cd ..
done

EFI Preparation

These explanations and commands are quoted from the original topic

The first step is enabling support for Secure Boot. Normally it should be disabled because if using its default settings it prevents Manjaro from booting, but as it is required for ensuring that only allowed code is executed, you need to enable it as follows:

Breaking down the steps

  1. create a folder to hold the keys
  2. remove permissions for other than root

# mkdir -p -v /etc/efikeys
# chmod -v 700 /etc/efikeys
# cd /etc/efikeys

The following saves default Secure Boot keys just in case, but we’re not going to change / remove them anyway so you can skip this step:

Note: If you get a message Variable XX has no entries, don’t worry – it just means there is no values to backup – in my case, it is because the laptop was bought without the Windows operating system.

The steps outlined in copying values from efi to a file


# efi-readvar -v PK -o default_PK.esl
# efi-readvar -v KEK -o default_KEK.esl
# efi-readvar -v db -o default_db.esl
# efi-readvar -v dbx -o default_dbx.esl

Now it’s time to generate machine-specific key which will be used to authenticate your Manjaro kernels and bootloader(s):

Still inside the /etc/efikeys folder.

  1. Create a certificate request using the system hostname with a validity of 10y
  2. Generate a self-signed certificate based on the request

# openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname) platform key/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
# openssl x509 -outform DER -in db.crt -out db.cer

Now let’s copy our Secure Boot certificate on $ESP to let MokManager utility enroll it on the next boot

Now we need a new root folder for the $esp

# mkdir -p /efi

Mount the $esp partition – usually the first partition on the device, e.g. /dev/sda1 or /dev/nvme0n1/p1

# mount /dev/nvme0n1p1 /efi

Still in the /efi/efikeys folder, the certificate must copied to the $esp for the MOK manager to use on the next boot.

# cp db.cer /efi/MOK.cer

NOTE: I have a vague recollection of system-boot possibly failing on kernel update when $esp is not mounted at /boot – I will have to watch this part closely.

Change fstab mountpoint to `/efi

# sed -i 's|/efi/boot|/efi|' /etc/fstab

Reference

Note: as I am building from scratch with systemd-boot, this is for reference only.

Now you need to replace grub with systemd-boot to make whole setup easier and more straightforward. With extra effort you can keep Grub and use it as your bootloader but that again is out of scope of this how-to since it would overcomplicate things dramatically. Frankly speaking, systemd-boot isn’t necessary too, but it makes booting different kernels and efi tools easier than just UEFI boot menu.

First, remove grub:

# pacman -R grub
The following will change the mountpoint of your EFI partition to sane and logical location, which is, most importantly, perfectly supported by systemd-boot.

Breaking down the command

  1. unmount the efi partition
  2. change the mount in fstab
  3. create a new mountpoint /efi
  4. remount all from fstab if not mounted

# umount /boot/efi
# sed -i 's|/efi/boot|/efi|' /etc/fstab
# mkdir /efi
# mount -a

initrd configuration

It’s time to prepare initrd part of your boot image.

You need to decide which path you prefer: udev-based initrd or systemd-based.

If you have no idea, choose the first (Manjaro/Arch default). Hereinafter everything hallmarked with (a) should be considered referring to udev-based initrd setup, and everything with a foregoing (b) literal – referring to systemd-based setup.

Backup your existing mkinitcpio file with a timestamp


# cp /etc/mkinitcpio.conf /etc/mkinitcpio.conf.$(date +%Y%m&d%H%M)

Then edit your /etc/mkinitcpio.conf and replace the line HOOKS=

Either the udev type (a)


HOOKS=(base udev keyboard consolefont autodetect plymouth modconf block plymouth-tpm2-totp tpm2 plymouth-encrypt lvm2 resume filesystems)

Or the systemd type (b)


HOOKS=(base systemd keyboard sd-vconsole autodetect sd-plymouth modconf block sd-plymouth-tpm2-totp sd-encrypt lvm2 filesystems)

For scripting purpose – using sed to edit the file in place – adding the previous hooks for backup purpose

Either udev type (a)


OLD_HOOKS=$(cat /etc/mkinitcpio.conf | grep "^HOOKS=(")
sed -i 's/"${OLD_HOOKS}"/HOOKS=(base udev keyboard consolefont autodetect plymouth modconf block plymouth-tpm2-totp tpm2 plymouth-encrypt lvm2 resume filesystems)/g' /etc/mkinitcpio.conf 
echo "#previous_$OLD_HOOKS" | tee -a /etc/mkinitcpio.conf

Or systemd type (b)


OLD_HOOKS=$(cat /etc/mkinitcpio.conf | grep "^HOOKS=(")
sed -i 's/'"${OLD_HOOKS}"'/HOOKS=(base systemd keyboard sd-vconsole autodetect sd-plymouth modconf block sd-plymouth-tpm2-totp sd-encrypt lvm2 filesystems)/g' /etc/mkinitcpio.conf 
echo "#previous_$OLD_HOOKS" | tee -a /etc/mkinitcpio.conf

Add an entry about your LUKS partition to crypttab (discard is optional)


CRYPT_PART=/dev/nvme0n1p2
echo cryptlvm $(blkid -s UUID -o value $CRYPT_PART) - tpm2-device=/dev/tpmrm0,tpm2-pcrs=0+7+14,nofail,discard,x-initrd.attach | tee -a /etc/crypttab.initramfs

For better (de)compression speed/efficiency ratio consider setting COMPRESSION=”zstd” in your /etc/mkinitcpio.conf if not set already.
Note This works only with kernels from 5.10 and onwards


sed -i 's/#COMPRESSION="zstd'/COMPRESSION="zstd"/g' /etc/mkinitcpio.conf

This is not a good time to loose power or … dang – I have to start over ….

kernel 5.10/5.15 systemd type partial script


CRYPT_PART=/dev/nvme0n1p2
echo cryptlvm $(blkid -s UUID -o value $CRYPT_PART) - tpm2-device=/dev/tpmrm0,tpm2-pcrs=0+7+14,nofail,discard,x-initrd.attach | tee -a /etc/crypttab.initramfs
cp /etc/mkinitcpio.conf /etc/mkinitcpio.conf.$(date +%Y%m&d%H%M)
OLD_HOOKS=$(cat /etc/mkinitcpio.conf | grep "^HOOKS=(")
sed -i 's/'"${OLD_HOOKS}"'/HOOKS=(base systemd keyboard sd-vconsole autodetect sd-plymouth modconf block sd-plymouth-tpm2-totp sd-encrypt lvm2 filesystems)/g' /etc/mkinitcpio.conf 
echo "#previous_$OLD_HOOKS" | tee -a /etc/mkinitcpio.conf
sed -i 's/#COMPRESSION="zstd'/COMPRESSION="zstd"/g' /etc/mkinitcpio.conf

Verify luks setup

At this stage you might want to check your cryptsetup status:

cryptsetup luksDump /dev/nvme0n1p2

Normally you should have 1 or 2 keyslots already occupied, the first one is your passphrase, the other is probably /crypto_keyfile.bin, and no tokens in place (yet). I suggest nuking your slot 1 if it’s occupied by crypto_keyfile at the moment (since it’s not safe to use crypto_keyfile in configuration we’re building):

As of 2023-02-07, a pristine installation only occupies Keyslot [0] – I have to watch carefully if I experiment with other ciphers than aes-xts-plaini64, and the following command would have no effect on this system

cryptsetup luksKillSlot /dev/nvme0n1p2 1
Double-check, of course, I doubt you want to destroy a slot with actual passphrase.

