Giter Club home page Giter Club logo

arch-secure-boot's Introduction

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery

Highly opinionated setup that provides minimal Secure Boot for Arch Linux, and a few recovery tools.

Bootloaders (such as GRUB or systemd-boot) are intentionally not supported, as they significantly increase the amount of code that runs during boot, therefore increasing the attack surface.

Motivation

There are two key goals that motivated this project:

  1. Achieve encrypted /boot without using GRUB (it is possible, contrary to popular belief)
  2. Minimize amount of code that runs during boot (less code means less vulnerabilities to guard against)

Here's how it works:

  1. Remove built-in Secure Boot keys, generate your own keys, leave private key on encrypted disk and register public key in BIOS

  2. Keep /boot on encrypted disk, and mount unencrypted ESP FAT32 partition to /efi.

  3. Generate a new .efi file that you will register in BIOS as boot target (i.e. instead of grub.efi), which consists of:

    • CPU microcode (ucode.img)
    • initramfs
    • vmlinuz
    • hardcoded kernel cmdline (that specifies exact kernel arguments to boot, including root btrfs subvolume)

    All of the above components are taken from the encrypted /boot, so cannot be tampered with while the computer is turned off.

  4. Sign this .efi file with your own Secure Boot key and put this one file into unencrypted /efi.

  5. Configure in your BIOS that this is the boot target (instead of e.g. GRUB)

Now evil-maid attack is not possible, because the only unencrypted file is your signed .efi file, and if it is being tampered with, Secure Boot will refuse to load it.

Because cmdline is hardcoded in the image, Secure Boot also guarantees that you or attackers cannot just change it (e.g. to boot in an old subvolume).

In addition, because there is less steps in the process, and especially because you aren't decrypting your disk twice (like it is the case with GRUB), the boot is so much faster!

This project automates everything above, and adds a few other integrations that I personally use:

  • pacman hooks (similar to snap-pac-grub, so I can enable the tool and forget about it)
  • integration with fwupd
  • custom EFI shell (because at least Dell's built-in implementation was quite buggy at the time of creating the project)
  • a simple script that provides UI for selecting snapshot to boot into (inspired by grub-btrfs)

Installation

The package is available on AUR: arch-secure-boot

Configuration

See the available configuration options in the top of the script.

Add your overrides to /etc/arch-secure-boot/config.

Most notably, set KERNEL=linux-hardened if you use hardened Linux.

Initial setup

  • BIOS: Set admin password, disable Secure Boot, delete all Secure Boot keys
  • Run arch-secure-boot initial-setup command, which:
    • Generates and enrolls keys
    • Generates EFI images and adds the main one to UEFI (it's important, only the main one!)
  • BIOS: Enable Secure Boot

Recovery concept

When the system fails to boot, it is commonly caused by one of the two things:

  1. Something is wrong on the system (late boot), which might be resolved by booting in a btrfs snapshot.
  2. Something is wrong with the kernel (early boot), which might be resolved by booting in an LTS kernel.

That is why, in addition to generating the main image (which is added to your UEFI as boot target), this project generates two more .efi files:

  1. One with:

    • initramfs
    • vmlinuz
    • NO microcode (in case it causes boot failures)
    • NO hardcoded cmdline (so that we can later select which subvolume to boot in)

  2. Another just like the above, but with LTS kernel

These two are also signed with Secure Boot keys, but NOT added to UEFI boot targets.

  • Attackers cannot use these .efi files because to boot into it they need to know your BIOS password.
  • Evil maid attack is not possible because this image is signed with Secure Boot keys and at no point in time do we disable Secure Boot.
  • Because cmdline is NOT hardcoded in these recovery images, Secure Boot will let us specify a custom one - one where you specify rootflags=subvol=snapshots/123/snapshot in order to boot into snapshot 123.

In order to avoid typing a custom cmdline by hand, this project provides a simple recovery.nsh script that allows you to select a snapshot to boot into - DO inspect it before launching, as it is stored on unencrypted /efi partition when you need to use it.

