@Neurognostic
Last active June 18, 2023 09:29
Dracut UEFI Unified Kernel Image with Secure Boot Signing
esp=/efi
distro=archlinux
mkdir -p "$esp/EFI/$distro"
# Generate UEFI Unified Image (signed using the uefi_secureboot_* settings in the dracut config)
dracut --force --verbose --kver "$(uname -r)" "$esp/EFI/$distro/linux+initramfs.efi.signed"
# Create UEFI boot manager entry
efibootmgr --quiet --create --disk /dev/disk/by-label/EFI --label 'Arch Linux' --loader "/EFI/$distro/linux+initramfs.efi.signed"
# /etc/dracut.conf.d/dracut-defaults.conf
hostonly=yes
hostonly_cmdline=no
use_fstab=yes
compress=lz4
show_modules=yes
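# List options are appended with +=; dracut requires the leading and trailing spaces
add_drivers+=" lz4 lz4_compress "
# Build a UEFI unified kernel image (stub, kernel, initramfs and command line in one file)
uefi=yes
early_microcode=yes
uefi_splash_image=/usr/share/systemd/bootctl/splash-arch.bmp
uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
# Secure Boot signing certificate and private key (db)
uefi_secureboot_cert=/etc/efi-keys/db.crt
uefi_secureboot_key=/etc/efi-keys/db.key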
CMDLINE=(
rw
rd.luks.timeout=60
rd.luks.crypttab=no
rd.luks.name=$(cryptsetup luksUUID /dev/disk/by-partlabel/cryptsystem)=system
root=LABEL=system
rootflags=subvol=@
zswap.enabled=1
zswap.compressor=lz4
zswap.zpool=z3fold
)
kernel_cmdline="${CMDLINE[*]}"
unset CMDLINE
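
A post-build check for the setup above, added here as an example (not part of the gist): it confirms that the private key named in uefi_secureboot_key grants nothing to group or other, and that the generated image verifies against the db certificate using sbverify from sbsigntools. The function names, the --check switch and the IMAGE/CERT/KEY variables are assumptions of this example, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the gist. Defaults are the paths used above.
IMAGE=${IMAGE:-/efi/EFI/archlinux/linux+initramfs.efi.signed}
CERT=${CERT:-/etc/efi-keys/db.crt}
KEY=${KEY:-/etc/efi-keys/db.key}

# Return 0 if the key file grants no permissions to group or other,
# 1 if it does, 2 if it is missing or cannot be inspected.
key_is_private() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat: octal mode, e.g. 600
    mode=$(printf '%03d' "$mode")           # pad short modes such as "0"
    case "$mode" in
        *00) return 0 ;;                    # group and other digits are both 0
        *)   return 1 ;;
    esac
}

# Return 0 if the image carries a signature that validates against the
# certificate, 3 if sbverify is not installed, non-zero otherwise.
image_is_signed() {
    command -v sbverify >/dev/null 2>&1 || return 3
    sbverify --cert "$2" "$1" >/dev/null 2>&1
}

run_checks() {
    rc=0
    if key_is_private "$KEY"; then
        echo "ok:   $KEY is not accessible to group/other"
    else
        echo "FAIL: $KEY is missing or accessible to group/other" >&2
        rc=1
    fi
    image_is_signed "$IMAGE" "$CERT"
    case $? in
        0) echo "ok:   $IMAGE verifies against $CERT" ;;
        3) echo "skip: sbverify not found (install sbsigntools)" >&2 ;;
        *) echo "FAIL: $IMAGE does not verify against $CERT" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Run only when asked, e.g.: sh check-uki.sh --check
if [ "${1:-}" = "--check" ]; then run_checks; fi
```

Running it after every dracut rebuild catches an image that was written unsigned or signed with a key other than the one enrolled in db.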
@Neurognostic
Author

uefi_splash_image currently only works with my fork.

@Neurognostic
Author

Must use latest commit from dracut project. Important new features for secure boot signing and embedding microcode.

@emansom

emansom commented Apr 14, 2023

Please consider contributing this to the Arch wiki
