Not sure if this is the correct location to post this—I’d be grateful if someone could direct me to the right place if it’s not!
I’m looking for a way to get an unbroken chain of trust from EFI to the LUKS2-encrypted booted system, on Silverblue/Kinoite. I’ve looked over the options available to me and I’m not sure it’s possible right now:
1. Using the default setup with a separate `/boot` partition leaves the initramfs unencrypted and unsigned, breaking the chain of trust.
2. Grub 2.06 theoretically supports booting from a LUKS1 encrypted `/boot`, leaving the chain of trust intact, but Anaconda doesn’t support encrypted `/boot`. Besides, it doesn’t look like it’s possible to reliably upgrade a LUKS1 container to LUKS2.
3. Generating a unified kernel image (that I can sign myself) doesn’t appear to be supported by ostree.
Going over the options available, it appears that the path of least resistance would be 3. Is there a way to get ostree and dracut to deploy and sign a unified image that I can boot from? I’ve found the kernel-install scripts in `/usr/lib/kernel/install.d`, and they seem to be “short-circuited” by `00-rpmostree-skip.install`. Could I put my own script in there that generates a unified image, without messing with the ostree deployment process?
(Also posted here.)
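As an added illustration of what the third option would look like (this is example code, not part of the post above and not anything ostree or rpm-ostree ships), the script below follows the kernel-install(8) plugin interface, `<plugin> add|remove <kernel-version> <entry-dir> <kernel-image> [<initrd>...]`: on `add` it asks dracut for a unified kernel image (`--uefi`), signs it with `sbsign`, refuses to publish it unless `sbverify` accepts the signature, then moves it atomically into the Boot Loader Specification type 2 location `ESP/EFI/Linux/<entry-token>-<version>.efi`. The plugin filename, the ESP mount point, the key and certificate paths, and the fallback order for the entry token are all assumptions; the `KERNEL_INSTALL_ENTRY_TOKEN` variable is the one recent systemd exports to plugins, but the script does not depend on it. Whether kernel-install would ever reach this plugin on an ostree system is exactly the open question raised above (the skip script stops the chain), so the script takes the same arguments when run by hand. For the firmware to accept the result, the certificate behind `SB_CERT` must be enrolled in the UEFI db (or via shim/MOK); signing alone does not establish trust.

```shell
#!/bin/sh
# Hypothetical kernel-install plugin, e.g. /usr/lib/kernel/install.d/90-uki-sign.install
# (filename assumed). Invoked as: <plugin> add|remove <kver> <entry-dir> <kernel-image> [<initrd>...]
set -eu

# Assumed locations; none of these come from the original post. Adjust to the host.
ESP_DIR="${ESP_DIR:-/boot/efi}"                 # mounted EFI System Partition
SB_KEY="${SB_KEY:-/etc/secureboot/db.key}"      # private key; its cert must be in db or MOK
SB_CERT="${SB_CERT:-/etc/secureboot/db.crt}"

# BLS type 2 entries: ESP/EFI/Linux/<entry-token>-<version>.efi
uki_path() {
    # $1 = ESP mount, $2 = entry token, $3 = kernel version
    printf '%s/EFI/Linux/%s-%s.efi\n' "$1" "$2" "$3"
}

entry_token() {
    # Prefer the token kernel-install hands us (assumption: recent systemd sets it),
    # then the machine-id, then the os-release ID.
    if [ -n "${KERNEL_INSTALL_ENTRY_TOKEN:-}" ]; then
        printf '%s\n' "$KERNEL_INSTALL_ENTRY_TOKEN"
    elif [ -r /etc/machine-id ]; then
        cat /etc/machine-id
    else
        . /etc/os-release
        printf '%s\n' "$ID"
    fi
}

build_uki() {
    # $1 = kernel version, $2 = kernel image, $3 = output path (unsigned UKI).
    # dracut --uefi emits stub + kernel + initramfs + cmdline as one PE image instead of a
    # bare initramfs; it needs the systemd EFI stub installed (assumption for this host).
    dracut --force --uefi --kver "$1" --kernel-image "$2" "$3"
}

sign_uki() {
    # $1 = unsigned UKI, $2 = signed output. sbsign/sbverify are from sbsigntools.
    # Verifying against our own cert before publishing catches a wrong key or a
    # truncated write; the firmware's check at boot is the real gate.
    sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$2" "$1"
    sbverify --cert "$SB_CERT" "$2"
}

main() {
    cmd="$1"
    kver="$2"
    kimg="${4:-}"
    token="$(entry_token)"
    out="$(uki_path "$ESP_DIR" "$token" "$kver")"
    case "$cmd" in
        add)
            [ -n "$kimg" ] || { echo "uki-sign: kernel image path missing" >&2; exit 1; }
            unsigned="$out.unsigned"
            signed="$out.tmp"
            trap 'rm -f "$unsigned" "$signed"' EXIT    # never leave half-built images on the ESP
            mkdir -p "$(dirname "$out")"
            build_uki "$kver" "$kimg" "$unsigned"
            sign_uki "$unsigned" "$signed"
            mv "$signed" "$out"                         # publish only after verification passed
            sha256sum "$out" >&2                        # audit trail of what was put on the ESP
            ;;
        remove)
            rm -f "$out"
            ;;
        *)
            exit 0                                      # other kernel-install verbs are not ours
            ;;
    esac
}

# Run only when called with arguments, so the functions can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run by hand as `ESP_DIR=/boot/efi ./90-uki-sign.install add 6.x.y-zzz /boot/efi /usr/lib/modules/6.x.y-zzz/vmlinuz` (paths are placeholders); note the image is written to the ESP, not into the ostree deployment, so it sits outside what rpm-ostree manages and rolls back.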