
struanr | 2 years ago

It's a pain to set up, but you can use the EFISTUB[1] capabilities of the Linux kernel to make it boot itself. Initramfs is then capable of decrypting argon2id LUKS2 partitions.

Since it requires keeping the kernel and other boot files on an unencrypted /boot partition, secure boot is a must to ensure the kernel hasn't been tampered with. Unfortunately, UEFI secure boot only supports signing one file, and so systemd-stub[2] can be used (doesn't require systemd) to combine boot resources in a single PE binary, allowing them to be signed.

I haven't followed it personally, but this[3] tutorial seems to go over the points I covered.

[1] https://wiki.archlinux.org/title/EFISTUB
[2] https://www.freedesktop.org/software/systemd/man/systemd-stu...
[3] https://nwildner.com/posts/2020-07-04-secure-your-boot-proce...
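The single-PE-binary assembly the comment describes, as an added example (not code from the comment or the linked tutorial): stub, os-release, command line, kernel and initramfs are glued together with objcopy and the result signed once for Secure Boot. The stub location and the db key/cert paths are assumptions (Arch-style), and paths must not contain whitespace.

```shell
#!/bin/sh
# Build a unified kernel image (UKI) from systemd-stub + os-release + cmdline +
# kernel + initramfs, then sign it so one Secure Boot signature covers all of them.
# Paths below are assumptions; adjust them for your distribution and key setup.
set -eu
STUB=${STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}
DB_KEY=${DB_KEY:-/etc/secureboot/db.key}   # assumed: the db key you enrolled in firmware
DB_CRT=${DB_CRT:-/etc/secureboot/db.crt}
SECTION_ALIGN=4096                          # start every section on a page boundary

align_up() { echo $(( ($1 + SECTION_ALIGN - 1) / SECTION_ALIGN * SECTION_ALIGN )); }

# Print the objcopy flags for the four payload sections. Each section's VMA is
# derived from the size of the previous one, so the sections can never overlap;
# the commonly copied fixed addresses (.linux=0x2000000, .initrd=0x3000000)
# silently break once the kernel grows past 16 MiB.
uki_objcopy_args() {
    osrel=$1 cmdline=$2 kernel=$3 initrd=$4
    vma=$(( 0x20000 ))   # first payload section, above the stub's own sections
    for pair in ".osrel=$osrel" ".cmdline=$cmdline" ".linux=$kernel" ".initrd=$initrd"; do
        name=${pair%%=*} file=${pair#*=}
        printf -- '--add-section %s=%s --change-section-vma %s=0x%x ' \
            "$name" "$file" "$name" "$vma"
        vma=$(align_up $(( vma + $(wc -c < "$file") )))
    done
}

# Usage: build_uki OUT.efi /usr/lib/os-release cmdline.txt vmlinuz-linux initramfs.img
build_uki() {
    out=$1; shift
    # shellcheck disable=SC2046   # splitting the flag list into words is intended
    objcopy $(uki_objcopy_args "$@") "$STUB" "$out.unsigned"
    sbsign --key "$DB_KEY" --cert "$DB_CRT" --output "$out" "$out.unsigned"
    rm -f "$out.unsigned"
    # Verify against the db cert before copying to the ESP; a bad signature
    # would only show up as a refused boot otherwise.
    sbverify --cert "$DB_CRT" "$out"
}
```

Since systemd 253 the same assembly is done by ukify, which computes the section layout itself; the script above mainly shows what that layout is and why it must be size-aware.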

aaronmdjones | 2 years ago

No need to pull any systemd utilities into this; the kernel can embed its initramfs within the kernel image when you build it -- just point it to either a directory containing the files that should be inside it, or a .cpio archive containing them. You can then sign that kernel image as normal and boot it directly as an EFI application.

xx_ns | 2 years ago

Well, the downside to this is that you have to compile your own kernel. Totally speculative, but I think most people (who update their kernel frequently) don't do that.

jeroenhd | 2 years ago

I think an unencrypted boot should also work fine with GRUB, as that too will let initramfs do the volume unlocking. I was hoping to get encrypted /boot to work.

I still need to get secure boot to work but dealing with it seems like such a pain, especially since I use various DKMS modules.