SystemD boot + secure boot + TPM2 unlocking + UKI + Dual boot (windows) + Dracut + BTRFS + LUKS2 + boot from Snapshots

linuxislife · November 28, 2023, 1:11pm

Well…

Long story short, maybe the title is kind of self explainatory…

Would
SystemD boot + secure boot + TPM2 unlocking + Unified Kernel Image (UKI mandatory for secure boot?) + Dual boot (windows) + BTRFS + LUKS2 + Dracut + boot from Snapshots
be possible ?

I mean, I guess nothing is impossible, right ?

In fact, would it worth the pain to explore the hows and whys of such an installation ? !Would it be “doable” ?

From what I understood, the “worst” part would be to boot from Snapshots (compare to GRUB) ?
Would such an install be possible with EndeavourOS ?

Of course, if anybody has already achieve such an install and would be kind enough to share some thoughts…

CHEERS !

Zesko · November 28, 2023, 1:19pm

My short answer: SystemD boot + boot from snapshots is currently “impossible” for newbies/beginners in year 2023.

dalto · November 28, 2023, 3:35pm

UKI is not mandatory for secure boot.

However, both systemd-boot and/or UKI will block reliably booting from snapshots. This is because to reliably boot a snapshot, you need to have the kernels and boot images be inside the snapshot. With both systemd-boot and UKI’s those move to the EFI partition and are not contained in snapshots.

Svartis · November 28, 2023, 7:11pm

Why? I’m running systemd boot and I can boot snapshots. It isn’t as comfortable as with grub, but possible.

But I have to admit, you have to tinker with some scripts and config files to automate things.

dalto · November 28, 2023, 7:17pm

How are you dealing with the mismatched kernel and modules issue? Did you build automation where you copy the old modules or something?

Svartis · November 28, 2023, 7:25pm

The script takes a snapshot and I’ve to use a larger boot partition. When the snapshot is taken, the recent kernel.img, etc. gets copied, renamed and the script changes the /etc/fstab inside the snapshot and changes the loader entries to reflect the date of the snapshot taken.

Well guess it’s a lot of tinkering

If you just want to have it running, grub would be the better choice.

DISCLAIMER: You should understand the Script, and perhaps you have to modify it to fit your needs, to make it work on your system. Don‘t use it blindly, Grub + btrfs is the easier and perhaps better alternative.

#!/bin/bash

# Create btrfs snapshot in .snapshots/STABLE and move kernel,ramfs to bootloader
# triggered by 00-autosnap.hook for pacman

BTRFS=/usr/bin/btrfs
SED=/usr/bin/sed
CP=/usr/bin/cp
MV=/usr/bin/mv



# Move snapshot 4 to Position 5
$BTRFS sub delete /.snapshots/STABLE5
$BTRFS sub snap /.snapshots/STABLE4 /.snapshots/STABLE5

$SED -i 's|subvol=@snapshots/STABLE4\t|subvol=@snapshots/STABLE5 |' /.snapshots/STABLE5/etc/fstab
$SED -i 's|subvol=@snapshots/STABLE4 |subvol=@snapshots/STABLE5 |' /.snapshots/STABLE5/etc/fstab

$MV /boot/vmlinuz-linux-stable4 /boot/vmlinuz-linux-stable5
$MV /boot/amd-ucode-stable4.img /boot/amd-ucode-stable5.img
$MV /boot/initramfs-linux-stable4.img /boot/initramfs-linux-stable5.img

$CP /boot/loader/entries/stable4.conf /boot/loader/entries/stable5.conf
$SED -i 's|stable4|stable5|' /boot/loader/entries/stable5.conf
$SED -i 's|STABLE4|STABLE5|' /boot/loader/entries/stable5.conf



# Move snapshot 3 to Position 4
$BTRFS sub delete /.snapshots/STABLE4
$BTRFS sub snap /.snapshots/STABLE3 /.snapshots/STABLE4

$SED -i 's|subvol=@snapshots/STABLE3\t|subvol=@snapshots/STABLE4 |' /.snapshots/STABLE4/etc/fstab
$SED -i 's|subvol=@snapshots/STABLE3 |subvol=@snapshots/STABLE4 |' /.snapshots/STABLE4/etc/fstab

$MV /boot/vmlinuz-linux-stable3 /boot/vmlinuz-linux-stable4
$MV /boot/amd-ucode-stable3.img /boot/amd-ucode-stable4.img
$MV /boot/initramfs-linux-stable3.img /boot/initramfs-linux-stable4.img

$CP /boot/loader/entries/stable3.conf /boot/loader/entries/stable4.conf
$SED -i 's|stable3|stable4|' /boot/loader/entries/stable4.conf
$SED -i 's|STABLE3|STABLE4|' /boot/loader/entries/stable4.conf



