When I moved to Coreboot, I also elected to encrypt my /boot partition, which is decrypted by the GRUB payload of Coreboot. I mostly worked on this by trial-and-error, which resulted in the workflow:
1. GRUB unlocks `/boot`
2. Keyfile in `/boot` opens `/`
3. Partition for `/boot` is listed in `/etc/crypttab`, with another keyfile to unlock `/boot` again from within Linux
4. `/boot` is mounted via `/etc/fstab`
Steps 3 and 4 always seemed inelegant to me, but after running systemd-analyze, I realized how much time those steps consume when booting (9 sec).
My questions:
- After GRUB unlocks `/boot` and boots into Linux proper, is there any way to access `/boot` without unlocking again?
- Are the keys discarded when initramfs hands off to the main Linux system?
- If GRUB supports encrypted `/boot`, was there a 'correct' way to set it up?
- Or am I left with mounting `/boot` manually for kernel updates if I want to avoid steps 3 and 4?
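As an added illustration of steps 3 and 4 above (the second unlock of `/boot` from `/etc/crypttab` and the mount from `/etc/fstab`), not part of the original question or the asker's actual setup: the shell snippet below renders the configuration fragments such a layout needs. The LUKS device `/dev/sda1`, the mapper name `boot_crypt`, the keyfile path `/etc/keys/boot.key` and the sample UUID are all assumptions made for the example; the `GRUB_ENABLE_CRYPTODISK=y` setting is the real `/etc/default/grub` switch that makes `grub-mkconfig` emit the `cryptomount` lines for step 1.

```shell
# Added example, not the asker's configuration. Assumed, hypothetical names:
#   /dev/sda1            LUKS container holding /boot (its UUID is passed in)
#   boot_crypt           device-mapper name it is opened under
#   /etc/keys/boot.key   the second keyfile, kept on the already-unlocked root fs
MAPPER_NAME=${MAPPER_NAME:-boot_crypt}
KEYFILE=${KEYFILE:-/etc/keys/boot.key}

# /etc/crypttab field order: <name> <device> <keyfile> <options>.
# Naming the container by UUID survives device renumbering; "luks" is the
# plain LUKS unlock, which is all a keyfile-based unlock needs.
crypttab_line() {
  printf '%s UUID=%s %s luks\n' "$MAPPER_NAME" "$1" "$KEYFILE"
}

# /etc/fstab: mount the mapper device that crypttab opened. systemd waits for
# /dev/mapper/<name> to appear before it attempts boot.mount.
fstab_line() {
  printf '/dev/mapper/%s /boot ext4 defaults 0 2\n' "$MAPPER_NAME"
}

# Step 1 needs this in /etc/default/grub so grub-mkconfig emits the
# "insmod luks" / "cryptomount" lines that let the GRUB payload open /boot.
grub_default_line() {
  printf 'GRUB_ENABLE_CRYPTODISK=y\n'
}

# Render all three fragments for a given LUKS UUID (on a real system obtain it
# with: cryptsetup luksUUID /dev/sda1).
render_config() {
  printf '# /etc/crypttab\n';      crypttab_line "$1"
  printf '# /etc/fstab\n';         fstab_line
  printf '# /etc/default/grub\n';  grub_default_line
}

# Root-only commands that create and enrol the second keyfile, listed here
# rather than executed:
#   install -d -m 700 /etc/keys
#   dd if=/dev/urandom of=/etc/keys/boot.key bs=512 count=1
#   chmod 600 /etc/keys/boot.key
#   cryptsetup luksAddKey /dev/sda1 /etc/keys/boot.key
# To see what steps 3 and 4 cost at boot, as the question measured:
#   systemd-analyze blame | grep -E 'systemd-cryptsetup@boot_crypt|boot\.mount'

render_config "0f3c0d7e-0000-4000-8000-000000000001"  # constructed sample UUID
```

The keyfile must live on the root filesystem (step 2 has already opened it by then) and be readable only by root; the `systemd-cryptsetup@boot_crypt.service` and `boot.mount` units are exactly the two entries that show up in `systemd-analyze blame` for steps 3 and 4.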


Is there a reason UEFI Secure Boot with custom keys can’t be used?
This was the way on my UEFI desktop, but I gave up getting UEFI to work with Coreboot on the X230, so I settled for the next best thing.