How to add nvidia-drm.modeset=1 about arch-secure-boot HOT 19 CLOSED

You don't need a keyfile for your initramfs if you're using a unified kernel image, which is exactly what arch-secure-boot does. The initramfs is embedded in the unified kernel image.

The boot process of regular Linux setups (with full disk encryption) is as follow:

• Your motherboard runs its firmware which complies with the UEFI specs
• The motherboard firmware will look for an EFI partition on the disk it has been configured to boot into
• The motherboard firmware will check the signature of the EFI binary on your EFI partition, commonly GRUB, and execute it
• GRUB will ask you for a password to decrypt the harddrive
• GRUB will execute the initramfs
• The initramfs will ask you for a password to decrypt the disk (this is the step where you usually need a keyfile, because you don't want to enter your password twice)
• The initramfs will setup everything for the OS to run properly
• The initramfs will execute the Linux kernel (which is on the encrypted disk, this is why an additional decryption by the initramfs is required)

When you use a unified kernel image and no in between bootloader like arch-secure-boot does, here are the step:

• Your motherboard runs its firmware which complies with the UEFI specs
• The motherboard firmware will look for an EFI partition on the disk it has been configured to boot into
• The motherboard firmware will check the signature of the EFI binary (which is the unified kernel image here) on your EFI partition, and execute it
• The initramfs will ask you for a password to decrypt the disk and pass execution to the kernel

The main difference between the two is that in the first common setup, your kernel (and initramfs) is encrypted on your disk, whereas with arch-secure-boot, it is not encrypted, and directly executed by the firmware of your motherboard.

from arch-secure-boot.

Hello, you can put all the desired kernel params in this file:

I don't know if that specific nvidia param is necessary, you'd have to experiment 🙂

from arch-secure-boot.

Hi, Thank you. Would it be added to the line like this:

CMDLINE=/etc/kernel/cmdline nvidia-drm.modeset=1

from arch-secure-boot.

No, /etc/kernel/cmdline is a file, you open or create it and put your nvidia-drm.modeset=1 inside.

from arch-secure-boot.

ok i see will add to the file. Thank you

Notes:When not using a bootloader, one can enter the cmd for the kernal without a Variable name. So "nvidia-drm.modeset=1" on a new line is fine.

Will report back if required, but generally for NVIDIA hyperland install, when using any bootloader it is a requirement, is there anything you can think that makes this step obsolete? Thanks for the great work.

from arch-secure-boot.

Quick search seems to suggest that this param enables additional features on nvidia, that might be required by hyprland or provide smoother experience, it sounds like you'll need it

from arch-secure-boot.

Thank you.

best to set a command so arch-secure-boot generate-snapshots is run if snapper creates a new snapshot? (to keep list up to date?) Can this be installed during an arch install script? if so after pacstrap, in chroot or once chroot exits. Is it ok to install LUKS2?

from arch-secure-boot.

I use snap-pac plus pacman hook in this repo to keep the list up-to-date, but it's safe to run whenever, so do feel free to set up refresh when you like it best👍

Should be fine to install whenever, and yes I use luks2 too.

from arch-secure-boot.

Thats perfect thank you. last 2 questions hopefully...

1. modding mkinitcpio and initramfs, edit this first then run arch-secure-boot?
2. Do we still need a efi partition? or just create 1 btrfs volume?
3. sorry one more just confirm arch-secure-boot unifies all the parts

thanks again for the support!

from arch-secure-boot.

1. Yep, and make sure to rebuild initramfs after modding the configs
2. Still need efi partition, in my case btrfs is encrypted, but there needs to be something that is not encrypted and can kick off the boot.

Hope that helps 😉

from arch-secure-boot.

I think this is what i got stuck on with other solutions. The solution i tried was to setup a keyfile so i can encrypt EFI and only get one password prompt at boot. could not get it to work, i found the relevant parts of that dev code.

partition setup

# formatting the disk
wipefs -af "$DISK" &>/dev/null
sgdisk -Zo "$DISK" &>/dev/null

# Partition disks
sgdisk --clear \
       --new=1:0:+512M --typecode=1:ef00 --change-name=1:ESP \
       --new=2:0:0     --typecode=2:8300 --change-name=2:LUKS \
       --align=2048 $DEVICE

# Informing the Kernel of the changes.
echo "Informing the Kernel about the disk changes."
partprobe "$DISK"umount $MOUNT_POINT

# Set up LUKS
echo "Creating the encrypted partition."
echo -n "Enter encryption passphrase: "
cryptsetup luksFormat --type luks2 $OSROOT
echo -n "Enter encryption passphrase again: "
cryptsetup open $OSROOT luksroot

# Format ESP
mkfs.vfat -F32 -n ESP $EFI

# Format the LUKS volume as Btrfs
$ mkfs.btrfs -f -L system $BTRFS
mount -o noatime,compress=zstd:2 $BTRFS $MOUNT_POINT

# Create Btrfs subvolumes and set COW
mount -t btrfs $BTRFS $MOUNT_POINT
btrfs subvolume create $MOUNT_POINT/@ &>/dev/null
btrfs subvolume create $MOUNT_POINT/@/snapshots &>/dev/null
btrfs subvolume create $MOUNT_POINT/@/boot/ &>/dev/null
btrfs subvolume create $MOUNT_POINT/@/home &>/dev/null

# Create Btrfs subvolumes and set COW
mount -t btrfs $BTRFS $MOUNT_POINT
btrfs subvolume create $MOUNT_POINT/@ &>/dev/null
btrfs subvolume create $MOUNT_POINT/@/snapshots &>/dev/null
btrfs subvolume create $MOUNT_POINT/@/boot/ &>/dev/null
btrfs subvolume create $MOUNT_POINT/@/home &>/dev/null

mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey

mkdir -p /mnt/boot/efi
mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi

add key file to the initramfs:

# Adding keyfile to the initramfs to avoid double password.
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf

from arch-secure-boot.