# Move snapshot 2 to Position 3
$BTRFS sub delete /.snapshots/STABLE3
$BTRFS sub snap /.snapshots/STABLE2 /.snapshots/STABLE3

$SED -i 's|subvol=@snapshots/STABLE2\t|subvol=@snapshots/STABLE3 |' /.snapshots/STABLE3/etc/fstab
$SED -i 's|subvol=@snapshots/STABLE2 |subvol=@snapshots/STABLE3 |' /.snapshots/STABLE3/etc/fstab

$MV /boot/vmlinuz-linux-stable2 /boot/vmlinuz-linux-stable3
$MV /boot/amd-ucode-stable2.img /boot/amd-ucode-stable3.img
$MV /boot/initramfs-linux-stable2.img /boot/initramfs-linux-stable3.img

$CP /boot/loader/entries/stable2.conf /boot/loader/entries/stable3.conf
$SED -i 's|stable2|stable3|' /boot/loader/entries/stable3.conf
$SED -i 's|STABLE2|STABLE3|' /boot/loader/entries/stable3.conf



# Move snapshot 1 to Position 2
$BTRFS sub delete /.snapshots/STABLE2
$BTRFS sub snap /.snapshots/STABLE1 /.snapshots/STABLE2

$SED -i 's|subvol=@snapshots/STABLE1\t|subvol=@snapshots/STABLE2 |' /.snapshots/STABLE2/etc/fstab
$SED -i 's|subvol=@snapshots/STABLE1 |subvol=@snapshots/STABLE2 |' /.snapshots/STABLE2/etc/fstab

$MV /boot/vmlinuz-linux-stable1 /boot/vmlinuz-linux-stable2
$MV /boot/amd-ucode-stable1.img /boot/amd-ucode-stable2.img
$MV /boot/initramfs-linux-stable1.img /boot/initramfs-linux-stable2.img

$CP /boot/loader/entries/stable1.conf /boot/loader/entries/stable2.conf
$SED -i 's|stable1|stable2|' /boot/loader/entries/stable2.conf
$SED -i 's|STABLE1|STABLE2|' /boot/loader/entries/stable2.conf



# Take new snapshot on Position 1
$BTRFS sub delete /.snapshots/STABLE1
$BTRFS sub snap / /.snapshots/STABLE1

$SED -i 's|subvol=@\t|subvol=@snapshots/STABLE1 |' /.snapshots/STABLE1/etc/fstab
$SED -i 's|subvol=@ |subvol=@snapshots/STABLE1 |' /.snapshots/STABLE1/etc/fstab

$CP /boot/vmlinuz-linux /boot/vmlinuz-linux-stable1
$CP /boot/amd-ucode.img /boot/amd-ucode-stable1.img
$CP /boot/initramfs-linux.img /boot/initramfs-linux-stable1.img

$SED -i '/title/a title\tArch Linux - Snapshot - '"`date`"' -' /boot/loader/entries/stable1.conf 
$SED -i '1d' /boot/loader/entries/stable1.conf

I’ve extended the script for snapshot resorting and boot entry with dates in it, the original basic version I’ve found in an arch install tutorial.

dalto · November 28, 2023, 7:28pm

Oh, I see. You basically built the snapshot process around that.

I think it would be tricky to make that approach work for someone who wants to use timeshift or snapper.

Svartis · November 28, 2023, 7:36pm

Perhaps it isn’t thought through to the end. But til now it seemed to work.

dalto · November 28, 2023, 7:42pm

No, I think it is good.

It is just made to serve your specific needs as opposed to being a general purpose solution.

Stephane · November 29, 2023, 7:28pm

about the UKI

https://wiki.archlinux.org/title/Unified_kernel_image#kernel-install

better by foxboron

Zesko · November 29, 2023, 8:52pm

Many months ago I had thought about a new feature for systemd-boot:

Update:

github.com/archlinux/archinstall

Support for systemd-boot reading common filesystems and EFI drivers

opened 03:49PM - 13 Jan 22 UTC

closed 10:15PM - 16 Jul 23 UTC

Torxed

feature

systemd-boot is able to read common filesystems (ext4, btrfs etc.) (since 250). … * https://github.com/systemd/systemd/blob/main/NEWS * https://github.com/systemd/systemd/issues/15617 * https://efi.akeo.ie/ * https://github.com/systemd/systemd/pull/20789 Support for preloading EFI drivers that are in /EFI/systemd/drivers/ *(such as filesystem EFI drivers https://efi.akeo.ie/)* (https://archlinux.org/packages/community/any/efifs/)

It looks like the feature is done.