Not sure if this is the correct location to post this—I’d be grateful if someone could direct me to the right place if it’s not!
I’m looking for a way to get an unbroken chain of trust from EFI to the LUKS2-encrypted booted system, on Silverblue/Kinoite. I’ve looked over the options available to me and I’m not sure it’s possible right now:
1. Using the default setup with a separate `/boot` partition leaves the initramfs unencrypted and unsigned, breaking the chain of trust.
2. Grub 2.06 theoretically supports booting from a LUKS1-encrypted `/boot`, leaving the chain of trust intact, but Anaconda doesn’t support an encrypted `/boot`. Besides, it doesn’t look like it’s possible to reliably upgrade a LUKS1 container to LUKS2.
3. Generating a unified kernel image (that I can sign myself) doesn’t appear to be supported by ostree.
Going over the options available, it appears that the path of least resistance would be 3. Is there a way to get ostree and dracut to deploy and sign a unified image that I can boot from? I’ve found the kernel-install scripts in `/usr/lib/kernel/install.d`, and they seem to be “short-circuited” by `00-rpmostree-skip.install`. Could I put my own script in there that generates a unified image, without messing with the ostree deployment process?
(Also posted here.)
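To make option 3 concrete, here is an added example (not from the post or from ostree/rpm-ostree) of what a kernel-install plugin that builds and signs a unified kernel image would look like. It assumes dracut's `--uefi` mode with the systemd EFI stub installed, `sbsign`/`sbverify` from sbsigntools, placeholder key, certificate and ESP paths, and a plugin file name that sorts before whichever plugin exits 77 (kernel-install runs plugins in lexical order and stops after one exits 77); whether rpm-ostree actually invokes it is exactly the open question above.

```shell
#!/bin/sh
# Added example, not from the original post: a kernel-install plugin that
# builds a unified kernel image (UKI) with dracut and signs it for Secure Boot.
# kernel-install invokes plugins as:
#   COMMAND KERNEL_VERSION BOOT_DIR_ABS KERNEL_IMAGE [INITRD_FILE ...]
# The key/cert paths, ESP directory and LUKS UUID below are placeholders.
set -eu

SIGN_KEY="${UKI_SIGN_KEY:-/etc/uki-signing/db.key}"    # assumed: key enrolled in db
SIGN_CERT="${UKI_SIGN_CERT:-/etc/uki-signing/db.crt}"  # assumed: matching cert
ESP_DIR="${UKI_ESP_DIR:-/boot/efi/EFI/Linux}"          # assumed: ESP location

# One signed UKI per kernel version, so a rollback target keeps its own image.
uki_path() {
    printf '%s/fedora-%s.efi\n' "$1" "$2"
}

# Stub + kernel + initramfs + kernel cmdline become a single PE binary, so the
# firmware signature covers the initramfs and the cmdline, not just the kernel.
build_uki() {
    kver="$1"; kernel="$2"; out="$3"
    dracut --force --uefi --kver "$kver" --kernel-image "$kernel" \
        --kernel-cmdline "rd.luks.uuid=luks-PLACEHOLDER-UUID ro" "$out"
}

# Sign with the key whose certificate is enrolled in the firmware db, then
# verify against that certificate so a bad signature fails here, not at boot.
sign_uki() {
    sbsign --key "$SIGN_KEY" --cert "$SIGN_CERT" --output "$1.signed" "$1"
    mv "$1.signed" "$1"
    sbverify --cert "$SIGN_CERT" "$1"
}

plugin_main() {
    cmd="$1"; kver="$2"; kernel="${4:-}"
    target=$(uki_path "$ESP_DIR" "$kver")
    case "$cmd" in
        add)
            build_uki "$kver" "$kernel" "$target"
            sign_uki "$target"
            ;;
        remove)
            rm -f "$target"
            ;;
    esac
}

# kernel-install always passes arguments; with none, only the functions are defined.
if [ "$#" -ge 2 ]; then
    plugin_main "$@"
fi
```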