#1 2022-07-30 00:55:29

trapdoor69
Member
Registered: 2022-07-30
Posts: 1

Booting signed efi executables with variable rootfs parameters?

I'm trying to set up a system that has the following elements, which is something I feel is needed for an efficient and secure Arch system:

- secure boot, verified initramfs
- ability to choose various btrfs snapshots for the root file system

It's a pretty simple common sense idea but after looking at the capabilities of the existing software, it just doesn't seem possible.

Naturally the first thing I tried was to boot a signed efi executable from sd-boot, which went something like this:

title Arch Linux
efi linux-5.18.14-arch1-1-270ed0eeacde47dfbd4ca610e522ed26-rolling.efi
options cryptdevice=UUID=10101010101010100101010010101:luks:allow-discards root=/dev/mapper/volume rootflags=subvol=/system/Arch/@,$o_btrfs rd.luks.options=discard rw 

My hope was that I could just write a pacman hook that would create new entries for every snapshot, modifying the subvol parameter as needed. Well, apparently it's impossible to pass the cmdline to an efi executable. PLEASE correct me if I am wrong! I got dropped into dracut emergency shell and the kernel command line was an empty string. Now of course I could tell dracut to generate a separate efi executable for every snapshot with its own embedded cmdline, and it will boot just fine but this would mean many gigs of wasted space on my efi partition, and many wasted CPU cycles regenerating the efi bundle on every pacman transaction. Again please correct me if I am wrong about having to have dracut regenerate the entire efi bundle from scratch if I simply want to change the embedded cmdline.

My next idea is to use another bootloader to boot from an unencrypted btrfs partition. I could flood this partition with efi bundles, each of them having its own cmdline parameters, but this is contingent on being able to modify the embedded cmdline of these things quickly. Having to rebuild the efi bundle every time I make a root snapshot isn't viable.

So if there is no existing bootloader that can help me do this efficiently, what can I do? Is there literally no way I can pass parameters to an efi executable? Is there any way I can have dracut modify the embedded cmdline in an efi without having to regenerate it from scratch? Can I verify the initramfs without bundling it with the kernel?

Just looking for ideas, I'm stumped.
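
Added example, not part of the original post: a small PE section reader for auditing which command line a signed bundle carries. It assumes the bundle follows the systemd-stub unified kernel image layout, where the command line is stored in a PE section named `.cmdline`; `build_sample` and its values are constructed so the block runs offline.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Return {section name: section bytes} for a PE/COFF image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", image, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    sections = {}
    for i in range(nsect):
        name, vsize, _va, rsize, rptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        # Raw data is padded to the file alignment; VirtualSize is the real length.
        size = vsize if 0 < vsize <= rsize else rsize
        if rptr + size > len(image):
            raise ValueError("section data runs past end of file")
        key = name.rstrip(b"\0").decode("ascii", "replace")
        sections[key] = image[rptr:rptr + size]
    return sections

def embedded_cmdline(image: bytes):
    """Command line stored in the image, or None without a .cmdline section."""
    data = pe_sections(image).get(".cmdline")
    return None if data is None else data.decode("utf-8", "replace").strip("\0 \n")

def build_sample(cmdline: bytes, name: bytes = b".cmdline") -> bytes:
    """Constructed, non-bootable PE: headers plus one section, for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2)
    raw = cmdline + b"\0" * (-len(cmdline) % 512)               # padded raw data
    sect = struct.pack("<8sIIIIIIHHI", name, len(cmdline), 0x1000,
                       len(raw), 0x80, 0, 0, 0, 0, 0x40000040)
    return dos + coff + sect + raw

# Constructed command line modelled on the entry in the post.
SAMPLE = b"root=/dev/mapper/volume rootflags=subvol=/system/Arch/@ rw"

if __name__ == "__main__":
    print(embedded_cmdline(build_sample(SAMPLE)))
```

The Authenticode signature covers section contents, so any change to `.cmdline` means the image has to be signed again.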
