Setting up Archlinux on my Framework 16 laptop - Getting to First Boot

After assembling the laptop it is time to start installing Archlinux.

My goal is to run the laptop with a fully encrypted disk via cryptsetup.

Important References

Firmware Settings

The first time you power on, you should end up in the BIOS/Boot Manager/Firmware or whatever you want to call it. If not, try tapping F2 repeatedly as it powers up.

Secure Boot

Go into Administer Secure Boot and disable Enforce Secure Boot.

F10 to save and exit.

If you don’t do this, you will not be able to boot off the Archlinux installation USB stick.

Linux Audio

Go into the setup utility and under Advanced set Linux Audio Compatibility to Linux.

F10 to save and exit.

Getting to First Boot

Follow the installation guide to download and prepare a USB stick as the installation medium. Use this in the laptop to boot into the live environment.

Note: I used an ethernet cable so didn’t have to contend with wi-fi during installation.

When you get to the section on partitioning the disks, come back here.

Setting the NVMe logical block size

I installed a Western Digital Black SN850X NVMe drive, and followed the section on NVMe solid state drives in the Advanced Format page of the wiki to ensure the logical block address size was the recommended 4096 bytes.

Basically I ran:

nvme id-ns -H /dev/nvme0n1 | grep "Relative Performance"

to see what the current and preferred LBA formats were, and:

nvme format --lbaf=1 /dev/nvme0n1

to set it to format number one, which was the preferred one.

Partitioning and Encrypting

This guide by Lena Fuhrimann was super helpful for getting the encryption bits right. I found the dm-crypt page on the wiki somewhat overwhelming and hence less than helpful. It gives you all the possibilities but is not very clear, for me at least, on what I should actually do. Lena’s guide was more prescriptive (as is this guide), which was a great help.

My disk was named /dev/nvme0n1, which is what I’ll use in the examples below. If you’re not sure what the device name is, use lsblk to figure it out.

Partitioning

I’m going with a fairly simple layout. Basically just one big partition for my operating system. I’ll be using a swap file rather than a separate swap partition. Others may prefer to use Logical Volume Manager (LVM), which is beyond the scope of what I’m writing here.

You’ll want two partitions on the drive:

  • A 512M partition at the start of the disk as your EFI boot partition.

  • The rest of the disk as your encrypted root partition.

As per the Partition section of Lena’s guide, the step by step instructions are:

  1. Run gdisk /dev/nvme0n1 to start partitioning the disk.

  2. Delete any existing partitions using d.

  3. Use p to print the partition table and ensure it is empty.

  4. Create the boot partition with n. Go with the default partition number, default first sector, last sector at +512M and ef00 as the type for an EFI system.

  5. Create the root partition, again with n. Go with the default partition number again, and the default last sector which should be the rest of the disk. Then 8300 as the type for a Linux file system.

  6. Use p again to check everything looks right.

  7. Then w to write the partitions and exit gdisk.

  8. Run lsblk to double-check everything looks right.

Encrypting the Root Partition

Running cryptsetup luksFormat /dev/nvme0n1p2 formats the encrypted partition. You’ll need to enter a password that will be used whenever you want to open the partition (like when you boot the laptop!)

Then run cryptsetup open /dev/nvme0n1p2 root, which opens the encrypted partition and maps it to /dev/mapper/root. The last argument, root, is the name of the mapping.

(cryptsetup close root will close or “unmount” it again if/when you need to. Remember that you may have /dev/mapper/root mounted too, so unmount that first.)

Create the File Systems

To format the first (EFI) partition:

mkfs.fat -F32 /dev/nvme0n1p1

To format the second, operating system partition:

mkfs.ext4 /dev/mapper/root

Others may prefer a different file system like btrfs or zfs, but I’m sticking with the trusty ext4.

Mounting File Systems

Now that the file systems are initialised, you need to set them up under /mnt the way they are going to be when in use.

mount /dev/mapper/root /mnt

The above mounts your encrypted partition which will be the root partition once your laptop boots off the internal disk.

mount --mkdir /dev/nvme0n1p1 /mnt/boot

The above mounts the EFI partition in the right spot as the boot partition.

Swap File

There’s a lot of debate as to the appropriate size or even the necessity of a swap file or partition. Read about swap on the wiki. From my reading on the topic, about 1.5 times your RAM seems to be a good guideline, particularly for hibernating a laptop.

Using free --mebi I can see my total memory is 31279 mebibytes, so I’m aiming for 46918.

Using dd to create the appropriately sized swap file:

dd if=/dev/zero of=/mnt/swapfile bs=1M count=46918 status=progress

Then the following to set permissions, initialise and switch the swap file on:

chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile

Installation

At this point you can pick back up with the Archlinux Installation Guide around section 2.2 where you call pacstrap. Follow along with my notes below, but be sure to come back here for dealing with Initramfs.

Here I’m basically installing the minimum packages needed to make the system boot and get it ready for configuration with Ansible. Here’s what I ran:

pacstrap -K /mnt base linux linux-firmware vi amd-ucode efivar efibootmgr

With the AMD Ryzen CPU you want the amd-ucode package for updating the CPU’s microcode. The efivar and efibootmgr packages are for dealing with initialising the boot manager below.

I’m installing vi so I can edit files. You may prefer nano instead.

Keep following the installation guide to configure things. In particular:

genfstab -U /mnt >> /mnt/etc/fstab

This will add all the mount and swap configuration you did above to the fstab file for future booting.

Then to change your viewpoint of the file system:

arch-chroot /mnt

This will change the apparent root directory so you can configure and run things in the right environment.

Now set your time zone, localisation, hostname and root password. For me this looked like:

ln -sf /usr/share/zoneinfo/Australia/Melbourne /etc/localtime
hwclock --systohc

Then I edited /etc/locale.gen and uncommented en_AU.UTF-8 UTF-8 and en_US.UTF-8 UTF-8, then:

locale-gen
echo 'LANG="en_AU.UTF-8"' > /etc/locale.conf

echo 'yourhostname' > /etc/hostname
passwd

Substituting “yourhostname” with whatever you want your machine called, and setting the root password with the last command. (This is different to the password you use when booting to decrypt the drive.)

At this point it would also be worth installing networkmanager and configuring it to start at boot so you’ll have connectivity after you reboot.

pacman -S networkmanager
systemctl enable NetworkManager

Initramfs

Edit /etc/mkinitcpio.conf and in the HOOKS array, add encrypt between block and filesystems, and add resume between filesystems and fsck.

You want encrypt because you’re using an encrypted file system, and resume for allowing the laptop to hibernate.

Once done, run mkinitcpio -P.
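The HOOKS edit described above can be scripted rather than done by hand. This is an added example, not part of the original post: patch_hooks and sample_conf are hypothetical helper names and the sample configuration is constructed, so compare it with your own /etc/mkinitcpio.conf.

```shell
#!/bin/sh
# Added example: apply the HOOKS change from this section without hand-editing.
# patch_hooks (hypothetical name) reads mkinitcpio.conf on stdin and writes the
# edited file to stdout. It exits non-zero if there is no HOOKS line or if the
# anchor hooks "block" and "filesystems" are missing.
patch_hooks() {
    awk '
    /^HOOKS=\(/ {
        found = 1
        line = $0
        sub(/^HOOKS=\(/, "", line)
        sub(/\).*$/, "", line)
        n = split(line, h, /[ \t]+/)
        out = ""; has_block = 0; has_fs = 0
        for (i = 1; i <= n; i++) {
            # Drop existing copies so running this twice changes nothing.
            if (h[i] == "" || h[i] == "encrypt" || h[i] == "resume") continue
            out = out (out == "" ? "" : " ") h[i]
            if (h[i] == "block")       { out = out " encrypt"; has_block = 1 }
            if (h[i] == "filesystems") { out = out " resume";  has_fs = 1 }
        }
        if (!has_block || !has_fs) { bad = 1; exit }
        print "HOOKS=(" out ")"
        next
    }
    { print }
    END { if (bad || !found) exit 1 }
    '
}

# Constructed sample config, for demonstration only.
sample_conf() {
    cat <<'EOF'
MODULES=()
# HOOKS=(base udev block filesystems)
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
EOF
}

sample_conf | patch_hooks
# On the real system, inside the chroot:
#   patch_hooks < /etc/mkinitcpio.conf > /tmp/mkinitcpio.conf.new &&
#       cp /tmp/mkinitcpio.conf.new /etc/mkinitcpio.conf && mkinitcpio -P
```

The commented-out HOOKS line in the sample is left untouched; only the active one is rewritten.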

The Boot Manager

Here is another area where the Archlinux installation guide and wiki frustrate me. It just says to install a boot loader and points off to another overwhelming page with too many choices. As per Lena’s guide, I went with efibootmgr. Hey, it worked!

Run filefrag -v /swapfile | head to get the offset of the swap file. It is the first number under “physical_offset” on the line for ext 0.

Then blkid -s UUID -o value /dev/nvme0n1p2 to get the UUID of the device.

Then initialise the boot manager with the following command:

efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux" --loader /vmlinuz-linux --unicode 'cryptdevice=UUID=xxxx:root root=/dev/mapper/root resume=/dev/mapper/root resume_offset=yyyy rw initrd=\amd-ucode.img initrd=\initramfs-linux.img' --verbose

Substitute the UUID for “xxxx” and the swap file offset for “yyyy”.
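The two lookups and the substitution above can be scripted so that a blank or mistyped value never reaches the boot entry. This is an added example, not part of the original post: swap_offset, kernel_cmdline and sample_filefrag are hypothetical helper names, and the filefrag output and UUID are constructed samples.

```shell
#!/bin/sh
# Added example, not the author's script; helper names are hypothetical.

# Read `filefrag -v` output on stdin and print the first physical offset of
# extent 0. Separators become spaces first, so column padding does not matter.
swap_offset() {
    awk '
    { gsub(/\.\.|:/, " ") }
    $1 == "0" && $2 == "0" && $4 ~ /^[0-9]+$/ { print $4; found = 1; exit }
    END { if (!found) exit 1 }
    '
}

# Print the kernel parameters for the efibootmgr call.
# $1 = UUID of the LUKS partition, $2 = swap file offset.
# Returns non-zero instead of emitting a blank or malformed value.
kernel_cmdline() {
    uuid=$1
    offset=$2
    printf '%s\n' "$uuid" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' || return 1
    case $offset in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s' "cryptdevice=UUID=$uuid:root root=/dev/mapper/root" \
        " resume=/dev/mapper/root resume_offset=$offset rw" \
        ' initrd=\amd-ucode.img initrd=\initramfs-linux.img'
    printf '\n'
}

# Constructed filefrag output (first two extents only), for demonstration.
sample_filefrag() {
    cat <<'EOF'
Filesystem type is: ef53
File size of /swapfile is 49197088768 (12011008 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:      34816..     67583:  32768:
   1:    32768..   65535:      67584..    100351:  32768:
EOF
}

offset=$(sample_filefrag | swap_offset)
kernel_cmdline "01234567-89ab-cdef-0123-456789abcdef" "$offset"
# Real use, inside the chroot:
#   offset=$(filefrag -v /swapfile | swap_offset) || exit 1
#   uuid=$(blkid -s UUID -o value /dev/nvme0n1p2)
#   cmdline=$(kernel_cmdline "$uuid" "$offset") || exit 1
#   then pass "$cmdline" as the --unicode argument of the efibootmgr command above
```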

Boot!

Run exit to return to the outer shell, and then reboot to reboot the laptop.

All things being well, you’ll find yourself being prompted for the password to access your encrypted drive, and after that you’ll reach the login prompt!