#1 2025-02-21 01:17:52

dootfs
Member
Registered: 2024-01-27
Posts: 24

Failed UKI Install on LUKS

Attempting to make a fresh Arch install on an encrypted partition with a separate /boot partition mounted with a UKI file.

The problem is that the system fails to initialize using the unsigned UKI file mounted to /boot/EFI/Linux/ukify_build_output.efi

UEFI Boot Manager indicates that Secure Boot is OFF, TPM is ON.

UEFI won't boot from the /boot partition, can't boot from the /root partition:

ERROR: device ' ' not found. Skipping fsck.
mount: /new_root: fsconfig system call failed: fuseblk: Bad value for 'source'.
dmesg(1) may have more information after failed mount system call.
ERROR: Failed to mount ' ' on real root. 
You are now being dropped into an emergency shell
sh: can't access tty: job control turned off
[rootfs ~]#

For context, the entire drive is wiped using the nvme utility. Partitions are GPT formatted, cryptsetup formatted the root partition, and the virtual root device is formatted ext4, while the boot partition is formatted fat32. The whole system + systemd-ukify is installed to /mnt using pacstrap, and profile configurations are set. The mkinitcpio HOOKS are left alone, and bootctl stands up the /boot/EFI/Linux tree. Minimal ukify build pointed to /boot/EFI/Linux and passwd set. The same problem has resulted from running this procedure with and without also running mkinitcpio -P before reboot.

Other than the fact that it failed, is there anything obviously wrong with this procedure?

Offline

#2 2025-02-21 03:13:27

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,527

Re: Failed UKI Install on LUKS

From that output, it looks like you did not configure the kernel command line to include the root= parameter?

Offline

#3 2025-02-21 03:57:08

dootfs
Member
Registered: 2024-01-27
Posts: 24

Re: Failed UKI Install on LUKS

What parameters are missing from this example from the wiki:

# ukify build --linux=/boot/vmlinuz-linux  --initrd=/boot/amd-ucode.img --initrd=/boot/initramfs-linux.img --cmdline="quiet rw"

Could the problem be that the root device fails to mount because the partition is encrypted and cannot be read unless keys are generated/enrolled and all boot components are signed? I was attempting to test the system for functionality using the unsigned UKI file, but the encrypted drive cannot be mounted either automatically or manually, suggesting the problem may be with the LUKS implementation.

Last edited by dootfs (2025-02-21 04:12:03)

Offline

#4 2025-02-21 04:21:26

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,527

Re: Failed UKI Install on LUKS

No, the problem is that "quiet rw" doesn't tell the system where the root partition is. Since you're using mkinitcpio, see https://wiki.archlinux.org/title/Unifie … mmand_line

Offline
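
The check below is an added example, not part of the thread or the Arch wiki: it lints a command line before it is handed to ukify's --cmdline, looking for the two things a mkinitcpio initramfs needs to reach a root filesystem inside LUKS, namely root= and an unlock parameter. It assumes unlocking is configured on the command line (cryptdevice= for the encrypt hook, rd.luks.name= or rd.luks.uuid= for sd-encrypt) and that the device path contains no colon; the UUID and mapper names in the sample calls are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Lints a kernel command line meant for
# ukify's --cmdline when the root filesystem lives inside a LUKS container.
# The body runs in a subshell "( )" so its variables and "set -f" stay local.
check_cmdline() (
    set -f                      # no glob expansion while word-splitting $1
    root= mapper= bad=0
    for arg in $1; do
        case $arg in
            root=*) root=${arg#root=} ;;
            cryptdevice=*:*)    # encrypt hook: cryptdevice=<device>:<name>[:opts]
                mapper=${arg#cryptdevice=*:}; mapper=${mapper%%:*} ;;
            rd.luks.name=*=*)   # sd-encrypt hook: rd.luks.name=<UUID>=<name>
                mapper=${arg#rd.luks.name=*=} ;;
            rd.luks.uuid=*)     # sd-encrypt hook: mapper is named luks-<UUID>
                mapper=luks-${arg#rd.luks.uuid=} ;;
        esac
    done
    if [ -z "$root" ]; then
        echo "missing root=: initramfs cannot locate the root filesystem"; bad=1
    fi
    if [ -z "$mapper" ]; then
        echo "missing cryptdevice= or rd.luks.name=: no LUKS unlock parameter"; bad=1
    fi
    case $root in
        /dev/mapper/*)          # root= names a mapper device: it must be the one opened
            if [ -n "$mapper" ] && [ "$root" != "/dev/mapper/$mapper" ]; then
                echo "root=$root does not match mapper name '$mapper'"; bad=1
            fi ;;
    esac
    [ "$bad" -eq 0 ] && echo "ok"
    return "$bad"
)

# Constructed samples: the command line from the thread, then a complete one.
UUID=00000000-0000-0000-0000-000000000000   # placeholder, not a real device
check_cmdline "quiet rw" || true
check_cmdline "cryptdevice=UUID=$UUID:root root=/dev/mapper/root rw"
```

A systemd-based initramfs that unlocks through /etc/crypttab.initramfs would be flagged for the missing unlock parameter even though it can boot, so treat that finding as a prompt to confirm where unlocking is configured.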

#5 2025-02-21 16:13:34

dootfs
Member
Registered: 2024-01-27
Posts: 24

Re: Failed UKI Install on LUKS

That makes sense from the error message - the system doesn't see the root filesystem. I'll try the install again using mkinitcpio and manually assembling the UKI rather than using systemd-ukify.

Offline
