Comments (19)
You don't need a keyfile for your initramfs if you're using a unified kernel image, which is exactly what arch-secure-boot does. The initramfs is embedded in the unified kernel image.
The boot process of regular Linux setups (with full disk encryption) is as follows:
- Your motherboard runs its firmware which complies with the UEFI specs
- The motherboard firmware will look for an EFI partition on the disk it has been configured to boot into
- The motherboard firmware will check the signature of the EFI binary on your EFI partition, commonly GRUB, and execute it
- GRUB will ask you for a password to decrypt the harddrive
- GRUB will execute the initramfs
- The initramfs will ask you for a password to decrypt the disk (this is the step where you usually need a keyfile, because you don't want to enter your password twice)
- The initramfs will setup everything for the OS to run properly
- The initramfs will execute the Linux kernel (which is on the encrypted disk, this is why an additional decryption by the initramfs is required)
When you use a unified kernel image and no in-between bootloader, like arch-secure-boot does, here are the steps:
- Your motherboard runs its firmware which complies with the UEFI specs
- The motherboard firmware will look for an EFI partition on the disk it has been configured to boot into
- The motherboard firmware will check the signature of the EFI binary (which is the unified kernel image here) on your EFI partition, and execute it
- The initramfs will ask you for a password to decrypt the disk and pass execution to the kernel
The main difference between the two is that in the first common setup, your kernel (and initramfs) is encrypted on your disk, whereas with arch-secure-boot, it is not encrypted, and directly executed by the firmware of your motherboard.
from arch-secure-boot.
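The comment above rests on one fact: a unified kernel image is a single PE/COFF binary, and the kernel, the initramfs and the kernel command line are just named sections inside it, so the firmware's one Secure Boot signature check covers all three and nothing on the encrypted disk has to be unlocked before the kernel runs. The following is an added example, not code from arch-secure-boot or from the thread: a small PE section walker that lists those sections. It assumes the section names that UKIs use (.linux, .initrd, .cmdline, .osrel, .uname, .splash, .dtb) and builds a constructed sample image so it runs offline; pointed at a real image it reads the same headers.

```python
"""Added example: walk the PE section table of a unified kernel image (UKI).

A UKI is one PE/COFF binary whose kernel, initramfs and kernel command line
live in named sections (.linux, .initrd, .cmdline, plus .osrel, .uname,
.splash), which is why a single Secure Boot signature covers all of them and
why no keyfile for the initramfs is needed.  Illustrative code, not part of
arch-secure-boot.  Run as `python3 uki_sections.py /boot/EFI/Linux/<image>.efi`
on a real image, or with no argument to parse the constructed sample below.
"""
import struct
import sys
from typing import Dict, List, Tuple

UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".uname", ".splash", ".dtb")

# Constructed sample payloads (not real kernel data); the cmdline mirrors the
# /etc/kernel/cmdline discussion in this thread.
SAMPLE_CMDLINE = b"root=/dev/mapper/luksroot rw nvidia-drm.modeset=1"
SAMPLE_PAYLOADS: List[Tuple[bytes, bytes]] = [
    (b".linux", b"not a real kernel"),
    (b".initrd", b"not a real initramfs"),
    (b".cmdline", SAMPLE_CMDLINE),
]


def pe_sections(data: bytes) -> Dict[str, bytes]:
    """Return {section name: raw bytes} for a PE image, following the headers strictly."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                                # section table follows the optional header
    sections: Dict[str, bytes] = {}
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        # VirtualSize is the payload length; SizeOfRawData is padded to the file alignment.
        size = min(vsize, raw_size) if vsize else raw_size
        if raw_ptr + size > len(data):
            raise ValueError(f"section {name!r} points past the end of the file")
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + size]
    return sections


def uki_summary(data: bytes) -> Dict[str, int]:
    """Sizes of the UKI-specific sections that are present, in the usual order."""
    secs = pe_sections(data)
    return {n: len(secs[n]) for n in UKI_SECTIONS if n in secs}


def uki_cmdline(data: bytes) -> str:
    """The baked-in kernel command line (what /etc/kernel/cmdline ends up as)."""
    return pe_sections(data)[".cmdline"].rstrip(b"\0").decode()


def build_sample_uki() -> bytes:
    """Constructed minimal PE32+ image with UKI-style sections, for offline testing only."""
    header_end = 64 + 4 + 20 + 24 + 40 * len(SAMPLE_PAYLOADS)
    data_start = (header_end + 15) & ~15
    table, blobs, ptr = b"", b"", data_start
    for name, blob in SAMPLE_PAYLOADS:
        padded = blob + b"\0" * (-len(blob) % 16)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), ptr,
                             len(padded), ptr, 0, 0, 0, 0, 0x40000040)
        blobs += padded
        ptr += len(padded)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(SAMPLE_PAYLOADS), 0, 0, 0, 24, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 22                  # PE32+ magic, rest zeroed
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (data_start - len(image)) + blobs


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_uki()
    for name, size in uki_summary(image).items():
        print(f"{name:<9} {size} bytes")
    print("cmdline:", uki_cmdline(image))
```

On a real image `objdump -h` on the .efi file prints the same section list; the point of walking the headers by hand is to see that the initramfs and the command line are plain sections of the signed binary, so changing /etc/kernel/cmdline only takes effect once the image is regenerated and re-signed.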
Hello, you can put all the desired kernel params in this file:
arch-secure-boot/arch-secure-boot (line 23 in 8b5a1e5)
I don't know if that specific nvidia param is necessary, you'd have to experiment.
Hi, Thank you. Would it be added to the line like this:
CMDLINE=/etc/kernel/cmdline nvidia-drm.modeset=1
No, /etc/kernel/cmdline is a file, you open or create it and put your nvidia-drm.modeset=1 inside.
OK, I see, I will add it to the file. Thank you.
Notes: When not using a bootloader, one can enter the cmd for the kernel without a variable name. So "nvidia-drm.modeset=1" on a new line is fine.
Will report back if required, but generally for an NVIDIA Hyprland install, when using any bootloader it is a requirement. Is there anything you can think of that makes this step obsolete? Thanks for the great work.
A quick search seems to suggest that this param enables additional features on nvidia that might be required by Hyprland or provide a smoother experience; it sounds like you'll need it.
Thank you.
Best to set a command so arch-secure-boot generate-snapshots is run if snapper creates a new snapshot (to keep the list up to date)? Can this be installed during an arch install script? If so, after pacstrap, in chroot, or once chroot exits? Is it ok to install LUKS2?
I use snap-pac plus the pacman hook in this repo to keep the list up to date, but it's safe to run whenever, so do feel free to set up a refresh whenever you like.
Should be fine to install whenever, and yes I use luks2 too.
That's perfect, thank you. Last 2 questions, hopefully...
- Modding mkinitcpio and initramfs: edit this first, then run arch-secure-boot?
- Do we still need an EFI partition, or just create 1 btrfs volume?
- Sorry, one more: just confirm that arch-secure-boot unifies all the parts.
Thanks again for the support!
- Yep, and make sure to rebuild the initramfs after modding the configs
- Still need an EFI partition; in my case btrfs is encrypted, but there needs to be something that is not encrypted and can kick off the boot.
Hope that helps
I think this is what I got stuck on with other solutions. The solution I tried was to set up a keyfile so I can encrypt EFI and only get one password prompt at boot. I could not get it to work; I found the relevant parts of that dev code.
partition setup
# formatting the disk
wipefs -af "$DISK" &>/dev/null
sgdisk -Zo "$DISK" &>/dev/null
# Partition disks (same device as above; $OSROOT/$EFI are partitions 2 and 1 of it)
sgdisk --clear \
--new=1:0:+512M --typecode=1:ef00 --change-name=1:ESP \
--new=2:0:0 --typecode=2:8300 --change-name=2:LUKS \
--align=2048 "$DISK"
# Informing the Kernel of the changes.
echo "Informing the Kernel about the disk changes."
partprobe "$DISK"
# Set up LUKS
echo "Creating the encrypted partition."
echo -n "Enter encryption passphrase: "
cryptsetup luksFormat --type luks2 "$OSROOT"
echo -n "Enter encryption passphrase again: "
cryptsetup open "$OSROOT" luksroot
# Format ESP
mkfs.vfat -F32 -n ESP "$EFI"
# Format the LUKS volume as Btrfs ($BTRFS is the opened mapper device)
mkfs.btrfs -f -L system "$BTRFS"
# Create Btrfs subvolumes: mount the top-level volume once, create them, then remount by subvolume
mount -t btrfs "$BTRFS" "$MOUNT_POINT"
btrfs subvolume create "$MOUNT_POINT/@" &>/dev/null
btrfs subvolume create "$MOUNT_POINT/@/snapshots" &>/dev/null
btrfs subvolume create "$MOUNT_POINT/@/boot" &>/dev/null
btrfs subvolume create "$MOUNT_POINT/@/home" &>/dev/null
btrfs subvolume create "$MOUNT_POINT/@/cryptkey" &>/dev/null
umount "$MOUNT_POINT"
mount -o noatime,compress=zstd:2,subvol=@ "$BTRFS" "$MOUNT_POINT"
mkdir -p /mnt/cryptkey /mnt/boot/efi
# nodatacow so the keyfile is never duplicated into snapshots' COW extents
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "$BTRFS" /mnt/cryptkey
mount -o nodev,nosuid,noexec "$ESP" /mnt/boot/efi
add key file to the initramfs:
# Adding keyfile to the initramfs to avoid double password.
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
cryptsetup -v luksAddKey "$OSROOT" /mnt/cryptkey/.root.key
# The mapper name on the kernel cmdline must match the one opened above (luksroot)
UUID=$(blkid -s UUID -o value "$OSROOT")
sed -i "s#quiet#cryptdevice=UUID=$UUID:luksroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
I don't think you need to deal with double encryption and a key file; keep the EFI partition unencrypted, it will contain just the EFI files verified using secure boot, and all the rest is a single btrfs partition, encrypted only once.
Thank you both, and what a fantastic implementation and support with this.
Is plymouth compatible with this setup? I think it would just theme the password prompt. Not an issue if unsupported.
The script I made to semi-automate the plymouth install:
#!/bin/bash
# Function to install packages using yay
install_packages() {
yay -S "$@"
}
# Function to set Plymouth default theme
set_plymouth_theme() {
sudo plymouth-set-default-theme "$1"
}
# Function to add Plymouth to HOOKS in mkinitcpio.conf
add_plymouth_to_hooks() {
local mkinitcpio_file="/etc/mkinitcpio.conf"
# Check if a plymouth hook is already in the active HOOKS line
if grep -Eq '^HOOKS=.*\b(sd-)?plymouth\b' "$mkinitcpio_file"; then
echo "'plymouth' already present in HOOKS"
else
# Insert 'sd-plymouth' directly after 'systemd', inside the parentheses
# (a greedy '.*systemd.*' pattern would append it after the closing ')')
sudo sed -i '/^HOOKS=/ s/\bsystemd\b/systemd sd-plymouth/' "$mkinitcpio_file"
echo "Added 'sd-plymouth' to HOOKS in $mkinitcpio_file"
fi
}
# Function to prompt user for Plymouth theme
prompt_for_theme() {
clear
local themes=("gbrt (BIOS theme)" "arch linux" "legion" "owl")
echo "Choose a Plymouth theme, or 'Custom' to enter a theme package name:"
# Quote the array so names containing spaces stay one menu entry each
select theme in "${themes[@]}" "Custom"; do
case $theme in
"gbrt (BIOS theme)" | "arch linux" | "legion" | "owl")
# Strip the descriptive suffix; assumed package naming is plymouth-theme-<name>
local name=${theme%% (*}
name=${name// /-}
install_packages "plymouth-theme-$name"
set_plymouth_theme "$name"
echo "Installed and set Plymouth theme: $name"
break
;;
"Custom")
read -r -p "Enter the name of the custom Plymouth theme package: " custom_theme
# -Si queries the repos/AUR; -Qi would only find packages already installed
if yay -Si "$custom_theme" &>/dev/null; then
install_packages "$custom_theme"
set_plymouth_theme "${custom_theme#plymouth-theme-}"
echo "Installed and set Plymouth theme: $custom_theme"
break
else
echo "Package '$custom_theme' not found in the AUR. Please enter a valid package name."
fi
;;
*)
echo "Invalid choice. Please select a valid theme or 'Custom' for a custom theme."
;;
esac
done
}
# Function to add kernel options to /boot/loader/entries/linux.conf
# (with arch-secure-boot the options belong in /etc/kernel/cmdline instead, see above in this thread)
add_kernel_options() {
local linux_conf="/boot/loader/entries/linux.conf"
local kernel_options="quiet splash loglevel=3 rd.udev.log_priority=3 vt.global_cursor_default=0"
# Check if kernel options are already present (/boot is usually root-only)
if sudo grep -q "$kernel_options" "$linux_conf"; then
echo "Kernel options already present in $linux_conf"
else
# Append kernel options to the options line
sudo sed -i "/^options/ s/$/ $kernel_options/" "$linux_conf"
echo "Added kernel options to $linux_conf"
fi
}
# Prompt user for Plymouth theme and install it
prompt_for_theme
# Add Plymouth to HOOKS in mkinitcpio.conf
add_plymouth_to_hooks
# Add kernel options to /boot/loader/entries/linux.conf
add_kernel_options
# Rebuild the initramfs so the new hook takes effect (with arch-secure-boot, run its generate-efi afterwards)
sudo mkinitcpio -P
echo "Plymouth Installation completed."
Yes it is, I use it as well, works just fine. In case you didn't know, there's a huge collection of themes there: https://github.com/adi1090x/plymouth-themes
Oh yes, I was tempted to add it to the script; I think I will now, seeing that you mentioned it and I have to rewrite the script. I will work on modifying it to work with arch-secure-boot; any hints would be appreciated. This is going into a project I'm working on (scriptOS), and I don't want a bad setup. Its purpose was primarily to help nvidia dgpu laptop users have a solid setup, but it's growing in use case.
Thanks again
@ShellCode33 I'm trying to construct the HOOKS part in mkinitcpio. What does your HOOKS line look like? Where did you position "plymouth"?
`add_plymouth_to_hooks() {
local mkinitcpio_file="/etc/mkinitcpio.conf"
# Insert 'plymouth' right after 'udev' inside the HOOKS=( ... ) array
# (a greedy '\(.*udev.*\)' group would put it after the closing parenthesis)
sudo sed -i '/^HOOKS=/ s/\budev\b/udev plymouth/' "$mkinitcpio_file"
echo "Added 'plymouth' to HOOKS in $mkinitcpio_file"
}
`
Thank you
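The HOOKS edit being asked about here (and in the earlier plymouth script) is the kind of thing a one-line sed gets subtly wrong: a greedy group like `\(.*udev.*\)` captures the whole line, so the hook is appended after the closing parenthesis, outside the array, and running the script twice appends it twice. The following is an added example, not code from arch-secure-boot or from either participant: it treats HOOKS=(...) as a list, inserts the hook after a chosen anchor, refuses to guess if the anchor is absent, and leaves commented-out HOOKS lines alone. The sample mkinitcpio.conf is constructed; the `greedy_sed_append` function reproduces the sed behaviour for comparison.

```python
"""Added example: edit the HOOKS=(...) array in mkinitcpio.conf idempotently.

Illustrative code, not part of arch-secure-boot.  It parses the active
(uncommented) HOOKS line as a list and inserts a hook after a chosen anchor,
so it cannot duplicate the hook or, as the greedy sed pattern
's/\\(.*udev.*\\)/\\1 plymouth/' does, append it after the closing parenthesis
where mkinitcpio never sees it.  The sample config below is constructed.
"""
import re
from typing import List

# Matches the active HOOKS line only; a leading '#' (commented-out example) does not match.
HOOKS_RE = re.compile(r"^([ \t]*HOOKS=\()([^)]*)(\).*)$", re.MULTILINE)

SAMPLE_CONF = """\
# vim:set ft=sh
MODULES=()
BINARIES=()
FILES=()
#HOOKS=(base udev autodetect modconf block filesystems)
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
"""


def parse_hooks(conf: str) -> List[str]:
    """The hooks of the active HOOKS line, in order."""
    m = HOOKS_RE.search(conf)
    if m is None:
        raise ValueError("no active HOOKS=(...) line found")
    return m.group(2).split()


def add_hook(conf: str, hook: str, after: str) -> str:
    """Return conf with `hook` placed right after `after` in HOOKS; unchanged if already present."""
    m = HOOKS_RE.search(conf)
    if m is None:
        raise ValueError("no active HOOKS=(...) line found")
    hooks = m.group(2).split()
    if hook in hooks:
        return conf
    if after not in hooks:
        raise ValueError(f"anchor hook {after!r} is not in HOOKS; refusing to guess a position")
    hooks.insert(hooks.index(after) + 1, hook)
    # Splice only the text between the parentheses; everything else stays byte-identical.
    return conf[: m.start(2)] + " ".join(hooks) + conf[m.end(2):]


def greedy_sed_append(conf: str, hook: str = "plymouth", anchor: str = "udev") -> str:
    """Reproduces what sed '/^HOOKS=/ s/\\(.*udev.*\\)/\\1 plymouth/' does: the greedy
    group swallows the whole line, so the hook lands after the ')'."""
    out = []
    for line in conf.splitlines(keepends=True):
        if line.startswith("HOOKS="):
            line = re.sub(rf"(.*{re.escape(anchor)}.*)", rf"\1 {hook}", line, count=1)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    fixed = add_hook(SAMPLE_CONF, "plymouth", after="udev")
    print("list-based :", HOOKS_RE.search(fixed).group(0))
    print("greedy sed :", HOOKS_RE.search(greedy_sed_append(SAMPLE_CONF)).group(0))
```

For a systemd-based initramfs call `add_hook(conf, "sd-plymouth", after="systemd")` instead, as the earlier script intended; in either case read /etc/mkinitcpio.conf, write the result back as root, and rebuild the initramfs (and the signed image) afterwards. The regex deliberately handles only the array form `HOOKS=(...)`, not the old quoted `HOOKS="..."` form.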
There you go:
Thank you!
All questions were hopefully addressed, thus closing the thread. Feel free to comment further though if something comes up. Thanks for the questions, and thanks @ShellCode33 for your participation and detailed answers!