squarooticus / efi-measured-boot

Measured Boot for TPM 2.0-enabled UEFI Debian Systems
MIT License

Measured efi boot for Debian on encrypted ZFS root #13

Open rdmitry0911 opened 1 year ago

rdmitry0911 commented 1 year ago

ZFS has many advantages over LVM, and it would be extremely helpful to have measured EFI boot for Linux on an encrypted ZFS root. Is that hard to implement based on the current state of emb?

rdmitry0911 commented 1 year ago

I've just found the ZFSBootMenu project. It is a small-footprint, OS-agnostic bootloader capable of booting any ZFS-root-based system (encrypted or not). Since ZFSBootMenu is independent of the system it is booting and just needs a passphrase to unlock the volume, IMHO it would be quite elegant to use your emb system on ZFSBootMenu itself. It would be a one-stage process, very straightforward. No need for resealing in case of initramfs or kernel modifications of the target system, as they are located on the encrypted ZFS volume. Only updates of ZFSBootMenu or of the passphrase (both not too frequent events) would require resealing. ZFSBootMenu has a small hooks system available for injecting user scripts at different places, so your unsealing script could be executed that way inside ZFSBootMenu. What do you think?
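The scheme sketched in the comment above, as an added example; this is not code from efi-measured-boot, ZFSBootMenu, or the commenter. It seals the ZFS passphrase to a TPM 2.0 PCR policy with tpm2-tools and unseals it from a ZFSBootMenu hook, falling back to the normal passphrase prompt when the policy no longer matches. Assumptions, none of which the thread confirms: tpm2-tools 5.x command syntax; that ZFSBootMenu runs `load-key.d` hooks with `ZBM_LOCKED_FS` set to the dataset whose key is wanted; that persistent handle `0x81010001` is unused; and the PCR selection `sha256:0,2,4,7`.

```shell
#!/bin/sh
# Added example, not project code. Seal a ZFS passphrase to TPM 2.0 PCRs and
# unseal it from a ZFSBootMenu load-key.d hook (hook environment is assumed).
set -eu

PCR_BANK=sha256
PCR_LIST="0,2,4,7"      # firmware, option ROMs, bootloader (ZBM itself), Secure Boot state
SEAL_HANDLE=0x81010001  # assumed free persistent handle

pcr_selection() { printf '%s:%s\n' "$PCR_BANK" "$PCR_LIST"; }

# Seal: run once from the installed system after ZFSBootMenu is in place.
# The passphrase is read from stdin so it never appears in argv.
seal_passphrase() {
  umask 077
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  cat > "$tmp/pass"
  tpm2_createprimary -C o -c "$tmp/primary.ctx" -Q
  # Build a PCR policy from the current PCR values (trial session).
  tpm2_startauthsession -S "$tmp/session.ctx"
  tpm2_policypcr -S "$tmp/session.ctx" -l "$(pcr_selection)" -L "$tmp/policy.digest" -Q
  tpm2_flushcontext "$tmp/session.ctx"
  # Sealed object whose authorization is the PCR policy, made persistent.
  tpm2_create -C "$tmp/primary.ctx" -L "$tmp/policy.digest" -i "$tmp/pass" \
    -u "$tmp/seal.pub" -r "$tmp/seal.priv" -Q
  tpm2_load -C "$tmp/primary.ctx" -u "$tmp/seal.pub" -r "$tmp/seal.priv" \
    -c "$tmp/seal.ctx" -Q
  tpm2_evictcontrol -C o -c "$tmp/seal.ctx" "$SEAL_HANDLE" -Q
}

# Unseal: satisfies the policy against the live PCRs; fails if the boot
# chain (e.g. a ZFSBootMenu update in PCR 4) differs from what was sealed.
unseal_passphrase() {
  tmp=$(mktemp -d)
  tpm2_startauthsession --policy-session -S "$tmp/session.ctx"
  tpm2_policypcr -S "$tmp/session.ctx" -l "$(pcr_selection)" -Q
  tpm2_unseal -c "$SEAL_HANDLE" -p "session:$tmp/session.ctx"
  tpm2_flushcontext "$tmp/session.ctx"
  rm -rf "$tmp"
}

# Hook body for ZFSBootMenu load-key.d (assumed interface: ZBM_LOCKED_FS names
# the locked dataset). On any failure return 0 so ZBM shows its usual prompt
# instead of a hard stop; the passphrase goes to zfs over stdin only.
load_key_hook() {
  [ -n "${ZBM_LOCKED_FS:-}" ] || return 0
  pass=$(unseal_passphrase) || return 0
  printf '%s' "$pass" | zfs load-key -L prompt "$ZBM_LOCKED_FS" || return 0
}

case "${1:-}" in
  seal) seal_passphrase ;;   # printf '%s' "$PASS" | ./zbm-tpm.sh seal
  hook) load_key_hook ;;     # install as a ZBM load-key.d hook
esac
```

Two points worth checking before relying on this: with a PCR-only policy, anyone who can power the machine on through an unmodified boot chain gets the key without a PIN, so add an authValue (`tpm2_create -p`) and prompt for it in the hook if that matters; and the prompt fallback is what keeps a PCR change (ZBM update, Secure Boot toggle, firmware update) from locking you out, after which you reseal, exactly the two events the comment names.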