User:0xMrRobot/Alienware m16 R1: Difference between revisions



This article describes how I configure my Arch Linux system for my gaming laptop. It has the following specs:

I will install Arch on the 2TB SSD with the following characteristics:

* File system: Btrfs (with full drive encryption configured);

* Kernels: linux-bazzite-bin (primary) and linux-lts (fallback);

* Desktop Environment: KDE Plasma (Wayland only);

* Swap: 32GiB file (with hibernation configured);

* Bootloader: systemd-boot;

* Firmware mode: UEFI;

* Multimedia framework (for audio and video): PipeWire;

* Shell: Bash;

* Secure Boot: Enabled;

* Display/login manager: none, the login will be directly from the shell.

Go to the Arch Linux download page, select a mirror that's geographically close to you (for better download speeds) and download the file.

Turn on the laptop and repeatedly press the key to get into the UEFI menu. From there, go to Boot configuration and disable Secure Boot for now, see the note here.

Save your changes, reboot and repeatedly press the to enter the one-time boot menu. Select your installation medium and boot from it. When the boot menu appears, select Arch Linux install medium.

The installation medium creates an Arch environment that runs in the computer's RAM, and you'll automatically be logged in as the root user. After logging in, you can unplug your USB drive.

The default keyboard layout is US. Since this laptop has a Brazilian layout, I'll be selecting it for ease of use:

# loadkeys br-abnt2

Also, for ease of reading, you may wish to increase the font size:

# setfont ter-v32n

The following drive layout will be used:

* An EFI system partition (also called ESP) of 512MiB;

* A root partition encompassing the rest of the drive.

Use lsblk(8) to see the drives detected by the live environment. Entries with TYPE equal to and can be ignored. Write down the block device that represents the 2TB SSD, e.g. .

Next, use gdisk(8) to wipe the drive clean:

# gdisk /dev/nvme1n1

This will open a new prompt. Press to use expert commands, and then press to zap (destroy) the GPT on the drive. If it asks you to also blank out the MBR, confirm this action.

Now you have a blank drive, ready to be partitioned. To verify, you can run again, and the drive shouldn't have any partitions. If this is the case, re-enter the command above.

In the new prompt, press to create a new partition. The program will interactively ask for more parameters. As an example, let's create the ESP:

Command (? for help): n
Partition number (...):
First sector (...) or {+-}size{KMGTP}:
Last sector (...) or {+-}size{KMGTP}: +512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (...): EF00

Repeat the process for the root partition:

Command (? for help): n
Partition number (...):
First sector (...) or {+-}size{KMGTP}:
Last sector (...) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (...):

Finally, write your changes to the drive by pressing and confirming that you wish to proceed.

Here's an example layout created in a virtual machine, yours should look similar:

root@archiso ~ # lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0 853.9M  1 loop /run/archiso/airootfs
sr0          11:0    1   1.2G  0 rom  /run/archiso/bootmnt
nvme0n1     259:0    0    30G  0 disk
├nvme0n1p1  259:1    0   512M  0 part
└nvme0n1p2  259:3    0  29.5G  0 part

Format the ESP with mkfs.fat(8) to create a FAT32 file system:

# mkfs.fat -F 32 /dev/nvme1n1p1

Format and open the partition with cryptsetup(8):

# cryptsetup luksFormat /dev/nvme1n1p2
# cryptsetup open --allow-discards --persistent /dev/nvme1n1p2 root

These options on the command allow the usage of TRIM. Remove them if you don't want to enable it.

Format the LUKS container with mkfs.btrfs(8):

# mkfs.btrfs /dev/mapper/root

The following subvolumes will be created:

* @ (root subvolume);

* @home (for the /home folder);

* @root (for the /root folder);

* @var (for the /var folder);

* @snapshots (for storing snapshots);

* @swap (for storing the swap file);

* @bootbackup (for storing old versions of the /boot folder).

First, mount the LUKS container to a folder e.g. and go to it with cd(n):

# mount /dev/mapper/root /mnt
# cd /mnt

Next, create the subvolumes with btrfs-subvolume(8):

# btrfs subvolume create @
# btrfs subvolume create @home
# btrfs subvolume create @root
# btrfs subvolume create @var
# btrfs subvolume create @snapshots
# btrfs subvolume create @swap
# btrfs subvolume create @bootbackup

Finally, get out of the folder and unmount the container:

# cd; umount /mnt

# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@ /mnt
# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@home /mnt/home --mkdir
# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@root /mnt/root --mkdir
# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@var /mnt/var --mkdir
# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@bootbackup /mnt/.bootbackup --mkdir
# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@snapshots /mnt/.snapshots --mkdir
# mount /dev/mapper/root -o relatime,compress=zstd:X,subvol=@swap /mnt/.swap --mkdir
# mount /dev/nvme1n1p1 /mnt/boot --mkdir

The parameter in the Btrfs subvolumes is optional. Here is a full explanation.

Use pacstrap(8) to create your new installation:

# pacstrap -K /mnt base linux-lts linux-lts-headers base-devel bash-completion nano git cryptsetup terminus-font

For the console text editor, I use nano. If you prefer something else, go ahead and use it instead.

# genfstab -U /mnt >> /mnt/etc/fstab

You can find more details in genfstab(8).

Before rebooting into my new system, I like to stay in the live environment a bit longer, in order to configure some things.

# arch-chroot /mnt

Even though these were configured before, the file must be edited to make them permanent. An example configuration can be found below:

/etc/vconsole.conf

# Written by systemd-localed(8) or systemd-firstboot(1), read by systemd-localed
# and systemd-vconsole-setup(8). Use localectl(1) to update this file.
# KEYMAP: https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration#Listing_keymaps
# XKBLAYOUT: https://wiki.archlinux.org/title/Xorg/Keyboard_configuration#Setting_keyboard_layout
# XKBMODEL: https://wiki.archlinux.org/title/Xorg/Keyboard_configuration#Setting_keyboard_layout
# XKBOPTIONS: https://wiki.archlinux.org/title/Xorg/Keyboard_configuration#Frequently_used_XKB_options
# FONT: https://wiki.archlinux.org/title/Linux_console#Fonts
KEYMAP=br-abnt2
XKBLAYOUT=br
XKBMODEL=abnt2
XKBOPTIONS=terminate:ctrl_alt_bksp
FONT=ter-v32n

See Xorg/Keyboard_configuration for more details.

Depending on which font you want to use in the console, you may need to install the package that contains said font, e.g. terminus-font.

After completing this section, remember to regenerate the initramfs.

I do this because I never use them, since my fallback is linux-lts, and therefore the fallback initramfs is a waste of space in my case.

Remember to edit the file paths to point to instead of .

First, ensure the configuration directory exists:

# mkdir -p /etc/cmdline.d

Then, add new configuration files, as desired. A few examples are listed below. The represents a value that you must get with the command within the parenthesis and manually substitute in the file (run the commands as root).

/etc/cmdline.d/root.conf

# https://wiki.archlinux.org/title/Btrfs#Mounting_subvolume_as_root
# https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters
cryptdevice=UUID=$(cryptsetup luksUUID /dev/nvme1n1p2):root root=/dev/mapper/root rootfstype=btrfs rootflags=subvol=/@

/etc/cmdline.d/resume.conf

# https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Manually_specify_hibernate_location
# https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Acquire_swap_file_offset
# https://wiki.archlinux.org/title/Dm-crypt/System_configuration#resume
resume=/dev/mapper/root resume_offset=$(btrfs inspect-internal map-swapfile -r /.swap/swapfile)

/etc/cmdline.d/miscellaneous.conf

loglevel=3 rw
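Nothing expands these files through a shell, so a `$(...)` left in place ends up in the kernel command line literally and the encrypted root is never found. The lint below is an added example, not part of the original page: the function names are hypothetical, and the UUID and offset used to exercise it would be constructed values, not ones from this system.

```sh
#!/bin/sh
# Added example (not from the original page): lint the kernel command line
# fragments before the initramfs/UKI is regenerated.
# Function names are hypothetical.

UUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Print one "file: problem" line per finding in the *.conf files under $1.
lint_cmdline_dir() {
    dir=${1:-/etc/cmdline.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Comment lines are skipped, as the examples on this page rely on.
        grep -v '^[[:space:]]*#' "$f" | while IFS= read -r line; do
            case $line in
                *'$('*|*'`'*)
                    # A command substitution that was never replaced by
                    # its output.
                    printf '%s: unsubstituted command: %s\n' "$f" "$line"
                    continue ;;
            esac
            # Check the individual parameters on the line.
            printf '%s\n' "$line" | tr -s ' \t' '\n\n' |
            while IFS= read -r tok; do
                case $tok in
                    cryptdevice=UUID=*)
                        uuid=${tok#cryptdevice=UUID=}
                        uuid=${uuid%%:*}
                        printf '%s\n' "$uuid" | grep -qE "$UUID_RE" ||
                            printf '%s: cryptdevice UUID is malformed: %s\n' "$f" "$uuid"
                        ;;
                    resume_offset=*)
                        off=${tok#resume_offset=}
                        case $off in
                            ''|*[!0-9]*)
                                printf '%s: resume_offset is not a number: %s\n' "$f" "$off" ;;
                        esac
                        ;;
                esac
            done
        done
    done
}

# Succeeds only when the lint reports nothing.
cmdline_dir_ok() {
    [ -z "$(lint_cmdline_dir "$1")" ]
}

# Usage (as root, before regenerating the initramfs):
#   lint_cmdline_dir /etc/cmdline.d
```
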

Nothing needs to be done right now, sbctl will take care of this step after we set it up.

/etc/mkinitcpio.conf

...
MODULES=(btrfs dell_smm_hwmon dell_smbios dcdbas i915)
...

/etc/mkinitcpio.conf

...
HOOKS=(base udev autodetect microcode keyboard block modconf kms keymap consolefont encrypt filesystems fsck)
...

First, select your time zone:

# ln -s /usr/share/zoneinfo/Region/City /etc/localtime

Then, synchronize your hardware clock with hwclock(8):

# hwclock --systohc --utc

Finally, enable the NTP daemon so your clock is automatically and periodically synced.

# passwd

Also consider installing and configuring a privilege escalation tool, like sudo, and then restricting the root user.

# useradd -m -g users -G wheel,storage,power,audio -s /usr/bin/bash yourusername

Also set a password for your user account:

# passwd yourusername

To allow your new user account to have root privileges via sudo, run visudo(8) to edit the file:

# EDITOR=nano visudo

Write the line shown below, at the end of the file:

/etc/sudoers.tmp

...
yourusername ALL=(ALL:ALL) ALL
...

Optionally, you can configure sudo to only accept the root user's password for authentication, instead of your user's password. However, if you choose to do so, then you absolutely cannot disable root!

/etc/security/limits.conf

...
# https://wiki.archlinux.org/title/Limits.conf
#<domain> <type> <item> <value>
...
* soft core 0 # Prevent corefiles from being generated by default.
* hard core unlimited # Allow corefiles to be temporarily enabled.
* hard nice -19 # Prevent non-root users from running a process at minimal niceness.
root hard nice -20 # Allows root to run a process at minimal niceness to fix the system when unresponsive.
* hard nofile 65535
* soft nofile 8192 # Required for certain games to run.
* soft nproc 4096 # Prevent fork-bombs from taking out the system.
* hard nproc 8192
root hard nproc 65536 # Prevent root from not being able to launch enough processes.
* soft priority 0 # Set the default priority to neutral niceness.

# pacman-key --init
# pacman-key --populate archlinux

I like to use 7 concurrent downloads.

Inside , on the section, uncomment (remove the symbol at the beginning of) the line and add below:

/etc/pacman.conf

...
[options]
...
# Misc options
...
Color
...
ILoveCandy
...

# mkdir -p /etc/pacman.d/hooks

Below is an example hook I use (and so should you):

/etc/pacman.d/hooks/zzz-data-sync.hook

# https://man.archlinux.org/man/alpm-hooks.5#EXAMPLES
# Force disks to sync to reduce the risk of data corruption
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *
[Action]
Description = Syncing disks...
Depends = coreutils
When = PostTransaction
Exec = /usr/bin/sync

See alpm-hooks(5) for more details.

Install pacman-contrib and enable . Optionally, you can customize paccache by editing . An example configuration can be found below:

# https://bbs.archlinux.org/viewtopic.php?pid=2013004#p2013004
# Remove all cached versions of uninstalled packages; Keep only 1 previous version of installed packages in the cache
[Service]
ExecStart=
ExecStart=/usr/bin/paccache -ruk0 ; /usr/bin/paccache -rk1
# Correct way to run multiple commands in sequence found here: https://bbs.archlinux.org/viewtopic.php?pid=2012970#p2012970

Install networkmanager and enable

For a full explanation, read hosts(5). A template is shown below:

/etc/hosts

# Static table lookup for hostnames.
# See hosts(5) for details.
####################################################################
# The following lines are desirable for IPv4 capable hosts
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
127.0.1.1 localhost
127.0.1.1 localhost.localdomain
####################################################################
# The following lines are desirable for IPv6 capable hosts
::1 localhost
::1 localhost.localdomain
::1 ip6-localhost
::1 ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
ff02::4 ip6-allrouters-mcast
ff02::5 ip6-ospf-routers
ff02::6 ip6-ospf-designated-routers
ff02::9 ip6-rip-routers

Ensure the hook is present within the array inside and then install intel-ucode.

/boot/loader/loader.conf

# https://wiki.archlinux.org/title/Systemd-boot#Loader_configuration
# https://man.archlinux.org/man/loader.conf.5#OPTIONS
timeout 10
console-mode keep
editor no
auto-firmware yes
beep no

No boot entries are required, since we are using UKIs, which systemd-boot automatically recognizes.

However, you may wish to create boot entries for other purposes. Some examples can be found in my GitHub repository.

Uncomment the entries in for the languages you want. For example:

/etc/locale.gen

...
en_US.UTF-8 UTF-8
...
fr_FR.UTF-8 UTF-8
...
pt_BR.UTF-8 UTF-8
...

Next, generate the locales:

# locale-gen

Finally, set the desired language for the system:

/etc/locale.conf

...
LANG=pt_BR.UTF-8

This setting will take effect after rebooting. If you want it to take effect immediately, run:

# export LANG=pt_BR.UTF-8

/etc/mkinitcpio.conf

...
HOOKS=(... resume)
...

Use the free(1) command to get the total size, in bytes, of the system's RAM:

# free -b
               total        used        free      shared  buff/cache   available
Mem.:    33307652096 14337105920  4296572928  9928708096 25083359232 18970546176
Swap:    34359734272           0 34359734272

Then follow this section.

# pacman -S --needed linux-firmware-intel linux-firmware-nvidia linux-firmware-other linux-firmware-realtek

# pacman -S --needed btrfs-progs ntfs-3g exfatprogs dosfstools

# pacman -S --needed alacritty ttf-jetbrains-mono-nerd ttf-input-nerd ttf-hack-nerd

Here's an example configuration for Alacritty.

/home/youruser/.config/alacritty/alacritty.toml

# Extra settings can be found here: https://github.com/alacritty/alacritty/blob/master/extra/man/alacritty.5.scd
# And here: https://alacritty.org/config-alacritty.html
####################################################################
[cursor]
blink_interval = 500 # Milliseconds
blink_timeout = 0
unfocused_hollow = true
[cursor.style]
shape = "Block"
blinking = "Always"
####################################################################
# Make sure the font you want to use is installed. If not, search for it and use pacman to install it
# Example with JetBrains Mono Nerd Font: sudo pacman -S --needed ttf-jetbrains-mono-nerd
[font]
size = 12.0
[font.bold]
family = "JetBrains Mono Nerd Font"
style = "Bold"
[font.bold_italic]
family = "JetBrains Mono Nerd Font"
style = "Bold Italic"
[font.italic]
family = "JetBrains Mono Nerd Font"
style = "Italic"
[font.normal]
family = "JetBrains Mono Nerd Font"
style = "Regular"
####################################################################
# Select a color theme
# Here's a good repository: https://github.com/alacritty/alacritty-theme
[general]
import = [ "~/.config/alacritty/themes/xterm.toml" ]
####################################################################
[scrolling]
history = 5000
####################################################################
[terminal.shell]
program = "/usr/bin/bash"
####################################################################
[window]
opacity = 1
#padding.x = 10
#padding.y = 10
decorations = "Full"
decorations_theme_variant = "Dark" # Accepts "Light", "Dark" or "None" (which uses the system configuration)
dynamic_title = true
[window.dimensions]
lines = 42
columns = 117

# pacman -S --needed mesa lib32-mesa vulkan-intel lib32-vulkan-intel opencl-mesa lib32-opencl-mesa

Create the module configuration file. Here's an example configuration:

# The parameters were taken from the following pages
# 1st parameter: https://wiki.archlinux.org/title/Intel_graphics#Framebuffer_compression_(enable_fbc)
# 2nd parameter: https://wiki.archlinux.org/title/Intel_graphics#Fastboot
# 3rd parameter: https://wiki.archlinux.org/title/Intel_graphics#Enable_GuC_/_HuC_firmware_loading
options i915 enable_fbc=1 fastboot=1 enable_guc=3

# pacman -S --needed libpipewire libwireplumber pipewire pipewire-alsa pipewire-audio pipewire-jack pipewire-libcamera pipewire-pulse wireplumber lib32-libpipewire lib32-pipewire lib32-pipewire-jack alsa-firmware sof-firmware

After installing Plasma, install archlinux-xdg-menu and run the command below:

# ln -s /etc/xdg/menus/arch-applications.menu /etc/xdg/menus/applications.menu

See this forum thread for more details and also other options.

Also uninstall SDDM and kwin-x11.

I reboot now because having a GUI will make the next steps much easier to follow.

After rebooting, repeatedly press the key to enter the firmware menu, go to Boot configuration and put systemd's entry at the top of the boot order. Save the changes and exit.

After logging in with your regular user account, connect to the internet and launch Plasma manually from the CLI.

Use the systemd unit provided by btrfs-progs.

First, ensure that base-devel and git are installed.

Then, choose and install an AUR helper (I personally like yay):

$ cd /tmp
$ git clone https://aur.archlinux.org/yay.git
# chown -R mr_robot:users yay/
$ cd yay/
$ makepkg -sic

$ yay -S linux-bazzite-bin

Repeat Section 3.4.

I will be using Dolphin.

I will be using Kate.

I will be using VLC and FFmpeg.

systemd-boot will automatically create a new entry if an EFI binary is present at . To automate the creation and removal of this file in the ESP, you can use the following pacman hooks.

/etc/pacman.d/hooks/80-efi-shell-copy.hook

# Automatically perform the step at https://wiki.archlinux.org/title/Systemd-boot#UEFI_Shells_or_other_EFI_applications
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = edk2-shell
[Action]
Description = Copying the shell EFI file to /boot...
Depends = coreutils
When = PostTransaction
Exec = /usr/bin/cp /usr/share/edk2-shell/x64/Shell.efi /boot/shellx64.efi --force

/etc/pacman.d/hooks/80-efi-shell-remove.hook

# Automatically undo the step at https://wiki.archlinux.org/title/Systemd-boot#UEFI_Shells_or_other_EFI_applications
[Trigger]
Operation = Remove
Type = Package
Target = edk2-shell
[Action]
Description = Removing the shell EFI file inside /boot...
Depends = coreutils
When = PostTransaction
Exec = /usr/bin/rm /boot/shellx64.efi --force

After setting them up, install edk2-shell.

I will be using Ark.

# flatpak install com.rtosta.zapzap

# flatpak install com.obsproject.Studio

# flatpak install dev.vencord.Vesktop

# flatpak install io.missioncenter.MissionCenter

# flatpak install io.github.ungoogled_software.ungoogled_chromium

# flatpak install org.onlyoffice.desktopeditors

# flatpak install io.gitlab.librewolf-community

Flatpak can automatically detect installed packages that are no longer required. Periodically run the following command:

# flatpak uninstall --unused

A GUI system monitor (Mission Center) was already installed, but it's also good to have one with a TUI. I like btop.

Add the following to :

~/.bashrc

# DON'T CHANGE THIS FILE
# You can define your custom configuration by adding/editing files in ~/.config/bashrc
for file in "$HOME"/.config/bashrc/*; do
    [ -f "$file" ] && [ -r "$file" ] && [ -s "$file" ] || continue
    if ! . "$file"; then
        printf 'Failed to load: %s\n' "$file" >&2
    fi
done
# -f checks if $file exists and it's a regular file;
# -r checks if $file is readable;
# -s checks if $file isn't empty;

My personal bashrc configuration can be found in my GitHub repository.

Add the following to :

~/.bash_profile

# DON'T CHANGE THIS FILE
# You can define your custom configuration by adding/editing files in ~/.config/bashprofile
for file in "$HOME"/.config/bashprofile/*; do
    [ -f "$file" ] && [ -r "$file" ] && [ -s "$file" ] || continue
    if ! . "$file"; then
        printf 'Failed to load: %s\n' "$file" >&2
    fi
done
####################################################################
[ -f "$HOME"/.bashrc ] && [ -r "$HOME"/.bashrc ] && [ -s "$HOME"/.bashrc ] && . "$HOME"/.bashrc
# -f checks if $file exists and it's a regular file;
# -r checks if $file is readable;
# -s checks if $file isn't empty;

My personal bash_profile configuration can also be found in my GitHub repository.

# pacman -S --needed efitools sbsigntools sbctl curl openssl dkms efibootmgr mokutil

You can create a directory anywhere, I like to create one inside :

# mkdir -p /root/secureboot

Make sure only root has any access to this directory:

# chmod -R 0700 /root/secureboot

Then create the subdirectories:

# mkdir -p /root/secureboot/{keys,backup_keys,MS}
# mkdir -p /root/secureboot/keys/{AUTH,db,KEK,MOK,PK}
# mkdir -p /root/secureboot/keys/AUTH/{db,KEK,PK}

# cd /root/secureboot/backup_keys
# for var in PK KEK db dbx ; do efi-readvar -v "$var" -o "old_${var}.esl" ; done

You can use sig-list-to-certs(1) to get the certificates from the ESL files and then use openssl-x509(1ssl) to print their contents in human-readable text.

# uuidgen --random > /root/secureboot/GUID.txt

# cd /root/secureboot/keys/PK

# openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 7300 -subj "/CN=Mr. Robot Alienware Platform Key/" -out PK.crt

# openssl x509 -outform DER -in PK.crt -out PK.cer

# cert-to-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" PK.crt PK.esl

# sign-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth

# cp PK.auth /root/secureboot/keys/AUTH/PK/

# openssl x509 -in PK.cer -inform DER -out PK.pem -outform PEM

Also sign an empty file to allow removal of the PK:

# sign-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" -c PK.crt -k PK.key PK /dev/null /root/secureboot/noPK.auth

# cd /root/secureboot/keys/KEK

# openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 7300 -subj "/CN=Mr. Robot Alienware Key Exchange Key/" -out KEK.crt

# openssl x509 -outform DER -in KEK.crt -out KEK.cer

# cert-to-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" KEK.crt KEK.esl

# sign-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" -k /root/secureboot/keys/PK/PK.key -c /root/secureboot/keys/PK/PK.crt KEK KEK.esl KEK.auth

# cp KEK.auth /root/secureboot/keys/AUTH/KEK/

# openssl x509 -in KEK.cer -inform DER -out KEK.pem -outform PEM

# cd /root/secureboot/keys/db

# openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 7300 -subj "/CN=Mr. Robot Alienware Signature Database key/" -out db.crt

# openssl x509 -outform DER -in db.crt -out db.cer

# cert-to-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" db.crt db.esl

# sign-efi-sig-list -g "$(< /root/secureboot/GUID.txt)" -k /root/secureboot/keys/KEK/KEK.key -c /root/secureboot/keys/KEK/KEK.crt db db.esl db.auth

# cp db.auth /root/secureboot/keys/AUTH/db/

# openssl x509 -in db.cer -inform DER -out db.pem -outform PEM

# cd /root/secureboot/keys/MOK

# openssl req -newkey rsa:2048 -nodes -keyout MOK.key -new -x509 -sha256 -days 7300 -out MOK.crt -subj "/CN=Mr. Robot Alienware Machine Owner Key/" -addext "extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2"

# openssl x509 -in MOK.crt -out MOK.cer -outform DER

# cp MOK.cer MOK.pub

# cd /root/secureboot/MS

# curl -o MicWinProPCA2011_2011-10-19.crt https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt

# curl -o "windows uefi ca 2023.crt" https://www.microsoft.com/pkiops/certs/windows%20uefi%20ca%202023.crt

# curl -o MicCorUEFCA2011_2011-06-27.crt https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

# curl -o "microsoft uefi ca 2023.crt" https://www.microsoft.com/pkiops/certs/microsoft%20uefi%20ca%202023.crt

# curl -o MicCorKEKCA2011_2011-06-24.crt https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt

# curl -o "microsoft corporation kek 2k ca 2023.crt" https://www.microsoft.com/pkiops/certs/microsoft%20corporation%20kek%202k%20ca%202023.crt

# echo 77fa9abd-0359-4d32-bd60-28f4e78f784b > MS_GUID.txt

# sbsiglist --owner "$(< MS_GUID.txt)" --type x509 --output MS_Win_db_2011.esl MicWinProPCA2011_2011-10-19.crt

# sbsiglist --owner "$(< MS_GUID.txt)" --type x509 --output MS_Win_db_2023.esl "windows uefi ca 2023.crt"

# sbsiglist --owner "$(< MS_GUID.txt)" --type x509 --output MS_UEFI_db_2011.esl MicCorUEFCA2011_2011-06-27.crt

# sbsiglist --owner "$(< MS_GUID.txt)" --type x509 --output MS_UEFI_db_2023.esl "microsoft uefi ca 2023.crt"

# cat MS_Win_db_2011.esl MS_Win_db_2023.esl MS_UEFI_db_2011.esl MS_UEFI_db_2023.esl > MS_db.esl

# sbsiglist --owner "$(< MS_GUID.txt)" --type x509 --output MS_Win_KEK_2011.esl MicCorKEKCA2011_2011-06-24.crt

# sbsiglist --owner "$(< MS_GUID.txt)" --type x509 --output MS_Win_KEK_2023.esl "microsoft corporation kek 2k ca 2023.crt"

# cat MS_Win_KEK_2011.esl MS_Win_KEK_2023.esl > MS_Win_KEK.esl

Now you should have a key and a key. They must be signed with your KEK and PK, respectively:

# sign-efi-sig-list -a -g "$(< MS_GUID.txt)" -k /root/secureboot/keys/KEK/KEK.key -c /root/secureboot/keys/KEK/KEK.crt db MS_db.esl add_MS_db.auth

# cp add_MS_db.auth /root/secureboot/keys/AUTH/db/

# sign-efi-sig-list -a -g "$(< MS_GUID.txt)" -k /root/secureboot/keys/PK/PK.key -c /root/secureboot/keys/PK/PK.crt KEK MS_Win_KEK.esl add_MS_Win_KEK.auth

# cp add_MS_Win_KEK.auth /root/secureboot/keys/AUTH/KEK/

We want the and files inside , because of the NVRAM entry that will be created later [2]. To automate this, you can use the following pacman hooks:

/etc/pacman.d/hooks/92-shim-copy.hook

[Trigger]
Type = Package
Target = shim-signed
Operation = Install
Operation = Upgrade
[Action]
Depends = coreutils
Description = Copying shimx64.efi and mmx64.efi into /boot/EFI/systemd...
When = PostTransaction
Exec = /usr/bin/cp /usr/share/shim-signed/shimx64.efi /usr/share/shim-signed/mmx64.efi /boot/EFI/systemd/ --force

/etc/pacman.d/hooks/92-shim-remove.hook

[Trigger]
Type = Package
Target = shim-signed
Operation = Remove
[Action]
Depends = coreutils
Description = Removing shimx64.efi and mmx64.efi from /boot/EFI/systemd...
When = PreTransaction
Exec = /usr/bin/rm /boot/EFI/systemd/shimx64.efi /boot/EFI/systemd/mmx64.efi --force

After setting them up, install shim-signed.

By default, shim will try to load an EFI file named . Although this can be overridden, it is more foolproof to rely on this default. Create the following script:

/usr/local/sbin/systemd-boot-setup-for-shim.bash

#!/usr/bin/env bash
# Inspired by https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim_with_key
# This script creates the grubx64.efi file and signs it with a custom MOK.
# It is meant to be run by systemd-boot-update.service
systemd_file=/boot/EFI/systemd/systemd-bootx64.efi
grub_file=/boot/EFI/systemd/grubx64.efi
key=/root/secureboot/keys/MOK/MOK.key
cert=/root/secureboot/keys/MOK/MOK.crt
cp "$systemd_file" "$grub_file" --force
if ! sbverify --cert "$cert" "$grub_file" &>/dev/null; then
    sbsign --key "$key" --cert "$cert" --output "$grub_file" "$grub_file"
fi

Remember to make it executable.

Edit and add the instruction below to automatically run this script after every systemd-boot upgrade:

[Service]
ExecStartPost=/usr/bin/bash /usr/local/sbin/systemd-boot-setup-for-shim.bash

sbctl will automatically keep track of signed files via pacman hooks. Import your custom keys and GUID:

# sbctl import-keys -d /root/secureboot/keys --force

# cp /root/secureboot/GUID.txt /var/lib/sbctl/GUID

Then, sign systemd-boot and restart .

Finally, regenerate the initramfs and sign all files needed for Secure Boot.

# efibootmgr --disk /dev/nvme1n1 --part 1 --create --label "Systemd-boot via Shim" --loader "\EFI\systemd\shimx64.efi" --unicode

By default, DKMS uses a MOK that it creates after installation. Create the following file to override this behaviour and make DKMS use your MOK instead:

/etc/dkms/framework.conf.d/custom_mok.conf

# Tell DKMS to use my custom MOK's
mok_signing_key=/root/secureboot/keys/MOK/MOK.key
mok_certificate=/root/secureboot/keys/MOK/MOK.pub

This procedure allows the modules built to be loaded when restricted module loading is enabled. To verify if a module is loaded, you can use lsmod(8) or modinfo(8).

I personally use the manual method. First copy the keys into the ESP:

# mkdir -p /boot/sb-keys/{AUTH,MOK}

# cp -r /root/secureboot/keys/AUTH/* /boot/sb-keys/AUTH/

# cp /root/secureboot/keys/MOK/MOK.cer /boot/sb-keys/MOK/
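The ESP is the one partition in this layout that sits outside the LUKS container, so only public material (the signed .auth updates and the MOK certificate) belongs in /boot/sb-keys, while the .key files must stay in the root-only key store. The check below is an added example, not part of the original page: the function names are hypothetical, the default paths are the ones used above, and the content test only recognises PEM-encoded keys, which is what the openssl commands on this page produce.

```sh
#!/bin/sh
# Added example (not from the original page): audit the Secure Boot key
# store and the copy staged on the ESP before rebooting into the firmware.
# Function names are hypothetical; default paths are the ones used above.

# PEM header of an unencrypted or encrypted private key (PKCS#8, RSA, EC...).
PRIVATE_RE='-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'

# Print every file under $1 that looks like private key material:
# named *.key, or containing a PEM private-key header.
find_private_keys() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case $f in
            *.key) printf '%s\n' "$f"; continue ;;
        esac
        if grep -qE -e "$PRIVATE_RE" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Print "mode path" for the key store directory itself and for every
# *.key file in it whose mode grants any access to group or others.
find_loose_permissions() {
    { printf '%s\n' "$1"; find "$1" -type f -name '*.key' | sort; } |
    while IFS= read -r p; do
        mode=$(stat -c '%a' "$p") || continue
        # The leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$p"
        fi
    done
}

# Return 0 when both checks pass, 1 on a finding, 2 on a missing directory.
audit_secureboot() {
    keystore=${1:-/root/secureboot}
    staging=${2:-/boot/sb-keys}
    status=0
    for d in "$keystore" "$staging"; do
        [ -d "$d" ] || { printf 'missing directory: %s\n' "$d" >&2; return 2; }
    done
    loose=$(find_loose_permissions "$keystore")
    if [ -n "$loose" ]; then
        printf 'Accessible to group/others:\n%s\n' "$loose" >&2
        status=1
    fi
    leaked=$(find_private_keys "$staging")
    if [ -n "$leaked" ]; then
        printf 'Private key material on the ESP:\n%s\n' "$leaked" >&2
        status=1
    fi
    return $status
}

# Usage (as root, after the cp commands above):
#   audit_secureboot
```
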

Then, reboot into the firmware menu:

# systemctl reboot --firmware-setup

Go into Boot Configuration, put your custom NVRAM entry as the first in the boot order, enable Secure Boot and put it in Deployed Mode.

Now, do the steps listed below for PK, KEK and db:

1. Delete all keys and select Replace from File;

2. Add your custom key by navigating through the ESP;

3. Append (do not replace) the relevant Microsoft file.

Save your changes and reboot. Shim will automatically launch MokManager, which will allow you to add your MOK.

If it doesn't launch, you can manually import your MOK with mokutil. See mokutil(1), this page and this link for more details on MOK management.

Install the following packages:

# pacman -S --needed nvidia-open-dkms nvidia-prime nvidia-utils nvidia-settings libglvnd opencl-nvidia lib32-nvidia-utils lib32-libglvnd lib32-opencl-nvidia ffnvcodec-headers nvtop

Add the relevant modprobe files and udev files.

Also enable the services below:

# systemctl enable nvidia-hibernate.service nvidia-persistenced.service nvidia-resume.service nvidia-suspend.service nvidia-suspend-then-hibernate.service

My Bash configuration will automatically configure the environment variables. Therefore, all that is left to do is install the relevant packages.

# pacman -S --needed intel-media-driver libva-nvidia-driver libva-utils lib32-libva libva

# pacman -S --needed libvdpau libvdpau-va-gl vdpauinfo lib32-libvdpau

# pacman -S --needed vulkan-intel vulkan-mesa-layers vulkan-tools lib32-vulkan-intel lib32-vulkan-mesa-layers

# pacman -S --needed libvpl vpl-gpu-rt

My current printer is a Canon E4210. To use it, installing Canon's PPD driver is mandatory.

First, follow CUPS and SANE. Then, install canon-pixma-ts5055-complete, start and add the printer in CUPS' web interface.

I use auto-cpufreq. Here's an example configuration file:

/etc/auto-cpufreq.conf

# Sourced from https://github.com/AdnanHodzic/auto-cpufreq?tab=readme-ov-file#4-auto-cpufreq-config-file

# settings for when connected to a power source
[charger]
# see available governors by running: cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors
# preferred governor
governor = performance

# EPP: see available preferences by running: cat /sys/devices/system/cpu/cpu0/cpufreq/energy_performance_available_preferences
energy_performance_preference = performance

# EPB (Energy Performance Bias) for the intel_pstate driver
# see conversion info: https://www.kernel.org/doc/html/latest/admin-guide/pm/intel_epb.html
# available EPB options include a numeric value between 0-15
# (where 0 = maximum performance and 15 = maximum power saving),
# or one of the following strings:
# performance (0), balance_performance (4), default (6), balance_power (8), or power (15)
# if the parameter is missing in the config and the hardware supports this setting, the default value will be used
# the default value is 'balance_performance' (for charger)
energy_perf_bias = performance

# Platform Profiles
# https://www.kernel.org/doc/html/latest/userspace-api/sysfs-platform_profile.html
# See available options by running:
# cat /sys/firmware/acpi/platform_profile_choices
platform_profile = balanced-performance

# minimum cpu frequency (in kHz)
# example: for 800 MHz = 800000 kHz --> scaling_min_freq = 800000
# see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
# to use this feature, uncomment the following line and set the value accordingly
scaling_min_freq = 800000

# maximum cpu frequency (in kHz)
# example: for 1GHz = 1000 MHz = 1000000 kHz -> scaling_max_freq = 1000000
# see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
# to use this feature, uncomment the following line and set the value accordingly
# 5.4 GHz
scaling_max_freq = 5400000

# turbo boost setting. possible values: always, auto, never
turbo = auto

# settings for when using battery power
[battery]
# see available governors by running: cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors
# preferred governor
governor = powersave

# EPP: see available preferences by running: cat /sys/devices/system/cpu/cpu0/cpufreq/energy_performance_available_preferences
energy_performance_preference = power

# EPB (Energy Performance Bias) for the intel_pstate driver
# see conversion info: https://www.kernel.org/doc/html/latest/admin-guide/pm/intel_epb.html
# available EPB options include a numeric value between 0-15
# (where 0 = maximum performance and 15 = maximum power saving),
# or one of the following strings:
# performance (0), balance_performance (4), default (6), balance_power (8), or power (15)
# if the parameter is missing in the config and the hardware supports this setting, the default value will be used
# the default value is 'balance_power' (for battery)
energy_perf_bias = power

# Platform Profiles
# https://www.kernel.org/doc/html/latest/userspace-api/sysfs-platform_profile.html
# See available options by running:
# cat /sys/firmware/acpi/platform_profile_choices
platform_profile = quiet

# minimum cpu frequency (in kHz)
# example: for 800 MHz = 800000 kHz --> scaling_min_freq = 800000
# see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
# to use this feature, uncomment the following line and set the value accordingly
scaling_min_freq = 800000

# maximum cpu frequency (in kHz)
# see conversion info: https://www.rapidtables.com/convert/frequency/mhz-to-hz.html
# example: for 1GHz = 1000 MHz = 1000000 kHz -> scaling_max_freq = 1000000
# to use this feature, uncomment the following line and set the value accordingly
# 3.6 GHz
scaling_max_freq = 3600000

# turbo boost setting (always, auto, or never)
turbo = never

# battery charging threshold
# reference: https://github.com/AdnanHodzic/auto-cpufreq/#battery-charging-thresholds
#enable_thresholds = true
#start_threshold = 30
#stop_threshold = 85

You need to perform the steps listed here before proceeding with any undervolting.

This setting is inside the "hidden" firmware menu. To access it, follow the steps below:

* Navigate to this GitHub repository, download the compressed folder and extract it somewhere;

* Grab a USB flash drive, format it with FAT32 and copy the extracted folder's contents to it;

* Reboot, enter the firmware menu by pressing repeatedly and disable Secure Boot;

* Save and exit, launch the boot menu by pressing repeatedly and select your USB drive;

* Go into the Intel Advanced Menu > OverClocking Performance Menu and disable UnderVolt Protection;

* Save and reboot. Now you may turn Secure Boot back on if you wish.

Here's a video walkthrough.

/etc/intel-undervolt.conf

# Enable or Disable Triggers (elogind)
# Usage: enable [yes/no]
enable yes

# CPU Undervolting
# Usage: undervolt ${index} ${display_name} ${undervolt_value}
# Example: undervolt 2 'CPU Cache' -25.84 (this value is in mV)
undervolt 0 'CPU' -100
undervolt 1 'GPU' -70
undervolt 2 'CPU Cache' -100
undervolt 3 'System Agent' -70
undervolt 4 'Analog I/O' -70

# Power Limits Alteration
# Usage: power ${domain} ${short_power_value} ${long_power_value}
# Power value: ${power}[/${time_window}][:enabled][:disabled]
# Domains: package
# Example: power package 45 35
# Example: power package 45/0.002 35/28
# Example: power package 45/0.002:disabled 35/28:enabled
power package 157/5:disabled 150:enabled

# Critical Temperature Offset Alteration
# Usage: tjoffset ${temperature_offset}
# Example: tjoffset -20
tjoffset -10

# Energy Versus Performance Preference Switch
# Usage: hwphint ${mode} ${algorithm} ${load_hint} ${normal_hint}
# Hints: see energy_performance_available_preferences
# Modes: switch, force
# Load algorithm: load:${capture}:${threshold}
# Power algorithm: power[:${domain}:[gt/lt]:${value}[:[and/or]]...]
# Capture: single, multi
# Threshold: CPU usage threshold
# Domain: RAPL power domain, check with 'intel-undervolt measure'
# Example: hwphint force load:single:0.8 performance balance_performance
# Example: hwphint switch power:core:gt:8 performance balance_performance

# Daemon Update Interval
# Usage: interval ${interval_in_milliseconds}
# 5 minutes
interval 300000

# Daemon Actions
# Usage: daemon action[:option...]
# Actions: undervolt, power, tjoffset
# Options: once
daemon undervolt
daemon power
daemon tjoffset

Only after testing the stability of your system, enable either or .

The information presented here was compiled from this GitHub discussion, this Reddit post (big shoutout to u/rexpulli) and this article.

Throughout this section, you are advised to use a GPU benchmark to test the GPU's stability. I used Unigine Heaven; it's available on the AUR as unigine-heaven. There are other Unigine and non-Unigine benchmarks available as well.

1. Check if your laptop supports Dynamic Boost. If so, make sure nvidia-utils is installed, and enable . You can read more about it here and in Chapter 23 of the Nvidia docs, accessible here. You will need to navigate down the tree to the documentation (README file) of your driver's current version. In said chapter, there's a manual step that needs to be done, which is the copying of the file to .

2. Install python-nvidia-ml-py.

3. Create the following Python script:

/usr/local/sbin/nvidia-undervolt.py

#!/usr/bin/env python
# Adapted from https://wiki.archlinux.org/title/NVIDIA/Tips_and_tricks#Simple_overclocking_script_using_NVML
# And also https://www.reddit.com/r/linux_gaming/comments/1fm17ea/comment/lo7mo09

from pynvml import *
from ctypes import byref

nvmlInit()

# This sets the GPU to adjust - if this gives you errors or you have multiple GPUs, set to 1 or try other values.
myGPU = nvmlDeviceGetHandleByIndex(0)
##print(f"myGPU value: {myGPU}")

# Figure out the minimum and maximum power values allowed.
##min_power, max_power = nvmlDeviceGetPowerManagementLimitConstraints(myGPU)
##print(f"Allowed range: {min_power} mW to {max_power} mW")

# The power limit can be set below in mW - 216W becomes 216000, etc.
# This value must be within the minimum and maximum allowed power limits.
# Remove or comment out the line below if you don't want to adjust power limits.
nvmlDeviceSetPowerManagementLimit(myGPU, 140000)

# Define the minimum and maximum clocks allowed.
# The clocks supported by your GPU can be verified with:
# nvidia-smi -q -d SUPPORTED_CLOCKS
nvmlDeviceSetGpuLockedClocks(myGPU,210,2340)

####################################
# ============ P0 State ============
####################################

# ============ Memory ============
# Uncomment and edit this section if desired.
# Note: The memory clock offset should be **multiplied by 2**.
# E.g. a desired offset of 500 means inserting a value of 1000 in the clockOffsetMHz line.
##infoMemP0 = c_nvmlClockOffset_t()
##infoMemP0.version = nvmlClockOffset_v1
##infoMemP0.type = NVML_CLOCK_MEM
##infoMemP0.pstate = NVML_PSTATE_0
##infoMemP0.clockOffsetMHz = 2000
### This offset is simply how much faster your memory will run.
### E.g. instead of running at 8000 MHz, the memory will run at 8000 + (2000 / 2) = 9000 MHz.
##nvmlDeviceSetClockOffsets(myGPU, byref(infoMemP0))

# ============ Core =============
infoCoreP0 = c_nvmlClockOffset_t()
infoCoreP0.version = nvmlClockOffset_v1
infoCoreP0.type = NVML_CLOCK_GRAPHICS
infoCoreP0.pstate = NVML_PSTATE_0
infoCoreP0.clockOffsetMHz = 270
## What this offset means is: The frequency-voltage curve is lifted up by 270 MHz.
## E.g. the voltage value originally assigned to 2070 MHz will now be used at 2070 + 270 = 2340 MHz.
nvmlDeviceSetClockOffsets(myGPU, byref(infoCoreP0))

nvmlShutdown()

Remember to make the script executable.

The details of the functions used can be read in Section 4.18 of the NVML API documentation.

If you want to configure other P-states aside from P0, check this Reddit post for advice.

4. Create a systemd service:

# systemctl edit --force --full nvidia-undervolt.service

This opens a new file with a text editor. Copy the contents below and save the file:

[Unit]
Description=Undervolt the Nvidia GPU

[Service]
Type=oneshot
ExecStart=/usr/bin/python /usr/local/sbin/nvidia-undervolt.py
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=graphical.target

Start the service and test your configuration. Only after verifying that your system is stable (e.g. Heaven doesn't freeze/crash, no graphical glitches appear, etc.), enable the service so the settings are applied after every startup, if desired.

I will install Windows on the 1TiB SSD. First create a debloated ISO and then install it normally.

Since Windows has a superiority complex, during installation it will create a boot entry in the firmware and place it as the first option. To fix this, wait until the installation is complete, reboot into the firmware and put systemd-boot as the first option again.

Open as admin, go to , create a DWORD variable called and set its value to 0.

To enable hibernation, in the same registry path, create a DWORD variable called and set its value to 1. Then, open a cmd or PowerShell window as admin and run:

> powercfg /H on

If you followed these instructions so far, then you are installing Windows after installing Arch. So, even though Windows is installed in a separate drive, it will use the ESP created during the installation of Arch. This is not necessarily a bad thing: systemd-boot will automatically create an entry for Windows because of this.

However, if you prefer to keep the two OSes completely physically separate (which isn't a bad idea), then boot into Windows, create a new ESP in Windows' drive and create new boot files with . This video by Chris Titus Tech shows how to do so. The TL;DW of it is:

1. Reduce Windows' partition size by ~128MB;

2. Use the freshly made empty space to create a new partition;

3. Format this new partition with FAT32;

4. Mount the partition (assign a letter to it, e.g. );

5. Create boot files with ;

6. Unmount (unassign the letter of) the partition, so Windows doesn't remount it after rebooting;

7. Boot into Arch and delete the files added by Windows to Arch's ESP.

First, make sure ntfs-3g is installed. Then, choose a location to mount Windows on, e.g. . Run the following command to add an entry to . Shoutout to Mutahar @ SomeOrdinaryGamers, from whom I learned this trick:

# echo "UUID=$(blkid -s UUID -o value /dev/nvmeXnYpZ) /mnt/windows ntfs-3g rw,nosuid,nodev,noexec,user_id=0,group_id=0,allow_other,blksize=4096,x-systemd.automount 0 0" >> /etc/fstab

Remember to replace with the correct partition. Use lsblk(8) to identify it.

If you created a new ESP for Windows, you can use the same logic to mount it on Arch as well (I used as an example mount point):

# echo "UUID=$(blkid -s UUID -o value /dev/nvmeXnYpZ) /boot/windows vfat rw,nosuid,nodev,noexec,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro,x-systemd.automount 0 0" >> /etc/fstab
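An added example, not part of the original article: a guarded form of the two `echo ... >> /etc/fstab` commands above. The helper name add_fstab_entry is hypothetical; it refuses an empty UUID (which is what the command substitution yields when the device path is wrong) and does not append a second line for a mount point that is already listed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page).
# add_fstab_entry is a hypothetical helper name.
#
# Usage: add_fstab_entry <fstab-file> <uuid> <mountpoint> <fstype> <options>
# Returns 0 after appending, 1 on bad input, 2 if the mount point is already listed.
add_fstab_entry() {
    local fstab="$1" uuid="$2" mountpoint="$3" fstype="$4" options="$5"
    local field

    # $(blkid -s UUID -o value ...) expands to nothing for a wrong device,
    # which would otherwise write a broken "UUID= ..." line.
    if [ -z "$uuid" ]; then
        echo "refusing to write: empty UUID (check the device path)" >&2
        return 1
    fi

    # fstab fields are whitespace-separated, so none may be empty or contain whitespace.
    for field in "$uuid" "$mountpoint" "$fstype" "$options"; do
        case $field in
            ''|*[[:space:]]*)
                echo "invalid fstab field: '$field'" >&2
                return 1
                ;;
        esac
    done

    # Skip if a non-comment line already uses this mount point (safe to re-run).
    if awk -v mp="$mountpoint" \
        '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$fstab" 2>/dev/null
    then
        echo "$mountpoint is already present in $fstab" >&2
        return 2
    fi

    printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mountpoint" "$fstype" "$options" >> "$fstab"
}

# Example call (as root), using the page's placeholder device name:
# add_fstab_entry /etc/fstab "$(blkid -s UUID -o value /dev/nvmeXnYpZ)" /mnt/windows ntfs-3g \
#     "rw,nosuid,nodev,noexec,user_id=0,group_id=0,allow_other,blksize=4096,x-systemd.automount"
```

Running `findmnt --verify` afterwards checks the resulting table before the next reboot.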

The following stable voltage settings were discovered by empirical testing, using MSI Afterburner and this method.

* 2500 MHz @ 900 mV

* 2400 MHz @ 850 mV

* 2300 MHz @ 825 mV

* 2200 MHz @ 800 mV

Install Intel XTU. If it complains about VBS being turned on, disable it by opening , going to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard, double-clicking Turn on Virtualization Based Security, selecting Disabled, saving and rebooting.

After configuring all the settings you want, click the Save button and create a new profile, e.g. Undervolt. Then, go to Profiles, select your newly created profile and export it. A file will be created. If XTU for some reason changes the values for your settings, go to Profiles, select your profile, click Show Values and click Apply.

The voltage settings below were discovered by empirical testing, using Cinebench to stress the CPU. Other settings, like frequency and power limits, were based off of the official Intel specifications. Settings that I also changed in the "hidden" firmware menu are written in bold.

Test your system to check whether it's stable. Only after doing this should you save and apply your settings permanently.

1. Core

* Reference Clock: 100 MHz;

* Core Voltage Mode: Adaptive;

* Intel Turbo Boost Technology: Enabled;

* Core Voltage Offset: -0.1 V;

* Processor Core IccMax: 250 A;

* Power Limit 1 (PL1): 150 W;

* Turbo Boost Short Power Max Enable (PL2 Enable): Disable;

* Performance Active-Core Tuning:

* Efficient Active-Core Tuning:

2. Cache

* Processor Cache Frequency Ratio: 49x;

* Processor Cache Voltage Mode: Adaptive;

* Processor Cache Voltage Offset: -0.1 V;

* Efficient Cores Cache Voltage Mode: Adaptive;

* Efficient Cores Cache Voltage Offset: -0.1 V;

3. Graphics

* Processor Graphics Ratio Limit: 16.5x;

* Processor Graphics Voltage Mode: Adaptive;

* Processor Graphics Voltage Offset: -0.07 V;

* Processor Graphics IccMax: 42 A;

* Processor Graphics Media Voltage Mode: Adaptive;

* Processor Graphics Media Voltage Offset: -0.07 V;

4. Other

* System Agent Voltage Mode: Adaptive;

* System Agent Voltage Offset: -0.07 V;

5. Settings only available in the firmware

* Watchdog Timer: Enabled! (If you don't enable this, XTU won't reapply your settings across reboots);

* Legacy Game Mode: Enabled (Scroll Lock key toggles E-Cores);

* Maximum performance core frequency allowed: 5.4 GHz;

* Maximum efficiency core frequency allowed: 3.9 GHz;

* Maximum iGPU frequency allowed: 1.65 GHz;

Even though XTU has an option in its settings to apply the settings across reboots, it might not automatically launch.

If this happens to you, there are a few solutions, presented here. Before using any of them, enable the Watchdog Timer in the firmware and check the Restore tuning after reboot box inside XTU's settings menu.

1. Using Windows Services

Press Win + R, run , look for , open its Properties tab and change the startup behaviour to Automatic (Delayed Start).

2. Using shell:startup

If the 1st solution isn't enough, press Win + R, run , copy or create a shortcut for the XTU executable and put it inside the folder that opened. This will force it to launch after every boot.

The downside of this method is that it launches the GUI, not just the background task, and you have to manually close it every time. But after doing so, XTU will run in the background, with your settings applied.

Windows is already pretty bloated on its own, and even though this laptop has plenty of computing power, that's not an excuse to add even more crap into the system.

This software is completely unnecessary. Instead of installing it, consider using AlienFX Tools (it can do more than AWCC, while occupying hundreds of times less storage space, literally).

Users of Windows Pro and above can use Group Policy to, among other things, run scripts at startup and shutdown time. This allows running a script that empties a specific folder automatically, similar to on Linux.

1. Create the folder that will be used, e.g. ;

2. Press Win + R and run ;

3. Go to Local Computer Policy > Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Shutdown > Add > Add a Script > Browse. Close the File Explorer tab that just opened. This creates the folder where the script will be stored;

4. Open Notepad as admin and create the following Batch script:

C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown\DeleteFilesInTmp.bat

@echo off
del /f /q /s "C:\tmp\*.*"
for /d %%x in ("C:\tmp\*") do rmdir /s /q "%%x"

5. Follow Step 3, but instead of closing the Explorer tab, select the script, press OK and then press Apply. Test the script by saving unimportant data to the folder and rebooting.
