#UKI, LVM on LUKS on Striped LVM, SOLVED and DOCUMENTED

Partitions: NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS loop0 7:0 0 982.3M 1 loop sda 8:0 0 119.2G 0 disk ├─sda1 8:1 0 4G 0 part /efi ├─sda2 8:2 0 111.8G 0 part │ └─vg0-lv0 253:0 0 335.4G 0 lvm │ └─luks1 253:1 0 335.3G 0 crypt │ ├─vg1-root 253:2 0 160G 0 lvm / │ ├─vg1-home 253:3 0 160G 0 lvm /home │ └─vg1-swap 253:4 0 15.3G 0 lvm [SWAP] └─sda3 8:3 0 3.5G 0 part /shared sdb 8:16 0 111.8G 0 disk └─sdb1 8:17 0 111.8G 0 part └─vg0-lv0 253:0 0 335.4G 0 lvm └─luks1 253:1 0 335.3G 0 crypt ├─vg1-root 253:2 0 160G 0 lvm / ├─vg1-home 253:3 0 160G 0 lvm /home └─vg1-swap 253:4 0 15.3G 0 lvm [SWAP] sdc 8:32 0 111.8G 0 disk └─sdc1 8:33 0 111.8G 0 part └─vg0-lv0 253:0 0 335.4G 0 lvm └─luks1 253:1 0 335.3G 0 crypt ├─vg1-root 253:2 0 160G 0 lvm / ├─vg1-home 253:3 0 160G 0 lvm /home └─vg1-swap 253:4 0 15.3G 0 lvm [SWAP] sr0 11:0 1 1.4G 0 rom
/etc/mkinitcpio ... HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck) ...
/etc/cmdline.d/root.conf rd.luks.name=1edcFc-gVTJ-U82E-8h44-S2rx-nVVo-jHMURJ=luks1 root=/dev/mapper/vg1-root rw rootfstype=ext4
/etc/mkinitcpio.d/linux.preset ALL_kver="/boot/vmlinuz-linux" PRESETS=('default' 'fallback') default_uki="/efi/EFI/Linux/arch-linux.efi" default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi" fallback_options="-S autodetect"

While I realize the partitioning seems overly excessive, I have my reasons for setting it up this way.

why do you have three root partitions

it's within a striped lvm partition

yeah but my question still stands

why do you need three root partitions

it's only one. it just appears that way because of the striping

why is the kernel param in /etc/cmdline.d/root.conf

ive never seen this thats why im asking

Because I am trying to generate a Unified Kernal Image

lemme get to my comp to share the reference I used. justa min

https://wiki.archlinux.org/title/Unified_kernel_image

Now that I'm on comp, and looking at the guide, I am gonna see if using the UUID for the root partition will do anything. Pretty sure I've already tried it.

dont know man, ive never made an UKI

if i may ask, why do you need an UKI

AFAIK, it should work very similar to a systemd boot, at least the way I've set it up. Ideally I wanna sign the UKI and run it with secure boot.

I was having a similar issue with the systemd boot as well. Forgot how I solved it.

...just talking it out with you, I just realized I should look at the arch systemd reference, cause the kernel parameters should be almost the same just in a different file, and without the 'options' part.

Yeah, that reference shows using the uuid as well. Trying it.

I think I am going to try and alter my setup. Instead of LVM on LUKS on LVM, there is only a very small benefit to partitioning my home and swap. Allowing me to just do LUKS on LVM.

ive done uki + lvm + luks before

when im on pc o can help you

you should do lvm on luks

That would be much appreciated. I have done the simplification I talked about, but same issue.

ok yeah i cant really read the partition setup on mobile

word wrapping

mind sending an image

but what i reccomend is

I have thought about LVM on LUKS, but in addition to striping ontop of encryption, which I have been told shouldn't be done, I have tried multiple LUKS decrypt on startup and found it really headache inducing. Image incoming.

root disk
- efi part 512mb/1gb
- luks
- - lvm
- - - swap
- - - root
- - - whatever else

@frank elbow this is what id reccomend

Ah, yeah, that's what I had as the LVM on LUKS part of the LVM on LUKS on LVM.

but i dont know why youd opt for lvm under the luks

it doesnt serve any purpose

Striped over 3 drives

oh

ngl id put different luks on separate drives

and put the root on only one drive

and then decrypt the other 2 from the root

That would be worst case, if I can't figure current setup out. And technically.... I could stripe across 3 luks partitions, but that's also not ideal to say the least.

lemme finish mounting and chrooting in to get that image for ya

why is it not ideal

I read some articles on encrypting and striping, or stacking lvm partitions, and the 2 or 3 that were applicable to my use advised against it. I barely understood the reason to the point I can't even remember it. But also, I have tried before, and it's a fair hassle. I also fear for the complexity in enrolling all the encryptions in my tpm.

you dont need to use tpm

type your own good password

I understand the downsides of my approach. I also understand the upsides of changing it. But considering that there is documentation for each part of what I am trying to do, part of what I am trying to do is learn all of these systems.

