Post
I've updated my blog post about setting up SecureBoot with shim & GRUB on Gentoo to reflect some recent changes to the kernel installation scripts. I've also added information and scripts to automate updating and removing kernels.
https://www.setphaserstostun.org/posts/secure-boot-on-gentoo-with-shim-grub/
It's worth noting that Gentoo''s GRUB package already creates a signed EFI module that loads an external grub configuration file (grub.cfg) and which can be used out-of-the-box with shim. In this setup however the GRUB configuration file is not verified during boot. In my setup the GRUB configuration file is bundled in the GRUB EFI image and so is covered by the Secure Boot verification process. The downside is that changing the configuration forces me to regenerate the bootloader.
@gabrielesvelto I've been meaning to ask - in this Secure Boot -> Grub -> Encrypted drive process, is there a reasonable way to set this up so it's roughly comparable to MacOS "just type in the password once" level of convenience?
@mhoye yes but only using the onboard TPM or an external FIDO/UDF key. GRUB can be instructed to pull the encryption key from there to unlock a LUKS-encrypted partition. It will bring you all the way to the login screen and only ask your password there. It is not a trivial setup in terms of complexity.
@gabrielesvelto @mhoye I set up TPM decryption via systemd-cryptenroll on a Fedora system this week and it was surprisingly straightforward, and with a little work (30 minutes to figure out how to set the grub boot successful flag after resume) even hibernation to a swapfile on the encrypted partition works reliably. The only annoyance is being asked for the decryption password after upgrading the kernel or the bootloader and then having to refresh the TPM key, but it's literally one command
@gabrielesvelto That's... interesting, though. As long as I can have a duplicate backup key. Do you know of uBoot can also be configured that way?
@mhoye I don't know but I have very little knowledge of uBoot
@gabrielesvelto Well, I've gotta start somewhere; I'll look into it.
Thank you.
@mhoye alternatively you can have a disk encryption password which GRUB will ask at boot and then your user password later. This is much simpler and you can setup your system for auto-login in case you want to skip the second password.
A space for Bonfire maintainers and contributors to communicate
