From 3ec8fdd1cabe400d9791ffd8888e5c72153588c2 Mon Sep 17 00:00:00 2001 From: user Date: Thu, 1 Sep 2022 16:08:26 +0200 Subject: [PATCH] secureboot and TPM2 --- archlinux.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/archlinux.md b/archlinux.md index f215a2d..ecba819 100644 --- a/archlinux.md +++ b/archlinux.md 
@@ -15,8 +15,33 @@ journalctl --disk-usage && journalctl --vacuum-size={size}M ``` or prepare the file`/etc/systemd/journald.conf` and this value:`SystemMaxUse=50M` +## archinstall +#### preinstalled software +``` +htop vim tmux bash-completion firefox networkmanager git sbctl tpm2-tools base-devel firefox-i18n-de gparted exfatprogs ntfs-3g udftools usbutils btop powertop wireguard-tools acpi_call unrar squashfs-tools bluez-tools bluez-utils ddcutil read-edid cups evemu dconf-editor diffutils libguestfs networkmanager-vpnc pam-u2f go gutenprint p7zip wayland-utils + +solo2 gpa libfido2 solo1 efitools fprintd opensc nitrokey-app rhash + +keepassxc wl-clipboard element-desktop signal-desktop syncthing +thunderbird thunderbird-i18n-de libreoffice-fresh libreoffice-fresh-de nextcloud-client chromium aria2 meld gimp esptool pinta tracker tracker-miner paperwork pdftricks +gnome-firmware dmidecode brasero clinfo opencl-mesa opencl-driver clpeak croc cups-pdf handbrake sdparm hdparm smartmontools openocd poke remmina gsmartcontrol partclone +radare2 cutter r2ghidra binwalk cabextract hashcat diffpdf ghex flashrom hwinfo i2c-tool nbd virtualbox bootterm veracrypt youtube-dl +``` +### gparted +flash usb stick with gparted.iso and dd. boot it +1. mount encrypted luks2 ## customize fresh system -- /etc/mkinitcpio.conf +#### change /etc/mkinitcpio.conf +``` +MODULES=(btrfs tpm_tis) +HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck) +``` +#### generate linux image +``` +sudo vim /etc/mkinitcpio.d/linux +sudo vim /etc/kernel/cmdline +sudo mkinitcpio -p linux +``` - /boot/loader/entries/arch.conf https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot - unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image - kernel cmdline 
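Review bot: the preset path under `#### generate linux image` is wrong: `sudo vim /etc/mkinitcpio.d/linux` should be `sudo vim /etc/mkinitcpio.d/linux.preset`, since mkinitcpio reads presets from `/etc/mkinitcpio.d/*.preset` and `mkinitcpio -p linux` resolves to that file. Related check for `MODULES=(btrfs tpm_tis)`: `tpm_tis` only covers TIS/FIFO TPMs, and firmware TPMs that use the CRB interface need `tpm_crb` instead; worth adding a line telling the reader to confirm with `lsmod | grep tpm` on the running system which driver is loaded, otherwise the initramfs cannot see the TPM and the later TPM2 unlock silently falls back to the passphrase. Two smaller points: the package list names `i2c-tool`, but the Arch package is `i2c-tools`, so a copy-paste of that line into archinstall fails on that entry; and the heading structure under `## customize fresh system` is now inconsistent, because the old bullet `- /etc/mkinitcpio.conf` became the heading `#### change /etc/mkinitcpio.conf` while the following bullets (`- /boot/loader/entries/arch.conf ...`, `- unified kernel image ...`) stay as a list below a fenced block, and `## archinstall` jumps straight to `####`. Suggest using `###` for the sub-sections and giving the remaining bullets the same treatment, or keeping it all as one list. The `### gparted` section also ends with `1. mount encrypted luks2` as a single numbered item with no command; either document the command used to open the LUKS2 volume there or leave the item out until it is written.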
@@ -25,6 +50,14 @@ or prepare the file`/etc/systemd/journald.conf` and this value:`SystemMaxUse=50M - root and resume are links to the mapper - reboot the system to check if anything is broken - add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot +- systemd-enroll tpm2 + - WARNING! do not delete slo0 + - call `systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2` + - add to cmdline `rd.luks.options=tpm2-device=auto,tpm2-pin=yes` + - regenerate unified kernel image `mkinitcpio -p linux` + - check `sbctl verify` and resign + - reboot and pray +- enable pcsc.socket ### git use credential store https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e
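Review bot: `- enable pcsc.socket` names a unit that does not exist; the pcsclite socket unit is `pcscd.socket`, so the line should read `- enable pcscd.socket` (the `opensc` smart-card tooling from the package list relies on it). The line `- WARNING! do not delete slo0` has a typo (`slot 0`, i.e. the LUKS keyslot holding the passphrase) and should say why it matters: the enrollment added by `systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2` only unlocks while the measured boot state still matches, so after the Secure Boot changes in the line above, a re-signed image or a firmware update the passphrase in slot 0 is the recovery path; `reboot and pray` is the natural place to add "keep the passphrase at hand". Minor: the item reads `systemd-enroll tpm2` while the actual command is `systemd-cryptenroll`, and `/dev/nvme0n1p2` is machine-specific, so note that it is the LUKS2 partition from the `gparted` step (or refer to it by UUID) so the doc is not tied to one disk layout.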