maximbaz / arch-secure-boot

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery
ISC License

Extend compatibility with systemd-boot and other kernels #4

Closed: max-k closed this 3 years ago

max-k commented 3 years ago

Hi,

I use btrfs as my main filesystem (single-disk with subvolumes), snapper for timeline snapshots and snap-pac for pacman transactional snapshots. I also use systemd-boot as a bootloader.

With this configuration, I was unable to enable secure boot using your script. First, I had to remove the --no-dbus option from the snapper command line because with it, it was unable to find my snapshots. Then I had to adapt the script a bit because I use linux-hardened as my main kernel and this use case wasn't implemented. I also had a problem due to the fact that I mount efivarfs read-only for security reasons. So, to be able to add EFI entries, I had to remount this vfs in rw mode. Finally, for some reason I still don't understand, even after fixing all these issues, adding a new EFI entry using efibootmgr and setting it as the first element had no effect, and I was not able to boot with secure boot activated.

After many tries, my opinion was that systemd-boot probably interferes with the vanilla EFI boot process in a way I don't understand. Anyway, I discovered some interesting bits of information. 1st: when I copy *.efi files to $ESP/EFI/Linux, they appear in the systemd-boot menu. 2nd: the systemd-boot EFI loader is located at $ESP/EFI/systemd/systemd-bootx64.efi. 3rd: if I sign the systemd-boot EFI loader using sbsign and copy it to $ESP/EFI/BOOT/BOOTX64.EFI, I'm able to securely boot on it.

So I decided to also include this use case in the arch-secure-boot script.

One more thing: after all that journey, I wanted to be able to include only Intel ucode because I don't have any AMD CPU here. So I also implemented this possibility in the script.

To summarize, in this pull request I introduce five different improvements:

This is not the cleanest implementation, but I tried to ensure backward compatibility.

Here is the working config I use:

ESP="/esp"
EFI="/EFI/Linux"
KERNEL="linux-hardened"
SNAPPER_OPTIONS=""
SUBVOLUME_ROOT="@"
SUBVOLUME_SNAPSHOT="@snapshots/%1/snapshot" # %1 is replaced with snapshot ID
UCODE="intel"

I hope you'll like these additions.

Regards
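
As an added example (not code from arch-secure-boot or from this PR) of the steps described in the post above: a POSIX shell script that signs the systemd-boot loader with the Secure Boot db key, verifies the signature before installing the file as the fallback loader $ESP/EFI/BOOT/BOOTX64.EFI, and remounts a read-only efivarfs rw only for the duration of the run, restoring it afterwards. The key directory, the db.key/db.crt file names and the RUN_INSTALL switch are assumptions.

```shell
#!/bin/sh
# Added example, not part of arch-secure-boot. Sign systemd-boot, verify it
# against db.crt, install it as the fallback loader, and keep efivarfs
# read-only except while the install runs.
# ASSUMPTIONS: sbsign/sbverify (sbsigntools) are installed, db.key/db.crt live
# in $KEYDIR, and the script is run as root with RUN_INSTALL=1 to do the install.
set -eu

ESP="${ESP:-/esp}"
KEYDIR="${KEYDIR:-/etc/secureboot/keys}"   # assumed key location
EFIVARS="/sys/firmware/efi/efivars"
SRC="$ESP/EFI/systemd/systemd-bootx64.efi"
DST="$ESP/EFI/BOOT/BOOTX64.EFI"

# Print the mount options of efivarfs from a /proc/mounts-style listing ($1);
# prints nothing if efivarfs is not mounted.
efivarfs_opts() {
    printf '%s\n' "$1" | awk '$3 == "efivarfs" { print $4; exit }'
}

# Succeed if the comma-separated option string ($1) contains the "ro" flag
# (exact token match, so "errors=remount-ro" does not count).
is_ro() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# Sign into a temp file, refuse to install anything that does not verify
# against the db certificate, then move it into place.
sign_and_install() {
    sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" \
           --output "$DST.tmp" "$SRC"
    sbverify --cert "$KEYDIR/db.crt" "$DST.tmp"
    mkdir -p "$(dirname "$DST")"
    mv "$DST.tmp" "$DST"
}

main() {
    if is_ro "$(efivarfs_opts "$(cat /proc/mounts)")"; then
        # Put the hardened read-only mount back however we exit.
        trap 'mount -o remount,ro "$EFIVARS"' EXIT
        mount -o remount,rw "$EFIVARS"
    fi
    sign_and_install
}

# Constructed /proc/mounts sample (not captured from a real machine) showing
# the read-only efivarfs case described in the PR.
SAMPLE_MOUNTS='efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / btrfs rw,relatime,subvol=/@ 0 0'
if is_ro "$(efivarfs_opts "$SAMPLE_MOUNTS")"; then echo "sample: efivarfs is ro"; fi
if [ "${RUN_INSTALL:-0}" = 1 ]; then main; fi
```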

maximbaz commented 3 years ago

Closing for now due to inactivity. I have documented in the README that boot managers are intentionally not supported, and specifically mentioned the KERNEL=linux-hardened option for visibility. Once again, thank you for taking the time to open the PR; even though in this particular case it is not something that was merged, your collaboration is very much appreciated!