Mimick Manjaro Mate using sdboot and luks

Toolbox script

Installing a Manjaro Mate using systemd boot and LUKS encryption


#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# Copyright (c) 2021 @linux-aarhus
#
# This script is based on
#    https://forum.manjaro.org/t/root-tip-diy-installer-script-base-sdboot-luks/88502
#
# MODIFIED TO FIT A SPECIFIC FORUM TOPIC
#    https://forum.manjaro.org/t/how-do-i-install-manjaro-mate-with-lvm-on-luks-and-dual-boot-with-windows/87358
#
#  ! IMPORTANT !
#  ! GREAT CARE SHOULD BE EXCERCISED !
#  ! A lot of assumptions are made - please review carefully !
#
#    The script assumes the system is booted using a recent Manjaro Mate ISO
#    The disk is pre-installed using Windows in EFI mode
#    The Manjaro ISO is booted in EFI mode (firmware Legacy boot disabled)
#    The existing Windows EFI partition ($esp) is located at /dev/sda1
#    An empty partition has been created to hold a Linux filesystem (0x8300) as /dev/sda5
#    systemd-boot is installed as bootloader
#    The root filesystem is using f2fs inside a LUKS container
#
#  ! PLEASE REVIEW THE VARIABLES SECTION !
#  ! AMEND THE VARIABLES AS NECESSARY !
#

if [ "$(id -u)" != "0" ]; then
    echo "Please change to root context using su or sudo"
    echo ""
    exit
fi

#############################################################
#### VARIABLES SECTION

TARGET="/dev/sda"
EFI_PART="/dev/sda1"                         # existing Windows $esp
LUKS_PART="/dev/sda2"                        # root partition to hold LUKS container
TUSER=manjaro                                # first user == wheel group
TDISPLAYMANAGER=lightdm                      # display manager
KERNEL="5.10"                                # linux kernel number
KERNELPKG=$(echo linux$KERNEL | sed 's/\.//')# kernel package name
MIRROR='https://mirrors.manjaro.org/repo/'   # build mirror
BRANCH='unstable'                            # target branch
TKEYMAP='dk'                                 # target keyboard layout
TLOCALE_CONF='en_DK.UTF-8'                   # target locale.conf
TLOCALE_PRIMARY='en_DK.UTF-8 UTF-8'          # target primary locale
TLOCALE_FALLBACK='en_US.UTF-8 UTF-8'         # target fallback locale
TTIMEZONE='Europe/Copenhagen'                # target timezone
THOSTNAME='manjaro'                          # target hostname
ITER_TIME="10000"                            # luks iteration time
RETRIES="3"                                  # luks decryption retries
BASE_PKGS="base $KERNELPKG mkinitcpio networkmanager bash-completion"
TGROUPS='lp,network,power,wheel'
TSERVICES='cronie ModemManager NetworkManager cups tlp tlp-sleep avahi-daemon add-autologin-group haveged apparmor snapd.apparmor snapd'

#### VARIABLES END
#############################################################

# == BARE METAL TEST SETUP ============================
#echo "==> Unmounting $TARGET"
#umount -f "$TARGET"
#echo "==> Preparing disk $TARGET"
#sgdisk --zap-all "$TARGET"
#sgdisk --mbrtogpt "$TARGET"
#### efi
#echo "==> Creating EFI partition"
#sgdisk --new 1::+512M  --typecode 1:ef00 --change-name 1:"EFI System" "$TARGET"
#echo "==> wiping EFI partition"
#wipefs -af "$TARGET"1
#echo "==> formatting EFI partition"
#mkfs.vfat -F32 "$TARGET"1
#### root
#echo "==> Creating root partition"
#sgdisk --new 2::: --typecode 2:8304 --change-name 2:"Linux x86-64 root" "$TARGET"
#echo "==> wiping root partition"
#wipefs -af "$TARGET"2
# == END BARE METAL TEST SETUP ========================

# ===== EXISTING WINDOWS DEVICE =======================
echo "==> Unmounting $EFI_PART"
umount -f "$EFI_PART"
echo "==> Unmounting $LUKS_PART"
umount -f "$LUKS_PART"
echo "==> wiping root partition"
wipefs -af "$LUKS_PART"
# ====================================================

echo "==> ------------------------------------------"
echo "==> Setting up root LUKS container"
echo "  -> WATCHOUT FOR THE UPPERCASE CONFIRMATION"
echo "  -> If using CapsLock remember to toggle back"
cryptsetup --type luks2 --use-urandom luksFormat "$LUKS_PART"

echo "==> ------------------------------------------"
echo "==> Open LUKS container"
cryptsetup open "$LUKS_PART" cryptroot

echo "==> Formatting LUKS using ext4"
mkfs.ext4 /dev/mapper/cryptroot

echo "==> Mounting root partition"
mount /dev/mapper/cryptroot /mnt

echo "==> Creating /boot"
mkdir /mnt/boot

echo "==> Mounting EFI partition"
mount "$EFI_PART" /mnt/boot

echo "==> Setting branch and mirror"
pacman-mirrors --api --set-branch $BRANCH --url $MIRROR

echo "==> Syncronizing pacman databases"
pacman -Syy

echo "==> installing base system"
basestrap /mnt $BASE_PKGS

echo "==> Configure base ..."
echo "  -> Creating file: vconsole.conf"
echo KEYMAP=$TKEYMAP > /mnt/etc/vconsole.conf

echo "  -> Creating file: locale.conf"
echo LANG=$TLOCALE_CONF > /mnt/etc/locale.conf

echo "  -> Creating file: hostname"
echo manjaro > /mnt/etc/hostname

echo "  -> Creating file: hosts"
cat > /mnt/etc/hosts <<EOF
127.0.0.1 localhost
127.0.1.1 $THOSTNAME.localdomain $THOSTNAME
EOF

