Hello,
New to the forum. Have scoured the web for answers on how to do this but cannot seem to find any answers. All the answers point to setting up apparmor with GRUB, which I am not using.
I just did a fresh install today (Fri Aug 22 2025) which is as follows:
Kernel: linux-hardened.
Bootloader: systemd-boot.
Secure boot: Enabled.
UKI: Yes.
DE: KDE Plasma Wayland.
I am not a developer or a CS major / minor, but this has not worked for me or rather I have no clue how to go about this with the current system I have:
https://wiki.archlinux.org/title/AppArmor
To enable AppArmor as default security model on every boot, set the following kernel parameter:
lsm=landlock,lockdown,yama,integrity,apparmor,bpf
I can run:
zgrep CONFIG_LSM= /proc/config.gz
and
cat /sys/kernel/security/lsm
Please advise.
Last edited by SystemdReaper (2025-08-22 23:04:25)
Tried that. Does not work with SecureBoot enabled, and when I disable SecureBoot, it boots but drops me into an emergency shell and I have to shut down, enable SecureBoot, to get back to my desktop.
SystemdReaper wrote: Tried that. Does not work with SecureBoot enabled, and when I disable SecureBoot, it boots but drops me into an emergency shell and I have to shut down, enable SecureBoot, to get back to my desktop.
As SecureBoot is enabled, the options would need to be set when the UKI is built, with the details depending on which method you use for that: https://wiki.archlinux.org/title/Unifie … rnel_image.
Last edited by loqs (2025-08-22 23:19:13)
SystemdReaper wrote: Tried that. Does not work with SecureBoot enabled, and when I disable SecureBoot, it boots but drops me into an emergency shell and I have to shut down, enable SecureBoot, to get back to my desktop.
As SecureBoot is enabled, the options would need to be set when the UKI is built, with the details depending on which method you use for that: https://wiki.archlinux.org/title/Unifie … rnel_image.
The UKI was set up during install with the install script on the ISO.
SystemdReaper wrote: Tried that. Does not work with SecureBoot enabled, and when I disable SecureBoot, it boots but drops me into an emergency shell and I have to shut down, enable SecureBoot, to get back to my desktop.
As SecureBoot is enabled, the options would need to be set when the UKI is built, with the details depending on which method you use for that: https://wiki.archlinux.org/title/Unifie … rnel_image.
Looking into this:
/etc/cmdline.d/security.conf
# enable apparmor
lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256
from
https://wiki.archlinux.org/title/Unifie … rnel_image
and will let you know if it takes.
SystemdReaper wrote: Tried that. Does not work with SecureBoot enabled, and when I disable SecureBoot, it boots but drops me into an emergency shell and I have to shut down, enable SecureBoot, to get back to my desktop.
As SecureBoot is enabled, the options would need to be set when the UKI is built, with the details depending on which method you use for that: https://wiki.archlinux.org/title/Unifie … rnel_image.
That's a bit complex. I selected the option to use UKI when installing and all that was done by the installer. I have a .conf in /boot/loader/entries, with the lsm=...........apparmor, bpf, but that does not appear to be used because cat /sys/kernel/security/lsm does not list apparmor.
loqs wrote: SystemdReaper wrote: Tried that. Does not work with SecureBoot enabled, and when I disable SecureBoot, it boots but drops me into an emergency shell and I have to shut down, enable SecureBoot, to get back to my desktop.
As SecureBoot is enabled, the options would need to be set when the UKI is built, with the details depending on which method you use for that: https://wiki.archlinux.org/title/Unifie … rnel_image.
Looking into this:
/etc/cmdline.d/security.conf
# enable apparmor
lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256
from
https://wiki.archlinux.org/title/Unifie … rnel_image
and will let you know if it takes.
That's how I do it and it works perfectly. Don't forget to run mkinitcpio -P after each change you make.
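As an added example that is not from any post in this thread: a POSIX sh script that checks the two sources mentioned above (/sys/kernel/security/lsm and CONFIG_LSM from /proc/config.gz) against the lsm= list in the security.conf drop-in, and says what is still missing after the UKI rebuild. The sample values and the function names are my own constructions.

```shell
#!/bin/sh
# Added example, not from any poster: check whether the LSM list you put into
# /etc/cmdline.d/security.conf actually took effect, using the same two sources
# the thread cites. Sample inputs are constructed; real paths are in the comments.

# The lsm= list from the thread's security.conf
WANTED_LSM="landlock,lockdown,yama,integrity,apparmor,bpf"
# Constructed stand-in for: cat /sys/kernel/security/lsm  (apparmor missing, as reported)
SAMPLE_ACTIVE_LSM="lockdown,capability,landlock,yama,bpf"
# Constructed stand-in for: zgrep CONFIG_LSM= /proc/config.gz
# (CONFIG_LSM is only the default order; a boot-time lsm= parameter overrides it)
SAMPLE_CONFIG_LSM='CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"'

# lsm_in_list NAME LIST -> 0 if NAME is an element of the comma-separated LIST
lsm_in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# lsm_missing WANTED ACTIVE -> prints wanted modules absent from ACTIVE, space-separated
lsm_missing() {
    missing=""
    old_ifs=$IFS; IFS=,
    for m in $1; do
        lsm_in_list "$m" "$2" || missing="$missing${missing:+ }$m"
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
}

# config_lsm_has NAME 'CONFIG_LSM="..."' -> 0 if NAME is in the kernel's default list
config_lsm_has() {
    list=${2#*=}; list=${list#\"}; list=${list%\"}
    lsm_in_list "$1" "$list"
}

# render_security_conf LIST -> the drop-in content shown in the thread
render_security_conf() {
    printf '# enable apparmor\nlsm=%s audit=1 audit_backlog_limit=256\n' "$1"
}

# check_apparmor ACTIVE -> 0 if apparmor is active, else explain what is missing
check_apparmor() {
    if lsm_in_list apparmor "$1"; then echo "apparmor is active"; return 0; fi
    echo "apparmor not active; missing: $(lsm_missing "$WANTED_LSM" "$1")"
    echo "edit /etc/cmdline.d/security.conf, then rebuild the UKI with: mkinitcpio -P"
    return 1
}

# Stand-alone run on the sample; on a real system use: check_apparmor "$(cat /sys/kernel/security/lsm)"
check_apparmor "$SAMPLE_ACTIVE_LSM" || true
```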