Arch UKI build with grub-btrfs snapshot menu in grub

Operating Systems & Open Source Linux
,
1

hi :slight_smile: i’m trying to get arch working with UKI and grub-btrfs snapshots menu… but no matter what i try i can’t get it to boot…

to install grub i have to set cryptodisk=y but that results in grub tries to unlock my luks partitions even if i remove it after…

This is a function in my script where i try to get around it:

Script Function

setup_grub_bootloader() {
section_header “GRUB Bootloader Installation and Theme Setup”

local theme_dir=“$GRUB_THEME_DIR”
local gfx_mode=“$GRUB_GFXMODE”
local theme_url=“$GRUB_THEME_URL”
local grub_cfg_file=“/mnt/etc/default/grub”
local grub_efi=“/efi/EFI/GRUB/grubx64.efi”
local fallback_efi=“/mnt/efi/EFI/Boot/BOOTX64.EFI”
local early_config=“/mnt/boot/grub/user.cfg”
local custom_cfg=“/mnt/boot/grub/custom.cfg”

Download and extract GRUB theme

info_print “Downloading and installing GRUB theme: $theme_dir”
mkdir -p “/mnt/boot/grub/themes/$theme_dir”
if curl -sS “$theme_url” -o /tmp/theme.zip >> “$LOGFILE” 2>&1; then
bsdtar -xf /tmp/theme.zip -C “/mnt/boot/grub/themes/$theme_dir” >> “$LOGFILE” 2>&1
startup_ok “GRUB theme extracted to /boot/grub/themes/$theme_dir”
else
warning_print “Failed to download GRUB theme. Skipping theme installation.”
fi

Configure grub

info_print “Configuring /etc/default/grub…”
sed -i “s|^GRUB_GFXMODE=.|GRUB_GFXMODE=$gfx_mode|" “$grub_cfg_file”
sed -i "s|^GRUB_GFXPAYLOAD_LINUX=.|GRUB_GFXPAYLOAD_LINUX=keep|” “$grub_cfg_file”
sed -i “s|^GRUB_THEME=.|GRUB_THEME="/boot/grub/themes/$theme_dir/theme.txt"|" “$grub_cfg_file”
sed -i "s|^GRUB_TERMINAL_OUTPUT=.|GRUB_TERMINAL_OUTPUT=gfxterm|” “$grub_cfg_file”
sed -i “s|^GRUB_TIMEOUT=.|GRUB_TIMEOUT=5|" “$grub_cfg_file”
sed -i "s|^GRUB_TIMEOUT_STYLE=.|GRUB_TIMEOUT_STYLE=menu|” “$grub_cfg_file”

grep -q “^GRUB_GFXMODE=” “$grub_cfg_file” || echo “GRUB_GFXMODE=$gfx_mode” >> “$grub_cfg_file”
grep -q “^GRUB_GFXPAYLOAD_LINUX=” “$grub_cfg_file” || echo “GRUB_GFXPAYLOAD_LINUX=keep” >> “$grub_cfg_file”
grep -q “^GRUB_THEME=” “$grub_cfg_file” || echo “GRUB_THEME="/boot/grub/themes/$theme_dir/theme.txt"” >> “$grub_cfg_file”
grep -q “^GRUB_TERMINAL_OUTPUT=” “$grub_cfg_file” || echo “GRUB_TERMINAL_OUTPUT=gfxterm” >> “$grub_cfg_file”
grep -q “^GRUB_TIMEOUT=” “$grub_cfg_file” || echo “GRUB_TIMEOUT=5” >> “$grub_cfg_file”
grep -q “^GRUB_TIMEOUT_STYLE=” “$grub_cfg_file” || echo “GRUB_TIMEOUT_STYLE=menu” >> “$grub_cfg_file”

Add ‘quiet splash’

if grep -q ‘^GRUB_CMDLINE_LINUX="’ “$grub_cfg_file”; then
sed -i ‘s|^GRUB_CMDLINE_LINUX="([^"]*)"|GRUB_CMDLINE_LINUX="quiet splash \1"|’ “$grub_cfg_file”
else
echo ‘GRUB_CMDLINE_LINUX=“quiet splash”’ >> “$grub_cfg_file”
fi

echo ‘GRUB_SPLASH=“/boot/plymouth/arch-logo.png”’ >> “$grub_cfg_file”

Create GRUB user config to disable cryptodisk

info_print “Creating GRUB early user config to disable cryptodisk…”
mkdir -p “$(dirname “$early_config”)”
echo “set disable_cryptodisk=true” > “$early_config”
echo “GRUB_DISABLE_CRYPTODISK=y” >> “$grub_cfg_file”
startup_ok “Early GRUB config created to disable cryptodisk.”

Enable cryptodisk for install step only

echo ‘GRUB_ENABLE_CRYPTODISK=y’ >> “$grub_cfg_file”

Install GRUB bootloader

info_print “Installing GRUB bootloader with cryptodisk enabled (temporary)…”
local grub_nvram_flag
grub_nvram_flag=$(arch-chroot /mnt systemd-detect-virt --quiet && echo “–no-nvram” || echo “”)

if arch-chroot /mnt grub-install
–target=x86_64-efi
–efi-directory=/efi
–bootloader-id=GRUB
$grub_nvram_flag
–modules=“part_gpt part_msdos fat ext2 normal efi_gop efi_uga gfxterm gfxmenu all_video boot linux configfile search search_fs_uuid search_label search_fs_file”
–recheck >> “$LOGFILE” 2>&1; then
startup_ok “GRUB bootloader installed successfully.”
else
error_print “GRUB install failed!”
exit 1
fi

Remove cryptodisk again

sed -i ‘/^GRUB_ENABLE_CRYPTODISK/d’ “$grub_cfg_file”

Remove luks-related grub modules to prevent luks-unlock

rm -f /mnt/boot/grub/luks.mod /mnt/boot/grub/cryptodisk.mod

Sign grubx64.efi (inside chroot)

if arch-chroot /mnt sbsign
–key /etc/secureboot/keys/db.key
–cert /etc/secureboot/keys/db.crt
–output /efi/EFI/GRUB/grubx64.efi
/efi/EFI/GRUB/grubx64.efi >> “$LOGFILE” 2>&1; then
startup_ok “grubx64.efi signed.”
else
warning_print “Failed to sign grubx64.efi”
fi

Copy to fallback

mkdir -p /mnt/efi/EFI/Boot
cp /mnt/efi/EFI/GRUB/grubx64.efi /mnt/efi/EFI/Boot/BOOTX64.EFI
[[ -f “$fallback_efi” ]] && startup_ok “Fallback BOOTX64.EFI updated.” || warning_print “Fallback BOOTX64.EFI was not created.”

Write custom.cfg with chainloader entry

info_print “Adding custom GRUB entry to chainload signed UKI…”
local efi_uuid=$(blkid -s UUID -o value “$EFI_PARTITION”)
cat < “$custom_cfg”
menuentry “Arch Linux (UKI chainload)” {
insmod fat
insmod chain
search --no-floppy --set=root --fs-uuid $efi_uuid
chainloader /EFI/Linux/arch.efi
}
EOF
startup_ok “Custom GRUB chainloader entry created.”

Generate grub.cfg

info_print “Generating grub.cfg…”
if arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg >> “$LOGFILE” 2>&1; then
startup_ok “grub.cfg generated.”
else
error_print “Failed to generate grub.cfg!”
exit 1
fi

startup_ok “GRUB setup complete. Using UKI for LUKS unlock via chainloader.”
}

it’s from at arch install script im trying to write :slight_smile:

2

Any help or hints is deeply appreciated :slight_smile: