Microsoft Surface Pro 3 with Arch Linux and i3
(Dual) Booting Arch Linux (and Windows) with UEFI and Secure Boot
-
Save all your files, will will format the whole file system.
-
Download Arch Linux ISO [archlinux-yyyy.mm.dd-dual.iso] [arch] via HTTP Direct Downloads (choose a Mirror) or BitTorrent Download [arch]: https://www.archlinux.org/download/ "Arch Linux Downloads"
-
Create UEFI bootable USB device (with [Rufus] [rufus] and default settings) [rufus]: https://rufus.akeo.ie/ "Rufus"
-
Disable Secure Boot Source: Windows [win:sb]
- Shut down your Surface.
- Press and hold the volume-up button on your Surface and at the same time, press and release the power button.
- When you see the Surface logo, release the volume-up button. The UEFI menu will display within a few seconds.
- Disable Secure Boot Control [win:sb]: https://www.microsoft.com/surface/en-us/support/warranty-service-and-recovery/how-to-use-the-bios-uefi?os=windows-10&=undefined "Windows"
-
(Optionally: Disable Windows Fast Boot — to switch between operating systems)
Installing the Linux distro
Insert the live USB and boot by holding volume down, then the power button.
Optionally set the keyboard layout (default is US)
$ loadkeys de-latin1
Set or in this case increase the font size
$ setfont latarcyrheb-sun32
Connect to the Internet
$ iw dev # list wireless devices
$ iw dev wlp1s0 link # Print information about the current link
$ wifi-menu -o wlp1s0 # -o hides the password
Update the system clock
$ timedatectl set-ntp true
$ timedatectl status
$ timedatectl set-timezone Europe/Berlin
Partitioning
Note: Using parted with mkpart defines partitions via a from and a to
argument.
$ lsblk # list devices /dev/sda?
$ parted /dev/sdx # could be /dev/sda
(parted) mklabel gpt # for UEFI
(parted) mkpart ESP fat32 1MiB 513MiB # EFI System Partition
(parted) set 1 boot on
(parted) mkpart primary linux-swap 513MiB 9GiB # for 8GB DRAM
(parted) mkpart primary ext4 9GiB 40% # Linux partition
(parted) mkpart primary ntfs 40% 60% # Shared partition
(parted) quit
That last entry is for a shared NTFS filesystem that both operating systems (Linux and Windows) can use, e. g. for a cloud service like Dropbox, email, downloads, etc. The Windows section is left unallocated, it will be formatted by the windows installer.
Formatting
$ mkfs.fat -F32 /dev/sdx1 # UEFI boot must be fat32
$ mkswap /dev/sdx2
$ swapon /dev/sdx2
$ mkfs.ext4 /dev/sdx3 # Linux root
$ mkfs.ntfs -f /dev/sdx4
Mount
Mount the root partition on /mnt and for the boot partition first create
directory and then mount it also.
$ mount /dev/sdx3 /mnt
$ mkdir -p /mnt/boot
$ /dev/sbx1 /mnt/boot
Install the base packages and configure the system
Edit /etc/pacman.d/mirrorlist and select a download mirror (uncommenting the
specific line). see also Arch Linux Wiki: Mirrors [arch:mirrors]
[arch:mirrors]: https://wiki.archlinux.org/index.php/Mirrors "Arch Linux Mirrors"
Install the base packages or more
$ pacstrap /mnt base
# or
$ pacstrap -i /mnt base base-devel btrfs-progs
Generate an fstab file, so the filesystem knows how to mount the disk
partitions. see also Arch Linux Wiki: fstab [arch:fstab]
[arch:fstab]: https://wiki.archlinux.org/index.php/Fstab "Arch Linux fstab"
$ genfstab -U /mnt >> /mnt/etc/fstab
Change root into the new system
$ arch-chroot /mnt /bin/bash # bash shell instead of the default sh
For localizations uncomment en_US.UTF-8 UTF-8 and other needed localizations
in /etc/locale.gen, e. g. de_DE.UTF-8 UTF-8. Finally generate the locale
files:
$ locale-gen
Set the LANG variable in /etc/locale.conf accordingly
LANG=en_US.UTF-8
Optionally set the keyboard layout and set the font in /etc/vconsole.conf
KEYMAP=de-latin1
FONT=latarcyrheb-sun32
Set the time zone, e. g. for Germany as Europe/Berlin. Three ways possible: see also Arch Linux Wiki: Time zone [arch:tz] [arch:tz]: https://wiki.archlinux.org/index.php/Fstab "Arch Linux Time zone"
-
interactively with
tzselect(e. g. 7) Europe, 16) Germany, 2) Germany, 1) yes), -
via
timedatectl$ timedatectl # check the current zone $ timedatectl list-timezones # list available zones $ timedatectl set-timezone Europe/Berlin # change your time zone -
or create the symlink manually
$ ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
Set the Hardware Clock from the System Clock, and update the timestamps in
/etc/adjtime via:
hwclock --systohc --utc
Create an entry for your hostname in /etc/hostname (witch is a computer name):
surfacepro3
A matching entry in /etc/hosts is recommended
127.0.0.1 localhost.localdomain localhost surfacepro3
::1 localhost.localdomain localhost surfacepro3
Set the root password:
$ passwd
Bootloader
Install the bootloader.
