Archlinux
clean system from old files
paccache -r          # keep the 3 most recent versions of every package in the pacman cache
paccache -ruk0       # remove all cached versions of packages that are no longer installed
paccache -rk1        # keep only the most recent version of each installed package
yay -Ycc             # clean the whole yay build cache
flatpak uninstall --unused
journalctl --disk-usage && journalctl --vacuum-size={size}M
or set a permanent limit in /etc/systemd/journald.conf:
SystemMaxUse=50M
archinstall
additional packages to install
htop vim tmux bash-completion firefox networkmanager git sbctl tpm2-tools base-devel firefox-i18n-de gparted exfatprogs ntfs-3g udftools usbutils btop powertop wireguard-tools acpi_call unrar squashfs-tools bluez-tools bluez-utils ddcutil read-edid cups evemu dconf-editor diffutils libguestfs networkmanager-vpnc pam-u2f go gutenprint p7zip wayland-utils age
solo2 gpa libfido2 solo1 efitools fprintd opensc nitrokey-app rhash
keepassxc wl-clipboard element-desktop signal-desktop syncthing
thunderbird thunderbird-i18n-de libreoffice-fresh libreoffice-fresh-de nextcloud-client chromium aria2 meld gimp esptool pinta tracker tracker-miner paperwork pdftricks
gnome-firmware dmidecode brasero clinfo opencl-mesa opencl-driver clpeak croc cups-pdf handbrake sdparm hdparm smartmontools openocd poke remmina gsmartcontrol partclone ipp-usb
radare2 cutter r2ghidra binwalk cabextract hashcat diffpdf ghex flashrom hwinfo i2c-tools nbd virtualbox bootterm veracrypt youtube-dl
brscan5
gst-libav gnome-power-manager acpid
gparted
flash a USB stick with the gparted ISO via dd and boot it
- from there the encrypted LUKS2 container can be opened and mounted for repairs
customize fresh system
change /etc/mkinitcpio.conf (systemd-based initramfs: sd-encrypt instead of encrypt, sd-vconsole instead of keymap/consolefont; tpm_tis is needed so the TPM is reachable in early userspace)
MODULES=(btrfs tpm_tis)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
generate the unified kernel image
sudo vim /etc/mkinitcpio.d/linux.preset   # enable the UKI output (default_uki=...) and point it at the ESP
sudo vim /etc/kernel/cmdline              # the kernel command line that gets embedded into the UKI
sudo mkinitcpio -p linux
- if booting via a loader entry instead of a UKI: /boot/loader/entries/arch.conf https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot
- unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image
- kernel cmdline
- power state cpu
- WARNING: do not use the PARTUUID in the cmdline. rd.luks.name= needs the UUID of the LUKS container itself (the LUKS header UUID, not the partition's PARTUUID); check it against the container with
blkid   (or: cryptsetup luksUUID /dev/nvme0n1p2)
- root= and resume= point at the mapper device (/dev/mapper/<name>), not at the raw partition
- reboot the system to check that nothing is broken
- add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
- enroll the TPM2 with systemd-cryptenroll
- WARNING! do not delete keyslot 0: that is the passphrase slot and the only way in when the TPM refuses to unseal (firmware update, changed Secure Boot state, PCR mismatch)
- call
systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2
(this adds a new keyslot sealed to the TPM; with --tpm2-with-pin=yes the PIN is required in addition to the sealed key, so a stolen laptop cannot unlock itself at boot)
- add to cmdline
rd.luks.options=tpm2-device=auto,tpm2-pin=yes
- regenerate unified kernel image
mkinitcpio -p linux
- check
sbctl verify
and resign whatever it lists as unsigned (sbctl sign <file>), then reboot and pray
- enable pcscd.socket (for the smartcard tools, e.g. opensc)
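Two helpers for the procedure above, added here as an example and not part of the original notes: luks_cmdline builds the /etc/kernel/cmdline line for a LUKS2 root that the sd-encrypt hook opens with TPM2 + PIN, and luks_slot_check reads `cryptsetup luksDump` output and only reports success if keyslot 0 (the passphrase slot) still exists next to the systemd-tpm2 token. The mapper name cryptroot, the subvolume @, the function names and the sample dump are this example's own assumptions.

```shell
#!/bin/sh
# Added example for the sd-encrypt + TPM2 setup; not code from the original notes.

# luks_cmdline LUKS_UUID NAME [SUBVOL]
# LUKS_UUID is the header UUID (cryptsetup luksUUID /dev/nvme0n1p2 or
# blkid -s UUID), NOT the PARTUUID of the partition.
luks_cmdline() {
    uuid=$1 name=$2 subvol=${3:-@}
    # a PARTUUID has the same shape, so this only catches device names/typos
    printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' \
        || { echo "not a UUID: $uuid" >&2; return 1; }
    printf '%s\n' "rd.luks.name=$uuid=$name rd.luks.options=tpm2-device=auto,tpm2-pin=yes root=/dev/mapper/$name rootflags=subvol=$subvol resume=/dev/mapper/$name rw"
}

# luks_slot_check < luksDump-output
# Succeeds only if keyslot 0 is still present and a systemd-tpm2 token exists;
# prints which keyslot the token is bound to.
luks_slot_check() {
    awk '
        /^Keyslots:/ { sect = "k"; next }
        /^Tokens:/   { sect = "t"; next }
        /^[A-Z][A-Za-z ]*:/ { sect = "" }          # any other top-level section
        sect == "k" && /^  0: luks2/                { slot0 = 1 }
        sect == "t" && /^  [0-9]+: systemd-tpm2/    { tpm = 1 }
        sect == "t" && tpm && /^[[:space:]]+Keyslot:/ { bound = $2 }
        END {
            if (!slot0) { print "FAIL: keyslot 0 (passphrase) is gone"; exit 1 }
            if (!tpm)   { print "FAIL: no systemd-tpm2 token enrolled"; exit 1 }
            print "ok: keyslot 0 present, systemd-tpm2 token bound to keyslot " bound
        }'
}

# Constructed sample in the layout cryptsetup luksDump uses for LUKS2, trimmed
# to the fields the check looks at. Keyslot 0 = passphrase, keyslot 1 = the
# slot systemd-cryptenroll added and bound to the tpm2 token.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           1b4e28ba-2fa1-11d2-883f-0016d3cca427
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        tpm2-bank:  sha256
        tpm2-pin:   true
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

# Demo against the constructed sample:
luks_cmdline 1b4e28ba-2fa1-11d2-883f-0016d3cca427 cryptroot
printf '%s\n' "$SAMPLE_DUMP" | luks_slot_check
```

On the real machine: `luks_cmdline "$(cryptsetup luksUUID /dev/nvme0n1p2)" cryptroot > /etc/kernel/cmdline` before `mkinitcpio -p linux`, and `cryptsetup luksDump /dev/nvme0n1p2 | luks_slot_check` after every enroll or `systemd-cryptenroll --wipe-slot` run.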
uefi update cd (the vendor ships the firmware updater as a bootable ISO)
- download the iso image
- extract the El Torito boot image from it
geteltorito.pl -o r1qur08w.img r1qur08w.iso
- put it on the usb stick; check with lsblk that /dev/sda really is the stick first, dd does not ask
dd if=r1qur08w.img of=/dev/sda bs=64K status=progress
- reboot into the firmware setup and disable SecureBoot (the update image does not boot with it on)
- reboot from the stick and run the update
- reboot (UEFI), reboot (EC) and reboot (reasons)
- reboot into the firmware setup and activate SecureBoot again
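Added example, not from the original notes: the dd line above writes to /dev/sda unconditionally, and on a machine where /dev/sda happens to be the internal disk that is the end of the installation. This guard insists on a removable, unmounted whole disk (read from sysfs and /proc/mounts) before the image is written. The names usb_target_ok and flash_image are chosen here; SYSFS and MOUNTS are overridable only so the check can be exercised against fake files.

```shell
#!/bin/sh
# Added example: refuse to dd onto anything that is not a removable, unmounted whole disk.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# usb_target_ok /dev/sdX -> 0 if it is safe to overwrite, 1 (with a reason) otherwise
usb_target_ok() {
    dev=$1
    name=${dev#/dev/}
    case $name in
        */*|"") echo "refuse: $dev is not a plain /dev/<disk> name"; return 1 ;;
    esac
    # partitions (sda1, nvme0n1p1) live under /sys/block/<disk>/, so they have no
    # /sys/block/<name>/removable of their own: this rejects them as targets
    if [ ! -f "$SYSFS/block/$name/removable" ]; then
        echo "refuse: $dev is not a whole disk known to the kernel"; return 1
    fi
    if [ "$(cat "$SYSFS/block/$name/removable")" != 1 ]; then
        echo "refuse: $dev is not removable (internal disk?)"; return 1
    fi
    # the disk itself or any partition on it (sdb1, nvme0n1p2) currently mounted
    if grep -q "^${dev}p\{0,1\}[0-9]*[[:space:]]" "$MOUNTS"; then
        echo "refuse: $dev or one of its partitions is mounted"; return 1
    fi
    echo "ok: $dev"
}

# flash_image r1qur08w.img /dev/sdX : the dd from the notes, behind the guard
flash_image() {
    usb_target_ok "$2" || return 1
    dd if="$1" of="$2" bs=64K status=progress conv=fsync
}
```

Usage: `flash_image r1qur08w.img /dev/sda`. The check is deliberately strict rather than clever: a USB stick that is auto-mounted by the desktop is rejected until it is unmounted, which is what you want before dd anyway.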
git: use the gnome keyring as credential store
https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e well, no. instead:
yay -S seahorse libgnome-keyring
git config --global credential.helper /usr/lib/git-core/git-credential-gnome-libsecret
gnome thumbnail raw picture
https://support.system76.com/articles/fix-raw-image-previews/
failure recovery (system does not boot, e.g. broken initramfs or unsigned UKI)
- boot from the archlinux usb stick
- open the LUKS container
cryptsetup luksOpen /dev/nvme0n1pX luksDev
- temporary mount point
mkdir tmpmnt
- mount the root subvolume, chroot, then mount the ESP inside the chroot
mount -o subvol=@ /dev/mapper/luksDev tmpmnt
arch-chroot tmpmnt bash
mount /dev/nvme0n1p1 /boot
- fix stuff
mkinitcpio -p linux
- sbctl verify; sbctl sign /boot/{things}
- exit the chroot; sync, unmount /boot and tmpmnt
cryptsetup luksClose luksDev
acpi lid behaviour
the lid can cause spurious wakeups or even prevent sleep/hibernate. wake sources are controlled through the acpi subsystem and reset to the firmware defaults on every power up, so the fix has to be reapplied at each boot. the pci devices are unknown (probably NIC and WLAN wake-on-LAN), SLPB should be the sleep/power button, RESA is unknown
cat /proc/acpi/wakeup
Device  S-state  Status     Sysfs node
GPP4    S3       *enabled   pci:0000:00:02.3
RESA    S3       *disabled
GP17    S3       *enabled   pci:0000:00:08.1
XHC0    S3       *enabled   pci:0000:07:00.3
XHC1    S3       *enabled   pci:0000:07:00.4
LID     S4       *enabled   platform:PNP0C0D:00
SLPB    S3       *enabled   platform:PNP0C0E:00
sudo echo LID > /proc/acpi/wakeup does not work: the redirection is done by the unprivileged shell, only echo runs as root
[user@user-think-yoga acpi]$ sudo echo LID > /proc/acpi/wakeup
bash: /proc/acpi/wakeup: Permission denied
[user@user-think-yoga acpi]$ sudo -i
[root@user-think-yoga ~]# echo LID > /proc/acpi/wakeup
[root@user-think-yoga ~]# cat /proc/acpi/wakeup
Device  S-state  Status     Sysfs node
GPP4    S3       *enabled   pci:0000:00:02.3
RESA    S3       *disabled
GP17    S3       *enabled   pci:0000:00:08.1
XHC0    S3       *enabled   pci:0000:07:00.3
XHC1    S3       *enabled   pci:0000:07:00.4
LID     S4       *disabled  platform:PNP0C0D:00
SLPB    S3       *enabled   platform:PNP0C0E:00
writing a device name to /proc/acpi/wakeup toggles it, so a second write re-enables LID. make it permanent with a tmpfiles entry, which writes it exactly once per boot (when the firmware default, enabled, is active again):
cat /etc/tmpfiles.d/acpi-lid.conf
# Path Mode UID GID Age Argument
w /proc/acpi/wakeup - - - - LID
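Added example, not from the original notes: because /proc/acpi/wakeup is a toggle, a naive `echo LID > /proc/acpi/wakeup` run twice (from a boot script and again by hand, say) silently turns the lid wakeup back on. These helpers read the table first and only write when the device is still enabled, so they can be run any number of times. The function names are chosen here; WAKEUP is overridable only so they can be run against a saved copy of the table, and the sample table used for that is constructed.

```shell
#!/bin/sh
# Added example: idempotent handling of /proc/acpi/wakeup (a toggle interface).
WAKEUP=${WAKEUP:-/proc/acpi/wakeup}

# acpi_wakeup_state DEV -> prints "enabled" or "disabled"; returns 1 if DEV is not listed
acpi_wakeup_state() {
    awk -v dev="$1" '
        $1 == dev { sub(/^\*/, "", $3); print $3; found = 1 }
        END { exit !found }' "$WAKEUP"
}

# acpi_wakeup_enabled -> one line per source that can still wake the machine
acpi_wakeup_enabled() {
    awk '$3 == "*enabled" { print $1 }' "$WAKEUP"
}

# acpi_wakeup_disable DEV -> writes the toggle only if DEV is currently enabled,
# so calling it twice cannot re-enable the wakeup source (must run as root)
acpi_wakeup_disable() {
    state=$(acpi_wakeup_state "$1") || { echo "unknown wakeup device: $1" >&2; return 1; }
    if [ "$state" = enabled ]; then
        echo "$1" > "$WAKEUP"
    fi
}
```

`acpi_wakeup_disable LID` is the safe form of the root shell command above, and `acpi_wakeup_enabled` is a quick way to list what is still allowed to wake the laptop after a suspend that did not stick.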
usbguard gnome
2022.11.07: currently not working, Gnome does not show any entry
/etc/polkit-1/rules.d/70-allow-usbguard.rules
// Allow users in the wheel group to talk to USBGuard over D-Bus.
// subject.active/subject.local limit this to a local, active session, so an
// ssh login or a background session cannot change the device policy.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.usbguard.Policy1.listRules" ||
         action.id == "org.usbguard.Policy1.appendRule" ||
         action.id == "org.usbguard.Policy1.removeRule" ||
         action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
         action.id == "org.usbguard.Devices1.listDevices" ||
         action.id == "org.usbguard1.getParameter" ||
         action.id == "org.usbguard1.setParameter") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
to activate it for gnome:
$ gsettings set org.gnome.desktop.privacy usb-protection true
and to harden it further (block new USB devices at all times, not only while the screen is locked):
$ gsettings set org.gnome.desktop.privacy usb-protection-level always