cryptboot's People

Contributors

xmikos


cryptboot's Issues

Support for single encrypted partition?

Is it possible to use this with a single partition containing both root and boot, with an ESP partition?

The GRUB wiki here claims that, when using an encrypted boot:

/boot is not required to be kept in a separate partition; it may also stay under the system's root / directory tree.

I would like to use this configuration (512M EFI and single root partition containing boot) to simplify the encryption setup. That way I don't have to worry about mounting boot, but I still don't want to manually handle all the key signing by myself.

It would be great if this supported having the boot partition with the root partition. Thoughts?

Source /etc/crypttab.initramfs

With systemd hooks, sd-encrypt uses /etc/crypttab.initramfs as the configuration file, and systemd converts that to the /crypttab file that is loaded into the initramfs image for encrypted boot.

I'd PR you the changes, but I'm in the middle of rebuilding from scratch a new secure installation.
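
One way to do the lookup this issue asks for, as an added example that is not cryptboot's own code: search /etc/crypttab.initramfs before /etc/crypttab for a mapping name and print its backing device. The helper name `crypttab_device`, the mapping names and the UUID are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not cryptboot code. crypttab_device is a hypothetical helper.

# crypttab_device NAME FILE...
# Print the backing device of mapping NAME from the first FILE that defines it.
# Returns 1 when no readable FILE has an entry for NAME.
crypttab_device() {
    local name="$1" file mapping device _rest
    shift
    for file in "$@"; do
        [ -r "$file" ] || continue
        # crypttab fields: <name> <device> <keyfile> <options>
        while read -r mapping device _rest || [ -n "$mapping" ]; do
            case $mapping in ''|'#'*) continue ;; esac
            # Exact match, so "cryptboot" does not also match "cryptboot2".
            [ "$mapping" = "$name" ] || continue
            case $device in
                UUID=*)     echo "/dev/disk/by-uuid/${device#UUID=}" ;;
                PARTUUID=*) echo "/dev/disk/by-partuuid/${device#PARTUUID=}" ;;
                *)          echo "$device" ;;
            esac
            return 0
        done < "$file"
    done
    return 1
}

# Constructed sample: the root mapping exists only in crypttab.initramfs.
demo_dir=$(mktemp -d)
printf '%s\n' '# <name> <device> <keyfile> <options>' \
    'cryptroot UUID=0a1b2c3d-0000-4000-8000-constructed none luks' \
    > "$demo_dir/crypttab.initramfs"
printf '%s\n' 'cryptboot2 /dev/sdb3 none luks' \
    'cryptboot /dev/sdb2 none luks,noauto' > "$demo_dir/crypttab"

crypttab_device cryptroot "$demo_dir/crypttab.initramfs" "$demo_dir/crypttab"
crypttab_device cryptboot "$demo_dir/crypttab.initramfs" "$demo_dir/crypttab"
```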

This is unmaintained. Let's find a new maintainer

Hey @ljfranklin @jugalgalaxyz

I just enabled Secure Boot on my device. The cryptboot scripts helped to understand and implement the whole thing. Unfortunately, it seems @xmikos can't/won't maintain the software anymore. I want to discuss some points with you:

  1. As this project is unmaintained and some improvements are outstanding: Let's find a new maintainer. We need to update the Arch Wiki and the AUR package. Are you interested? I can do it if you don't mind.

  2. My /etc/crypttab does not contain my crypt device. I don't know why... So find_crypt_dev fails. Does this fail on your site (even if it's not super important)?

    find_crypt_dev() {

  3. Regarding PR #5:
    I like the idea, but I have a different proposal: Instead of exiting /usr/local/bin/grub-install with an error, let's just call /usr/bin/grub-install with the parameters of /usr/local/bin/grub-install and then call cryptboot-efikeys sign $efi. What do you think about it?

  4. After upgrading GRUB from 2.04 to 2.06 I had to modify the script:

-    grub-install --target=x86_64-efi --boot-directory="$BOOT_DIR" --efi-directory="$EFI_DIR" --bootloader-id="$EFI_ID_GRUB"
+    grub-install --target=x86_64-efi --boot-directory="$BOOT_DIR" --efi-directory="$EFI_DIR" --bootloader-id="$EFI_ID_GRUB" --modules="tpm" --disable-shim-lock
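
Review bot: The `--modules="tpm" --disable-shim-lock` options on the `+` line are hard-coded with no comment saying why they are needed or which GRUB versions accept them. `--disable-shim-lock` turns off GRUB's shim_lock verifier, which is a deliberate trust decision for a setup that signs GRUB with its own keys instead of booting through shim, so it deserves a comment next to the call. Since the change only became necessary after moving from 2.04 to 2.06, consider passing the two options only when the installed grub-install supports them, so the script keeps working with older GRUB.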

The error I got was "error: verification requested but nobody cares: (cryptouuid/myUUID/grub/x86_64-efi/normal.mod.". Have you run into the same issue? Have you used the same workaround? The thing here is: I don't exactly understand the workaround. Maybe you know a little bit more about it.
Some resources for a better understanding:

If you like we can chat on IRC and post a summary here.
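
The wrapper proposed in point 3 above, written out as an added example (not code from cryptboot or from PR #5): it forwards every argument to the real grub-install and signs the resulting image only if the install succeeded and the image exists. The function names, the two override variables, the default bootloader id `grub` and the image path `<efi-directory>/EFI/<bootloader-id>/grubx64.efi` are assumptions.

```shell
#!/usr/bin/env bash
# Added example of the wrapper proposed in point 3; not cryptboot code.
# Both commands can be overridden through the environment (assumed names).
REAL_GRUB_INSTALL=${REAL_GRUB_INSTALL:-/usr/bin/grub-install}
SIGN_CMD=${SIGN_CMD:-cryptboot-efikeys}

# Print the image path grub-install is expected to write for these arguments.
# Assumes the x86_64-efi layout <efi-directory>/EFI/<bootloader-id>/grubx64.efi
# and the bootloader id "grub" when none is passed.
grub_efi_image() {
    local efi_dir='' id=grub
    while [ $# -gt 0 ]; do
        case $1 in
            --efi-directory=*) efi_dir=${1#*=} ;;
            --efi-directory)   [ $# -ge 2 ] || return 1; efi_dir=$2; shift ;;
            --bootloader-id=*) id=${1#*=} ;;
            --bootloader-id)   [ $# -ge 2 ] || return 1; id=$2; shift ;;
        esac
        shift
    done
    [ -n "$efi_dir" ] || return 1
    printf '%s/EFI/%s/grubx64.efi\n' "${efi_dir%/}" "$id"
}

# Run the real grub-install with the caller's arguments, then sign its output.
# Nothing is signed if the install failed or the expected image is missing.
grub_install_and_sign() {
    local efi
    "$REAL_GRUB_INSTALL" "$@" || return $?
    efi=$(grub_efi_image "$@") || {
        echo "no --efi-directory given; not signing" >&2; return 2; }
    [ -f "$efi" ] || {
        echo "expected image $efi not found; not signing" >&2; return 3; }
    "$SIGN_CMD" sign "$efi"
}

# Act as the wrapper only when installed under the name grub-install.
if [ "${0##*/}" = grub-install ]; then
    grub_install_and_sign "$@"
fi
```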

EFI forgets cryptboot USB drive when unplugged

I haven't figured out yet whether this is a problem with my laptop's UEFI firmware, grub, cryptboot, or (more likely) a combination of them. Any insight on this would be highly appreciated.

My laptop is a Lenovo Yoga 920, and I'm using cryptboot with a USB stick that has an unencrypted FAT32 EFI partition and an encrypted boot partition that contains the kernel, initramfs, etc. Everything works fine as long as I keep the USB stick plugged in. However, if I remove the stick and try to boot the laptop later, UEFI does not recognize the stick as a bootable device. It doesn't seem to matter whether the laptop is powered on or off while the stick is unplugged and plugged back in.

I am still able to boot an ArchLinux live USB, which does not use grub. Running efibootmgr shows that the EFI boot entry for the cryptboot stick is apparently being removed from the NVRAM. From what I understand, this is actually a feature on a lot of UEFI systems. By manually adding the boot entry with efibootmgr I am able to make the cryptboot stick bootable again, and everything works fine; until I unplug it again, of course.

Given that other boot managers are able to be recognized by UEFI as bootable, I wonder if we are missing something in grub and/or cryptboot to make this work properly.

broke my motherboard

after enrolling the keys using the script my motherboard no longer posts, gigabyte b450m ds3h bios f61(?)

No error with modified initramfs

I'm trying to set cryptboot up on Archlinux with a Thinkpad x1 Yoga.

Key enrollment and signing seemed to have completed successfully, but when I run mkinitcpio -p linux outside of cryptboot and reboot, I still can boot successfully without any errors. This shouldn't happen, should it?
