by jcgl
100 days ago
> 3. use clevis to enable automatic unlocking of the root fs only when secure boot check passes;

Can also use systemd-cryptsetup/systemd-cryptenroll for this. I've not used clevis myself, but I'd imagine you have to do somewhat more rolling-your-own compared to the systemd tools.

> The unified kernel image doesn't accept additional kernel parameters, so only parameters that are set during generation of the initram are used. The secure boot makes sure no one else has tampered with the boot chain. And TPM stores the disk key securely.

FYI, multi-profile UKIs are a thing. You can have one UKI with multiple different command lines, e.g. one for regular boot, one for emergency mode, etc.

https://uapi-group.org/specifications/specs/unified_kernel_i...
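As an added illustration of the systemd route mentioned above (example script, not the commenter's nor systemd's own code): it checks that Secure Boot is actually enabled before producing a `systemd-cryptenroll` invocation that seals the LUKS2 key slot to TPM2 PCR 7. The device path `/dev/nvme0n1p2` and the efivars directory override are assumptions; the only security point is that a policy sealed while Secure Boot is off would unlock in exactly the state you wanted to refuse.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks before binding a LUKS2
# key slot to TPM2 PCR 7 (Secure Boot policy) with systemd-cryptenroll.
set -eu

# Where efivarfs is mounted; overridable so the checks can be exercised offline.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# Returns 0 when the SecureBoot EFI variable reads 1. On efivarfs the file is
# 4 bytes of variable attributes followed by the 1-byte value.
secure_boot_enabled() {
    var=$(ls "$1"/SecureBoot-* 2>/dev/null | head -n 1) || true
    [ -n "$var" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

# Returns 0 when the TPM2 device node exists (kernel resource manager).
tpm2_present() {
    [ -c "${1:-/dev/tpmrm0}" ]
}

# Prints the enrollment command for the given LUKS2 device, binding the new
# key slot to PCR 7 only. Refuses to proceed when Secure Boot is off: the PCR 7
# value measured then reflects the insecure configuration, so a key sealed
# against it would unlock precisely when the boot chain is not verified.
enroll_cmd() {
    luks_dev="$1"
    efivars="${2:-$EFIVARS_DIR}"
    secure_boot_enabled "$efivars" || { echo "refusing: Secure Boot is disabled" >&2; return 1; }
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 %s\n' "$luks_dev"
}

# Typical use on a real host (assumed device path):
#   enroll_cmd /dev/nvme0n1p2 | sh
# then add "tpm2-device=auto" to the device's /etc/crypttab options so
# systemd-cryptsetup unseals the key at boot.
```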