echo "  -> Creating symlink: localtime"
ln -sf /usr/share/zoneinfo/$TTIMEZONE /mnt/etc/localtime

echo "  -> Setting hardware clock"
manjaro-chroot /mnt hwclock --systohc

echo "  -> Enabling services"
manjaro-chroot /mnt  systemctl enable NetworkManager systemd-timesyncd

echo "  -> Modifying file: locale.gen"
echo $TLOCALE_PRIMARY >> /mnt/etc/locale.gen
echo $TLOCALE_FALLBACK >> /mnt/etc/locale.gen

echo "  -> Generating locale"
manjaro-chroot /mnt locale-gen

echo "  -> Setting up mkinitcpio.conf"
sed -i '/HOOKS=/c\HOOKS=(systemd keyboard keymap sd-vconsole block sd-encrypt autodetect modconf filesystems fsck)' /mnt/etc/mkinitcpio.conf

echo "  -> Generating initrd"
manjaro-chroot /mnt mkinitcpio -P

echo "  -> Installing bootloader"
bootctl --path=/mnt/boot install

echo "  -> Updating entries with device UUID"
devuuid=$(lsblk -no uuid "$LUKS_PART" | head -n1)

echo "  -> Creating loader entry: manjaro.conf"
cat > /mnt/boot/loader/entries/manjaro.conf <<EOF
title   Manjaro
linux   /vmlinuz-$KERNEL-x86_64
initrd  /initramfs-$KERNEL-x86_64.img
options root=/dev/mapper/cryptroot rd.luks.name=$devuuid=cryptroot
EOF

echo "  -> Creating fallback entry: manjaro-fallback.conf"
cat > /mnt/boot/loader/entries/manjaro-fallback.conf <<EOF
title   Manjaro (fallback)
linux   /vmlinuz-$KERNEL-x86_64
initrd  /initramfs-$KERNEL-fallback-x86_64.img
options root=/dev/mapper/cryptroot rd.luks.name=$devuuid=cryptroot
EOF

echo "  -> Setting default loader"
sed -i '/default/c\/default manjaro\*/' /mnt/boot/loader/loader.conf

echo "==> Setting target branch and mirror"
pacman-mirrors --api --prefix /mnt --set-branch $BRANCH --url $MIRROR

echo "==> Set root password
manjaro-chroot /mnt passwd root

#############################################################
#### ISO SPECIFIC SETUP

echo "==> Installing display manager"
manjaro-chroot /mnt pacman -S $TDISPLAYMANAGER --noconfirm

echo "==> Installing ISO package lists"
manjaro-chroot /mnt pacman -S $(comm -12 <(awk '{print $1}' /rootfs-pkgs.txt | sort) <(awk '{print $1}' /desktopfs-pkgs.txt | sort) | sed '/^grub/d' | sed '/^os-prober/d' | sed '/^kernel-modules-hook/d' | sed '/^kernel-alive/d' | sed '/^linux[0-9][0-9]/d') --needed --noconfirm
echo " --> Done installing ISO packages."

echo "==> Copying ISO specific settings..."
cp /etc/lightdm/lightdm-gtk-greeter.conf /mnt/etc/lightdm
cp /etc/lightdm/slick-greeter.conf /mnt/etc/lightdm
cp /etc/environment /mnt/etc
cp /usr/share/icons/default /mnt/usr/share/icons

echo "==> Setting up wheel group"
cat > /mnt/etc/sudoers.d/100-wheel <<EOF
%wheel ALL=(ALL) ALL
EOF

echo "==> Create new admin user $TUSER"
manjaro-chroot /mnt useradd -mUG $TGROUPS $TUSER

echo "==> Set admin user password
manjaro-chroot /mnt passwd $TUSER

echo "==> Enable display manager"
manjaro-chroot /mnt systemctl enable $TDISPLAYMANAGER

echo "==> Enable ISO services"
manjaro-chroot /mnt systemctl enable $TSERVICES

#### ISO SETUP END
#############################################################

echo "==> Cleaning up"
echo "  -> Unmounting partitions"
umount -R /mnt

echo "  -> Closing LUKS container"
cryptsetup close /dev/mapper/cryptroot
sync

echo "==> Done! You have succesfully mimicked a Manjaro Mate Edition"
echo "==> TODO: Configure swapfile ..."
echo "  -> Swap configuration <https://wiki.manjaro.org/index.php/Swap>"
echo ""

systemd-boot – BASIC – installation

Yet another CLI guide

But what if your requirements are simple? And you want the installation to be as simple as possible? Plain and simple, no fuzz – boot Manjaro – that’s it.

See also  Pixelicious – Turn Your Ugly Photos Into Pixel Art

systemd-boot is a bootloader that does not get much attention on Manjaro – since most Manjaro installations are created using the Calamares installer, which installs grub. I recall a setting for an iso-profile setting, the efi_bootloader="grub" – but it didn’t work very well, so I decided to learn how to implement systemd-boot the simplest way – later, create a merge request to the tools.

Before you begin

First – I am assuming you know your device path – for the safety of less experienced readers – I am using a device path /dev/sdy you most likely do not find on your system.

Second, I assume you are using a root TTY, as no commands are prefixed with sudo.

TIP: Don’t use a graphical environment – switch to TTY – because the live system may lock the screen and do another unpleasant thing while using the terminal – thus breaking whatever you were doing.

Third – I will use command line partitioning – no menu interfaces – pure command line.

Fourth – This guide will work for any device – it is internal, removable USB, or otherwise attached to your system. I used an environment variable to ease the pain of writing the same device repeatedly – I assume you set the same, too.

TIP: If your circumstances allow for it – you can use [ssh] to install remotely using another device on your network.

Let’s begin

If you have not done so already, open a root TTY and set the device variable – remember it only exists in the current shell

# INS="/dev/sdy"

Ensure your device is not mounted anywhere

# umount -f "$INS"

Now to the serious stuff

The stuff that needs disclaimers – you are on your kind of stuff.

Clean the disk’s partition tables

# sgdisk --zap-all "$INS"

Create a new GPT partition table

# sgdisk --mbrtogpt "$INS"

Create the $esp partition

# sgdisk --new 1::+512M --typecode 1:ef00 --change-name 1:"EFI System" "$INS"

Create the root partition

# sgdisk --new 2::: --typecode 2:8304 --change-name 2:"Linux x86-64 root" "$INS"

Wipe everything from the partitions

# wipefs -af "$INS"1
# wipefs -af "$INS"2

Format the partitions

Format $esp partition using FAT32

# mkfs.vfat -vF32 "$INS"1

Format the the root partition using your preferred filesystem- If your device is Flash, you can use f2fs, created for Flash, or you can use ext4, a defacto standard for Linux.

