Skip to main content
Topic: Problem with unified kernel image (Read 432 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

Problem with unified kernel image

Hello,

I have been trying to setup booting to a unified kernel image (UKI) so I could enable a true secure boot then.
I first encountered some problems with sbctl, even if I give him the ESP path, it does not find it. I may have to write a config file, but I went with a more manual key creation and setup, so it was not that much a problem.

Then I had a problem with mkinitcpio not finding the UEFI stub. I saw in its script that it looks for /usr/lib/systemd/boot/efi/linuxx64.efi.stub and there is no such file on Artix Linux. I found my older post when I tried to do the same, nearly bricked my computer and succeeded to recover it at the cost of permanently rendering the secure boot non functional, so I did not try until I got my new laptop.
So to work around the missing stub, I copied /boot/vmlinuz-linux in the directory with the expected name. I hoped that it could be used as such because zgrepping /proc/config.gz showed me CONFIG_EFI_STUB=y, which I understood as the Linux kernel image being OK to be used as a UEFI stub. Here is where I may have fucked up, but mkninitcpio succeeded in producing an efi file without showing any error.

I then signed the UKI and changed the db, KEK and PK keys, but I could not boot, it stayed on the UEFI logo. I retried with the UKI after disabling secure boot and I got the same result. So I believe the problem is the UKI and not secure boot which I disabled.
I have not tried with an unsigned UKI yet.
Edit : I forgot to add that my setup is with LVM on LUKS, so there may be a problem with this too.

I also tried by following the manual creation of UKI from ArchWiki with objcopy command, but I got the same result: it was blocked on UEFI logo.

Has anyone succeeded in booting with a UKI?

My laptop model is a NovaCustom V56 with coreboot, Meteor Lake CPU and integrated graphic card.

Thanks in advance!

Re: Problem with unified kernel image

Reply #1
Hello,
Sorry this reply is coming a few weeks after you posted, I only just saw this. And in fact, just created an account here to respond ;)

I have UKI working and ran into the same problems, so I'll try to help.

First, with sbctl I had the same issue, this is due to lsblk not returning the proper pttype and/or parttype (see https://github.com/Foxboron/sbctl/issues/368). I didn't fix this issue because it only affects the verify command (where sbctl iterates through the ESP and checks if everything is signed), all other sbctl commands work properly for me. I don't find the verify command useful since I only have one file in my ESP and I automatically sign it with a mkinitcpio post hook any time it changes.

Second, in order to get the efi stub that mkinitcpio uses to generate a UKI, I booted to an Arch iso, mounted my Artix root filesystem, and copied Arch's linuxx64.efi.stub over (from /usr/lib/systemd/boot/efi). After this, mkinitcpio created the UKI, and I followed: https://wiki.archlinux.org/title/EFI_boot_stub (where loader points to the UKI instead) to tell the UEFI what to boot.

I don't think LVM on LUKS will give you any issues with this setup as long as you followed this: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS (specifically setting the mkinitcpio hooks and kernel parameters). I use btrfs on LUKS and the setup was similar. I think your main problem is just not having the linuxx64.efi.stub, which vmlinuz-linux is not a replacement for. Also, I would recommend just using sbctl, and not messing with those keys manually.

Hope this helps!