
2023-03-28 14:16 | Source: collected from the web | Views: 265

Arch Linux Personal Survival Manual

A couple of days ago (22 March 2023) GNOME 44 was released and I had been itching to try it. But the update was slow to arrive, perhaps because Manjaro has something of a commercial flavour, and since I had long wanted disk encryption with TPM2 anyway, I simply reinstalled the system as Arch Linux. From now on every important change to the system is recorded here for my own later reference.

Installation

Goal: Secure Boot, disk encryption, and storing the disk-encryption key in TPM 2.0.

Image: Arch 2023.03.01 image, kernel 6.2.1

Image download and verification

Image URL: https://mirrors.nju.edu.cn/archlinux/iso/2023.03.01/archlinux-2023.03.01-x86_64.iso

Signature: https://mirrors.nju.edu.cn/archlinux/iso/2023.03.01/archlinux-2023.03.01-x86_64.iso.sig

Verification

```
nsfoxer@ns-pc ~/Temp> ls
archlinux-2023.03.01-x86_64.iso  archlinux-2023.03.01-x86_64.iso.sig
nsfoxer@ns-pc ~/Temp> gpg --keyserver-options auto-key-retrieve --verify archlinux-2023.03.01-x86_64.iso.sig
gpg: 目录‘/home/nsfoxer/.gnupg’已创建
gpg: 钥匙箱‘/home/nsfoxer/.gnupg/pubring.kbx’已创建
gpg: 假定被签名的数据在‘archlinux-2023.03.01-x86_64.iso’
gpg: 签名建立于 2023年03月01日 星期三 20时55分51秒 CST
gpg: 使用 EDDSA 密钥 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: 签发者 "[email protected]"
gpg: /home/nsfoxer/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 76A5EF9054449A5C:公钥 “Pierre Schmitz ” 已导入
gpg: 密钥 7F2D434B9741E8AC:公钥 “Pierre Schmitz ” 已导入
gpg: 处理的总数:2
gpg: 已导入:2
gpg: 未找到任何绝对信任的密钥
gpg: 完好的签名,来自于 “Pierre Schmitz ” [未知]
gpg: 警告:此密钥未被受信任签名认证!
gpg: 没有证据表明此签名属于其声称的所有者。
主密钥指纹: 3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C
```

Compare against the Arch Linux developer fingerprints: https://archlinux.org/people/developers/

The fingerprint matches, so the image verification passes.
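To turn the fingerprint comparison above into a repeatable check, here is an added script (not from the original post) that asks gpg for its machine-readable status output and compares the primary-key fingerprint it reports with the one copied from the developer page. The function names `validsig_primary_fpr`, `fingerprint_matches` and `verify_iso` and the sample status lines are my own; it assumes gpg is installed and the public key is already in the keyring.

```shell
#!/bin/sh
# Added example, not from the original post: verify the ISO signature as above,
# but compare the signing key's fingerprint with the one copied from
# https://archlinux.org/people/developers/ instead of eyeballing it.
# Assumes gpg is installed and the public key is already in the keyring
# (e.g. fetched with --keyserver-options auto-key-retrieve as in the post).

# Fingerprint shown on the developer page for Pierre Schmitz, as in the post.
EXPECTED_FPR='3E80 CA1A 8B89 F69C BA57 D98A 76A5 EF90 5444 9A5C'

# Read gpg --status-fd output on stdin and print the fingerprint of the
# primary key behind the VALIDSIG line (field 12); fall back to the signing
# key fingerprint (field 3) for old gpg versions that omit field 12.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# $1 = status text, $2 = expected fingerprint (spaces and case ignored).
# Succeeds only if a VALIDSIG line exists and its fingerprint matches.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(printf '%s\n' "$1" | validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Live check: $1 = path to the .iso, with the .sig file beside it.
# A bad signature makes gpg exit non-zero, which already fails the check.
verify_iso() {
    status=$(gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    fingerprint_matches "$status" "$EXPECTED_FPR"
}

# Constructed sample of the status lines gpg emits for a good signature
# (not real gpg output); used to exercise the parser without the ISO.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76A5EF9054449A5C Pierre Schmitz
[GNUPG:] VALIDSIG 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C 2023-03-01 1677675351 0 4 0 22 8 00 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: ./check-iso.sh archlinux-2023.03.01-x86_64.iso
if [ -n "${1:-}" ]; then
    if verify_iso "$1"; then echo "OK: fingerprint matches"; else echo "FAIL"; exit 1; fi
fi
```

Note that gpg's "WARNING: This key is not certified with a trusted signature" still appears; the fingerprint comparison is what replaces that missing trust path.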

Burning the image and booting

Burning the USB stick:

```
# Note: this wipes all data on the USB stick
dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/sdx conv=fsync oflag=direct status=progress && sync
# After it succeeds, the USB stick contains:
nsfoxer@ns-pc /r/m/n/ARCH_202303> ls
arch  boot  EFI  shellia32.efi  shellx64.efi
```

Insert the prepared USB stick, boot the machine, enter the BIOS setup, disable Secure Boot, and boot from the USB stick.

Choose the first entry.

```
# Login screen
To install Arch Linux follow the installation guide:
https://wiki.archlinux.org/title/Installation_guide

For Wi-Fi, authenticate to the wireless network using the iwctl utility.
For mobile broadband (WWAN) modems, connect with the mmcli utility.
Ethernet, WLAN and WWAN interfaces using DHCP should work automatically.

After connecting to the internet, the installation guide can be accessed
via the convenience script Installation_guide.

Last login: Sat Mar 25 04:10:50 2023
root@archiso ~ #
```

Installation and disk encryption

Keyboard layout: the default is us, nothing to change.

Temporarily silence the annoying beep:

```
rmmod pcspkr
```

Verify the boot mode (mine is UEFI):

```
root@archiso ~ # ls /sys/firmware/efi/efivars
```

If that directory exists, the system booted in UEFI mode.

Connect to the network: use iwctl for wireless; for wired, just plug in the cable (works out of the box).

Verify connectivity with ping baidu.com.

Verify that the time is correct (systemd-timesyncd is enabled by default and synchronizes the clock once the network is up):

```
root@archiso ~ # timedatectl
               Local time: Sat 2023-03-25 04:14:26 UTC
           Universal time: Sat 2023-03-25 04:14:26 UTC
                 RTC time: Sat 2023-03-25 04:14:24
                Time zone: UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
# The time here is not localized; we are in UTC+8, so the displayed time is 8 hours behind.
```

Disk partitioning:

My planned layout (in a VM):

```
/boot  300M
swap   1G
/      the rest
```

```
# 1. Look at the disks. I have only one, sda
root@archiso ~ # lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0 688.5M  1 loop /run/archiso/airootfs
sda      8:0    0  14.5G  0 disk
sr0     11:0    1 810.3M  0 rom  /run/archiso/bootmnt

# 2. Partition according to the plan, following the archwiki
root@archiso ~ # fdisk /dev/sda

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xcfc2e6a9.

Command (m for help): g   # Important: create a GPT partition table
Created a new GPT disklabel (GUID: F6C14734-9837-5340-A02B-B5C82D13DA64).

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-30401119, default 2048):

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): Value out of range.
First sector (2048-30401119, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-30401119, default 30401119): +300M

Created a new partition 1 of type 'Linux' and of size 300 MiB.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2):
First sector (616448-30401119, default 616448):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (616448-30401119, default 30401119): +1G

Created a new partition 2 of type 'Linux' and of size 1 GiB.

Command (m for help): n
Partition type
   p   primary (2 primary, 0 extended, 2 free)
   e   extended (container for logical partitions)
Select (default p):

Using default response p.
Partition number (3,4, default 3):
First sector (2713600-30401119, default 2713600):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2713600-30401119, default 30401119):

Created a new partition 3 of type 'Linux' and of size 13.2 GiB.

Command (m for help): p
Disk /dev/sda: 14.5 GiB, 15565373440 bytes, 30401120 sectors
Disk model: VBOX HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xcfc2e6a9

Device     Boot   Start      End  Sectors  Size Id Type
/dev/sda1          2048   616447   614400  300M 83 Linux
/dev/sda2        616448  2713599  2097152    1G 83 Linux
/dev/sda3       2713600 30401119 27687520 13.2G 83 Linux

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

# 3. Set the EFI flag
# Without the EFI flag, installing the bootloader later fails with:
# File system "/dev/sda1" has wrong type for an EFI System Partition (ESP).
root@archiso / # gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): t
Partition number (1-3): 1
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): L
Type search string, or <Enter> to show all codes: efi
ef00 EFI system partition
Hex code or GUID (L to show codes, Enter = 8300): EF00
Changed type of partition to 'EFI system partition'

# 4. The result after partitioning
root@archiso ~ # lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0 688.5M  1 loop /run/archiso/airootfs
sda      8:0    0  14.5G  0 disk
├─sda1   8:1    0   300M  0 part   # /boot
├─sda2   8:2    0     1G  0 part   # swap
└─sda3   8:3    0  13.2G  0 part   # /
sr0     11:0    1 810.3M  0 rom  /run/archiso/bootmnt
```

Disk encryption and formatting

/boot is not encrypted; later the TPM will be used to protect the integrity of /boot.

The swap partition is ignored for now.

The / partition must be encrypted.

We use [dm-crypt](https://wiki.archlinuxcn.org/wiki/Dm-crypt) for the encryption.

```
# 1. Benchmark encryption performance
nsfoxer@ns-pc ~/N/Mbin> cryptsetup benchmark
# Tests use memory only (no storage IO).
PBKDF2-sha1      2416073 iterations per second for 256-bit key
PBKDF2-sha256    4554076 iterations per second for 256-bit key
PBKDF2-sha512    1820444 iterations per second for 256-bit key
PBKDF2-ripemd160  948079 iterations per second for 256-bit key
PBKDF2-whirlpool  739475 iterations per second for 256-bit key
argon2i       9 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      9 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1302.7 MiB/s      5424.8 MiB/s
    serpent-cbc        128b       124.4 MiB/s       915.7 MiB/s
    twofish-cbc        128b       245.2 MiB/s       462.4 MiB/s
        aes-cbc        256b      1002.2 MiB/s      4397.5 MiB/s
    serpent-cbc        256b       127.8 MiB/s       925.8 MiB/s
    twofish-cbc        256b       251.6 MiB/s       466.4 MiB/s
        aes-xts        256b      4451.5 MiB/s      4497.5 MiB/s
    serpent-xts        256b       810.7 MiB/s       811.4 MiB/s
    twofish-xts        256b       444.1 MiB/s       443.7 MiB/s
        aes-xts        512b      3754.9 MiB/s      3746.5 MiB/s
    serpent-xts        512b       822.5 MiB/s       801.0 MiB/s
    twofish-xts        512b       446.1 MiB/s       444.1 MiB/s
# aes-xts performs best, and it is also cryptsetup's default. To choose a different cipher, see
# https://wiki.archlinuxcn.org/wiki/Dm-crypt/%E8%AE%BE%E5%A4%87%E5%8A%A0%E5%AF%86#%E4%BD%BF%E7%94%A8_dm-crypt_%E7%9A%84%E5%8A%A0%E5%AF%86%E9%80%89%E9%A1%B9

# 2. Encrypt /dev/sda3 (the root partition)
root@archiso ~ # cryptsetup luksFormat /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda3:
Verify passphrase:
cryptsetup luksFormat /dev/sda3  6.04s user 0.39s system 44% cpu 14.610 total

# 3. Open (unlock) the encrypted device
# cryptsetup open device dm_name
root@archiso ~ # cryptsetup open /dev/sda3 root-crypt
Enter passphrase for /dev/sda3:
# The unlocked /dev/sda3 is mapped to /dev/mapper/dm_name,
# here /dev/mapper/root-crypt
root@archiso ~ # ls /dev/mapper
control  root-crypt
# Disable the work queues to improve SSD performance
root@archiso ~ # cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh root-crypt
Enter passphrase for /dev/sda3:

# 4. Format
# Format /dev/mapper/root-crypt as ext4
root@archiso ~ # mkfs.ext4 /dev/mapper/root-crypt
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 3456844 4k blocks and 864960 inodes
Filesystem UUID: 3cb0c8fb-2bab-4ba8-82c1-e48f971440ac
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

# Format /dev/sda1 as FAT
root@archiso ~ # mkfs.fat -F 32 /dev/sda1
mkfs.fat 4.2 (2021-01-31)

# 5. Mount
# Note: the root partition must be mounted first
# Mount the root partition
root@archiso ~ # mount /dev/mapper/root-crypt /mnt/
# Mount the /boot partition
root@archiso ~ # cd /mnt
root@archiso /mnt # mkdir boot
root@archiso /mnt # mount /dev/sda1 /mnt/boot
# Final mount layout
root@archiso /mnt # lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0            7:0    0 688.5M  1 loop  /run/archiso/airootfs
sda              8:0    0  14.5G  0 disk
├─sda1           8:1    0   300M  0 part  /mnt/boot
├─sda2           8:2    0     1G  0 part
└─sda3           8:3    0  13.2G  0 part
  └─root-crypt 254:0    0  13.2G  0 crypt /mnt
sr0             11:0    1 810.3M  0 rom   /run/archiso/bootmnt
```

Installing packages

```
# 1. Change the mirror list. The default ordering is acceptable, but in the VM the network was inexplicably slow, so I edited it by hand
nsfoxer@ns-pc ~/N/Mbin> cat /etc/pacman.d/mirrorlist
# Nanjing University of Posts and Telecommunications
Server = https://mirror.nju.edu.cn/archlinux/$repo/os/$arch
Server = https://mirrors.sjtug.sjtu.edu.cn/archlinux/$repo/os/$arch

# 2. Install the essential packages and networking
root@archiso /mnt # pacstrap -K /mnt base linux linux-firmware networkmanager neovim
```

Generate /etc/fstab

```
root@archiso / # genfstab -U /mnt >> /mnt/etc/fstab
```

Localization

```
# 1. Enter the new system
root@archiso / # arch-chroot /mnt

# 2. Set the time zone
[root@archiso /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@archiso /]# date
Sun Mar 26 19:13:08 CST 2023
[root@archiso /]# hwclock --systohc

# 3. Set the locale
[root@archiso /]# cat /etc/locale.gen   # (edited)
en_US.UTF-8 UTF-8
zh_CN.UTF-8 UTF-8
[root@archiso /]# locale-gen
Generating locales...
  en_US.UTF-8... done
  zh_CN.UTF-8... done
Generation complete.
[root@archiso /]# cat /etc/locale.conf   # (new file)
LANG=en_US.UTF-8

# 4. Set the hostname
[root@archiso /]# cat /etc/hostname   # (new file)
nf-vir

# 5. Set the root password
[root@archiso /]# passwd
New password:
Retype new password:
passwd: password updated successfully
```

Installing the bootloader and setting kernel boot parameters

```
# 1. Install microcode updates: amd-ucode (for Intel, install intel-ucode)
[root@archiso /]# pacman -S amd-ucode

# 2. Use systemd-boot (it ships with systemd, and systemd is a dependency of NetworkManager, so it is effectively already installed)
[root@archiso /]# bootctl --path=/boot install
Created "/boot/EFI".
Created "/boot/EFI/systemd".
Created "/boot/EFI/BOOT".
Created "/boot/loader".
Created "/boot/loader/entries".
Created "/boot/EFI/Linux".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI".
Random seed file /boot/loader/random-seed successfully written (32 bytes).
Successfully initialized system token in EFI variable with 32 bytes.
Created EFI boot entry "Linux Boot Manager".

# 3. Look up and record the UUID of /dev/sda3
[root@archiso entries]# blkid /dev/sda3
/dev/sda3: UUID="bc31f0a4-436b-4849-a28c-46ae6c608643" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="791c2d0d-ba27-4fff-9d51-e5b4225227b1"

# 4. Add a systemd-boot entry with the required kernel parameters
# options explained: cryptdevice=UUID=<UUID of the encrypted container, as shown by blkid>:<mapped device name> root=<root partition>
[root@archiso /]# cat /boot/loader/entries/arch.conf   # (new file)
title   Arch Linux
linux   vmlinuz-linux
initrd  amd-ucode.img
initrd  initramfs-linux.img
options cryptdevice=UUID=bc31f0a4-436b-4849-a28c-46ae6c608643:root-crypted root=/dev/mapper/root-crypted quiet rw

# 5. Check that the boot configuration is correct
[root@archiso /]# bootctl list
         type: Boot Loader Specification Type #1 (.conf)
        title: Arch Linux (default) (not reported/new)
           id: arch.conf
       source: /boot//loader/entries/arch.conf
        linux: /boot//vmlinuz-linux
       initrd: /boot//amd-ucode.img
               /boot//initramfs-linux.img
      options: cryptdevice=UUID=bc31f0a4-436b-4849-a28c-46ae6c608643:root-crypted root=/dev/mapper/root-crypted quiet rw

# 6. Add the kernel HOOKS
# Edit /etc/mkinitcpio.conf and add the encrypt hook
[root@archiso /]# grep '^HOOKS' /etc/mkinitcpio.conf   # (edited file; this is the result after editing)
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)

# 7. Rebuild the initramfs images
[root@archiso /]# mkinitcpio -P
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img --microcode /boot/amd-ucode.img
==> Starting build: '6.2.8-arch1-1'
==> *********
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
==> Image generation successful
```

If everything has gone well up to this point, the system can be rebooted: exit the chroot and run reboot. The system prompts for the encryption passphrase:
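Before leaving the chroot it is worth checking that the three pieces configured above agree with each other: the HOOKS line, the loader entry and the LUKS partition. This is an added script, not from the original post; it uses the post's own paths (/etc/mkinitcpio.conf, /boot/loader/entries/arch.conf, /dev/sda3), and the function names `hooks_ok`, `entry_ok` and `check_system` are mine.

```shell
#!/bin/sh
# Added example, not from the original post: check the pieces configured above
# before rebooting. A missing or misplaced 'encrypt' hook, or a cryptdevice
# UUID or mapper name that does not match, leaves the initramfs unable to
# find the root device. Paths and device names are the ones used in the post.

# $1 = the HOOKS line from /etc/mkinitcpio.conf. Succeeds only if 'encrypt'
# is listed after 'keyboard' and 'block' (passphrase prompt and block device
# available) and before 'filesystems' (root must be unlocked before mounting).
hooks_ok() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) { sub(/^HOOKS=/, "", $i); gsub(/[()]/, "", $i); pos[$i] = i }
        ok = ("encrypt" in pos) && ("keyboard" in pos) && ("block" in pos) && ("filesystems" in pos)
        if (ok) ok = pos["encrypt"] > pos["keyboard"] && pos["encrypt"] > pos["block"] && pos["encrypt"] < pos["filesystems"]
        exit !ok
    }'
}

# $1 = the options line of the loader entry, $2 = the UUID blkid reports for
# the LUKS partition. Succeeds only if cryptdevice=UUID=<uuid>:<name> carries
# that UUID and root=/dev/mapper/<name> uses the same mapper name.
entry_ok() {
    spec=$(printf '%s\n' "$1" | sed -n 's/.*cryptdevice=UUID=\([^ ]*\).*/\1/p')
    uuid=${spec%%:*}
    name=${spec#*:}
    root=$(printf '%s\n' "$1" | sed -n 's/.* root=\([^ ]*\).*/\1/p')
    [ -n "$spec" ] && [ "$uuid" != "$spec" ] && [ "$uuid" = "$2" ] && [ "$root" = "/dev/mapper/$name" ]
}

# Live check inside the chroot: read the real files and ask blkid for the UUID.
check_system() {
    hooks=$(grep '^HOOKS' /etc/mkinitcpio.conf)
    opts=$(grep '^options' /boot/loader/entries/arch.conf)
    luks_uuid=$(blkid -s UUID -o value /dev/sda3)
    hooks_ok "$hooks" && entry_ok "$opts" "$luks_uuid"
}
```

Run `check_system && echo OK` inside the chroot; a non-zero exit means one of the three pieces disagrees and the reboot would end at the emergency shell.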

Storing the disk key in TPM 2.0

To be added

Desktop

GNOME

NVIDIA driver: no Wayland mode

This is related to gdm. After the nvidia driver is installed, run

```
# ln -s /dev/null /etc/udev/rules.d/61-gdm.rules
```

But at present (GNOME 43.3) this makes gnome-shell run on the NVIDIA GPU, which increases power consumption.

```
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 525.60.11    Driver Version: 525.60.11    CUDA Version: 12.0     |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                               |                      |               MIG M. |
|===============================+======================+======================|
|   0  NVIDIA GeForce ...  Off  | 00000000:01:00.0 Off |                  N/A |
| N/A   44C    P3     7W /  N/A |      2MiB /  4096MiB |      0%      Default |
|                               |                      |                  N/A |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                                  |
|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
|        ID   ID                                                   Usage      |
|=============================================================================|
|    0   N/A  N/A      1763      G   /usr/bin/gnome-shell                1MiB |
+-----------------------------------------------------------------------------+
```

There is an open issue: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6146

Details: https://wiki.archlinux.org/title/GDM#Wayland_and_the_proprietary_NVIDIA_driver

For now I have simply disabled nvidia; apart from games, nothing I use needs the GPU at the moment.

Screen recording

If screen recording does not work, install [gst-plugin-pipewire](https://archlinux.org/packages/?name=gst-plugin-pipewire) and [gst-plugins-good](https://archlinux.org/packages/?name=gst-plugins-good).

Extra

Filesystem repair

A few days ago I cut the power to my Raspberry Pi without shutting it down, and afterwards it would not boot. I really could not be bothered to reinstall and set up the environment again, so I tried repairing it, and it actually worked. I have to say the filesystem repair tooling is excellent.

Insert the Raspberry Pi's SD card.

Check the SD card's partitions.

Unmount the SD card (umount /dev/mmcblk0p1).

Repair the boot partition:

```
sudo fsck /dev/mmcblk0p1
```

When errors are detected, choose 2 (copy from the backup copy to the original) and then 1 (confirm writing to disk).

Reinsert the SD card and the Raspberry Pi boots normally. Nice