# mkfs.f2fs "$INS"2

Mounting

Mount your root partition on the systems temporary mountpoint

# mount "$INS"2 /mnt

Then, create the folder for booting systemd ($esp)

# mkdir /mnt/boot

And mount the $esp partition

# mount "$INS"1 /mnt/boot

Installing a base Manjaro system

This guide is only scratching the surface of the new system. We only install a basic bootable system using the base meta package, filesystem tools for f2fs along with kernel and some required tools – and don’t forget network connectivity.

# basestrap /mnt base f2fs-tools linux55 nano mkinitcpio bash-completion networkmanager systemd-boot-manager

Configuring the base system

Configuring the system is the tedious – extremely boring – but crucial part, usually abstracted by tools like Manjaro Architect.”The

Booting

systemd-boot on Arch Wiki

This is the interesting part you have worked yourself down to.

initramfs

Use the mkinicpio command to generate the initramfs – it will copy the files to the boot ($esp) partition.

# mkinitcpio -P

bootloader

Now install the systemd bootloader to the boot ($esp) partition

# bootctl --path=/boot install

The rest of the configuration can be done outside chroot – necessary to write a boot entry to your EFI firmware

# exit

For the bootloader to actually load we need create a configuration file to specify the kernel, initrd.

To avoid typos – use ls to list the content of the boot folder and pipe the output to the boot configuration

# ls /mnt/boot/init* /mnt/boot/vmlinuz* > /mnt/boot/loader/entries/manjaro.conf

Now open the file using nano

# nano /mnt/boot/loader/entries/manjaro.conf

Amend the file to look like this (the order of the lines is not important)

title   Manjaro
linux   /vmlinuz-5.5-x86_64
initrd  /initramfs-5.5-x86_64.img 

This new configuration file is then added to the file loader.conf

# nano /mnt/boot/loader/loader.conf
default manjaro

Maintenance

This guide does not consider the amd/intel microcode and maintenance due to kernel upgrades or booting different kernels.

To learn more – read up on systemd-boot on the Arch Wiki.

Just a few things worth noting.

  • With systemd-boot, we also need to handle microcode loading by hand in the entries
  • It is probably worth pointing out that these entries will need to be added/updated as new kernels are installed and removed
  • Lastly, systemd-boot-manager will handle both those things for you in an automated fashion. It can automate the installation of systemd-boot, the creation and removal of entries, the addition of microcode updates and has options setting defaults automatically. It has full support for luks/lvm/btrfs/zfs/etc. — @dalto

Finally

Unmount your devices

# umount -R /mnt

If you are installing to a USB device – sync the device before removing it

# sync

And reboot

# reboot

Conclusion

You have only scratched the surface, and there is work to be done – installing xorg, applications, themes – whatever you fancy – it’s really up to you how this adventure ends.

Have fun – I did.

systemd-boot – LUKS – btrfs

Manjaro UEFI using systemd-boot, LUKS and btrfs

While reading, the following are my notes and the changes I made to the subsequent installation to fit into a Manjaro system installation.

NOTE: Before you dive into btrfs – be sure to read the entire guide – including the documentation linked at the end of this document.

Overview


  • UEFI using systemd-boot
  • LUKS encrypted root
  • btrfs with subvolumes
  • Sources are listed at the end of this document

You can boot from any Manjaro ISO – open a terminal – and follow this guide.

For a similar guide without LUKS read here

  • https://forum.manjaro.org/t/manjaro-uefi-systemd-boot-and-btrfs/116466?u=linux-aarhus

Assuming you know how to identify your disk devices and can replace the example device name /dev/sdy with the device for your system.

All commands written assume you are logged in as root. On Manjaro ISOs the root login is root:manjaro

General


Connect to your network and ensure your system clock is correct

# systemctl start systemd-timesyncd

Set a preferred mirror and branch, then download databases

# pacman-mirrors -aU https://manjaro.moson.eu -Sunstable
# pacman -Syy

Partitioning and File System Creation


Partition

Clear the disk of any existing file systems using a random pattern – as the partition will be encrypted, this will disguise the partitions and data on it. It will take some time to complete – hours if you have a big storage device.

# dd if=/dev/urandom of=/dev/sdy status=progress bs=10M

Use cdisk to create the boot partition and the main partition, which will be encrypted

# cfdisk /dev/sdy
  1. boot
    • 512M
    • EFI system partition type
      1. root
    • remaining space
    • default type Linux file system

Set up the encryption container

# cryptsetup luksFormat /dev/sdy2
Are you sure? YES
Enter passphrase (twice)
# cryptsetup open /dev/sdy2 luk

Format

Format to FAT32 for the boot and btrfs for the root

# mkfs.vfat -F32 /dev/sdy1
# mkfs.btrfs /dev/mapper/luks

The author of the original guide has some reasonable suggestions which also matches the defaults used by Manjaro Architect.

  • / subvolume
  • /home subvolume in case a root snapshot needs to be restored
  • /var changes often, so also a separate subvolume.
  • noatime and nodiratime are used to prevent a write every time a file or directory is accessed (not great for a COW filesystem like btrfs).
  • zstd is used for compression because it’s fast and provides compression similar to xz.
  • Don’t use discard. Issue manual trim commands with fstrim or enable the fstrim.timer.Subvolumes# mount /dev/mapper/luks /mnt # btrfs subvolume create /mnt/@ # btrfs subvolume create /mnt/@home # btrfs subvolume create /mnt/@var # umount /mnt # mount -o subvol=@,ssd,compress=zstd,noatime,nodiratime /dev/mapper/luks /mnt # mkdir /mnt/{boot,home,var} # mount -o subvol=@home,ssd,compress=zstd,noatime,nodiratime /dev/mapper/luks /mnt/home # mount -o subvol=@var,ssd,compress=zstd,noatime,nodiratime /dev/mapper/luks /mnt/var # mount /dev/sdy1 /mnt/bootCopyInstallationInstall base Manjaro# basestrap /mnt base btrfs-progs sudo manjaro-zsh-config intel-ucode networkmanager linux54 nano vim systemd-boot-manager mkinitcpioCopyGenerate fstabGenerate fstab and verify the content# fstabgen -U /mnt >> /mnt/etc/fstab # cat /mnt/etc/fstabCopyConfigure systemChroot# manjaro-chroot /mnt /bin/zshCopyHostname# echo manjaro > /etc/hostnameCopyEdit /etc/hosts# nano /etc/hostsCopy127.0.0.1 localhost ::1 localhost 127.0.1.1 manjaro.localdomain manjaroCopyShell# chsh -s /bin/zshCopyTimezoneExample for Denmark# ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime # hwclock --systohcCopyNetwork ManagerEnable network connection# systemctl enable NetworkManagerCopyEnable ntp client# systemctl enable systemd-timesyncdCopyLocaleLocale example for Danish locale
  • uncomment en_DK.UTF-8 and en_US.UTF-8
See also  Rymdport: Securely Share Your Files with Another Wormhole Client

