User:M0p/Root on ZFS Native Encryption with Boot Environment/Multi-ESP

From ArchWiki

If you are using mirror or RAID-Z, here's the procedure to set up redundant EFI system partitions.

Seems that currently there isn't any elegant solution for keeping EFI system partitions in sync. The following is a proposal:

For each disk except the one already configured, do 

mkfs.vfat -n EFI2 /dev/disk/by-id/target_disk2-part1
mkfs.vfat -n EFI3 /dev/disk/by-id/target_disk3-part1
...

Create mountpoints 

mkdir /boot/efis
mkdir /boot/efis/{2,3}
...

Mount the alternative efi partitions 

mount -o umask=0022,fmask=0022,dmask=0022 /dev/disk/by-id/target_disk2-part1 /boot/efis/2
mount -o umask=0022,fmask=0022,dmask=0022 /dev/disk/by-id/target_disk3-part1 /boot/efis/3
...

Add fstab entries 

genfstab / | grep efis >> /etc/fstab

Copy contents of current /boot/efi to the backups. Don't use dd! 

for i in /boot/efis/*; do /usr/bin/cp -r /boot/efi/* /boot/efis/$i; done

Add boot entries in NVRAM, replace ${distro} with actual names 

efibootmgr -c -g -d /dev/disk/by-id/target_disk2-part1 \
   -p 2 -L "archlinux-2" -l "\EFI\${distro}\grubx64.efi"
efibootmgr -c -g -d /dev/disk/by-id/target_disk3-part1 \
   -p 3 -L "archlinux-3" -l "\EFI\${distro}\grubx64.efi"
...

Create a systemd service automatically sync /boot/efi when changed. Based on grub-btrfs. 

tee /usr/lib/systemd/system/boot/efis-sync.path << EOF
[Unit]
Description=Monitor changes in EFI system partition

[Path]
PathModified=/boot/efi

[Install]
WantedBy=multi-user.target
EOF

tee /usr/lib/systemd/system/boot/efis-sync.service << EOF
[Unit]
Description=Sync EFI system partition contents to backups

[Service]
Type=oneshot
ExecStart=/usr/bin/bash -c 'for i in /boot/efis/*; do /usr/bin/cp -r /boot/efi/* /boot/efis/$i; done'
EOF

systemctl enable efis-sync.path

After a failure of /boot/efi, edit fstab again to promote one backup as the main efi partition.

  • Remove fstab line for the failed /boot/efi
  • Change the mountpoint of one backup to /boot/efi, such as changing /boot/efis/3 to /boot/efi
  • umount /boot/efi && umount /boot/efis/3 && rmdir /boot/efis/3 && mount /boot/efi

Failure to mount primary efi halts boot

Note: System will not be able to boot if /boot/efi can not be mounted. How to workaround this when the main /boot/efi is missing due to hardware failure? Only solution seems to be edit fstab to point /boot/efi to a functional device when the system is still running. Otherwise we need to change the fstab inside chroot in Live environment if the root account is locked (no password). 

Mounting /boot/efi...
[ FAILED ] Failed to mount /boot/efi.
See 'systemctl status efi.mount' for details.
[ DEPEND ] Dependency failed for Local File Systems.
Dropping to emergency shell...
Cannot open access to console, the root account is locked.
Retrieved from "https://wiki.archlinux.org/index.php?title=User:M0p/Root_on_ZFS_Native_Encryption_with_Boot_Environment/Multi-ESP&oldid=648682"