Manjaro Linux Setup
Install
- Partition the ESP partition. The layout used here:

```text
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                       259:0    0 931.5G  0 disk
├─nvme0n1p1                                   259:1    0   400M  0 part  /boot/efi
...
├─nvme0n1p5                                   259:5    0   258G  0 part
│ └─luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 254:0    0   258G  0 crypt /
...
```

`nvme0n1p1` is mounted on `/boot/efi`, while the root system is installed on the encrypted partition `nvme0n1p5` with LUKSv1. Replace the block device names according to the actual situation of your computer.
System modification
Before starting, upgrade the whole system.

```bash
sudo pacman -Syu
```
Repository
- Change the server location: China.
- Add the archlinuxcn repository at the end of the file. (`sudo echo >> file` does not work, because the redirection is done by the unprivileged shell; `$arch` must stay unexpanded so that pacman substitutes it.)

```bash
printf '\n[archlinuxcn]\nServer = https://mirrors.ustc.edu.cn/archlinuxcn/$arch\n' | sudo tee -a /etc/pacman.conf
```

- Enable flatpak and AUR in the "Add / Remove Software" settings.
- Install the yay tool for a more comfortable package management experience.

```bash
sudo pacman -S yay
```
Shell
Install `oh-my-zsh-git` from the archlinuxcn repository to get the latest code.

```bash
yay -S archlinuxcn/oh-my-zsh-git
```

After installing the package, copy `.zshrc` from the system to the home directory.

```bash
cp /usr/share/oh-my-zsh/zshrc ~/.zshrc
```

Add the following code to the end of `.zshrc` for the original Manjaro shell experience.

```bash
# Use powerline
USE_POWERLINE="true"
# Source manjaro-zsh-configuration
if [[ -e /usr/share/zsh/manjaro-zsh-config ]]; then
  source /usr/share/zsh/manjaro-zsh-config
fi
# Use manjaro zsh prompt
if [[ -e /usr/share/zsh/manjaro-zsh-prompt ]]; then
  source /usr/share/zsh/manjaro-zsh-prompt
fi
```

At last, make some small modifications. Install the autojump plugin,

```bash
yay -S autojump
```

modify the `.zshrc` file,

```bash
plugins=(git autojump)
```

then change the shell to zsh.

```bash
chsh -s /bin/zsh
```
sudo without password
Add this line at the end of the file `/etc/sudoers.d/10-installer`. The line must be quoted (the parentheses are a shell syntax error otherwise) and written through `sudo tee`, since a plain `>>` redirection runs without root privileges.

```bash
echo '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' | sudo tee -a /etc/sudoers.d/10-installer
```
GPU Switch
Use envycontrol to switch between intel, nvidia and hybrid mode.

```bash
yay -S envycontrol
```

In addition, a KDE Plasma 5 widget can be convenient.

```bash
yay -S plasma5-applets-optimus-gpu-switcher
```
Fonts
Install several fonts, both Latin and Chinese.

```bash
yay -S wqy-microhei-lite wqy-bitmapfont wqy-microhei wqy-zenhei ttf-roboto adobe-source-han-sans-cn-fonts adobe-source-han-serif-cn-fonts
```

Install `ttf-apple-emoji` to replace the original `noto-fonts-emoji`.

```bash
yay -S ttf-apple-emoji
```

Make a custom system font configuration to enable Apple color emoji and change the preferred Chinese fonts.

```bash
sudo touch /etc/fonts/local.conf
```

Paste the following code into `local.conf`.
Command
Install some very useful and common tools.

```bash
yay -S zip net-tools base-devel nmap vulscan python-pypandoc
```

```bash
yay -S cowsay xcowsay sl asciiquarium fortune-mod cmatrix oneko toilet lolcat
```
Appearance
Install latte dock.

```bash
yay -S latte-dock
```

Change the desktop layout:
- move the panel from the bottom to the top;
- add widgets to the panel: Application Launcher, Global menu, Panel Spacer, Network speed, CatWalk, System tray, Pager, Digital clock, Peek at Desktop;
- add latte dock at the bottom of the desktop with the widgets Application Dashboard, Latte Tasks, Trashcan, Analog clock;
- add a weather widget on the right side of the desktop.

For the widget configuration, the CatWalk idle threshold is 30% and the weather location is Tianjin, China. For latte dock, the absolute item size is 56px, zoom on hover is 10%, background size is 14%, and opacity is 52%.
swapfile
The system has no swap partition after the default installation process; for the full suspend and hibernation experience, we set up swap manually.
Create a swap file matching the physical memory and set proper permissions (the file must be readable only by root).

```bash
sudo fallocate -l 8G /.swapfile   # create a hidden swapfile on root /
sudo chmod 600 /.swapfile
```

Format and enable the swap file.

```bash
sudo mkswap /.swapfile
sudo swapon /.swapfile
```

Insert the swap info into fstab.

```bash
echo "/.swapfile none swap defaults 0 0" | sudo tee -a /etc/fstab
```

Reboot and check whether the swap is on.

```bash
swapon --show
```
Samba
In Dolphin, the Share tab in the file properties is unavailable because the samba service is broken. Now we fix it.

```bash
yay -S samba
```

Add the following text to `smb.conf` (to prevent bugs, add a blank line at the end of the file).

```ini
[global]
```

Then reboot.
Attention: it seems there are many bugs in the property Share tab.
Firewall
A firewall and a firewall GUI manager are optional for network use.

```bash
yay -S firewalld
```
SSD trim
TRIM discards unused blocks on the SSD. TRIM on an encrypted device has specific security risks, but for most users the benefits of TRIM outweigh those security concerns.

```bash
sudo cryptsetup --allow-discards --persistent refresh luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Java environment
In order to run jar applications such as Minecraft, a Java environment is required. We can install the OpenJDK environment with JavaFX support.

```bash
yay -S aur/java-openjfx # jre and jdk will be installed as dependencies automatically
```
Install and config application
git
Add lfs support.

```bash
yay -S git-lfs
```

Configure the username and e-mail.

```bash
git config --global user.name "My Name"
```
Internet Technology
There are many useful packages in the repository.

```bash
yay -S archlinuxcn/*****-verge-rev-bin watt-toolkit-bin
```
fcitx5 and rime
Install the fcitx5 bundle, which includes 4 packages:
- fcitx5
- fcitx5-configtool
- fcitx5-gtk
- fcitx5-qt

and other extra packages.

```bash
yay -S fcitx5-im fcitx5-lua kcm-fcitx5 fcitx5-rime fcitx5-chinese-addons libime manjaro-asian-input-support-fcitx5 rime-symbols
```

Then reboot to apply the modification.
Clone clover_flypinyin to local.

```bash
git clone https://github.com/happylzyy/rime-cloverpinyin.git
```

Follow the README.md to build the package. Extract the package to `/usr/share/rime-data` and replace the existing files.
Create a config file in `~/.local/share/fcitx5/rime`

```bash
touch default.custom.yaml
```

and write

```yaml
patch:
```

Restart the rime engine.
apparmor
Install the apparmor utils and enable the service.

```bash
yay -S apparmor
```

Add the kernel cmdline as follows. This section applies to UKI, not to grub.

```bash
sudo mkdir /etc/cmdline.d
```

```text
# enable apparmor
```
vim
Install gvim via the yay tool.

```bash
yay -S gvim
```

Clone the vim config into the `.vim` folder.

```bash
mkdir -p ~/.vim && cd ~/.vim
git clone https://github.com/happylzyy/vim-init.git
cd vim-init && git checkout linux
```

Create `.vimrc` in the home directory and add the following code, then run `:PluginInstall` to fix the missing plugins via the internet.

```bash
echo source ~/.vim/vim-init/init.vim > ~/.vimrc
```
typora
The last free version of typora is 0.11.18 (beta); we can build it using the AUR PKGBUILD.

```bash
yay -S aur/typora-free
```
albert
```bash
yay -S archlinuxcn/albert
```

Open System Settings -> Startup and Shutdown -> Autostart, and add albert to the autostart list.
Attention: albert has no wayland support yet.
WPS
Install wps and all dependencies, including Chinese language support, font packages, several fix patches, etc.

```bash
yay -S wps-office wps-office-all-dicts-win-languages wps-office-mui-zh-cn wps-office-mime-cn wps-office-fonts wps-office-bwrap freetype2-wps ttf-wps-fonts ttf-ms-fonts
```

Install the bug fix libtiff5.

```bash
yay -S libtiff5
```
GIMP
```bash
yay -S gimp
```

To make GIMP look like Photoshop, follow the PhotoGIMP project.
Node.js
```bash
yay -S nodejs npm
```

Configure the local registry mirror.

```bash
npm config set registry https://registry.npmmirror.com/
```
OneDrive
As some files are synced on OneDrive, we install onedrive and create some links.

```bash
yay -S onedrive-abraunegg onedrivegui
```
Other app without configuration
```bash
yay -S steam stellarium visual-studio-code-bin zenmap wechat-beta-bwrap lx-music-desktop-bin calibre zotero kleopatra
```
Secure Boot and LUKS TPM
Prepare
Install all the packages we need.

```bash
yay -S sbctl tpm2-tss tpm2-tools
```

Follow this guideline, generate a Machine Owner Key and enroll it into the EFI variables.
Install bootloader
This section changes the bootloader from grub to systemd-boot, because grub does not support LUKSv2.
Change the ESP mount point from `/boot/efi` to `/efi` permanently. If the ESP mount point remains unchanged, the grub packages should be removed.

```bash
umount /boot/efi
```

Delete the old boot entry and install the new bootloader.

```bash
OLD_MANJARO="$(efibootmgr | grep "manjaro" | cut -d' ' -f1 | cut -c 5-8)" # Manjaro is the old boot entry name
```
After installation, it should be a new boot entry "Linux Boot Manager" appeared in the UEFI boot menu.
Open `/boot/efi/loader/loader.conf` and add `default @saved` there. This makes systemd-boot select your previously booted kernel by default. Another useful change is setting `timeout` to 1 or 2; most likely that is a long enough period to see the bootloader's menu and stop the countdown if needed.
Configure initramfs
mkinitcpio.conf
Replace the HOOKS array in `/etc/mkinitcpio.conf` and keep the old one commented at the end of the file, just in case:

```bash
OLD_HOOKS=$(grep "^HOOKS=(" /etc/mkinitcpio.conf)
```

Also, for a better (de)compression speed/efficiency ratio, consider setting `COMPRESSION="zstd"` in your `/etc/mkinitcpio.conf` if it is not set already. Note that this works only starting from linux 5.10.
crypttab.initramfs
Do the following to add an entry for the LUKS partition to `crypttab.initramfs`.

```bash
UUID=$(sudo blkid -s UUID -o value /dev/nvme0n1p5)
```
cmdline
Create `cmdline` with the current boot parameters of the system. Optionally, `/etc/cmdline.d` can be used for a more flexible configuration.

```bash
cat /proc/cmdline | sudo tee /etc/kernel/cmdline
```
linux.preset
Open the preset file for the current kernel in `/etc/mkinitcpio.d`, such as `linux66.preset`.
Make the following changes:
- uncomment `default_uki`, `fallback_uki` and `default_options`;
- comment `default_image` and `fallback_image`;
- make sure the UKI path uses the appropriate mount point of the ESP.
build UKI
```bash
sudo mkinitcpio -P
```

After building, there should be several UKI images in `/boot/efi/EFI/Linux`. Optionally, we can remove the old unused images under `/boot`.

```bash
sudo rm /boot/initramfs*
```

If a warning about `consolefont` appears during the build process, create `vconsole.conf` and build again. (`echo` does not expand `\n` without `-e`, and the redirection needs root, so use `printf` with `sudo tee`.)

```bash
printf 'KEYMAP=us\nFONT=tcvn8x16\n' | sudo tee /etc/vconsole.conf
```
Secure Boot
sbctl is a tool that generates signed, and thus trusted, images used to boot the system.
Create a new script `sbsign-all`.

```bash
vim ./sbsign-all
```

Write the following code in this script and save it.
Change the permissions to make it executable.

```bash
sudo chmod a+x ./sbsign-all
```

Then run the script.

```bash
sudo ./sbsign-all
```

Thanks to the mkinitcpio hook and the pacman hook, the signing process runs automatically whenever the system is upgraded or modified.
After all the steps above, reboot and enter the UEFI setup menu, set Secure Boot ON, exit saving the settings, and check that the system boots normally.
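An added example of what an `sbsign-all` script can look like (this is not the script from the original post). It assumes the ESP is mounted at `/efi` as chosen above (pass another path as the first argument if yours differs), that `sbctl create-keys` and `sbctl enroll-keys` were already run, and that mkinitcpio built the UKIs into `EFI/Linux`.

```sh
#!/bin/sh
# Added example (not the original post's script): sign every EFI binary on the
# ESP with the key enrolled through sbctl. Assumes the ESP is at /efi (or the
# path given as $1) and that the keys were created and enrolled beforehand.
set -eu

# Every PE binary the firmware executes must carry a signature: the systemd-boot
# loader, the fallback loader, and each UKI under EFI/Linux.
list_efi_binaries() {
    esp="$1"
    find "$esp/EFI/systemd" "$esp/EFI/BOOT" "$esp/EFI/Linux" \
        -type f \( -name '*.efi' -o -name '*.EFI' \) 2>/dev/null | sort
}

# Sign each file; -s stores the path in sbctl's database so the pacman hook
# re-signs it automatically after kernel or systemd updates.
sign_all() {
    esp="$1"
    list_efi_binaries "$esp" | while IFS= read -r f; do
        sbctl sign -s "$f"
    done
    # Report which files on the ESP are signed with a trusted key.
    sbctl verify
}

# Usage: sudo ./sbsign-all [ESP]   (ESP defaults to /efi)
ESP="${1:-/efi}"
if ! command -v sbctl >/dev/null 2>&1; then
    echo "sbctl is not installed; nothing signed" >&2
elif [ ! -d "$ESP/EFI" ]; then
    echo "$ESP does not look like a mounted ESP; nothing signed" >&2
else
    sign_all "$ESP"
fi
```

Run `sbctl verify` afterwards; every file it lists as unsigned is one the firmware will refuse once Secure Boot is on.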
Unlock LUKS via TPM
The Manjaro installation uses LUKSv1 as the default crypt solution, but our plan only supports LUKSv2. So we need to convert LUKS before configuring the TPM.
Insert the Manjaro installation USB disk into the computer and enter the live CD environment. If it is prohibited by the secure boot policy, disable secure boot mode temporarily.
Open a terminal and run the following command.

```bash
sudo cryptsetup convert --type luks2 /dev/nvme0n1p5
```

Reboot and enable secure boot mode again.
Before sealing the LUKS key into the TPM, check the `bootctl` command; the following conditions should be satisfied:
- system booted by the systemd-boot bootloader
- system booted in secure boot mode

If the conditions are satisfied, check the cryptsetup status:

```bash
sudo cryptsetup luksDump /dev/nvme0n1p5
```

Normally it should have 1 or 2 keyslots already occupied: the first one is the passphrase we set, the other is probably `/crypto_keyfile.bin`, and there are no tokens in place (yet). We suggest removing slot 1 if it is occupied by crypto_keyfile at the moment (since it is not safe to use crypto_keyfile in the configuration we are building).

```bash
sudo cryptsetup luksKillSlot /dev/nvme0n1p5 1
```

Then seal the LUKS key into the TPM with PCR 7.

```bash
sudo systemd-cryptenroll /dev/nvme0n1p5 --tpm2-device=auto --tpm2-pcrs=7
```
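The conditions listed above (systemd-boot, Secure Boot on, LUKS2 header, which keyslots and tokens are occupied) can be checked from the output of `bootctl status` and `cryptsetup luksDump` before enrolling. The following is an added example, not part of the original post; the sample outputs at the bottom are constructed to resemble this setup and are not captured from a real machine.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks before running
# systemd-cryptenroll. Each check reads command output from stdin, so it works on
# live output (bootctl status | secure_boot_enabled) as well as the samples below.
set -eu

# bootctl status must show Secure Boot enabled and systemd-boot as the current loader.
secure_boot_enabled()    { grep -Eq '^ *Secure Boot: *enabled'; }
booted_by_systemd_boot() { grep -Eq '^ *Product: *systemd-boot'; }
# cryptsetup luksDump: systemd-cryptenroll only handles LUKS2 headers.
luks_version() { sed -n 's/^Version:[[:space:]]*\([0-9][0-9]*\).*/\1/p'; }
# Occupied keyslot numbers ("0 1" = passphrase plus crypto_keyfile.bin on a default install).
used_keyslots() {
    sed -n '/^Keyslots:/,/^Tokens:/p' | sed -n 's/^  \([0-9][0-9]*\): .*/\1/p' | xargs
}
# Token types already bound to the header ("systemd-tpm2" appears after enrollment).
token_types() {
    sed -n '/^Tokens:/,/^Digests:/p' | sed -n 's/^  [0-9][0-9]*: \(.*\)$/\1/p' | xargs
}

# preflight BOOTCTL_OUTPUT LUKSDUMP_OUTPUT: returns 0 only if every condition holds.
preflight() {
    printf '%s\n' "$1" | secure_boot_enabled    || { echo "Secure Boot is not enabled"; return 1; }
    printf '%s\n' "$1" | booted_by_systemd_boot || { echo "not booted by systemd-boot"; return 1; }
    [ "$(printf '%s\n' "$2" | luks_version)" = 2 ] || { echo "header is not LUKS2"; return 1; }
    echo "keyslots in use: $(printf '%s\n' "$2" | used_keyslots)"
    echo "tokens: $(printf '%s\n' "$2" | token_types)"
}

# Constructed sample output, shaped like this post's setup after the LUKS2 conversion.
SAMPLE_BOOTCTL='System:
   Secure Boot: enabled (user)
  TPM2 Support: yes
Current Boot Loader:
      Product: systemd-boot 255'
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
Tokens:
Digests:
  0: pbkdf2'

# Live use: preflight "$(bootctl status)" "$(sudo cryptsetup luksDump /dev/nvme0n1p5)"
preflight "$SAMPLE_BOOTCTL" "$SAMPLE_LUKSDUMP"
```

With the sample input it reports keyslots `0 1` and no tokens, which is exactly the state in which the post removes slot 1 before enrolling the TPM2 token.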
References
- https://forum.manjaro.org/t/howto-using-secure-boot-and-tpm2-to-unlock-luks-partition-on-boot/101626
- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#
- https://wiki.archlinux.org/title/Unified_kernel_image
- https://wiki.archlinux.org/title/Trusted_Platform_Module
- https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
- https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Using_systemd-cryptsetup-generator
- https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Examples
- https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Trusted_Platform_Module_and_FIDO2_keys