# Overview

Stable enough for my initial use-case: a light-duty laptop for travel and presentations, running Linux all the time but retaining a small ChromeOS volume for firmware updates and restoring settings. On the 1st attempt I wiped the drive and then found that when the machine attempted to suspend when the lid closed it wiped the NVRAM, with no other option to boot into legacy mode than to restore ChromeOS and enable it again.

* Setup base system in ChromeOS
* Fully encrypted Btrfs root partition & ext4 boot
* Install Arch Linux
* Configure some basics

## Status June 2nd 2018

- [x] boots
- [x] X + i3
- [x] usb
- [x] wifi
- [x] touch screen
- [x] bluetooth
- [x] boot process requires password to be entered in a black screen
- [x] trackpad
- [ ] sound (still fiddling)
- [ ] hibernate
- [ ] suspend
- [ ] suspend on lid close

# ChromeOS

Enable developer mode

## Enabling SeaBIOS

From Chrome hit `Ctrl-Alt-T` to open crosh

`shell`

`sudo bash`

`crossystem dev_boot_usb=1 dev_boot_legacy=1`

Alternatively you can turn on debug mode at the start page and set a root password, select a wireless network and then ssh in without setting up an account in ChromeOS.

Install the latest SeaBIOS firmware (the stock firmware won't detect the NVMe drive)

https://mrchromebox.tech/#fwscript

`cd; curl -LO https://mrchromebox.tech/firmware-util.sh && sudo bash firmware-util.sh`

Run the command in the terminal, and select:

* "Install/Update the RW_LEGACY firmware" option
* The script will prompt you to enable USB boot by default, select YES

You can now start SeaBIOS by pressing `Ctrl + L` at the white boot splash screen.

## Resize the partition map to add BOOT-C and KERN-C

```
curl -O https://raw.githubusercontent.com/ethanmad/chromeos-resize/master/cros-resize.sh
sudo bash cros-resize.sh
```

```
Got /dev/nvme0n1 as the target drive.

WARNING! All data on this device will be wiped out! Continue at your own risk!
Press [Enter] to proceed on /dev/nvme0n1 or CTRL+C to quit

To resize the KERN-C and ROOT-C partitions, we will shrink the STATE partition (Chrome OS's data partition).
You will specify how much size to allocate to the STATE partition and KERN-C, and the rest of the space will be allocated to ROOT-C.

There are 480040 MiB (468.79 GiB) available to work with. The sum of the following two partition sizes must be less than this amount.

You have the option of modifying your STATE partition using either MiB or GiB(default) precision.
Would you like to use MiB or GiB? [m/G] G
How big should the STATE partition be in GiB (default: 5)? 25

KERN-C is where you can store kernels and should be mounted at /boot. More space means you can keep more copies of kernels for rolling back, in case something goes wrong.
How big should the KERN-C partition be in MiB (default: 64)? 128

You chose to allocate 25 GiB for the state partition and 128 MiB for the KERN-C partition. ROOT-C will be allocated to the remaining space available space. The size of the STATE and KERN-C partitions must be integers.
Is everything correct? [y/N] y

STATE will be allocated 52428800 sectors, or 25600 MiB, or 25 GiB.
KERN-C will be allocated 262144 sectors, or 128 MiB, or 0.12 GiB.
ROOT-C will be allocated 930431631 sectors, or 454312 MiB, or 443.66 GiB.

Afer this point, your disk will be repartitioned and wiped. Does this look good? [y/N] y
Unmounting stateful partition...
Editing partition table...
Zeroing stateful partition...
26198671360 bytes (26 GB, 24 GiB) copied, 19.0005 s, 1.4 GB/s
25600+0 records in
25600+0 records out
26843545600 bytes (27 GB, 25 GiB) copied, 19.586 s, 1.4 GB/s

Now reboot and allow Chrome OS to repair itself. You may have to run this program again with the same values before they stick.
```

After rebooting

`lsblk`

```
NAME          MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0           7:0    0   7.4G  0 loop
`-encstateful 253:1    0   7.4G  0 dm   /mnt/stateful_partition/encrypted
loop1           7:1    0 683.3M  1 loop /opt/google/containers/android/rootfs/ro
loop2           7:2    0     4K  1 loop /opt/google/containers/arc-removable-med
loop3           7:3    0     4K  1 loop /opt/google/containers/arc-sdcard/mountp
loop4           7:4    0     4K  1 loop /opt/google/containers/arc-obb-mounter/m
loop5           7:5    0  91.3M  1 loop
zram0         252:0    0  22.8G  0 disk [SWAP]
nvme0n1       259:0    0   477G  0 disk
|-nvme0n1p1   259:1    0    25G  0 part /mnt/stateful_partition
|-nvme0n1p2   259:2    0    16M  0 part
|-nvme0n1p3   259:3    0     4G  0 part /
|-nvme0n1p4   259:4    0    16M  0 part
|-nvme0n1p5   259:5    0     4G  0 part
|-nvme0n1p6   259:6    0   128M  0 part
|-nvme0n1p7   259:7    0 443.7G  0 part
|-nvme0n1p8   259:8    0    16M  0 part /usr/share/oem
|-nvme0n1p9   259:9    0   512B  0 part
|-nvme0n1p10  259:10   0   512B  0 part
|-nvme0n1p11  259:11   0     8M  0 part
`-nvme0n1p12  259:12   0    32M  0 part
```

# Install Arch

## Prep USB for installing Arch

`sudo dd if=archlinux-2018.05.01-x86_64.iso of=/dev/sda bs=4M`

### Boot USB to install

`Ctrl + L`

## Set a bigger font

```
setfont sun12x22
```

## Setup wifi

`wifi-menu`

## Enable SSH to simplify the installation process (optional)

* Set a root password

```
passwd root
```

* Enable sshd

```
systemctl start sshd
```

Now you should be able to ssh to this box from another one which has a font which you can see.

# Preparing the System Drive

## Encrypting the System Drive

* Find out how fast the ciphers are on your machine (AES should have hardware acceleration and therefore win)

`cryptsetup benchmark`

```
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1519675 iterations per second for 256-bit key
PBKDF2-sha256    1667052 iterations per second for 256-bit key
PBKDF2-sha512    1264868 iterations per second for 256-bit key
PBKDF2-ripemd160 1026003 iterations per second for 256-bit key
PBKDF2-whirlpool  728177 iterations per second for 256-bit key
argon2i       4 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      4 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1032.1 MiB/s      3005.4 MiB/s
    serpent-cbc        128b        82.9 MiB/s       588.8 MiB/s
    twofish-cbc        128b       183.5 MiB/s       308.3 MiB/s
        aes-cbc        256b       811.6 MiB/s      2399.1 MiB/s
    serpent-cbc        256b        82.9 MiB/s       576.8 MiB/s
    twofish-cbc        256b       149.5 MiB/s       254.5 MiB/s
        aes-xts        256b      1333.9 MiB/s      1359.7 MiB/s
    serpent-xts        256b       429.3 MiB/s       424.2 MiB/s
    twofish-xts        256b       234.1 MiB/s       234.9 MiB/s
        aes-xts        512b      1241.6 MiB/s      1237.0 MiB/s
    serpent-xts        512b       438.0 MiB/s       426.5 MiB/s
    twofish-xts        512b       237.2 MiB/s       240.1 MiB/s
cryptsetup benchmark  14.79s user 24.55s system 124% cpu 31.648 total
```

* Make data partition LUKS formatted

```
cryptsetup --cipher aes-xts-plain64 --key-size 512 --use-random --verify-passphrase luksFormat /dev/nvme0n1p7
```

* Check if everything looks good

```
cryptsetup luksDump /dev/nvme0n1p7
```

* Open encrypted partition

```
cryptsetup open --type luks /dev/nvme0n1p7 cryptroot
```

* Create Btrfs on the opened cryptroot volume

```
mkfs.btrfs -L data /dev/mapper/cryptroot
```

* Mount Btrfs with flags

```
mount /dev/mapper/cryptroot /mnt -t btrfs -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache
```

* Create subvolumes

```
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
```

* Create boot partition

```
mkfs.ext4 /dev/nvme0n1p6
```

* Mount sub-volumes and boot partition

```
umount /mnt
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@ /dev/mapper/cryptroot /mnt
mkdir /mnt/home
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/.snapshots
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots
mkdir /mnt/boot
mount /dev/nvme0n1p6 /mnt/boot
```

* Create nested subvolumes for special folders

```
mkdir -p /mnt/var/cache/pacman
btrfs subvolume create /mnt/var/cache/pacman/pkg
btrfs subvolume create /mnt/var/log
btrfs subvolume create /mnt/var/tmp
```

# Arch Installation

* use reflector to speed up install (optional)

```
pacman -Syy reflector
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https
```

* synchronize clock

```
timedatectl set-ntp true
```

* install base packages

```
pacstrap /mnt base base-devel btrfs-progs openssh
```

* generate fstab

```
genfstab -Up /mnt >> /mnt/etc/fstab
```

* optional: add ramdisk tmp

```
echo "tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0" >> /mnt/etc/fstab
```

* change into installation root

```
arch-chroot /mnt
```

* There is only an SSD, so we want to reduce swapping as much as possible

```
echo "vm.swappiness=10" > /etc/sysctl.d/99-sysctl.conf
```

* add modules, binaries, files, and hooks to mkinitcpio.conf

`vi /etc/mkinitcpio.conf`

> ...
> MODULES=(btrfs loop)
> ...
> BINARIES=(/usr/bin/btrfs)
> ...
> HOOKS=(base udev autodetect modconf keyboard encrypt block filesystems fsck)

* Generate initial ramdisk image

```
mkinitcpio -p linux
```

# Bootloader Installation

Hours were spent trying to use grub; 15 minutes and syslinux is working like a charm. If you want/need to use grub, good luck!

```
pacman -S syslinux intel-ucode gptfdisk
```

```
syslinux-install_update -iam
```

> Syslinux BIOS install successful
> Attribute Legacy Bios Bootable Set - /dev/nvme0n1p6
> Installed MBR (/usr/lib/syslinux/bios/gptmbr.bin) to /dev/nvme0n1

### Configure syslinux

`vi /boot/syslinux/syslinux.cfg`

```
LABEL arch
    MENU LABEL Arch Linux
    LINUX ../vmlinuz-linux
    APPEND rootflags=subvol=@ root=/dev/mapper/cryptroot cryptdevice=/dev/nvme0n1p7:cryptroot zswap.enabled=1 rw
    INITRD ../intel-ucode.img,../initramfs-linux.img

LABEL archfallback
    MENU LABEL Arch Linux Fallback
    LINUX ../vmlinuz-linux
    APPEND rootflags=subvol=@ root=/dev/mapper/cryptroot cryptdevice=/dev/nvme0n1p7:cryptroot rw
    INITRD ../initramfs-linux-fallback.img
```

# System Configuration

* synchronize clock

```
timedatectl set-ntp true
```

* Set locale

```
cat >/etc/locale.gen < /etc/locale.conf
```

* Set timezone

```
ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc --utc
```

* set hostname

```
echo pixelarch > /etc/hostname
```

* Add some more useful packages and setup reflector

```
pacman -Suy base-devel git iw wpa_supplicant dialog zsh sudo reflector vim
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https
```

* add a new user account

```
useradd -m -g users -G wheel,storage,power -s /bin/zsh damon
passwd damon
```

* enable sudo for your user account: uncomment the following line in `/etc/sudoers` (edit it with `visudo`)

> %wheel ALL=(ALL) ALL

* disable root account

```
passwd -l root
```

## zram for swap

I'm not a huge fan of swap these days, and let OOM killer do its job. It's not safe to run a swapfile in the event that you find yourself needing swap for some reason, so zram provides a nice way to turn a bit of memory into swap.

```
pacman -S systemd-swap
```

`vi /etc/systemd/swap.conf`

> zswap_enabled=0
> zram_enabled=1

# Tidy up and reboot

```
exit
umount -R /mnt
swapoff -a
reboot
```

Hit Ctrl+L at the developer screen and it should boot to syslinux. The menu has some screen tearing but the arrow navigation works; press Enter on the first entry and you should be prompted to decrypt your root drive and then boot right to the login prompt.

# Post-install steps

## install, configure and enable Snapper

```
sudo pacman -S snapper
sudo umount /.snapshots
sudo rm -r /.snapshots
sudo snapper -c root create-config /
sudo mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /.snapshots
sudo systemctl start snapper-timeline.timer
```

## install & enable power management

```
sudo pacman -S tlp x86_energy_perf_policy tlp-rdw
sudo systemctl enable tlp.service
sudo systemctl enable tlp-sleep.service
sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
```

## enable bluetooth

```
sudo pacman -S bluez bluez-firmware bluez-utils blueman
sudo systemctl enable --now bluetooth.service
```

# Misc

Quick paste to open and mount drives when booting off USB, useful for trying to install grub or when something is hosed up.

```
cryptsetup open --type luks /dev/nvme0n1p7 cryptroot
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@ /dev/mapper/cryptroot /mnt
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@home /dev/mapper/cryptroot /mnt/home
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots
mount /dev/nvme0n1p6 /mnt/boot
```

### Firmware tarball

A tarball of the /lib/firmware directory of ChromeOS for future inspection

https://s3.eu-west-1.amazonaws.com/petta.org/firmware.tar.gz

### Trackpad

The trackpad is funky out of the box and is still in need of some fine-tuning. There is quite a bit of dislike for synaptics driver, but it does the job better than anything else I tested (mtrack and libinput)

```
pacman -S xf86-input-synaptics
```

`/etc/X11/xorg.conf.d/70-synaptics.conf`

```
Section "InputClass"
    Identifier "touchpad"
    Driver "synaptics"
    MatchIsTouchpad "on"
    Option "TapButton1" "1"
    Option "TapButton2" "3"
    Option "TapButton3" "2"
    Option "VertEdgeScroll" "on"
    Option "VertTwoFingerScroll" "on"
    Option "HorizEdgeScroll" "on"
    Option "HorizTwoFingerScroll" "on"
    Option "EmulateTwoFingerMinZ" "40"
    Option "EmulateTwoFingerMinW" "8"
    Option "CoastingSpeed" "0"
    Option "MaxTapTime" "125"
    # Enable clickpad/multitouch support
    Option "ClickPad" "true"
    # Middle-button emulation is not supported
    Option "EmulateMidButtonTime" "0"
    # Define right soft button at the bottom
    Option "SoftButtonAreas" "50% 0 82% 0 0 0 0 0"
EndSection
```

### Sound Modules

Still very much WIP, Kaby Lake AoC isn't quite in mainline yet

https://github.com/GalliumOS/galliumos-distro/issues/379

`lsmod | grep snd`

```
snd_soc_kbl_rt5663_rt5514_max98927  24576  3
snd_soc_hdac_hdmi                   24576  1 snd_soc_kbl_rt5663_rt5514_max98927
snd_soc_skl_ssp_clk                 16384  3
snd_soc_dmic                        16384  0
snd_soc_skl                         65536  3 snd_soc_skl_ssp_clk
snd_soc_skl_ipc                     32768  1 snd_soc_skl
snd_soc_sst_ipc                     16384  1 snd_soc_skl_ipc
snd_soc_sst_dsp                     32768  1 snd_soc_skl_ipc
snd_soc_sst_match                   16384  1 snd_soc_skl
snd_hda_ext_core                    20480  2 snd_soc_hdac_hdmi,snd_soc_skl
snd_hda_core                        57344  3 snd_hda_ext_core,snd_soc_hdac_hdmi,snd_soc_skl
snd_soc_rt5514                      40960  1
snd_soc_max98927                    24576  2
snd_soc_rt5663                      65536  2 snd_soc_kbl_rt5663_rt5514_max98927
snd_soc_rt5514_spi                  16384  3 snd_soc_rt5514
snd_soc_rl6231                      16384  2 snd_soc_rt5514,snd_soc_rt5663
snd_seq_dummy                       16384  0
snd_seq                             57344  5 snd_seq_dummy
snd_seq_device                      16384  1 snd_seq
```

# References

* https://gist.github.com/JindrichPilar/e22ed9c316f7dc1e4f20
* https://github.com/markitoxs/pixelbook
* https://github.com/EmbeddedAndroid/linux-eve
* https://www.syslinux.org/wiki/index.php?title=Filesystem
* https://github.com/bparmentier/www/blob/master/posts/how-to-install-arch-linux-on-an-encrypted-btrfs-partition.md
* https://bbs.archlinux.org/viewtopic.php?id=222985
* https://wiki.archlinux.org/index.php/microcode -- syslinux microcode
* https://github.com/GalliumOS/galliumos-skylake -- skylake bits and bobs
* https://www.codentium.com/category/chromebooks.html -- audio bits
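
As an added example (not part of the original guide), the script below cross-checks the two settings that must agree for the encrypted root to unlock at boot: the `HOOKS` line from `/etc/mkinitcpio.conf` and the `APPEND` line from `syslinux.cfg`. The function names are hypothetical, and the two sample lines are the ones shown in this guide.

```shell
#!/bin/sh
# Added example: cross-check the mkinitcpio HOOKS line against the syslinux APPEND line.
# Function names are hypothetical; the two sample lines are copied from this guide.

# karg KEY CMDLINE: print the value of KEY= on a kernel command line (nothing if absent).
karg() {
    for tok in $2; do
        case "$tok" in
            "$1"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 0
}

# has_hook NAME HOOKS_LINE: succeed when NAME is listed inside HOOKS=(...).
has_hook() {
    list=${2#*\(}; list=${list%\)*}
    for h in $list; do
        if [ "$h" = "$1" ]; then return 0; fi
    done
    return 1
}

# check_encrypted_boot HOOKS_LINE APPEND_LINE
# Prints one line per problem; the return status is the number of problems.
check_encrypted_boot() {
    n=0
    if ! has_hook encrypt "$1"; then
        echo "encrypt hook missing: the initramfs cannot open the LUKS volume"; n=$((n + 1))
    fi
    if ! has_hook keyboard "$1"; then
        echo "keyboard hook missing: keyboard drivers may be absent from the initramfs"; n=$((n + 1))
    fi
    cdev=$(karg cryptdevice "$2"); root=$(karg root "$2")
    name=${cdev#*:}; name=${name%%:*}      # cryptdevice=<device>:<name>[:<options>]
    if [ -z "$cdev" ] || [ "$root" != "/dev/mapper/$name" ]; then
        echo "root= must be /dev/mapper/<name> as named in cryptdevice=<device>:<name>"
        n=$((n + 1))
    fi
    return "$n"
}

HOOKS='HOOKS=(base udev autodetect modconf keyboard encrypt block filesystems fsck)'
APPEND='rootflags=subvol=@ root=/dev/mapper/cryptroot cryptdevice=/dev/nvme0n1p7:cryptroot zswap.enabled=1 rw'
if check_encrypted_boot "$HOOKS" "$APPEND"; then echo "boot configuration is consistent"; fi
```

Run it before rebooting, with the two strings replaced by the lines from your own files; a non-zero exit status means the mapper name or hooks no longer match.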