Hello, thank you very much for this excellent system, it fulfills its mission of delivering the most up-to-date and stable KDE Plasma.

I have an encrypted partition and I would like the system to decrypt it during boot, so I added the following information

kernel_cmdline=" usbcore.autosuspend=-1 hpet=disable i8042.nopnp root=UUID=f991cf2a-3f77-4e3f-bc69-36f98097ba3f rd.luks.uuid=35837360-fc11-4ac9-ba91-4f4626150e5b luks.options=tpm2-device=auto rw quiet rootfstype=ext4 rd.auto=1 "

in /etc/dracut.d/meus.conf and in /boot/loader/entries/meu.conf, which I use for boot. I also added the following module

add_dracutmodules+=" tpm2-tss "

in Dracut, and later I ran the command

# systemd-cryptenroll /dev/sda2 --wipe-slot=empty --tpm2-device=auto

to add the keys to the TPM2 chip. The settings added in Dracut have worked on all the distros I have tested, namely Debian, Kubuntu and Manjaro, without systemd-boot but with #uefi="yes" in Dracut, using the .efi directly, and the system does in fact decrypt the partition during boot, but this does not happen with KaOS. For this reason I was thinking about doing a reinstallation without encryption, but because I have a lot of information on the disk, I would like some help before I make the decision.

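Before rebooting into TPM2 auto-unlock it is worth checking that the loader entry, the dracut drop-in and the LUKS device actually agree with each other. The script below is an added example written for this thread, not code from the original posts or from KaOS, dracut or systemd; it embeds constructed copies of the two files using the UUIDs quoted above, and assumes you pass it the UUID that `cryptsetup luksUUID /dev/sda2` reports for the real device.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a systemd-boot loader entry
# and a dracut drop-in before relying on rd.luks.uuid + luks.options=tpm2-device=auto.
# Every input below is constructed; the real files live under
# /boot/loader/entries/ and /etc/dracut.conf.d/ on a stock dracut.

# Constructed copy of the loader entry (UUIDs are the ones quoted in the thread).
LOADER_ENTRY='title   KaOS
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
options usbcore.autosuspend=-1 root=UUID=f991cf2a-3f77-4e3f-bc69-36f98097ba3f rd.luks.uuid=35837360-fc11-4ac9-ba91-4f4626150e5b luks.options=tpm2-device=auto rw rootfstype=ext4 rd.auto=1'

# Constructed copy of the dracut drop-in.
DRACUT_CONF='add_dracutmodules+=" tpm2-tss "
kernel_cmdline=" rd.luks.uuid=35837360-fc11-4ac9-ba91-4f4626150e5b luks.options=tpm2-device=auto "'

# Print the value of the "options" line of a loader entry read from stdin.
loader_options() {
    sed -n 's/^options[[:space:]]\{1,\}//p'
}

# Print the rd.luks.uuid= value from a kernel command line read from stdin
# (prints nothing when the parameter is absent).
cmdline_luks_uuid() {
    tr ' ' '\n' | sed -n 's/^rd\.luks\.uuid=//p' | head -n 1
}

# Succeed when the exact whitespace-separated token is on the command line (stdin).
cmdline_has_token() {
    tr ' ' '\n' | grep -qx -- "$1"
}

# Succeed when the dracut drop-in on stdin pulls in the named dracut module.
dracut_has_module() {
    grep -E '^add_dracutmodules\+=' | tr -d '"' | tr ' ' '\n' | grep -qx -- "$1"
}

# Compare both files against the LUKS UUID the device really reports
# (argument: output of `cryptsetup luksUUID /dev/sda2`).
# Prints one line per finding and returns the number of findings (0 = consistent).
check_unlock_config() {
    device_uuid=$1
    findings=0
    opts=$(printf '%s\n' "$LOADER_ENTRY" | loader_options)
    entry_uuid=$(printf '%s\n' "$opts" | cmdline_luks_uuid)
    if [ "$entry_uuid" != "$device_uuid" ]; then
        echo "rd.luks.uuid in loader entry ($entry_uuid) does not match device ($device_uuid)"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$opts" | cmdline_has_token luks.options=tpm2-device=auto; then
        echo "loader entry lacks luks.options=tpm2-device=auto"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$DRACUT_CONF" | dracut_has_module tpm2-tss; then
        echo "dracut drop-in does not add the tpm2-tss module"
        findings=$((findings + 1))
    fi
    return $findings
}

# Usage: check_unlock_config "$(cryptsetup luksUUID /dev/sda2)"
```

Two caveats for anyone adapting this: a stock dracut reads drop-ins from /etc/dracut.conf.d/*.conf, so a file under /etc/dracut.d/ is ignored unless dracut was told to look there; and because the enrollment command above passes no --tpm2-pcrs, systemd-cryptenroll binds the key to PCR 7 by default, which means the unlock policy follows the Secure Boot state rather than the kernel or initramfs contents.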

First off, I have no experience with encryption, but it would be nice to get this working with systemd-boot & dracut too.
Have you looked into the systemd-boot specific recommendations for this?
https://systemd.io/BOOT_LOADER_INTERFACE/
Also, one thing to consider is that KaOS uses /boot for the EFI partition; afaik, the distros you mention above use /boot/efi or some variation of that.

Hi demm, thank you very much for your reply.

systemd-boot validates /boot as a mount point for boot files. And the systems above use both /boot/efi and /boot. I don't know what I'm doing wrong to make it not work, but I'll keep investigating until I find the solution.

Hi, again!!

Tried to change from dracut to mkinitcpio and added these hooks: (base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck), but running mkinitcpio -P says
....
-> Running build hook: [systemd]
==> ERROR: file not found: ``@/usr/lib/systemd/system-generators/systemd-fstab-generator'

==> ERROR: file not found: ``/usr/lib/libnss_files.so'
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
==> ERROR: Hook 'kms' cannot be found
-> Running build hook: [keyboard]
....
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> WARNING: errors were encountered during the build. The image may not be complete.


KaOS has not done the /usr move (that is why it will stay with systemd 253, the last version to support the split /usr setup). libnss_files.so is in /lib. Not clear how you added the hooks, but they point to the wrong location.
What is the output of pacman -Qi mkinitcpio?
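The "Hook 'kms' cannot be found" error and the /usr/lib vs /lib mismatch above are both path-resolution problems that can be caught before an image is built. The script below is an added example written for this thread, not code from mkinitcpio, KaOS or any poster; it parses the HOOKS line quoted above, checks each hook name against the directories given to it (a stock mkinitcpio looks in /etc/initcpio/install and /usr/lib/initcpio/install; on a split-/usr system pass whatever your package actually installed), and picks the first existing candidate for a library that a hook may hard-code under /usr/lib. The install directory it tests against is a constructed temporary one.

```shell
#!/bin/sh
# Added example (not from the thread): resolve every hook named in a
# mkinitcpio HOOKS line against the hook install directories, and resolve a
# library path that differs between merged-/usr and split-/usr systems.

# Constructed HOOKS line, copied from the thread.
MKINITCPIO_CONF='HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)'

# Print the hook names from a mkinitcpio.conf read on stdin, one per line.
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p' | tr ' ' '\n' | grep -v '^$'
}

# Print the hooks from MKINITCPIO_CONF that have no install script in any of the
# directories given as arguments; returns the number of missing hooks (0 = all found).
missing_hooks() {
    missing=0
    for hook in $(printf '%s\n' "$MKINITCPIO_CONF" | hooks_from_conf); do
        found=0
        for dir in "$@"; do
            [ -f "$dir/$hook" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$hook"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Print the first of the given paths that exists; returns 1 if none does.
# Intended for a hook that hard-codes /usr/lib/libnss_files.so on a system
# where the library actually lives in /lib:
#   first_existing /usr/lib/libnss_files.so /lib/libnss_files.so
first_existing() {
    for path in "$@"; do
        if [ -e "$path" ]; then
            echo "$path"
            return 0
        fi
    done
    return 1
}

# Build a throwaway install directory that mimics a mkinitcpio shipping every
# hook from the thread except 'kms' (constructed test fixture, not a real path).
make_fake_install_dir() {
    dir=$(mktemp -d)
    for hook in base systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt filesystems fsck; do
        : > "$dir/$hook"
    done
    echo "$dir"
}

# Usage on a real system:
#   missing_hooks /etc/initcpio/install /usr/lib/initcpio/install
```

Running `missing_hooks` against the constructed directory prints just `kms`, which is the same hook mkinitcpio rejected above; on a real system the output tells you which names in HOOKS the installed mkinitcpio version does not ship before the build warns that the image may be incomplete.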

    demm

    how you added the hooks

    Just added to /etc/mkinitcpio.conf

    demm that is why it will stay with systemd 253

    Oh, now I see; that was something I was asking myself. Any ETA for recent releases?

    demm pacman -Qi mkinitcpio

    Nome                 : mkinitcpio
    Versão               : 26-8
    Descrição            : Modular initramfs image creation utility
    Arquitetura          : x86_64
    URL                  : https://github.com/archlinux/mkinitcpio
    Licenças             : GPL
    Grupos               : Nenhum
    Provê                : initrd
    Depende de           : awk  mkinitcpio-busybox  kmod  util-linux  libarchive  coreutils  bash  findutils  grep  filesystem>=2016.11  gzip  systemd
    Depend. opcionais    : xz: Use lzma or xz compression for the initramfs image [instalado]
                           bzip2: Use bzip2 compression for the initramfs image [instalado]
                           mkinitcpio-nfs-utils: Support for root filesystem on NFS
    Necessário para      : linux
    Opcional para        : Nenhum
    Conflita com         : Nenhum
    Substitui            : Nenhum
    Tamanho instalado    : 97,85 KiB
    Empacotador          : Anke Boersma <demm@kaosx.us>
    Data da compilação   : dom 15 set 2024 15:42:51
    Data de instalação   : sex 03 jan 2025 19:06:57
    Motivo da instalação : Instalado explicitamente
    Script de instalação : Sim
    Validado por         : Soma SHA-256

    There are no plans to move KaOS to thousands of symlinks (which you will need when you use the all-/usr setup), so no plans to move to systemd beyond 253.
    Not clear yet which hook (or where in dracut for that matter) the reference to /usr/lib/libnss_files.so comes from, that needs to be set to /lib/libnss_files.so

      demm which you will need when you use the all-/usr setup), so no plans to move to systemd beyond 253

      It's a bit off-topic, but systemd is not only related to symlinks; how will other new features be added? (Currently I don't see any solution.)


        bvbfan, we are all interested in this topic; I suggest a new post to discuss it.


        Hello.

        I am also concerned about system security.

        But I have a slightly different boot setup. I disable everything related to the network, smb and virtualization. My neighbor somehow gained access and, as I understand it, synchronizes their data with mine and destroys my data, through zpool. I did not even configure it. As soon as I disabled the msr and sg modules, which load various instructions that, as I understand it, make it possible to intercept control during boot, exploit them, and commit various other machinations, a message appeared that my zpool was not found and booting further is not possible. Cool.
        https://imgur.com/a/Z2tvB0O