refind-btrfs
Using refind-btrfs with a unified kernel image
I am experimenting with Secure Boot, rEFInd, encrypted LUKS root partition formatted with BTRFS and a unified kernel image signed with my own keys. Since the kernel parameters are contained inside the image, rEFInd is just instructed to launch the .efi binary, so refind-btrfs can't find a boot stanza to match with the root partition. Is there a way to manually configure refind-btrfs to hook it to sbupdate to generate unified kernel images with snapshot support? Thanks for any help.
No, sorry - this use case is not currently supported. My setup isn't nearly as fancy (no encryption either) so I don't even have all the prerequisites needed to design and develop this feature. I'm not sure it's even possible.
Does grub-btrfs support this?
Aw, shucks. I was hoping I was missing some configuration, but I guess I'll have to manually launch the snapshots. Thanks for the prompt response!
Hi, I recently migrated to a similar setup and found myself dealing with this as well. I tried to have a look at the issue and by the looks of it, it might require some work to get it working due to how efi stubs are built.
First of all, as OP mentioned, in this scenario refind.conf would look like this at the bare minimum:

```
menuentry Arch {
    loader /EFI/arch/arch-linux.efi
}
```

where we have an "all-included" efi image in the /efi partition, everything else resides in the encrypted root volume (including /boot).
In my particular case, arch-linux.efi is built directly by mkinitcpio and signed with sbctl. Correct me if I'm wrong, but refind-btrfs gets the root UUID from refind conf itself, whereas in this scenario parameters are pre-built into the efi image, taken from /etc/kernel/cmdline as a default.
So for this to work refind-btrfs would need to:
- retrieve the root UUID by other means, possibly looking into `/etc/kernel/cmdline` although that could be configured so I'm not sure that's the right place to fetch them from
- create the usual rw snapshot in the target location
- generate an efi image with a custom mkinitcpio preset, that is, a preset must be generated on-the-fly matching the location of the target rw snapshot, something like:

  ```
  ALL_config="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/etc/mkinitcpio.conf"
  ALL_kver="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/vmlinuz-linux"
  ALL_microcode=(/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/*-ucode.img)
  PRESETS=('default')
  default_image="/root/.refind-btrfs/rwsnap_2000-01-01_01-01-01_ID001/boot/initramfs-linux.img"
  default_efi_image="/efi/EFI/arch/arch-linux-rwsnap_ID001.efi"
  ```

- sign the efi image for secure boot, using `sbctl` or `sbupdate`

At this point the generated stanza should look something similar to this:

```
menuentry Arch {
    loader /EFI/arch/arch-linux-rwsnap_ID001.efi
}
```

One thing to note though: after this is all set up, you'll be able to boot your system into the snapshot, but rolling back to it (as in: taking a new fresh ro snapshot), would probably require rebuilding and signing the "normal" efi image again.
I understand this is quite a feat, especially so if you don't have a secure boot setup to start with. I'll try to have a look at the code and cobble something together, although I know very little about Python so I doubt I'll be able to make anything remotely "production ready" or even functioning.
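
The steps listed in the comment above, sketched as an added example (not part of the thread and not refind-btrfs code): it reads `root=` and the subvolume out of a kernel command line, then renders the per-snapshot preset and the matching stanza. The function names, the path check and the sample command line are assumptions made for illustration; building and signing the image is left to mkinitcpio and sbctl or sbupdate.

```python
import re
import shlex

ESP = "/efi"  # ESP mount point, as used in the thread

# A preset is sourced by bash as root, so the snapshot path is checked against
# the shape shown in the thread before it is interpolated (added safeguard).
SNAP_PATH = re.compile(
    r"(/[A-Za-z0-9._-]+)*/rwsnap_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}_(ID\d+)",
    re.ASCII,
)

# Constructed sample of an /etc/kernel/cmdline for a LUKS + btrfs root.
SAMPLE_CMDLINE = "root=/dev/mapper/root rootflags=subvol=@,compress=zstd rw quiet"


def root_params(cmdline: str) -> dict:
    """Extract root= and the rootflags subvol/subvolid from a kernel cmdline."""
    found = {}
    for token in shlex.split(cmdline):
        key, _, value = token.partition("=")
        if key == "root":
            found["root"] = value
        elif key == "rootflags":
            for flag in value.split(","):
                name, _, arg = flag.partition("=")
                if name in ("subvol", "subvolid"):
                    found[name] = arg
    return found


def plan_snapshot_uki(snapshot_dir: str) -> dict:
    """Render the on-the-fly preset and the rEFInd stanza for one rw snapshot."""
    match = SNAP_PATH.fullmatch(snapshot_dir)
    if match is None or ".." in snapshot_dir.split("/"):
        raise ValueError(f"refusing unexpected snapshot path: {snapshot_dir!r}")
    loader = f"/EFI/arch/arch-linux-rwsnap_{match.group(2)}.efi"
    preset = "\n".join([
        f'ALL_config="{snapshot_dir}/etc/mkinitcpio.conf"',
        f'ALL_kver="{snapshot_dir}/boot/vmlinuz-linux"',
        f"ALL_microcode=({snapshot_dir}/boot/*-ucode.img)",
        "PRESETS=('default')",
        f'default_image="{snapshot_dir}/boot/initramfs-linux.img"',
        f'default_efi_image="{ESP}{loader}"',
    ]) + "\n"
    stanza = f"menuentry Arch {{\n    loader {loader}\n}}\n"
    return {"preset": preset, "stanza": stanza, "efi_image": ESP + loader}
```
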
> Correct me if I'm wrong, but refind-btrfs gets the root UUID from refind conf itself

The currently mounted root partition's UUID is retrieved by using the findmnt CLI tool. Manual boot stanzas (found in the refind.conf file) are parsed but are not necessarily matched with the root partition solely by its UUID - other properties are usable, as well. It depends on how you like to describe your own system, i.e. its partitions, subvolumes and such.
This feature looks like a pretty damn huge effort, at the moment. Thank you for this exhaustive implementation requirements description.
If you want to start playing around with it, sure - I don't mind at all. :+1: