nosignal/win-omarchy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Initial commit: Win-Omarchy dual-boot installer

Browse source 
Patches the Omarchy ISO to install alongside Windows with a firmware-proof
Limine-first boot (bootmgfw spoof), LUKS2 encryption, and btrfs snapshots.
Includes repair mode for re-applying Limine after a Windows feature update.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
28allday 2026-05-23 19:16:14 +01:00
commit 3dc211a7a1
3 changed files with 1532 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
.gitignore vendored Normal file
View file

@ -0,0 +1,16 @@
# Built/source ISOs (too large for git; rebuild with patch-win-omarchy.sh)
*.iso
# VM test runtime state
vm/
# Patcher work dirs (auto-created/removed during a build)
.omarchy-patch-*/
# Backups / archives
*.bak
# Local dev-only files — not part of the user-facing repo
vm-test.sh
NOTES.md
VIDEO-NOTES.md

145
README.md Normal file
View file

@ -0,0 +1,145 @@
# Win-Omarchy
Patch the [Omarchy](https://omarchy.com) installer ISO to install Omarchy alongside an
existing Windows 11 system, with LUKS2 encryption and btrfs snapshots. After install the
machine boots the **Limine menu first on every power-on** — no F12, no firmware boot-menu
interaction — and Windows is offered as a menu entry alongside Omarchy and bootable
snapshots.
Forked from [Dual-Boot-Omarchy](https://git.no-signal.uk/nosignal/Dual-Boot-Omarchy).
## How Limine-first boot is guaranteed
Many consumer firmwares ignore the UEFI boot order and always boot
`\EFI\Microsoft\Boot\bootmgfw.efi` (the Windows Boot Manager), so a normal Linux
bootloader never appears. Rather than rely on boot order, the installer **replaces
`bootmgfw.efi` with Limine** and preserves the genuine Windows loader alongside it as
`bootmgfwbackup.efi`. When the firmware boots "Windows Boot Manager" it launches Limine,
which then offers Omarchy and chainloads the real Windows loader on demand. An
`efibootmgr` BootOrder lock is also set as best-effort for firmware that honours it.
## Requirements
- **OS to run the patcher**: Arch Linux or Omarchy
- **Omarchy ISO**: from [omarchy.com](https://omarchy.com) — version-agnostic (tested through 3.8)
- **UEFI** firmware (no legacy BIOS)
- **20GB+ unallocated space** on the target drive
- **USB drive** for booting the patched ISO
- **Secure Boot OFF** — Limine is unsigned; with Secure Boot on the firmware silently
rejects it and falls through to Windows. The installer detects this and stops by default.
## Before installing — BitLocker / Device Encryption
Changing the bootloader changes the TPM PCR 4/7 measurements, so Windows may demand the
48-digit BitLocker recovery key on its next boot. Before booting the installer USB, in
Windows:
1. **Back up your recovery key** (`https://account.microsoft.com/devices/recoverykey` or
Settings → Privacy & security → Device encryption → Back up your recovery key).
2. **Suspend BitLocker** in an admin PowerShell:
```powershell
manage-bde -protectors -disable C: -RebootCount 0
```
3. **Shut down fully** (not "Restart" — Fast Startup leaves the NTFS dirty):
`shutdown /s /f /t 0`
The installer will not proceed past Windows detection until you confirm you have the key.
## Quick start
```bash
# With the Omarchy ISO in this directory:
sudo ./patch-win-omarchy.sh
# Or point it at the ISO directly:
sudo ./patch-win-omarchy.sh /path/to/omarchy-3.8.0.iso
```
This produces `win-omarchy-YYYY.MM.DD.iso`. It's a hybrid ISO — write it to USB with
`dd` (or Ventoy) and boot the target machine from it.
## Installer menu
| # | Option | Action |
|---|--------|--------|
| 1 | Dual Boot (Heaven and Hell mode) | Install Omarchy alongside Windows (dual-boot) |