Save the file and generate the messages

# nano /etc/locale.gen
# locale-gen

/etc/locale.conf

Locale.conf example for Denmark

# echo LANG=en_DK.UTF-8 > /etc/locale.conf

Root password

# passwd

/etc/mkinitcpio.conf

Add btrfs and encrypt and save

# nano /etc/mkinitcpio.conf
HOOKS="base udev btrfs encrypt autodetect modconf block filesystems keyboard fsck"
# mkinitcpio -p linux54

systemd-boot

Install the boot loader

# bootctl --path=/boot install

Create Manjaro loaders

# sdboot-manage gen

Navigate to /boot/loader/entries and check the configurations sdboot-manage has created (there will be two).

information_source: If you create the entries by hand, please note

  • root=UUID= is the UUID of your LUKS container
  • cryptdevice=UUID= is the UUID of the physical partition hosting your container
Default
title Manjaro Linux 5.4
linux /vmlinuz-5.4-x86_64
initrd /intel-ucode.img
initrd /initramfs-5.4-x86_64.img
options root=UUID=289ae676-7cbc-43a7-b4b7-e9cf325227c9 rw rootflags=subvol=/@ cryptdevice=UUID=9d336c58-0e8f-434d-b12a-b75663c4ad59
Fallback
title Manjaro Linux 5.4
linux /vmlinuz-5.4-x86_64
initrd /intel-ucode.img
initrd /initramfs-5.4-x86_64-fallback.img
options root=UUID=289ae676-7cbc-43a7-b4b7-e9cf325227c9 rw rootflags=subvol=/@ cryptdevice=UUID=9d336c58-0e8f-434d-b12a-b75663c4ad59:luks

Base config done

# exit
# umount -R /mnt
# reboot

Customizing


You should have a fully functioning Manjaro system. What comes next is your personal preferences. The example is a very basic vanilla Gnome desktop.

Gnome desktop

# pacman -Syu xorg-server xorg-server-common xorg-xinit xorg-drivers accountsservice gnome-keyring gnome-session gnome-shell gnome-desktop gnome-terminal gdm

Add a user and set a password

# useradd -mUG lp,network,power,sys,wheel -s /bin/zsh newuser
# passwd newuser

Admin user

Add user to the wheel group

# visudo
Uncomment and save
%wheel ALL=(ALL) ALL

Enable displaymanager

# systemctl enable gdm

Reboot

# reboot

Trouble shooting


If something went wrong and you need to get back in from the live image:

# cryptsetup open /dev/sdy2 luks
# mount -o subvol=@,ssd /dev/mapper/luks /mnt
# mount -o subvol=@home,ssd /dev/mapper/luks /mnt/home
# mount -o subvol=@var,ssd /dev/mapper/luks /mnt/var
# mount /dev/sdy1 /mnt/boot
# manjaro-chroot /mnt /bin/zsh

drive preparation resource

  • https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation

btrfs resources


  • https://btrfs.wiki.kernel.org/index.php/Status
  • https://btrfs.wiki.kernel.org/index.php/FAQ#Is_btrfs_stable.3F
  • https://btrfs.wiki.kernel.org/index.php/Getting_started
  • https://wiki.archlinux.org/index.php/Btrfs
  • https://forum.manjaro.org/t/btrfs-tips-and-tricks/71186?u=linux-aarhus

Credits


  • https://austinmorlan.com/posts/arch_linux_install/

Credits in source

  • https://fogelholk.io/installing-arch-with-lvm-on-luks-and-btrfs/
  • https://flypenguin.de/2018/01/20/arch-full-disk-encryption-btrfs-on-efi-systems/
  • https://wiki.archlinux.org/

systemd-boot – LUKS – ext4

Why another guide on encryption?


Using Grub to boot an encrypted system often leads to long waits while Grub decrypts the Luks container to get to the kernels.

This load time is a weakness of the current grub implementation – and while it will probably be solved in due time – we need to find ways around it.

For example, you can use a separate partition for boot, $esp, and root and leave the boot unencrypted. This works, and grub will happily boot. If you want to dual boot several variations of Linux and throw in a Windows and a couple of ISO – this is the way to go.

But what if your requirements are simple? Do you want an encrypted Manjaro? And you want the installation to be as simple as possible?

systemd-boot is a bootloader that does not get much attention on Manjaro – since most Manjaro installations are created using the Calamares installer, which installs grub. I recall a setting for an iso-profile setting, the efi_bootloader="grub" – but it didn’t work very well, so I decided to learn how to implement systemd-boot the simplest way – later, create a merge request to the tools.

Before you begin


First – I am assuming you know your device path – for the safety of less experienced readers – I am using a device path /dev/sdy you most likely do not find on your system.

Second – I assume you are using a root TTY, as no commands are prefixed with sudo.

TIP: Don’t use a graphical environment – switch to TTY – because the live system may lock the screen and do another unpleasant thing while using the terminal – thus breaking whatever you were doing.

Third – I will use command line partitioning – no menu interfaces – pure command line.

Fourth – This guide will work for any device – it is internal, removable USB, or otherwise attached to your system. To ease the pain of writing the same device repeatedly, I used an environment variable – I assume you set the same, too.

TIP: If your circumstances allow for it – you can use ssh to install remotely using another device on your network.

Let’s begin


If you have not done so already, open a root TTY and set the device variable – remember it only exists in the current shell

INS="/dev/sdy"

Ensure your device is not mounted anywhere

umount -f "$INS"

The stuff that needs disclaimers – you are on your kind of stuff.

