When I moved to Coreboot, I also elected to encrypt my /boot partition, which is decrypted by the GRUB payload of Coreboot. I mostly worked on this by trial-and-error, which resulted in the workflow:
- GRUB unlocks
/boot - Keyfile in
/bootopens/ - Partition for
/bootis listed in/etc/crypttab, with another keyfile to unlock/bootagain from within Linux /bootis mounted via/etc/fstab
Steps 3 and 4 always seemed inelegant to me, but after doing systemd-analyze, I realized how much those steps consume when booting (9 sec).
My questions:
- After GRUB unlocks
/bootand boots into Linux proper, is there any way to access/bootwithout unlocking again? - Are the keys discarded when initramfs hands off to the main Linux system?
- If GRUB supports encrypted
/boot, was there a ‘correct’ way to set it up? - Or am I left with mounting
/bootmanually for kernel updates if I want to avoid steps 3 and 4?
Thanks for the explanation. And you’re right - it’s was a nice learning exercise and a “satisfying” stopgap while I figure out how to compile either Libreboot, which has a variant of GRUB patched with proper LUKS2 and Argon2 support, or TianoCore, which is rather involved and scantily documented for the old X230 hardware.