| -rwxr-xr-x | archsetup | 81 |
1 files changed, 79 insertions, 2 deletions
@@ -493,6 +493,14 @@ is_btrfs_root() {
 [ "$(findmnt -n -o FSTYPE /)" = "btrfs" ]
 }
 
+# CPU Detection
+is_amd_zen5() {
+ # Returns 0 (true) if CPU is AMD Zen 5 (family 26/0x1a)
+ # Used to detect CPUs affected by RDSEED32 bug (CVE-2025-62626)
+ grep -q "AuthenticAMD" /proc/cpuinfo && \
+ grep -E "^cpu family" /proc/cpuinfo | head -1 | grep -q ": 26$"
+}
+
 # Encryption Detection
 is_encrypted_root() {
 # Returns 0 (true) if root filesystem is on an encrypted volume
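Review bot: The vendor test in is_amd_zen5 is unanchored, so `grep -q "AuthenticAMD"` matches any /proc/cpuinfo line containing the string rather than the vendor_id field, and only the first CPU's family line is inspected; `grep -q "^vendor_id.*AuthenticAMD" /proc/cpuinfo` is the tighter form. The function also identifies a CPU family, not the presence of the bug: a part running microcode that corrects RDSEED32 still reports family 26, so every Zen 5 is treated as affected, which the comment should say, e.g. `# Matches by family only; does not check whether the running microcode already corrects RDSEED32`. If the script runs with `set -o pipefail` (not visible here), the `grep | head -1 | grep -q` chain can in principle fail spuriously when the first grep is killed by SIGPIPE after head exits; a single awk pass over /proc/cpuinfo avoids both concerns.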
@@ -1230,7 +1238,51 @@ EOF
 display "task" "zfs-replicate timer created (enable after SSH key setup to TrueNAS)"
 elif is_btrfs_root; then
- display "task" "btrfs filesystem detected"
+ # Btrfs: Install snapper for snapshot management
+ display "task" "btrfs detected - installing snapper and grub-btrfs"
+ pacman_install snapper
+ pacman_install grub-btrfs
+ # inotify-tools is an optional dep of grub-btrfs but required for grub-btrfsd daemon
+ pacman_install inotify-tools
+
+ action="creating snapper configuration for root" && display "task" "$action"
+ # snapper requires the .snapshots subvolume to not exist when creating config
+ # If it already exists (from manual btrfs setup), umount and remove it first
+ if mountpoint -q /.snapshots 2>/dev/null; then
+ umount /.snapshots >> "$logfile" 2>&1
+ fi
+ if [ -d /.snapshots ]; then
+ rmdir /.snapshots >> "$logfile" 2>&1 || true
+ fi
+
+ # Create snapper config (this creates /.snapshots subvolume)
+ if [ ! -f /etc/snapper/configs/root ]; then
+ snapper -c root create-config / >> "$logfile" 2>&1 || error_warn "$action" "$?"
+ else
+ display "task" "snapper root config already exists"
+ fi
+
+ action="configuring snapper retention policy" && display "task" "$action"
+ # Conservative retention - local snapshots for quick rollback
+ snapper -c root set-config "TIMELINE_CREATE=yes" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_CLEANUP=yes" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_HOURLY=5" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_DAILY=7" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_WEEKLY=2" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_MONTHLY=1" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_YEARLY=0" >> "$logfile" 2>&1
+
+ action="enabling snapper timeline timer" && display "task" "$action"
+ systemctl enable snapper-timeline.timer >> "$logfile" 2>&1 || error_warn "$action" "$?"
+ systemctl enable snapper-cleanup.timer >> "$logfile" 2>&1 || error_warn "$action" "$?"
+
+ action="enabling grub-btrfsd for boot menu snapshots" && display "task" "$action"
+ systemctl enable grub-btrfsd >> "$logfile" 2>&1 || error_warn "$action" "$?"
+
+ # Allow user to use snapper without root
+ action="allowing wheel group to use snapper" && display "task" "$action"
+ snapper -c root set-config "ALLOW_GROUPS=wheel" >> "$logfile" 2>&1 || error_warn "$action" "$?"
+
 else
 display "task" "ext4/other filesystem detected"
 fi
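Review bot: `ALLOW_GROUPS=wheel` near the end of the hunk should be documented as an administrative grant rather than a convenience: the requests go through snapperd, which runs as root, so wheel members appear to gain create/delete of root-filesystem snapshots and undochange-style restores without going through sudo; reword the comment to `# Wheel members can create/delete root snapshots and restore files from them via snapperd (root) without sudo — acceptable only because wheel is already the admin group`. The seven retention `set-config` lines are the only commands in the hunk without `|| error_warn "$action" "$?"`, so if create-config failed above the policy is silently left unset; add the same handler for consistency. The enclosing if/elif block starts before the hunk.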
@@ -1890,7 +1942,32 @@ EOF
 sed -i 's/.*GRUB_GFXMODE=auto/GRUB_GFXMODE=1024x768/' /etc/default/grub
 sed -i "s/.*GRUB_RECORDFAIL_TIMEOUT=.*/GRUB_RECORDFAIL_TIMEOUT=2/g" /etc/default/grub
 sed -i "s/.*GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"rw loglevel=2 rd.systemd.show_status=auto rd.udev.log_level=2 nvme.noacpi=1 mem_sleep_default=deep nowatchdog random.trust_cpu=off quiet splash\"/g" /etc/default/grub
- grub-mkconfig -o /boot/grub/grub.cfg >> "$logfile" 2>&1 || error_warn "generating grub config" "$?"
+ fi
+
+ # Hardware-specific workarounds
+ display "subtitle" "Hardware Workarounds"
+
+ # AMD Zen 5 RDSEED32 bug (CVE-2025-62626)
+ # Zen 5 CPUs have a broken RDSEED instruction that causes kernel warnings at boot.
+ # Adding clearcpuid=rdseed disables the instruction via CPUID masking, suppressing
+ # the "RDSEED32 is broken. Disabling the corresponding CPUID bit." message.
+ # This is cosmetic - the kernel already disables RDSEED when it detects the bug.
+ if is_amd_zen5; then
+ action="applying AMD Zen 5 RDSEED32 workaround (CVE-2025-62626)" && display "task" "$action"
+ if [ -f /etc/default/grub ]; then
+ # Add clearcpuid=rdseed if not already present
+ if ! grep -q "clearcpuid=rdseed" /etc/default/grub; then
+ sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 clearcpuid=rdseed"/' /etc/default/grub
+ fi
+ fi
+ else
+ display "task" "no hardware workarounds needed"
+ fi
+
+ # Regenerate GRUB config after all modifications
+ if [ -f /etc/default/grub ]; then
+ action="generating grub configuration" && display "task" "$action"
+ grub-mkconfig -o /boot/grub/grub.cfg >> "$logfile" 2>&1 || error_warn "$action" "$?"
 fi
 }
 
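Review bot: The comment block above `if is_amd_zen5` overstates what `clearcpuid=rdseed` does: the kernel parameter clears the feature bit in the kernel's own feature table and /proc/cpuinfo, it does not mask the CPUID instruction for user space, so programs that execute RDSEED directly or query CPUID themselves are unaffected. Replace the "disables the instruction via CPUID masking" sentence with `# clearcpuid= only hides the flag from the kernel and /proc/cpuinfo; user-space code can still execute RDSEED. The vendor remedy is a CPU microcode update, which this step does not replace.` and keep the "cosmetic" sentence. It is worth noting in the same comment that the command line set a few lines above already carries `random.trust_cpu=off`, so RDSEED output was already not being credited as entropy by the kernel RNG in this configuration. The enclosing function starts before the hunk.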
