neuroretransmit n00b
Joined: 26 Jan 2025 Posts: 4
|
Posted: Sun Jan 26, 2025 10:04 pm Post subject: [RESOLVED] Complex FDE/secure-boot revocation error |
|
|
Greetings. It has been many a year since I've posted in these forums. I recently migrated back to old faithful from GUIX after doing a distro shuffle for the first time in about a decade. I have a fairly complex full-disk encryption/secure boot setup and am wondering if anyone can provide insight on what may be causing my boot issue. For the record, Gentoo has been able to get to desktop but I have been turning it into a fortress as is the Gentoo way.
Setup details:
* All keys are derived from my custom certificate authority *
* x86_64-gentoo-dist-hardened on 6.6.67 that's been trimmed down to my hardware/has some crypto changes and malignant modifications
* Installed to a btrfs volume with my /boot and /efi on a USB with extended boot
* Grub2 with symmetric GPG key as defined in the full-disk encryption article
* UGRD
* Custom secure boot keys using RSA 4096
* No shim/Microsoft CAs to be found (will in fact be added to dbx after things are set in stone)
* Module signing key is P-521
* Generating .sig files from GPG pubkey for /boot as described in Secure-Boot/GRUB article
* Depending on the day I'll flipflop between installkernel and genkernel
I'll detail configurations that are likely relevant at the end of this post. This error pops up before mounts past GRUB are made so I don't exactly have logs for you, but there are two error lines in the TTY. They are detailing that there is an issue with X509 certificate's revocation. Has anyone experienced this? I searched around a bit and haven't been able to find much on the forums or otherwise. Did I miss adding an extension to one of my certs that is firing? I'd be happy to grab a screenie but I'd need to reboot out of SysRescueCD.
My scripts for generating .sig files are nearly identical to Secure-Boot/GRUB with some modifications for kernel/initramfs naming.
Great to be back
/etc/ugrd/config.toml
Code: |
# This config will decrypt the LUKS volume with uuid "fdf442da-0574-4531-98c7-55227a041f1d", mapping it to "/dev/mapper/root"
# It will attempt to mount the btrfs volume with label "rootfs" to /target_rootfs
# It will pull all current kernel modules from lspci -k results
# It will try to process the cmdline and mount the rootfs based on the root= parameter
modules = [
# "ugrd.crypto.cryptsetup", # This is included by the gpg module
"ugrd.kmod.usb",
"ugrd.crypto.gpg", # This is included by the smartcard module
"ugrd.fs.btrfs"
# "ugrd.crypto.smartcard",
]
root_subvol=""
# Mask the parse_cmdline function to prevent it from running
#mask.init_pre = 'parse_cmdline'
# By default, all kmod categories are ignored. This can be disabled by category
#kmod_ignore_video = true
#kmod_ignore_sound = true
#kmod_ignore_network = true
# The initramfs will be built in /tmp/initramfs if "build_dir" is not specified
#out_dir = "/usr/src/initramfs"
# Optionally supply a kernel version, uses the current kernel version if not specified
kernel_version = "6.6.67-gentoo-dist-hardened"
# lspci based detection is usually helpful
kmod_autodetect_lspci = true
# lsmod detection can be helpful, but can bring in unnecessary modules
kmod_autodetect_lsmod = true
# By default, ugrd will keep retrying to mount base mounts and the rootfs, unless enter is pressed
# The default timeout between attempts is 1s, and the default number of retries is infinite
#mount_timeout = 0.25 # Wait 0.25 seconds between mount attempts, instead of 1s.
#mount_retries = 5 # Retry mounting the rootfs 5 times, if unset, it will retry indefinitely
# The location of the gpg public key, if using a smartcard and gpg encrypted keyfile
#sc_public_key = "/etc/ugrd/pubkey.gpg"
auto_mounts = ['/boot', '/efi'] # Automatically create mount config for /boot on the host
# Optionally specify the root mountpoint information manually
#[mounts.root]
# The label of the root filesystem, a uuid or partuuid could be used instead
#label = "rootfs"
# This is necessary if the keyfile is on another device.
# The keyfile could be added as a dependency. if it's on the same device.
#[mounts.boot]
#type = "vfat"
#uuid = "4886-A631"
# If the root is a LUKS volume, specify the LUKS volume information
[cryptsetup.root]
# The UUID of the encrypted volume, mounted at /dev/mapper/root
#uuid = "fdf442da-0574-4531-98c7-55227a041f1d"
# If a GPG encrypted key file is used, the key_type must be set to gpg.
key_type = "gpg"
# The key file must either be included as a dependency, or it must be under an external mountpoint.
key_file = "/boot/crypt_key.luks.gpg"
|
Code: |
# Configuration file for genkernel
# This file is sourced by genkernel at startup and determines which options
# we will be using to compile our kernel. The order of precedence is simple,
# with the internal settings being least important, configuration file
# settings next, and command line options being most important.
# =========COMMON COMMAND LINE OPTION DEFAULTS=========
# Install to $BOOTDIR
INSTALL="yes"
# Run 'make oldconfig' before compiling this kernel
OLDCONFIG="yes"
# Run 'make menuconfig' before compiling this kernel
MENUCONFIG="no"
# Run 'make gconfig' before compiling this kernel
#GCONFIG="no"
# Run 'make nconfig' (ncurses 'menuconfig') before compiling this kernel
#NCONFIG="yes"
# Run 'make xconfig' before compiling this kernel
#XCONFIG="yes"
# Run 'make mrproper' before compiling this kernel
MRPROPER="yes"
# Run 'make clean' before compiling this kernel
# Only needed if MRPROPER is set to NO because
# MRPROPER implies 'make clean'.
CLEAN="yes"
# Mount BOOTDIR automatically if it isn't mounted
MOUNTBOOT="yes"
# Make symlinks in BOOTDIR automatically
SYMLINK="no"
# Save the new configuration in /etc/kernels upon
# successful compilation
SAVE_CONFIG="yes"
# Enable color output in genkernel
NOCOLOR="false"
# Clear build cache dir on genkernel start
CLEAR_CACHEDIR="yes"
# Clear all tmp files and caches after genkernel has run
POSTCLEAR="yes"
# Check for x MB free disk space in BOOTDIR
#CHECK_FREE_DISK_SPACE_BOOTDIR=0
# Check for x MB free disk space in kernel outputdir
#CHECK_FREE_DISK_SPACE_KERNELOUTPUTDIR=0
# Genkernel uses an independent configuration for MAKEOPTS, and does not source
# /etc/portage/make.conf . You can override the default setting by uncommenting
# and tweaking the following line. Default setting is set up by
# ${GK_SHARE}/${ARCH_OVERRIDE}/config.sh . The recommended value for -j
# argument is: <number of processors>*<number of cores per processor>+1
MAKEOPTS="$(portageq envvar MAKEOPTS)"
# Run the kernel make at the following NICE level
#NICE=10
# Add bcache support
#BCACHE="no"
# Add LVM support
LVM="yes"
# Add LUKS support
LUKS="yes"
# Add GnuPG support
GPG="yes"
# Add UDEV support
UDEV="yes"
# Add keyctl support for loading LUKS passphrase into a keyring
#KEYCTL="no"
# Add in early microcode support: this sets the kernel options for early microcode loading
# Possible values: empty/"no", "all", "intel", "amd"
MICROCODE="intel"
# Include early microcode in generated initramfs.
# Only needed if system cannot load multiple initramfs.
# NOTE: >=sys-boot/grub-2 will detect and auto-load {amd,intel}-uc.img file
# provided by sys-firmware/intel-microcode[initramfs] or
# sys-kernel/linux-firmware[initramfs].
#MICROCODE_INITRAMFS="no"
# Add NFS support
#NFS="no"
# Add DMRAID support
#DMRAID="no"
# Add SSH support
#SSH="no"
# Add b2sum support
#B2SUM="no"
# Include busybox in the initramfs. If included, busybox is rebuilt
# if the cached copy is out of date.
#BUSYBOX="yes"
# Add MDRAID support
#MDADM="no"
# Specify a custom mdadm.conf.
# By default the initramfs will be built *without* an mdadm.conf and will auto-detect
# arrays during bootup. Usually, this should not be needed.
#MDADM_CONFIG="/etc/mdadm.conf"
# Add Multipath support
#MULTIPATH="no"
# Add iSCSI support
#ISCSI="no"
# Add e2fsprogs support
E2FSPROGS="yes"
# Include support for unionfs
#UNIONFS="no"
# Include support for zfs volume management. If unset, genkernel will attempt
# to autodetect and enable this when rootfs is on zfs.
#ZFS="no"
# Add BTRFS support
BTRFS="yes"
# Add xfsprogs support
#XFSPROGS="no"
# Install firmware onto root filesystem
# Will conflict with sys-kernel/linux-firmware package
#FIRMWARE_INSTALL="no"
# Include full contents of FIRMWARE_DIR
# (if FIRMWARE option below is set to YES).
#ALLFIRMWARE="no"
# Add firmware(s) to initramfs required by copied modules
#FIRMWARE="no"
# Specify directory to pull from
#FIRMWARE_DIR="/lib/firmware"
# Specify a comma-separated list of firmware files or directories to include,
# relative to FIRMWARE_DIR (if FIRMWARE option above is set to YES
# and ALLFIRMWARE is set to NO).
#FIRMWARE_FILES=""
# Add new kernel to grub
# Possible values: empty/"no", "grub", "grub2"
BOOTLOADER="grub2"
# Use sandbox when building initramfs
SANDBOX="yes"
# Embed and set font early on boot
# Possible values: empty/"none", "current", <PSF file>
#BOOTFONT="none"
# Add boot splash using splashutils
#SPLASH="no"
# Use this splash theme. If commented out - the "default" name theme is used.
# Also, SPLASH="yes" needs to be enabled for this one to work.
# This supersedes the "SPLASH_THEME" option in '/etc/conf.d/splash'.
#SPLASH_THEME="gentoo"
# Includes or excludes Plymouth from the initramfs. If "splash" is
# passed at boot, Plymouth will be activated.
#PLYMOUTH="no"
# Embeds the given plymouth theme in the initramfs.
#PLYMOUTH_THEME="text"
# Run "emerge @module-rebuild" automatically when possible and necessary
# after kernel and modules have been compiled
#MODULEREBUILD="yes"
# Run the specified command in the current environment after the kernel and
# modules have been compiled, useful to rebuild external kernel module
# (see MODULEREBUILD above) or installing additional
# files (use 'copy_image_with_preserve dtb path/to/dtb dtb <kernelname>')
#CMD_CALLBACK=""
# =========KEYMAP SETTINGS=========
#
# Force keymap selection at boot
#DOKEYMAPAUTO="no"
# Enables keymap selection support
#KEYMAP="yes"
# =========LOW LEVEL COMPILE SETTINGS=========
#
# Assembler to use for the kernel. See also the --kernel-as command line
# option.
#KERNEL_AS="as"
# Archiver to use for the kernel. See also the --kernel-ar command line
# option.
#KERNEL_AR="ar"
# Compiler to use for the kernel (e.g. distcc). See also the --kernel-cc
# command line option.
#KERNEL_CC="gcc"
# Linker to use for the kernel. See also the --kernel-ld command line option.
#KERNEL_LD="ld"
# NM utility to use for the kernel. See also the --kernel-nm command line option.
#KERNEL_NM="nm"
# GNU Make to use for kernel. See also the --kernel-make command line option.
#KERNEL_MAKE="make"
# objcopy utility to use for the kernel. See also the --kernel-objcopy command
# line option.
#KERNEL_OBJCOPY="objcopy"
# objdump utility to use for the kernel. See also the --kernel-objdump command
# line option.
#KERNEL_OBJDUMP="objdump"
# ranlib utility to use for the kernel. See also the --kernel-ranlib command
# line option.
#KERNEL_RANLIB="ranlib"
# readelf utility to use for the kernel. See also the --kernel-readelf command
# line option.
#KERNEL_READELF="readelf"
# strip utility to use for the kernel. See also the --kernel-strip command line
# option.
#KERNEL_STRIP="strip"
# Assembler to use for the utilities. See also the --utils-as command line
# option.
#UTILS_AS="as"
# Archiver to use for the utilities. See also the --utils-ar command line
# option.
#UTILS_AR="ar"
# C Compiler to use for the utilities (e.g. distcc). See also the --utils-cc
# command line option.
#UTILS_CC="gcc"
# C++ Compiler to use for the utilities (e.g. distcc). See also the --utils-cxx
# command line option.
#UTILS_CXX="g++"
# Linker to use for the utilities. See also the --utils-ld command line
# option.
#UTILS_LD="ld"
# NM utility to use for the utilities. See also the --utils-nm command line option.
#UTILS_NM="nm"
# GNU Make to use for the utilities. See also the --utils-make command line
# option.
#UTILS_MAKE="make"
# Target triple (i.e. aarch64-linux-gnu) to build for. If you do not
# cross-compile, leave blank for auto detection.
#CROSS_COMPILE=""
# Target triple (i.e. aarch64-linux-gnu) to build kernel for. Utilities will be
# built for the native target, not this target. If you do not cross-compile,
# leave blank.
#KERNEL_CROSS_COMPILE=""
# Override default make target (bzImage). See also the --kernel-target
# command line option. Useful to build a uImage on arm.
#KERNEL_MAKE_DIRECTIVE_OVERRIDE="fooImage"
# Override default kernel binary path. See also the --kernel-binary
# command line option. Useful to install a uImage on arm.
#KERNEL_BINARY_OVERRIDE="arch/foo/boot/bar"
# =========GENKERNEL LOCATION CONFIGURATION=========
#
# Variables:
# %%ARCH%% - Final determined architecture
# %%CACHE%% - Final determined cache location
# Set genkernel's temporary work directory
#TMPDIR="/var/tmp/genkernel"
# Set the boot directory, default is /boot
BOOTDIR="/boot"
# Default share directory location
GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
# Location of the default cache
CACHE_DIR="/var/cache/genkernel"
# Location of DISTDIR, where our source tarballs are stored
DISTDIR="${GK_SHARE}/distfiles"
# Log output file
LOGFILE="/var/log/genkernel.log"
# Debug Level
LOGLEVEL=1
# =========COMPILED UTILS CONFIGURATION=========
#
# Default location of kernel source
DEFAULT_KERNEL_SOURCE="/usr/src/linux"
# Default kernel config (only use to override using
# arch/%%ARCH%%/kernel-config-${VER}.${PAT} !)
DEFAULT_KERNEL_CONFIG="${GK_SHARE}/arch/%%ARCH%%/kernel-config"
# Specifies a user created busybox config
#BUSYBOX_CONFIG="/path/to/file"
# NOTE: Since genkernel 3.4.41 the version of
# busybox, lvm, mdadm, ... have been moved to
# /usr/share/genkernel/defaults/software.sh in order to
# reduce the merging you have to do during etc-update.
# You can still override these settings in here.
# =========MISC KERNEL CONFIGURATION=========
#
# Set kernel filename which will be used when kernel will be installed
# into BOOTDIR. See man page to learn more about available placeholders.
#KERNEL_FILENAME="vmlinuz-%%KV%%"
# Set kernel symlink name which will be used when kernel will be installed
# into BOOTDIR and SYMLINK option is enabled
#KERNEL_SYMLINK_NAME="kernel"
# This option will set kernel option CONFIG_LOCALVERSION.
# Use special value "UNSET" to unset already set CONFIG_LOCALVERSION.
#KERNEL_LOCALVERSION="-%%ARCH%%"
# This option is only valid if kerncache is
# defined. If there is a valid kerncache no checks
# will be made against a kernel source tree.
#KERNEL_SOURCES="yes"
# Build a static (monolithic kernel)
#BUILD_STATIC="no"
# Make and install kernelz image (PowerPC)
#GENZIMAGE="no"
# Archive file created using tar containing kernel binary, content
# of /lib/modules and the kernel config.
# NOTE: Archive is created before the callbacks are run!
#KERNCACHE="/path/to/file.tar.xz"
# Prefix to kernel module destination, modules
# will be installed in <prefix>/lib/modules
#KERNEL_MODULES_PREFIX=""
# =========MISC INITRAMFS CONFIGURATION=========
#
# Set initramfs filename which will be used when initramfs will be
# installed into BOOTDIR. See man page to learn more about available
# placeholders.
#INITRAMFS_FILENAME="initramfs-%%KV%%.img"
# Set initramfs symlink name which will be used when initramfs will be
# installed into BOOTDIR and SYMLINK option is enabled
#INITRAMFS_SYMLINK_NAME="initramfs"
# Copy all compiled kernel modules to the initramfs
#ALLRAMDISKMODULES="no"
# Copy selected modules to the initramfs based on arch-specific modules_load file
#RAMDISKMODULES="yes"
# Archive file created using tar containing kernel and initramfs.
# NOTE: No modules outside of the initramfs will be included!
#MINKERNPACKAGE="/path/to/file.tar.xz"
# Add additional modules to the initramfs using the module groups defined
# in /usr/share/genkernel/defaults/modules_load (see this file for
# more details). This would be used if, for example, you
# required an additional crypto module or network device at boot
# time and did not want to statically compile these in the kernel.
# Options take the form AMODULES_{group} where {group} is one of
# the groups in modules_load (which are in the form MODULES_{group}).
# Use this with caution.
#AMODULES_group="module-to-include another-module"
# Override the default modules in the initramfs, for a given group, as defined by
# /usr/share/genkernel/defaults/modules_load and the per-arch modules_load
# files. You PROBABLY want to use AMODULES_* above, and NOT MODULES_* here.
# If you use MODULES_* here, the default and per-arch modules will NOT be used.
#MODULES_group1="some-module"
#MODULES_group2="" # Load no modules for this group
# Override the default used linuxrc script.
#LINUXRC="/path/to/custom/linuxrc"
# Archive file created using tar containing modules after
# the callbacks have run
#MODULESPACKAGE="/path/to/file.tar.xz"
# Directory structure to include in the initramfs,
# only available on >=2.6 kernels
#INITRAMFS_OVERLAY=""
# Build the generated initramfs into the kernel instead of
# keeping it as a separate file
#INTEGRATED_INITRAMFS="no"
# Compress generated initramfs
#COMPRESS_INITRD="yes"
# Types of compression: best, xz, lzma, bzip2, gzip, lzop, lz4, zstd, fastest
# "best" selects the best available compression method
# "fastest" selects the fastest available compression method
#COMPRESS_INITRD_TYPE="best"
# wrap initramfs using mkimage for u-boot bootloader
# WRAP_INITRD=no
# Create a self-contained env in the initramfs
#NETBOOT="no"
# =========MISC BOOT CONFIGURATION=========
#
# Specify a default for real_root=
#REAL_ROOT="/dev/one/two/gentoo"
|
/etc/default/grub
Code: |
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
#
# To populate all changes in this file you need to regenerate your
# grub configuration file afterwards:
# 'grub-mkconfig -o /boot/grub/grub.cfg'
#
# See the grub info page for documentation on possible variables and
# their associated values.
GRUB_DISTRIBUTOR="Gentoo"
# Default menu entry
#GRUB_DEFAULT=0
# Boot the default entry this many seconds after the menu is displayed
#GRUB_TIMEOUT=5
#GRUB_TIMEOUT_STYLE=menu
# Append parameters to the linux kernel command line
GRUB_EARLY_INITRD_LINUX_CUSTOM="ucode.cpio"
GRUB_CMDLINE_LINUX="root_trim=yes rootdelay=3 lsm=landlock,lockdown,yama,integrity,apparmor UUID=e5a19d91-f2c4-417e-acef-a110bb6ae2bf"
#
# Examples:
#
# Boot with network interface renaming disabled
# GRUB_CMDLINE_LINUX="net.ifnames=0"
#
# Boot with systemd instead of sysvinit (openrc)
# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd"
# Append parameters to the linux kernel command line for non-recovery entries
#GRUB_CMDLINE_LINUX_DEFAULT=""
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
# Resolution used on graphical terminal.
# The list of valid modes may be obtained using the 'vbeinfo' (PC BIOS) or
# 'videoinfo' (EFI) command from a GRUB boot prompt.
#GRUB_GFXMODE=640x480
# Set to 'text' to force the Linux kernel to boot in normal text
# mode, 'keep' to preserve the graphics mode set using
# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular
# graphics mode, or a sequence of these separated by commas or
# semicolons to try several modes in sequence.
#GRUB_GFXPAYLOAD_LINUX=
# Path to theme spec txt file.
# The starfield is by default provided with use truetype.
# NOTE: when enabling custom theme, ensure you have required font/etc.
#GRUB_THEME="/boot/grub/themes/starfield/theme.txt"
# Background image used on graphical terminal.
# Can be in various bitmap formats.
#GRUB_BACKGROUND="/boot/grub/mybackground.png"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
#GRUB_DISABLE_LINUX_UUID=true
# Comment if you don't want GRUB to pass "root=PARTUUID=xxx" parameter to kernel
GRUB_DISABLE_LINUX_PARTUUID=false
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY=true
# Uncomment to disable generation of the submenu and put all choices on
# the top-level menu.
# Besides the visual effect of no sub menu, this makes navigation of the
# menu easier for a user who can't see the screen.
#GRUB_DISABLE_SUBMENU=y
# Uncomment to play a tone when the main menu is displayed.
# This is useful, for example, to allow users who can't see the screen
# to know when they can make a choice on the menu.
#GRUB_INIT_TUNE="60 800 1"
|
Last edited by neuroretransmit on Sun Jan 26, 2025 11:02 pm; edited 1 time in total |
|
neuroretransmit n00b
Joined: 26 Jan 2025 Posts: 4
|
Posted: Sun Jan 26, 2025 10:47 pm Post subject: Update |
|
|
Decided to goof around on the grub CLI a bit and was able to get the system to mostly init up to the GPG decryption for LUKS where the kernel panicked shortly after (likely just forgot to insert some required modules). Going to figure out what config isn't generating properly. It would appear I have files split between /efi and /boot for my initrd and vmlinuz binaries, so I need to find some consistency there. |
|
neuroretransmit n00b
Joined: 26 Jan 2025 Posts: 4
|
Posted: Sun Jan 26, 2025 11:02 pm Post subject: Resolved! |
|
|
If you look at my /etc/default/grub I borked the root=UUID= portion. Sorry for the long post and self-resolution. Back in sway. Have a wonderful day. |
|
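The mistake named in the post above (a bare UUID= token in GRUB_CMDLINE_LINUX where root=UUID= was intended) can be caught before reboot. The following is an added example, not part of the original thread or of any project mentioned in it; the function names grub_var, lint_cmdline and lint_grub_default are hypothetical, and the sample string is the GRUB_CMDLINE_LINUX value from the posted /etc/default/grub.

```shell
#!/bin/sh
# Added example: lint kernel command-line variables in an /etc/default/grub-style file.

# Print the quoted value assigned to variable $2 in file $1 (last assignment wins).
# The file is parsed as text, never sourced, so linting it executes nothing.
grub_var() {
    sed -n "s/^[[:space:]]*$2=\([\"']\)\(.*\)\1[[:space:]]*\$/\2/p" "$1" | tail -n 1
}

# Lint one command-line string ($2), labelling findings with $1.
# Exit status 0 if clean, 1 if any finding was printed.
lint_cmdline() (
    rc=0
    set -f    # no globbing while word-splitting the command line
    for tok in $2; do
        case $tok in
            UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*)
                # A device specifier with no parameter name in front of it:
                # the kernel parses it as a parameter named UUID/LABEL/...,
                # not as a root device.
                echo "$1: bare '$tok' (missing 'root=' or another parameter name?)"
                rc=1 ;;
            root=|root=UUID=|root=PARTUUID=|root=LABEL=|root=PARTLABEL=)
                echo "$1: empty root specifier '$tok'"
                rc=1 ;;
        esac
    done
    exit "$rc"
)

# Lint both command-line variables that grub-mkconfig reads from file $1.
lint_grub_default() (
    rc=0
    for var in GRUB_CMDLINE_LINUX GRUB_CMDLINE_LINUX_DEFAULT; do
        lint_cmdline "$var" "$(grub_var "$1" "$var")" || rc=1
    done
    exit "$rc"
)

# The GRUB_CMDLINE_LINUX value from the /etc/default/grub posted in this thread.
SAMPLE='root_trim=yes rootdelay=3 lsm=landlock,lockdown,yama,integrity,apparmor UUID=e5a19d91-f2c4-417e-acef-a110bb6ae2bf'

if [ "$#" -gt 0 ]; then
    lint_grub_default "$1"          # e.g. sh lint.sh /etc/default/grub
else
    lint_cmdline "posted sample" "$SAMPLE" || true
fi
```

Run against /etc/default/grub before grub-mkconfig; a non-zero exit status means at least one token needs a second look.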
zen_desu Tux's lil' helper
Joined: 25 Oct 2024 Posts: 108
|
Posted: Sun Jan 26, 2025 11:43 pm Post subject: |
|
|
if /efi is not needed during the initramfs, it likely doesn't need to be added to auto_mounts, fwiw.
I'm a bit interested in how that kernel panic happened, ugrd should check that an init exists in the target rootfs, then switch_root there.
If the target root has an init, but is missing kmods for the running kernel version, that could explain issues, but I would expect some kind of init failure instead of a panic.
You enabled the lsmod autodetection, which should make ugrd pull and activate a lot of the modules which were in use at build time, I'd imagine this could mitigate some issues caused by missing kmods in the target root
_________________
µgRD dev
Wiki writer |
|
neuroretransmit n00b
Joined: 26 Jan 2025 Posts: 4
|
Posted: Mon Jan 27, 2025 3:30 am Post subject: |
|
|
zen_desu wrote: | if /efi is not needed during the initramfs, it likely doesn't need to be added to auto_mounts, fwiw. |
I pulled /efi out during this and actually moved it into /boot/efi as I am more used to on previous distros.
zen_desu wrote: | I'm a bit interested in how that kernel panic happened, ugrd should check that an init exists in the target rootfs, then switch_root there.
If the target root has an init, but is missing kmods for the running kernel version, that could explain issues, but I would expect some kind of init failure instead of a panic.
You enabled the lsmod autodetection, which should make ugrd pull and activate a lot of the modules which were in use at build time, I'd imagine this could mitigate some issues caused by missing kmods in the target root |
While I don't have my system in that exact state anymore, the lsmod autodetection was a newer addition. Also, super stoked to see a replacement for dracut. Thanks for being a dev on it. The panic happened from grub shell so I may have not set my initrd properly and just booted a kernel without a suite of modules to go along.
Down the road (no idea if the project still exists - kernel seeds), I hope to be initramfs-less. Back in my Gentoo heyday about 10 years ago I would pull .config's from the kernel seeds project and statically compile in the bare minimum for an initramfs-less system. Definitely some drawbacks but for the paranoid you can disable even more and be made pretty aware if something is tampering.
Anyways, I appreciate the response. Let me know if you guys need another dev |