secureboot and TPM2
This commit is contained in:
parent
b042cd234e
commit
3ec8fdd1ca
35
archlinux.md
35
archlinux.md
@ -15,8 +15,33 @@ journalctl --disk-usage && journalctl --vacuum-size={size}M
|
|||||||
```
|
```
|
||||||
or prepare the file`/etc/systemd/journald.conf` and this value:`SystemMaxUse=50M`
|
or prepare the file`/etc/systemd/journald.conf` and this value:`SystemMaxUse=50M`
|
||||||
|
|
||||||
|
## archinstall
|
||||||
|
#### preinstalled software
|
||||||
|
```
|
||||||
|
htop vim tmux bash-completion firefox networkmanager git sbctl tpm2-tools base-devel firefox-i18n-de gparted exfatprogs ntfs-3g udftools usbutils btop powertop wireguard-tools acpi_call unrar squashfs-tools bluez-tools bluez-utils ddcutil read-edid cups evemu dconf-editor diffutils libguestfs networkmanager-vpnc pam-u2f go gutenprint p7zip wayland-utils
|
||||||
|
|
||||||
|
solo2 gpa libfido2 solo1 efitools fprintd opensc nitrokey-app rhash
|
||||||
|
|
||||||
|
keepassxc wl-clipboard element-desktop signal-desktop syncthing
|
||||||
|
thunderbird thunderbird-i18n-de libreoffice-fresh libreoffice-fresh-de nextcloud-client chromium aria2 meld gimp esptool pinta tracker tracker-miner paperwork pdftricks
|
||||||
|
gnome-firmware dmidecode brasero clinfo opencl-mesa opencl-driver clpeak croc cups-pdf handbrake sdparm hdparm smartmontools openocd poke remmina gsmartcontrol partclone
|
||||||
|
radare2 cutter r2ghidra binwalk cabextract hashcat diffpdf ghex flashrom hwinfo i2c-tool nbd virtualbox bootterm veracrypt youtube-dl
|
||||||
|
```
|
||||||
|
### gparted
|
||||||
|
flash usb stick with gparted.iso and dd. boot it
|
||||||
|
1. mount encrypted luks2
|
||||||
## customize fresh system
|
## customize fresh system
|
||||||
- /etc/mkinitcpio.conf
|
#### change /etc/mkinitcpio.conf
|
||||||
|
```
|
||||||
|
MODULES=(btrfs tpm_tis)
|
||||||
|
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
|
||||||
|
```
|
||||||
|
#### generate linux image
|
||||||
|
```
|
||||||
|
sudo vim /etc/mkinitcpio.d/linux
|
||||||
|
sudo vim /etc/kernel/cmdline
|
||||||
|
sudo mkinitcpio -p linux
|
||||||
|
```
|
||||||
- /boot/loader/entries/arch.conf https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot
|
- /boot/loader/entries/arch.conf https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot
|
||||||
- unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image
|
- unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image
|
||||||
- kernel cmdline
|
- kernel cmdline
|
||||||
@ -25,6 +50,14 @@ or prepare the file`/etc/systemd/journald.conf` and this value:`SystemMaxUse=50M
|
|||||||
- root and resume are links to the mapper
|
- root and resume are links to the mapper
|
||||||
- reboot the system to check if anything is broken
|
- reboot the system to check if anything is broken
|
||||||
- add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
|
- add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
|
||||||
|
- systemd-enroll tpm2
|
||||||
|
- WARNING! do not delete slo0
|
||||||
|
- call `systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2`
|
||||||
|
- add to cmdline `rd.luks.options=tpm2-device=auto,tpm2-pin=yes`
|
||||||
|
- regenerate unified kernel image `mkinitcpio -p linux`
|
||||||
|
- check `sbctl verify` and resign
|
||||||
|
- reboot and pray
|
||||||
|
- enable pcsc.socket
|
||||||
|
|
||||||
### git use credential store
|
### git use credential store
|
||||||
https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e
|
https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e
|
||||||
|
Loading…
Reference in New Issue
Block a user