Systemd mkinitcpio hook support

[langri-sha]

If we're using systemd-boot, should the udev and shutdown hooks be replaced with systemd and sd-shutdown?

[Vincent43]

systemd-boot is bootloader, it should load every initramfs image that's available just fine.

I didn't test systemd specific hooks for mkinitcpio but I think they aren't compatible with ykfde so it's better to stay with udev and shutdown unless you want to do some testing.

[langri-sha]

Yes, I was migrating to systemd-boot and can confirm that the systemd and sd-shutdown hooks do not work.

I'm at the moment keeping two configurations and using a separate LUKS key slot for loading with systemd-boot. I haven't ever written any hooks, but I have a setup to try and make the ykfde hook working properly.

[VGrol]

I've done some testing on this end, The ykfde hood is effecitvely a hijacked encrypt hook, It only adds the following

add_binary "tr" add_binary "ykchalresp" add_binary "ykinfo" add_binary "date" add_binary "sleep" add_binary "printf" add_file "/etc/ykfde.conf" "/etc/ykfde.conf" add_file "/usr/lib/ykfde-suspend/initramfs-suspend" "/ykfde-suspend" 755

Adapting it to sd-encrypt still fails, since the script handling and extra binaries added in the ykfde hook don't seem to work with systemd out of box. It ends up waiting for startjobs, required by ykfde.

I have found a different project that adapts yubikey to systemd init, but it appears to use an entirely seperate ykfde hook and it still requires the sd-encrypt hook. It might be worth looking at, you can find it here.

That said, I think the while ykfde-hook might need a minor rewrite, as the shutdown hook is still recommended for ykfde-suspend, but it has been depreciated for a long time.

[Vincent43]

The ykfde hood is effecitvely a hijacked encrypt hook,

"Hijacked" is a strange choice of wording. ykfde hook is build on top of Arch's encrypt hook - that sounds simpler.

It only adds the following

In other words - it only adds everything which is needed for it to work :smile:. However I think that you missed the runtime part of the hook which is totally different.

Adapting it to sd-encrypt still fails, since the script handling and extra binaries added in the ykfde hook don't seem to work with systemd out of box. It ends up waiting for startjobs, required by ykfde.

If that was only question of copy-pasting ykfde changes to sd-encrypt hook it would be already done. Arch itself recommends using non-systemd initramfs with encrypt hook. The only benefits of using sd-encrypt are support for multiple encrypted devices and detached luks header.

I have found a different project that adapts yubikey to systemd init, but it appears to use an entirely seperate ykfde hook and it still requires the sd-encrypt hook. It might be worth looking at, you can find it here.

Yes, I'm aware of the project you linked :smile: . Unfortunately it's coded in C, not in shell scripting as we do.

That said, I think the while ykfde-hook might need a minor rewrite, as the shutdown hook is still recommended for ykfde-suspend, but it has been depreciated for a long time.

It doesn't really matter if it's deprecated. It was used for different purpose in Arch and still fits for our usecase. When Arch decide to delete it we can bring it back in this repo.

[VGrol]

Apologies if my phrasing might've come off as hostile, it wasn't intended to be.

"Hijacked" is a strange choice of wording. ykfde hook is build on top of Arch's encrypt hook - that sounds simpler.

In other words - it only adds everything which is needed for it to work smile. However I think that you missed the runtime part of the hook which is totally different.

I was merely implying that it operates on the foundations of the encrypt hook, rather than being its own standalone hook. The contents that define the ykfde part of the hook are simply minimalistic.

If that was only question of copy-pasting ykfde changes to sd-encrypt hook it would be already done. Arch itself recommends using non-systemd initramfs with encrypt hook. The only benefits of using sd-encrypt are support for multiple encrypted devices and detached luks header

Yeah, I never expected my hack-job modifications to work out of the gate, I was merely interested in what would happen. The reason I delved into it in the first place was because it seems that Arch is slowly moving into moving the boot and init process towards systemd, together with the recent push of systemd-boot (a boot loader, a different topic however).

It doesn't really matter if it's deprecated. It was used for different purpose in Arch and still fits for our usecase. When Arch decide to delete it we can bring it back in this repo.

I haven't looked into what ykfde uses in shutdown hook, could you point it out to me? If I recall correctly, one of the two devices where ykfde-suspend is running, the shutdown hook was omitted and it seemed fine.

[Vincent43]

The reason I delved into it in the first place was because it seems that Arch is slowly moving into moving the boot and init process towards systemd, together with the recent push of systemd-boot (a boot loader, a different topic however).

What is the base for this assumptions? Let me quote Arch Wiki maintainer from January this year: There's no need to use systemd hooks unless you have a problem with the busybox hooks, or need functionality that busybox hooks don't provide . There wasn't any activity in Arch's mkinitcpio project this year.

I haven't looked into what ykfde uses in shutdown hook, could you point it out to me? If I recall correctly, one of the two devices where ykfde-suspend is running, the shutdown hook was omitted and it seemed fine.

The shutdown hook copies initramfs content to /run/initramfs dir on running system. ykfde uses /run/initramfs for chroot directory. It isn't possible for ykfde-suspend to work if /run/initramfs doesn't exist or is empty.

[guyest]

I think what would solve this issue of no compatibility with systemd-boot (which I still experience) is building on top of the sd-encrypt hook rather than the encrypt hook. Is the code structured in such a way where it is possible to create a second hook called sd-ykfde in addition to ykfde so that systemd-boot users can make use of this great tool?

I would be willing to help implement that if you would be kind enough to point me to the right places in the code that would need to be reworked to add that functionality.

[anatol]

I tried to enable ykfde hook at systemd type of boot. I replaced sd-encrypt with ykfde and boot fails. I had to revert back to sd-encrypt hook.

+1 for having ykfde ported to systemd.

[B4b4u]

+1 for having ykfde ported to systemd.