gdamjan / secure-boot

UEFI SecureBoot for ArchLinux

efibootmgr assumes /dev/sda #9

Closed XVicarious closed 4 years ago

XVicarious commented 4 years ago

efibootmgr by default assumes the boot device is /dev/sda, which it isn't in all cases. A variable in config.mk or deriving it from findmnt (from util-linux) could be options for this case.

gdamjan commented 4 years ago

there's already a variable: EFIBOOTDEVICE.

any suggestions how to use findmnt?

XVicarious commented 4 years ago

Oh wow, can't believe I didn't see that. Thanks for the great work with this!

As far as findmnt goes, findmnt -n -o SOURCE $(EFIDIR) would return the partition as well as device, so /dev/sda1. But knowing now EFIBOOTDEVICE is a thing idk if it's really needed.

XVicarious commented 4 years ago

This isn't about this issue particularly, but I also seem to have found that when you include config.mk you do it too late for INITRAMFS, VMLINUZ, and DESTFILE. So since I run linux-hardened, even though my config.mk is correct the script has already set these variables.

gdamjan commented 4 years ago

Thanks for reporting these, I'll take a look.

Can you tell me what exactly do you have in config.mk to understand your context better?

XVicarious commented 4 years ago

https://github.com/gdamjan/secure-boot/blob/cba0fff7ed27b6fae8329ba1a97652aa816c6921/secure-boot#L12-L22

This part here. KERNEL is set to linux, then VMLINUZ, INITRAMFS, and DESTFILE are set then if you include my config file,

KERNEL := linux-hardened
EFIBOOTDEVICE := /dev/sde

KERNEL gets set, but the variables mentioned above stay the same. The make docs say that := are "simply" expanded variables which means they take effect immediately.
Take the following for example:

KERNEL := linux
# Note VMLINUZ uses ":=" (expanded immediately, so KERNEL is "linux" here)
VMLINUZ := /boot/vmlinuz-${KERNEL}
# Note INITRAMFS uses "=" (expanded when used, so it sees the later KERNEL)
INITRAMFS = /boot/initramfs-${KERNEL}
KERNEL = linux-hardened
default:
	@echo $(VMLINUZ)
	@echo $(INITRAMFS)

The output would be:

/boot/vmlinuz-linux
/boot/initramfs-linux-hardened
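
The ordering problem described above, as an added illustration (not code from gdamjan/secure-boot): config.mk is read before anything is derived from KERNEL, so ":=" is safe afterwards, and the boot disk is derived from the ESP mount when EFIBOOTDEVICE is not set. The variable names mirror the thread; the ESP/EFIDIR layout, the ".img" initramfs suffix, and the lsblk PKNAME step are assumptions.

```makefile
# Added example, not the project's own Makefile.
# 1. Defaults first, with "?=" so both `make KERNEL=linux-hardened`
#    and a config.mk override still win.
KERNEL ?= linux
ESP    ?= /boot
EFIDIR ?= $(ESP)/EFI/Linux          # assumed layout

# 2. Read the user's overrides BEFORE anything is derived from KERNEL.
#    The bug in the thread: deriving with ":=" and only then including
#    config.mk leaves VMLINUZ/INITRAMFS/DESTFILE at the default kernel.
-include config.mk

# 3. Now derive. ":=" is fine here because KERNEL is final at this point.
VMLINUZ   := $(ESP)/vmlinuz-$(KERNEL)
INITRAMFS := $(ESP)/initramfs-$(KERNEL).img   # Arch naming, assumed
DESTFILE  := $(EFIDIR)/$(KERNEL).efi          # assumed destination

# 4. Fallback for the boot disk: findmnt gives the ESP *partition*
#    (e.g. /dev/sda1); lsblk's PKNAME column gives its parent disk.
#    An explicit EFIBOOTDEVICE from config.mk or the command line wins.
EFIBOOTDEVICE ?= /dev/$(shell lsblk -no PKNAME $$(findmnt -n -o SOURCE $(ESP)))

.PHONY: show check
show:
	@echo "KERNEL        = $(KERNEL)"
	@echo "VMLINUZ       = $(VMLINUZ)"
	@echo "INITRAMFS     = $(INITRAMFS)"
	@echo "DESTFILE      = $(DESTFILE)"
	@echo "EFIBOOTDEVICE = $(EFIBOOTDEVICE)"

# Refuse to continue when the image about to be signed is not the one
# installed, or the boot device does not exist: this is the "hook runs
# for one package but signs another" case from the thread.
check: show
	@test -f "$(VMLINUZ)"   || { echo "missing $(VMLINUZ)";   exit 1; }
	@test -f "$(INITRAMFS)" || { echo "missing $(INITRAMFS)"; exit 1; }
	@test -b "$(EFIBOOTDEVICE)" || { echo "$(EFIBOOTDEVICE) is not a block device"; exit 1; }
```

With a config.mk containing `KERNEL := linux-hardened`, `make show` now reports vmlinuz-linux-hardened for every derived path, and `make check` fails fast instead of signing the wrong image.
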

gdamjan commented 4 years ago

ok, the idea for KERNEL was that you can run secure-boot KERNEL=linux-hardened and it would then set all the other variables based on that.

Isn't that sufficient for you?

XVicarious commented 4 years ago

It could be, but then that doesn't work with the hooks, and I'd have to manually run it. I'd have to modify the hooks, instead of the config file.


gdamjan commented 4 years ago

I created this under the assumption that you'd have to write a custom hook for your custom kernel. That way when you have two or more kernels installed all (that have hooks) will be signed. In your case the hook would run for one package but sign another?!

I think, now with the changes to packaging of the Arch kernels a more generic hook can be made, but I've been waiting for things to settle before I explore that path.

XVicarious commented 4 years ago

As it stands now, without using a command line argument the only kernel that works with this is the default linux. Changing the KERNEL variable via config.mk does nothing. Maybe I over-explained? I don't know. Is this supposed to be the expected behavior? Like the only options available to configure are ESP, EFIDIR, and EFIBOOTDEVICE?

gdamjan commented 4 years ago

As it stands now, without using a command line argument the only kernel that works with this is the default linux.

yes, but that's already as such in the hook. so, to match on linux-hardened, you'd still need a custom hook.