Linux - UEFI boot manager configuration with encrypted root and swap

This article is more a memo to keep the details regarding the encrypted install of my Arch Linux distribution.

I’m using the systemd, sd-vconsole, sd-encrypt and sd-plymouth mkinitcpio hooks. This is important for what comes after: the luks.uuid= and resume= kernel parameters used below are handled by systemd's generators in the initramfs, not by the busybox-style encrypt hook.

Now this is the layout of my SSD disk being identified as /dev/sda.

lsblk -o NAME,UUID
NAME                                          UUID
sda                                           
├─sda1                                        7244-DD77
├─sda2                                        
├─sda7                                        f92638e9-21ba-4ee2-82d1-3bfc2ac8f6e8
├─sda8                                        b7c05834-a995-412f-bb0e-63069778d21a
│ └─luks-b7c05834-a995-412f-bb0e-63069778d21a cd9d2579-f4dc-4aaa-878f-d54e9ea9bb83
└─sda9                                        44739df0-7605-45e1-ab30-eb2e7d4f00c8
  └─luks-44739df0-7605-45e1-ab30-eb2e7d4f00c8 1aea47d1-1bb3-4a90-b1bc-e9354cca1417
  • /dev/sda1 is the EFI system partition
  • /dev/sda7 is a partition I created for /boot, but I’m not using it anymore. I now mount /dev/sda1 on /mnt/efi and then bind-mount /mnt/efi/EFI/arch on /boot.
  • /dev/sda8 is a swap partition
  • /dev/sda9 is the partition used for the system and my home; I use BTRFS subvolumes. /dev/sda8 and /dev/sda9 are encrypted using LUKS.

So basically /dev/sda8 has one UUID as a block device (b7c05834-a995-412f-bb0e-63069778d21a) and the device-mapper target it exposes once decrypted through LUKS has another UUID (cd9d2579-f4dc-4aaa-878f-d54e9ea9bb83). The same applies to the other encrypted partition.

  • /dev/sda8 - (decryption makes it available as) -> /dev/dm-1 (or /dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a)
  • /dev/sda9 - (decryption makes it available as) -> /dev/dm-0 (or /dev/mapper/luks-44739df0-7605-45e1-ab30-eb2e7d4f00c8)

The mapper names match the lsblk output above. The mapping (and any options for it) is configured in /etc/crypttab.

Kernel boot parameters

Once this is understood it’s possible to create the kernel arguments line that is required to boot this system.

root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 rw rootflags=subvol=root luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a initrd=\EFI\arch\intel-ucode.img initrd=\EFI\arch\initramfs-linux.img

This can be split into the following units:

  • root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 tells the kernel which filesystem is the root partition (this needs to be the UUID of the decrypted filesystem on the mapper device, not the UUID of the LUKS container)
  • rw instructs the kernel to mount the root partition read/write
  • rootflags=subvol=root is a BTRFS-specific setting that specifies which subvolume to mount as the root partition
  • luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 tells systemd in the initramfs that the LUKS container with this UUID needs to be unlocked; if the device is listed in /etc/crypttab, the options given there are used
  • luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a same thing for the other partition
  • resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a is the device used to resume from hibernation; this is the decrypted swap, so it can only be read once its container has been unlocked by the matching luks.uuid= entry
  • initrd=\EFI\arch\intel-ucode.img is the first initrd (the Intel CPU microcode image; the path is relative to the EFI system partition, with backslashes)
  • initrd=\EFI\arch\initramfs-linux.img is the initramfs itself
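A mismatch between these UUIDs is the usual reason such a system drops to the emergency shell at boot (root= pointing at the LUKS container instead of the decrypted filesystem, or resume= naming a mapper device whose container is never unlocked), and there is no cheap way to test the line other than rebooting. The following Python script, which is an added example and not part of the article, cross-checks a kernel command line against the block-device tree before the boot entry is written. It parses the key="value" output of lsblk --pairs; the sample lsblk text embedded below is constructed to mirror the layout in this article (sda7's filesystem type is assumed, the page does not say).

```python
"""Sanity-check a kernel command line for an encrypted root/swap layout
against the block-device tree reported by lsblk (example code, not the article's)."""
import shlex

# Constructed sample: what `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,UUID` prints for
# the layout described in the article. sda7's FSTYPE is an assumption.
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" UUID=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" UUID="7244-DD77"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="" UUID=""
NAME="sda7" PKNAME="sda" TYPE="part" FSTYPE="ext4" UUID="f92638e9-21ba-4ee2-82d1-3bfc2ac8f6e8"
NAME="sda8" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" UUID="b7c05834-a995-412f-bb0e-63069778d21a"
NAME="luks-b7c05834-a995-412f-bb0e-63069778d21a" PKNAME="sda8" TYPE="crypt" FSTYPE="swap" UUID="cd9d2579-f4dc-4aaa-878f-d54e9ea9bb83"
NAME="sda9" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" UUID="44739df0-7605-45e1-ab30-eb2e7d4f00c8"
NAME="luks-44739df0-7605-45e1-ab30-eb2e7d4f00c8" PKNAME="sda9" TYPE="crypt" FSTYPE="btrfs" UUID="1aea47d1-1bb3-4a90-b1bc-e9354cca1417"
"""

# The kernel arguments from the article (initrd entries included).
CMDLINE = (
    "root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 rw rootflags=subvol=root "
    "luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 "
    "luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a "
    "resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a "
    r"initrd=\EFI\arch\intel-ucode.img initrd=\EFI\arch\initramfs-linux.img"
)


def parse_lsblk_pairs(text):
    """Turn `lsblk --pairs` output into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex strips the quotes, leaving KEY=value tokens
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def parse_cmdline(cmdline):
    """Split a kernel command line into (key, value) pairs; repeated keys keep their order."""
    params = []
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params.append((key, value if sep else None))
    return params


def check_cmdline(cmdline, lsblk_text):
    """Return a list of problems; an empty list means the line matches the disk layout."""
    devices = parse_lsblk_pairs(lsblk_text)
    by_uuid = {d["UUID"]: d for d in devices.values() if d["UUID"]}
    params = parse_cmdline(cmdline)
    problems = []

    # Every luks.uuid= must name a real LUKS container.
    luks_uuids = [v for k, v in params if k == "luks.uuid"]
    for uuid in luks_uuids:
        dev = by_uuid.get(uuid)
        if dev is None:
            problems.append(f"luks.uuid={uuid}: no such device")
        elif dev["FSTYPE"] != "crypto_LUKS":
            problems.append(f"luks.uuid={uuid}: {dev['NAME']} is not a LUKS container")

    def container_unlocked(dev):
        """True if a mapped (crypt) device's parent partition is listed in luks.uuid=."""
        parent = devices.get(dev["PKNAME"], {})
        return parent.get("UUID") in luks_uuids

    # root= must be the decrypted filesystem, and its container must be unlocked.
    root = next((v for k, v in params if k == "root"), None)
    if root is None or not root.startswith("UUID="):
        problems.append("root= missing or not given as root=UUID=...")
    else:
        dev = by_uuid.get(root[len("UUID="):])
        if dev is None:
            problems.append(f"{root}: no filesystem with this UUID")
        elif dev["FSTYPE"] == "crypto_LUKS":
            problems.append(f"{root}: points at the encrypted container, not the decrypted filesystem")
        elif dev["TYPE"] == "crypt" and not container_unlocked(dev):
            problems.append(f"{root}: lives on {dev['NAME']} but its container is not listed in luks.uuid=")

    # resume= (given as /dev/mapper/<name> or UUID=) must be swap on an unlocked container.
    resume = next((v for k, v in params if k == "resume"), None)
    if resume is not None:
        if resume.startswith("UUID="):
            dev = by_uuid.get(resume[len("UUID="):])
        else:
            dev = devices.get(resume.rsplit("/", 1)[-1])
        if dev is None:
            problems.append(f"resume={resume}: no such device")
        elif dev["FSTYPE"] != "swap":
            problems.append(f"resume={resume}: not a swap device")
        elif dev["TYPE"] == "crypt" and not container_unlocked(dev):
            problems.append(f"resume={resume}: swap container is not listed in luks.uuid=")
    return problems


if __name__ == "__main__":
    report = check_cmdline(CMDLINE, SAMPLE_LSBLK)
    for line in report or ["command line is consistent with the disk layout"]:
        print(line)
```

On a live system, replace SAMPLE_LSBLK with the output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,UUID` run while the containers are unlocked, and CMDLINE with the string you intend to pass to efibootmgr. The check deliberately only reads lsblk output and never touches the devices or the EFI variables.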

UEFI boot manager entry

Now I can add an entry to the UEFI boot manager using efibootmgr. I’ve added a few more arguments to pass to the kernel (intel_iommu=on, quiet, splash), but they’re not mandatory. We can finally check the result with the second command.

sudo efibootmgr --disk /dev/sda --part 0 --create --gpt --label "Arch Linux" --loader /EFI/arch/vmlinuz-linux --unicode "root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 rw rootflags=subvol=root luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a intel_iommu=on initrd=\EFI\arch\intel-ucode.img initrd=\EFI\arch\initramfs-linux.img quiet splash"

sudo efibootmgr -v
BootCurrent: 0011
Timeout: 0 seconds
BootOrder: 000D,0011,0012,000E,000B,000C,0012,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F,000A
Boot0000  Startup Menu	FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)....ISPH
[...]
Boot0011* Arch Linux	HD(1,GPT,be65cb5c-c9ba-4aae-aaa6-ab8670046434,0x800,0xb4000)/File(\EFI\arch\vmlinuz-linux)r.o.o.t.=.U.U.I.D.=.1.a.e.a.4.7.d.1.-.1.b.b.3.-.4.a.9.0.-.b.1.b.c.-.e.9.3.5.4.c.c.a.1.4.1.7. .r.w. .r.o.o.t.f.l.a.g.s.=.s.u.b.v.o.l.=.r.o.o.t. .l.u.k.s...u.u.i.d.=.4.4.7.3.9.d.f.0.-.7.6.0.5.-.4.5.e.1.-.a.b.3.0.-.e.b.2.e.7.d.4.f.0.0.c.8. .l.u.k.s...u.u.i.d.=.b.7.c.0.5.8.3.4.-.a.9.9.5.-.4.1.2.f.-.b.b.0.e.-.6.3.0.6.9.7.7.8.d.2.1.a. .r.e.s.u.m.e.=./.d.e.v./.m.a.p.p.e.r./.l.u.k.s.-.b.7.c.0.5.8.3.4.-.a.9.9.5.-.4.1.2.f.-.b.b.0.e.-.6.3.0.6.9.7.7.8.d.2.1.a. .i.n.t.e.l._.i.o.m.m.u.=.o.n. .i.n.i.t.r.d.=.\.E.F.I.\.a.r.c.h.\.i.n.t.e.l.-.u.c.o.d.e...i.m.g. .i.n.i.t.r.d.=.\.E.F.I.\.a.r.c.h.\.i.n.i.t.r.a.m.f.s.-.l.i.n.u.x...i.m.g. .q.u.i.e.t. .s.p.l.a.s.h.

After that you should be able to boot on the next reboot from the entry labelled “Arch Linux” in your UEFI boot manager.