Our goal:
- UEFI Arch installation on an encrypted volume, with /boot encrypted as well
- enable and use Secure Boot with our own keys on a laptop
- do post-installation hardening
- installation steps for GNOME without unneeded software
Installation
Another guide to consider is https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/. There you can find specifics about btrfs and Yoga 920 installation.
Secure Boot
You can start reading about Secure Boot on the wiki - https://wiki.archlinux.org/index.php/Secure_Boot. If you really want to understand what is going on in the system, I highly recommend going through this article https://bentley.link/secureboot/ and creating everything manually. For automation, however, you can use a tool from GitHub (https://github.com/xmikos/cryptboot), which is described in the "Secure Boot" section of the second installation guide, the one for the Yoga. After finishing, you can check whether Secure Boot is active with this command: od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. To get the right value for the XX placeholders, just use tab completion. The last number in the output should be 1.
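The check above, as an added shell example (not part of the original post or of cryptboot): it finds the SecureBoot variable by glob instead of tab completion, skips the 4-byte attribute header that efivarfs puts in front of the data, and also reads SetupMode, which stays at 1 until a Platform Key is enrolled. The function names and the state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the Secure Boot state from efivarfs.
# An efivarfs file holds 4 attribute bytes followed by the variable's data,
# so for SecureBoot and SetupMode the fifth byte is the value (0 or 1).

# Print the data byte of the first readable variable matching NAME-* in DIR.
efivar_byte() {
    dir=$1
    name=$2
    for f in "$dir/$name"-*; do
        [ -r "$f" ] || continue
        # Same od call as in the text; field 5 is the byte after the header.
        v=$(od -An -t u1 "$f" | awk 'NR == 1 { print $5 }')
        [ -n "$v" ] || return 1
        echo "$v"
        return 0
    done
    return 1
}

# Classify the state. DIR defaults to the real efivarfs mount point;
# passing another directory is only meant for testing with sample files.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo "no-efivars"; return 0; }   # legacy BIOS boot or efivarfs not mounted
    sb=$(efivar_byte "$dir" SecureBoot) || { echo "unknown"; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo "setup-mode"    # no Platform Key enrolled, signatures are not enforced
    elif [ "$sb" = 1 ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

secure_boot_state "$@"
```

After enrolling your own keys, the expected result is "enabled"; "setup-mode" means the firmware still has no Platform Key and will boot unsigned binaries.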
Post installation hardening
After the installation finished, I went through hardening. I advise going through the wiki page - https://wiki.archlinux.org/index.php/Security. When I read about kernel hardening, I decided to install the linux-hardened package, using this guide - https://thacoon.gitlab.io/articles/2017-07/arch-linux-hardened-kernel.html. It broke the system for me, as there was no kernel module for FAT to proceed with boot. I found that I was not alone with my problems - https://flameeyes.blog/2011/09/12/hardened-and-efi-aren-t-buddies/. For now I am just waiting for new releases. After all the hardening I used a tool called Lynis for an audit (https://cisofy.com/lynis/). I found this sufficient to have a better level of security.
Post installation tips
Well, now you can install anything you want on your new system. A pretty good list can be found in the official wiki - https://wiki.archlinux.org/index.php/list_of_applications. For decent terminal fonts I used this package - https://www.archlinux.org/packages/community/any/awesome-terminal-fonts/.
As a desktop environment I prefer GNOME, but I don't like the loads of software that get installed together with it. I found this conversation on Reddit helpful, especially the comment about which name stands for which software - https://www.reddit.com/r/archlinux/comments/3q98sf/gnome_without_the_bloat_what_is_neccesary/cwd8rj8/?st=jg194hew&sh=c96834de