Clean the disk’s partition tables

sgdisk --zap-all "$INS"

Create a new GPT partition table

sgdisk --mbrtogpt "$INS"

Randomize the dev

dd if=/dev/urandom of=$INS status=progress

Create the $esp partition

sgdisk --new 1::+512M --typecode 1:ef00 --change-name 1:"EFI System" "$INS"

Create the root partition

sgdisk --new 2::: --typecode 2:8304 --change-name 2:"Linux x86-64 root" "$INS"

Wipe everything from the partitions

wipefs -af "$INS"1

wipefs -af "$INS"2

Format the partitions

Format $esp partition using FAT32

mkfs.vfat -vF32 "$INS"1

Root LUKS container

Create the LUKS container – the --iter-time an argument can be changed (default>10000) – the more iterations, the better. --tries It can be changed defaults to three (3) times.

cryptsetup -v --iter-time 5000 --type luks2 --iter-time 50000 --hash sha512 --tries 5 --use-urandom luksFormat "$INS"2

Open the LUKS container.

cryptsetup open "$INS"2 cryptroot

Format the container using your preferred file system – If your device is Flash-based, you can use f2fs, created for Flash, or you can use ext4, which is a defacto standard for Linux.

mkfs.ext4 /dev/mapper/cryptroot

Mounting

Mount your LUKS container on the systems temporary mountpoint

mount /dev/mapper/cryptroot /mnt

Then, create the folder for booting systemd ($esp)

mkdir /mnt/boot

And mount the $esp partition

mount "$INS"1 /mnt/boot

Installing a base Manjaro system

This guide is only scratching the surface of the new system. We only install a basic bootable system using the base meta package (if you use f2fs add the package f2fs-tools) along with kernel and some required tools – and don’t forget network connectivity

basestrap /mnt base linux510 nano mkinitcpio bash-completion networkmanager f2fs-tools

Configuring the base system


Configuring the system is the tedious – extremely boring – but crucial part, usually abstracted by tools like Manjaro Architect.

Chroot into the mountpoint

manjaro-chroot /mnt /bin/bash

Configurations

The vconsole.conf file contains information about the type of keymap you are using – in this case, a Danish keymap – but it could use for a default US English keymap.

echo KEYMAP=dk > /etc/vconsole.conf

The hostname file contains the name of your computer on a network – this must be unique – you can, of course, select another name.

echo manjaro > /etc/hostname

The host file contains information local to your system. The is almost empty – edit the file and append below IP addresses and the hostname from your hostname file.

nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 manjaro.localdomain manjaro

The ever-important system time – the example is for Denmark, but it could be Europe/Paris if you live in that area.

ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtim

Unix systems expect the hardware clock to run in UTC, and the system then corrects the clock using the timezone information – this is a point where Windows and Linux disagree, causing trouble for dual-booters – which we are not.

hwclock --systohc

Enable the network and timesync (don’t use --now in chroot, it will fail)

systemctl enable NetworkManager systemd-timesyncd

Now, we create a locale configuration that defines system messages and how time, date, and other units are displayed.

nano /etc/locale.gen

Uncomment the locales you want to use – e.g., English for messages and German for date and time uncomment. In this example – again for Denmark.

en_DK.UTF-8 UTF-8

To actually use preferences, the necessary files need to be generated – this is done using the locale-gen command

locale-gen

The locale.conf file references the locale files just created. Please see the Arch Wiki page on locales for additional entries you can add.

echo LANG=en_DK.UTF-8 > /etc/locale.conf

And finally, set the root password – do not skip as you cannot log into the rebooted system.

passwd

systemd-boot


This is the interesting part you have worked yourself down to. Because we use LUKS encrypted root partition, we need to make some system parts available at boot time.

We need to make the initramfs aware of the encryption we use, and it needs to accept input from the user on the encryption phrase used to decrypt the system.

initramfs

Those settings are defined in the file mkinitcpio.conf – we need to edit that file to suit our purpose

nano /etc/mkinitcpio.conf

Edit the HOOKS line to include keyboardkeymapsd-vconsole and sd-encrypt. This is required to get past the decryption phase. And the order of appearance is important – they must appear before autodetect.

HOOKS="systemd keyboard keymap sd-vconsole block sd-encrypt autodetect modconf filesystems fsck"

Use the mkinicpio command to generate the initramfs – it will copy the files to the boot ($esp) partition.

mkinitcpio -P -d /boot

bootloader

Now install the systemd bootloader to the boot ($esp) partition

bootctl --path=/boot install

To get the UUID for the device, we need to exit chroot, and the rest of the configuration can be done outside.

exit

For the bootloader to actually load, we need to create a configuration file to specify the kernel, initrd, and kernel options.

The configuration must match your system’s kernel and initrd. also, DEVICE-UUID must be the UUID of the physical device hosting the LUKS container. We can use lsblk to output the UUID and write it directly to the entry configuration.

lsblk -no PATH,UUID "$INS"2 > /mnt/boot/loader/entries/manjaro.conf

We also need the filenames of the kernel, and to avoid typos – we use ls and pipe the output to the same file – just appending instead

ls /mnt/boot/init* /mnt/boot/vmlinuz* >> /mnt/boot/loader/entries/manjaro.conf

Now open the file using nano

nano /mnt/boot/loader/entries/manjaro.conf

Amend the file to look like this (the order of the lines is not important)

title   Manjaro
linux   /vmlinuz-5.10-x86_64
initrd  /initramfs-5.10-x86_64.img 
options root=/dev/mapper/cryptroot rd.luks.name=DEVICE-UUID=cryptroot

This new configuration file is then added to the file loader.conf

nano /mnt/boot/loader/loader.conf
default manjaro

Maintenance


This guide does not consider the amd/intel microcode and maintenance due to kernel upgrades or booting different kernels.

To learn more – read up on systemd-boot on the Arch Wiki.

To facilitate tedious maintenance tasks, you can install the systemd-boot-manager package from the official repo.

Just a few things worth noting.

  • With systemd-boot, we also need to handle microcode loading by hand in the entries
  • It is probably worth pointing out that these entries will need to be added/updated as new kernels are installed and removed
  • Lastly, systemd-boot-manager will handle both those things for you in an automated fashion. It can automate the installation of systemd-boot, the creation and removal of entries, the addition of microcode updates and has options setting defaults automatically. It has full support for luks/lvm/btrfs/zfs/etc. — @dalto

Test your install


Unmount your devices

# umount -R /mnt

Close the LUKS container

# cryptsetup close /dev/mapper/cryptroot

If you are installing to a USB device – sync the device before removing it

# sync

And reboot

# reboot

Install Manjaro Edition


You now have the minimum for a system to boot and make a network connection – where you go from here is really up to you.

See also  Bandwidth+ - To no longer overload your bandwidth when you are sharing a connection on your Mac

Option 1

Pick from the big-big box of Linux Lego and customize your favorite system.

Option 2

On your favorite system, you can use two files from your root

  • /rootfs-pkgs.txt
  • /desktopfs-pkgs.txt

Sanitize the lists combining them into one list – then feed them to pacman to install them into your new root file system.

