Full Version: Customised (encrypted) eMMC installation using Anarsoul's ArchLinux
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
ArchLinux ARM is a very flexible base for a highly customised Linux experience on the Pinebook.

As I personally had some requirements towards my Pinebook that were not covered by any provided image, I decided to use Anarsoul's great ArchLinux image as a base for a custom ArchLinux installation. This process is very simple if you have already have experience with installing ArchLinux on a x64 system - it does not differ much from the normal way how ArchLinux is installed. The short todo list is

  1. flash Anarsoul's ArchLinux image to an SD card and boot it,
  2. connect to your local WiFi,
  3. install the arch-install-scripts package and
  4. follow the normal ArchLinux installation instructions, carefully merging them with what
  5. Anarsoul's shell scripts for creating the SD card image do.
Doing that yourself is the best way to get a real customised installation on your eMMC in the Pinebook, but as I know that many people will refrain from reading through lenghty manuals and prefer mindless copying of commands into shell*, I'll share the steps here that I used to install ArchLinux ARM into an encrypted LVM on my Pinebook. Just do me a favour and if you encounter any problems, try to understand any error messages or symptoms that you get before asking anyone for support; in addition to the great flexibility & simplicity of ArchLinux, learning how everything works under the hood is one of the great advantages of the ArchLinux installation process & of using ArchLinux, don't throw that opportunity away.


Still here? Let's go Smile . These steps will lead to an encrypted installation on your eMMC card (that was my usecase because I tend to forget hardware in trains, buses and so on).

1. Flash Anarsoul's ArchLinux image to an SD card and boot it. It's available via the official PineBook installer utility, but the last time I checked the version available via the PineBook installer utility was out of date.

2. Boot it & log-in.

3. Fire up a terminal.

4. Get a root shell (using sudo for everything is possible, too).

$ su

5. Connect to your wifi (either via the NetworkManager gui or from within the terminal using wifi-menu).

6. Install arch-install-scripts. Updating everything else on the SD card while we're here doesn't hurt, either.

# pacman -Syu arch-install-scripts

7. Make sure you take the right device for partioning. The SD card should normally be mmcblk1, the eMMC should normally be mmcblk2.

# lsblk

8. Start partioning. The following commands come basically directly from Anarsoul's scripts. You can adapt sizes, types & everything here if you want to. If step 7 lead to a different result than /dev/mmcblk2, adapt the command below.

fdisk /dev/mmcblk2

9. Create a new empty partition table.

Command (m for help): o

10. Create a boot partition. This partition should start at position 40960 and have a size of (at least) 100M. As I have 64GB eMMC, I like to be more generous and use 1GB.


11. Change the type of the partition to "W95 FAT32 (LBA)".


12. Create the main partition that we'll use for the encryption. I use all remaiming space for mine, so this step is easier. This partition should start were the previous partition ends; you can find out that position by either calculating it (starting position of the previous partition plus two-times its size) or by looking it up (use p to print the current partion layout).


13. Give it type 83 ("Linux").


14. Anarsoul sets a boot flag on one of his partitions, but it was not necessary on my Pinebook. Simply write the changes to disk.


15. Let's create the FAT32 file system on our boot partition. Check with lsblk beforehand what device names/parition names to use.

# mkfs.fat -n ARCHBOOT -F 32 /dev/mmcblk2p1

16. Let's create the encrypted partition.

# cryptsetup luksFormat /dev/mmcblk2p2

17. Mount it with the password that you created in step 16.

# cryptsetup luksOpen /dev/mmcblk2p2 archcrypt

18. Create an LVM in it. I actually use quite a large swap partition, but as I said, my eMMC is large enough. The previous version contained a typo; the command should be pvcreate.

