Install Arch Linux ARM on a Raspberry Pi 4

In this article, we are going to see how to install an Arch Linux on a Raspberry Pi model B with 4 GB of RAM. The system on chip is a Broadcom BCM2711. This contains a quad-core Cortex-A72 running at 1.5 GHz.

Information and requirements

These elements are to be taken into consideration to follow this article:

• the manipulations are carried out on Arch Linux,
• superuser rights are required (storage device operations).

Optional: overwrite device

sudo shred --verbose --random-source=/dev/urandom --iterations 1 /dev/mmcblk0

Partition the SD card

sudo fdisk /dev/mmcblk0

At the fdisk prompt, delete old partitions and create a new one:

• type o, this will clear out any partitions on the drive,
• type p to list partitions, there should be no partitions left,
• type n, then p for primary, 1 for the first partition on the drive, press ENTER to accept the default first sector, then type +100M for the last sector,
• type t, then c to set the first partition to type W95 FAT32 (LBA),
• type n, then p for primary, 2 for the second partition on the drive, and then press ENTER twice to accept the default first and last sector,
• write the partition table and exit by typing w.

Create the filesystem

sudo mkfs.vfat /dev/mmcblk0p1
mkdir boot
sudo mount /dev/mmcblk0p1 boot

Mount the ext4 filesystem

sudo mkfs.ext4 /dev/mmcblk0p2
mkdir root
sudo mount /dev/mmcblk0p2 root

Download and extract the root filesystem

curl -Lo archlinux.tar.gz -sSf http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-4-latest.tar.gz
sudo bsdtar -xpf archlinux.tar.gz -C root
sync

Move boot files

sudo mv root/boot/* boot

Unmount the partitions

sudo umount boot root

Insert the SD card into the Raspberry Pi, connect the network, and apply 5 V power supply.

First connection

You can find its IP address by scanning your local network.

nmap -sn 192.168.0.0/24

Flags -sn tell Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a ping scan.

Now that the ARP table is updated, we can consult it because we know that the first three bytes, the OUI (Organizationally Unique Identifier) corresponds to dc:a6:33, you can find this information here.

ip neigh | grep -i "dc:a6:32"
192.168.0.17 dev wlp2s0 lladdr dc:a6:32:xx:xx:xx STALE

The allocated address is 192.168.0.17. It is not possible to log in directly as root, so you have to go through the alarm user. The password is alarm.

ssh alarm@192.168.0.17

Basic configurations

Switch to root user

The dash (-) starts the shell as a login shell with an environment similar to a real login.

su -

The password is root.

Initialize the pacman keyring and populate the Arch Linux ARM package

pacman-key --init
pacman-key --populate archlinuxarm

Update the system

pacman -Syyuu

Install the basic softwares

pacman -S base-devel git sudo vim linux-raspberrypi4-headers

Add a user

useradd -m -g users -G wheel <username>

Replace <username> with the username of your choice.

Set the password for the newly created user

passwd <username>

Give sudo privileges

Uncomment the line 82 (%wheel ALL=(ALL) ALL) by setting EDITOR environment variable to vim to make it easier to edit.

EDITOR=vim visudo

Delete the default user

userdel -fr alarm

Set timezone

timedatectl set-timezone Europe/Paris

Set the timezone depending on your location. You can use timedatectl list-timezones to list available timezones.

Set hostname

hostnamectl set-hostname ras-001

According to my local network, I have set this name, but you can put whatever you want.

Set the root password

passwd

Enable colors for pacman, yay…

sed -i "s/#Color/Color/" /etc/pacman.conf

Disable audit messages

The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system. But it also writes too messages on the console. Add audit=0 at the end of /boot/cmdline.txt, your file should look like this:

root=/dev/mmcblk0p2 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop audit=0

The basic configurations are now finished. Disconnect from root and alarm (press Ctrl+d twice), we will log in with the newly created user.

Final configurations

ssh <username>@192.168.0.17

Install yay

Yay allows us to download and install packages from the AUR (Arch User Repository). The arguments are identical to pacman, so if you know pacman, you know yay.

git clone https://aur.archlinux.org/yay.git /tmp/yay
cd /tmp/yay
makepkg -si
cd
rm -rf /tmp/yay

Update the system with yay

yay -Syyuu

Disable SSH password and root authentication

sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sudo sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config

Uncomment the lines above.

Configure access via SSH key pair

You have to generate SSH key pair on your local machine, so you need SSH tools.

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/ras-001 -C <comment>
<passphrase>
<confirm>

I recommend you to always use advanced cryptography technologies. In this case, I use Ed25519 public-key signature system. The -C allows you to provide a comment, put what you want.

Configure this key pair to work with you Raspberry Pi

Add the followng snippet into ~/.ssh/config.

Host	ras-001
	PubkeyAuthentication yes
	Hostname 192.168.0.17
	User <username>
	Port 22
	IdentityFile ~/.ssh/ras-001

Copy the public key to the Raspberry Pi

ssh-copy-id -i ~/.ssh/ras-001.pub 192.168.0.17
<username's account password>

Connect with the SSH key pair

ssh ras-001
<passphrase>

Restart the SSH daemon

sudo systemctl restart sshd

Now, the authentication via password is not possible anymore and also, you can’t connect via root user through SSH.

Miscellaneous

Update EEPROM

The Raspberry Pi 4 has an SPI-attached EEPROM (4MBits/512KB), which contains code to boot up the system and replaces bootcode.bin previously found in the boot partition of the SD card. Note that if a bootcode.bin is present in the boot partition of the SD card in a Pi 4, it is ignored.

The easiest way to to update the bootloader to the latest version with default settings is to use the rpi-eeprom package.

yay -S rpi-eeprom

Check if an update is available

sudo rpi-eeprom-update
BCM2711 detected
Dedicated VL805 EEPROM detected
*** UPDATE AVAILABLE ***
BOOTLOADER: update available
CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110)
 LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
 LATEST: 000137ad

An update is available.

Update the EEPROM

sudo rpi-eeprom-update -a
BCM2711 detected
Dedicated VL805 EEPROM detected
BOOTFS /boot
*** INSTALLING EEPROM UPDATES ***
BOOTLOADER: update available
CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110)
 LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
 LATEST: 000137ad
BOOTFS /boot
EEPROM updates pending. Please reboot to apply the update.

As mentioned, a reboot is required to apply the changes. Once restarted, we can check that it has been updated correctly.

sudo rpi-eeprom-update
BCM2711 detected
Dedicated VL805 EEPROM detected
BOOTLOADER: up-to-date
CURRENT: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
 FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
 LATEST: 000137ad

Your Raspberry Pi has now Arch Linux ARM freshly installed and everything is up to date!