Arch Linux

dootfs

Member

Registered: 2024-01-27

Posts: 32

cmdline.d missing? [SOLVED]

I've been hitting my head against the wall for a while trying to install Arch via netboot.

The system is configured in basic fashion with an encrypted LUKS root partition, and unencrypted boot and swap partitions [swap is getting the encryption treatment just as soon as the install is finished].

The problem is that I don't see the /etc/cmdline.d directory which is supposed to contain .conf files for mkinitcpio to pick up in order to generate the UKI file.

Working off of the installation guide , it looks as simple as dropping in the relevant UUIDs into corresponding .conf files contained in /etc/cmdline.d but again, there appears to be no such directory.

I wound up with the same problem in trying to build the UKI using systemd-ukify, when the cmdline parameter didn't seem to pick up anything.

I'm wondering if I'm just fooling myself into thinking that the directory is supposed to be there, when maybe the wiki authors assume the user would make the file themselves?

Last edited by dootfs (2025-04-25 23:22:27)

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

Stating the obvious....make it?

mackin_cheese

Member

Registered: 2025-01-07

Posts: 445

Re: cmdline.d missing? [SOLVED]

if it's not there.... you make it.... you put it there.

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

unencrypted boot

Not ideal. Mount the unencrypted partition as /efi and use /boot on the encrypted partition.

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

unencrypted boot

Not ideal. Mount the unencrypted partition as /efi and use /boot on the encrypted partition.

The goal is to build a .uki file in /boot/efi/Linux and then sign the .uki file to render it tamper proof, making an encrypted /boot partition unnecessary. The /boot partition is simply mounted to the encrypted root partition.

Because the root partition is GPT formatted, the GUIDs for every partition is labeled. Why do I have to drop in a .conf file when the root partition is labeled? And does cryptsetup run on startup or does mkinitcpio require a HOOK to decrypt the root partition?

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

You also have the kernel in /boot, and in my case amd-ucode.img. No reason to have them out of encryption. I only keep uki on /efi which is outside of encryption, and of-course it gets signed.
You can choose where uki gets created, doesn't have to be in /boot/efi/Linux.

And does cryptsetup run on startup or does mkinitcpio require a HOOK to decrypt the root partition?

You need "encrypt" hook before "filesystems"

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

unencrypted boot

Not ideal. Mount the unencrypted partition as /efi and use /boot on the encrypted partition.

Which just moves the files from /boot to /efi. Completely useless.

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

Huh? It only moves the uki. What other files are you talking about?

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

And the UKI is the only thing that matters

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

I think there's some kind of miscomunication here.
My whole point is you don't have to have any other files outside of encryption, apart from uki. That's it.
But there's usually more on /boot:

# ls /efi
linux.efi

# ls /boot
amd-ucode.img  vmlinuz-linux

Again, why have /boot outside encryption?

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

Those are only there because you put them there. They are doing nothing at all, and since you mentioned signing, they CAN'T do anything. Hell, amd-ucode.img is completely useless for the vast majority of users, and completely unnecessary for those that can use it as it's mostly been superseded by the microcode hook. The point isn't that you should have /boot outside encryption, the point is that it doesn't matter *at all*, and criticizing someone else's setup for it, give me a break.

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

That's just bad practice though. You're getting annoyed by me insisting you shouldn't keep unnecessary files outside encryption? Give me a break.

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

It's not bad practice. Do you know what cargo culting means?

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

It is if they aren't required. It's just extra stuff you put outside and lock when you can just put inside.
Not familiar with that phrase but I'll take a guess you're going for something witty.
Again, I will insist it's just bad practice no matter it rubs you the wrong way. I appreciate your knowledge here but I think you are wrong with this, that's it. The "oh cmon" is not an argument.

seth

Member

Registered: 2012-09-03

Posts: 63,021

Re: cmdline.d missing? [SOLVED]

That's just bad practice though. You're getting annoyed by me insisting you shouldn't keep unnecessary files outside encryption? Give me a break.

You "should" not keep unnecessary files anywhere.
The stuff in boot is supposed to be required to [checks notes] "boot" the system.
If you have other stuff there, move it out of /boot (except if it's a porn video and you loop that in the bootloader - "rule #4: boobs are always on topic") and if you have unnecessary files anywhere on your drive, just move them to /dev/null

@dootfs, I guess you managed to create that directory and now proceed with the configuration, ie. this topic is solved?
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

@dootfs, I guess you managed to create that directory and now proceed with the configuration, ie. this topic is solved?
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Thanks for weighing in. I managed to make two files. The first config file under /etc/cmdline.d/root.conf that stores root=UUID=[/dev/mapper/root UUID]. The second UKI file was generated by mkinitcpio under /efi/EFI/Linux/arch-linux.efi - a separate partition and distinct location from FAT32 formatted /boot/EFI/Linux/, to which arch-linux.efi was copied.

This configuration boots to splash page, but times out at the point where the system picks up the /root UUID. This leads me to believe I did something wrong w/r/t partition decryption, as I mentioned earlier.

And does cryptsetup run on startup or does mkinitcpio require a HOOK to decrypt the root partition?

/etc/mkinitcpio.conf contains

 HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck) 

I had intended to wait until installation was finalized to turn on SecureBoot in the UEFI interface, and then store the root partition encryption key in the TPM, but if there's no prompt for password to decrypt the drive anyway, maybe setting it up to automatically decrypt would fix the hangup on initial boot?