Start with the root filesystem and pipe it into a new file

cat /rootfs-pkgs.txt | awk '{print $1;}' > ~/iso-pkglist.txt

Continue with the desktop filesystem and append it to the file

cat /desktopfs-pkgs.txt | awk '{print $1;}' >> ~/iso-pkglist.txt

Then feed the entire list to Pacman and direct the installation to your mounted root using the convenient options of not confirming and only installing if not already installed.

pacman -Syy --no-confirm --needed --root /mnt - < ~/iso-pkglist.txt

You will now require a few extra steps – which require chroot.

Administrative user

It is important to hold back on user creation until you have installed the packages making up the Manjaro look and feel; otherwise, your user will have only desktop defaults. All theming, etc., is stored in /etc/skel and upon user creation, these files as used as a skeleton.

The first created should be an administrative user – replace $USERNAME with an actual username.

useradd --create-home --user-group -G network,scanner,lp,wheel $USERNAME

Then, set a password for the user

passwd $USERNAME

Display manager

To enable a graphical login, you must enable the display manager. Which one depends on the environment

KDE

systemctl enable sddm

Xfce

systemctl enable lightdm

Gnome

systemctl enable gdm

Conclusion


You have only scratched the surface, and there is work to be done – installing Xorg, applications, themes – whatever you fancy – it’s really up to you how this adventure ends.

Have fun – I did.

USB LXDE with persistence

Manjaro-To-Go LXDE with persistence

This guide is different than the usual guides I write – the purpose is to give any of you a serious tool in case of displacement due to war, evacuation due to natural disasters, riots, ban on religious practice, etc. You can also use the stick at home for your occasional secure computing – you can have a normal computer in the home – and when necessary, you can boot the stick – do what you need to do, e.g., keeping it up-to-date – shut it down and hide it for whatever prying eyes – governments, gangs, rebels, thieves – may force their way into your home.

With the escalating instability of the world around us – the escalating impact human actions have on our environment – and the ever-increasing possibilities of having to evacuate – many of us have emergency kits – sleeping bags, food supplies, and water – ready to go – we sometimes forget our most vital belongings – the documents that define us, our origin, our marriage, our children, photos of our relatives, photos of our passports, electronic copies of birth- and marriage certificates, our real-estate documents, proof of ownership for various items we carry – these invaluable documents we don’t want others to get their hands on. Many of us value the Bible over everything and would want to have a copy – even an electronic copy – with us.

We can’t rely on having a computer if we need to evacuate, but we can rely on – should the need arise – that we can access a computer. But we cannot trust others with the stick – they could copy the documents off the stick – we cannot trust a computer we have not booted to be clean – no keylogger, malware – we cannot trust it to decrypt our data. The Xorg set of display drivers works with recent hardware – but due to the fast development of graphics hardware and though I expect it to work – obviously, I cannot make any guarantee.

So this is – in my opinion – the ultimate guide to having a Linux in your pocket – an encrypted Linux – for storing your documents.

What is this about

I will demonstrate how to create a portable encrypted system using a USB device and the most minimal graphical environment possible using Manjaro.

CAUTION

You will be doing the following as root, so in the case of device names – do double-check your devices.

IMPORTANTNever unplug your device – you will damage the filesystem. If plugged into another operating system, use the system file manager’s eject method or ensure device data has been sync’d using the sync command. Then, use umount it to safely remove the device.

DISCLAIMER: I take no responsibility if you wreck something because you are too quick on the Enter key.

Let us begin

Change user

Open a terminal and log in as root.

$ su -l root
Password: 

Locating your device

Through the rest of this guide – I will be using a device path of /dev/sdy – replace with your actual device. You can verify which device you use by removing all USB flash devices. Insert the device you want to use and list your devices. You can recognize the removable device by 1 in the RM column.

Prepare the device

We will be using an unencrypted boot partition, so we cannot hide the presence of a Linux system on the device and where it is. Before we do anything, we will fill the device using a random pattern. The benefit is that encrypted data cannot be distinguished from the rest of the device.

Start by unmounting your device – using force if necessary.

umount -f /dev/sdy

Wipe the device (double-check the device path) using a random pattern.

dd if=/dev/urandom of=/dev/sdy bs=4M status=progress

Partitions

You can use a stick of your choice – you have to adjust the partition sizes accordingly.

For this guide, I am using a 64G SanDisk Extreme. To exchange unencrypted data without having to boot the USB, we will create a partition of 16G. To maximize compatibility, we use exFAT, which will be readable by most systems.

The intention is to create a hybrid USB capable of booting from a BIOS system and an EFI system, so we need a special BIOS partition as well.

Create a GUID partition table

sgdisk --mbrtogpt /dev/sdy

Create the bios boot partition

sgdisk --new 1::+1M --typecode 1:ef02 --change-name 1:"BIOS boot partition" /dev/sdy

Create the EFI system partition

sgdisk --new 2::+50M --typecode 2:ef00 --change-name 2:"EFI System" /dev/sdy

Create the data partition

sgdisk --new 3::+16G --typecode 3:0700 --change-name 3:"Microsoft basic data" /dev/sdy

Copy

Create a grub boot partition

sgdisk --new 4::+1G --typecode 4:8300 --change-name 4:"Linux filesystem" /dev/sdy

Create root partition

sgdisk --new 5::: --typecode 5:8300 --change-name 5:"Linux filesystem" /dev/sdy

Create hybrid MBR

Arch Linux documentation

sgdisk --hybrid 1:2:3 /dev/sdy

Boot flag for data partition

sgdisk --attributes 3:set:2 /dev/sdy

Clean BIOS partition

wipefs -af /dev/sdy1

Copy

Clean and format EFI partition

wipefs -af /dev/sdy2

FAT32

mkfs.vfat -vF32 /dev/sdy2

Clean and format data partition

wipefs -af /dev/sdy3

Copy

exFAT

mkfs.exfat /dev/sdy3

Clean and format grub boot partition

wipefs -af /dev/sdy4

ext2

mkfs.ext2 /dev/sdy4

Create LUKS container

The larger --iter-time the argument will create a stronger resistance against brute force but takes longer to decrypt.

  • Example 1cryptsetup --verbose --hash sha256 --iter-time 2000 --use-random luksFormat /dev/sdy5Copy
  • Example 2cryptsetup --verbose --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdy5Copy

Confirm and enter the passphrase twice and unlock the container (longer password – better encryption)

cryptsetup open --type luks /dev/sdy5 cryptroot

Create an ext4 file system in the container

mkfs.ext4 /dev/mapper/cryptroot

Mounting

Mount root

mount /dev/mapper/cryptroot /mnt

Create the /boot folder

mkdir /mnt/boot

Mount the grub boot partition

mount /dev/sdy4 /mnt/boot

Create the /boot/efi folder

mkdir /mnt/boot/efi

And mount the EFI partition

mount /dev/sdy2 /mnt/boot/efi

Finally, create a folder for the data partition

mkdir /mnt/data

And mount the data partition

mount /dev/sdy3 /mnt/data

Base installation

Replace $LINUX with the kernel of your choice.

e.g. linux58 – linux-latest or linux-lts

basestrap /mnt base sudo networkmanager $LINUX links nano vim grub mkinitcpio bash-completion broadcom-wl ipw2100-fw

Configure system

Create fstab

fstabgen -U /mnt >> /mnt/etc/fstab

Verify the generated fstab has the expected content – remove references to devices which is not your USB /dev/sdy (e.g. the host systems swap – is often added).

