Introduction
After deciding to replace Windows with a more privacy-friendly OS, and reading about different Linux distributions, I opted for the Plasma version of Manjaro Linux for a few reasons:
- Plasma looks very similar to the Windows UI, but more modern
- It is a rolling release distribution, as Manjaro derives from Arch Linux
- It has a guided graphical installation, unlike Arch Linux
- It has a large community
After two years of familiarizing myself with the Linux ecosystem, terminal commands, and possible customization, I felt ready to remove the middle man that was Manjaro and go straight for Arch Linux.
In this guide, I explain how I installed Arch Linux on my laptop with these features:
- Plasma 6: the Breeze theme is great and consistent everywhere
- Plymouth: the boot process should also look nice
- Wayland: a modern display server alternative to X11
- PipeWire: a modern audio management alternative to PulseAudio and JACK
- LVM: multiple virtual partitions inside a single encrypted partition
- Full-disk encryption: preventing thieves from accessing data
- TPM2 PIN decryption: avoid entering a long passphrase at every boot
- Unified Kernel Image: the system boots from a single file
- Secure Boot: prevent booting from unauthorized drives
Most of these steps can be found in the Arch Wiki, even if they span several pages. I aim to make the process as straightforward as possible, even for a novice.
Requirements
- A modern laptop with an SSD and TPM2
- A spare USB flash drive
- Internet connectivity
- Patience. Lots of it.
Before rebooting
Download the official installation ISO using a BitTorrent client like qBittorrent.
Write the ISO to a USB flash drive, or copy it to a Ventoy flash drive.
Please make a backup of important files on the SSD, as it will be formatted.
Modifying UEFI settings
Before booting from the installation medium, let’s configure a couple of UEFI settings.
First, ensure you have a UEFI admin password; otherwise, Secure Boot can be disabled by anyone.
Then, enable the Secure Boot setup mode. With this, we can replace the Secure Boot keys later from the OS.
Since instructions vary for each manufacturer, you need to find a guide for your device.
Booting from ArchISO
Next, we can plug in the installation drive and boot from the ISO file. After a few seconds, you should see the following command line interface:
First, set the keyboard layout, time zone, and silence the PC speaker:
Wi-Fi setup
If you don’t have an Ethernet cable nearby, set up Wi-Fi connectivity:
From the iwctl prompt, run device list. You should see the following:
If the device is off, activate it with:
Then, connect to your network and exit iwctl:
From the shell prompt, check for connectivity:
Preparing the SSD
Now we will format and organize the disk into several partitions. We will then initialize the OS and chroot into it.
Ideal sector size
For optimal performance, set the ideal sector size of the SSD.
For SATA
Check the available sector sizes:
If sector size 4096 is supported, select it and confirm the change:
For NVMe
Check the performance of different LBA sizes:
Select the best LBA format (1 in this case) and confirm the change:
From now on, I will assume the SSD is /dev/nvme0n1.
Boot partition
Create a 1GB boot partition to store the bootloader:
Encrypted root partition
Create a large OS partition, and encrypt it using a strong passphrase when prompted:
Why these encryption options?
AES-XTS is the fastest cipher; you can test it yourself by running cryptsetup benchmark. XTS mode splits the key in half, so specifying a 512-bit key size means using two AES-256 keys. Argon2id replaced Argon2i only recently, and we are requiring 1GB of RAM, 4 cores and 5 seconds of computational time to make brute-force attacks impractical. The optimal sector size is the one we set before for the SSD.
Decrypt the LUKS volume:
The content of the volume is now available at /dev/mapper/cryptpart.
LVM volumes
In our case, LVM makes it easy to allocate virtual partitions inside an encrypted SSD partition.
Why not use the LUKS volume directly as a single partition?
For me, it’s convenient to keep my files inside a “home” partition that stays separate from the “system” one, as I can repair the system partition without affecting my personal files. But I also lived without LVM for years, so it’s not a necessity.
Using LVM terminology, our decrypted LUKS volume will be used as a “physical volume” (PV). We will add this PV to a “volume group” (VG). Then, we will create different “logical volumes” (LV) allocated from the VG.
You can now check these groups by running:
The output should look like this:
File systems
Now that the logical volumes are in place, we can build the file system for them and for the boot partition:
Mounting
The last step is to mount these file systems into folders, so we can place our new OS files inside:
Chrooting
The new system has its root folder “/” mounted to /mnt.
We can initialize it by installing some packages:
If you have an AMD processor, replace intel-ucode with amd-ucode.
Once done, save the current disk configuration to the root volume:
Now, let’s enter the new Arch Linux system as if we booted from it:
Command line interface
I highly recommend taking some time now to follow the steps I wrote in this post, as it will greatly improve the user experience for the rest of this guide.
In particular, I talk about setting up the correct language and time zone, creating users, and getting yay, a command line utility to install packages from the AUR.
Graphical user interface
Once the CLI is set up, installing the GUI is a breeze.
Display server
Let’s install some packages needed to run graphical applications:
Set the default cursor to match the Breeze theme:
And replace “Adwaita” with “Breeze”:
Desktop environment
Now we can install the desktop environment (Plasma) and session manager (SDDM):
We need to configure SDDM to launch Plasma using Wayland:
Copy the following into the file:
Once we apply this configuration, we can start SDDM on each boot:
Graphical boot
With the current setup, the boot process would display text in a terminal until we see SDDM’s login screen. By using a Plymouth theme, we can hide this behind a nicer loading screen:
Install Plymouth and set the Breeze theme:
Now that the graphical part is complete, we can tackle the most delicate part: configuring the boot process.
Boot process
There are several components to be configured for the boot process to work smoothly and securely.
The final result will be a single file placed in the unencrypted boot partition, signed with a Secure Boot “db” key. When Secure Boot is on, the laptop can only boot from this file.
Kernel command line
First, we need to configure the Linux kernel to find our root volume and display Plymouth properly.
Run blkid and save the UUID of the encrypted SSD partition, which has type="crypto_LUKS":
Create a file with the kernel parameters:
Copy the following into the file:
Temporary file system
We will now configure how the boot temporary file system (the initramfs) is generated: a file that contains the kernel modules and other utilities needed early in the boot.
To use the TPM and early graphical boot, comment out the existing MODULES array, make a copy, and add tpm_tis and your GPU modules to it. In this case, i915 is the module for the integrated Intel GPU:
In the same file, make a copy of the HOOKS array and modify it in this way:
- replace the base and udev hooks with systemd
- move keyboard after systemd
- add plymouth after kms
- replace keymap and consolefont with sd-vconsole
- add sd-encrypt and lvm2 after block
The final result should look like this:
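To see what those five edits produce, here is an added example script (my own, not part of the original guide) that applies them to a stock HOOKS line with sed and then checks the ordering the boot depends on: systemd first, and block before sd-encrypt before lvm2 before filesystems. It assumes the default HOOKS array shipped in /etc/mkinitcpio.conf.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumption: this is the stock HOOKS line from a current /etc/mkinitcpio.conf.
DEFAULT_HOOKS='HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)'

# Apply the five edits from the guide to a HOOKS line and print the result.
# Every pattern uses the surrounding spaces/parenthesis as a word boundary,
# so only whole hook names are touched.
rewrite_hooks() {
    printf '%s\n' "$1" | sed \
        -e 's/(base udev /(systemd /' \
        -e 's/ keyboard / /' \
        -e 's/(systemd /(systemd keyboard /' \
        -e 's/ kms / kms plymouth /' \
        -e 's/ keymap consolefont / sd-vconsole /' \
        -e 's/ block / block sd-encrypt lvm2 /'
}

# Return 0 when a HOOKS line respects the order the boot needs:
# systemd runs first (sd-encrypt and sd-vconsole need it), base/udev are gone,
# and block (storage drivers) < sd-encrypt (unlock LUKS) < lvm2 (activate LVs)
# < filesystems (mount root).  Hooks run in array order, so this matters.
check_hooks_order() {
    hooks=$(printf '%s\n' "$1" | sed -e 's/^HOOKS=(//' -e 's/)$//')
    case " $hooks " in *" base "*|*" udev "*) return 1 ;; esac
    pos=0; i_sd=-1; i_block=-1; i_enc=-1; i_lvm=-1; i_fs=-1
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            systemd)     i_sd=$pos ;;
            block)       i_block=$pos ;;
            sd-encrypt)  i_enc=$pos ;;
            lvm2)        i_lvm=$pos ;;
            filesystems) i_fs=$pos ;;
        esac
    done
    [ "$i_sd" -eq 1 ] && [ "$i_block" -gt 0 ] && [ "$i_block" -lt "$i_enc" ] \
        && [ "$i_enc" -lt "$i_lvm" ] && [ "$i_lvm" -lt "$i_fs" ]
}

NEW_HOOKS=$(rewrite_hooks "$DEFAULT_HOOKS")
printf '%s\n' "$NEW_HOOKS"
check_hooks_order "$NEW_HOOKS" || { echo 'hook order is wrong' >&2; exit 1; }
```

Run it against your own edited line by passing it to check_hooks_order before regenerating the image; a wrong order fails at boot, not at build time.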
Secure Boot
By default, most computers authorize only Microsoft’s signature, so that only the official Windows bootloader can be executed at boot.
Now, we will create and enroll our own keys as UEFI variables. We will then use the db key to sign our bootloader automatically every time it gets rebuilt.
Install these utilities and generate your Secure Boot keys:
Check if the system has been booted into Setup Mode before enrolling your Secure Boot keys:
You should see:
Then, you can enroll your keys:
Create a new hook at /etc/initcpio/post/sbsign that automatically signs the unified kernel image whenever mkinitcpio is run:
Make the file executable:
Remove some unneeded sbctl hooks:
Prevent pacman from restoring them by editing /etc/pacman.conf:
Unified Kernel Image
Make a backup copy of /etc/mkinitcpio.d/linux.preset:
Then, create a new .preset file:
Copy the following into the file:
The fallback_uki option will create another unified kernel image with different settings, useful in case you have problems booting from the default file.
Now that we have everything in place, we can finally generate and sign the two unified kernel images:
Check that two files have been created inside the boot partition, and that they are signed with your Secure Boot key:
UEFI boot entries
To make the UEFI aware of these files, we need to create two boot entries for these UKIs:
TPM unlock
With the current setup, we would need to enter the LUKS decryption passphrase at every boot. We can use our laptop’s TPM to protect the LUKS encryption key and retrieve it after we enter a PIN:
Why this PCR combination?
The TPM will “take a snapshot” of the current state of the UEFI firmware, UEFI settings, partition table, Secure Boot keys, and kernel command line. If any of these changes after the enrollment, the TPM will consider the environment “altered” and will not prompt us for the PIN.
In that case, we will be prompted by Plymouth for our LUKS passphrase. We can always re-enroll the TPM after booting, if we trust that no one altered our PC while we were away.
You can check that a new entry has been created under the “Tokens” section of the LUKS header:
Starting from the next boot, the PIN prompt will look like this:
Other configurations
Now that the boot process is done, we can finalize our installation with some desktop-specific features.
Audio
To make audio work out of the box, install PipeWire:
Bluetooth
For Bluetooth connectivity, install Bluez:
Fingerprint reader
If your laptop has a fingerprint sensor, consider following the excellent Fprint guide after you boot your laptop.
Printing
CUPS comes with a web interface to manage printers. To install it, run:
Power-saving mode
To extend the battery duration, install TLP:
Then, enable the default settings by running:
If you need a GUI to change them, I use slimbookbattery from the AUR.
Wi-Fi backend
By default, NetworkManager uses wpa_supplicant as its wireless network backend.
To use the newer iwd, create a custom configuration file:
Copy the following into the file:
Start NetworkManager on each boot:
Graphics card
To keep the guide straightforward, we only covered the example of a laptop with an integrated Intel GPU. However, there are a few configurations to change based on your GPU:
Intel-only
Install the user-space driver:
Nvidia-only
Install the Nvidia kernel driver:
Append to the kernel command line the following:
In your temporary file system configuration file, replace the Intel module with Nvidia modules:
Create an update hook that will regenerate the UKI every time the Nvidia drivers get updated:
Copy the following into the file:
Regenerate the UKI:
AMD-only
Install the user-space drivers:
In your temporary file system configuration file, remove the Intel module:
Regenerate the UKI:
Intel + Nvidia laptop
Install both Intel user-space and Nvidia kernel drivers:
To run apps using the dedicated GPU, prepend them with prime-run:
Intel + AMD laptop
Install both Intel and AMD user-space drivers:
To run apps using the dedicated GPU, prepend them with DRI_PRIME=1:
In case of issues, refer to the Graphics category in the Arch Wiki.
Reboot
You can finally reboot and test that everything works well.
To reboot, exit from the chroot and unmount all volumes and partitions.
At the next boot, Plymouth will prompt you for your TPM PIN, followed by SDDM prompting you for your user password.
Once logged in, you can check that the setup mode of UEFI Secure Boot has been disabled:
If it’s still enabled, remember to disable it from your UEFI settings.
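sbctl status and bootctl status both report this, but as an added example (mine, not from the guide) the script below reads the SetupMode and SecureBoot variables straight from efivarfs, which is what those tools consult. It assumes the standard efivarfs mount point and the standard GUID of the global EFI variables.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumptions: efivarfs is mounted at the path below, and the global EFI
# variables use the standard GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first payload byte of an efivarfs file as a decimal number.
# efivarfs prepends a 4-byte attribute word to the variable's data, so the
# byte we want sits at offset 4.  $1: path to the variable file.
efivar_first_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Classify the firmware state from the two variable files.
# $1: SetupMode file, $2: SecureBoot file.  Prints one of:
#   setup-mode  (keys can still be replaced: enroll them, then leave setup mode)
#   enforcing   (user mode with Secure Boot on: only the signed UKI will boot)
#   disabled    (user mode, but Secure Boot is off)
secure_boot_state() {
    setup=$(efivar_first_byte "$1")
    sb=$(efivar_first_byte "$2")
    if [ "$setup" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enforcing
    else
        echo disabled
    fi
}

main() {
    secure_boot_state "$EFIVARS/SetupMode-$GLOBAL_GUID" \
                      "$EFIVARS/SecureBoot-$GLOBAL_GUID"
}

# Only run on a UEFI system with efivarfs available.
if [ -r "$EFIVARS/SetupMode-$GLOBAL_GUID" ]; then
    main
fi
```

Anything other than enforcing means the signed UKI is not yet what the firmware requires, so finish the UEFI-side step before relying on the TPM enrollment.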
Happy Arching!