The situation did improve in the last few years thanks to ARM and MIPS proliferation, but mostly in the mobile/embedded world. For a long time there was no desktop mainboard on the market that would meet my needs: non-x86, but functionally close to an x86 PC board, capable of driving a home PC as I wanted it.

MACCHIATObin cuts it: mini ITX (so I can put it in a regular PC case), ARMv8 quad-core 1.6 GHz on the Single Shot version I have (actually I even down-clocked it to 1.3 GHz), 3 SATA connectors (so I can have it with my 2 RAID1 HDDs and an optical drive), a regular PC-like memory slot (DDR4 DIMM up to 16 GB RAM; 4 GB was enough for me), an on-board LAN connector (plus 3 SFPs; superfluous for me), a USB 3.0 connector and a USB 2.0 header (attach it to USB connectors with a cable worth 2 dollars), a micro SD card slot, an ATX power connector (it went fine with my spare Streacom Nano150 PSU and a 12V power supply; one could use the power brick alone, as the board has a 12V DC input jack, too). The internal eMMC storage can be used as a low-grade SSD counterpart. 8 GB might be too little e.g. for GNOME or KDE, but it will do for my headless Linux setup. The board has a PCIe 3.0 x4 slot if you want it with a graphics card for a full PC box experience. There are also a couple of interfaces for hardware tinkerers, including the micro USB port, which I'll use for console terminal access during the installation.

My intention is to follow the standard Arch Linux installation process as far as the Arch Linux ARM specialties allow, encrypt the eMMC using dm-crypt with LUKS and use a btrfs filesystem with on-the-fly compression to utilize the somewhat smallish eMMC capacity to its max. All with deviations from Arch Linux standards reduced to a minimum, to provide for possibly painless system upgrades and maintenance.

Boot partition is left unencrypted, as per U-Boot requirements. However, if I get the information on their forum and mailing list right, it might be possible to have UEFI + GRUB on MACCHIATObin boards, thus an encrypted boot partition as well.


Step-by-step:


1. Proceed as per Arch Linux ARM instructions to create a micro SD card you'll boot the mainboard off. Before booting the board connect your other computer to MACCHIATObin's micro USB port, and run screen -h 99999 /dev/ttyUSB0 115200 on your computer's terminal to monitor the boot process, for an emergency access in case there's some issue with SSH, and to be able to enter your dm-crypt passphrase during eMMC boot in the end.


2. Once you connect to MACCHIATObin with SSH or the serial terminal, proceed with the Arch Linux installation guide:

  • "Set the keyboard layout" - as is.
  • "Update the system clock" - as is.
  • "Partition the disks".
    • Create 2 partitions.
      • fdisk /dev/mmcblk0
      • Type "g" to create a new empty GPT partition table.
      • Type "n" to add a 256M partition starting at sector 8192. We'll use it for /boot mount. U-Boot binary will be flashed to sectors below 8192.
      • Type "n" again and create a second partition using the remaining free eMMC space. We'll use it for root filesystem.
    • Prepare the root partition.
      • Wipe it.
        • cryptsetup open --type plain -d /dev/urandom /dev/mmcblk0p2 to_be_wiped
        • dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M (takes around 5 minutes)
        • cryptsetup close to_be_wiped
      • Encrypt it. Change --key-size, --hash, --iter-time to your liking.
        • cryptsetup --verbose --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2500 --use-random --verify-passphrase luksFormat /dev/mmcblk0p2
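      • Open it. --allow-discards enables SSD TRIM support on the LUKS container; --persistent stores that flag in the LUKS2 header, so it doesn't have to be passed each time the container is opened in the future. This requires --type luks2 at LUKS container creation time. Please mind the security implications: with TRIM passed through, the pattern of unused blocks is visible on the underlying device.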
        • cryptsetup open --allow-discards --persistent /dev/mmcblk0p2 root-cr
  • "Format the partitions". FS labels are optional; I just like using them.
    • mkfs.ext4 -L boot-fs /dev/mmcblk0p1
    • pacman -Sy btrfs-progs
    • mkfs.btrfs -L root-fs /dev/mapper/root-cr
  • "Mount the file systems".
    • mount --options relatime,compress-force=lzo,ssd,discard,space_cache /dev/mapper/root-cr /mnt
    • mkdir /mnt/boot
    • mount --options relatime,discard /dev/mmcblk0p1 /mnt/boot
  • Skip "Select the mirrors". The default http://mirror.archlinuxarm.org provides a Geo-IP based mirror selection and load balancing.
  • Install the installation scripts.
    • pacman -Sy arch-install-scripts
  • "Install the base packages". Mind that the kernel package needs to be listed explicitly; it won't be installed automatically as part of a group (unlike on an x86_64 box). I also add a couple more packages which will come in handy or be required sooner or later.
    • pacstrap /mnt base linux-aarch64 btrfs-progs sudo pacman-contrib arch-install-scripts bash-completion rsync mlocate vim
  • "Configure the system" / "Fstab" - as is.
  • "Configure the system" / "Chroot" - as is.
  • "Configure the system" / "Time zone" - as is.
  • "Configure the system" / "Localization" - as is.
  • "Configure the system" / "Network configuration" - as is. I'm using networkmanager.
  • "Configure the system" / "Initramfs" - as is. Make sure you've included /usr/bin/btrfs in BINARIES and encrypt in HOOKS. And substitute linux-aarch64 for linux in mkinitcpio -p.
  • "Configure the system" / "Root password" - as is.
  • "Configure the system" / "Boot loader".
    • Install U-Boot packages. You can answer "no" to "U-Boot version needs to be flashed onto /dev/mmcblk1. Do you want to do this now?".
      • pacman -Sy uboot-macchiatobin uboot-tools
    • Install U-Boot on eMMC.
      • dd if=/boot/flash-image.bin of=/dev/mmcblk0 seek=4096 conv=fdatasync,notrunc
    • Set up U-boot.
      • cd /boot
      • Copy boot.txt aside: cp -a boot.txt boot.txt.bck
      • Find out the UUIDs of the LUKS container and the root filesystem: lsblk --fs | grep -A1 mmcblk0p2
      • Use those UUIDs in /boot/boot.txt's bootargs and cryptdevice sections, as per the encrypt hook instructions. E.g.:
      • [root@alarm boot]# diff boot.txt.bck boot.txt
        5c5
        < setenv bootargs "console=ttyS0,115200 root=PARTUUID=${uuid} rw rootwait earlycon"
        ---
        > setenv bootargs "console=ttyS0,115200 root=UUID=9ca7c962-94db-4b9a-a2c7-95d4f8732ba1 rw cryptdevice=UUID=536a77e7-8cd8-477b-8418-4d522365bc40:root-cr rootwait earlycon"
      • Generate image for U-Boot: ./mkscr.
      • Create a symlink, so that boot.scr is able to find files where it expects them, during boot: ln -s . boot
  • Quit the chroot shell, umount /mnt/boot, umount /mnt, cryptsetup close root-cr, poweroff, turn power off.

3. Final act:
  • Eject the SD card, or the board will insist on booting from the card rather than eMMC, even though you've set the jumpers as needed (a bug?).
  • Run screen -h 99999 /dev/ttyUSB0 115200 on the terminal of your other computer, while it's connected to MACCHIATObin's micro USB port. You will enter your dm-crypt passphrase here.
  • Power the board on. If all went fine, in a few seconds you'll be prompted for the dm-crypt passphrase - something like:
  • [    4.855130] Run /init as init process
    :: running early hook [udev]
    Starting version 242.29-1-arch
    :: running hook [udev]
    :: Triggering uevents...
    :: running hook [encrypt]
    A password is required to access the root-cr volume:
    Enter passphrase for /dev/mmcblk0p2:
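
The boot.txt edit from step 2 is the easiest place to go wrong, because the two UUIDs are easy to swap. The script below is an added example, not part of the original post: it picks each UUID by device name and filesystem type and rewrites the stock bootargs line. The function names and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. On the board, feed it:
#   lsblk -rno NAME,FSTYPE,UUID /dev/mmcblk0   and   /boot/boot.txt

# Print the UUID of device $1, but only if its FSTYPE is $2 (lsblk rows on stdin).
uuid_of() {
    awk -v n="$1" -v t="$2" \
        '$1 == n && $2 == t && NF == 3 { print $3; ok = 1 } END { exit !ok }'
}

# Succeed only for a canonical lower-case 8-4-4-4-12 UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Rewrite the stock bootargs line of boot.txt (stdin) for the encrypt hook.
# $1 = LUKS container UUID, $2 = root filesystem UUID, $3 = mapper name.
patch_bootargs() {
    is_uuid "$1" && is_uuid "$2" || { echo "bad UUID" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "LUKS and root UUIDs must differ" >&2; return 1; }
    out=$(sed '/^setenv bootargs /s|root=PARTUUID=[$]{uuid} rw|'"root=UUID=$2 rw cryptdevice=UUID=$1:$3|") || return 1
    # Fail loudly if the stock line was not there to be rewritten.
    printf '%s\n' "$out" | grep -q "cryptdevice=UUID=$1:$3 " || {
        echo "stock bootargs line not found" >&2; return 1; }
    printf '%s\n' "$out"
}

# Constructed sample input; the mmcblk0p2 and root-cr UUIDs are those in the
# post's diff, the mmcblk0p1 UUID is made up.
SAMPLE_LSBLK='mmcblk0p1 ext4 11111111-2222-3333-4444-555555555555
mmcblk0p2 crypto_LUKS 536a77e7-8cd8-477b-8418-4d522365bc40
root-cr btrfs 9ca7c962-94db-4b9a-a2c7-95d4f8732ba1'
SAMPLE_BOOT_TXT='setenv bootargs "console=ttyS0,115200 root=PARTUUID=${uuid} rw rootwait earlycon"'

demo() {
    luks=$(printf '%s\n' "$SAMPLE_LSBLK" | uuid_of mmcblk0p2 crypto_LUKS) || return 1
    fs=$(printf '%s\n' "$SAMPLE_LSBLK" | uuid_of root-cr btrfs) || return 1
    printf '%s\n' "$SAMPLE_BOOT_TXT" | patch_bootargs "$luks" "$fs" root-cr
}
demo
```

If uuid_of fails, the named device does not hold the expected filesystem type, which is the check that catches a swapped cryptdevice= and root= pair before ./mkscr is run.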

And there we have it. Now follow the Arch Linux general and security recommendations, and enjoy your Intel-free PC box!