UKI with kernel-install-for-dracut

Hello everyone!

I am having trouble configuring kernel-install-for-dracut to generate UKIs (instead of separate kernel/initramfs/cmdline) and to automate enrollment of kernel updates.

I tried all of it on a native installation as well as on a fresh install in VMware Workstation (with UEFI) with identical results, so the system environment does not seem to matter. Even on the VM without any manual dracut configuration, the error was reproducible in the same way.

The reason for having a UKI is that I sign it to enable Secure Boot and TPM2 + PIN based unlock of my encrypted drive.

Generating UKIs for all installed kernels with dracut directly works without issues (dracut --uefi --regenerate-all or manually via dracut --uefi --kver ). However, dracut is neither called by pacman, nor does it delete older versions of the kernel or handle the cmdline arguments in a convenient way.

How I tried to configure UKIs (as described in https://wiki.archlinux.org/title/Kernel-install):
/etc/kernel/install.conf

layout=uki
uki_generator=dracut
#uki_generator=ukify (alternative systemd-ukify)
initrd_generator=dracut

Using dracut as UKI generator results in the error:

“Error: /usr/lib/modules/6.9.3-arch1-1/vmlinuz is missing .efi suffix.”

This error was already discussed in this forum https://github.com/systemd/systemd/issues/26477. However, the solution offered there, simply pointing the pacman hook to nowhere, doesn’t solve the issue for me; it just prevents the .efi from being copied to the /efi partition.

Using systemd-ukify as generator (without manually configuring /etc/ukify.conf for further options), a .efi file is generated. However, it only has 1/10th the size of the dracut image and results in a kernel panic upon boot. I suspect that the initramfs is not packaged correctly, as the message during the failed boot is a kernel panic about not being able to mount the rootfs.

Alternatively, are there experiences using the dracut-ukify package (https://aur.archlinux.org/packages/dracut-ukify) instead of kernel-install and removing kernel-install from the system? Does it break anything? This package also contains pacman hooks for automated rebuilding of the kernel after updates and changes.

I know that this is a lot of explanation and text but maybe someone has a similar setup and can point me in the right direction where to configure what.
Thanks!
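A UKI that comes out a tenth of the expected size and then panics while mounting the rootfs usually means the initramfs (or the cmdline) never made it into the PE image. The helper below inspects the PE sections of a UKI and flags exactly that. It is an added example, not code from this thread, from kernel-install-for-dracut, dracut or ukify; it assumes binutils (objdump/objcopy) is installed and that the sections carry the names systemd-stub expects (.linux, .initrd, .cmdline, .osrel). The 4 MiB minimum initrd size and the embedded objdump output are constructed assumptions of mine, not measurements from the poster's system.

```shell
#!/bin/sh
# Sanity-check a unified kernel image by looking at its PE sections.
# Usage: ./check-uki.sh /efi/EFI/Linux/<name>.efi
# Without arguments it runs against the constructed sample output below.

# Assumption: a host-only dracut initrd is tens of MiB; anything under 4 MiB
# almost certainly means the initramfs was not embedded (or was empty).
MIN_INITRD_BYTES=$((4 * 1024 * 1024))

# Read `objdump -h` output on stdin and print "<section> <decimal size>" for
# the sections a UKI must carry. objdump prints sizes in hex, so convert.
uki_section_sizes() {
    awk '$2 ~ /^\.(linux|initrd|cmdline|osrel)$/ { print $2, $3 }' |
    while read -r name hexsize; do
        printf '%s %d\n' "$name" "$((0x$hexsize))"
    done
}

# Read `objdump -h` output on stdin; return 0 if the image looks complete.
# Each failure names the symptom you would otherwise only see at boot.
check_uki_sections() {
    sizes=$(uki_section_sizes)
    linux_size=$(printf '%s\n' "$sizes" | awk '$1 == ".linux" { print $2 }')
    initrd_size=$(printf '%s\n' "$sizes" | awk '$1 == ".initrd" { print $2 }')
    cmdline_size=$(printf '%s\n' "$sizes" | awk '$1 == ".cmdline" { print $2 }')

    if [ -z "$linux_size" ] || [ "$linux_size" -eq 0 ]; then
        echo "FAIL: no .linux section, the kernel was not embedded" >&2; return 1
    fi
    if [ -z "$initrd_size" ]; then
        echo "FAIL: no .initrd section, the initramfs was not embedded" >&2; return 1
    fi
    if [ "$initrd_size" -lt "$MIN_INITRD_BYTES" ]; then
        echo "FAIL: .initrd is only $initrd_size bytes; expect a rootfs mount panic" >&2; return 1
    fi
    # Assumption: the UKI is meant to carry its own cmdline (Secure Boot setup),
    # so a missing or empty .cmdline is treated as an error rather than a warning.
    if [ -z "$cmdline_size" ] || [ "$cmdline_size" -eq 0 ]; then
        echo "FAIL: no .cmdline section, root= would have to come from the loader" >&2; return 1
    fi
    echo "ok: .linux=$linux_size .initrd=$initrd_size .cmdline=$cmdline_size bytes"
}

# Inspect a real file: check the sections, then print the embedded cmdline so a
# missing root=/rd.luks.* option is visible before rebooting.
inspect_uki() {
    uki=$1
    objdump -h "$uki" | check_uki_sections || return 1
    tmp=$(mktemp) || return 1
    objcopy -O binary --only-section=.cmdline "$uki" "$tmp" && {
        printf 'cmdline: '; cat "$tmp"; echo
    }
    rm -f "$tmp"
}

# Constructed sample of `objdump -h` output for a healthy dracut-built UKI.
# (Not taken from a real image; the sizes are made up but plausible.)
SAMPLE_GOOD='uki.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0000d000  0000000000001000  0000000000001000  00001000  2**12
  1 .osrel        00000143  0000000000030000  0000000000030000  0000e000  2**12
  2 .cmdline      0000003b  0000000000031000  0000000000031000  0000f000  2**12
  3 .linux        00d2a000  0000000000032000  0000000000032000  00010000  2**12
  4 .initrd       0a400000  0000000000d5c000  0000000000d5c000  00d3a000  2**12'

if [ $# -gt 0 ]; then
    inspect_uki "$1"
else
    printf '%s\n' "$SAMPLE_GOOD" | check_uki_sections
fi
```

Run it against the dracut-built and the ukify-built .efi side by side: the one that fails on .initrd size is the one that will panic on the rootfs mount, and the printed cmdline tells you whether the generator picked up /etc/kernel/cmdline at all.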

I have on my todo list to figure out how to make UKIs work with kernel-install-for-dracut but I have not yet gotten to it.

It is possible it will require some minor tweaks to the package to make it work but I have never actually tried.

Thank you for the fast response!
Alright, if I have time I might dive deeper into the actual scripts or hook files to see what everything does. If I manage to make it work I will share it here.


Here is what worked for me: I edited the dracut command in /etc/kernel/install.d/50-dracut.install (previously in line 61) as follows:


      # Build a UKI only for layout=uki; an unset uki_generator falls back to dracut.
      # The braces matter: in sh, "A && B || C" parses as "(A && B) || C", which would
      # build a UKI for every layout whenever KERNEL_INSTALL_UKI_GENERATOR is empty.
      if [ "$KERNEL_INSTALL_LAYOUT" = "uki" ] && { [ "$KERNEL_INSTALL_UKI_GENERATOR" = "dracut" ] || [ -z "$KERNEL_INSTALL_UKI_GENERATOR" ]; }; then
          [ "${KERNEL_INSTALL_VERBOSE:-0}" -gt 0 ] && echo "generating UKI in $KERNEL_INSTALL_STAGING_AREA/uki.efi"
          # --uefi makes dracut emit a signed-ready PE in the staging area; kernel-install
          # then copies it to the ESP under EFI/Linux where systemd-boot auto-discovers it.
          dracut --uefi --hostonly --no-hostonly-cmdline -f${DRACUT_EXTRA_PARAMS} ${noimageifnotneeded:+--noimageifnotneeded} "$KERNEL_INSTALL_STAGING_AREA/uki.efi" "$KERNEL_VERSION"
      else
          # Classic layout: plain initramfs next to the kernel, loader entry handled by kernel-install.
          dracut --hostonly --no-hostonly-cmdline -f${DRACUT_EXTRA_PARAMS} ${noimageifnotneeded:+--noimageifnotneeded} "$BOOT_DIR_ABS/$INITRD" "$KERNEL_VERSION"
      fi

Drawbacks/issues:

  • not extensively tested
  • It only works by directly creating a UKI with dracut; so no systemd-ukify
  • Not sure about the loader entries or configuration that kernel-install usually handles, but since systemd-boot searches in /efi/EFI/Linux for .efi bootable files, boot works
  • UKIs are fairly large and depending on the size of the /efi partition, not many different images might fit at the same time. Mine are approx. 170 MB.
  • the UKI option is set in /etc/kernel/install.conf and not in /etc/kernel-install-for-dracut.conf