Closed dyindude closed 4 years ago
now that I have real hardware running this, this is a real-er issue for me. have a few thoughts on how I want to approach this, probably use multiple variants in tandem
https://github.com/gasparch/ubuntu-luks-autounlock has some examples we could pull from
https://askubuntu.com/questions/101801/set-up-eth0-network-interface-using-dhcp-in-initramfs example of bringing up networking in initrd
https://help.ubuntu.com/community/DisklessUbuntuHowto example here on how the ip= parameter could be configured for a static ip
https://unix.stackexchange.com/questions/92853/adding-a-file-to-etc-of-initramfs-in-debian-wheezy
http://manpages.ubuntu.com/manpages/xenial/man8/initramfs-tools.8.html copy-exec for adding binaries (e.g. arp) to initramfs
https://askubuntu.com/questions/59487/how-to-configure-lvm-luks-to-autodecrypt-partition some okay examples here
https://askubuntu.com/questions/906870/luks-keyscript-being-ignored-asks-for-password seems it may be more straightforward nowadays
another place I would be interested to retrieve a key from is hashicorp vault. The current plan is to stabilize building a vagrant box, then build a project that uses the box as a base for testing different key source implementations (probably starting with an "insecure" script like shown in the last comment's url)
as far as PXE booting goes - I've been wayyy overcomplicating things. The devices that I want to PXE boot, it should be fine to use MBR/legacy boot - as no GPT device will be used as the boot device. I'll chase this down with some examples in vagrant/virtualbox to get a simple, MBR-capable pxe setup, then test it with the M700 on our unifi network when it comes in next week
initial test of pxe with undionly.kpxe is successful. 32bit for this is probably fine, but I might look into a 64bit build. May also still test chainloading efi via the same method (snp.efi/snponly.efi via tftp) since every device should support this - but one of the cons of efi is that I can't test the boot cycle in vbox (may still be able to in qemu, see https://boot.alpinelinux.org/). some examples here: https://wiki.fogproject.org/wiki/index.php/IPXE
the 32-luks branch has some work we did last year on this, so don't forget to reference that
nevermind, I remember going down this road and I think some of the other links I've found more recently provide a more straightforward method
insecure boot method has been tested https://askubuntu.com/questions/101801/set-up-eth0-network-interface-using-dhcp-in-initramfs looks like a good place to start for network-aware booting
have a working example (have to copy some files from rootfs, since it relies on arp, ping, and head) in a vagrant box that I will commit soon
two examples implemented in 2fa342e3ea44528e336ace1fd1c6bcbbe282ecf0
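A crypttab keyscript of the shape this thread is working toward, added here as an example (it is not the repo's script and not what commit 2fa342e3ea44528e336ace1fd1c6bcbbe282ecf0 contains): it fetches the key over the network once networking is up, retries while the link settles, and falls back to askpass when the fetch fails or a previous unlock attempt already failed. KEY_URL, the FETCH command, the crypttab line and a text passphrase as key are assumptions; the plain-HTTP transport is the "insecure" variant mentioned above.

```shell
#!/bin/sh
# Keyscript for /etc/crypttab (example written for this thread, not the repo's).
# Assumed crypttab entry, UUID is a placeholder:
#   cryptroot UUID=<uuid> none luks,keyscript=/usr/local/sbin/netkey
# Assumes busybox wget and /lib/cryptsetup/askpass exist in the initramfs and that
# networking comes up via the ip= kernel parameter. Plain HTTP is the "insecure"
# variant from the thread: anything on the segment can fetch the same URL.

KEY_URL="${KEY_URL:-http://keyserver.lan/cryptroot.key}"   # constructed placeholder
FETCH="${FETCH:-wget -q -O -}"     # command that prints the key body to stdout
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"
MAX_TRIES="${MAX_TRIES:-5}"
RETRY_DELAY="${RETRY_DELAY:-1}"

# Bring up networking with the initramfs helpers when they are present.
setup_network() {
    if [ -r /scripts/functions ]; then
        . /scripts/functions
        configure_networking
    fi
}

# Fetch the key, retrying while the link settles; an empty body is a failure.
fetch_key() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        if key=$($FETCH "$KEY_URL" 2>/dev/null) && [ -n "$key" ]; then
            printf '%s' "$key"
            return 0
        fi
        tries=$((tries + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# cryptsetup reads the key from stdout. CRYPTTAB_TRIED counts earlier failed
# unlocks for this entry: after one, skip the network and ask the operator.
get_key() {
    if [ "${CRYPTTAB_TRIED:-0}" -eq 0 ] && fetch_key; then
        return 0
    fi
    "$ASKPASS" "Network key unavailable for ${CRYPTTAB_NAME:-cryptroot}, passphrase: "
}

# cryptsetup exports CRYPTTAB_NAME when it runs a keyscript; only act then.
if [ -n "$CRYPTTAB_NAME" ]; then
    setup_network
    get_key
fi
```

Because a keyscript is shipped into the initramfs by update-initramfs, the binaries it calls (here wget and askpass) must be present there too, which is the same copy-from-rootfs issue the arp/ping/head comment above ran into.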