Recovery instructions

  • BIOS: use admin password to boot into efi-shell image
  • Inspect recovery script using edit FS0:\recovery.nsh (if FS0 is not your hard disk, try other FSn)
  • Run the script using FS0:\recovery.nsh
  • Once recovered, remove efi-shell entry from UEFI

Commands

  • arch-secure-boot initial-setup runs all the steps below in the proper order
  • arch-secure-boot generate-keys generates new keys for Secure Boot
  • arch-secure-boot enroll-keys adds them to your UEFI
  • arch-secure-boot generate-efi creates several images signed with Secure Boot keys
  • arch-secure-boot add-efi adds UEFI entry for the main Secure Boot image
  • arch-secure-boot generate-snapshots generates a list of btrfs snapshots for recovery

Generated images

  • secure-boot-linux.efi - the main image
    • vmlinuz-linux + initramfs-linux + *-ucode + hardcoded cmdline
  • secure-boot-linux-efi-shell.efi - UEFI shell that is used to boot into a snapshot
    • because built-in UEFI shells are known to be buggy
  • secure-boot-linux-recovery.efi - recovery image that can be a used to boot from snapshot
    • vmlinuz-linux + initramfs-linux-fallback
  • secure-boot-linux-lts-recovery.efi - recovery LTS image that can be used to boot from snapshot
    • vmlinuz-linux-lts + initramfs-linux-lts-fallback

fwupdx64.efi image is also being signed.

Related links:

arch-secure-boot's People

Contributors

cyrinux avatar maximbaz avatar shellcode33 avatar xenrox avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar

Forkers

xenrox max-k cyrinux as400l debnath-d shellcode33 kdevo ely-mayor

arch-secure-boot's Issues

How to add nvidia-drm.modeset=1

Hi, in order for nvidia to work on grub or systemd the wiki tell us to add nvidia-drm.modeset=1:

sudo sed -i 's/\(GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 nvidia-drm.modeset=1"/' /etc/default/grub

is this required/ possible with arch-secure-boot?

Thank you

What's your backup strategy ?

Hey Maxim, for some time now I've been reading a lot about backups. Considering I'm using arch-secure-boot which comes with a snapper dependency, I've been wondering how that could interact with my backup strategy.

Initially, my plan was as follow:

  • Daily incremental backup of my home folder to a remote server (I use restic for that)
  • Weekly full backup of my home folder to a remote server (I do that with tar+gpg because I trust them more than restic)
  • Daily incremental btrfs backup of all my system to an external drive (if it's plugged in)
  • Monthly full system backup to an external drive (by using tar+gpg on a btrfs snapshot, in order to have atomic backups)

I haven't done the last two items yet, I'm not sure I want to trust btrfs for my backups, there are multiple examples on the internet of people having issues with it. However I have to admit that its incremental backup feature using btrfs send | btrfs receive is very appealing.

I'm looking for ideas, what do you do ? Do you use snapper only to boot into a previous state of your system or do you also use btrfs features for your backups ? What's your take on using btrfs as a backup utility ?

PS: sorry for hijacking your issue tracker for something unrelated :-)

Suggestions and thank you !

Hi Maximbaz,

Above all I would like to thank you for this great tool !

I have some suggestions if you would like to make this project more popular. I was thinking about why people don't use secure boot while it's available in every machine sold nowadays. And came to the conclusion that most people are just afraid when they hear "private keys", "public keys" or encryption in general :)
But your tool is good enough to remove thinking about those "scary" things from people minds.
So my proposals are:

  1. Improve documentation. It just does not provide enough information how this tool works. While at the same time you wrote a great post with all of the details. So please attach this information to the readme --> Antynea/grub-btrfs#92 (comment)

  2. Not everobody uses snapper. Personally I have very bad experience with it. So make the tool conditional - with or without snapper.

And getting to the problem that I have personally. I know you might have no idea why it is happening to me but, hey - it's worth asking. When I enter my Lenovo IdeaPad uefi I just don't see any other entries except of linux-secure-boot. And I have no way to choose anything else while at the same time all the images on /efi are created and in place:

root@i5 ~# ll /efi/EFI/arch/
total 107M
-rwxr-xr-x 1 root root 1008K Jul 30 19:50 secure-boot-linux-efi-shell.efi
-rwxr-xr-x 1 root root 39M Jul 30 19:50 secure-boot-linux-recovery-lts.efi
-rwxr-xr-x 1 root root 44M Jul 30 19:50 secure-boot-linux-recovery.efi
-rwxr-xr-x 1 root root 23M Jul 30 19:50 secure-boot-linux.efi

Big thanks for you work once again !
Any ideas ?