I wouldn't bother with a UKI, which has limited documentation, if I didn't plan on using secure boot and my tpm eventually to lock down my system with minimal friction on startup.

and whats /shared?

That's a NTFS volume for easy file transfer to/from windows as I make the transition.

That can be removed/changed at will.

It just makes use of the bit of space that can't be striped because the first hard drive is bigger.

4G efi part is nuts though

ok i see your setup

True

is lvm configured to stripe?

Yes

That's been done properly as far as I can tell

unless

can you mount the root

yes

I can chroot in fine

I just can't get boot to ask me for the password on boot

can you show the kernel cmdline, mkinitcpio and the uki config?

try put lvm2 before sd-encrypt

OK

and the kernel cmdline

that root is wrong

and also doesnt need rw

can you show blkid

I will need time, just tried the first change with no success. But yes

the kernel cmdline is very wrong

I'm going to change the other one back so I am only making one change at a time

so I should prolly go root=UUID={the Luks UUID}
?

hmm, I thought I read somewhere that when using basic mkinitcpio, the default is set ro.

this should be rd.luks.name=08cb…=luks1

Oh wow. That seems obvious now.

I've made that change, but I'm leaving in the other parts. Generating and testing.

OK, it failed trying to mount the NTFS partition, and stopped because of that, but I will remove it from fstab. I think the main issue is fixed.

I'll treat mounting that as a completely seperate issue and just make the change and test again

did you install ntfs 3g

nope

Ill pacstrap it in and test

well thats your issue

pacstrap should read all my stuff I've done and regen without me having to chroot in?

also, do I need to add that to my hooks?

chroot into your root and use pacman

Well... other than me forgetting to set a root password

I'd say that's success

So, all of this has been inside hyper-v... but after I set a root password, technically all I need to do is create an efi boot entry on my machine, and then I should be able to run it on bare metal.

this has been inside a vm

Kinda...

wdym kinda

I hooked the hard drives directly to the vm

its using real disks

Oh ok

cool

you should redo it to use lvm inside the luks as well

I think so too

I got tired of looking stuff up on my phone when I have 4 monitors.

and then I got tired of not having copypaste, so I also SSH into the VM on my own comp.

nice

anyways

use lvm inside to get
home dir separate and stuff like that

Thank you very much for your help

Ya, that's how I had it before.

it should work fine

I think so too.

only need to change cmdline to have root=/dev/luksvg/root

or whatever

prolly will look like... root=/dev/mapper/vg1-root

cause I will set the base vg to vg0 and the lv to lv0

In my mind, is like, 0 is the layer I should rarely have to care about again. And 1 is where I really start.

Thanks again. Sleep time.

UKI With LVM and LUKS, won't ask for password. SOLVED (Will document soon somehow)

no

root= in the kernel cmdline used

uses

UKI, LVM on LUKS on Striped LVM, won't ask for password. SOLVED (Will document soon somehow)

/dev/volumegroup/lv

I will have to look into that.

but yeah I'm familiar with that format, so /dev/lv1/root

also install sbctl

and use it to sign everything in the efi part

Once I start with secure boot. I wanna sink my teeth into the GUI part as soon as I can. This process has been exhausting and I need some eyecandy to improve morale.

wdym gui part

also secureboot is really easy to do with sbctl

its just install it

true enough.

then sbctl create-keys

sbctl enroll-keys

and mkinitcpio -P

Well, I gotta worry about a windows dual boot

ah

ok

I wish I could just convert, but it's gonna be a massive headache getting everything I need to work in linux

I'm an online artist with a NVIDIA GPU.

So... Nvidia, tablet that isn't wacom, streaming, gaming....

It's gonna be a journey.

nvidia will be fine

idk bout tablet

obs works flawlessly

And art software!

steam with proton is great

Ya, I don't think OBS is gonna give me too much trouble.

Only game I worry about is Helldivers, which relies on kl-anticheat

check protondb

they both work well apparently

Gold apparently

helldivers and helldivers2

Still, I kinda am diving in the deep end. I'm thinking of using a window manager instead of a desktop environment too.

Not kinda... I have extremely specific and niche usecases and preferences.

But that's why I chose Arch after not touching linux for a decade and that was Ubuntu.

OK, did a writeup/guide/thing of my install from scratch. I'll prolly need to edit it from the story formatting and figure out a proper place to put it.