Introduction

So I purchased a used Thinkpad X220 for about £90 on eBay and decided to install Arch Linux onto it. This guide covers the steps that I took to achieve this.

Now when it comes to Linux there is always more than one way of doing things and this guide is just my preferred way. Feel free to follow it for your own installation, just keep in mind that you may have to change some of the steps to suit your own circumstances. Also there is every chance that the information presented here will be out of date, so I recommend that you at least read through the official installation guide for the most up-to-date information.

Download the Arch Linux ISO Image

The Arch Linux download page provides direct download and torrent links. You should also download the PGP signature to the same location and use the gpg command to verify that the ISO has not been compromised.

$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.05.01-x86_64.iso.sig
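A good signature only shows that some key signed the image, and auto-key-retrieve fetches whichever key the signature names, so the signer still has to be compared with the fingerprint published on the Arch Linux download page. The function below is an added example, not part of the original guide: it reads gpg's --status-fd output and accepts it only when a VALIDSIG line names the pinned primary key. The function names and both fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin the release signing key instead of trusting any key
# that gpg happened to retrieve. Typical use (PINNED is the fingerprint you
# copied from the download page):
#   gpg --keyserver-options auto-key-retrieve --status-fd 1 \
#       --verify archlinux-2020.05.01-x86_64.iso.sig 2>/dev/null |
#       signed_by_pinned_key "$PINNED" && echo "signer matches"

# Reads gpg status lines on stdin. Returns 0 only if a VALIDSIG line carries
# the expected primary-key fingerprint and no failure status was reported.
# Returns 2 if $1 is not a 40-hex-digit fingerprint.
signed_by_pinned_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2

    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        # Last VALIDSIG field is the primary key fingerprint; field 3 may be
        # a signing subkey, which is not what the download page publishes.
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# Constructed status output for a signature made by subkey FEDC... of
# primary key 0123... (neither is a real Arch Linux key).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-05-01 1588291200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
```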

Create a live USB of Arch Linux

Flash the image to a USB drive using Etcher. Alternatively you can use the dd command. Just ensure that /path/to/archlinux.iso points to where you have downloaded the image and that /dev/sdx is your USB drive.

$ dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx status=progress && sync

Boot the live environment

I wanted to make sure that the Thinkpad was using UEFI as I would be using EFISTUB to load the Linux kernel as an EFI executable. This is done through the BIOS, which can be reached by pressing the ThinkVantage button as the machine is booting and then pressing F1 to get to the BIOS settings. From there navigate to Startup and change the UEFI/Legacy Boot option to UEFI Only. Press F10 to save and exit the BIOS and then power down the machine.

With the USB drive plugged in, power the machine back on while pressing F12 until the boot menu appears, then select USB HDD: Mass Storage Device and wait for the installation image to boot. When prompted select Arch Linux archiso X86_64 UEFI CD, after which you will be taken to the live environment's terminal.

Set the keyboard layout

The default console map is US which meant that for me pressing Shift+3 was displaying the hash symbol (#) instead of the pound symbol (£). So the UK keyboard layout needed to be loaded.

$ loadkeys uk

You can get a list of supported keyboard layouts if you need to load a different one.

$ ls /usr/share/kbd/keymaps/**/*.map.gz

Verify the boot mode

To verify that the Thinkpad has UEFI enabled check that the efivars directory exists.

$ ls /sys/firmware/efi/efivars

Connect to the internet

Verify that the machine can connect to the internet with the ping command.

$ ping -c3 davidtsadler.com

Before booting the machine I plugged in an Ethernet cable that was connected directly to my home network's router. The installation environment detected the network connection and obtained an IP address via DHCP.

Update the system clock

Ensure the system clock is correct.

$ timedatectl set-ntp true

Partition the disks

Use the lsblk command to determine which disks and partitions exist on the system.

$ lsblk

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0    7:0    0   535M  1 loop /run/archiso/sfs/airootfs
sda      8:0    0 298.1G  0 disk
sdb      8:16   1   7.4G  0 disk
├─sdb1   8:17   1   652M  0 part /run/archiso/bootmnt
└─sdb2   8:18   1    64M  0 part

From the above output I could see that my hard drive was sda as sdb was the USB drive and loop0 could just be ignored.

I knew that I wanted to have an encrypted partition and make use of LVM on it so my disk layout would be.

+-------------------+ +--------------------------------------------------------+
| Boot partition    | | Logical volume 1 | Logical volume 2 | Logical volume 3 |
|                   | |                  |                  |                  |
| /boot             | | /                | [SWAP]           | /home            |
|                   | |                  |                  |                  |
|                   | | 50G              | 16G              | 200G             |
|                   | |                  |                  |                  |
|                   | | /dev/vg0/root    | /dev/vg0/swap    | /dev/vg0/home    |
|                   | |_ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ |
|                   | |                                                        |
|                   | |              LUKS2 encrypted partition                 |
| /dev/sda1 (512MB) | |                    /dev/sda2                           |
+-------------------+ +--------------------------------------------------------+

The hard drive would be split into two partitions. The first, sda1, would be 512MB in size and mounted in the file system at /boot. This would be the EFI system partition. The remainder of the disk space would be given to the partition sda2 and encrypted using LUKS2. LVM would then be used to create the volume group vg0 that would be divided into three partitions as logical volumes.

  • /dev/vg0/root 50G root partition.
  • /dev/vg0/swap 16G swap partition.
  • /dev/vg0/home 200G home partition.

Use fdisk to create the partitions.

$ fdisk /dev/sda

Enter g to create a new empty GPT partition table

Command (m for help): g
Created a new GPT disklabel (GUID: 6987D065-936E-1547-9F02-F78145025A96).

Since this is a UEFI system there must be an EFI partition at the beginning of the disk. Enter n to add a new partition and enter 1 to assign it as the first partition. Use the default value for the first sector but enter +512M for the last sector.

Command (m for help): n
Partition number (1-128, default 1): 1
First sector (2048-625142414, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-625142414, default 625142414): +512M

Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.

Enter t to change the partition type and enter 1 to make it an EFI System. You can also get a list of partition types by pressing L.

Command (m for help): t
Selected partition 1
Partition type (type L to list all types): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

To create the second partition enter n again to add another partition, and then enter 2 to assign it as the second partition. Use the default values for both first and last sectors to allocate the remainder of the drive.

Command (m for help): n
Partition number (2-128, default 2): 2
First sector (1050624-625142414, default 1050624): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-625142414, default 625142414): 

Created a new partition 2 of type 'Linux filesystem' and of size 297.6 GiB.

Enter w to write the changes and quit.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Use lsblk to confirm that two partitions have been created.

$ lsblk /dev/sda

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 298.1G  0 disk
├─sda1   8:1    0   512M  0 part
└─sda2   8:2    0 297.6G  0 part

LUKS

Encrypt the second partition with the cryptsetup command.

$ cryptsetup luksFormat /dev/sda2

When prompted enter YES in capitals to overwrite any data that is currently on the partition.

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES

Enter and verify a passphrase. Whenever the machine is now booted you will be prompted to enter this passphrase in order for the partition to be decrypted.

Enter passphrase for /dev/sda2: 
Verify passphrase: 
cryptsetup luksFormat /dev/sda2  17.01s user 1.05s system 105% cpu 17.106 total

LVM on LUKS

Before setting up LVM decrypt the partition.

$ cryptsetup open /dev/sda2 cryptlvm

You will be prompted to enter the passphrase that you set up earlier.

Enter passphrase for /dev/sda2: 
cryptsetup open /dev/sda2 cryptlvm  6.48s user 0.36s system 92% cpu 7.436 total

Create a physical volume.

$ pvcreate /dev/mapper/cryptlvm

Create a volume group called vg0.

$ vgcreate vg0 /dev/mapper/cryptlvm

Create three logical volumes for the root, swap and home partitions.

$ lvcreate -L 50G vg0 -n root
$ lvcreate -L 16G vg0 -n swap
$ lvcreate -L 200G vg0 -n home

Make use of lsblk again to verify that LVM has been set up as expected.

$ lsblk /dev/sda

NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 298.1G  0 disk  
├─sda1           8:1    0   512M  0 part  
└─sda2           8:2    0 297.6G  0 part  
  └─cryptlvm   254:0    0 297.6G  0 crypt 
    ├─vg0-root 254:1    0    50G  0 lvm   
    ├─vg0-swap 254:2    0    16G  0 lvm   
    └─vg0-home 254:3    0   200G  0 lvm

Format the partitions

Format the boot partition at /dev/sda1 with a FAT32 file system, as the UEFI specification requires it.

$ mkfs.fat -F32 /dev/sda1

The root and home partitions can be formatted with ext4.

$ mkfs.ext4 /dev/vg0/root
$ mkfs.ext4 /dev/vg0/home

Initialise the swap partition.

$ mkswap /dev/vg0/swap
$ swapon /dev/vg0/swap

Mount the file systems

Mount the root partition into /mnt.

$ mount /dev/vg0/root /mnt

Mount the boot partition into /mnt/boot.

$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot

Finally mount the home partition into /mnt/home.

$ mkdir /mnt/home
$ mount /dev/vg0/home /mnt/home

Select the mirrors

The mirror servers defined in /etc/pacman.d/mirrorlist were chosen at the time the installation image was built. Since it's ideal to use servers that are close to your location you can rebuild the list using the rankmirrors utility. This is not included by default on the live environment so you will need to download it.

First sync the pacman repository.

$ pacman -Syy

Then download the pacman-contrib package which contains the rankmirrors utility.

$ pacman -S pacman-contrib

The official Pacman Mirrorlist Generator can be used to get an up-to-date list of servers for your country. The below command obtains a list of UK servers that support https and passes it to rankmirrors to obtain the 5 fastest.

$ curl -s "https://www.archlinux.org/mirrorlist/?country=GB&protocol=https&use_mirror_status=on" | sed -e 's/^#Server/Server/' -e '/^#/d' | rankmirrors -n 5 - > /etc/pacman.d/mirrorlist

Install essential packages

The pacstrap script is used to install the base package, Linux kernel and firmware.

$ pacstrap /mnt base linux linux-firmware neovim wpa_supplicant dhcpcd cryptsetup lvm2 efibootmgr intel-ucode

I also installed a few other packages that I knew I was going to need.

  • neovim. Allows you to edit files instead of using nano.
  • wpa_supplicant. Provides tools for connecting to a WPA2 protected wireless network.
  • dhcpcd. Needed so that your machine can obtain an IP address from your home router via DHCP.
  • cryptsetup. Since the partition is encrypted this package is required in order for it to be decrypted during booting.
  • lvm2. Provides the LVM tools to manage the LVM partition.
  • efibootmgr. Needed to configure the system to boot via UEFI.
  • intel-ucode. Enables microcode updates during boot.

Fstab

Create a fstab file on the new system.

$ genfstab -U /mnt >> /mnt/etc/fstab

Chroot

Use arch-chroot to enter the new system as the root user. From now on you will be configuring the new system.

$ arch-chroot /mnt

Time zone

Set up the timezone. Replace Europe/London with your timezone.

$ ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime

Update the hardware clock.

$ hwclock --systohc

Localization

Use nvim to edit /etc/locale.gen.

$ nvim /etc/locale.gen

Uncomment your preferred language. For me this meant en_GB.UTF-8 UTF-8. Save the file and exit before generating the locales.

$ locale-gen

Edit /etc/locale.conf.

$ nvim /etc/locale.conf

Add the below line. Replace en_GB.UTF-8 with the language that you chose earlier.

LANG=en_GB.UTF-8

If you used loadkeys earlier you will need to edit /etc/vconsole.conf and add your chosen keymap.

$ nvim /etc/vconsole.conf

For me this meant adding the UK keymap.

KEYMAP=uk

Network configuration

Create the file /etc/hostname and add an entry to it. This hostname will be the name of the machine on your network. I tend to name my devices after characters from the book Howl's Moving Castle.

$ echo suliman > /etc/hostname

You then need to edit the /etc/hosts file.

$ nvim /etc/hosts

Add the following lines to this file. Replace suliman with the hostname you set up earlier.

127.0.0.1   localhost
::1         localhost
127.0.0.1   suliman.localdomain suliman

Wireless

Use the ip command to determine the name of the wireless network interface.

$ ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether f0:de:f1:86:e1:75 brd ff:ff:ff:ff:ff:ff
3: wwp0s29u1u4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 86:06:37:c4:9b:41 brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 08:11:96:02:10:ac brd ff:ff:ff:ff:ff:ff

Looking at the output of the ip command this is wlan0. This name however will not be the name of the interface once the installation has been completed. You see the Arch installation environment does not use predictable names for interfaces. This is due to it using iwd which is unable to cope with interface renaming and so it is disabled for wireless interfaces. When the system boots into the installed system predictable names for interfaces will be enabled and wlan0 will be assigned a different name.

In order to find out what name will be assigned use the udevadm command.

$ udevadm test-builtin net_id /sys/class/net/wlan0

Load module index
Parsed configuration file /usr/lib/systemd/network/99-default.link
Parsed configuration file /usr/lib/systemd/network/80-iwd.link
Created link configuration context.
Using default interface naming scheme 'v245'.
ID_NET_NAMING_SCHEME=v245
ID_NET_NAME_MAC=wlx0811960210ac
ID_OUI_FROM_DATABASE=Intel Corporate
ID_NET_NAME_PATH=wlp3s0
Unload module index
Unloaded link configuration context.

What we are interested in is the value of ID_NET_NAME_PATH which is wlp3s0.

My wireless network is a WPA2 protected network with a hidden SSID. Since wpa_supplicant has been installed when running pacstrap it is possible to use wpa_passphrase to generate the configuration file that wpa_supplicant will use to connect to the wireless network. Replace <SSID> and <PASSWORD> with your details. Note that the name of the configuration file contains the name of the network interface wlp3s0. Replace this with the name of your network interface.

$ wpa_passphrase <SSID> <PASSWORD> > /etc/wpa_supplicant/wpa_supplicant-wlp3s0.conf

If your wireless network uses a hidden SSID you will need to edit the configuration file.

$ nvim /etc/wpa_supplicant/wpa_supplicant-wlp3s0.conf

And add the below line.

scan_ssid=1

Make sure that wpa_supplicant starts at boot.

$ systemctl enable wpa_supplicant@wlp3s0.service

Have an IP address assigned via DHCP during booting.

$ systemctl enable dhcpcd@wlp3s0.service
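The wpa_passphrase command above puts the passphrase on the command line, and wpa_passphrase also copies it into the generated file as a #psk= comment. The added example below (not from the original guide) takes wpa_passphrase output on stdin, drops comment lines so only the derived key remains, and inserts scan_ssid=1 for a hidden network. The function names and the sample SSID, passphrase and key are constructed.

```shell
#!/bin/sh
# Added example. With the passphrase argument left out, wpa_passphrase reads
# it from stdin, so it stays out of shell history and the process list:
#   umask 077
#   wpa_passphrase "<SSID>" | harden_wpa_conf hidden \
#       > /etc/wpa_supplicant/wpa_supplicant-wlp3s0.conf

# Filters wpa_passphrase output: removes comment lines (including the
# plaintext #psk="..." copy) and, when $1 is "hidden", adds scan_ssid=1
# directly after the ssid line.
harden_wpa_conf() {
    awk -v mode="$1" '
        /^[ \t]*#/ { next }
        { print }
        mode == "hidden" && /^[ \t]*ssid=/ { print "\tscan_ssid=1" }
    '
}

# Constructed wpa_passphrase output; the SSID, passphrase and key are made up.
sample_wpa_output() {
    printf 'network={\n'
    printf '\tssid="ExampleNet"\n'
    printf '\t#psk="constructed-passphrase"\n'
    printf '\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n'
    printf '}\n'
}
```

The umask 077 in the usage comment makes the redirect create the file readable by root only, which matters because the derived key is sufficient to join the network.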

Initramfs

You will need to rebuild the initial ramdisk as the current one is not aware that the filesystem will be encrypted. Before rebuilding it some configuration changes need to be made.

$ nvim /etc/mkinitcpio.conf

Locate the section where the HOOKS are configured and replace it with the line below.

HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)

This ensures that the keyboard is present before the filesystem is detected so that you are able to enter the passphrase to decrypt the partition. It also ensures that the decryption is done before the LVM is handled.

Save the changes and exit before rebuilding with the mkinitcpio command.

$ mkinitcpio -P
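A quick way to check the hook ordering described above before running mkinitcpio -P, as an added example that is not part of the original guide. The function names are hypothetical; the check covers the encrypt and lvm2 hooks used here, and the lvm2-before-filesystems rule is added from how these hooks work, not from the text above.

```shell
#!/bin/sh
# Added example: read an mkinitcpio.conf on stdin and check that the hooks
# needed for LVM on LUKS appear in a workable order.
#   check_hooks_order < /etc/mkinitcpio.conf

check_hooks_order() {
    awk '
        # Commented-out HOOKS lines do not match; the last assignment wins.
        /^[ \t]*HOOKS=/ { line = $0 }
        END {
            sub(/#.*/, "", line)               # drop a trailing comment
            sub(/^[ \t]*HOOKS=/, "", line)
            gsub(/[()"]/, " ", line)           # array or quoted-string form
            n = split(line, hook)
            for (i = 1; i <= n; i++) pos[hook[i]] = i

            # keyboard: the passphrase prompt needs input; encrypt: unlock
            # before LVM scans; lvm2: volumes must exist before root mounts.
            nrules = split("keyboard:encrypt encrypt:lvm2 lvm2:filesystems", rule)
            for (r = 1; r <= nrules; r++) {
                split(rule[r], p, ":")
                if (!(p[1] in pos) || !(p[2] in pos)) {
                    print "missing hook in pair " rule[r]; bad = 1
                } else if (pos[p[1]] > pos[p[2]]) {
                    print p[1] " must come before " p[2]; bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: a line without the encryption hooks, commented out,
# followed by the HOOKS line from this guide.
sample_conf() {
    cat <<'EOF'
#HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
EOF
}
```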

EFISTUB Booting and Microcode

The Thinkpad X220 UEFI implementation allows an operating system to be booted without the need for an intermediate bootloader such as GRUB. It is possible to add a UEFI boot entry to the motherboard itself and have Arch booted directly.

Modifying the motherboard boot entries is done using efibootmgr. However usage of this command can be quite verbose so it is recommended to create a shell script instead.

$ nvim /usr/local/sbin/mkefibootentry

The shell script will call efibootmgr with the required arguments.

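#!/bin/sh

# Determine the PARTUUID of the partition that is encrypted
PARTUUID=$(blkid -s PARTUUID -o value /dev/sda2)

# Stop if blkid returned nothing, rather than creating an entry that cannot unlock the disk
[ -n "$PARTUUID" ] || { echo "Could not determine PARTUUID of /dev/sda2" >&2; exit 1; }

efibootmgr \
  --disk /dev/sda --part 1 \
  --create --label "Arch Linux" \
  --loader /vmlinuz-linux \
  --unicode 'cryptdevice=PARTUUID='"$PARTUUID"':cryptlvm root=/dev/vg0/root rw initrd=\intel-ucode.img initrd=\initramfs-linux.img' \
  --verbose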

The --unicode argument is where the kernel parameters are specified. This tells the system that the partition identified by PARTUUID is encrypted and that the root filesystem to mount is the logical volume called root that is part of the volume group vg0. The microcode is also loaded with initrd=\intel-ucode.img.

Make this script executable.

$ chmod u+x /usr/local/sbin/mkefibootentry

Run the script to add the entry to the motherboard boot entries.

$ mkefibootentry

Root password

Create a secure password for the root user.

$ passwd

Reboot

Return to the Arch live installation environment.

$ exit

Unmount the partitions.

$ umount -R /mnt

Restart the machine with reboot. Remember to remove any installation media such as a USB drive.

$ reboot

Provided nothing has gone wrong your machine will boot into a fresh installation of Arch Linux. Don't forget that during the boot you will be prompted to enter the passphrase to decrypt the system partition.

Following this guide will leave you with a very minimal system where you can log in as the root user. From this point how you configure the system is up to you as it will be very different to how I configure my own. If you are interested in seeing how I do it then see my other posts on the subject.