Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using refind-btrfs with an unified kernel image #32

Open
Break-Off opened this issue Jul 6, 2022 · 4 comments
Open

Using refind-btrfs with an unified kernel image #32

Break-Off opened this issue Jul 6, 2022 · 4 comments
Assignees
@Venom1991
Labels
enhancement New feature or request

Comments

@Break-Off
Copy link

I am experimenting with Secure Boot, rEFInd, encrypted LUKS root partition formatted with BTRFS and an unified kernel image signed with my own keys. Since the kernel parameters are contained inside the image, rEFInd is just instructed to launch the .efi binary, so refind-btrfs can't find a boot stanza to match with the root partition. Is there a way to manually configure refind-btrfs to hook it to sbupdate to generate unified kernel images with snapshot support? Thanks for any help.
@Venom1991
Copy link
Owner

No, sorry - this use case is not currently supported. My setup isn't nearly as fancy (no encryption either) so I don't even have all the prerequisites needed to design and develop this feature. I'm not sure it's even possible.
Does grub-btrfs support this?

@Venom1991 Venom1991 added the enhancement New feature or request label Jul 6, 2022
@Venom1991 Venom1991 self-assigned this Jul 6, 2022
@Break-Off
Copy link
Author

Aw, shucks. I was hoping I was missing some configuration, but I guess I'll have to manually launch the snapshots. Thanks for the prompt response!

@rogueai
Copy link

rogueai commented Sep 26, 2022

Hi I recently migrated to a similar setup and found myself dealing with this as well. I tried to have a look at the issue and by the looks of it it might require some work to get it working due to how efi stubs are built.

First of all as OP mentioned, in this scenario refind.conf would look like this at the bare minimum:

menuentry Arch {
    loader /EFI/arch/arch-linux.efi
}

where we have an "all-included" efi image in the /efi partition, everything else resides in the encrypted root volume (including /boot).

In my particular case, arch-linux.efi is built directly by mkninitcpio and signed with sbctl. Correct me if I'm wrong, but refind-btrfs gets the root UUID from refind conf itself, whereas in this scenario parameters are pre-built into the efi image, taken from /etc/kernel/cmdline as a default.

So for this to work refind-btrfs would need to:

  • retrieve the root UUID by other means, possibly looking into /etc/kernel/cmdline although that could be configured so I'm not sure that's the right place to fetch them from
  • create the usual rw snapshot in the target location
  • generate an efi image with a custom mkinitpcio preset, that is, a preset must be generated on-the-fly matching the location of the target rw snapshot, something like:
ALL_config="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/etc/mkinitcpio.conf"
ALL_kver="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/vmlinuz-linux"
ALL_microcode=(/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/*-ucode.img)

PRESETS=('default')

default_image="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/initramfs-linux.img"
default_efi_image="/efi/EFI/arch/arch-linux-rwsnap_ID001.efi"
  • sign the efi image for secure boot, using sbctl or sbupdate

At this point the generated stanza should look something similar to this:

menuentry Arch {
    loader /EFI/arch/arch-linux-rwsnap_ID001.efi"
}

One thing to note though: after this is all setup, you'll be able to boot your system into the snapshot, but rolling back to it (as in: taking a new fresh ro snapshot), would probably require rebuilding and signing the "normal" efi image again.

I understand this is quite a feat, especially so if you don't have a secure boot setup to start with. I'll try to have a look at the code and cobble something together, although I know very little about python so I doubt I'll be able to make anything remotely "production ready" or even functioning.

@Venom1991
Copy link
Owner

Correct me if I'm wrong, but refind-btrfs gets the root UUID from refind conf itself

The currently mounted root partitions's UUID is retrieved by using the findmnt CLI tool. Manual boot stanzas (found in the refind.conf file) are parsed but are not necessarily matched with the root partition solely by its UUID - other properties are usable, as well. It depends on how you like to describe your own system, i.e. its partitions, subvolumes and such.

This feature looks like a pretty damn huge effort, at the moment. Thank you for this exhaustive implementation requirements description.

If you want to start playing around with it, sure - I don't mind at all. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Venom1991 Venom1991

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rogueai @Venom1991 @Break-Off