Chroot

manjaro-chroot /mnt /bin/bash

Console keyboard

Example for Denmark

echo LANG=dk > /etc/vconsole.conf

Copy

Hostname

echo manjaro > /etc/hostname

Edit /etc/hosts

nano /etc/hosts
127.0.0.1   localhost
::1     localhost
127.0.1.1   manjaro.localdomain   manjaro

Timezone

Example for Denmark

ln -sf /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
hwclock --systohc

Network Manager

Enable network connection

systemctl enable NetworkManager

Enable ntp client

systemctl enable systemd-timesyncd

Locale

Locale example of Danish locale

  • uncomment en_DK.UTF-8 and en_US.UTF-8

Save the file and generate the massage table

nano /etc/locale.gen
locale-gen

/etc/locale.conf

Locale.conf example for Denmark

echo LANG=en_DK.UTF-8 > /etc/locale.conf

Root password

This is important – if you don’t set it, you will not be able to log in as root – so the other option is to create a user with admin before rebooting. Pick a good password and do not reuse your luks key

passwd

/etc/mkinitcpio.conf

Add encrypt and block – the order is important – then save the changes

# nano /etc/mkinitcpio.conf
HOOKS="base udev encrypt block keyboard autodetect modconf filesystems fsck"

— https://wiki.archlinux.org/index.php/Mkinitcpio#Common_hooks

Build initramfs

mkinitcpio -P

Install grub

EFI

grub-install --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --removable --recheck

BIOS

grub-install --force --target=i386-pc --recheck --boot-directory=/boot /dev/sdy

Fallback

grub-install --force --target=i386-pc --boot-directory=/boot --recheck /dev/sdy3

Edit grub default

We could use the device naming, but in systemd world this naming may not always be the same – not guaranteed to be identical on every boot – so it is highly recommended to use UUID.

To the UUID of the sdy5 partition holding the cryptroot we use lsblk and define the output as NAME,UUID.

lsblk -o NAME,UUID /dev/sdy5

You will get two UUIDs – the first being the physical partition – the second the cryptroot partition – and it is the UUID of the physical partition we need for grub.

# nano /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx-yyy-zzzz:cryptroot"

Save the file and create grub config

grub-mkconfig -o /boot/grub/grub.cfg

USB specific considerations

Because we are using USB, we know repeating writes is not healthy in the long run.

Switch journal configuration to use RAM and ensure the journal is not filling up the RAM.

nano /etc/systemd/journald.conf

Modify to include this and save the file.

Storage=volatile
SystemMaxUse=16M

Edit your fstab and edit the options to include the noatime option. This will prevent writing to the filesystem every time a file changes, which can be a lot.

nano /etc/fstab

Append to the options list like this – and save the file

# <file system>   <mount point>  <type>  <options>  <dump>  <pass>
UUID=sample-uuid   /              ext4    defaults,noatime 0 1

Exit your chroot and eject the stick

sync
exit
umount -R /mnt
cryptsetup close /dev/mapper/cryptroot

Copy

sync

Moment of truth


Verify the stick is bootable on another system at hand. Login as root.

If you are using a cable, verify you have a network connection.

nmcli device show | grep  IP4

If you need to create a wireless connection, launch the Network Manager console

nmtui

Test your internet connection.

links manjaro.org

If you cannot make a network connection – various Broadcom and RALink-based devices come to mind – you need to mount the stick in a chroot, install the necessary drivers, and test it again.

Installing minimal GUI


The best GUI for this use case is LXDE. It is based on the Openbox window manager and is well known for its stability.

Xorg and drivers

sudo pacman -Syu xorg-server xorg-server-common xorg-xinit xf86-video-amdgpu xf86-video-ati xf86-video-intel xf86-video-nouveau xf86-video-vesa xf86-input-libinput xf86-input-evdev

LXDE

LXDE can be installed using the meta package, so for this writeup, it is the lxde package also adding some packages to make our life easier.

sudo pacman -Syu lxde epdfview accountsservice gnome-keyring gnome-icon-theme gnome-icons-standard perl-file-mimeinfo xdg-user-dirs xdg-user-dirs-gtk xdg-utils

Spicing LXDE

sudo pacman -Syu lxde-wallpapers manjaro-lxde-config manjaro-lxde-desktop-settings manjor-lxde-logout-banner matcha-gtk-theme manjaro-openbox-matcha papirus-icon-theme papirus-maia-icon-theme ttf-dejavu ttf-roboto xcursor-breeze

Network Utilities

sudo pacman -Syu netctl ifplugd iw wpa_supplicant dialog network-manager-applet networkmanager-openvpn

User


The reason for creating the user is the theming packages. Those packages are installed to /etc/skel and used as a skeleton when creating new users.

Choose a username and replace $USERNAME below with the chosen username

useradd -mUG lp,network,power,sys,wheel $USERNAME

Allow members of the wheel group to perform administrative tasks

Run visudo

visudo

Locate the line reading # %wheel ALL=(ALL) ALL and remove the # in the beginning of the line

%wheel ALL=(ALL) ALL

Copy

And press EscShiftzz

Logout from the root session

exit

Copy

Start X


Login with the new username and launch X

startx

Remember to shut the system down – don’t remove the stick while it is running :slight_smile:

Conclusion

In conclusion, installing Manjaro with Secure Boot Enabled can be a complex process, but it provides your system with an added layer of security. Following the steps outlined in this guide, you can ensure a successful installation and enjoy the benefits of a secure and stable operating system. Remember to take caution during installation, backup important data, and keep your system up to date to maintain optimal security.

End.

5/5 - (4 votes)

Mohamed SAKHRI

I am Mohamed SAKHRI, the creator and editor-in-chief of Tech To Geek, where I've demonstrated my passion for technology through extensive blogging. My expertise spans various operating systems, including Windows, Linux, macOS, and Android, with a focus on providing practical and valuable guides. Additionally, I delve into WordPress-related subjects. You can find more about me on my Linkedin!, Twitter!, Reddit

Leave a Comment