Install Arch Linux ARM on a Raspberry Pi 4
In this article, we are going to see how to install an Arch Linux on a Raspberry Pi model B with 4 GB of RAM. The system on chip is a Broadcom BCM2711. This contains a quad-core Cortex-A72 running at 1.5 GHz.
Information and requirements
These elements are to be taken into consideration to follow this article:
- the manipulations are carried out on Arch Linux,
- superuser rights are required (storage device operations).
Optional: overwrite device
sudo shred --verbose --random-source=/dev/urandom --iterations 1 /dev/mmcblk0
Partition the SD card
sudo fdisk /dev/mmcblk0
At the fdisk prompt, delete old partitions and create a new one:
- type
o
, this will clear out any partitions on the drive, - type
p
to list partitions, there should be no partitions left, - type
n
, thenp
for primary,1
for the first partition on the drive, pressENTER
to accept the default first sector, then type+100M
for the last sector, - type
t
, thenc
to set the first partition to typeW95 FAT32 (LBA)
, - type
n
, thenp
for primary,2
for the second partition on the drive, and then pressENTER
twice to accept the default first and last sector, - write the partition table and exit by typing
w
.
Create the filesystem
sudo mkfs.vfat /dev/mmcblk0p1
mkdir boot
sudo mount /dev/mmcblk0p1 boot
Mount the ext4 filesystem
sudo mkfs.ext4 /dev/mmcblk0p2
mkdir root
sudo mount /dev/mmcblk0p2 root
Download and extract the root filesystem
curl -Lo archlinux.tar.gz -sSf http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-4-latest.tar.gz
sudo bsdtar -xpf archlinux.tar.gz -C root
sync
Move boot files
sudo mv root/boot/* boot
Unmount the partitions
sudo umount boot root
Insert the SD card into the Raspberry Pi, connect the network, and apply 5 V power supply.
First connection
You can find its IP address by scanning your local network.
nmap -sn 192.168.0.0/24
Flags -sn
tell Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a ping scan.
Now that the ARP table is updated, we can consult it because we know that the first three bytes, the OUI (Organizationally Unique Identifier) corresponds to dc:a6:33
, you can find this information here.
ip neigh | grep -i "dc:a6:32"
192.168.0.17 dev wlp2s0 lladdr dc:a6:32:xx:xx:xx STALE
The allocated address is 192.168.0.17
. It is not possible to log in directly as root, so you have to go through the alarm user. The password is alarm
.
ssh alarm@192.168.0.17
Basic configurations
Switch to root user
The dash (-
) starts the shell as a login shell with an environment similar to a real login.
su -
The password is root.
Initialize the pacman keyring and populate the Arch Linux ARM package
pacman-key --init
pacman-key --populate archlinuxarm
Update the system
pacman -Syyuu
Install the basic softwares
pacman -S base-devel git sudo vim linux-raspberrypi4-headers
Add a user
useradd -m -g users -G wheel <username>
Replace <username>
with the username of your choice.
Set the password for the newly created user
passwd <username>
Give sudo privileges
Uncomment the line 82 (%wheel ALL=(ALL) ALL
) by setting EDITOR
environment variable to vim
to make it easier to edit.
EDITOR=vim visudo
Delete the default user
userdel -fr alarm
Set timezone
timedatectl set-timezone Europe/Paris
Set the timezone depending on your location. You can use timedatectl list-timezones
to list available timezones.
Set hostname
hostnamectl set-hostname ras-001
According to my local network, I have set this name, but you can put whatever you want.
Set the root password
passwd
Enable colors for pacman, yay…
sed -i "s/#Color/Color/" /etc/pacman.conf
Disable audit messages
The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system. But it also writes too messages on the console. Add audit=0
at the end of /boot/cmdline.txt
, your file should look like this:
root=/dev/mmcblk0p2 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop audit=0
The basic configurations are now finished. Disconnect from root and alarm (press Ctrl+d
twice), we will log in with the newly created user.
Final configurations
ssh <username>@192.168.0.17
Install yay
Yay allows us to download and install packages from the AUR (Arch User Repository). The arguments are identical to pacman
, so if you know pacman
, you know yay
.
git clone https://aur.archlinux.org/yay.git /tmp/yay
cd /tmp/yay
makepkg -si
cd
rm -rf /tmp/yay
Update the system with yay
yay -Syyuu
Disable SSH password and root authentication
sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sudo sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
Uncomment the lines above.
Configure access via SSH key pair
You have to generate SSH key pair on your local machine, so you need SSH tools.
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/ras-001 -C <comment>
<passphrase>
<confirm>
I recommend you to always use advanced cryptography technologies. In this case, I use Ed25519 public-key signature system. The -C
allows you to provide a comment, put what you want.
Configure this key pair to work with you Raspberry Pi
Add the followng snippet into ~/.ssh/config
.
Host ras-001
PubkeyAuthentication yes
Hostname 192.168.0.17
User <username>
Port 22
IdentityFile ~/.ssh/ras-001
Copy the public key to the Raspberry Pi
ssh-copy-id -i ~/.ssh/ras-001.pub 192.168.0.17
<username's account password>
Connect with the SSH key pair
ssh ras-001
<passphrase>
Restart the SSH daemon
sudo systemctl restart sshd
Now, the authentication via password is not possible anymore and also, you can’t connect via root user through SSH.
Miscellaneous
Update EEPROM
The Raspberry Pi 4 has an SPI-attached EEPROM (4MBits/512KB), which contains code to boot up the system and replaces bootcode.bin
previously found in the boot partition of the SD card. Note that if a bootcode.bin
is present in the boot partition of the SD card in a Pi 4, it is ignored.
The easiest way to to update the bootloader to the latest version with default settings is to use the rpi-eeprom
package.
yay -S rpi-eeprom
Check if an update is available
sudo rpi-eeprom-update
BCM2711 detected
Dedicated VL805 EEPROM detected
*** UPDATE AVAILABLE ***
BOOTLOADER: update available
CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110)
LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
LATEST: 000137ad
An update is available.
Update the EEPROM
sudo rpi-eeprom-update -a
BCM2711 detected
Dedicated VL805 EEPROM detected
BOOTFS /boot
*** INSTALLING EEPROM UPDATES ***
BOOTLOADER: update available
CURRENT: Tue Sep 10 10:41:50 UTC 2019 (1568112110)
LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
LATEST: 000137ad
BOOTFS /boot
EEPROM updates pending. Please reboot to apply the update.
As mentioned, a reboot is required to apply the changes. Once restarted, we can check that it has been updated correctly.
sudo rpi-eeprom-update
BCM2711 detected
Dedicated VL805 EEPROM detected
BOOTLOADER: up-to-date
CURRENT: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
LATEST: Thu Apr 16 17:11:26 UTC 2020 (1587057086)
FW DIR: /lib/firmware/raspberrypi/bootloader/critical
VL805: up-to-date
CURRENT: 000137ad
LATEST: 000137ad
Your Raspberry Pi has now Arch Linux ARM freshly installed and everything is up to date!