I dont think you need to deal with double encryption and key file, keep efi partition unencrypted, it will contain just the efi files verified using secure boot, and all the rest is a single btrfs partition, encrypted only once

from arch-secure-boot.

@maximbaz @ShellCode33

Thank you both. and what a fantastic implementation and support with this.

Is plymouth compatible with this setup? I think it would just theme the password prompt. Not an issue if unsupported.

the script i made to semi automate plymouth install:

#!/bin/bash

# Function to install packages using yay
install_packages() {
    yay -S $@
}

# Function to set Plymouth default theme
set_plymouth_theme() {
    sudo plymouth-set-default-theme $1
}

# Function to add Plymouth to HOOKS in mkinitcpio.conf
add_plymouth_to_hooks() {
    local mkinitcpio_file="/etc/mkinitcpio.conf"
    
    # Check if 'plymouth' is already in HOOKS
    if grep -q 'plymouth' $mkinitcpio_file; then
        echo "'plymouth' already present in HOOKS"
    else
        # Find 'systemd' and insert 'plymouth' next to it
        sed -i '/^HOOKS=/ s/\(.*systemd.*\)/\1 sd-plymouth/' $mkinitcpio_file
        echo "Added 'plymouth' to HOOKS in $mkinitcpio_file"
    fi
}

# Function to prompt user for Plymouth theme
prompt_for_theme() {
    clear
    display_logo
    local themes=("gbrt (BIOS theme)" "arch linux" "legion" "owl")
    local theme_options=$( (IFS=,; echo "${themes[*]}") )
    
    echo "Choose a Plymouth theme or enter '-c \"theme_name\"' to input a custom theme name:"
    select theme in $theme_options "-c \"Custom\""; do
        case $theme in
            "gbrt (BIOS theme)" | "arch linux" | "legion" | "owl")
                install_packages "plymouth-theme-$theme"
                set_plymouth_theme "$theme"
                echo "Installed and set Plymouth theme: $theme"
                break
                ;;
            "-c \"Custom\"")
                read -r -p "Enter the name of the custom Plymouth theme package: " custom_theme
                if yay -Qi "$custom_theme" &>/dev/null; then
                    install_packages "plymouth-theme-$custom_theme"
                    set_plymouth_theme "$theme"
                    echo "Installed and set Plymouth theme: $custom_theme"
                    break
                else
                    echo "Package '$custom_theme' not found in AUR. Please enter a valid package name."
                fi
                ;;
            *)
                echo "Invalid choice. Please select a valid theme or enter '-c \"theme_name\"' for a custom theme."
                ;;
        esac
    done
}

# Function to add kernel options to /boot/loader/entries/linux.conf
add_kernel_options() {
    local linux_conf="/boot/loader/entries/linux.conf"
    local kernel_options="quiet splash loglevel=3 rd.udev.log_priority=3 vt.global_cursor_default=0"
    
    # Check if kernel options are already present
    if grep -q "$kernel_options" $linux_conf; then
        echo "Kernel options already present in $linux_conf"
    else
        # Append kernel options to the options line
        sed -i "/^options/ s/$/ $kernel_options/" $linux_conf
        echo "Added kernel options to $linux_conf"
    fi
}

# Prompt user for Plymouth theme and install it
prompt_for_theme

# Add Plymouth to HOOKS in mkinitcpio.conf
add_plymouth_to_hooks

# Add kernel options to /boot/loader/entries/linux.conf
add_kernel_options

echo "Plymouth Installation completed."

from arch-secure-boot.

Yes it is, I use it as well, works just fine. In case you didn't know, there's a huge collection of themes there: https://github.com/adi1090x/plymouth-themes

from arch-secure-boot.

Oh yes was tempted to add it to the script, i think i will now, seeing in you mentioned it and i have to rewrite the script. I will work on modifying it to work with arch-secure-boot any hints would be appreciated. this is going into a project im working on (scriptOS), dont want a bad setup, its purpose was primarily to help nvidia dgpu laptop users have a solid setup but its growing in use case.

thanks again

from arch-secure-boot.

@ShellCode33 trying to construct the HOOKS part in mkinitcpio. What does yours HOOKS line look like? where did you position "plymouth". :

`add_plymouth_to_hooks() {
local mkinitcpio_file="/etc/mkinitcpio.conf"

    # Find 'udev' and insert 'plymouth' next to it
    sed -i '/^HOOKS=/ s/\(.*udev.*\)/\1 plymouth/' $mkinitcpio_file
    echo "Added 'plymouth' to HOOKS in $mkinitcpio_file"

}
`

Thank you

from arch-secure-boot.

There you go:

https://github.com/ShellCode33/ArchLinux-Hardened/blob/85e48c316f13dc00a051147dc2420335c04c07b4/install.sh#L286-L294

from arch-secure-boot.

Thank you!

from arch-secure-boot.

All questions were hopefully addressed, thus closing the thread. Feel free to comment further though if something comes up. Thanks for the questions, and thanks @ShellCode33 for your participation and detailed answers!

from arch-secure-boot.