SOLVED: I found my answer, see the post below.
Original post for posterity:
If systemd-boot presents the boot menu listing kernels to launch, is the user able to edit the kernel cmdline of a signed unified kernel image, e.g. to get to single user mode? I can't find the answer anywhere. I know there's systemd-boot-password in the AUR, but this package is five years old, and it seems like it'd be defeated if an attacker is able to boot from removable media and edit the password hash in the systemd-boot configuration on the ESP. My plan would be to set a supervisor password in the UEFI BIOS, so you'd have to know that password in order to boot from removable media. I'm getting a ThinkPad, and the UEFI BIOS for at least one model can be defeated with a screwdriver.
I'm mainly wanting to use systemd-boot with kernel-install to build, sign, and install the UKI, as that seems to me the most straightforward method available on the Wiki. I'm also planning on using this on a LUKS2 volume with the main key slot populated from a TPM 2.0 cryptoprocessor (as this Wiki article suggests). At this time I'm not planning to set up a systemd-boot configuration, just going to boot the UKIs on the ESP.
I am still several weeks away from installing a signed UKI with Secure Boot for the first time, a new experience for me. My new laptop is arriving next week, but I'm not going to be able to install Arch on it until the end of the year (it's a Christmas gift from my wife, and she wants me to unwrap it on Christmas morning).
Last edited by ectospasm (2023-09-26 02:17:40)
I found my answer; it's in the first note on this Wiki section: Systemd-boot#Adding_loaders (however, this section is targeted for removal). If Secure Boot is enabled, the kernel cmdline is not editable. So there's no direct way to modify the cmdline to get into single user mode. Which sounds quite secure.
So, it looks like if I need to do something that would normally require single user mode, I'd need to boot off the Arch ISO, decrypt and mount the root filesystem, and chroot into it with arch-chroot, then fix whatever problem I'm trying to fix.
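The rescue path described in the post above (boot the Arch ISO, open the LUKS2 container, mount the root filesystem, arch-chroot in, fix the problem) written out as an added shell script. This is not from the forum thread or from the Arch Wiki; the device paths (/dev/nvme0n1p1 as the ESP mounted at /efi, /dev/nvme0n1p2 as the LUKS2 container), the mapper name cryptroot and the mount point /mnt are assumptions that match a common single-disk layout and can be overridden through environment variables. Because the live ISO boots a different kernel and bootloader than the installed system, the TPM2-bound key slot from the first post will not unlock the volume from the ISO, so the script relies on the passphrase or recovery-key slot and cryptsetup prompts for it.

```shell
#!/bin/sh
# Added example: rescue an Arch system whose signed UKI cmdline cannot be edited
# under Secure Boot. Run from the Arch ISO as root:
#   ./rescue.sh --plan   # print the commands that would run (dry run)
#   ./rescue.sh --run    # actually open, mount and chroot
set -eu

ROOT_PART="${ROOT_PART:-/dev/nvme0n1p2}"   # assumed LUKS2 container holding /
ESP_PART="${ESP_PART:-/dev/nvme0n1p1}"     # assumed EFI system partition
MAPPER="${MAPPER:-cryptroot}"              # assumed device-mapper name
MNT="${MNT:-/mnt}"                         # assumed rescue mount point
DRY_RUN="${DRY_RUN:-0}"

# run: print the command line in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Open the container. The TPM2 slot is only usable from the installed UKI
# (the ISO's boot chain measures into different PCRs), so this prompts for
# the passphrase / recovery key enrolled in another slot.
open_root() {
  run cryptsetup open "$ROOT_PART" "$MAPPER"
}

# Mount root and the ESP underneath it so kernel-install can see /efi later.
mount_system() {
  run mount "/dev/mapper/$MAPPER" "$MNT"
  run mount "$ESP_PART" "$MNT/efi"
}

# Drop into the installed system. Inside the chroot you do whatever single
# user mode would have been used for, e.g. edit /etc/kernel/cmdline and then
# re-run kernel-install so the UKI is rebuilt and re-signed with the new cmdline.
enter_chroot() {
  run arch-chroot "$MNT"
}

# Unmount everything recursively and close the container before rebooting.
teardown() {
  run umount -R "$MNT"
  run cryptsetup close "$MAPPER"
}

# rescue_plan: the full sequence in dry-run mode, in a subshell so the
# DRY_RUN override does not leak into the caller.
rescue_plan() (
  DRY_RUN=1
  open_root
  mount_system
  enter_chroot
  teardown
)

# rescue_run: the real thing, only invoked explicitly.
rescue_run() {
  open_root
  mount_system
  enter_chroot
  teardown
}

case "${1:-}" in
  --plan) rescue_plan ;;
  --run)  rescue_run ;;
esac
```

Printing the plan first (--plan) is worth the extra lines: the most common mistake in this situation is opening or mounting the wrong partition, and the dry run shows exactly which device paths the overridable variables resolved to before anything touches the disk. Note that the TPM2 slot may need to be wiped and re-enrolled after the repair if the measured boot state changed (for example after a new UKI was installed); that step is not part of this script.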