# pvcreate /dev/mapper/archcrypt
# vgcreate archlvm /dev/mapper/archcrypt
# lvcreate -L 4G archlvm -n swap
# lvcreate -l 100%FREE archlvm -n root

19. Create the swap.

# mkswap -L archswap /dev/archlvm/swap

20. Create whatever filesystem you want for your root partition.

# mkfs.ext4 -L archroot /dev/archlvm/root

21. Mount root to /mnt, boot to /mnt/boot.

# mount /dev/archlvm/root /mnt
# mkdir /mnt/boot
# mount /dev/mmcblk2p1 /mnt/boot

22. Install (at least) the base system. Add the packages from Anarsoul's scripts here. You can already add a desktop environment and other stuff here if you want to. The Arch Wiki's advice for most DEs works flawlessly on ARM, too. Incomplete list of DEs (using only a window manager might be a nice idea on the Pinebook): KDE LXDE LXQt Xfce

pacstrap /mnt base base-devel dosfstools curl xz iw rfkill netctl dialog wpa_supplicant alsa-utils pv linux-pine64 linux-pine64-headers networkmanager \
dkms-rtl8723cs uboot-pine64-git rtl8723bt-firmware uboot-tools

23. Generate the fstab for the new system.

# genfstab -U /mnt >> /mnt/etc/fstab

24. Switch to the new system.

# arch-chroot /mnt

25. Set your timezone.

# ln -sf /usr/share/zoneinfo/<Continent>/<City> /etc/localtime

26. Generate your locale. Edit /etc/locale.gen and uncomment all the locales you want to use. After that, generate them.

# locale-gen

27. Set one of the languages you just generated in /etc/locale.conf. Here's an example.


28. If you want a special keyboard layout, that it in /etc/vconsole.conf. Here's an example.


29. Set a hostname for the computer in /etc/hostname. Here's an example.


28. Set a password for root.

# passwd

29. Add Anarsoul's repository to /etc/pacman.conf.

SigLevel = Never
Server =

30. Now for the fun part: Getting this thingie to boot from our encrypted partition! First we'll need some additional hooks in the initial kernel. So edit /etc/mkinitcpio.conf, look for the HOOKS line and add some hooks (for keymap support, for encryption support, for lvm support). The order is important.

HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

31. Generate the new image.

# mkinitcpio -p linux-pine64

32. Modify /boot/boot.txt. We need to set kernel options for the cryptdevice. I also set one for the resume even though that is currently not working, but may work in the future. We need to modify the line with setenv bootargs in it. Personally, I use the UUID for the partition, but that's harder to write. Use blkid to find out the UUID of the encrypted partition and then use cryptdevice=UUID=... if you want that. Here's an non-UUID example:

setenv bootargs console=${console} console=tty0 cryptdevice=/dev/mmcblk2p2:archcrypt root=/dev/archlvm/root resume=/dev/archlvm/swap rw rootwait quiet

In the same file, adapt all the paths in the big if-fi block so that they point directly at e.g. /Image.gz as the parition will be mounted by u-boot without the prepending /boot/.

33. Compile the file.

# cd /boot
# ./mkscr

34. Leave the chroot.

# exit

35. Do the finetuning from Anarsoul's scripts. The last two lines only work if you already installed a desktop environment during step 22.

# cp /var/lib/alsa/asound.state /mnt/var/lib/alsa
# cp /etc/sysctl.d/sysrq.conf /mnt/etc/sysctl.d/
# cp /etc/polkit-1/rules.d/81-blueman.rules /mnt/etc/polkit-1/rules.d/

# cp /etc/X11/xorg.conf.d/modesetting.conf /mnt/etc/X11/xorg.conf.d/
# cp /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache /mnt/usr/lib/gdk-pixbuf-2.0/2.10.0/

36. Write uboot to the beginning of the eMMC.

# dd if=/mnt/boot/u-boot-sunxi-with-spl-pinebook.bin of=/dev/mmcblk2 bs=8k seek=1

37. Reboot without the SD card.

37. Enter your encryption password to boot.

38. Log in as root, add a normal user, configure your wifi with wifi-menu and install whatever DE you want.

I hope I didn't forget something. Please report any typos or missing steps. Thank you!