$ pacman -S efibootmgr efitools
$ bootctl --path=/boot install
Custom entries for the Systemd-boot must be made for linux kernels.
Edit /boot/loader/loader.conf
default arch
timeout 4
editor 0
Install the intel microcode updater and note the PARTUUID for the root /
partition on your Arch drive /dev/sdx3 via blkid
$ pacman -S intel-ucode
$ blkid
Add the boot entry for the linux kernel in /boot/loader/entries/arch.conf and
load the intel microcode updater before initramfs
title Arch
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=PARTUUID=THE-NUMBER-GIVEN-BY-BLKID rw
Download a Microsoft-signed loader and hashing tool, to generate compatible keys for any kernel, tool, etc. Also, change (copy) the name of the standard systemd bootloader so that the PreLoader will recognize it
$ cd /boot/EFI/systemd
$ pacman -S wget
$ wget http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
$ wget http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
$ cp /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/loader.efi
The boot order on the motherboard NVRAM has to be changed so that PreLoader.efi and HashTool.efi are present
$ efibootmgr -c -d /dev/sdx -p 1 -L PreLoader -l /EFI/systemd/PreLoader.efi
$ efibootmgr -c -d /dev/sdx -p 1 -L HashTool -l /EFI/systemd/HashTool.efi
and in the correct order; PreLoader, HashTool and Linux Boot Manager.
$ efibootmgr -v # get the numbers 000x
$ efibootmgr -o 000P,000H,000L # in my case it was 0003,0004,0000
Exit the root shell
exit
Unmount all the partitions
umount -R /mnt
Restart the machine
reboot
Turn secure boot back on. After reboot you should be loaded into a blue screen. The screen prompts you that no signed binaries were found and that you need to sign them (Enroll). Using the HashTool the following items MUST be signed for the Linux kernel to boot correctly:
/boot/EFI/systemd/loader.efi
/boot/vmlinuz-linux
You can navigate back through folders using the ../ option. If you forgot to
sign something and can not boot, don’t worry. You can load up the live USB
(disable Secure Boot), and set HashTool.efi to be the first boot entry
using efibootmgr. Then, you can re-sign (enroll) as needed.
Installing Windows
Install windows normally.
Before you restart for the first time disable fast startup (Windows 10)
- Type Control Panel in the search box.
- Click Control Panel.
- Click Power Options.
- Click Choose what the power buttons do.
- Click Change settings that are currently unavailable.
- Scroll down to Shutdown settings and uncheck Turn on fast startup.
- Click Save changes.
To make Systemd-boot able to load windows through PreLoader.efi the Windows boot
manager must be on the same ESP. But Windows will see the ESP and install it’s
manager to /boot/EFI/Microsoft/.
Windows will overwrite your existing boot order in NVRAM to place its boot manager first. Load up the live USB again (disable Secure Boot) and change the boot order back to PreLoader.efi being first:
$ mount /dev/sdx3 /mnt # the Arch / partition
$ mount /dev/sdx1 /mnt/boot # The Arch /boot partition
$ arch-chroot /mnt /bin/bash
$ efibootmgr -v # get the numbers 000x
$ efibootmgr -o 000P,000H,000L,000W
$ exit
$ umount -R /mnt
$ reboot
To make an entry in the systemd-boot menu as default select the entry and press
d.
It could be handy to make Windows the default entry because of automatic updates
that require multiple restarts, etc.