Unified EFI images on Silverblue?

Not sure if this is the correct location to post this—I’d be grateful if someone could direct me to the right place if it’s not!

I’m looking for a way to get an unbroken chain of trust from EFI to the LUKS2-encrypted booted system, on Silverblue/Kinoite. I’ve looked over the options available to me and I’m not sure it’s possible right now:

  1. Using the default setup with a separate /boot partition leaves the initramfs unencrypted and unsigned, breaking the chain of trust.
  2. Grub 2.06 theoretically supports booting from a LUKS1 encrypted /boot, leaving the chain of trust intact, but Anaconda doesn’t support encrypted /boot. Besides, it doesn’t look like it’s possible to reliably upgrade a LUKS1 container to LUKS2.
  3. Generating a unified kernel image (that I can sign myself) doesn’t appear to be supported by ostree.

Going over the options available, it appears that the path of least resistance would be 3. Is there a way to get ostree and dracut to deploy and sign a unified image that I can boot from? I’ve found the kernel-install scripts in /usr/lib/kernel/install.d, and they seem to be “short-circuited” by 00-rpmostree-skip.install. Could I put my own script in there that generates a unified image, without messing with the ostree deployment process?

(Also posted here.)
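A sketch of the kind of drop-in the post asks about, added here as an example and not code from the original post, from Fedora, or from ostree/rpm-ostree: a kernel-install plugin that has dracut build a unified kernel image (kernel, initramfs and cmdline in one PE file), signs it with the poster's own key via sbsign, and verifies the signature before declaring success. The plugin file name, the ESP mount point, the key and certificate paths and the UKI_* environment variables are all assumptions; the kernel-install calling convention (`add|remove <version> <entry-dir> <kernel-image>`) and the dracut/sbsign/sbverify flags are real. It does not settle how such a script interacts with 00-rpmostree-skip.install, which the post leaves open. The key's certificate must be enrolled in the firmware db (or in MOK if booting through shim), otherwise the signed image will be refused, which is exactly the chain-of-trust check the post wants to keep intact.

```shell
#!/bin/sh
# Hypothetical drop-in, e.g. /usr/lib/kernel/install.d/90-uki-sign.install (name is an assumption).
# kernel-install invokes plugins as: <plugin> add|remove <kernel-version> <entry-dir> <kernel-image>
set -eu

ESP="${UKI_ESP:-/boot/efi}"                   # assumed ESP mount point
SIGN_KEY="${UKI_SIGN_KEY:-/etc/uki/db.key}"   # placeholder: private key whose cert is enrolled in db/MOK
SIGN_CERT="${UKI_SIGN_CERT:-/etc/uki/db.crt}" # placeholder: matching certificate

# With UKI_DRY_RUN=1 the commands are printed instead of executed (used for testing below).
run() {
    if [ -n "${UKI_DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Where the signed UKI lands: the EFI/Linux directory that systemd-boot (and shim-aware
# boot managers) scan for type-2 boot entries.
uki_path() { # <esp> <entry-token> <kernel-version>
    printf '%s/EFI/Linux/%s-%s.efi\n' "$1" "$2" "$3"
}

# Build the unified image for one kernel version. dracut's --uefi embeds the kernel,
# the generated initramfs and the kernel cmdline into a single EFI binary.
build_uki() { # <kernel-version> <kernel-image> <output>
    run dracut --force --uefi --kver "$1" --kernel-image "$2" "$3"
}

# Sign the unified image with the operator's own key so firmware Secure Boot
# (or shim/MOK) validates kernel, initramfs and cmdline together.
sign_uki() { # <input> <output>
    run sbsign --key "$SIGN_KEY" --cert "$SIGN_CERT" --output "$2" "$1"
}

# systemd entry token: /etc/kernel/entry-token, else the machine-id, else a fallback.
entry_token() {
    if [ -r /etc/kernel/entry-token ]; then cat /etc/kernel/entry-token
    elif [ -r /etc/machine-id ]; then cat /etc/machine-id
    else echo fedora; fi
}

main() {
    cmd="$1"; ver="$2"; kimg="$4"
    out="$(uki_path "$ESP" "$(entry_token)" "$ver")"
    case "$cmd" in
        add)
            tmp="${out}.unsigned"
            build_uki "$ver" "$kimg" "$tmp"
            sign_uki "$tmp" "$out"
            rm -f "$tmp"
            # Refuse to leave an unverifiable image behind: sbverify fails if the
            # signature does not chain to SIGN_CERT.
            run sbverify --cert "$SIGN_CERT" "$out"
            ;;
        remove)
            rm -f "$out"
            ;;
    esac
}

# Only act when called by kernel-install with its four arguments.
if [ "$#" -ge 4 ]; then
    main "$@"
fi
```

Run with `UKI_DRY_RUN=1 sh 90-uki-sign.install add "$(uname -r)" /boot /lib/modules/$(uname -r)/vmlinuz` to see the exact dracut and sbsign invocations without writing to the ESP; drop the variable to perform them. The unsigned intermediate is removed before the script returns, so a failed sbsign never leaves an unsigned .efi in EFI/Linux for the boot manager to pick up.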
