Install Arch Linux ARM on a Raspberry Pi 4
In this article, we are going to see how to install an Arch Linux on a Raspberry Pi model B with 4 GB of RAM. The system on chip is a Broadcom BCM2711. This contains a quad-core Cortex-A72 running at 1.5 GHz.
Information and requirements
These elements are to be taken into consideration to follow this article:
- the manipulations are carried out on Arch Linux,
- superuser rights are required (storage device operations).
Optional: overwrite device
sudo shred --verbose --random-source=/dev/urandom --iterations 1 /dev/mmcblk0
Partition the SD card
sudo fdisk /dev/mmcblk0
At the fdisk prompt, delete old partitions and create a new one:
o, this will clear out any partitions on the drive,
pto list partitions, there should be no partitions left,
1for the first partition on the drive, press
ENTERto accept the default first sector, then type
+200Mfor the last sector,
cto set the first partition to type
W95 FAT32 (LBA),
2for the second partition on the drive, and then press
ENTERtwice to accept the default first and last sector,
- write the partition table and exit by typing
Create the filesystem
sudo mkfs.vfat /dev/mmcblk0p1 mkdir boot sudo mount /dev/mmcblk0p1 boot
Mount the ext4 filesystem
sudo mkfs.ext4 /dev/mmcblk0p2 mkdir root sudo mount /dev/mmcblk0p2 root
Download and extract the root filesystem
curl -Lo archlinux.tar.gz -sSf http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-aarch64-latest.tar.gz sudo bsdtar -xpf archlinux.tar.gz -C root sync
Move boot files
sudo mv root/boot/* boot
sudo sed -i 's/mmcblk0/mmcblk1/g' root/etc/fstab
Unmount the partitions
sudo umount boot root
Insert the SD card into the Raspberry Pi, connect the network, and apply 5 V power supply.
You can find its IP address by scanning your local network.
nmap -sn 192.168.0.0/24
-sn tell Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a ping scan.
Now that the ARP table is updated, we can consult it because we know that the first three bytes, the OUI (Organizationally Unique Identifier) corresponds to
dc:a6:33, you can find this information here.
ip neigh | grep -i "dc:a6:32" 192.168.0.17 dev wlp2s0 lladdr dc:a6:32:xx:xx:xx REACHABLE
The allocated address is
192.168.0.17. It is not possible to log in directly as root, so you have to go through the alarm user. The password is
Switch to root user
The dash (
-) starts the shell as a login shell with an environment similar to a real login.
The password is root.
Initialize the pacman keyring and populate the Arch Linux ARM package
pacman-key --init pacman-key --populate archlinuxarm
Update the system
Install the basic softwares
pacman -S base-devel git sudo vim linux-raspberrypi4-headers
Add a user
useradd -m -g users -G wheel <username>
<username> with the username of your choice.
Set the password for the newly created user
Give sudo privileges
Uncomment the line 82 (
%wheel ALL=(ALL) ALL) by setting
EDITOR environment variable to
vim to make it easier to edit.
Delete the default user
userdel -fr alarm
timedatectl set-timezone Europe/Paris
Set the timezone depending on your location. You can use
timedatectl list-timezones to list available timezones.
hostnamectl set-hostname ras-001
According to my local network, I have set this name, but you can put whatever you want.
Set the root password
Enable colors for pacman, yay…
sed -i "s/#Color/Color/" /etc/pacman.conf
Disable audit messages
The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system. But it also writes too messages on the console. Add
audit=0 at the end of
/boot/cmdline.txt, your file should look like this:
root=/dev/mmcblk0p2 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop audit=0
The basic configurations are now finished. Disconnect from root and alarm (press
Ctrl+d twice), we will log in with the newly created user.
Yay allows us to download and install packages from the AUR (Arch User Repository). The arguments are identical to
pacman, so if you know
pacman, you know
git clone https://aur.archlinux.org/yay.git /tmp/yay cd /tmp/yay makepkg -si cd rm -rf /tmp/yay
Update the system with yay
yay -Syyuu --noconfirm
Disable SSH password and root authentication
sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sudo sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
Configure access via SSH key pair
You have to generate SSH key pair on your local machine, so you need SSH tools.
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/ras-001 -C <comment> <passphrase> <confirm>
I recommend you to always use advanced cryptography technologies. In this case, I use Ed25519 public-key signature system. The
-C allows you to provide a comment, put what you want.
Configure this key pair to work with you Raspberry Pi
Add the followng snippet into
Host ras-001 PubkeyAuthentication yes Hostname 192.168.0.17 User <username> Port 22 IdentityFile ~/.ssh/ras-001
Copy the public key to the Raspberry Pi
ssh-copy-id -i ~/.ssh/ras-001.pub 192.168.0.17 <username's account password>
Connect with the SSH key pair
ssh ras-001 <passphrase>
Restart the SSH daemon
sudo systemctl restart sshd
Now, the authentication via password is not possible anymore and also, you can’t connect via root user through SSH.
The Raspberry Pi 4 has an SPI-attached EEPROM (4MBits/512KB), which contains code to boot up the system and replaces
bootcode.bin previously found in the boot partition of the SD card. Note that if a
bootcode.bin is present in the boot partition of the SD card in a Pi 4, it is ignored.
The easiest way to to update the bootloader to the latest version with default settings is to use the
yay -S rpi-eeprom
Check if an update is available
sudo rpi-eeprom-update BCM2711 detected Dedicated VL805 EEPROM detected *** UPDATE AVAILABLE *** BOOTLOADER: update available CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110) LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086) FW DIR: /lib/firmware/raspberrypi/bootloader/critical VL805: up-to-date CURRENT: 000137ad LATEST: 000137ad
An update is available.
Update the EEPROM
sudo rpi-eeprom-update -a BCM2711 detected Dedicated VL805 EEPROM detected BOOTFS /boot *** INSTALLING EEPROM UPDATES *** BOOTLOADER: update available CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110) LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086) FW DIR: /lib/firmware/raspberrypi/bootloader/critical VL805: up-to-date CURRENT: 000137ad LATEST: 000137ad BOOTFS /boot EEPROM updates pending. Please reboot to apply the update.
As mentioned, a reboot is required to apply the changes. Once restarted, we can check that it has been updated correctly.
sudo rpi-eeprom-update BCM2711 detected Dedicated VL805 EEPROM detected BOOTLOADER: up-to-date CURRENT: Thu Apr 16 17:11:26 UTC 2020 (1587057086) LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086) FW DIR: /lib/firmware/raspberrypi/bootloader/critical VL805: up-to-date CURRENT: 000137ad LATEST: 000137ad
Your Raspberry Pi has now Arch Linux ARM freshly installed and everything is up to date!