Install Arch Linux on a Dell XPS 13 9310 with Disk Encryption

I am mostly just writing this down as a reference for my future self. I recently got a Dell XPS 13 9310 “developer edition” laptop, which came preinstalled with Ubuntu Focal. Since I know all the hardware is Linux compatible I installed Arch. The laptop ships with a NVME HDD and is configured for UEFI booting, so that’s what is represented here.

This is largely copied from this existing gist and most of the credit for figuring all of this out is due to Mohammad Javad Naderi.

Disable Secure Boot

My laptop came with secure boot turned on, but this won’t work with Arch. Boot the laptop while hitting the F2 key until it shows that you’re going into the BIOS setup. Once you’re in there, find the area for secure boot, turn it off, hit the button to apply changes, and finally hit OK to exit.

Prepare a USB Flash Drive

Download an ISO image from the download site.

Since we are booting it via UEFI, you want to extract the ISO image to an empty, FAT formatted flash drive. I did this from a different Linux laptop using 7z.

# 7z x archlinux-2021.01.01-x86_64.iso -o/path/to/FLASHDRIVE

You need to explicitly label the Flash drive with what the computer expects it to be named or it won’t boot. For the ISO referenced above, the correct label is ARCH_202101. On my system, this was done with the command

# sudo mlabel ::'ARCH_202101' -i '/dev/sda1'

You may need to use something other than /dev/sda1 depending on where the device shows up for you.

Boot the Flash Drive

Put the flash drive in and boot the computer. Keep hitting the F12 key and it should bring up a boot menu where you can select the flash drive as the medium to boot from. You should see a menu where you can choose to install Arch.

Partition the Hard Drive

We’ll make two partitions, one to boot from and the other to hold the rest of the filesystem. I like to use cfdisk as I find it to be the easiest for this sort of thing.

# cfdisk /dev/nvme0n1

First, delete all the existing partitions. Next create a new partition that is 512M in size. Change the type of this partition to EFI System which is the top choice on the Type menu. Next, create a second partition which is the rest of the size of the disk. Write the partition table to the desk and exit.

Format the Partitions

I think the boot partition should already be formatted at this point, but no harm in making sure.

# mkfs.vfat -F32 /dev/nvme0n1p1

Next, we’ll set up our encrypted partition.

# cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/nvme0n1p2
# cryptsetup luksOpen /dev/nvme0n1p2 luks

You’ll be asked for a password after the first cryptsetup command. You must remember this password as you won’t be able to boot into the system later without it. If you forget this password, all the data on the computer will be unrecoverable, so pick something good that you’ll remember.

Now, we need to set up our logical volumes. I just use two, one for swap, and one for the filesystem.

# pvcreate /dev/mapper/luks
# vgcreate vg0 /dev/mapper/luks
# lvcreate --size 16G vg0 --name swap
# lvcreate -l +100%FREE vg0 --name arch

Finally, let’s put filesystems on the LVM partitions

# mkfs.ext4 /dev/mapper/vg0-arch
# mkswap /dev/mapper/vg0-swap

and mount them.

# mount /dev/mapper/vg0-arch /mnt
# mkdir /mnt/boot
# mount /dev/nvme0n1p1 /mnt/boot
# swapon /dev/mapper/vg0-swap

Get on the Network

You’ll need to be connected to a network to download everything for the installation. This is now accomplished from the installer with the iwctl command. First, type

# iwctl

to bring up the interactive [iwd] prompt. From the prompt, type

[iwd]# station wlan0 connect <ssid>

where <ssid> is your wireless network name. It will ask you for the password. There will be no success or failure indication when you do this. Next, type

[iwd]# exit

to get out of the interactive prompt. Check that you have network connectivity now with something like:

# ping -c 3 google.com

Assuming you can ping Google, you should be in good shape.

Install the System

We’re ready to start installing the system.

# pacstrap -i /mnt base base-devel linux linux-firmware openssh git vim lvm2 efibootmgr

We’ll need to generate a fstab.

# genfstab -pU /mnt >> /mnt/etc/fstab

Now, let’s chroot into the system and set some things up that we’ll want.

# arch-chroot /mnt /bin/bash

Set the timezone and locale

# cd /etc
# ln -s /usr/share/zoneinfo/America/Los_Angeles localtime
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# vim /etc/locale.gen

and uncomment en_US.UTF-8 UTF-8, then

# locale-gen

I picked the host name idril for my laptop, but insert whatever you choose.

# echo idril > /etc/hostname
# hostnamectl set-hostname idril
# echo "127.0.0.1 localhost" >> /etc/hosts
# echo "::1       localhost" >> /etc/hosts
# echo "127.0.1.1 idril" >> /etc/hosts

Create a user, my standard username is chl but insert whatever you choose here.

# useradd -m -g users -G wheel -s /bin/bash chl
# passwd chl

This will let you set the password for your user. Then do

# visudo

and uncomment

%wheel ALL=(ALL) ALL

to give your user sudo access. I also did

# passwd

to set a password for my root user.

Next on the list is to configure mkinitcpio with the modules it needs.

# cd /etc
# vim mkinitcpio.conf

You want to add ext4 to MODULES. Then, you want to add encrypt and lvm2 to HOOKS before filesystems. This is what just those two lines from that file look like on my system:

MODULES=(ext4)
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)

Don’t touch anything else in there. Then run:

# mkinitcpio -p linux

We’re getting pretty close to having the base system ready to go. The last thing we need is to install the bootloader grub and set it up.

# pacman -S grub
# grub-install --target=x86_64-efi --efi-directory=/boot --recheck

To configure grub, you’ll edit a file:

# vim /etc/default/grub

and set GRUB_CMDLINE_LINUX as follows

GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p2:luks:allow-discards"

and then run

# grub-mkconfig -o /boot/grub/grub.cfg

Note that if you are trying to boot multiple operating systems, you would run os-prober before the grub-mkconfig command listed above.

If grub-mkconfig completes successfully, then you should have the system installed. But, it’s not very much fun to use at this point, so let’s do a bit more work.

Install a Desktop Environment

I am roughly 9000 years old now, so I like old school things like the simplicity of the MATE Desktop Environment.

# pacman -S mate mate-extra

will install the MATE desktop. We also need to install and set up a display manager.

# pacman -S lightdm lightdm-gtk-greeter
# systemctl enable lightdm

A desktop environment isn’t much use without X, so let’s do

# pacman -S xorg-server xf86-video-intel

We’ll also want our normal desktop networking setup:

# pacman -S networkmanager network-manager-applet blueman bluez
# systemctl enable networkmanager
# systemctl enable bluetooth

We need some extra firmware to make the sound card work correctly.

# pacman -S sof-firmware

And last, let’s make sure things look nice and legible.

# pacman -S noto-fonts ttf-dejavu ttf-liberation

Finish Up

Exit out of the chroot

# exit

then unmount things and shut down.

# umount -R /mnt
# swapoff -a
# poweroff

Now you should be able to remove the flash drive, power the computer on, and boot into Arch Linux. You’ll be asked to enter a password to unlock /dev/nvme0n1p2 and you’ll use the password from the cryptsetup step earlier.

Enjoy!

Also published on Medium.