Open Break-Off opened 2 years ago
No, sorry - this use case is not currently supported. My setup isn't nearly as fancy (no encryption either) so I don't even have all the prerequisites needed to design and develop this feature. I'm not sure it's even possible.
Does grub-btrfs support this?
Aw, shucks. I was hoping I was missing some configuration, but I guess I'll have to manually launch the snapshots. Thanks for the prompt response!
Hi I recently migrated to a similar setup and found myself dealing with this as well. I tried to have a look at the issue and by the looks of it it might require some work to get it working due to how efi stubs are built.
First of all as OP mentioned, in this scenario refind.conf would look like this at the bare minimum:
menuentry Arch {
loader /EFI/arch/arch-linux.efi
}
where we have an "all-included" efi image in the /efi
partition, everything else resides in the encrypted root volume (including /boot
).
In my particular case, arch-linux.efi
is built directly by mkninitcpio
and signed with sbctl
. Correct me if I'm wrong, but refind-btrfs gets the root UUID from refind conf itself, whereas in this scenario parameters are pre-built into the efi image, taken from /etc/kernel/cmdline
as a default.
So for this to work refind-btrfs would need to:
/etc/kernel/cmdline
although that could be configured so I'm not sure that's the right place to fetch them from
ALL_config="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/etc/mkinitcpio.conf"
ALL_kver="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/vmlinuz-linux"
ALL_microcode=(/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/*-ucode.img)
PRESETS=('default')
default_image="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/initramfs-linux.img" default_efi_image="/efi/EFI/arch/arch-linux-rwsnap_ID001.efi"
- sign the efi image for secure boot, using `sbctl` or `sbupdate`
At this point the generated stanza should look something similar to this:
menuentry Arch { loader /EFI/arch/arch-linux-rwsnap_ID001.efi" }
One thing to note though: after this is all setup, you'll be able to boot your system into the snapshot, but rolling back to it (as in: taking a new fresh ro snapshot), would probably require rebuilding and signing the "normal" efi image again.
I understand this is quite a feat, especially so if you don't have a secure boot setup to start with. I'll try to have a look at the code and cobble something together, although I know very little about python so I doubt I'll be able to make anything remotely "production ready" or even functioning.
Correct me if I'm wrong, but refind-btrfs gets the root UUID from refind conf itself
The currently mounted root partitions's UUID is retrieved by using the findmnt
CLI tool. Manual boot stanzas (found in the refind.conf file) are parsed but are not necessarily matched with the root partition solely by its UUID - other properties are usable, as well. It depends on how you like to describe your own system, i.e. its partitions, subvolumes and such.
This feature looks like a pretty damn huge effort, at the moment. Thank you for this exhaustive implementation requirements description.
If you want to start playing around with it, sure - I don't mind at all. :+1:
I am experimenting with Secure Boot, rEFInd, encrypted LUKS root partition formatted with BTRFS and an unified kernel image signed with my own keys. Since the kernel parameters are contained inside the image, rEFInd is just instructed to launch the .efi binary, so refind-btrfs can't find a boot stanza to match with the root partition. Is there a way to manually configure refind-btrfs to hook it to sbupdate to generate unified kernel images with snapshot support? Thanks for any help.