xmikos / cryptboot

Encrypted boot partition manager with UEFI Secure Boot support
GNU General Public License v3.0
204 stars, 24 forks

No error with modified initramfs #1

Open The-Compiler opened 7 years ago

The-Compiler commented 7 years ago

I'm trying to set cryptboot up on Arch Linux with a ThinkPad X1 Yoga.

Key enrollment and signing seemed to have completed successfully, but when I run mkinitcpio -p linux outside of cryptboot and reboot, I can still boot successfully without any errors. This shouldn't happen, should it?

rndmc12 commented 7 years ago

Not a bug, but a feature in this case. This script does not sign either the kernel or the initramfs you boot. What it does sign is the bootloader. It is meant as protection of the bootloader .efi code which unlocks an encrypted /boot partition (where kernel/initramfs reside; using it without an encrypted /boot makes little sense).

It is meant as a "feature" because it leaves you the freedom to boot different kernels/initramfs, modify the kernel boot line, update the system kernels, etc. without having to worry about boot breakage due to failing Secure Boot verification.

If you are looking for a script that helps automate signing the kernel/initramfs on Arch, have a look at:

https://github.com/andreyv/sbupdate
https://bentley.link/secureboot/

(disclaimer: I have not used either yet)
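Added example, not part of this issue thread and not cryptboot's own code: a small check that shows the distinction the comment above draws. It parses the PE/COFF headers of a boot artifact and reports whether the image carries an Authenticode certificate table (data directory entry 4), which is the slot UEFI Secure Boot looks at. Run it against the files on your ESP and encrypted /boot (for example the GRUB .efi that cryptboot signs, the vmlinuz EFI-stub image, and the initramfs) and you will see that only the bootloader has a signature, that the kernel is an unsigned PE, and that the initramfs is not a PE at all, so there is nothing for firmware to verify and its protection rests on living inside the encrypted /boot. With no arguments it runs on constructed sample images embedded in the script. File paths, labels and the sample bytes are constructed for illustration; presence of a certificate table only means "signed", not "signed by a key in your db", so trust is still checked with sbverify --cert against your enrolled certificate.

```python
"""Report whether boot artifacts carry an Authenticode signature slot.

Added example for the cryptboot issue discussion; not cryptboot's own code.
Only the PE headers are parsed; no signature is cryptographically verified.
"""
import struct
import sys

CERT_TABLE_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2   # Authenticode PKCS#7 SignedData


def inspect_pe(data: bytes) -> dict:
    """Return {'format': 'not-pe'} or {'format': 'pe', 'signed': bool, 'cert_type': int|None}."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return {"format": "not-pe"}
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"format": "not-pe"}
        coff = e_lfanew + 4            # 20-byte COFF file header
        opt = coff + 20                # optional header starts right after it
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:             # PE32: NumberOfRvaAndSizes at +92
            num_dirs_off = opt + 92
        elif magic == 0x20B:           # PE32+: NumberOfRvaAndSizes at +108
            num_dirs_off = opt + 108
        else:
            return {"format": "not-pe"}
        num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
        if num_dirs <= CERT_TABLE_INDEX:
            return {"format": "pe", "signed": False, "cert_type": None}
        # Certificate Table entry holds a file offset (not an RVA) and a size.
        entry = num_dirs_off + 4 + 8 * CERT_TABLE_INDEX
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
        if cert_off == 0 or cert_size == 0 or cert_off + cert_size > len(data):
            return {"format": "pe", "signed": False, "cert_type": None}
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, then the blob.
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        return {"format": "pe", "signed": True, "cert_type": cert_type}
    except struct.error:
        return {"format": "not-pe"}


def describe(label: str, data: bytes) -> str:
    """One-line verdict for a boot artifact, phrased for a Secure Boot review."""
    info = inspect_pe(data)
    if info["format"] != "pe":
        return f"{label}: not a PE image (e.g. initramfs cpio); firmware has nothing to verify"
    if info["signed"]:
        return (f"{label}: PE with certificate table (type {info['cert_type']:#06x}); "
                f"check trust with: sbverify --cert <your-db-cert.pem> <file>")
    return f"{label}: PE without certificate table; relies on the encrypted /boot, not on Secure Boot"


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections), optionally with a cert table."""
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2002)
    header_len = 0x40 + 4 + 20 + opt_size
    blob = b"\x30" * 32                                             # stand-in for PKCS#7 bytes
    dirs = [(0, 0)] * num_dirs
    if signed:
        dirs[CERT_TABLE_INDEX] = (header_len, 8 + len(blob))        # blob appended after headers
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", num_dirs)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        image += struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    return image


def main(paths):
    for path in paths:
        with open(path, "rb") as f:
            print(describe(path, f.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])      # e.g. /efi/EFI/grub/grubx64.efi /boot/vmlinuz-linux /boot/initramfs-linux.img
    else:                       # offline demo on constructed images
        print(describe("grubx64.efi (constructed, signed)", build_sample_pe(True)))
        print(describe("vmlinuz-linux (constructed, unsigned)", build_sample_pe(False)))
        print(describe("initramfs-linux.img (constructed cpio)", b"070701" + b"\0" * 64))
```

The check deliberately stops at "is there a certificate table": that is enough to explain why editing the initramfs outside cryptboot still boots, since no signature ever covered it. Whether the bootloader's signature actually chains to the key you enrolled is a separate question answered by sbverify with your db certificate.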