Arch Linux on a coreboot/SeaBIOS Librem 13v3

Sat Jul 30, 2022 · 450 words · 3 min

---

Arch Linux on a Librem 13v3

Notes on installing Arch Linux on a Purism Librem 13v3 laptop.

Tech:

• coreboot/SeaBIOS
• BIOS, because that's what the laptop boots via above
  • We'll muck with the partitions to make this upgradable to EFI, however
• GPT
• GRUB as bootloader, for encrypted /boot, and /

Process

1. Open up the laptop and put in an M.2 SSD, which we'll use for the OS
2. Download latest arch linux ISO and write to a flash drive, then insert into right USB port
3. Boot the laptop. Hit ESC and boot from the USB drive.
   • for the 13v3, it will boot in BIOS mode
4. (optional) Write random data to the hard disks to create background signal across the entire drive
5. Use gdisk to create the following partitions on /dev/nvmX:
   1. Partition 1: 1MiB of type ef02. Do not format this partition.
   2. (optional) Partition 2: 1GiB of type ef00.
      • This is for future use in EFI systems, if you want to move this drive somewhere else
   3. Partition 3-X: 100GiB for the base system, and whatever else you want
   4. "An unpartitioned space of at least 33 512-byte sectors (16.5 KiB) at the end of the disk to allow converting to GPT in the future" 1
6. Run cryptsetup, formatting the 3rd (or whatever) partition with luks1
7. cryptsetup open the device, then mount the mapped device to /mnt
   • cryptsetup open /dev/nvmX cryptnvme, then type in password
8. Follow the arch install guide until mkinitcpio step
9. Update mkinitcpio.conf per 2
10. Install grub to /dev/nvmX (the device, not the partition)
    • grub-install --target=i386-pc /dev/nvmX
11. lsblk -o +UUID > /blockdevices.txt. Get the UUID of the nvmX device (not the partition)
12. Follow instructions here to enable cryptodisk in /etc/default/grub.
13. Update /etc/default/grub as follows:
    • GRUB_CMDLINE_LINUX="cryptdevice=UUID=your_device_uuid:cryptnvme cryptnvme=/dev/mapper/cryptnvme"
    • Be sure this is the dmcrypt partition UUID, not the decrypted, mapped partition UUID
    • This assumes your fstab (and original mount for the mapped, decrypted partition) is /dev/mapper/cryptnvme; update accordingly
14. Don't forget to install networking utilities, sudo, zsh, and other goodies.
15. Don't install intel-microcode, however - that's handled by the Purism coreboot updates.

Obviously, you can modify this to e.g. forego GPT, use LVM, don't encrypt /boot, or whatever else.

You can also use a keyfile to prevent having to type your password twice (once to unlock /boot, the other to unlock the drive).