systemd-boot is a great simplification over grub for those who can use it. When using systemd-boot, support for a fancy boot menu would benefit various use cases. Even without populating the random number quality related files with bootctl, systemd will make them on next boot. When using systemd-boot I can run bootctl though I can also deploy with systemd-boot without using bootctl.
With uki directly loaded by UEFI the only boot menu is UEFI itself. The uki is built with a systemd-stub and works similarly to sd-boot. The uki being signed myself allows me to choose kernel parameters and the contents of the initrd at will. Managing a certificate infrastructure and enrolling the keys in UEFI is a normal part of the solution.
The additional protection from actual full disk encryption is real. The storage device is purely ciphertext, no luks headers, no partitioning metadata in the clear. The detached luks headers are stored on the SD card.
Right now I feel like in the future I should be careful to not present anything this “advanced” on the fedora discussion forums. The few times I have, it has resulted in takedown efforts like this one seems to be, and that is not helpful to anyone. What is your recommendation?
I say ditch bootctl for installation… It is just a matter of cp…
The UEFI isn’t always a great boot menu… and can’t automatically detect UKIs in a certain directory [you use the default path, so…].
Your approach doesn’t permit having multiple kernels etc… and definitely not dualbooting with windows [yes, it’s a requirement for many, at least initially]
systemd-boot is a no-frills simple bootloader with all the needed features and none of the unneeded.
That’s not a really common feat a normal average basic user can achieve.
Such a protection is fine if the system contains critical information of the next missile, but for the average user even LUKS is overkill…
It’s not like anyone will be sanely able to do a detached LUKS header setup in the 1st place.
You can present it; No issues.
Just put a disclaimer the next time that this setup is not for everyone… it’s overkill.
Quite a few months ago even I used to do this on gentoo… overkill setups
Just a tip: Like I did, just try to copy the header onto the encrypted disk somewhere in /etc, configure the initrd to include it, and then configure the system to use the header exclusively from the initrd [and the rootfs] rather than the ESP… [You may want to remove the header from the SD card, or even back it up to some other safe retrievable place] You can unplug the card earlier in the boot process… and more overkill security
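As an added example (not code from this thread or from any of its participants), a read-only Python audit of what a device exposes in the clear: it parses the LUKS1/LUKS2 binary header layout (magic, version, cipher or label, UUID) and scans a disk image for MBR/GPT signatures and LUKS headers at sector boundaries, which is exactly the property the detached-header setup discussed above relies on. The detached header and the "ciphertext" bytes are constructed for the demo and the header is not an openable volume.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic

def parse_luks_header(data: bytes) -> "dict | None":
    """Summarise a LUKS1/LUKS2 binary header at the start of data, or return None."""
    if len(data) < 208 or data[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        return None
    field = lambda a, b: data[a:b].split(b"\0", 1)[0].decode("ascii", "replace")
    (version,) = struct.unpack(">H", data[6:8])
    if version == 1:   # phdr: cipher name @8, mode @40, hash @72, uuid @168
        return {"version": 1, "cipher": f"{field(8, 40)}-{field(40, 72)}",
                "hash": field(72, 104), "uuid": field(168, 208)}
    if version == 2:   # hdr_size @8 (binary header + JSON area), label @24, uuid @168
        return {"version": 2, "hdr_size": struct.unpack(">Q", data[8:16])[0],
                "label": field(24, 72), "uuid": field(168, 208)}
    return {"version": version}

def audit_cleartext_metadata(image: bytes, sector: int = 512) -> "list[str]":
    """List what a disk image exposes in the clear: MBR/GPT signatures and LUKS headers.
    A device encrypted with a detached header should yield an empty list."""
    findings = []
    if image[510:512] == b"\x55\xaa":
        findings.append("MBR boot signature at offset 510")
    if image[512:520] == b"EFI PART":
        findings.append("GPT header signature at offset 512")
    for off in range(0, len(image), sector):
        hdr = parse_luks_header(image[off:off + 512])
        if hdr:
            findings.append(f"LUKS{hdr['version']} header at offset {off}")
    return findings

def make_luks2_header(uuid: str, label: str = "", hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2 binary header for the demo (JSON area zeroed; not openable)."""
    binary = struct.pack(">6sHQQ48s32s64s40s48sQ184s64s", LUKS_MAGIC, 2, hdr_size, 1,
                         label.encode(), b"sha256", bytes(64), uuid.encode(), b"", 0,
                         bytes(184), bytes(64))
    return binary + bytes(hdr_size - len(binary))   # padding + empty JSON area

# Constructed samples: a detached header file and 8 KiB of header-less "ciphertext".
DETACHED_HEADER = make_luks2_header("1b2c3d4e-0000-4000-8000-c0ffee000001", "rootfs")
CIPHERTEXT_IMAGE = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(256))

if __name__ == "__main__":
    print("header :", parse_luks_header(DETACHED_HEADER))
    print("device :", audit_cleartext_metadata(CIPHERTEXT_IMAGE) or "nothing in the clear")
```

Run the audit against the first few MiB of the real block device (read with `dd`) and against the header file on the SD card: the device should report nothing, the header file should report a LUKS2 header at offset 0.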