Dual boot system with windows

Thanks for creating this resource I am seriously excited to possibly drop a lot of grub cruft I have been dealing with. My one issue that I am wondering if you have experience with is a system that also boots into windows. This style of booting from uefi directly is new to me and I am wondering how this would work. Does the windows side just work by creating its own uefi entry and there is no overlap, or would I have to get the same private key generated from scripts embedded into the windows filesystem somehow?

if you aren’t familiar with this then no worries, just seeing if it’s possible to know about this before diving in.

generate-efi : only sign what has been updated

Currently the pacman hook will re-sign all the EFI binaries if a single one of them is updated.

It would be nice to only sign what has been updated.

alpm-hooks provides a NeedsTargets which according to the man page does the following:

Causes the list of matched trigger targets to be passed to the running hook on stdin.

Currently the hook looks like this :

arch-secure-boot/pacman-hooks/95-arch-secure-boot-generate-efi.hook

Lines 9 to 12 in 928c698

[Action]
Description = Generating signed EFI boot files
When = PostTransaction
Exec = /usr/bin/arch-secure-boot generate-efi

Instead we could do something like this :

Exec = /usr/bin/arch-secure-boot generate-efi --from-stdin

Or maybe just the standard trailing -.

That way generate-efi would be able to sign only the updated EFI image, instead of signing them all.

To consider: an update of *-ucode.img must trigger the recreation of $NAME-unsigned.efi + signing it

Confusing name of LTS image when using hardened kernel

Hey, thanks for this amazing tool ! This is a very small issue, it doesn't have any impact but I thought I would still let you know.

When using a hardened kernel, the recovery EFI image of the LTS kernel will be named secure-boot-linux-hardened-recovery-lts.efi which is a bit confusing because this not a hardened version.

Maybe instead of using $NAME-recovery-lts-unsigned.efi you could hardcode linux-recovery-lts-unsigned.efi ? It would require to change the loop logic though.

arch-secure-boot/arch-secure-boot

Lines 85 to 93 in 4b55a33

objcopy \
--add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
--add-section .linux=/boot/vmlinuz-linux-lts --change-section-vma .linux=0x40000 \
--add-section .initrd=/boot/initramfs-linux-lts-fallback.img --change-section-vma .initrd=0x3000000 \
/usr/lib/systemd/boot/efi/linuxx64.efi.stub "$NAME-recovery-lts-unsigned.efi"
for flavor in '' '-recovery' '-recovery-lts' '-efi-shell'; do
sbsign --key "$KEYSDIR/db.key" --cert "$KEYSDIR/db.crt" --output "${NAME}${flavor}.efi" "${NAME}${flavor}-unsigned.efi"
done

systemd 254-1 makes generate-efi create a corrupt efi

After upgrading to systemd 254 I was unable to boot anymore.

The following lines are new when doing generate-efi:

objcopy: secure-boot-linux-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-unsigned.efi:.cmdline: section below image base
objcopy: secure-boot-linux-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-unsigned.efi:.initrd: section below image base
 objcopy: secure-boot-linux-recovery-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.initrd: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.initrd: section below image base

It has probably to do with /usr/lib/systemd/boot/efi/linuxx64.efi.stub but I do not know what currently. I created this issue as more users are probably going to stumble on this. I just downgraded systemd using pacman -U /var/cache/pacman/pkg/systemd-253.7-1-x86_64.pkg.tar.zst and run generate-efi again

Pacman hook not triggered on kernel update

Hey it's been a while :)

After a kernel upgrade, I'm unable to boot and get the following error:

Nov 01 14:15:38 laptop bootctl[563]: No ESP found, not initializing random seed.
Nov 01 14:15:38 laptop systemd-pcrphase[564]: Extended PCR index 11 with 'sysinit' (banks sha1, sha256).
Nov 01 14:15:40 laptop apparmor.systemd[357]: Restarting AppArmor
Nov 01 14:15:40 laptop apparmor.systemd[357]: Reloading AppArmor profiles
Nov 01 14:15:40 laptop systemd-fsck[366]: fsck.fat 4.2 (2021-01-31)
Nov 01 14:15:40 laptop systemd-fsck[366]: /dev/sda2: 11 files, 40218/140690 clusters
Nov 01 14:15:40 laptop mount[497]: mount: /efi: unknown filesystem type 'vfat'.
Nov 01 14:15:40 laptop mount[497]:        dmesg(1) may have more information after failed mount system call.

