Gentoo Forums
EFI stub+disk encryption: is initramfs really needed?
NP_complete
Tux's lil' helper

Joined: 21 Mar 2009
Posts: 133

PostPosted: Sun Oct 06, 2024 6:41 am    Post subject: EFI stub+disk encryption: is initramfs really needed?

I am following this guide to set up disk encryption, and I would like to boot from an EFI stub.

1. My main question is whether an initramfs is really necessary here. As I am thinking this through, I could simply put the kernel (with a name ending in .efi) into the ESP partition, which will be mounted by the BIOS. The kernel would have all the requisites built in and can therefore decrypt the LUKS volume and mount the btrfs root file system. After this, we are basically done. Is there a gap in my logic?

2. As a closely related question, do I need a separate /boot partition containing initramfs, as described in the linked article? Assuming that I do need such a partition, how would the boot sequence proceed? First, the kernel stub is read by the BIOS, then /boot is mounted and initramfs loaded into memory to give the kernel the ability to decrypt and mount the root file system. Do we need to go back and forth between the kernel and initramfs like that?

Many thanks.
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 4927
Location: Bavaria

PostPosted: Sun Oct 06, 2024 9:37 am    Post subject:

Before answering your questions I would like to tell you a few things ... which you maybe already know:

1. You can have an external initramfs (as a CPIO archive) or you can embed it "into" the kernel image.
2. As soon as the kernel knows it has an initramfs, the kernel will no longer do the job of mounting the root partition, because now it is the job of the initramfs.
3. If the kernel has an initramfs, the kernel will only start all statically configured modules itself and THEN switch to the initramfs, BUT there is NO RETURN from the initramfs back to the kernel. This means: the initramfs has to do everything else that is necessary for a correct system start (at least: mounting the root partition and loading some kernel modules which have been configured as <M>odule and not statically).
4. The kernel would NOT be able to mount an encrypted root device ... for this you will always need (-> *) an initramfs.
5. UEFI (BIOS) is not able to start a program from an encrypted partition (because UEFI can only do SecureBoot = booting a signed image; but no decryption of an image). This means if you want to start your kernel directly via UEFI (a good choice), this kernel must not be encrypted; it must reside inside the ESP and the name must have the suffix *.efi

Now to your questions:

1. Usually you will always need an initramfs when using an encrypted root partition ... (* ->) but it is not entirely true: There is a very rare solution where you need no initramfs for an encrypted root partition ... a complicated one:
https://forums.gentoo.org/viewtopic-t-1110764-highlight-.html
(I would never recommend this to a new user)

Keep in mind you have two choices to build an initramfs: You use an automated routine like dracut (or ugrd), or you create it by yourself. Maybe you want to read: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Initramfs_Overview

2. No, you don't need a separate /boot partition; you need an ESP (EfiSystemPartition) ... and you must mount this partition into your root directory to access it. Last year there was a change of the mountpoint of this ESP: See more here:
https://forums.gentoo.org/viewtopic-t-1165115-highlight-.html

Maybe you want to read this to get an idea of booting a (stub) kernel directly via UEFI:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Boot_kernel_via_UEFI

Now your boot process for an encrypted root partition would look like this:
1. UEFI gets the information from its own UEFI boot entries list which image.efi it must start. If this is a (stub) kernel THEN ->
2. The kernel starts and knows it has an initramfs. So after a little bit of initializing, the kernel hands over to this initramfs.
3. The init script inside the initramfs does more work and at last starts /sbin/init from your root directory (this is what a kernel without an initramfs would do at last). Yes, this init will NOT return to the kernel.
4. /sbin/init is your init system (either OpenRC or systemd)

Keep in mind: IF you use a kernel with an external CPIO initramfs, THEN this initramfs MUST ALSO be in the ESP (best in the same directory as the kernel) AND you must have a UEFI boot entry for this kernel with the parameter "initrd=..." (See more: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Commandline_Parameter#Parameter:_initrd.3D )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
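The boot sequence pietinger describes (stub kernel started by UEFI, hand-over to the initramfs, no return to the kernel, /sbin/init started at the end) as a minimal hand-built /init script. This is an added example, not code from the thread or from the linked tutorials; the "cryptroot=" parameter name is this example's own convention, and it assumes busybox, cryptsetup and a /mnt/root directory are present in the CPIO archive.

```sh
#!/bin/sh
# Minimal /init for a hand-built initramfs that unlocks a LUKS root and mounts a
# btrfs root, then hands over to /sbin/init. Added example; not from the thread.
# Assumed kernel command line, set in the UEFI boot entry for the stub kernel:
#   cryptroot=UUID=<luks-uuid> root=/dev/mapper/root rootflags=subvol=@ initrd=\initramfs.cpio
# "cryptroot=" is this example's own parameter name. The archive must contain
# busybox (sh, mount, findfs, switch_root), cryptsetup, /mnt/root and any <M> modules.

# Print the value of key=... from a kernel command line string (empty if absent).
cmdline_value() {
    for word in $1; do
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# Turn UUID=/PARTUUID=/LABEL= specs into a device node; pass plain paths through.
resolve_dev() {
    case "$1" in
        UUID=*|PARTUUID=*|LABEL=*) findfs "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

init_main() {
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devtmpfs none /dev
    cmdline=$(cat /proc/cmdline)
    luks=$(resolve_dev "$(cmdline_value "$cmdline" cryptroot)")
    rootdev=$(cmdline_value "$cmdline" root)
    flags=$(cmdline_value "$cmdline" rootflags)
    # Asks for the passphrase on the console; the mapper name must match root=.
    cryptsetup open "$luks" "${rootdev##*/}" || exec sh
    mount -t btrfs -o "${flags:-defaults}" "$rootdev" /mnt/root || exec sh
    umount /proc /sys /dev
    # Point of no return: the initramfs is discarded, /sbin/init becomes PID 1.
    exec switch_root /mnt/root /sbin/init
}

# Run the boot sequence only when executed as PID 1 from the initramfs.
if [ "$$" -eq 1 ]; then init_main; fi
```

The script is packed as the root of the CPIO archive (`find . | cpio -o -H newc > initramfs.cpio`) and that archive goes next to the kernel in the ESP, referenced by the `initrd=` parameter of the UEFI boot entry.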