#1 2023-06-23 00:52:14

TheFurryWhoBroilsFood
Member
Registered: 2023-06-23
Posts: 3

Set up a boot process where the kernel is stored on encrypted root.

I'm not really sure how to configure this setup.
Here's what I would like to happen:
1) Computer powers up
2) BIOS/UEFI launches a signed GRUB 2 bootloader
3) GRUB asks the user for a password
4) GRUB uses that password to decrypt root partition formatted as EXT4 under LUKS1 which contains the directory /boot
5) GRUB now displays the menu in which the user can select the boot option
6) The user selects (or it autoselects) the default option which loads the kernel at /boot/vmlinuz-linux and the initramfs at /boot/initramfs-linux.img
7) The kernel mounts the same root partition as the one containing the kernel
8) OS boots
9) Profit

Essentially, I want an encrypted /boot but without an extra /boot partition.
How can I configure this (assuming /boot is located on the root partition and I have a new directory /efi which contains the unencrypted boot partition WITHOUT a kernel)?

#2 2023-06-23 00:54:07

TheFurryWhoBroilsFood
Member
Registered: 2023-06-23
Posts: 3

Re: Set up a boot process where the kernel is stored on encrypted root.

I already have an encrypted root but /boot is a separate, unencrypted partition with the kernel on it.
For some reason, AMD microcode and initramfs aren't signed and could be tampered with on my machine. Thanks Shim.

#3 2023-06-23 13:48:23

-thc
Member
Registered: 2017-03-15
Posts: 766

Re: Set up a boot process where the kernel is stored on encrypted root.

6a) The kernel asks for the password again before mounting "root". Can be mitigated by establishing a second LUKS key slot with a shared secret...

If you aim for protecting the files loaded by grub - may I suggest configuring grub to load only files with a valid detached signature that matches its contained key?

#4 2023-07-08 20:19:46

TheFurryWhoBroilsFood
Member
Registered: 2023-06-23
Posts: 3

Re: Set up a boot process where the kernel is stored on encrypted root.

Hello, to provide a solution for any onlookers (as I sort of forgot about this thread).

My issue was that initramfs and microcode weren't signed and thus vulnerable to malicious modification.

Instead of encrypting them, I found a better solution:
- using a Unified Kernel Image
- sign it with Secure Boot
- manually register it with UEFI with efibootmgr (no bootloader like GRUB).

This ensures that the initramfs, kernel, parameters, and splash screen (very important that no one tampers with my splash screen) aren't tampered with.
Although it isn't encrypted, it cannot be tampered with unless someone steals your secure boot key.
https://wiki.archlinux.org/title/Unified_kernel_image
https://wiki.archlinux.org/title/Unifie … ecure_Boot
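Added example, not from this thread or the Arch wiki: a small Python reader for the PE section table, which is the check a defender would run on a built UKI before enrolling it, to confirm that the kernel, initramfs, command line (and splash) really sit inside the one image the Secure Boot signature covers. The sample image is constructed inline and is not bootable; on a real system you would read the signed .efi file instead.

```python
import struct

# Sections a systemd-stub style UKI carries (.splash is optional); the Secure Boot
# signature covers the whole PE image, so these are what it protects.
UKI_SECTIONS = {".linux", ".initrd", ".cmdline", ".osrel", ".splash"}

def pe_sections(image: bytes) -> dict:
    """Parse the PE/COFF section table; returns {name: (file_offset, raw_size)}."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4  # 20-byte COFF file header
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(nsections):
        entry = table + 40 * i  # one 40-byte IMAGE_SECTION_HEADER per section
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii")
        raw_size, raw_off = struct.unpack_from("<II", image, entry + 16)
        sections[name] = (raw_off, raw_size)
    return sections

def section_data(image: bytes, name: str) -> bytes:
    off, size = pe_sections(image)[name]  # raw bytes of one section, e.g. the cmdline
    return image[off:off + size]

def missing_uki_sections(image: bytes) -> set:
    """Expected UKI sections the image lacks (the signature cannot cover what is not inside)."""
    return UKI_SECTIONS - set(pe_sections(image))

def build_sample_pe(sections: dict) -> bytes:
    """Constructed, non-bootable PE with the given {name: payload}; test input only."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 2)  # x86-64, no optional header
    table, blobs, off = b"", b"", 64 + 4 + 20 + 40 * len(sections)
    for name, blob in sections.items():
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(blob), 0, len(blob), off, 0, 0, 0, 0, 0)
        blobs, off = blobs + blob, off + len(blob)
    return bytes(dos) + b"PE\0\0" + coff + table + blobs

# Constructed stand-in for a real UKI; real .linux/.initrd hold vmlinuz-linux and initramfs-linux.img.
SAMPLE_UKI = build_sample_pe({".osrel": b"ID=arch\n", ".linux": b"<kernel bytes>",
                              ".initrd": b"<initramfs bytes>",
                              ".cmdline": b"root=/dev/mapper/cryptroot rw quiet\n"})
```

Running `missing_uki_sections` on the constructed image reports only `.splash` as absent; the same call on a real UKI tells you which of the pieces the post lists are actually inside the signed file.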
