Install Arch Linux ARM on a Raspberry Pi 4

In this article, we are going to see how to install Arch Linux ARM on a Raspberry Pi 4 Model B with 4 GB of RAM. The system on chip is a Broadcom BCM2711, which contains a quad-core Cortex-A72 running at 1.5 GHz.

Information and requirements

These elements are to be taken into consideration to follow this article:

Optional: overwrite device

[adrien@laptop ~]$ sudo shred -v --random-source=/dev/urandom -n 1 /dev/mmcblk0

Partition the SD card

[adrien@laptop ~]$ sudo fdisk /dev/mmcblk0

At the fdisk prompt, delete old partitions and create a new one:

Create and mount the FAT filesystem

[adrien@laptop ~]$ sudo mkfs.vfat /dev/mmcblk0p1
[adrien@laptop ~]$ mkdir boot
[adrien@laptop ~]$ sudo mount /dev/mmcblk0p1 boot

Create and mount the ext4 filesystem

[adrien@laptop ~]$ sudo mkfs.ext4 /dev/mmcblk0p2
[adrien@laptop ~]$ mkdir root
[adrien@laptop ~]$ sudo mount /dev/mmcblk0p2 root

Download and extract the root filesystem

[adrien@laptop ~]$ curl -LOsSf http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-aarch64-latest.tar.gz
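
The archive above is fetched over plain HTTP and then unpacked as root, so it should be authenticated before extraction. The following is an added example, not part of the original article: it assumes Arch Linux ARM publishes a detached signature next to the tarball with a .sig suffix and that the signing key is already in your GnuPG keyring; the fingerprint argument is a placeholder to be taken from the project's own site.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: <tarball>.sig exists beside the tarball, and the signing key
# has already been imported into the local GnuPG keyring.

# validsig_fpr: read `gpg --status-fd` output on stdin and print the
# primary-key fingerprint of a valid signature (prints nothing otherwise).
# VALIDSIG carries the signing (sub)key in field 3 and the primary key last.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper(NF >= 12 ? $12 : $3); exit }'
}

# verify_tarball TARBALL SIGFILE EXPECTED_FPR
# Succeeds only if SIGFILE is a valid signature over TARBALL made by the key
# whose full fingerprint the caller pinned in EXPECTED_FPR.
verify_tarball() {
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# fetch_and_verify EXPECTED_FPR: download tarball and signature, then verify.
fetch_and_verify() {
    name=ArchLinuxARM-rpi-aarch64-latest.tar.gz
    url=http://os.archlinuxarm.org/os/$name
    curl -LOsSf "$url" && curl -LOsSf "$url.sig" || return 1
    if verify_tarball "$name" "$name.sig" "$1"; then
        echo "signature OK: $name can be extracted"
    else
        echo "signature check FAILED: do not extract $name" >&2
        return 1
    fi
}

# Usage: sh verify.sh '<FINGERPRINT-PUBLISHED-BY-ARCH-LINUX-ARM>'  (placeholder)
if [ "$#" -eq 1 ]; then fetch_and_verify "$1"; fi
```

Comparing the full fingerprint from the VALIDSIG status line matters because a plain `gpg --verify` also succeeds for a signature made by any other key that happens to be in the keyring.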

Extract as root user (not via sudo) using bsdtar to preserve extended attributes and ACLs.

[adrien@laptop ~]$ su -
[root@laptop ~]# bsdtar -xpf /home/adrien/ArchLinuxARM-rpi-aarch64-latest.tar.gz -C /home/adrien/root
[root@laptop ~]# exit
logout

Write to disk all data in memory buffers.

[adrien@laptop ~]$ sync

Move boot files

[adrien@laptop ~]$ sudo mv root/boot/* boot

Update fstab

[adrien@laptop ~]$ sudo sed -i "s/mmcblk0/mmcblk1/g" root/etc/fstab

Unmount the partitions

[adrien@laptop ~]$ sudo umount boot root

Insert the SD card into the Raspberry Pi, connect the network, and apply the 5 V power supply.

First connection

You can find its IP address by scanning your local network.

[adrien@laptop ~]$ nmap -sn 192.168.0.0/24

The -sn flag tells Nmap not to do a port scan after host discovery, and to print only the hosts that responded to the scan. This is often known as a ping scan.

Now that the ARP table is updated, we can search it for the Raspberry Pi: the first three bytes of its MAC address, the OUI (Organizationally Unique Identifier), are dc:a6:32.

[adrien@laptop ~]$ ip neigh | grep -i "dc:a6:32"
192.168.0.17 dev wlp2s0 lladdr dc:a6:32:xx:xx:xx REACHABLE

The allocated address is 192.168.0.17. It is not possible to log in directly as root, so you have to go through the alarm user. The password is alarm.

[adrien@laptop ~]$ ssh alarm@192.168.0.17

Basic configurations

Switch to root user

The dash (-) starts the shell as a login shell with an environment similar to a real login.

[alarm@alarm ~]$ su -

The password is root.

Initialize the pacman keyring and populate the Arch Linux ARM package signing keys

[root@alarm ~]# pacman-key --init
[root@alarm ~]# pacman-key --populate archlinuxarm

Update the system

[root@alarm ~]# pacman -Syyuu --noconfirm

Install the basic software

[root@alarm ~]# pacman -S base-devel git sudo vim linux-rpi-headers

Add user

Here I create a user named pi; choose whatever username you want.

[root@alarm ~]# useradd -m -g users -G wheel pi

Set the password for the newly created user

[root@alarm ~]# passwd pi

Give sudo privileges

Uncomment line 82 (%wheel ALL=(ALL) ALL). Setting the EDITOR environment variable to vim makes the file easier to edit.

[root@alarm ~]# EDITOR=vim visudo

Delete the default user

[root@alarm ~]# userdel -fr alarm

Set timezone

[root@alarm ~]# timedatectl set-timezone Europe/Paris

Set the timezone depending on your location. You can use timedatectl list-timezones to list available timezones.

Set hostname

[root@alarm ~]# hostnamectl set-hostname ras-001

I chose this name to fit my local network, but you can put whatever you want.

Set the root password

[root@alarm ~]# passwd

Enable colors for package managers

[root@alarm ~]# sed -i "s/#Color/Color/" /etc/pacman.conf

Disable audit messages

The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system, but it also writes too many messages on the console.

[root@alarm ~]# systemctl mask systemd-journald-audit.socket

The basic configuration is now finished. Disconnect from root and alarm (press Ctrl+d twice); we will now log in with the newly created user.

Final configurations

[adrien@laptop ~]$ ssh pi@192.168.0.17
pi@192.168.0.17's password:

Install yay

Yay allows us to download and install packages from the AUR (Arch User Repository). The arguments are identical to pacman, so if you know pacman, you know yay.

[pi@ras-001 ~]$ git clone https://aur.archlinux.org/yay.git
[pi@ras-001 ~]$ cd yay
[pi@ras-001 yay]$ makepkg -si
[pi@ras-001 yay]$ cd
[pi@ras-001 ~]$ rm -rf yay

Update the system with yay

[pi@ras-001 ~]$ yay -Syyuu --noconfirm

Disable SSH password and root authentication

[pi@ras-001 ~]$ sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
[pi@ras-001 ~]$ sudo sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config

Configure access via SSH key pair

You have to generate an SSH key pair on your local machine, so you need the SSH tools installed there.

[adrien@laptop ~]$ ssh-keygen -t ed25519 -a 100 -f ~/.ssh/ras-001 -C "<comment>"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): <passphrase>
Enter same passphrase again: <confirm>

I recommend always using modern cryptography. In this case, I use the Ed25519 public-key signature system. The -a 100 option sets the number of KDF rounds used to protect the private key with the passphrase, and -C lets you provide a comment of your choice.

Configure this key pair to work with your Raspberry Pi

Add the following snippet to ~/.ssh/config.

Host	ras-001
	PubkeyAuthentication yes
	Hostname 192.168.0.17
	User pi
	Port 22
	IdentityFile ~/.ssh/ras-001

Copy the public key to the Raspberry Pi

[adrien@laptop ~]$ ssh-copy-id -i ~/.ssh/ras-001.pub pi@192.168.0.17
pi@192.168.0.17's password:

Connect with the SSH key pair

[adrien@laptop ~]$ ssh ras-001

Restart the SSH daemon

[pi@ras-001 ~]$ sudo systemctl restart sshd

Password authentication is no longer possible, and you can no longer connect as root over SSH.
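
The two sed commands used above exit successfully even when their pattern matches nothing, which leaves password and root logins enabled without any error. The following is an added example, not part of the original article, that runs those same substitutions on two constructed sample files and checks the resulting values the way sshd reads them (first occurrence of a keyword wins); it reads a single file and does not follow Include directives.

```shell
#!/bin/sh
# Added example, not from the original article. Sample files are constructed.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would take from the global section of FILE: keywords
# are case-insensitive, comment lines are skipped, first occurrence wins.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }   # later settings are conditional
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print def }     # keyword absent: built-in default
    ' "$1"
}

# apply_article_edits FILE: the two sed commands from the article, run on FILE.
apply_article_edits() {
    sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" "$1"
    sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" "$1"
}

# audit_sshd FILE: succeeds only if password and root logins are both off.
audit_sshd() {
    pa=$(effective_value "$1" PasswordAuthentication yes)
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    echo "PasswordAuthentication=$pa PermitRootLogin=$prl"
    [ "$pa" = "no" ] && [ "$prl" = "no" ]
}

# Constructed sample 1: stock commented defaults, as the sed patterns expect.
stock=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
    '#PasswordAuthentication yes' > "$stock"

# Constructed sample 2: directives already uncommented, so neither pattern
# matches and sed changes nothing while still exiting 0.
custom=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$custom"

for f in "$stock" "$custom"; do
    apply_article_edits "$f"
    if audit_sshd "$f"; then echo "OK: hardened"; else echo "FAIL: unchanged"; fi
done
```

On the Raspberry Pi itself, `sudo sshd -T` prints the configuration the daemon actually resolves, so grepping its output for passwordauthentication and permitrootlogin is the authoritative check after the restart.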

Miscellaneous

Update EEPROM

The Raspberry Pi 4 has an SPI-attached EEPROM (4MBits/512KB), which contains code to boot up the system and replaces bootcode.bin previously found in the boot partition of the SD card. Note that if a bootcode.bin is present in the boot partition of the SD card in a Pi 4, it is ignored.

The easiest way to update the bootloader to the latest version with default settings is to use the rpi-eeprom package.

[pi@ras-001 ~]$ yay -S rpi-eeprom

Check if an update is available

[pi@ras-001 ~]$ sudo rpi-eeprom-update
BCM2711 detected
Dedicated VL805 EEPROM detected
*** UPDATE AVAILABLE ***
BOOTLOADER: update available
CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110)
 LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
 LATEST: 000137ad

An update is available.

Update the EEPROM

[pi@ras-001 ~]$ sudo rpi-eeprom-update -a
BCM2711 detected
Dedicated VL805 EEPROM detected
BOOTFS /boot
*** INSTALLING EEPROM UPDATES ***
BOOTLOADER: update available
CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110)
 LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
 LATEST: 000137ad
BOOTFS /boot
EEPROM updates pending. Please reboot to apply the update.

As mentioned, a reboot is required to apply the changes. Once restarted, we can check that it has been updated correctly.

[pi@ras-001 ~]$ sudo rpi-eeprom-update
BCM2711 detected
Dedicated VL805 EEPROM detected
BOOTLOADER: up-to-date
CURRENT: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
 LATEST: 000137ad

Your Raspberry Pi now has Arch Linux ARM freshly installed and everything is up to date!