User:Neitsab

From ArchWiki

Computer enthusiast from France, proud ArchWiki Maintainer. You can contact via wiki e-mail or on my talk page for any comments or questions. You can also interact with me on GitHub.

Languages:

  • French
  • English
  • Spanish

Interests

From my contributions, you can see I am pretty interested in:

Highlights

Things I think deserve to be more publicized:

2020

"Stateless" boot with systemd-gpt-generator

It is surprisingly easy to get a basic fully encrypted config to boot without /etc/fstab nor kernel parameters using Systemd#GPT_partition_automounting; the drawback is that we cannot easily specify mount options, be it for the LUKS container or root fs: see my post on systemd mailing list.

Secure Boot easiness

Secure Boot is actually pretty easy to implement in the Secure Boot#Using your own keys configuration. Once the firmware put in "Setup mode", all I had to do was (as root):

mkdir /etc/efi-keys
cd !$
curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x 
./mkkeys.sh
# install sbupdate-git from AUR
cat << EOF >> /etc/sbupdate.conf
ESP_DIR="/efi"
OUT_DIR="EFI/Linux"
EXTRA_SIGN=('/efi/EFI/BOOT/BOOTX64.EFI' '/efi/EFI/systemd/systemd-bootx64.efi')  # only needed if using systemd-boot
CMDLINE_DEFAULT="<your kernel cmdline here>"
EOF
sbupdate
mkdir -p /etc/secureboot/keys/{db,PK,KEK}
cp /etc/efi-keys/DB.auth /etc/secureboot/keys/db/
cp /etc/efi-keys/PK.auth /etc/secureboot/keys/PK/
cp /etc/efi-keys/KEK.auth /etc/secureboot/keys/KEK/
sbkeysync --verbose
sbkeysync --verbose --pk

And reboot. Note that this setup uses systemd-boot with the ESP mounted on /efi, but direct UEFI loading would only require another step to create the correct UEFI boot entry with efibootmgr. Pretty neat!

old

Todo

2020

  • Btrfs: add more details about filesystem creation options and mount options: hash algorithm, compression options and levels, async discard, autodefrag...
  • XFS: follow a more standard article structure (like adding a "Creation" section!!) and clean up the "wiki style" non-compliant bits: done
  • TPM: flesh out the TPM#Using TPM 2.0 section. WIP
  • LVM: incorporate LVM thin instructions... Maybe.