ugrd


Post by zen_desu » Wed Sep 10, 2025 5:00 pm

Cheesyjuggler64 wrote:I have a question, when trying to use ugrd to generate the initramfs on an initial system install it errors out with the following

Code:
ERROR    | [btrfs] Failed to get modinfo for init kernel module: [btrfs] Modinfo returned no output.
ERROR    | [crc32c] Failed to get modinfo for init kernel module: [crc32c] Modinfo returned no output.
ERROR    | [dm_crypt] Failed to get modinfo for init kernel module: [dm_crypt] Modinfo returned no output.
WARNING  | [dm_mod] Failed to process autodetected kernel module dependencies: [dm_mod] Modinfo returned no output.
WARNING  | [nvme] Failed to process autodetected kernel module dependencies: [nvme] Modinfo returned no output.
WARNING  | [xts] Failed to process autodetected kernel module dependencies: [xts] Modinfo returned no output.
WARNING  | [aesni_intel] Failed to process autodetected kernel module dependencies: [aesni_intel] Modinfo returned no output.
CRITICAL | Required module cannot be imported and is not builtin: btrfs
 * Failed to generate initramfs for kernel 6.12.41-gentoo
The kernel I'm building has no modules, so I've added the following to the config file. I've also definitely built btrfs into the kernel and have btrfs-progs installed.

Code:
[ugrd.kmod.kmod]
no_kmod = true
Now I think this is because I'm using a Linux Mint ISO to install Gentoo and it's wrongly reading the kernel stuff from there and not from the new kernel configuration I'm trying to build. Help appreciated.

To set that config, you simply need to add "no_kmod = true" to the top level of the config (not under a section).

This happens because ugrd expects kmods to exist, especially when a specific kernel version is specified. If you've got no modules at all, the "no_kmod" option is required.

I think it may help if a check is added here to check that there are modinfo files for that kernel, and it can warn you to set that config if you're using a kernel without modules:
https://github.com/desultory/ugrd/blob/ ... od.py#L227
µgRD dev
Wiki writer

Post by Cheesyjuggler64 » Wed Sep 10, 2025 5:37 pm

Thanks, it works as expected now. Yes, I agree that would be useful. Does it currently support lz4 compression?

Post by zen_desu » Fri Sep 12, 2025 5:48 pm

Cheesyjuggler64 wrote:Thanks, it works as expected now. Yes, I agree that would be useful. Does it currently support lz4 compression?

Not currently, but all compression support is really handled by pycpio:

https://github.com/desultory/pycpio/blo ... py#L54-L86

I'm trying to lean towards stuff that is in the python standard library if at all possible.

There is nothing "special" about the cpio files ugrd makes, so they can easily be compressed manually (but sometimes the kernel will only decompress stuff with particular compression parameters).

Post by Sebastien P. » Fri Oct 03, 2025 8:26 pm

I have other issues/questions with modules.

Complete logs:

Code:
# ugrd --kver 6.12.41-gentoo --no-kmod

INFO     | Processing module: ugrd.base.base
INFO     | Processing module: ugrd.base.core
INFO     | Processing module: ugrd.fs.mounts
INFO     | Adding library path: /usr/lib64
INFO     | Processing module: ugrd.base.cmdline
INFO     | Processing module: ugrd.base.banner
INFO     | Processing module: ugrd.kmod.kmod
INFO     | Processing module: ugrd.kmod.standard_mask
INFO     | Processing module: ugrd.kmod.input
INFO     | Processing module: ugrd.fs.cpio
INFO     | Processing module: ugrd.base.checks
INFO     | [kernel_version] Setting from arguments: 6.12.41-gentoo
INFO     | [no_kmod] Setting from arguments: True
INFO     | Loading config file: /etc/ugrd/config.toml
ERROR    | kernel_version is set, but no_kmod is enabled.
INFO     | -- | Running ugrd v2.0.2
INFO     | -- | Running build tasks
INFO     | Detected init at: /usr/bin/init
INFO     | Source path for libgcc_s: /usr/lib/gcc/x86_64-pc-linux-gnu/14/libgcc_s.so.1
INFO     | Using default shell: /bin/sh
INFO     | Found virtual block devices: dm-1, dm-2, dm-0
INFO     | [/dev/mapper/root] Auto-enabling kernel modules for device: dm_mod
INFO     | [/dev/mapper/root] Autodetected mount type from device: xfs
INFO     | [root] Autodetected mount source: uuid=xxx
INFO     | [mounts] Updating mount: root
INFO     | [/] Detected virtual block device: /dev/mapper/root
INFO     | [/dev/sda2] Auto-enabling kernel modules for device: sd_mod
INFO     | Autodetected LUKS mount, enabling the cryptsetup module: root
INFO     | Processing module: ugrd.crypto.cryptsetup
INFO     | [root] LUKS volume uuid:xxx
INFO     | [root] Configuring cryptsetup for LUKS mount (root) on: dm-0
root:
  uuid: xxx

INFO     | [root] Autodetected device mapper container: sda2
WARNING  | [get_kernel_version] Kernel version is already set, skipping.
WARNING  | [autodetect_modules] no_kmod is enabled, skipping.
INFO     | [Mitsumi Electric Mitsumi USB Multimedia Keyboard / Mouse (Wireless)] Detected driver: hid-generic
INFO     | Build directory does not exist, skipping cleaning: /tmp/initramfs_build
INFO     | Processing module: ugrd.kmod.novideo
INFO     | Processing module: ugrd.kmod.nosound
INFO     | Processing module: ugrd.kmod.nonetwork
INFO     | Detected cryptsetup backend: openssl
INFO     | Setting shebang to: #!/bin/sh -l
WARNING  | [process_modules] no_kmod is enabled, skipping.
WARNING  | [process_module_metadata] no_kmod is enabled, skipping.
WARNING  | [xfs] Kernel module info for firmware detection does not exist, but no_kmod is set.
WARNING  | [dm_crypt] Kernel module info for firmware detection does not exist, but no_kmod is set.
WARNING  | [sha256_generic] Kernel module info for firmware detection does not exist, but no_kmod is set.
INFO     | [deploy_nodes] Skipping real device node creation with mknod, as make_nodes is not specified.
INFO     | Regenerating ld.so.cache
INFO     | Wrote file: /tmp/initramfs_build/etc/ld.so.conf
WARNING  | [regen_kmod_metadata] no_kmod is enabled, skipping.
INFO     | -- | Generating init functions
WARNING  | no_kmod is enabled, but kernel modules are set, ensure the following kernel modules are built into the kernel:
WARNING  | Init kernel modules: xfs, dm_crypt
WARNING  | Included kernel modules: sha256_generic
INFO     | No initramfs fstab found, skipping mount_fstab. If non-root storage devices are not needed at boot, this is fine.
INFO     | Wrote file: /tmp/initramfs_build/etc/profile
INFO     | Included functions: check_var, setvar, readvar, wait_for_space, prompt_user, retry, klog, edebug, einfo, ewarn, eerror, rd_fail, rd_restart, _find_init, mount_default_root, parse_cmdline_bool, parse_cmdline_str, get_crypt_dev, open_crypt_dev, mount_base, export_exports, parse_cmdline, print_banner, crypt_init, mount_root, do_switch_root
INFO     | Wrote file: /tmp/initramfs_build/init
INFO     | -- | Packing build
INFO     | [XZ] Compressing the CPIO data, original size: 17.58 MiB
INFO     | Wrote 5.79 MiB to: /tmp/initramfs_out/ugrd-6.12.41-gentoo.cpio.xz
INFO     | -- | Running checks
I do not understand some things:

Code:
ERROR    | kernel_version is set, but no_kmod is enabled.
Why is it an error?

Code:
INFO     | [/dev/mapper/root] Auto-enabling kernel modules for device: dm_mod
INFO     | [/dev/mapper/root] Autodetected mount type from device: xfs
Why a module?! Is it mandatory to have a module for dm_crypt?

Code:
WARNING  | no_kmod is enabled, but kernel modules are set, ensure the following kernel modules are built into the kernel:
WARNING  | Init kernel modules: xfs, dm_crypt
WARNING  | Included kernel modules: sha256_generic
No! I do not have any modules:

Code:
usr/src/linux # grep -c '=m' .config
0
Why does ugrd want some modules?

Without “--no-kmod”, ugrd crashes:

Code:
ugrd --kver 6.12.41-gentoo
[…]
WARNING  | [get_kernel_version] Kernel version is already set, skipping.
INFO     | Autodetected kernel modules: dm_mod, sd_mod, 8250_mid, mei_me, virtio_pci, intel_lpss_pci, i2c_designware_pci, 8250_pci, shpchp, intel_uncore, ehci_pci, 8250_pci1xxxx, 8250_pericom, ahci, platform_pci, intel_agp, dw_dmac_pci, ohci_pci, ata_piix, pci_stub, iosf_mbi, radeon, snd_hda_intel, r8169, amdgpu, pcieportdrv, sis_agp, uhci_hcd, ccp, lpc_ich, xhci_pci, xhci_pci_renesas, intel_scu_pcidrv, via_agp
[…]
ERROR    | [xfs] Failed to get modinfo for init kernel module: [xfs] Modinfo returned no output.
ERROR    | [dm_crypt] Failed to get modinfo for init kernel module: [dm_crypt] Modinfo returned no output.
[…]
CRITICAL | Required module cannot be imported and is not builtin: xfs
I do not understand why it crashes. Lots of strange things with modules.


Context:
This is a new Gentoo install. I used gentoo-kernel, then switched to gentoo-sources with the .config of gentoo-kernel. I have a fully encrypted rootfs.
Tonight, I tried to boot and it crashed due to the previously populated /lib/modules/6.12.41-gentoo/. The initramfs wanted to load the kernel but did not find it (probably because there are no modules in my kernel).
I have removed the old lib/modules/6.12.41-gentoo/ folder and got the above strange behaviour. I will try to boot again tomorrow.

Post by zen_desu » Fri Oct 03, 2025 8:37 pm

Sebastien P. wrote:I have other issues/questions with modules.

I do not understand some things:

Code:
ERROR    | kernel_version is set, but no_kmod is enabled.
Why is it an error?
This should maybe be a warning, but is kinda an artifact of using installkernel on a kernel with no modules.
Sebastien P. wrote:

Code:
INFO     | [/dev/mapper/root] Auto-enabling kernel modules for device: dm_mod
INFO     | [/dev/mapper/root] Autodetected mount type from device: xfs
Why a module?! Is it mandatory to have a module for dm_crypt?

Code:
WARNING  | no_kmod is enabled, but kernel modules are set, ensure the following kernel modules are built into the kernel:
WARNING  | Init kernel modules: xfs, dm_crypt
WARNING  | Included kernel modules: sha256_generic
ugrd modules (components) try to figure out if certain parts require kmods, and try to include those. If you're not using a kernel with modules, it will use this info to let you know what modules it wants, so you can figure out the rest.
Sebastien P. wrote:
No! I do not have any modules:

Code:
usr/src/linux # grep -c '=m' .config
0
Why does ugrd want some modules?

Without “--no-kmod”, ugrd crashes:

Code:
ugrd --kver 6.12.41-gentoo
[…]
WARNING  | [get_kernel_version] Kernel version is already set, skipping.
INFO     | Autodetected kernel modules: dm_mod, sd_mod, 8250_mid, mei_me, virtio_pci, intel_lpss_pci, i2c_designware_pci, 8250_pci, shpchp, intel_uncore, ehci_pci, 8250_pci1xxxx, 8250_pericom, ahci, platform_pci, intel_agp, dw_dmac_pci, ohci_pci, ata_piix, pci_stub, iosf_mbi, radeon, snd_hda_intel, r8169, amdgpu, pcieportdrv, sis_agp, uhci_hcd, ccp, lpc_ich, xhci_pci, xhci_pci_renesas, intel_scu_pcidrv, via_agp
[…]
ERROR    | [xfs] Failed to get modinfo for init kernel module: [xfs] Modinfo returned no output.
ERROR    | [dm_crypt] Failed to get modinfo for init kernel module: [dm_crypt] Modinfo returned no output.
[…]
CRITICAL | Required module cannot be imported and is not builtin: xfs
I do not understand why it crashes. Lots of strange things with modules.


Context:
This is a new Gentoo install. I used gentoo-kernel, then switched to gentoo-sources with the .config of gentoo-kernel. I have a fully encrypted rootfs.
Tonight, I tried to boot and it crashed due to the previously populated /lib/modules/6.12.41-gentoo/. The initramfs wanted to load the kernel but did not find it (probably because there are no modules in my kernel).
I have removed the old lib/modules/6.12.41-gentoo/ folder and got the above strange behaviour. I will try to boot again tomorrow.
I've considered making ugrd try to read kernel config directly, but this would have to be a gentoo feature or at least somewhat distro specific because where the .config is installed can differ.

Basically the summary of what is happening here is that there is an error which should probably be a warning, and a lot of what ugrd does is try to figure out what kmods and userspace stuff is needed for the initramfs. If you aren't using kmods, it lets you know what it wants because it can't check if those exist based on the module info the kernel installs. It can't distinguish between missing kmods and a kernel without kmods, so you have to tell it with --no-kmod.

One thing to consider is that even if kmods aren't used heavily, the kernel stores info about what modules exist (and what is builtin) in the module info (modules.builtin and so on).
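The check suggested earlier in this thread (look for the kernel's module metadata before insisting on modules) and the remark that the kernel records what is builtin in modules.builtin can be combined into one small tool. The following is an added example written for this thread, not ugrd's own code: it reads modules.builtin and modules.dep from a /lib/modules/<kver> directory, classifies the modules a generator wants as builtin, loadable or missing, and reports "no metadata" instead of guessing when the directory has never been populated. The sample file contents, the module list and the temporary directories are constructed.

```python
"""Check what a target kernel provides before an initramfs generator insists on
loadable modules. Added example for this thread, not ugrd's own code. It reads
the standard kmod metadata that `make modules_install` / depmod write under
/lib/modules/<kver>/ (modules.builtin, modules.dep); the sample file contents,
module names and kernel version below are constructed."""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

_KO_SUFFIXES = (".ko.zst", ".ko.xz", ".ko.gz", ".ko")

# Constructed sample of /lib/modules/<kver>/modules.builtin for a kernel that
# has the thread's storage and HID drivers built in.
SAMPLE_BUILTIN = """\
kernel/fs/btrfs/btrfs.ko
kernel/fs/xfs/xfs.ko
kernel/drivers/md/dm-mod.ko
kernel/drivers/md/dm-crypt.ko
kernel/crypto/sha256_generic.ko
kernel/drivers/hid/hid-generic.ko
"""

# Constructed sample of modules.dep for a kernel that still has a few =m drivers.
SAMPLE_DEP = """\
kernel/drivers/net/ethernet/realtek/r8169.ko: kernel/drivers/net/phy/realtek.ko kernel/drivers/net/phy/libphy.ko
kernel/drivers/nvme/host/nvme.ko: kernel/drivers/nvme/host/nvme-core.ko
"""


def _module_name(path: str) -> str:
    """'kernel/fs/btrfs/btrfs.ko' -> 'btrfs'. modprobe treats '-' and '_' alike."""
    stem = path.strip().rsplit("/", 1)[-1]
    for suffix in _KO_SUFFIXES:
        if stem.endswith(suffix):
            stem = stem[: -len(suffix)]
            break
    return stem.replace("-", "_")


def parse_modules_builtin(text: str) -> set[str]:
    """modules.builtin lists one object path per line for every builtin module."""
    return {_module_name(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def parse_modules_dep(text: str) -> set[str]:
    """modules.dep has '<module path>: <dependency paths>' per loadable module."""
    return {_module_name(line.split(":", 1)[0]) for line in text.splitlines() if ":" in line}


@dataclass
class KmodReport:
    status: str                                  # "ok", "missing" or "no_metadata"
    builtin: list[str] = field(default_factory=list)
    loadable: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)
    advice: str = ""


def classify_modules(required, builtin_text: str, dep_text: str) -> KmodReport:
    """Sort each wanted module into builtin / loadable / missing."""
    builtin = parse_modules_builtin(builtin_text)
    loadable = parse_modules_dep(dep_text)
    report = KmodReport(status="ok")
    for name in sorted(n.replace("-", "_") for n in required):
        if name in builtin:
            report.builtin.append(name)
        elif name in loadable:
            report.loadable.append(name)
        else:
            report.missing.append(name)
    if report.missing:
        report.status = "missing"
        report.advice = ("neither builtin nor loadable: " + ", ".join(report.missing)
                         + "; if this kernel was built without modules, build these in "
                         "and set no_kmod = true")
    return report


def check_kernel(moddir: Path, required) -> KmodReport:
    """moddir is /lib/modules/<kver>. Without modules.builtin the generator cannot
    tell a module-less kernel from one whose modules were never installed, so the
    only honest answer is to ask the user, which is what no_kmod is for."""
    builtin_file = moddir / "modules.builtin"
    if not builtin_file.is_file():
        return KmodReport(status="no_metadata",
                          advice=f"{builtin_file} not found: if kernel {moddir.name} "
                                 "has no modules set no_kmod = true, otherwise run "
                                 "'make modules_install' for it first")
    dep_file = moddir / "modules.dep"
    dep_text = dep_file.read_text() if dep_file.is_file() else ""
    return classify_modules(required, builtin_file.read_text(), dep_text)


def demo() -> tuple[str, str]:
    """Run check_kernel against two constructed module directories."""
    wanted = ["xfs", "dm_crypt", "sha256_generic"]
    with tempfile.TemporaryDirectory() as tmp:
        empty = Path(tmp) / "6.12.41-gentoo"          # freshly built, nothing installed
        empty.mkdir()
        installed = Path(tmp) / "6.12.41-gentoo-installed"
        installed.mkdir()
        (installed / "modules.builtin").write_text(SAMPLE_BUILTIN)
        (installed / "modules.dep").write_text("")   # depmod on a module-less kernel
        return check_kernel(empty, wanted).status, check_kernel(installed, wanted).status


if __name__ == "__main__":
    print(classify_modules(["btrfs", "dm_crypt", "nvme", "crc32c"], SAMPLE_BUILTIN, SAMPLE_DEP))
    print(demo())
```

Run it as a script to see both paths: the first report is the situation from the top of the thread (btrfs and dm_crypt builtin, nvme loadable, crc32c nowhere), the second tuple shows the "no metadata" answer for an empty directory next to a clean "ok" for a module-less kernel whose modules.builtin covers everything wanted. The design point is the no_metadata status: a missing modules.builtin is not evidence that the kernel has no modules, so the tool says so rather than silently treating it as either case.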

Post by Zucca » Sat Oct 04, 2025 1:23 pm

zen_desu wrote:I've considered making ugrd try to read kernel config directly, but this would have to be a gentoo feature or at least somewhat distro specific because where the .config is installed can differ.
One such semi-standard location is actually /proc/config.gz. There's also a KCONFIG for embedding the config values into the kernel. I've not researched if those config values can be retrieved via syscall, however...
..: Zucca :..

Code:
init=/sbin/openrc-init
-systemd -logind -elogind seatd
I am NaN! I am a man!

Post by Sebastien P. » Sat Oct 04, 2025 3:01 pm

Hi,
Zucca wrote:One such semi-standard location is actually /proc/config.gz.
It depends on the kernel config: https://www.man7.org/linux/man-pages/ma ... .gz.5.html (personally, I deactivate this option).
zen_desu wrote:
Sebastien P. wrote:

Code:
WARNING  | no_kmod is enabled, but kernel modules are set, ensure the following kernel modules are built into the kernel:
WARNING  | Init kernel modules: xfs, dm_crypt
WARNING  | Included kernel modules: sha256_generic
ugrd modules (components) try to figure out if certain parts require kmods, and try to include those. If you're not using a kernel with modules, it will use this info to let you know what modules it wants, so you can figure out the rest.
Thanks for the answer. It also helped to reread the ugrd WARNING during the day.
I should take a look whether I have sha256_generic. But I think I probably do.


My second attempt is a bit better. No module load errors anymore.
But the initrd is stuck at the passphrase input. The keyboard in LDE is OK. But I can't type anything; the system is stuck (even Ctrl+Alt+Del does nothing). The keyboard LEDs for Caps/Num are off, and I cannot change their state.

I notice that USB detection looks incomplete (I have only the first line “usb-1-3”).
(stuck boot with my .config and gentoo-sources)


On working boot, I can see more lines about the keyboard.
(boot of gentoo-sources kernel + .config of gentoo-kernel + modules installation)

I have probably missed an option. But it is not clear right now. Something to do with mei_me, pc_pch or intel_uncore? I am not sure I have these options set. I cannot check right now but will do.

Post by pietinger » Sat Oct 04, 2025 4:03 pm

Sebastien P. wrote:[...] But the initrd is stuck at the passphrase input. The keyboard in LDE is OK. But I can't type anything; the system is stuck (even Ctrl+Alt+Del does nothing). The keyboard LEDs for Caps/Num are off, and I cannot change their state.

[...]

I have probably missed an option. But it is not clear right now. Something to do with mei_me, pc_pch or intel_uncore? I am not sure I have these options set. I cannot check right now but will do.
I don't think it is mei_me, pc_pch or intel_uncore. Please verify the option (should be built-in): CONFIG_KEYBOARD_ATKBD

(A long time ago I got a report that there is no key input possible (when in an initramfs) without this enabled; I have never verified this, so please don't be sad if this is not the problem).
https://wiki.gentoo.org/wiki/User:Pietinger --> https://wiki.gentoo.org/wiki/User:Pieti ... _at_Gentoo

Post by zen_desu » Sat Oct 04, 2025 5:54 pm

Zucca wrote:
zen_desu wrote:I've considered making ugrd try to read kernel config directly, but this would have to be a gentoo feature or at least somewhat distro specific because where the .config is installed can differ.
One such semi-standard location is actually /proc/config.gz. There's also a KCONFIG for embedding the config values into the kernel. I've not researched if those config values can be retrieved via syscall, however...
The issue is targeting a kernel which is not running, so you won't be able to verify the config of a new kernel without the .config file. This is mostly an issue on Arch, iirc.

Post by Sebastien P. » Sat Oct 04, 2025 7:33 pm

pietinger wrote:I don't think it is mei_me, pc_pch or intel_uncore. Please verify the option (should be built-in): CONFIG_KEYBOARD_ATKBD

(A long time ago I got a report that there is no key input possible (when in an initramfs) without this enabled; I have never verified this, so please don't be sad if this is not the problem).
CONFIG_KEYBOARD_ATKBD is for PS/2 and my keyboard is USB. It did not solve my issue :(.

I also tried to add:

Code:
1299c1299,1301
< # CONFIG_INTEL_MEI is not set
---
> CONFIG_INTEL_MEI=y
> CONFIG_INTEL_MEI_ME=y
> # CONFIG_INTEL_MEI_TXE is not set
2029a2032
> CONFIG_MFD_CORE=y
2047c2050
< # CONFIG_LPC_ICH is not set
---
> CONFIG_LPC_ICH=y
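Review bot: the three hunks only switch on chipset support (CONFIG_INTEL_MEI / CONFIG_INTEL_MEI_ME, CONFIG_MFD_CORE, CONFIG_LPC_ICH), none of which is an input or HID driver, so they would not be expected to bring a USB keyboard to life at the passphrase prompt; the ugrd line `Detected driver: hid-generic` earlier in the thread names the driver the keyboard actually binds to, so CONFIG_HID_GENERIC=y is the option to confirm before adding chipset drivers.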
But the load seems stuck/no keyboard input is possible.

These two options are listed in:

Code:
# lspci -vv | grep Kernel
        Kernel driver in use: hsw_uncore
        Kernel driver in use: pcieport
        Kernel driver in use: xhci_hcd
        Kernel driver in use: mei_me
        Kernel modules: mei_me
        Kernel driver in use: ehci-pci
        Kernel driver in use: snd_hda_intel
        Kernel modules: snd_hda_intel
        Kernel driver in use: pcieport
        Kernel driver in use: pcieport
        Kernel driver in use: ehci-pci
        Kernel driver in use: lpc_ich
        Kernel modules: lpc_ich
        Kernel driver in use: ahci
        Kernel driver in use: i801_smbus
        Kernel modules: i2c_i801
        Kernel driver in use: radeon
        Kernel modules: radeon, amdgpu
        Kernel driver in use: snd_hda_intel
        Kernel modules: snd_hda_intel
        Kernel driver in use: r8169
        Kernel modules: r8169
But I did not have them inside my kernel (Y/m) before. My config should contain what is needed for the other options.

I will check lsmod (with the started gentoo-kernel config): https://pastebin.com/REMmtJDd to see if I may have loaded modules that may be useful.
My current .config: https://pastebin.com/Wd1MK9Br

I will try to look a bit tomorrow and create another subject on kernel topics.

Post by pietinger » Sat Oct 04, 2025 8:07 pm

Sebastien P. wrote:CONFIG_KEYBOARD_ATKBD is for PS2 and my keyboard is USB. It did not solve my issue :(
Yes ... and no ... some BIOS have the option to present a USB keyboard VERY early as a PS/2 keyboard to the system ... maybe look into your UEFI-BIOS settings for that (don't worry, this has no influence later when the kernel initializes USB and evdev) ... and for this you need this option as built-in. (You surely already know that the kernel starts the /init of the initramfs after initializing built-in modules and BEFORE all <M>odules).

Post by Sebastien P. » Sat Oct 04, 2025 9:51 pm

I am pretty sure that I do not have any keyboard option in the BIOS.

But more important, I took a look at ugrd output:

Code:
INFO     | [Mitsumi Electric Mitsumi USB Multimedia Keyboard / Mouse (Wireless)] Detected driver: hid-generic
Adding CONFIG_HID_GENERIC solves the issue!
Even though it shows: “hid-generic HEXA_CODE device has no listeners, quitting”

Post by Zucca » Sun Oct 05, 2025 12:05 pm

zen_desu wrote:the issue is targeting a kernel which is not running
... ah, of course. (D'oh!)

Anyway, this might interest you:

Code:
┌── Kernel .config support ──────────────────────────────────────────┐
│                                                                    │
│ CONFIG_IKCONFIG:                                                   │
│                                                                    │
│ This option enables the complete Linux kernel ".config" file       │
│ contents to be saved in the kernel. It provides documentation      │
│ of which kernel options are used in a running kernel or in an      │
│ on-disk kernel.  This information can be extracted from the kernel │
│ image file with the script scripts/extract-ikconfig and used as    │
│ input to rebuild the current kernel or to build another kernel.    │
│ It can also be extracted from a running kernel by reading          │
│ /proc/config.gz if enabled (below).                                │
│                                                                    │
│ Symbol: IKCONFIG [=y]                                              │
│ Type  : tristate                                                   │
│ Defined at init/Kconfig:704                                        │
│   Prompt: Kernel .config support                                   │
│   Location:                                                        │
│     -> General setup                                               │
│       -> Kernel .config support (IKCONFIG [=y])                    │
│                                                                    │
│                                                                    │
│                                                                    │
│                               <OK>                                 │
└────────────────────────────────────────────────────────────────────┘
... now if Arch kernel has been configured with CONFIG_IKCONFIG, you might have ways...
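The .config can be read back from the running kernel's /proc/config.gz (with CONFIG_IKCONFIG_PROC) or from the file kept beside the kernel sources, and either way the question this thread keeps running into is the same: is a given option =y, =m or absent? The following is an added example for this thread, not ugrd's code: it parses a .config or config.gz, counts the =m options the way `grep -c '=m'` does, and audits a list of symbols, treating =m as missing when the initramfs was built with no_kmod. The sample config text is constructed; the symbol names are the real ones discussed above (CONFIG_HID_GENERIC, CONFIG_KEYBOARD_ATKBD, CONFIG_INTEL_MEI_ME, CONFIG_LPC_ICH).

```python
"""Read a kernel config and report whether the options an initramfs needs are
built in (=y), loadable (=m) or absent. Added example for this thread, not
ugrd's code. Accepts a plain .config or the running kernel's /proc/config.gz
(present only with CONFIG_IKCONFIG_PROC=y). The sample config text is
constructed; the symbol names are real Kconfig symbols from the thread."""
import gzip
import tempfile
from pathlib import Path
from typing import Optional

# Constructed .config excerpt: storage and dm-crypt built in, HID generic left
# out, the Intel MEI driver as a module.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_BTRFS_FS=y
CONFIG_XFS_FS=y
CONFIG_DM_CRYPT=y
CONFIG_KEYBOARD_ATKBD=y
# CONFIG_HID_GENERIC is not set
CONFIG_INTEL_MEI_ME=m
# CONFIG_LPC_ICH is not set
CONFIG_DEFAULT_HOSTNAME="(none)"
"""


def parse_kconfig(text: str) -> dict[str, str]:
    """Map CONFIG_* symbols to 'y', 'm', 'n' (explicitly not set) or a literal value."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            cfg[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key] = value.strip('"')
    return cfg


def load_kconfig(path: Path) -> dict[str, str]:
    """Plain .config or a gzip-compressed config such as /proc/config.gz."""
    opener = gzip.open if path.name.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_kconfig(fh.read())


def running_kernel_config() -> Optional[dict[str, str]]:
    """The running kernel's config, or None when /proc/config.gz is not exposed."""
    proc = Path("/proc/config.gz")
    return load_kconfig(proc) if proc.exists() else None


def count_loadable(cfg: dict[str, str]) -> int:
    """Same count as `grep -c '=m' .config`."""
    return sum(1 for value in cfg.values() if value == "m")


def audit_builtin(cfg: dict[str, str], required, initramfs_has_modules: bool) -> dict[str, str]:
    """Verdict per symbol: 'builtin', 'module' or 'missing'. When the initramfs is
    built with no_kmod, '=m' counts as missing: nothing loads the module before
    /init needs it."""
    verdicts = {}
    for sym in required:
        value = cfg.get(sym, "n")       # a symbol absent from .config is off
        if value == "y":
            verdicts[sym] = "builtin"
        elif value == "m" and initramfs_has_modules:
            verdicts[sym] = "module"
        else:
            verdicts[sym] = "missing"
    return verdicts


def demo_roundtrip() -> bool:
    """Write the sample as config.gz and confirm load_kconfig reads it back."""
    with tempfile.TemporaryDirectory() as tmp:
        gz = Path(tmp) / "config.gz"
        with gzip.open(gz, "wt") as fh:
            fh.write(SAMPLE_CONFIG)
        return load_kconfig(gz) == parse_kconfig(SAMPLE_CONFIG)


if __name__ == "__main__":
    cfg = running_kernel_config() or parse_kconfig(SAMPLE_CONFIG)
    print(count_loadable(cfg), "options built as modules")
    print(audit_builtin(cfg, ["CONFIG_BTRFS_FS", "CONFIG_DM_CRYPT", "CONFIG_HID_GENERIC"], False))
```

Run as a script it prefers the live /proc/config.gz and falls back to the constructed sample; the point worth noting is the initramfs_has_modules flag in audit_builtin: for a no_kmod image an =m driver is as unavailable at the passphrase prompt as one that was never enabled, which is exactly the hid-generic situation from this thread.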

Post by WizNut » Thu Mar 05, 2026 3:53 am

Does uGRD support Secure Boot without Shim using user-generated Secure Boot keys?

Also, the new (Feb 12th) 2.14 version of Grub2 has support for LUKS containers using Argon2 (the docs say PBKDF2 only, but it does support Argon2; there’s a documentation patch that’s been submitted…). Also, it supports using the TPM2 key protector to secure the encryption key for a LUKS container. Any possibilities of support for this? I can imagine a 3 partition setup. First partition is a 1 GiB VFAT ESP. Second is a 1 GiB Argon2 LUKS container with /boot which Grub2 decrypts using a key sealed in the TPM2. Third is an Argon2 LUKS container secured with a Yubikey, uses the rest of the drive, and contains everything else.

Also, does uGRD support LVM over LUKS?

What about hibernation together with LUKS?

Finally, there’s a patch that’s been submitted to allow Argon2 hashing of Grub2 authentication passwords (plus a new “mkpasswd-argon2” utility). Any possibility of supporting this when it comes out (does uGRD even support PBKDF2-based grub authentication)? IIRC, it does support Grub2 detached GnuPG signatures and kernel module signatures, right?…

https://www.gnu.org/software/grub/manua ... index.html

https://lists.gnu.org/archive/html/grub ... 00071.html

https://lists.gnu.org/archive/html/grub ... 00032.html

Edit: added links to relevant posts in the grub-devel archive.
Last edited by WizNut on Thu Mar 05, 2026 3:58 am, edited 1 time in total.
Post by zen_desu » Thu Mar 05, 2026 3:58 am

WizNut wrote:Does uGRD support Secure Boot without Shim using user-generated Secure Boot keys?
Yes, but not because it "supports" this but because the initrd generator is not really involved.
WizNut wrote: Also, the new (Feb 12th) 2.14 version of Grub2 has support for LUKS containers using Argon2 (the docs say PBKDF2 only, but it does support Argon2; there’s a documentation patch that’s been submitted…). Also, it supports using the TPM2 key protector to secure the encryption key for a LUKS container. Any possibilities of support for this? I can imagine a 3 partition setup. First partition is a 1 GiB VFAT ESP. Second is a 1 GiB Argon2 LUKS container with /boot which Grub2 decrypts using a key sealed in the TPM2. Third is an Argon2 LUKS container secured with a Yubikey, uses the rest of the drive, and contains everything else.
Yes, but tbh I would not bother with encrypting boot stuff (especially if using secure boot).
You can use a passphrase and a yubikey protected keyfile for the same device by using multiple luks keyslots.

I would only let grub handle encryption if you want something fancy like btrfs subvol support for kernel stuff, and happen to use encryption.
WizNut wrote: Also, does uGRD support LVM over LUKS?
Yes.
WizNut wrote: What about hibernation together with LUKS?
Only on the latest git version right now (9999).

WizNut wrote: Finally, there’s a patch that’s been submitted to allow Argon2 hashing of Grub2 authentication passwords (plus a new “mkpasswd-argon2” utility). Any possibility of supporting this when it comes out (does uGRD even support PBKDF2-based grub authentication)? IIRC, it does support Grub2 detached GnuPG signatures and kernel module signatures, right?…

https://www.gnu.org/software/grub/manua ... index.html
ugrd's image runs after grub finishes, so I'm not sure what support between the two would look like.
Post by WizNut » Thu Mar 05, 2026 4:01 am

Thanks! I’ve edited my post to include more references.

Also, is there any specific reason to use Btrfs?
Post by zen_desu » Thu Mar 05, 2026 4:21 am

WizNut wrote:Thanks! I’ve edited my post to include more references.

Also, is there any specific reason to use Btrfs?
Nope, there is no requirement, it was just an example.


If you want to keep things simple with secure boot, UKIs are probably the best option. ugrd isn't involved in making them, and something like ukify will pack any kernel + initramfs into a single UKI. That means there is only a single file that needs to be signed and booted.
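A UKI is a single PE/COFF file whose kernel, initramfs, command line and os-release travel as named sections, which is why one signature covers all of them. As an added example for this thread (not ukify's, systemd-stub's or ugrd's code), here is a parser that walks a PE section table and reports which UKI sections an image carries, which required ones are missing, and the embedded command line, so the contents can be checked before the file is signed. The build_uki_like_pe() helper and SAMPLE_UKI are constructed, non-bootable stand-ins so the parser can run offline; on a real image you would pass the bytes of the .efi file instead.

```python
"""List and sanity-check the sections of a unified kernel image (UKI). Added
example for this thread; neither ukify's nor ugrd's code. The section-table
walk follows the PE/COFF format; build_uki_like_pe() constructs a minimal,
non-bootable stand-in purely so the parser can be exercised offline."""
import struct

# Commonly used UKI section names; .linux is mandatory and an initramfs-based
# boot additionally needs .initrd.
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".uname",
                ".splash", ".dtb", ".sbat", ".pcrsig", ".pcrpkey")
REQUIRED_SECTIONS = (".linux", ".initrd")


def pe_sections(data: bytes) -> dict[str, bytes]:
    """Walk the PE section table and return {name: payload bytes} for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                               # first section header
    sections = {}
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        # SizeOfRawData is padded to the file alignment; VirtualSize is the payload length.
        length = vsize if 0 < vsize < raw_size else raw_size
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + length]
    return sections


def inspect_uki(data: bytes) -> dict:
    """Report which UKI sections are present, which required ones are missing,
    and the embedded kernel command line (worth reading before signing)."""
    sections = pe_sections(data)
    cmdline = sections.get(".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace")
    return {
        "sections": sorted(sections),
        "unknown": sorted(s for s in sections if s not in UKI_SECTIONS),
        "missing": [s for s in REQUIRED_SECTIONS if s not in sections],
        "cmdline": cmdline,
        "kernel_bytes": len(sections.get(".linux", b"")),
        "initrd_bytes": len(sections.get(".initrd", b"")),
    }


def build_uki_like_pe(payloads: dict[str, bytes], align: int = 512) -> bytes:
    """Constructed stand-in for a UKI: a PE/COFF shell (no optional header, no
    code) carrying the given sections. Enough for pe_sections(); not bootable."""
    n = len(payloads)
    pe_off = 64                                  # right after the DOS header
    opt_size = 0
    headers_end = pe_off + 4 + 20 + opt_size + 40 * n
    data_start = -(-headers_end // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x0002)  # x86-64, executable
    table, blobs, cursor, vaddr = b"", b"", data_start, 0x1000
    for name, blob in payloads.items():
        raw_size = -(-len(blob) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(blob), vaddr, raw_size, cursor, 0, 0, 0, 0, 0x40000040)
        blobs += blob.ljust(raw_size, b"\0")
        cursor += raw_size
        vaddr += raw_size
    return (dos + b"PE\0\0" + coff + table).ljust(data_start, b"\0") + blobs


# Constructed payloads standing in for a kernel, a ugrd cpio and its cmdline.
SAMPLE_UKI = build_uki_like_pe({
    ".osrel": b'NAME="Gentoo"\nID=gentoo\n',
    ".cmdline": b"root=/dev/mapper/root quiet",
    ".linux": b"\x7fELF" + b"\0" * 60,
    ".initrd": b"070701" + b"\0" * 100,
})

if __name__ == "__main__":
    print(inspect_uki(SAMPLE_UKI))
```

The check that matters for the Secure Boot discussion above is the one on "missing" and "cmdline": a UKI without .initrd will not find ugrd's image at all, and whatever sits in .cmdline is signed along with the kernel, so it is the place to look for stray debugging options before the file is signed.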
Post by WizNut » Thu Mar 05, 2026 4:51 am

Ok.

Also, the purpose of using separate encrypted LUKS containers for /boot and for everything else, securing /boot with the TPM2 and securing everything else with a Yubikey, is so that the OS will only load in a machine with that particular TPM2 chip, firmware (UEFI, etc.) and CMOS configuration, and also that the user possesses the correct Yubikey and knows its PIN.

Using a single partition with the TPM2-sealed key and the Yubikey-protected key in separate keyslots would allow either to be used to unlock the LUKS container (and, seeing as unsealing the TPM2-sealed key only requires that the drive be installed in the proper machine with the proper firmware, and doesn’t require a passphrase or password, it would completely defeat the entire purpose of the encryption).

Also, any plans for support for Nitrokeys?
Post by zen_desu » Thu Mar 05, 2026 4:53 am

WizNut wrote:Ok.

Also, the purpose of using separate encrypted LUKS containers for /boot and for everything else, securing /boot with the TPM2 and securing everything else with a Yubikey, is so that the OS will only load in a machine with that particular TPM2 chip, firmware (UEFI, etc.) and CMOS configuration, and also that the user possesses the correct Yubikey and knows its PIN.

Using a single partition with the TPM2-sealed key and the Yubikey-protected key in separate keyslots would allow either to be used to unlock the LUKS container (and, seeing as unsealing the TPM2-sealed key only requires that the drive be installed in the proper machine with the proper firmware, and doesn’t require a passphrase or password, it would completely defeat the entire purpose of the encryption).

Also, any plans for support for Nitrokeys?
I have only tested with a Yubikey, but the "yubikey" support in ugrd is really just GPG smartcard support. It uses gpg and should be pretty generic.


ugrd does not support TPM-backed keyfiles, but secure boot would be verifying the kernel that runs regardless of whether or not it's on encrypted storage.
I think it's easiest to keep it simple and directly boot a kernel/UKI and not worry about encrypting it, because it just means you have to enter keys more times, and verification of early boot stuff is more important than encryption imo.
Post by WizNut » Thu Mar 05, 2026 8:36 am

Is my understanding correct that uGRD doesn’t provide any plugins to installkernel for making UKIs? Am I, also, correct that, in order to create a UKI on an OpenRC system, I will need to use Dracut to both generate the initramfs and create the UKI?

I’m confused…
Post by nicop » Thu Mar 05, 2026 11:48 am

I use an embedded initramfs in the kernel: https://wiki.gentoo.org/wiki/EFI_stub#O ... _initramfs
Is it what you want?
Post by WizNut » Thu Mar 05, 2026 12:35 pm

nicop wrote:I use an embedded initramfs in the kernel: https://wiki.gentoo.org/wiki/EFI_stub#O ... _initramfs
Is it what you want?
Yeah, but I was hoping for it to be automated using installkernel hooks. Dracut uses hooks to build an initramfs and also to create and install a UKI. Ukify uses hooks to create and install a UKI based off of a previously built initramfs and kernel, but requires systemd. And uGRD appears to only use hooks to create an initramfs.
Post by GDH-gentoo » Thu Mar 05, 2026 12:47 pm

WizNut wrote:Yeah, but I was hoping for it to be automated using installkernel hooks. Dracut uses hooks to build an initramfs and also to create and install a UKI. Ukify uses hooks to create and install a UKI based off of a previously built initramfs and kernel, but requires systemd. And uGRD appears to only use hooks to create an initramfs.
If you want to use µgRD, but you also want a UKI with µgRD's initramfs (and Gentoo's automation), you need ukify for creating it.

But, ukify or no ukify, you need sys-apps/systemd-utils anyway if you want a UKI (for systemd-stub).
Ionen wrote:As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)
Post by WizNut » Thu Mar 05, 2026 12:57 pm

GDH-gentoo wrote:If you want to use µgRD, but you also want a UKI with µgRD's initramfs (and Gentoo's automation), you need ukify for creating it.

But, ukify or no ukify, you need sys-apps/systemd-utils anyway if you want a UKI (for systemd-stub).
So, there’s no way to get a UKI with OpenRC? I’m forced to use systemd as my init system… :(
Post by pietinger » Thu Mar 05, 2026 2:01 pm

WizNut wrote:So, there’s no way to get a UKI with OpenRC? I’m forced to use systemd as my init system… :(
No! You can have an OpenRC system AND a UKI ... you only need the package "sys-apps/systemd-utils" because this package contains the systemd-stub. Using this package does NOT mean you must have a systemd system. 8)

If you want to use the kernel's own efi-stub and don't want the systemd-stub, then you must create a UKI manually (I did).

(See more in:
https://wiki.gentoo.org/wiki/User:Pieti ... _Beginners
https://wiki.gentoo.org/wiki/User:Pieti ... figuration
https://wiki.gentoo.org/wiki/User:Pieti ... l_via_UEFI
https://wiki.gentoo.org/wiki/User:Pieti ... IO_archive
manually change to SecureBoot:
https://forums.gentoo.org/viewtopic-p-8 ... ml#8492354 )