The Ultimate Arch + Secureboot guide for Ryzen AI Max (ft. HP G1A 128gb 8060S monster laptop)

On NixOS I use Lanzaboote from GitHub - nix-community/lanzaboote: Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur].

You need to enable boot.bootspec and maybe unintuitively set boot.loader.systemd-boot to false (it still uses systemd-boot under the hood).

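    boot = {
      # Lanzaboote needs the bootspec document for each generation.
      bootspec = {
        enable = true;
      };
      loader = {
        # Lanzaboote takes over from the stock systemd-boot module
        # (it still installs systemd-boot under the hood).
        systemd-boot = {
          enable = lib.mkForce false;
        };
        efi = {
          canTouchEfiVariables = true;
        };
      };
      lanzaboote = {
        enable = true;
        # Directory holding the Secure Boot keys used for signing.
        pkiBundle = "/etc/secureboot";
      };
    };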

It automatically signs all kernel and EFI stub entries (not the initrd images). Running systemd-cryptenroll to add a TPM2 slot to your LUKS devices also works out of the box.

Finally got it (16 core, 128 GB) and installed EndeavourOS with i3. First impression is that the thing is tiny, it replaces an older Lenovo L14 (14 inch) and I have an even older x270 (12 inch) at home and the G1a is much closer to the x270 in size.

Here are some observations, I hope they will help others:

  • Love the keyboard, the L14 has the best Laptop keyboard I have ever used, the G1a is a bit different but comes very close.
  • Applications tended to freeze, especially if something graphically demanding was running. To get them unstuck, I had to switch window focus or even Ctrl-Alt-F2 into a different tty. I solved it by using picom as a compositor. Yesterday I had to turn picom off to make it work again. Not sure what the problem here is, I guess it must be something related to the GPU driver. Also, Calamares got stuck a couple of times before finishing the install, I suspect, this is the same issue.
  • Webcam not working on current linux-mainline (6.16-RC2), I hope this gets fixed soon.
  • use sbctl sign --save /boot/vmlinuz-linux to enable automatic signing of kernels after updates, --save adds the file to the auto sign database of sbctl. Do this for all installed kernels!
  • rocm from the repository already sees the GPU. Tried some pytorch today but there are no kernels for operations for the GPU.
  • ollama doesn’t know about GTT yet, haven’t had time to increase GPU memory.

I have noticed that kernel version is very tied to this kind of behavior. Care is not generally taken in most distros, it seems, to sync linux-firmware and the functionality from the firmware the kernel expects. Been using 6.15.1-4-cachyos on arch proper, and it’s been slightly more unstable than 6.14.9 – 6.15 from arch was more unstable than 6.14 as well, so maybe some type of regression.

the docker images for “theRock” are the least effort/most serviceable path to pytorch with graphics1151 atm. If you want to DIY it there is a path I’ve been working on, but it isn’t much fun.

some more news:

  • linux-mainline 6.16-RC3 boots but just shows a black screen instead of the display manager. I also cannot even go into a different tty and logs don’t really show anything obvious.
  • lmstudio from aur worked out of the box with manually setting vram, ollama-rocm did not.
  • I have looked into TheRock and couldn’t find a ready to go docker image, so I created one [1]. It does not work out of the box yet and I couldn’t test any large models because my internet at home is very slow. I could increase speed of qwen3:0.6b from 140 t/s on CPU to >200 t/s for short prompts, I guess this will be much better on larger models.

[1] not allowed to post links, you can find the repo on Github under GitHub - gdkrmr/ollama-rocm-docker-gfx1151: Use Ollama with ROCM on Ryzen AI Max

Did you have any luck running ROCm on the Strix Halo 980M? I am specifically asking because there are threads about these having two different IDs 1151 and 1150 as far as I remember and the 1150 being the one for example in the Framework 13 (HX 370) not being supported?

There are TheRock nightly builds for gfx1151 but taking a look, there don’t appear to be ones for gfx1150, so you’d probably have to build your own: Releases · ROCm/TheRock · GitHub

I believe all Strix Halo are gfx1151 and Strix Point are gfx1150 but I haven’t been paying that close attention to it so don’t quote me… User Guide for AMDGPU Backend — LLVM 21.0.0git documentation

I found the kernel option for increasing GTT is the one below; I don’t think this can be adjusted at runtime. (96GB)

amdgpu.gttsize=98304

for ROCM if you don’t want to build theRock, I think we are waiting on

I also used keyd to rebind the copilot key to ctrl

[ids]
*
[main]
f23 = oneshot(control)
[control]
toggle(control)

because the copilot key doesn’t hold i don’t see a way to hold the ctrl key.

Results are in using llama 3.3 70B. I have dedicated 96GB VRAM in Bios.

  • LMStudio gets 4.8 t/s and I was able to set context window to full 128k when enabling flash attention (without, it crashes the X session).
  • Ollama from my docker container crashed my desktop until I lowered context window size to 80k with flash attention. I got 4.11 t/s. Every window starts to get graphical glitches that persist, even after unloading the model. The process does not appear in the nvtop process list but GPU utilization is shown correctly.

@wendell how are the speakers compared to windows? I’ve heard windows uses digital signal processing to make the speakers sound better while on linux you have to do this manually via easyeffects if using pipewire.

Hey, I am following the guide as a relatively new Arch user, having previously used archinstall and not a “manual” install. Here are some “issues”, which are not really issues but probably stuff that the more seasoned arch users know is implied, but noobs like me did not know.

First issue arose after the command for generating the fstab:

genfstab -U /mnt >> /mnt/etc/fstab

The swap partition did not appear until after running:

swapon /dev/nvme0n1p3

And even then, it was a bit different from the guide where it was listed as:

UUID=SWAP_UUID   swap           swap   defaults                    0 0

for me it was listed as none instead of swap.

UUID=SWAP_UUID   none           swap   defaults                    0 0

using blkid seemed to report everything was fine.

Next issue was with running: sudo snapper -c root create-config /
Where the result was something along the lines of Failure: org.freedesktop.DBus.Error.ServiceUnknown

but I skipped ahead since it was related to snapshots.

Now I had issues with GRUB and the Secure Boot keys. After manually running pacman -S grub efibootmgr for GRUB and manually creating the /boot/grub/grub.cfg file, I had issues with signing the EFI files.
/boot/EFI/GRUB/grubx64.efi worked, but sbctl sign /boot/EFI/BOOT/BOOTX64.EFI said that no such file exists. I attempted to fix it by manually copying the files:

mkdir -p /boot/EFI/BOOT
cp /boot/EFI/GRUB/grubx64.efi /boot/EFI/BOOT/BOOTX64.EFI

but after running sbctl verify there were a lot of unverified files (full screens worth):

tried powering through, and the next command was also problematic, but apparently it is a typo:
sbctl sign /boot/vmlinux-linux -> sbctl sign /boot/vmlinuz-linux

Not sure if this /boot/EFI/BOOT/BOOTX64.EFI issue will cause problems later, but I was able to boot into the system after the reboot and the Secure Boot is enabled in the bios.
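As an added example (not part of the post above, and not sbctl's own code): a small Python check that reports whether an EFI binary such as the copied /boot/EFI/BOOT/BOOTX64.EFI or a kernel image carries an embedded Authenticode signature at all, by reading the PE certificate table. It only detects the presence of a signature, not whether it chains to your enrolled keys, so `sbctl verify` stays authoritative; the sample images are constructed minimal headers and `build_sample` is a hypothetical helper.

```python
import struct
import sys

SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def pe_signature_count(image: bytes) -> int:
    """Count embedded Authenticode signatures; ValueError if not a sane PE image."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24                    # PE magic (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", image, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]            # PE32 / PE32+
        (ndirs,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes
        if ndirs <= SECURITY_DIR:
            return 0
        # For this directory the "address" field is a plain file offset.
        off, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
        if off + size > len(image):
            raise ValueError("certificate table points outside the file")
        count, pos, end = 0, off, off + size
        while pos + 8 <= end:                # walk the WIN_CERTIFICATE entries
            length, _rev, ctype = struct.unpack_from("<IHH", image, pos)
            if length < 8 or pos + length > end:
                raise ValueError("malformed WIN_CERTIFICATE entry")
            count += int(ctype == PKCS_SIGNED_DATA)
            pos += (length + 7) & ~7         # entries are 8-byte aligned
        return count
    except (struct.error, KeyError) as exc:
        raise ValueError(f"truncated or unsupported PE image ({exc!r})") from None

def build_sample(signed: bool) -> bytes:
    """Constructed PE32+ header (not bootable), optionally with a dummy certificate entry."""
    opt = bytearray(240)                     # 112 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8) if signed else b""
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 328 if signed else 0, len(cert))
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
    return head + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22) + bytes(opt) + cert

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. /boot/EFI/BOOT/BOOTX64.EFI
        with open(path, "rb") as fh:
            print(path, "embedded signatures:", pe_signature_count(fh.read()))
```

A count of 0 for a file that the firmware is expected to load under Secure Boot means it still needs `sbctl sign`.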

If you use FDE cryptenroll can be configured to block automatic decrypting if the initramfs or additional files are not signed.

https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptenroll.html#TPM2%20PCRs%20and%20policies

Is GRUB still popular? I’ve been using systemd-boot for a few years without any issue.

Oh right, when I tried to run:
pacstrap -K /mnt base linux linux-firmware systemd-boot networkmanager vim snapper linux-firmware mokutil

i had an error saying Target not found: systemd-boot, so I replaced it with systemd

This might be of interest plus some examples on how to automatically sign the boot files: systemd-boot - ArchWiki
