Is it possible to have the ESP on an sdcard?

Using luks to do fde where even the partitioning is encrypted is attractive. The sdcard reader in my laptop allows for easy removal. So putting the ESP on the sdcard as well as the luks headers for the nvme drives and the bootloader, kernel and initrd would be nice.

The problem with the laptop in question is that grub does not get loaded and it fails to boot. Works fine in a qemu+kvm VM. It makes me think that the UEFI does not have good support for the sdcard storage. Bringing up an efi shell (tianocore) allows me to read the sdcard fine though.

Is sdcard support required in UEFI? Would a faster sdcard be a possible fix?

https://www.intel.com/content/dam/doc/product-specification/efi-v1-10-specification.pdf

The setup has only a single ESP. That ESP is on the removable sdcard.

The Realtek RTS5260 in this laptop is SD 6 / UHD-III. It is hard to tell if the UEFI reading shim is the problem or if shim reading grub or grub reading configuration is the problem. Do shim and grub use the host’s uefi to read other files?

From the spec I would guess it is up to the UEFI implementation as to what kind of support for sdcard there is. Are there examples of UEFI implementations where there is good support for sdcard?

Everything is done via kickstart. I do not see any way to get the bootloader, kernel, initrd and config files on the ESP otherwise. In other words, this is a custom install and support in the fedora installer is not being asked for.

I would like to know if anyone has had success with using an sdcard for the ESP with or without any other of my customizations.
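As an added example (not code from the thread, Fedora or cryptsetup), this is the detached-header layout the opening post describes: the LUKS2 header lives in a file on the removable ESP (the SD card) and the NVMe partition holds only ciphertext, so nothing on it identifies it as LUKS. The paths, the key file and the `cryptroot` mapping name are assumptions; the `demo` function must run as root with cryptsetup installed, because cryptsetup attaches regular files to loop devices.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical layout: LUKS2 *data* on
# the NVMe partition, its detached header in a file on the removable ESP
# (SD card), so nothing on the NVMe identifies it as LUKS.
set -eu

# A LUKS header starts with the 6-byte magic "LUKS\xba\xbe". Checking the
# first four bytes is enough to tell a conventional in-place header apart
# from a detached-header data area, which looks like random bytes.
luks_has_signature() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "LUKS" ]
}

# Format DATA with the header written to HEADER instead of the start of
# DATA. The header file is pre-created; 32 MiB is plenty for the default
# LUKS2 layout. --pbkdf pbkdf2 only keeps the demo fast; drop it (argon2id
# is the default) for a real install.
luks_format_detached() {
    data=$1; header=$2; keyfile=$3
    [ -e "$header" ] || truncate -s 32M "$header"
    cryptsetup luksFormat --batch-mode --type luks2 --pbkdf pbkdf2 \
        --header "$header" --key-file "$keyfile" "$data"
}

# crypttab(5) line for the mapping. The data partition carries no LUKS
# UUID, so it cannot be addressed as UUID=...; use a stable path such as
# /dev/disk/by-partuuid/... and point header= at the file on the ESP.
crypttab_line() {
    name=$1; data_path=$2; header_path=$3
    printf '%s %s none luks,header=%s\n' "$name" "$data_path" "$header_path"
}

# End-to-end on loop-backed files. Run as root: `sh detached.sh demo`.
demo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    esp="$tmp/esp"; mkdir -p "$esp/luks"   # stands in for the mounted SD card
    dd if=/dev/zero of="$tmp/nvme0n1p2.img" bs=1M count=16 status=none
    head -c 32 /dev/urandom > "$tmp/key"   # constructed key, demo only

    luks_format_detached "$tmp/nvme0n1p2.img" "$esp/luks/root.hdr" "$tmp/key"

    # The header file is a valid LUKS device; the data image is not.
    luks_has_signature "$esp/luks/root.hdr" && echo "header: LUKS magic present"
    luks_has_signature "$tmp/nvme0n1p2.img" || echo "data:   no LUKS magic (good)"
    cryptsetup luksDump "$esp/luks/root.hdr" | grep -E '^(Version|UUID)'

    # Opening requires the header; with the card removed this cannot succeed.
    cryptsetup open --header "$esp/luks/root.hdr" --key-file "$tmp/key" \
        "$tmp/nvme0n1p2.img" demo_detached
    cryptsetup close demo_detached

    # What the initrd's crypttab would carry (hypothetical PARTUUID).
    crypttab_line cryptroot /dev/disk/by-partuuid/CHANGE-ME /boot/efi/luks/root.hdr
}

if [ "${1:-}" = demo ]; then demo; fi
```

Two caveats a practitioner wants with this layout: the header file is the only copy of the key material, so back it up (`cryptsetup luksHeaderBackup --header-backup-file`) before relying on the card, and because the data partition has no LUKS UUID, the initrd must locate it by a stable device path rather than by `UUID=`.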

This is how researchers do it... Especially when traveling. I think you can find some Kali Linux tutorials on how to achieve just this. I "had" a script for this for a Fedora Security spin, but I am not on that machine at the moment.


To my knowledge, grub does not support being installed on a single ESP. It requires three partitions – BIOSBOOT, /boot, and /boot/efi. Can you use sd-boot? sd-boot will work happily on a single partition.


To get to two factor authentication the first factor is something I have (the laptop and the sdcard are something I have). The second factor is something I know (the luks passphrase). If a bad actor gets both the laptop and sdcard there is still less protection than there could be. There are some self encrypting usb drives with keypads which are a step better.

A tpm with a pin would be two factor. A tpm with a yubikey would not. A yubikey with a pin would. But those all leave plenty in plaintext which would be nice to eliminate. Fun stuff.

I should have mentioned that... I'm on systemd-boot

@glb

sd-boot works as well but I like that grub's shim is signed by a third party. I have not gone the route of adding certs to mok to date. But doing so and removing all other certs has advantages. Making sure uefi still loads and can be updated are my current concerns with going that route. Since keeping the certs shipped by the manufacturer is in play, using the fedora signed shim seems easier without any loss of protection.

For grub the key is that it supports the bootloader specification, so the directory layout has to conform to the BLS.

@vekruse

This reply of yours on another post seems better addressed here as it seems to be tangent to the OP question.

Not too many fedora versions ago there were more symlinks in /boot beyond symvers. It was at that time that I played around with the XBOOTLDR partition. vfat does not support symlinks and I was attempting to have fedora utilities all still work. Having XBOOTLDR as an ext2 allowed for symlinks. To get UEFI to use it required adding an ext2 efi driver in the ESP. All worked using kickstart, custom configuration and custom scripts.

The grub2-efi-x64 package does not have many files and they are all that is needed in ESP and XBOOTLOADER. systemd-boot-unsigned is similar in what gets placed in the ESP and XBOOTLOADER.

sd-boot works just fine in this scenario with secure boot turned off. Once sd-boot ships signed I’d like to switch to it. Currently I am not willing to manage my own certs for this. sd-boot with uki and measured boot seems to be just around the corner.

I am ordering a new technology sdcard so I can make another attempt. I would be happy to share the work if there is any interest.