46 changes: 10 additions & 36 deletions archinstall/lib/installer.py
Expand Up @@ -98,8 +98,7 @@ def __init__(
self._binaries: list[str] = []
self._files: list[str] = []

# systemd, sd-vconsole and sd-encrypt will be replaced by udev, keymap and encrypt
# if HSM is not used to encrypt the root volume. Check mkinitcpio() function for that override.
# sd-encrypt is inserted by _prepare_encrypt() when disk encryption is configured
self._hooks: list[str] = [
'base',
'systemd',
Expand Down Expand Up @@ -818,14 +817,6 @@ def mkinitcpio(self, flags: list[str]) -> bool:
content = re.sub('\nBINARIES=(.*)', f'\nBINARIES=({" ".join(self._binaries)})', content)
content = re.sub('\nFILES=(.*)', f'\nFILES=({" ".join(self._files)})', content)

if not self._disk_encryption.hsm_device:
# For now, if we don't use HSM we revert to the old
# way of setting up encryption hooks for mkinitcpio.
# This is purely for stability reasons, we're going away from this.
# * systemd -> udev
# * sd-vconsole -> keymap
self._hooks = [hook.replace('systemd', 'udev').replace('sd-vconsole', 'keymap consolefont') for hook in self._hooks]

content = re.sub('\nHOOKS=(.*)', f'\nHOOKS=({" ".join(self._hooks)})', content)
mkinit.seek(0)
mkinit.truncate()
Expand Down Expand Up @@ -867,11 +858,8 @@ def _prepare_encrypt(self, before: str = 'filesystems') -> None:
# Required by mkinitcpio to add support for fido2-device options
self.pacman.strap('libfido2')

if 'sd-encrypt' not in self._hooks:
self._hooks.insert(self._hooks.index(before), 'sd-encrypt')
else:
if 'encrypt' not in self._hooks:
self._hooks.insert(self._hooks.index(before), 'encrypt')
if 'sd-encrypt' not in self._hooks:
self._hooks.insert(self._hooks.index(before), 'sd-encrypt')

def minimal_installation(
self,
Expand Down Expand Up @@ -1103,19 +1091,13 @@ def _get_kernel_params_partition(
# TODO: We need to detect if the encrypted device is a whole disk encryption,
# or simply a partition encryption. Right now we assume it's a partition (and we always have)

debug(f'Root partition is an encrypted device, identifying by UUID: {root_partition.uuid}')
kernel_parameters.append(f'rd.luks.name={root_partition.uuid}=root')

if self._disk_encryption.hsm_device:
debug(f'Root partition is an encrypted device, identifying by UUID: {root_partition.uuid}')
# Note: UUID must be used, not PARTUUID for sd-encrypt to work
kernel_parameters.append(f'rd.luks.name={root_partition.uuid}=root')
# Note: tpm2-device and fido2-device don't play along very well:
# https://github.com/archlinux/archinstall/pull/1196#issuecomment-1129715645
kernel_parameters.append('rd.luks.options=fido2-device=auto,password-echo=no')
elif partuuid:
debug(f'Root partition is an encrypted device, identifying by PARTUUID: {root_partition.partuuid}')
kernel_parameters.append(f'cryptdevice=PARTUUID={root_partition.partuuid}:root')
else:
debug(f'Root partition is an encrypted device, identifying by UUID: {root_partition.uuid}')
kernel_parameters.append(f'cryptdevice=UUID={root_partition.uuid}:root')

if id_root:
kernel_parameters.append('root=/dev/mapper/root')
Expand Down Expand Up @@ -1147,21 +1129,13 @@ def _get_kernel_params_lvm(

uuid = self._get_luks_uuid_from_mapper_dev(pv_seg_info.pv_name)

if self._disk_encryption.hsm_device:
debug(f'LvmOnLuks, encrypted root partition, HSM, identifying by UUID: {uuid}')
kernel_parameters.append(f'rd.luks.name={uuid}=cryptlvm root={lvm.safe_dev_path}')
else:
debug(f'LvmOnLuks, encrypted root partition, identifying by UUID: {uuid}')
kernel_parameters.append(f'cryptdevice=UUID={uuid}:cryptlvm root={lvm.safe_dev_path}')
debug(f'LvmOnLuks, encrypted root partition, identifying by UUID: {uuid}')
kernel_parameters.append(f'rd.luks.name={uuid}=cryptlvm root={lvm.safe_dev_path}')
case EncryptionType.LuksOnLvm:
uuid = self._get_luks_uuid_from_mapper_dev(lvm.mapper_path)

if self._disk_encryption.hsm_device:
debug(f'LuksOnLvm, encrypted root partition, HSM, identifying by UUID: {uuid}')
kernel_parameters.append(f'rd.luks.name={uuid}=root root=/dev/mapper/root')
else:
debug(f'LuksOnLvm, encrypted root partition, identifying by UUID: {uuid}')
kernel_parameters.append(f'cryptdevice=UUID={uuid}:root root=/dev/mapper/root')
debug(f'LuksOnLvm, encrypted root partition, identifying by UUID: {uuid}')
kernel_parameters.append(f'rd.luks.name={uuid}=root root=/dev/mapper/root')
case EncryptionType.NoEncryption:
debug(f'Identifying root lvm by mapper device: {lvm.dev_path}')
kernel_parameters.append(f'root={lvm.safe_dev_path}')
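Review bot: In `_get_kernel_params_partition` the `elif partuuid:` branch is deleted, so the `partuuid` argument looks dead unless something outside the hunk still reads it; the signature starts outside the hunk, so if it still accepts `partuuid` either drop the parameter or add a comment saying sd-encrypt ignores it. The removed note `# Note: UUID must be used, not PARTUUID for sd-encrypt to work` is the only stated reason the PARTUUID path no longer exists and should be restored above the now-unconditional `rd.luks.name={root_partition.uuid}=root` line so a PARTUUID variant is not reintroduced later. The non-HSM path now relies on systemd-cryptsetup prompting for the passphrase instead of the old `encrypt` hook, which presumably only holds because the `mkinitcpio()` override that rewrote `systemd`/`sd-vconsole` to `udev`/`keymap` is gone; a one-line comment beside the `if self._disk_encryption.hsm_device:` block stating that `rd.luks.options` is HSM-only and that the plain-LUKS case is handled by the `sd-encrypt` hook would make that dependency visible.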