
Installing Arch Linux on VMware (Fusion) - Part 2

The previous post went through the installation of Arch Linux in VMware. This post goes through some additional configuration, namely Secure Boot and replacing systemd-boot with an EFISTUB.


Step 13 - Install Paru

To make life easier, we're going to install paru in order to simplify the installation of packages from the AUR:

git clone https://aur.archlinux.org/paru.git /tmp/paru
cd /tmp/paru
makepkg -si

Step 14 - Install required packages

First, let's install the necessary prerequisites (note: whilst we also need efitools and sbsigntools, they get installed as a dependency of the below):

paru sbkeys

gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-keys F6532C30466E8B3E
paru sbupdate-git 

Step 15 - Generate Secure Boot assets

First, we'll generate the necessary Secure Boot assets and copy the certificates to /boot/tmp/ (so that we can add them to VMware's BIOS):

sudo -i

cd /etc/efi-keys
sbkeys

mkdir /boot/tmp
cp *.cer /boot/tmp/

exit

Step 16 - Configure automatic kernel signing

First, we need to configure sbupdate by backing up the default config and creating a new one as follows:

sudo mv /etc/sbupdate.conf /etc/sbupdate.conf.bak
sudo nano /etc/sbupdate.conf

Now, enter the following into /etc/sbupdate.conf, replacing the UUID in CMDLINE_DEFAULT:

KEY_DIR="/etc/efi-keys"
ESP_DIR="/boot"
OUT_DIR="EFI/Arch"
SPLASH="/usr/share/systemd/bootctl/splash-arch.bmp"
BACKUP=1
EXTRA_SIGN=('/boot/EFI/BOOT/BOOTX64.EFI' '/boot/efi/systemd/systemd-bootx64.efi')
CMDLINE_DEFAULT="root=UUID=000000-0000-0000-0000-000000000000 rw quiet"

CONFIGS["linux"]="linux linux-fallback"
CONFIGS["linux-hardened"]="linux-hardened linux-hardened-fallback"
CONFIGS["linux-lts"]="linux-lts linux-lts-fallback"
CONFIGS["linux-zen"]="linux-zen linux-zen-fallback"

Now that sbupdate has been configured, run the following:

sudo sbupdate

Step 17 - Adding the loader(s) (again)

We're now going to undo the hard work we did on systemd-boot in Part 1. This is because, as part of the Secure Boot implementation, we are going to boot from a unified kernel image.

With this in mind, let's archive the existing boot loader entries:

sudo -i
cd /boot/loader/entries
for file in *; do mv -- "$file" "$file.bak"; done
exit

We'll now create a new boot entry for the unified kernel image:

sudo nano /boot/loader/entries/00-arch-stable.conf

The new boot entry is much less complicated than it was previously, being simply:

title   Arch Linux - Stable
efi     /EFI/Arch/linux-signed.efi

Now, if you've installed additional kernels, repeat this for 01-arch-hardened.conf, 02-arch-lts.conf and 03-arch-zen.conf and

Step 18 - Create EFISTUB entries

Enter the following:

sudo -i
efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux - Stable" --loader /EFI/Arch/linux-signed.efi --verbose
efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux - Hardened" --loader /EFI/Arch/linux-hardened-signed.efi --verbose
efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux - LTS" --loader /EFI/Arch/linux-lts-signed.efi --verbose
efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux - Zen" --loader /EFI/Arch/linux-zen-signed.efi --verbose
exit
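
Before shutting down, it is worth confirming that every loader entry points at an image that will pass verification once Secure Boot is enforced; these are the same image paths given to efibootmgr above. This is an added example, not part of the original guide: check_entries is a hypothetical helper, and the certificate path passed to it is an assumption (use the db certificate that sbkeys wrote to /etc/efi-keys).

```bash
# Added example (not from the original guide).
# check_entries ESP_DIR DB_CERT
# For every ESP_DIR/loader/entries/*.conf, resolve its "efi" line to a file
# on the ESP and verify that file against DB_CERT with sbverify (sbsigntools).
# Returns non-zero if any entry would fail once Secure Boot is enforced.
# Usage, as root; the certificate file name is an assumption:
#   check_entries /boot /etc/efi-keys/db.crt
check_entries() {
  esp=$1 cert=$2 bad=0 found=0
  for entry in "$esp"/loader/entries/*.conf; do
    [ -f "$entry" ] || continue          # glob matched nothing
    found=1
    # Second field of the first line whose first field is "efi".
    path=$(awk '$1 == "efi" { print $2; exit }' "$entry")
    img=$esp$path
    if [ -z "$path" ]; then
      echo "NO-EFI   $entry (not a unified kernel image entry)"; bad=1
    elif [ ! -f "$img" ]; then
      echo "MISSING  $img (from $entry)"; bad=1
    elif sbverify --cert "$cert" "$img" >/dev/null 2>&1; then
      echo "ok       $img"
    else
      echo "BADSIG   $img (not signed by $cert)"; bad=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "NO-ENTRIES under $esp/loader/entries"; bad=1; }
  return "$bad"
}
```

Entries archived as *.bak in Step 17 are skipped, so only the new unified-image entries are checked.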

Now we're ready to configure the BIOS, so enter:

sudo shutdown -h now

Step 19 - Configure BIOS

Now that Secure Boot has been configured within the OS, we need to make some tweaks to the BIOS, as follows:

Set the .vmx options

Navigate to your vm-name.vmx (which, for VMware Fusion, will be located in ~/Virtual Machines.localized/vm-name.vmwarevm/vm-name.vmwarevm/vm-name.vmx) and add the following lines:

uefi.allowAuthBypass = "TRUE"
uefi.secureBoot.enabled = "FALSE"

Following this, the BIOS needs configuring. Boot the VM and immediately hammer F2, then proceed through the following steps:

Configure screen size

  1. Select Enter setup
  2. Select Configure screen size
  3. Set screen size to 128 x 40
  4. Select Commit changes and exit.

Load Secure Boot certificates

  1. Select Enter setup
  2. Select Secure Boot Configuration
  3. Select PK Options
  4. Select Enroll PK
  5. Select Enroll PK Using File
  6. Navigate to /boot/tmp/ and select PK.cer
  7. Select Commit Changes and Exit
  8. Repeat Steps 3-7 for KEK Options and DB Options
  9. Press Esc to exit Secure Boot Options.

Change boot order

  1. Select Enter setup

  2. Select Configure boot options

  3. Select Change boot order

  4. Ensure that your Arch Linux - * entries are prioritised over Linux Boot Manager - I would suggest the following order works well:

    • Arch Linux - Zen
    • Arch Linux - Stable
    • Arch Linux - Hardened
    • Arch Linux - LTS
    • Linux Boot Manager
    • EFI VMware Virtual NVME Namespace (NSID 1)
    • EFI Vmware Virtual IDE CDROM Drive (IDE 1:0)
    • EFI Network
    • EFI Internal Shell (Unsupported option)
  5. When you have finished ordering the boot entries, press Enter

  6. Select Commit changes and exit.

Disable boot options

  1. Select Enter setup
  2. Select Configure boot options
  3. Select Enable or disable boot option
  4. Ensure that only the following entries are enabled:
    • Arch Linux - Zen
    • Arch Linux - Stable
    • Arch Linux - Hardened
    • Arch Linux - LTS
  5. Select Commit changes and exit
  6. Select Shut down the system.

Set the .vmx options (again)

Now, navigate again to your vm-name.vmx and set the following lines, which switch Secure Boot on and turn the authentication bypass back off:

uefi.allowAuthBypass = "FALSE"
uefi.secureBoot.enabled = "TRUE"
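
A quick way to confirm the VM was left in the enforced state rather than the enrolment state, as an added example that is not part of the original guide: vmx_value, expect and audit_vmx are hypothetical helper names, and matching keys case-insensitively is an assumption. A key that appears twice, which can happen if the lines are added a second time rather than edited, is reported as a failure.

```bash
# Added example (not from the original guide): audit a .vmx for the state
# this guide ends on. Assumes one key per line, keys matched case-insensitively.
# Usage: audit_vmx /path/to/vm-name.vmx

# vmx_value KEY FILE: print the value of KEY.
# Exit status: 0 found once, 3 not set, 4 set more than once.
vmx_value() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    {
      line = $0
      sub(/\r$/, "", line)                 # tolerate CRLF line endings
      eq = index(line, "=")
      if (eq == 0) next
      key = tolower(substr(line, 1, eq - 1))
      gsub(/[ \t]/, "", key)
      if (key != want) next
      val = substr(line, eq + 1)
      gsub(/^[ \t]*"|"[ \t]*$/, "", val)   # strip surrounding quotes
      seen++
    }
    END {
      if (seen == 0) exit 3
      if (seen > 1) exit 4
      print val
    }' "$2"
}

# expect KEY WANT FILE: print a verdict; succeed only if KEY is set once to WANT.
expect() {
  if got=$(vmx_value "$1" "$3"); then
    up=$(printf '%s' "$got" | tr '[:lower:]' '[:upper:]')
    [ "$up" = "$2" ] && { echo "ok    $1 = $got"; return 0; }
    echo "FAIL  $1 = $got (want $2)"
  else
    case $? in
      4) echo "FAIL  $1 is set more than once" ;;
      *) echo "FAIL  $1 is not set (want $2)" ;;
    esac
  fi
  return 1
}

# audit_vmx FILE: non-zero unless Secure Boot is on and the bypass is off.
audit_vmx() {
  [ -r "$1" ] || { echo "FAIL  cannot read $1"; return 1; }
  rc=0
  expect uefi.secureBoot.enabled TRUE "$1" || rc=1
  expect uefi.allowAuthBypass FALSE "$1" || rc=1
  return "$rc"
}
```
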
Peter Lewis
Author