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

The first config file under /etc/cmdline.d/root.conf that stores root=UUID=[/dev/mapper/root UUID].

You need more than that. https://wiki.archlinux.org/title/Dm-cry … -generator

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

The first config file under /etc/cmdline.d/root.conf that stores root=UUID=[/dev/mapper/root UUID].

You need more than that. https://wiki.archlinux.org/title/Dm-cry … -generator

Ok, is it that I'm missing a file under /etc/crypttab.initramfs and simply write rd.luks.uuid=[/dev/mapper/root UUID] for the systemd-cryptsetup-generator to pick up?

Still wondering why automount doesn't handle this whole process.

Because the root partition is GPT formatted, the GUIDs for every partition is labeled. Why do I have to drop in a .conf file when the root partition is labeled?

Maybe more like: 'Because the drive is GPT formatted, the GUIDs for each partition is labeled. Why do I have to drop in a .initramfs file when the root partition is labeled?'

Last edited by dootfs (2025-04-17 23:43:56)

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

Ok, is it that I'm missing a file under /etc/crypttab.initramfs and simply write rd.luks.uuid=[/dev/mapper/root UUID] for the systemd-cryptsetup-generator to pick up?

After creating the file and double-checking that I copied the UUID correctly, subsequent reboot fails at the same point where the root volume fails to mount on initial boot.

What if I swapped out

sd-encrypt

for

encrypt

under /etc/mkinitcpio.conf HOOKS and tried configuring the cryptdevice by name?

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,604

Re: cmdline.d missing? [SOLVED]

Ok, is it that I'm missing a file under /etc/crypttab.initramfs and simply write rd.luks.uuid=[/dev/mapper/root UUID] for the systemd-cryptsetup-generator to pick up?

It's one or the other. Either way, you need the UUID of the container, NOT of the filesystem inside the container.

encrypt is for busybox based initramfs, you're using a systemd based one. Either way you need the correct UUID.

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

Ok, I didn't see an entry for the physical device in /etc/fstab, just a UUID for /dev/mapper/root. I'll change the config file entries to the /dev/nvme0n1p2 UUID, see how that goes.

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

The problem remains, but the original question is answered, so maybe I mark this threat [SOLVED] and make another thread about the emerging problem.

The problem persists after dropping in UUID pointers under /etc/cmdline.d/root.conf and /etc/crypttab.initramfs corresponding to logical volume physical device, respectively, remaking mkinitcpio, and copying arch-linux.efi to /boot/EFI/Linux/.

I had assumed that /etc/crypttab.initramfs contained the UUID pointer that would select the device that contains /dev/mapper/root. The readout on boot shows "waiting" for /dev/device/by-uuid that corresponds to /dev/mapper/root.

Is the problem simply that the root device cannot be detected due to the encrypted format? Does it make sense to simply enable SecureBoot and TPM to allow the volume to automount?

Last edited by dootfs (2025-04-18 03:46:51)

seth

Member

Registered: 2012-09-03

Posts: 63,021

Re: cmdline.d missing? [SOLVED]

I didn't see an entry for the physical device in /etc/fstab

lsblk -f

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

qu@rk

Member

Registered: 2021-07-28

Posts: 149

Re: cmdline.d missing? [SOLVED]

Ok, is it that I'm missing a file under /etc/crypttab.initramfs and simply write rd.luks.uuid=[/dev/mapper/root UUID] for the systemd-cryptsetup-generator to pick up?

After creating the file and double-checking that I copied the UUID correctly, subsequent reboot fails at the same point where the root volume fails to mount on initial boot.

What if I swapped out

sd-encrypt

for

encrypt

under /etc/mkinitcpio.conf HOOKS and tried configuring the cryptdevice by name?

I'll just post my setup.

/etc/mkinitcpio.conf

MODULES=(ext4 dm_crypt hid_generic usbhid nvme xhci_pci)
BINARIES=()
FILES=()
HOOKS=(base autodetect microcode encrypt fsck)
COMPRESSION="cat"

/etc/mkinitcpio.d/linux.preset

ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default')
default_uki="/efi/linux.efi"
default_options="-S block,mdadm_udev,filesystems,keyboard,fsck,consolefont"

And in fstab you should have a line with whatever comes out of this command:

echo "UUID=$(blkid | grep "/dev/mapper/root" | awk -F'"|"' '{print $2}') /         ext4      rw,relatime 0 1"

And in /etc/kernel/cmdline whatever comes out of this (replace root_partition with your actual one)

echo "cryptdevice=UUID=$(blkid | grep "/dev/root_partition" | awk -F'"|"' '{print $2}'):root root=/dev/mapper/root ro rootfstype=ext4 quiet splash loglevel=3"

edit: are you using a systemd based initramfs or busybox?

Last edited by qu@rk (2025-04-18 22:16:10)

dootfs

Member

Registered: 2024-01-27

Posts: 32

Re: cmdline.d missing? [SOLVED]

I'm extatic! Finally got the system working. For whatever reason I hadn't added sd-encrypt to the mkinitcpio HOOKS list, and that prevented the partition containing the root filesystem from decrypting. The comments above also helped a lot w/r/t pointing me to the right location to write the cmdline file. After all that, it's good to go! Thanks!