
#1 2025-08-26 10:08:51

Moonveil
Member
Registered: 2025-08-26
Posts: 35

[SOLVED] did I lock myself out of passing kernel parameters??

I'm using efibootmgr and want to pass some kernel parameters but I can't get my cmdline.conf to change.
I'm new to Arch Linux and am trying to migrate from Ubuntu.

I created a UKI by having dracut hook into pacman:

 /etc/pacman.d/hooks/90-dracut-install.hook

	[Trigger]
	Type = Path
	Operation = Install
	Operation = Upgrade
	Target = usr/lib/modules/*/pkgbase
	
	[Action]
	Description = Updating linux EFI image...
	When = PostTransaction
	Exec = /usr/local/bin/dracut-install.sh
	Depends = dracut
	NeedsTargets

With the following install script:

/usr/local/bin/dracut-install.sh

	#!/usr/bin/env bash

	mkdir -p /boot/efi/EFI/Linux

	while read -r line; do
		if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then
			kver="${line#'usr/lib/modules/'}"
			kver="${kver%'/pkgbase'}"
	
			dracut --force --uefi --kver "$kver" /boot/efi/EFI/Linux/bootx64.efi
		fi
	done

I set my kernel parameters afterwards

/etc/dracut.conf.d/cmdline.conf
	kernel_cmdline="rd.luks.uuid=luks-{Hash of my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 rootflags=rw,relatime"

Afterwards installed Linux again to make sure my hooks worked

 pacman -S linux

Everything worked out but now I'm stuck. I want to add different kernel parameters to make certain things enable or disable on boot, however, every time I try to pass kernel parameters to my cmdline.conf they aren't executed on boot. What am I doing wrong?

Last edited by Moonveil (2025-09-20 21:21:06)

Offline

#2 2025-08-26 11:15:54

-thc
Member
Registered: 2017-03-15
Posts: 998

Re: [SOLVED] did I lock myself out of passing kernel parameters??

AFAIK the command line parameters are actually built into the UKI image - after changing options you have to rebuild the image.

Offline

#3 2025-08-26 11:54:49

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

This would mean I have to run

pacman -S linux

again after changing parameters to reinstall Linux and cause the scripts to rebuild the image?

Currently my config looks like this

/etc/dracut.conf.d/cmdline.conf
	kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 rootflags=rw,relatime"

I want to add

 lsm=landlock,lockdown,yama,integrity,apparmor,bpf

and

ipv6.disable=1

.

I'm unsure about the cmdline.conf structure I would have to use to make it work without breaking the UKI image when generating it again.

Offline

#4 2025-08-26 12:09:10

-thc
Member
Registered: 2017-03-15
Posts: 998

Re: [SOLVED] did I lock myself out of passing kernel parameters??

No. There's no need to re-install the linux package.

You have to rebuild the image by executing dracut as in the install script after appending the parameters and check if it's working.

Offline

#5 2025-08-26 12:26:15

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

I don't know if this is correct because I don't know the correct structure of the cmdline.conf and am unable to find it in man or on the wiki, but I did some searching online and this is what I could find. Do I edit the cmdline.conf into something like this

/etc/dracut.conf.d/cmdline.conf
	kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 security=apparmor lsm=landlock,lockdown,yama,integrity,apparmor,bpf  rootflags=rw,relatime"

Then run

./dracut-install.sh

from /usr/local/bin/ ?

Offline

#6 2025-08-26 13:44:53

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,177

Re: [SOLVED] did I lock myself out of passing kernel parameters??

Depends on what /usr/local/bin/dracut-install.sh is - I don't think it's in the repos (and should™ not b/c "/usr/local")
In doubt see https://wiki.archlinux.org/title/Dracut#Usage

Offline

#7 2025-08-26 13:58:24

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

seth wrote:

Depends on what /usr/local/bin/dracut-install.sh is - I don't think it's in the repos (and should™ not b/c "/usr/local")
In doubt see https://wiki.archlinux.org/title/Dracut#Usage

I wrote what my /usr/local/bin/dracut-install.sh is in my first post :D

 /usr/local/bin/dracut-install.sh

	#!/usr/bin/env bash

	mkdir -p /boot/efi/EFI/Linux

	while read -r line; do
		if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then
			kver="${line#'usr/lib/modules/'}"
			kver="${kver%'/pkgbase'}"
	
			dracut --force --uefi --kver "$kver" /boot/efi/EFI/Linux/bootx64.efi
		fi
	done

I'm not sure if the cmdline.conf kernel parameters I wrote in the previous post are set in the right way. It is a guess because I could not find the right order in the man or on the wiki.

Offline

#8 2025-08-26 14:02:05

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,177

Re: [SOLVED] did I lock myself out of passing kernel parameters??

Got me - I just skipped to the last post :P
Looks like "yes", but only from an arch-chroot into the system.

As long as the parameters don't conflict w/ each other the order doesn't matter.

Offline

#9 2025-08-26 14:19:25

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

seth wrote:

Got me - I just skipped to the last post :P
Looks like "yes", but only from an arch-chroot into the system.

As long as the parameters don't conflict w/ each other the order doesn't matter.

I do the same all the time :P

I don't think the parameters conflict. I see mixed reports of users adding the security=apparmor parameter while the wiki only mentions the lsm= parameters. The other parameter I would add disables ipv6, I do not think that conflicts with anything. The parameters I want to add that are not in the current cmd.conf are

 ipv6.disable=1 security=apparmor lsm=landlock,lockdown,yama,integrity,apparmor,bpf 

Offline

#10 2025-08-26 14:28:55

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 707

Re: [SOLVED] did I lock myself out of passing kernel parameters??

Moonveil wrote:

I don't think the parameters conflict. I see mixed reports of users adding the security=apparmor parameter while the wiki only mentions the lsm= parameters.

They may conflict. The current version of https://docs.kernel.org/admin-guide/ker … eters.html says that lsm= overrides security=, but it used to be the opposite in the past. This caused issues when people followed ancient guides that instructed to use the deprecated security= parameter.

Offline

#11 2025-08-26 14:48:54

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

nl6720 wrote:
Moonveil wrote:

I don't think the parameters conflict. I see mixed reports of users adding the security=apparmor parameter while the wiki only mentions the lsm= parameters.

They may conflict. The current version of https://docs.kernel.org/admin-guide/ker … eters.html says that lsm= overrides security=, but it used to be the opposite in the past. This caused issues when people followed ancient guides that instructed to use the deprecated security= parameter.

Thank you for clarifying that the security= parameter is deprecated. I couldn't find it and read mixed opinions about it.

The correct parameters I should add are

 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf 

My cmdline.conf would look like this

/etc/dracut.conf.d/cmdline.conf
	kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime"

Then I should run the ./dracut-install.sh script and cross my fingers that the parameters get passed, apparmor is activated and ipv6 is blocked

Last edited by Moonveil (2025-08-26 14:55:01)

Offline

#12 2025-08-26 16:36:23

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

I booted into archiso, mounted my drives and changed into chroot. I edited dracut.conf.d/cmdline.conf to add the parameters. I went into /usr/local/bin/ and executed the ./dracut-install.sh but nothing happens. It went to the next line and the cursor is blinking but it doesn't finish the task.


I tried to use the dracut-remove.sh. This worked and removed the file

/usr/local/bin/dracut-remove.sh

	#!/usr/bin/env bash
 	rm -f /boot/efi/EFI/Linux/bootx64.efi

However dracut-install.sh never finishes.
I'm stuck and I don't know what to do next :(

Last edited by Moonveil (2025-08-26 16:43:00)

Offline

#13 2025-08-26 16:53:05

-thc
Member
Registered: 2017-03-15
Posts: 998

Re: [SOLVED] did I lock myself out of passing kernel parameters??

In your chroot check the installed kernel:

ls /usr/lib/modules
6.16.3-arch1-1

Execute dracut inside the chroot with that version string:

dracut --force --uefi --kver "6.16.3-arch1-1" /boot/efi/EFI/Linux/bootx64.efi

Offline

#14 2025-08-26 17:05:47

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

Does not work.

ls /usr/lib/modules
6.16.3-arch1-1

I edited the dracut-install.sh like you said and executed it. It moves down one line and the cursor flashes but it never finishes the task :(

I don't understand why it does not work because with the pacman hook

/etc/pacman.d/hooks/90-dracut-install.hook

	[Trigger]
	Type = Path
	Operation = Install
	Operation = Upgrade
	Target = usr/lib/modules/*/pkgbase
	
	[Action]
	Description = Updating linux EFI image
	When = PostTransaction
	Exec = /usr/local/bin/dracut-install.sh
	Depends = dracut
	NeedsTargets

It did install the kernel last time I used

pacman -S linux

Last edited by Moonveil (2025-08-26 17:11:40)

Offline

#15 2025-08-26 17:28:26

-thc
Member
Registered: 2017-03-15
Posts: 998

Re: [SOLVED] did I lock myself out of passing kernel parameters??

Don't use the shell script - execute dracut as shown on a chroot command line.

It looks like the hook passes a parameter ("$line") to the shell script - so it will never work on its own.

Last edited by -thc (2025-08-26 17:30:53)

Offline
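
Added example, not part of any post in this thread: with `NeedsTargets`, pacman passes the matched target paths to the hook's `Exec` command on standard input, so `dracut-install.sh` started by hand from a terminal sits in `read` waiting for lines that never arrive. The POSIX sh sketch below (function names are hypothetical) prints the lines pacman would send, so they can be piped into the script.

```sh
#!/bin/sh
# Added example: reproduce the stdin that a pacman hook with NeedsTargets
# receives, so the install script from post #1 can be driven by hand.

# Print one target line per kernel package found under a modules directory
# (default /usr/lib/modules), in the form matched by the hook's Target line.
hook_targets() (
	moddir="${1:-/usr/lib/modules}"
	for d in "$moddir"/*/; do
		# Only directories that still carry a pkgbase file belong to an
		# installed kernel package; leftovers are skipped.
		if [ -f "${d}pkgbase" ]; then
			d="${d%/}"
			printf 'usr/lib/modules/%s/pkgbase\n' "${d##*/}"
		fi
	done
)

# The same extraction the install script performs on each line:
# target path -> kernel version. Fails for lines that are not kernel targets.
kver_from_target() (
	case "$1" in
		usr/lib/modules/*/pkgbase) ;;
		*) exit 1 ;;
	esac
	kver="${1#usr/lib/modules/}"
	kver="${kver%/pkgbase}"
	case "$kver" in
		''|*/*) exit 1 ;;   # empty or nested path: not a single version dir
	esac
	printf '%s\n' "$kver"
)

# Rebuild by hand (as root, with the ESP mounted), assuming this file is
# saved as hook-targets.sh:
#   sh hook-targets.sh | /usr/local/bin/dracut-install.sh
hook_targets "$@"
```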

#16 2025-08-26 17:49:47

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

-thc wrote:

Don't use the shell script - execute dracut as shown on a chroot command line.

It looks like the hook passes a parameter ("$line") to the shell script - so it will never work on its own.

That was a mistake from me, I changed it in the script. I reversed it and did as you asked by executing the dracut command as chroot.

The result is not a success

[root@archiso modules]# dracut --force --uefi --kver "6.16.3-arch1-1" /boot/efi/EFI/Linux/bootx64.efi
dracut[F]: The provided directory where to look for kernel modules (ver)
dracut[F]: does not match the kernel version set for the initramfs (/boot/efi/EFI/Linux/bootx64.efi).
dracut[F]: Set DRACUT_KMODDIR_OVERRIDE=1 to ignore this check

I did run the /usr/local/bin/dracut-remove.sh script before to test if that did work so I do not know if this could cause the failure

Last edited by Moonveil (2025-08-26 17:53:41)

Offline

#17 2025-08-26 18:11:14

-thc
Member
Registered: 2017-03-15
Posts: 998

Re: [SOLVED] did I lock myself out of passing kernel parameters??

This dracut command seems broken and I have no further hints - sorry.

Offline

#18 2025-08-26 18:24:19

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

I don't understand why it gives an error. Hopeful that someone else knows how to fix it.
I could pacman -S Linux that should trigger building a new kernel

Offline

#19 2025-08-26 18:44:51

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

I used pacman -S Linux.
I had one package that was required to install 6.16.3-arch1-1.
It executed dracut --force --uefi --kver "6.16.3-arch1-1" /boot/efi/EFI/Linux/bootx64.efi during the installation and dracut finished without any error.
Afterwards it created the image file /boot/efi/EFI/Linux/bootx64.efi without any error.

It says

 Using UEFI kernel cmdline: rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime" 

I don't know if it worked but I think the parameters passed because cat /etc/dracut.conf.d/cmdline.conf shows the same parameters

It did not work. I tested aa-enabled after reboot and it says No - disabled at boot.
systemctl status apparmor.service says enabled but start condition unmet. Unmet condition check (ConditionSecurity=apparmor) :(

Last edited by Moonveil (2025-08-26 19:16:31)

Offline

#20 2025-08-26 19:19:21

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,177

Re: [SOLVED] did I lock myself out of passing kernel parameters??

lsblk -f

Make sure /boot partition and ESP are correctly mounted in place (if you use such)
Also check

cat /proc/cmdline

to see what the kernel commandline actually looks like.

Offline

#21 2025-08-26 19:38:28

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

lsblk -f
nvme0n1p1 mount point /boot/efi
nvme0n1p2 
   Luks partition
       vg-root mount point /

Both are loaded and I have no other Arch Linux partition

cat /proc/cmdline 
rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 rootflags=rw,relatime

Parameters have not been passed

cat /etc/dracut.conf.d/cmdline.conf
kernel_cmdline="rd.luks.uuid=luks-{my uuid} rd.lvm.lv=vg/root root=/dev/mapper/vg-root rootfstype=ext4 ipv6.disable=1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf rootflags=rw,relatime" 

dracut.conf.d/cmdline.conf says parameters have been passed :|

Offline
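
Added example, not part of any post in this thread: the comparison done by eye above (the `kernel_cmdline` in the dracut config against `/proc/cmdline`) as a POSIX sh check that lists the parameters the booted image did not carry, plus a test for the `security=`/`lsm=` combination raised in post #10. Function names are hypothetical. A non-empty list, such as a missing `lsm=` entry, means the hardening parameters are not in effect and points to a stale image or a different image being booted.

```sh
#!/bin/sh
# Added example: compare the cmdline dracut was told to embed in the UKI
# with the one the running kernel actually received.

# Print the value(s) of kernel_cmdline= / kernel_cmdline+= from a dracut conf file.
conf_cmdline() {
	sed -n 's/^[[:space:]]*kernel_cmdline+*="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Print every parameter of $1 (expected) that is absent from $2 (running).
missing_params() (
	set -f                          # no globbing while splitting on whitespace
	for want in $1; do
		found=0
		for have in $2; do
			if [ "$want" = "$have" ]; then found=1; break; fi
		done
		if [ "$found" -eq 0 ]; then printf '%s\n' "$want"; fi
	done
)

# Succeed when both security= and lsm= are present on the same command line.
has_lsm_conflict() {
	case " $1 " in *" security="*) ;; *) return 1 ;; esac
	case " $1 " in *" lsm="*) return 0 ;; esac
	return 1
}

# On the installed system: list what the booted image did not carry.
conf=/etc/dracut.conf.d/cmdline.conf
if [ -r "$conf" ] && [ -r /proc/cmdline ]; then
	expected=$(conf_cmdline "$conf")
	missing_params "$expected" "$(cat /proc/cmdline)"
	if has_lsm_conflict "$expected"; then
		echo "warning: security= and lsm= are both set" >&2
	fi
fi
```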

#22 2025-08-26 19:44:16

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,177

Re: [SOLVED] did I lock myself out of passing kernel parameters??

ls -lR /boot

Offline

#23 2025-08-26 20:13:16

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

 
/boot:
total 43720
-rw-r--r-- 1 root root 184320    amd-ucode.img
drwxr-r-x 4 root root 1970       efi
-rw------ 1 root root 28652979 initramfs-linux.img
-rw-r--r-- root root 15921664   vmlinuz-linux

/boot/efi:
total 8
drwxr-xr-x 3 root root 4096 EFI
drwxr-xr-x 2 root root 4096 Loader

/boot/efi/EFI:
total 4
drwxr-xr-x 2 root root 4096 Linux

/boot/efi/EFI/Linux:
total 62816
-rwxr-xr-x 1 root root 64323192 bootx64.efi

/boot/efi/loader:
total 4
-rwxr-xr-x 1 root root 32 random-seed 

Last edited by Moonveil (2025-08-26 20:19:16)

Offline

#24 2025-08-26 20:20:28

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,177

Re: [SOLVED] did I lock myself out of passing kernel parameters??

Do you manually copy those? Don't.

ls -lR /boot | curl -F 'file=@-' 0x0.st

I especially wanted to see the timestamps.

Offline

#25 2025-08-26 20:39:57

Moonveil
Member
Registered: 2025-08-26
Posts: 35

Re: [SOLVED] did I lock myself out of passing kernel parameters??

I can't do it another way at the moment. I am typing it by hand.

I can list the timestamps for the above in order

Aug 8 15:06 amd-ucode.img
Jan 1 1970 efi 
Aug 24 23:12 initramfs-linux.img
Aug 24 23:12 vmlinuz-linux

Aug 25 11:19 EFI
Aug 26 20:56 Loader

Aug 25 11:19 Linux

Aug 25 12:15 bootx64.efi

Aug 26 20:56 random-seed

1970 for efi is the right number.

 ls -lR /boot | curl -F 'file=@-' 0x0.st
http://0x0.st/KomW.txt

Last edited by Moonveil (2025-08-26 20:44:12)

Offline
