Hello everyone!
I am having trouble configuring kernel-install-for-dracut to generate UKIs (instead of separate kernel/initramfs/cmdline) and to automate enrollment of kernel updates.
I tried everything on a native installation as well as a fresh install in VMWare Workstation (with UEFI) with identical results, so the system environment does not seem to matter. Even on the VM without any manual dracut configuration, the error was reproducible in the same way.
The reason for having a UKI is that I sign it to enable secure boot and TPM2 + PIN based unlock of my encrypted drive.
Generating UKIs for all installed kernels with dracut directly works without issues (dracut --uefi --regenerate-all or manually via dracut --uefi --kver ). However, neither is dracut called by pacman nor does it delete older versions of the kernel or handle the cmdline arguments in a convenient way.
How I tried to configure UKIs (as described in https://wiki.archlinux.org/title/Kernel-install):
/etc/kernel/install.conf
layout=uki
uki_generator=dracut
#uki_generator=ukify (alternative systemd-ukify)
initrd_generator=dracut
Using dracut as UKI generator results in the error:
“Error: /usr/lib/modules/6.9.3-arch1-1/vmlinuz is missing .efi suffix.”
This error was already discussed in this forum https://github.com/systemd/systemd/issues/26477. However, the solution offered there, simply pointing the pacman hook to nowhere, doesn’t solve the issue for me; it just prevents the .efi from being copied to the /efi partition.
Using systemd-ukify as generator (without manually configuring /etc/ukify.conf for further options), a .efi file is generated. However, it only has 1/10th the size of the dracut image and results in a kernel panic upon boot. I suspect that the initramfs is not packaged correctly, as the message during the failed boot is a kernel panic about not being able to mount the rootfs.
Alternatively, are there experiences using the dracut-ukify (https://aur.archlinux.org/packages/dracut-ukify) package instead of kernel-install and removing kernel-install from the system? Does it break anything? This package also contains pacman hooks for automated rebuilding of the kernel after updates and changes.
I know that this is a lot of explanation and text but maybe someone has a similar setup and can point me in the right direction where to configure what.
Thanks!
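As an added example (not part of the original post or of any of the projects mentioned), a small POSIX shell check for the suspected symptom above: it reads the section table of a UKI as printed by `objdump -h` and reports whether the .linux, .initrd, .cmdline and .osrel sections are present and whether .initrd is plausibly large, which is worth doing before signing an image for Secure Boot. The sample section tables are constructed inline; the ESP path in the comment is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check a UKI's PE sections before signing it.
# Real usage (path is an assumption, adjust to your ESP layout):
#   check_uki_sections "$(objdump -h /efi/EFI/Linux/arch-linux.efi)"
# An image without .initrd, or with a tiny one, typically panics at boot
# because nothing can mount the root filesystem.

MIN_INITRD_BYTES=1048576   # 1 MiB; a real initramfs is far larger

# Prints "ok" and returns 0 when every required section exists and
# .initrd is at least MIN_INITRD_BYTES; otherwise prints what is wrong
# and returns 1.
check_uki_sections() {
    headers="$1"
    rc=0
    for sec in .linux .initrd .cmdline .osrel; do
        # objdump -h columns: Idx Name Size VMA LMA "File off" Algn
        size=$(printf '%s\n' "$headers" | awk -v s="$sec" '$2 == s { print $3 }')
        if [ -z "$size" ]; then
            echo "missing section: $sec"
            rc=1
            continue
        fi
        if [ "$sec" = ".initrd" ]; then
            bytes=$(( 0x$size ))       # size column is hexadecimal
            if [ "$bytes" -lt "$MIN_INITRD_BYTES" ]; then
                echo "section .initrd is only $bytes bytes"
                rc=1
            fi
        fi
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample output of `objdump -h` for a complete UKI (~40 MiB initrd).
GOOD_UKI_HEADERS='Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0000d000  0000000000001000  0000000000001000  00001000  2**12
  1 .osrel        00000200  0000000000020000  0000000000020000  0000e000  2**12
  2 .cmdline      00000100  0000000000021000  0000000000021000  0000f000  2**12
  3 .linux        00c80000  0000000000030000  0000000000030000  00010000  2**12
  4 .initrd       02800000  0000000000d00000  0000000000d00000  00c90000  2**12'

# Constructed sample of an image that was built without an initramfs.
NO_INITRD_HEADERS=$(printf '%s\n' "$GOOD_UKI_HEADERS" | grep -v '\.initrd')

check_uki_sections "$GOOD_UKI_HEADERS"
check_uki_sections "$NO_INITRD_HEADERS"
```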