Thanks to e-minguez for pointing out errors and typos!

* I'm one of these many people myself often enough.
A couple of things:
  • When creating the second partition, you shouldn't accept the defaults as it tries to use the first unused sector which is the 2048 one. Instead, you should use the last used sector+1
Command (m for help): n
Partition type
  p   primary (1 primary, 0 extended, 3 free)
  e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2):
First sector (2048-30535679, default 2048):
  • There is a typo in 'pgcreate' (it should be 'pvcreate' instead)
  • genfstab instead gen-fstab
  • 'resume=/dev...' instead 'resume/dev'
  • It would be nice to have a full /boot/boot.txt example such as:
part uuid ${devtype} ${devnum}:${distro_bootpart} uuid
setenv bootargs console=${console} console=tty0 cryptdevice=851f5a25-a354-4f0d-bb9c-3556e083c1ab:archcrypt root=/dev/a
rchlvm/root resume=/dev/archlvm/swap rw rootwait quiet
setenv kernel_addr_z 0x44080000

if load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_z} /Image.gz; then
 unzip ${kernel_addr_z} ${kernel_addr_r}
 if load ${devtype} ${devnum}:${distro_bootpart} ${fdt_addr_r} /dtbs/${fdtfile}; then
   if load ${devtype} ${devnum}:${distro_bootpart} ${ramdisk_addr_r} /initramfs-linux.img; then
     booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
     booti ${kernel_addr_r} - ${fdt_addr_r};
  • The /etc/X11/xorg.conf.d/modesetting.conf  and /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache cannot be copied as there is no x/gdk stuff installed
Thank you for pointing this out!

I was on a business trip, but now I corrected those steps. Does that mean you tried it and it worked for you?

I think I should actually add adding the user to the tutorial as I fear inexperienced users might end up with a desktop environment on a system with only a root user available.
(02-25-2019, 03:31 AM)Blutkoete Wrote: [ -> ]Thank you for pointing this out!

I was on a business trip, but now I corrected those steps. Does that mean you tried it and it worked for you?

I think I should actually add adding the user to the tutorial as I fear inexperienced users might end up with a desktop environment on a system with only a root user available.

Thank you for creating the howto!

More suggestions:
  • gen-fstab is still not fixed (it is genfstab)
  • It would be nice to have a full /boot/boot.txt example
  • 'resume=/dev...' instead 'resume/dev' is still not fixed
  • I agree on your idea of creating a user
useradd -m -G network,video,audio,optical,storage,input,scanner,games,lp,rfkill <YOURUSER>
I have my system in a 'bootable' state, no X so far, but it boots Smile

Thanks again!
From my point of view, getting the system to boot up correctly from a encrypted eMMC is the hard part  Smile .

I corrected the resume kernel arg and genfstab.

Your suggestions are good. I hope I find the time this weekend to completely overhaul the guide, maybe including adding a part on how to get at least one desktop environment running. And I'll happy try the linked WiFi fix - I assumed until now that the connection drops are something I have to live with, but it looks as if there is a fix already available!

I'm glad someone is using this how-to to get an encrypted system running. I'm actually very happy with my Pinebook since it's running ArchLinux on encrypted eMMC.

P.S.: If you encounter problems getting a desktop environment running, you can use exactly the command line from Anarsoul's build scripts to set up XFCE the way he set it up, including enabling the login manager (see the link on top of the how-to to get to Anarsoul's Github repository).
Arch with encryption + xfce running properly \o/

Just a minor detail... swap partition is not added to the /etc/fstab with genfstab as it is not mounted during the setup. I've added it as:

echo "$(blkid /dev/mapper/archlvm-swap --output=export | grep UUID) swap swap 0 0" >> /etc/fstab
Also, I've created a couple of PRs to anarsoul's repo to:

Another tip:

* To disable bluetooth automatically enabled at boot, you can:

gsettings set org.blueman.plugins.powermanager auto-power-on false