
#1 2025-08-02 16:40:04

deanderdog
Member
Registered: 2025-08-02
Posts: 6

Running GRUB alongside a UKI

So, I had my laptop set up with LUKS on the btrfs root partition and an unencrypted ESP, alongside the AUR package snap-pac-grub. I used this setup for a long time without issues.

To up the security on the device, I decided to add Secure Boot with TPM integration and AppArmor. Again, everything went smoothly following the instructions on the wiki.

Then I got tired of the kernel messages from GRUB and decided I wanted to give UKI a try. My idea was to mainly rely on the UKI to boot, and if SHTF, I can boot into GRUB and use the snapshots from snap-pac-grub.
I generated the file with mkinitcpio, added it to the efivars with efibootmgr, and again, everything went smoothly.

Here's the issue: when I boot into GRUB now, I get prompted for my TPM2 PIN and enter it like I used to on GRUB. But now I get the following error:

[FAILED] Failed to start Cryptography Setup for cryptroot.
See 'systemctl status systemd-cryptsetup@cryptroot.service' for details.
[DEPEND] Dependency failed for /dev/mapper/cryptroot
[DEPEND] Dependency failed for /sysroot
[DEPEND] Dependency failed for  Initrd Root File System
[DEPEND] Dependency failed for  Mountpoints Configured in the Real Root.
[DEPEND] Dependency failed for Initrd Root Device.
[DEPEND] Dependency failed for  File System Check on /dev/mapper/cryptroot.
[DEPEND] Dependency failed for  Local Encrypted Volumes.

Again, this only happens on GRUB, not when booting with the UKI. Both use the exact same kernel parameters and initramfs.

Anyone have an idea what it might be?

Last edited by deanderdog (2025-08-02 18:52:07)

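One thing worth checking in a setup like the one described above is which PCRs each TPM2 token in the LUKS2 header is actually bound to, since a policy that includes boot-path-dependent PCRs is only expected to unlock on the boot path it was enrolled from. The script below is an added example and is not code from this thread or from systemd; it parses the JSON that `cryptsetup luksDump --dump-json-metadata /dev/<luks-device>` prints, using the field names of systemd's `systemd-tpm2` token format (`tpm2-pcrs`, `tpm2-pcr-bank`, `tpm2-pin`, `tpm2-pubkey-pcrs`). The embedded header JSON is a constructed sample so the script runs offline; the PCR descriptions are summarised from the systemd-cryptenroll man page.

```python
"""List the TPM2 tokens of a LUKS2 header and flag boot-path-specific bindings.

Added example, not from the thread. Feed it real data with:
    cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p2 | python3 luks_tpm2_tokens.py
"""
import json
import sys
from typing import Any

# PCR meanings as described in the systemd-cryptenroll man page (summarised).
PCR_MEANING = {
    0: "firmware code",
    1: "firmware configuration",
    2: "extension code (option ROMs)",
    3: "extension configuration",
    4: "boot loader binaries executed by the firmware",
    5: "GPT partition table",
    7: "Secure Boot state and the certificate used to verify the image",
    9: "initrd as measured by the kernel EFI stub",
    11: "UKI components measured by systemd-stub",
    12: "kernel command line",
    13: "system extension images",
    14: "shim MOK certificates",
}

# PCRs whose value depends on which EFI binary chain ran (GRUB vs. a UKI),
# so a token bound to any of them is specific to one boot path.
BOOT_PATH_PCRS = {4, 9, 11, 12}

# Constructed sample header in the shape of `cryptsetup luksDump --dump-json-metadata`.
# Blob and policy-hash values are placeholders; only the fields we inspect are realistic.
SAMPLE_LUKS_JSON = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7],
              "tpm2-pcr-bank": "sha256", "tpm2-pin": True,
              "tpm2-blob": "<placeholder>", "tpm2-policy-hash": "<placeholder>"},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": [4, 7],
              "tpm2-pcr-bank": "sha256", "tpm2-pin": False,
              "tpm2-blob": "<placeholder>", "tpm2-policy-hash": "<placeholder>"},
        "2": {"type": "systemd-recovery", "keyslots": ["0"]},
    },
})


def tpm2_tokens(luks_json: str) -> list[dict[str, Any]]:
    """Return one summary dict per systemd-tpm2 token, in token-id order."""
    header = json.loads(luks_json)
    summaries = []
    for token_id, tok in sorted(header.get("tokens", {}).items(), key=lambda kv: int(kv[0])):
        if tok.get("type") != "systemd-tpm2":
            continue  # recovery keys, FIDO2 tokens etc. are not TPM policies
        pcrs = sorted(int(p) for p in tok.get("tpm2-pcrs", []))
        pubkey_pcrs = sorted(int(p) for p in tok.get("tpm2-pubkey-pcrs", []))
        summaries.append({
            "token": int(token_id),
            "keyslots": [int(k) for k in tok.get("keyslots", [])],
            "pcrs": pcrs,
            "pubkey_pcrs": pubkey_pcrs,
            "bank": tok.get("tpm2-pcr-bank", "sha256"),
            "pin": bool(tok.get("tpm2-pin", False)),
            # True when the policy depends on PCRs that change with the boot path
            "boot_path_specific": bool((set(pcrs) | set(pubkey_pcrs)) & BOOT_PATH_PCRS),
        })
    return summaries


def report(luks_json: str) -> list[str]:
    """Render the token summaries as human-readable lines."""
    lines = []
    for t in tpm2_tokens(luks_json):
        bound = ", ".join(f"{p} ({PCR_MEANING.get(p, 'unknown')})" for p in t["pcrs"]) or "none"
        lines.append(
            f"token {t['token']} -> keyslot(s) {t['keyslots']}: bank={t['bank']} "
            f"pin={'yes' if t['pin'] else 'no'} pcrs={bound}"
            + (f" pubkey-pcrs={t['pubkey_pcrs']}" if t["pubkey_pcrs"] else "")
            + ("  [boot-path specific]" if t["boot_path_specific"] else "")
        )
    return lines or ["no systemd-tpm2 tokens found"]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LUKS_JSON
    print("\n".join(report(data)))
```

On the sample, token 0 (PIN-protected, PCR 7 only) is not flagged, while token 1 (bound to PCR 4) is flagged as boot-path specific. Note that PCR 7 is not fully boot-path independent either: it also records which Secure Boot db certificate authorised the launched image, so two boot chains signed under different db entries yield different PCR 7 values. Reading the binding is a diagnostic step only; it does not alter the header.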

#2 2025-08-02 18:09:22

deanderdog
Member
Registered: 2025-08-02
Posts: 6

Re: Running GRUB alongside a UKI

I have an update: if I remove the UKI from /boot/EFI/Linux/, I don't get the errors and can boot with GRUB again.

Update Nr. 2: I believe it's some sort of bug with the TPM, or somewhere along the chain; I have no idea tbh.

The last systemd log message:
sysinit.target: starting held back, waiting for: cryptsetup.target

Because sometimes (I have the feeling it's if I wait long enough in early userspace), I can enter the TPM PIN, and then I get asked for the actual password and I can decrypt the rootfs. Really weird.

Update Nr. 3: Okay, it's not only sometimes. If I wait long enough in early userspace, I get asked for the PIN and then the password.

Last edited by deanderdog (2025-08-02 20:26:30)

