andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0

Question: is btrfs supported with direct booting? #34

Closed zsolt-donca closed 3 years ago

zsolt-donca commented 3 years ago

I am interested in moving to btrfs, but I am not sure if it is compatible with the direct booting method of sbupdate. The Arch Wiki article says to "check if your boot loader supports Btrfs."

Do sbupdate's boot images support btrfs? If so, does it also support booting with a specific revision of the root file system somehow?

In my current setup, sbupdate's directly bootable images are on an unencrypted EFI partition, signed by my custom keys (which are loaded into the EFI firmware), with secure boot enabled, which then boots a signed image and using TPM 2 (based on the boot secure boot enabled) automatically unlocks my LUKS2 volumes (which is otherwise a simple LVM_on_LUKS setup).

I am about to get a new laptop, and I am thinking of using btrfs for the root file system. I like in my current setup the fact that it is secure, convenient (with the TPM-based automatic unlock, just like BitLocker), and it works like a charm.

Thanks!

andreyv commented 3 years ago

There is no bootloader involved in the direct booting method. The firmware runs the systemd EFI stub, which starts the kernel with the set command line and initramfs.

So, anything you can do from the kernel and initramfs is supported.

Note that the EFI system partition, where the signed images are stored, must still be FAT32.

zsolt-donca commented 3 years ago

Do you have any suggestion on how to be able to specify which btrfs subvolume to load as root? Is there some kind of an initramfs module for this?

I am thinking of having periodic "backups" in the form of subvolumes, and in case an update goes wrong, I could simply switch to the previous version.

Some kind of reading material would be welcome, but I cannot find much on the subject.

andreyv commented 3 years ago

Sorry, I don't use btrfs. Presumably you need to set something special in the root= argument on the kernel command line.

Have you checked Arch Wiki?

maximbaz commented 3 years ago

I explored this specific use-case of setting up a direct Secure Boot into Arch Linux together with the option of recovery boot into a btrfs subvolume. The trick I chose is to have a second signed image that does not have a hardcoded cmdline, so Secure Boot allows you to override the root= argument and choose a different subvolume to boot into - I even made a tiny script where you can interactively select the subvolume directly in UEFI shell 🙂

You can have a look at the code here: https://github.com/maximbaz/arch-secure-boot

Hope you'll find it useful.

Disclaimer: what I have is a highly opinionated and specific use-case that I don't plan to extend beyond what is already possible. To whoever actually wants a feature-rich customizable setup, I always recommend this repo 🙂
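
Added example, not part of the thread and not code from sbupdate or arch-secure-boot: a Python check for auditing which signed images on the ESP pin their kernel command line and which accept one from the caller, as the recovery image described above does. It assumes the systemd-stub layout, where the command line lives in the image's `.cmdline` PE section and, with Secure Boot enabled, an embedded `.cmdline` takes precedence over a passed-in one; `rootflags=subvol=` is the kernel parameter that selects a btrfs subvolume, and the sample image, device path and subvolume name are constructed.

```python
import struct

# Leading fields of a PE section table entry (each entry is 40 bytes in total).
SECTION_ENTRY = struct.Struct("<8sIIII")  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def pe_sections(image: bytes) -> dict:
    """Map section name -> raw bytes for a PE/COFF image such as an EFI binary."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(count):
        name, vsize, _va, raw_size, raw_ptr = SECTION_ENTRY.unpack_from(image, table + 40 * i)
        size = min(vsize, raw_size) if vsize else raw_size  # drop file-alignment padding
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[raw_ptr:raw_ptr + size]
    return sections

def pinned_root_args(image: bytes):
    """Return the root=/rootflags= values fixed by the embedded .cmdline, or None when
    the image has no .cmdline section and the caller's command line would be used."""
    raw = pe_sections(image).get(".cmdline")
    if raw is None:
        return None
    args = raw.rstrip(b"\0\n").decode("utf-8", "replace").split()
    return {k: v for k, _, v in (a.partition("=") for a in args) if k in ("root", "rootflags")}

def constructed_image(cmdline=None) -> bytes:
    """Constructed sample: minimal PE headers with .linux and an optional .cmdline section."""
    bodies = [(b".linux", b"\x90" * 16)] + ([(b".cmdline", cmdline)] if cmdline is not None else [])
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: offset of the PE signature
    header += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(bodies), 0, 0, 0, 0, 0)
    offset = len(header) + 40 * len(bodies)  # first byte after the section table
    table, data = b"", b""
    for name, body in bodies:
        table += SECTION_ENTRY.pack(name, len(body), 0, len(body), offset + len(data)) + bytes(16)
        data += body
    return bytes(header) + table + data

if __name__ == "__main__":
    pinned = constructed_image(b"root=/dev/mapper/vg-root rootflags=subvol=@ rw\n")
    print(pinned_root_args(pinned))               # command line fixed inside the signed image
    print(pinned_root_args(constructed_image()))  # None: image takes the caller's command line
```

To audit a real ESP, read each `.efi` file as bytes and pass it to `pinned_root_args`; any image that returns `None` boots with whatever `root=` it is handed.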