fix: add boot=live to UKI kernel command line

The UKI (Unified Kernel Image) embeds its own kernel command line,
which was missing boot=live. Without this parameter, the initramfs
cannot find the squashfs root filesystem and the boot hangs with
"No root device specified."

Also added boot=live to lb config --bootappend-live for consistency.

Root cause: The Secure Boot UKI hook creates an independent cmdline
that overrides GRUB's boot parameters. The hook was only setting
lockdown/splash/console params but not the live boot parameter.

Found via QEMU serial console boot test - kernel booted but hung
at "No root device specified. Boot arguments must include a root=
parameter."

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
2026-05-07 11:04:58 -05:00
parent 938182fc9f
commit 0eea7305d3

run.sh

@@ -1032,7 +1032,7 @@ lb config \
--mode debian \
--chroot-filesystem squashfs \
--binary-images iso-hybrid \
--bootappend-live "console=ttyS0,115200 console=tty0" \
--bootappend-live "boot=live console=ttyS0,115200 console=tty0" \
--iso-application "KNEL-Football Secure OS" \
--iso-publisher "KNEL-Football Security Team" \
--iso-volume "KNEL-Football Secure" \
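Review bot: the --bootappend-live string on this line sets the whole live parameter list rather than extending live-build's default one, so anything the default carried besides boot=live (in the live-build versions I know, `components`, which live-config needs in order to run its configuration scripts) is absent from the generated GRUB/syslinux entry unless it is spelled out here; please check the produced bootloader config and, if needed, use `boot=live components console=ttyS0,115200 console=tty0`. The same console parameters are now maintained both here and in the UKI cmdline later in the file; a single shell variable holding the shared base string would keep the two boot paths from drifting apart again.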
@@ -1172,9 +1172,9 @@ CMDLINE_FILE="/tmp/cmdline.txt"
# Kernel command line with lockdown mode
if [ "${KNEL_BUILD_MODE}" = "demo" ]; then
echo "console=ttyS0,115200 console=tty0 lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
echo "boot=live console=ttyS0,115200 console=tty0 lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
else
echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
echo "boot=live quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
fi
# Build UKI using objcopy
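Review bot: the security-relevant parameters written to "$CMDLINE_FILE" here (lockdown=confidentiality, module.sig_enforce=1) exist only in the UKI cmdline; the --bootappend-live string earlier in this file carries neither, so a boot that goes through the regular live-build bootloader entry instead of the UKI comes up without lockdown or module signature enforcement. Either add them to --bootappend-live as well or remove the non-UKI entry from the image, and state in a comment which boot path Secure Boot is expected to enforce. Minor: CMDLINE_FILE is a fixed path under /tmp; a mktemp-created file would avoid clobbering, or being clobbered by, another build run on the same host.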