When I moved to Coreboot, I also elected to encrypt my /boot partition, which is decrypted by the GRUB payload of Coreboot. I mostly worked on this by trial-and-error, which resulted in the workflow:

  1. GRUB unlocks /boot
  2. Keyfile in /boot opens /
  3. Partition for /boot is listed in /etc/crypttab, with another keyfile to unlock /boot again from within Linux
  4. /boot is mounted via /etc/fstab

Steps 3 and 4 always seemed inelegant to me, but after doing systemd-analyze, I realized how much those steps consume when booting (9 sec).

My questions:

  • After GRUB unlocks /boot and boots into Linux proper, is there any way to access /boot without unlocking again?
  • Are the keys discarded when initramfs hands off to the main Linux system?
  • If GRUB supports encrypted /boot, was there a ‘correct’ way to set it up?
  • Or am I left with mounting /boot manually for kernel updates if I want to avoid steps 3 and 4?
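As an added illustration of steps 3 and 4 (not part of the post above), the script below cross-checks crypttab-style entries against fstab-style entries and totals the time a `systemd-analyze blame` listing attributes to the resulting cryptsetup and mount units, which is the cost the post measured at about 9 seconds. All three inputs are constructed samples; the volume names, UUIDs and keyfile paths are placeholders, not the poster's real configuration.

```shell
# Added example, not from the post: relate /etc/crypttab (step 3) and /etc/fstab
# (step 4) to the boot time `systemd-analyze blame` reports for their units.
# All inputs are constructed samples; names, UUIDs and keyfile paths are placeholders.

CRYPTTAB='# name       device                                    keyfile            options
boot_crypt   UUID=00000000-0000-0000-0000-0000000000b0 /etc/keys/boot.key luks
data_crypt   UUID=00000000-0000-0000-0000-0000000000d0 /etc/keys/data.key luks,noauto'

FSTAB='/dev/mapper/root_crypt  /      ext4  defaults  0 1
/dev/mapper/boot_crypt  /boot  ext4  defaults  0 2'

BLAME='9.012s systemd-cryptsetup@boot_crypt.service
1.200s boot.mount
512ms systemd-udevd.service
37ms systemd-cryptsetup@data_crypt.service'

# Print "<name> <mountpoint>" for every crypttab entry whose mapper device is
# mounted from fstab; entries with no fstab line (data_crypt here) are skipped.
mounted_crypttab_entries() {
    printf '%s\n' "$CRYPTTAB" | awk '!/^[[:space:]]*(#|$)/ { print $1 }' |
    while IFS= read -r name; do
        printf '%s\n' "$FSTAB" | awk -v name="$name" '$1 == "/dev/mapper/" name { print name, $2 }'
    done
}

# Sum, in whole milliseconds, the blame lines for systemd-cryptsetup@<name>.service
# and <mountpoint>.mount of each mounted entry. Durations in "s" or "ms" are handled;
# the .mount unit name uses the simple rule that fits /boot (systemd-escape is the general case).
boot_crypt_cost_ms() {
    entries="$(mounted_crypttab_entries)"
    printf '%s\n' "$BLAME" | awk -v entries="$entries" '
        BEGIN {
            n = split(entries, line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")
                want["systemd-cryptsetup@" f[1] ".service"] = 1
                mp = f[2]; sub(/^\//, "", mp); gsub(/\//, "-", mp)
                want[mp ".mount"] = 1
            }
        }
        ($2 in want) {
            v = $1
            if (v ~ /ms$/)     { sub(/ms$/, "", v); total += v }
            else if (v ~ /s$/) { sub(/s$/, "", v);  total += v * 1000 }
        }
        END { printf "%d\n", total + 0.5 }'
}

boot_crypt_cost_ms   # prints 10212 for the sample data
```

Pointing `CRYPTTAB`, `FSTAB` and `BLAME` at the real files and at the output of `systemd-analyze blame` turns this into a quick check of how much of the boot is spent re-unlocking and mounting /boot.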
  • monovergent@lemmy.ml (OP) · 29 days ago

    Thanks for the explanation. And you’re right - it was a nice learning exercise and a “satisfying” stopgap while I figure out how to compile either Libreboot, which has a variant of GRUB patched with proper LUKS2 and Argon2 support, or TianoCore, which is rather involved and scantily documented for the old X230 hardware.