I've had this issue a few times now, I'm not sure where it comes from to be honest, but I thought I would write it here in case you have any clue what's going on.

To fix this error I have to boot into a livecd and run arch-secure-boot generate-efi.

Here are the pacman logs that caused the issue:

Click to expand 
[2023-10-30T19:16:44+0100] [PACMAN] Running '/usr/bin/pacman -S -y -u --config /etc/pacman.conf --'
[2023-10-30T19:16:44+0100] [PACMAN] synchronizing package lists
[2023-10-30T19:16:45+0100] [PACMAN] starting full system upgrade
[2023-10-30T19:16:56+0100] [ALPM] running '05-snap-pac-pre.hook'...
[2023-10-30T19:16:57+0100] [ALPM-SCRIPTLET] ==> root: 574
[2023-10-30T19:16:57+0100] [ALPM] running '60-mkinitcpio-remove.hook'...
[2023-10-30T19:16:57+0100] [ALPM] transaction started
[2023-10-30T19:16:57+0100] [ALPM] upgraded bash (5.1.016-4 -> 5.2.015-5)
[2023-10-30T19:16:57+0100] [ALPM] upgraded containerd (1.7.7-1 -> 1.7.8-1)
[2023-10-30T19:16:57+0100] [ALPM] upgraded krb5 (1.20.1-1 -> 1.20.1-2)
[2023-10-30T19:16:57+0100] [ALPM] upgraded libnghttp2 (1.57.0-1 -> 1.58.0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded docker (1:24.0.6-1 -> 1:24.0.7-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded fzf (0.42.0-1 -> 0.43.0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded gpgme (1.23.0-1 -> 1.23.1-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded libyuv (r2322+3aebf69d-1 -> r2426+464c51a0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded libavif (1.0.1-3 -> 1.0.1-4)
[2023-10-30T19:16:58+0100] [ALPM] upgraded linux-firmware-whence (20230804.7be2766d-2 -> 20230918.3672ccab-1)
[2023-10-30T19:16:59+0100] [ALPM] upgraded linux-firmware (20230804.7be2766d-2 -> 20230918.3672ccab-1)
[2023-10-30T19:17:00+0100] [ALPM] upgraded shadow (4.14.1-1 -> 4.14.2-1)
[2023-10-30T19:17:02+0100] [ALPM] upgraded linux-hardened (6.5.8.hardened1-1 -> 6.5.9.hardened1-1)
[2023-10-30T19:17:07+0100] [ALPM] upgraded linux-hardened-headers (6.5.8.hardened1-1 -> 6.5.9.hardened1-1)
[2023-10-30T19:17:08+0100] [ALPM] upgraded restic (0.16.0-1 -> 0.16.1-1)
[2023-10-30T19:17:08+0100] [ALPM] transaction completed
[2023-10-30T19:17:09+0100] [ALPM] running '20-systemd-sysusers.hook'...
[2023-10-30T19:17:09+0100] [ALPM] running '30-systemd-daemon-reload.hook'...
[2023-10-30T19:17:09+0100] [ALPM] running '30-systemd-tmpfiles.hook'...
[2023-10-30T19:17:10+0100] [ALPM] running '30-systemd-udev-reload.hook'...
[2023-10-30T19:17:11+0100] [ALPM] running '30-systemd-update.hook'...
[2023-10-30T19:17:11+0100] [ALPM] running '60-depmod.hook'...
[2023-10-30T19:17:13+0100] [ALPM] running '90-mkinitcpio-install.hook'...
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-hardened.preset: 'default'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux-hardened -g /boot/initramfs-linux-hardened.img --microcode /boot/intel-ucode.img
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Starting build: '6.5.9-hardened1-1-hardened'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> Running build hook: [consolefont]
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keymap]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [autodetect]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2023-10-30T19:17:16+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'xhci_pci'
[2023-10-30T19:17:17+0100] [ALPM-SCRIPTLET]   -> Running build hook: [plymouth]
[2023-10-30T19:17:18+0100] [ALPM-SCRIPTLET]   -> Running build hook: [encrypt]
[2023-10-30T19:17:20+0100] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2023-10-30T19:17:20+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2023-10-30T19:17:22+0100] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2023-10-30T19:17:22+0100] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-hardened.img'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Image generation successful
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-hardened.preset: 'fallback'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux-hardened -g /boot/initramfs-linux-hardened-fallback.img -S autodetect --microcode /boot/intel-ucode.img
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Starting build: '6.5.9-hardened1-1-hardened'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [consolefont]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keymap]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2023-10-30T19:17:24+0100] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2023-10-30T19:17:24+0100] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2023-10-30T19:17:25+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'aic94xx'
[2023-10-30T19:17:25+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'bfa'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qed'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qla1280'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qla2xxx'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'wd719x'
[2023-10-30T19:17:27+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'xhci_pci'
[2023-10-30T19:17:30+0100] [ALPM-SCRIPTLET]   -> Running build hook: [plymouth]
[2023-10-30T19:17:31+0100] [ALPM-SCRIPTLET]   -> Running build hook: [encrypt]
[2023-10-30T19:17:33+0100] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2023-10-30T19:17:34+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2023-10-30T19:17:39+0100] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2023-10-30T19:17:40+0100] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-hardened-fallback.img'
[2023-10-30T19:17:41+0100] [ALPM-SCRIPTLET] ==> Image generation successful
[2023-10-30T19:17:42+0100] [ALPM] running 'gdk-pixbuf-query-loaders.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'post-20-dash-symlink.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'texinfo-install.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'zz-snap-pac-post.hook'...
[2023-10-30T19:17:42+0100] [ALPM-SCRIPTLET] ==> root: 575
[2023-10-30T19:17:42+0100] [ALPM] running 'zzz-arch-secure-boot-generate-snapshots.hook'...

