man.sr.ht tag signing #anchor changed
Successful boot on ARM64 QEMU (https://101010.pl/@nabijaczleweli/112944227909905848)
Version-sort instead of lexicographic-sort entries' versions (=> try 6.9.8-amd64 after 6.10.3-amd64)
EFI boot manager; or, well, an EFI bootorder compiler.
You need to boot Linux somehow, but you don't really need any EFI-side code to do it if you configure your kernel right and have something tell the firmware about it. This is that something.
klapki stores neither code nor data (well, except the kernel and initrds) on the ESP, making it SecureBoot-compatible out-of-box, and instead generates entries for the host's kernels and manages them during their lifetime from the host itself.
Because of this, entries for each host can be trivially placed anywhere in the boot order (in the screenshot they're at {bootpos 1}, preceded by the "zoot" entry).
As seen in the screenshot, additional boot variants (just "graphical" in that case) are also supported, generating another entry for each kernel;
OVMF doesn't show it, but the difference can be seen from this listing of /etc/klapki/cmdline used to generate those entries (the description is a tad verbose to match convention):
#!/bin/sh
echo root=ZFS=zoot/root
[ "$2" = "graphical" ] || echo console=ttyS0
The second screenshot goes for the radical
#!/bin/sh
echo root=zfs:AUTO intel_iommu=on zfs.zfs_arc_max=85899345920 "$2"
You'll need libmd-dev, libefi{var,boot}-dev, doctest-dev, libfmt-dev, zlib1g-dev, and make should hopefully Just Work™ if you have a C++20-capable compiler.
These are searched for with pkgconf if available. zlib is optional but, if it's beneficial, can thin out the state variable 12%-50%.
mandoc is required for HTML manpages. Set MANDOC=: when building to remove this dependency.
Note that klapki uses Linux-specific sendfile(), and as such building it will fail on other systems.
Upstream libefivar only supports Linux anyway (and FreeBSD carries a port, though the usefulness of this within any classic UNIX distribution is doubtful).
Copy out/klapki to /sbin and write a /etc/klapki/{description,cmdline}, as seen in the manual.
The following line in /etc/apt/sources.list or equivalent:
deb [signed-by=/etc/apt/keyrings/nabijaczleweli.asc] https://debian.nabijaczleweli.xyz sid main
With my PGP key (the two URLs are interchangeable, or pull with WKD):
sudo wget -O/etc/apt/keyrings/nabijaczleweli.asc https://debian.nabijaczleweli.xyz/nabijaczleweli.gpg.key
sudo wget -O/etc/apt/keyrings/nabijaczleweli.asc https://nabijaczleweli.xyz/pgp.txt
(you may need to create /etc/apt/keyrings on apt <2.4.0 (<=bullseye) manually).
Then the usual
sudo apt update
sudo apt install klapki
will work on amd64, x32, and i386.
See the repository README for more information.
Release tarballs are signed with nabijaczleweli@nabijaczleweli.xyz (pull with WKD, but 7D69 474E 8402 8C5C C0C4 4163 BCFD 0B01 8D26 58F1), and stored in git notes as-if via the example program, and are thus available on the refs listing/tag page as .tar.gz.asc.
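An added example (not klapki's own tooling) of checking a release tarball's detached signature against the fingerprint printed above, instead of accepting a good signature from any key that happens to be in the keyring. The helper names, the paths passed to verify_release, and the sample status lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of klapki: accept a release signature only if it was
# made by the key whose fingerprint this page prints (spaces removed).
KLAPKI_FPR=7D69474E84028C5CC0C44163BCFD0B018D2658F1

# Reads `gpg --status-fd 1 --verify` output on stdin; $1 is the pinned fingerprint.
# Succeeds only if there is a GOODSIG, no bad/expired/revoked status, and a
# VALIDSIG naming the pinned key as signing key ($3) or primary key (last field);
# the page does not say which of the two its fingerprint is, so both are accepted.
pinned_goodsig() {
	awk -v want="$1" '
		$1 != "[GNUPG:]" { next }
		$2 == "GOODSIG" { good = 1 }
		$2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
		$2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
		END { exit !(good && pinned && !bad) }'
}

# verify_release TARBALL SIGNATURE (hypothetical helper; both paths are the caller's).
verify_release() {
	gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | pinned_goodsig "$KLAPKI_FPR"
}

# Constructed status lines for a good signature by the pinned key (not real gpg output).
sample_status() {
	printf '%s\n' \
		"[GNUPG:] NEWSIG" \
		"[GNUPG:] GOODSIG BCFD0B018D2658F1 nabijaczleweli@nabijaczleweli.xyz" \
		"[GNUPG:] VALIDSIG $KLAPKI_FPR 2024-01-01 1704067200 0 4 0 22 10 00 $KLAPKI_FPR"
}

sample_status | pinned_goodsig "$KLAPKI_FPR" && echo "sample: accepted"
```

VALIDSIG alone is not enough because gpg also emits it for signatures from expired or revoked keys, which is why the expired and revoked statuses are rejected explicitly.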
Remove the variable corresponding to the host under the klapki GUID (a8a9ad3a-f831-11ea-946d-674ccd7415cc).
For example, on Linux, with host "zoot":
chattr -i /sys/firmware/efi/efivars/zoot-a8a9ad3a-f831-11ea-946d-674ccd7415cc
rm /sys/firmware/efi/efivars/zoot-a8a9ad3a-f831-11ea-946d-674ccd7415cc
This will abandon any previously-managed entries by removing all state, so either run {delkernel ver} for all versions you had registered beforehand, or remove the entries and files later with efibootmgr(8)/EFI shell/the firmware UI.
There's the tracker (submit by mail to ~nabijaczleweli/klapki@todo.sr.ht), but also see the list below.
Send a patch inline, as an attachment, or a git link and a ref to pull from to the list (~nabijaczleweli/klapki@lists.sr.ht) or me directly. I'm not picky, just please include the repo name in the subject prefix.
Please use the tracker, the list, or mastussy (formerly Twitter).
To all who support further development on Patreon, in particular: