I'm using efibootmgr and want to pass some kernel parameters but I can't get my cmdline.conf to change.
I'm new to Arch Linux and am trying to migrate from Ubuntu.
I created a UKI by having dracut hook into pacman:
/etc/pacman.d/hooks/90-dracut-install.hook
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/pkgbase
[Action]
Description = Updating linux EFI image...
When = PostTransaction
Exec = /usr/local/bin/dracut-install.sh
Depends = dracut
NeedsTargets
With the following install script:
/usr/local/bin/dracut-install.sh
#!/usr/bin/env bash
mkdir -p /boot/efi/EFI/Linux
while read -r line; do
if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then
kver="${line#'usr/lib/modules/'}"
kver="${kver%'/pkgbase'}"
dracut --force --uefi --kver "$kver" /boot/efi/EFI/Linux/bootx64.efi
fi
done
I set my kernel parameters afterwards
/etc/dracut.conf.d/cmdline.conf
kernel_cmdline="rd.luks.uuid=luks-{Hash of my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 rootflags=rw,relatime"
Afterwards I installed Linux again to make sure my hooks worked:
pacman -S linux
Everything worked out but now I'm stuck. I want to add different kernel parameters to enable or disable certain things on boot. However, every time I try to pass kernel parameters through my cmdline.conf they aren't executed on boot. What am I doing wrong?
Last edited by Moonveil (2025-09-20 21:21:06)
AFAIK the command line parameters are actually built into the UKI image - after changing options you have to rebuild the image.
This would mean I have to run
pacman -S linux
again after changing parameters to reinstall Linux and cause the scripts to rebuild the image?
Currently my config looks like this
/etc/dracut.conf.d/cmdline.conf
kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 rootflags=rw,relatime"
I want to add
lsm=landlock,lockdown,yama,integrity,apparmor,bpf
and
ipv6.disable=1
I'm unsure about the cmdline.conf structure I would have to use to make it work without breaking the UKI image when generating it again.
No. There's no need to re-install the linux package.
You have to rebuild the image by executing dracut as in the install script after appending the parameters and check if it's working.
I don't know if this is correct because I don't know the correct structure of the cmdline.conf and am unable to find it in man or on the wiki, but I did some searching online and this is what I could find. Do I edit the cmdline.conf into something like this
/etc/dracut.conf.d/cmdline.conf
kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 security=apparmor lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime"
Then run
./dracut-install.sh
from /usr/local/bin/ ?
Depends on what /usr/local/bin/dracut-install.sh is - I don't think it's in the repos (and should™ not b/c "/usr/local")
In doubt see https://wiki.archlinux.org/title/Dracut#Usage
Depends on what /usr/local/bin/dracut-install.sh is - I don't think it's in the repos (and should™ not b/c "/usr/local")
In doubt see https://wiki.archlinux.org/title/Dracut#Usage
I wrote what my /usr/local/bin/dracut-install.sh is in my first post
/usr/local/bin/dracut-install.sh
#!/usr/bin/env bash
mkdir -p /boot/efi/EFI/Linux
while read -r line; do
if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then
kver="${line#'usr/lib/modules/'}"
kver="${kver%'/pkgbase'}"
dracut --force --uefi --kver "$kver" /boot/efi/EFI/Linux/bootx64.efi
fi
done
I'm not sure if the cmdline.conf kernel parameters I wrote in the previous post are set in the right way. It is a guess because I could not find the right order in the man or on the wiki.
Got me - I just skipped to the last post
Looks like "yes", but only from an arch-chroot into the system.
As long as the parameters don't conflict w/ each other the order doesn't matter.
Got me - I just skipped to the last post
Looks like "yes", but only from an arch-chroot into the system.
As long as the parameters don't conflict w/ each other the order doesn't matter.
I do the same all the time
I don't think the parameters conflict. I see mixed reports of users adding the security=apparmor parameter while the wiki only mentions the lsm= parameters. The other parameter I would add disables ipv6; I do not think that conflicts with anything. The parameters I want to add that are not in the current cmdline.conf are
ipv6.disable=1 security=apparmor lsm=landlock,lockdown,yama,integrity,apparmor,bpf
I don't think the parameters conflict. I see mixed reports of users adding the security=apparmor parameter while the wiki only mentions the lsm= parameters.
They may conflict. The current version of https://docs.kernel.org/admin-guide/ker … eters.html says that lsm= overrides security=, but it used to be the opposite in the past. This caused issues when people followed ancient guides that instructed to use the deprecated security= parameter.
Moonveil wrote:I don't think the parameters conflict. I see mixed reports of users adding the security=apparmor parameter while the wiki only mentions the lsm= parameters.
They may conflict. The current version of https://docs.kernel.org/admin-guide/ker … eters.html says that lsm= overrides security=, but it used to be the opposite in the past. This caused issues when people followed ancient guides that instructed to use the deprecated security= parameter.
Thank you for clarifying that the security= parameter is deprecated. I couldn't find it and read mixed opinions about it.
The correct parameters I should add are
ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf
My cmdline.conf would look like this
/etc/dracut.conf.d/cmdline.conf
kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime"
Then I should run the ./dracut-install.sh script and cross my fingers that the parameters get passed, apparmor is activated and ipv6 is blocked
Last edited by Moonveil (2025-08-26 14:55:01)
I booted into archiso, mounted my drives and changed into chroot. I edited dracut.conf.d/cmdline.conf to add the parameters. I went into /usr/local/bin/ and executed the ./dracut-install.sh but nothing happens. It went to the next line and the cursor is blinking but it doesn't finish the task.
I tried to use the dracut-remove.sh. This worked and removed the file
/usr/local/bin/dracut-remove.sh
#!/usr/bin/env bash
rm -f /boot/efi/EFI/Linux/bootx64.efi
However dracut-install.sh never finishes.
I'm stuck and I don't know what to do next
Last edited by Moonveil (2025-08-26 16:43:00)
In your chroot check the installed kernel:
ls /usr/lib/modules
6.16.3-arch1-1
Execute dracut inside the chroot with that version string:
dracut --force --uefi --kver "6.16.3-arch1-1" /boot/efi/EFI/Linux/bootx64.efi
Does not work.
ls /usr/lib/modules
6.16.3-arch1-1
I edited the dracut-install.sh like you said and executed it. It moves down one line and the cursor flashes but it never finishes the task
I don't understand why it does not work because with the pacman hook
/etc/pacman.d/hooks/90-dracut-install.hook
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/pkgbase
[Action]
Description = Updating linux EFI image
When = PostTransaction
Exec = /usr/local/bin/dracut-install.sh
Depends = dracut
NeedsTargets
It did install the kernel last time I used
pacman -S linux
Last edited by Moonveil (2025-08-26 17:11:40)
Don't use the shell script - execute dracut as shown on a chroot command line.
It looks like the hook passes a parameter ("$line") to the shell script - so it will never work on its own.
Last edited by -thc (2025-08-26 17:30:53)
Don't use the shell script - execute dracut as shown on a chroot command line.
It looks like the hook passes a parameter ("$line") to the shell script - so it will never work on its own.
That was a mistake from me, I changed it in the script. I reversed it and did as you asked by executing the dracut command as chroot.
The result is not a success
[root@archiso modules]# dracut --force --uefi --kver "6.16.3-arch1-1" /boot/efi/EFI/Linux/bootx64.efi
dracut[F]: The provided directory where to look for kernel modules (ver)
dracut[F]: does not match the kernel version set for the initramfs (/boot/efi/EFI/Linux/bootx64.efi).
dracut[F]: Set DRACUT_KMODDIR_OVERRIDE=1 to ignore this check
I did run the /usr/local/bin/dracut-remove.sh script before to test if that did work so I do not know if this could cause the failure
Last edited by Moonveil (2025-08-26 17:53:41)
This dracut command seems broken and I have no further hints - sorry.
I don't understand why it gives an error. Hopeful that someone else knows how to fix it.
I could run pacman -S linux, which should trigger building a new kernel.
I used pacman -S linux.
I had one package that was required to install 6.16.3-arch1-1.
It executed dracut --force --uefi --kver "6.16.3-arch1-1" /boot/efi/EFI/Linux/bootx64.efi during the installation and dracut finished without any error.
Afterwards it created the image file /boot/efi/EFI/Linux/bootx64.efi without any error.
It says
Using UEFI kernel cmdline: rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime"
I don't know if it worked but I think the parameters passed because cat /etc/dracut.conf.d/cmdline.conf shows the same parameters.
It did not work. I tested aa-enabled after reboot and it says No - disabled at boot.
systemctl status apparmor.service says enabled but start condition unmet. Unmet condition check (ConditionSecurity=apparmor)
Last edited by Moonveil (2025-08-26 19:16:31)
lsblk -f
Make sure /boot partition and ESP are correctly mounted in place (if you use such)
Also check
cat /proc/cmdline
to see what the kernel commandline actually looks like.
lsblk -f
nvme0n1p1 mount point /boot/efi
nvme0n1p2
Luks partition
vg-root mount point /
Both are loaded and I have no other Arch Linux partition
cat /proc/cmdline
rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 rootflags=rw,relatime
Parameters have not been passed
cat /etc/dracut.conf.d/cmdline.conf
kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime"
dracut.conf.d/cmdline.conf says parameters have been passed
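The three places that can disagree here are the dracut config, the .cmdline section stored inside the UKI, and the cmdline the booted kernel actually received. The following is an added example, not a script from the thread or from dracut: it compares those three and flags the lsm=/security= overlap discussed above. It assumes binutils objcopy is installed and that the UKI lives at the path used by the hook in this thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): compare the cmdline dracut embeds from
# /etc/dracut.conf.d/*.conf with the .cmdline PE section stored in the UKI and
# with what the running kernel received (/proc/cmdline).
set -u

# Extract the value of kernel_cmdline="..." from dracut.conf.d-style text on stdin.
conf_cmdline() {
    sed -n 's/^[[:space:]]*kernel_cmdline="\(.*\)"[[:space:]]*$/\1/p' | tr -s ' \n' '  '
}

# Dump the .cmdline section of a UKI; assumes binutils objcopy is available.
uki_cmdline() {
    objcopy -O binary --only-section=.cmdline "$1" /dev/stdout | tr -d '\0'
}

# Print each parameter of $1 (expected) that does not appear in $2 (actual).
missing_params() {
    local want=$1 have=$2 out="" p
    for p in $want; do
        case " $have " in *" $p "*) ;; *) out="$out$p " ;; esac
    done
    printf '%s' "${out% }"
}

# The lsm=/security= overlap raised in the thread: current kernels document
# lsm= as overriding security=, so setting both only invites confusion.
lsm_conflict() {
    case " $1 " in
        *" security="*" lsm="*|*" lsm="*" security="*) return 0 ;;
    esac
    return 1
}

main() {
    local uki=$1 want stored booted m
    want=$(cat /etc/dracut.conf.d/*.conf | conf_cmdline)
    stored=$(uki_cmdline "$uki")
    booted=$(cat /proc/cmdline)
    printf 'config : %s\nuki    : %s\nbooted : %s\n' "$want" "$stored" "$booted"
    m=$(missing_params "$want" "$stored")
    [ -n "$m" ] && echo "UKI lacks: $m  -> rebuild it with dracut"
    m=$(missing_params "$stored" "$booted")
    [ -n "$m" ] && echo "booted kernel lacks: $m  -> firmware booted a different image?"
    lsm_conflict "$want" && echo "warning: both security= and lsm= are set"
    return 0
}

# Run only when given a UKI path, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root, e.g. `./check-cmdline.sh /boot/efi/EFI/Linux/bootx64.efi`; if the UKI already carries the new parameters but /proc/cmdline does not, the firmware booted some other image.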
ls -lR /boot
/boot:
total 43720
-rw-r--r-- 1 root root 184320 amd-ucode.img
drwxr-r-x 4 root root 1970 efi
-rw------ 1 root root 28652979 initramfs-linux.img
-rw-r--r-- root root 15921664 vmlinuz-linux
/boot/efi:
total 8
drwxr-xr-x 3 root root 4096 EFI
drwxr-xr-x 2 root root 4096 Loader
/boot/efi/EFI:
total 4
drwxr-xr-x 2 root root 4096 Linux
/boot/efi/EFI/Linux:
total 62816
-rwxr-xr-x 1 root root 64323192 bootx64.efi
/boot/efi/loader:
total 4
-rwxr-xr-x 1 root root 32 random-seed
Last edited by Moonveil (2025-08-26 20:19:16)
Do you manually copy those? Don't.
ls -lR /boot | curl -F 'file=@-' 0x0.st
I especially wanted to see the timestamps.
I can't do it another way at the moment. I am typing it by hand.
I can list the timestamps for the above in order
Aug 8 15:06 amd-ucode.img
Jan 1 1970 efi
Aug 24 23:12 initramfs-linux.img
Aug 24 23:12 vmlinuz-linux
Aug 25 11:19 EFI
Aug 26 20:56 Loader
Aug 25 11:19 Linux
Aug 25 12:15 bootx64.efi
Aug 26 20:56 random-seed
1970 for efi is the right number.
ls -lR /boot | curl -F 'file=@-' 0x0.st
http://0x0.st/KomW.txt
Last edited by Moonveil (2025-08-26 20:44:12)