@dalto Im trying this out, how are the kernel command line options discovered? It seems to have properly added all the ones i want but is there a specific conf file for it? Is it using the one from the old sdboot-manage? Ive been looking through the git trying to find it
edit: found it in /etc/kernel/cmdline
It first looks for /etc/kernel/cmdline, if it doesnāt exist, it takes the parameters from the running kernel. In this case, it took your running parameters and then the hook wrote /etc/kernel/cmdline. The reason I am writing that file is so that if you need to rescue your system in a chroot, you donāt usually want the kernel options currently in-use.
This tutorial using the ākernel-installā worked perfectly for me on a fresh EndeavourOS installation!
But this is what confuses meā¦
I enabled whole partition encryption during installation. So initially I had to enter my encryption passphrase into grub during bootup. This makes sense to me, since grub needs to decrypt /root to get to the login screen.
But, now that I followed this tutorial, a computer boot goes straight to my login screen (GDM). Checking disk-utility shows my disk is still encrypted. How is this possible? Iām worried this somehow stored the disk decryption key on the EFI partition.
Thank you
It did. By default there is a keyfile in the initramfs. With systemd-boot, the initramfs is now in the ESP.
Someone else noticed this in the last couple of days and I was planning to put a disclaimer in the instructions but havenāt had a chance to do that. For now, here is how you can remove the keyfile from your initramfs.
Carefully follow the following steps:
/etc/mkinitcpio.conf and remove /crypto_keyfile.bin from the files section.sudo mkinitcpio -PIf you no longer need the keyfile at all, you can remove it completely. Be aware, if you have more than one luks partition, removing this keyfile may cause you to be asked for your password more than once.
cryptsetup to delete the key from the luks partitionsudo cryptsetup luksRemoveKey /dev/sdxy /crypto_keyfile.bin
/dev/sdxy with the partition you have luks installed on.sudo rm /crypto_keyfile.binWhile I have done this a couple of times without issue, keep in mind that whenever you mess around with your luks partition you run the risk of locking yourself out so it is wise to have a backup.
Thanks it worked!
So another LUKS related question. I was hoping to enable TRIM on my NVMe SSD, which is apparently disabled by default on LUKS partitions.
https://confluence.jaytaala.com/display/TKB/Enable+periodic+TRIM+-+including+on+a+LUKS+partition
How would I go about adding the below using the kernel-install methodā¦
:allow-discards to the end of the cryptdevice argument?
rd.luks.options=discard as a kernel parameter?
My guess is have the following in /etc/kernel/cmdline? But I was hoping to ask first before bricking my laptop. Thanks!
cryptdevice=UUID=:allow-discards
rd.luks.options=discard
I have a couple of appointments this morning and I will write a more thorough response later which includes how to test a change like that but the short answer is, āyesā, modifying /etc/kernel/cmdline will work.
Great, Iām seeing that I can add persistent flags to my cryptdevice (which is what I would prefer). So trying to go down that route to add āallow-discardsā. So at this point my issue is pretty for off topicā¦ But I would still love some help either here or on another thread.
Iām trying cryptsetup --allow-discards --persistent refresh root which is documented here. But am getting the error Device root is not active.
I assume rd.luks.options=discard will just work as expected in /etc/kernel/cmdline.
You need to use the name of the luksdevice. root was just an example.
I think I figured that part out, lol. Now my issue isā¦
This operation is supported only for LUKS2 device. Device activated but cannot make flags persistent.
Those sentences are on different lines. Iām not sure if the first line is just a general statement or is saying my device is LUKS1? Also not sure if the two lines are related.
You might want to post a separate topic for this. I am not really a luks expert and I am not sure the people who are would be reading this topic.
I updated the first post with a description of how kenrel-install works and specific guidance on how to change the kernel options.
Thanks, I gave up for now on trying to make my changes persistent to the LUKS partition (since I believe it is LUKS1). I just edited my entries files, rebooted, and āfstrimā is working as expected now.
My understanding, based on what you wrote is any future kernel installs will pickup the running parameters so in a way my edits are persistent.
If you used the manual method that is true. If you used the kernel-install method you should also delete /etc/kernel/cmdline and let it be regenerated.
If one wanted to turn off the CPU mitigations, would mitigations=off go in the options line?
Yes.
Keep in mind, that is meant to be an example, you shouldnāt copy it verbatim unless through some bizarre cosmic coincidence you happen to have the same UUID for your root volume as I do. 
I probably missed this but is there an easy way to declare or establish a default kernel by either use or selection? I seem to recall reading that precedence is established by kernel install sequence (not last use as you can do in grub).
I donāt know that there is a perfect solution but there are couple of things you can do to get close
d key.*lts.confI think precedence is set via an alpha sort of the entry files with Windows and the Firmware options at the bottom.
@dalto Thank youā¦ the ādā did the trick for me. 
By the way, would this method also work with other Arch-based distros, or is this tutorial only for EndeavourOS?