It seems that for some reason the 95-arch-secure-boot-generate-efi hook is not being triggered. Therefore the signed UKI is not being updated and the system becomes unbootable. I'm not sure why it becomes unbootable though, might be due to systemd, I found the following in my kernel logs:

Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'crypto_user'
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'dm-multipath'
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'pkcs8_key_parser'

I'm wondering if Operation = Upgrade in the pacman hook is enough. Here's how dracut-hook from the AUR does it:

[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/dracut/*
Target = usr/lib/systemd/systemd

[Action]
Description = Updating initramfs...
When = PostTransaction
Exec = /usr/share/libalpm/scripts/dracut-install
NeedsTargets

We can see that they use both Operation = Install and Operation = Upgrade, and that they also trigger the hook when systemd is being updated.

#21 might be related

Let me know what you think :)

initial-setup failed with "cat: '/boot/*-ucode.img': No such file or directory"

problem : initial-setup failed with "cat: '/boot/*-ucode.img': No such file or directory"

OS: Arch Linux
Kernel: x86_64 Linux 5.14.8-arch1-1

full output :

➜  ~ arch-secure-boot initial-setup
Generating Secure Boot keys...
Generating a RSA private key
.........................................................................................................++++
........................++++
writing new private key to 'PK.key'
-----
Generating a RSA private key
...............................................................................................................................++++
.......................................................++++
writing new private key to 'KEK.key'
-----
Generating a RSA private key
..................................++++
.....++++
writing new private key to 'db.key'
-----
Generating EFI images...
cat: '/boot/*-ucode.img': No such file or directory

== Command ==
/usr/bin/arch-secure-boot generate-efi

== Config ==
ESP=/boot/efi
EFI=/EFI/arch
KERNEL=linux
NAME=secure-boot-linux
CMDLINE=/proc/cmdline

== Command ==
/usr/bin/arch-secure-boot initial-setup

== Config ==
ESP=/boot/efi
EFI=/EFI/arch
KERNEL=linux
NAME=secure-boot-linux
CMDLINE=/proc/cmdline

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.