| 2 | Consider that a divorce | Remove a failed/old install; restores the genuine Windows bootloader |
| 3 | Nuke the site from orbit | Standard install — wipes the whole drive (no dual-boot) |
| 4 | Exit to Ghost in the… | Drop to a terminal |
| 5 | I'll be back | Repair: re-apply Limine after a Windows update overwrote it |
### Option 1 — Dual-boot install
1. Drive selection (auto-detects a single non-USB drive; detects Windows)
2. Free-space check (20GB+)
3. LUKS2 encryption password
4. Partitioning in free space: 1GB `LINUXEFI` (FAT32) + LUKS2 root
5. Btrfs subvolumes: `@`, `@home`, `@log`, `@pkg`
6. Omarchy configurator (username, hostname, timezone, keyboard)
7. `archinstall` base system + full Omarchy desktop (offline, from the ISO)
8. Limine + unified kernel image (encrypt hook), snapper, Plymouth
9. **bootmgfw spoof** + Windows chainload entry (by GPT PARTUUID) + BootOrder lock
Windows partitions are untouched apart from the single `bootmgfw.efi` swap (original
preserved as `bootmgfwbackup.efi`).
### Option 5 — Repair after a Windows update
A Windows **feature update** can reinstall `bootmgfw.efi`, overwriting Limine; the
machine then boots straight to Windows and the Limine menu disappears. Option 5 re-applies
the spoof — refreshing the backup with the current Windows loader and re-installing
Limine. It is idempotent (does nothing if the spoof is already intact).
## Target drive layout
```
Drive:
├── Windows partitions (preserved)
│ └── EFI System Partition
│ ├── EFI/Microsoft/Boot/bootmgfw.efi ← replaced with Limine
│ └── EFI/Microsoft/Boot/bootmgfwbackup.efi ← original Windows loader (chainloaded)
├── LINUXEFI (1GB FAT32) ← Limine, EFI/Linux/omarchy_linux.efi (UKI), limine.conf
└── Linux root (LUKS2 → btrfs) ← @ / @home / @log / @pkg
```
## How the patcher works
Extracts the ISO and its squashfs, injects a dual-boot setup script into the live
environment, re-points the boot sequence to run it on tty1, then repacks the squashfs and
rebuilds the ISO via `xorriso` boot-image replay — preserving the original MBR/GPT/El
Torito layout byte-for-byte, so it works across Omarchy versions without per-version
tweaks. Build dependencies (`xorriso`, `squashfs-tools`, `cdrtools`) are installed
automatically if missing.
## Troubleshooting
**Boots straight to Windows, no Limine menu.** A Windows feature update likely reinstalled
its bootloader over the spoof — boot the USB and run **option 5**. On a fresh install that
never showed Limine, confirm **Secure Boot is OFF**.
**No LUKS prompt / won't unlock.** Check the encrypt hook:
`lsinitcpio /boot/EFI/Linux/omarchy_linux.efi | grep encrypt`, then `sudo mkinitcpio -P`.
**Windows missing from the Limine menu.** The entry chainloads `bootmgfwbackup.efi` on the
Windows ESP by GPT PARTUUID — verify it's present in `/boot/limine.conf` and on the ESP.
(`FIND_BOOTLOADERS` does **not** detect Windows; the entry is written explicitly.)
**Failed install left orphan partitions.** Boot the USB and pick **option 2** — it removes
the Linux partitions and restores the genuine Windows bootloader.
## Uninstalling (keeping Windows)
Boot the USB and choose **option 2**: restores the real `bootmgfw.efi`, removes the Linux
EFI + LUKS partitions, cleans up UEFI entries. Reclaim the free space from Windows Disk
Management.
## Credits
- [Omarchy](https://omarchy.com) — Arch-based distribution
- [archinstall](https://github.com/archlinux/archinstall) — Arch installer framework
- [Limine](https://limine-bootloader.org/) — bootloader
- [Snapper](http://snapper.io/) — btrfs snapshot management
## License
Provided as-is for the Omarchy community.

1371
patch-win-omarchy.sh Executable file
View file

File diff suppressed because it is too large Load diff