NP_complete Tux's lil' helper
Joined: 21 Mar 2009 Posts: 133
Posted: Sun Oct 06, 2024 6:41 am Post subject: EFI stub+disk encryption: is initramfs really needed?
I am following this guide to set up disk encryption, and I would like to boot from an EFI stub.
1. My main question is whether initramfs is really necessary here? As I am thinking this through, I could simply put the kernel (with a name ending in .efi) into the ESP partition, which will be mounted by the BIOS. The kernel would have all the requisites built in and can therefore decrypt the LUKS volume and mount the btrfs root file system. After this, we are basically done. Is there a gap in my logic?
2. As a closely related question, do I need a separate /boot partition containing initramfs, as described in the linked article? Assuming that I do need such a partition, how would the boot sequence proceed? First, the kernel stub is read by the BIOS, then /boot is mounted and initramfs loaded into memory to give the kernel the ability to decrypt and mount the root file system. Do we need to go back and forth between the kernel and initramfs like that?
Many thanks.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4927 Location: Bavaria
Posted: Sun Oct 06, 2024 9:37 am Post subject:
Before answering your questions I would like to tell you a few things ... you maybe already know:
1. You can have an external initramfs (as a CPIO archive) or you can embed it "into" the kernel image.
2. As soon as the kernel knows it has an initramfs, the kernel will no longer do the job of mounting the root partition, because now it is the job of the initramfs.
3. If the kernel has an initramfs, the kernel will only start all statically configured modules itself and THEN switch to the initramfs, BUT there is NO RETURN from the initramfs back to the kernel. This means: the initramfs has to do everything else that is necessary for a correct system start (at least: mounting the root partition and loading some kernel modules which have been configured as <M>odule and not statically).
4. The kernel would NOT be able to mount an encrypted root device ... for this you will always need (-> *) an initramfs.
5. UEFI (BIOS) is not able to start a program from an encrypted partition (because UEFI can only do SecureBoot = booting a signed image; but no decryption of an image). This means if you want to start your kernel directly via UEFI (a good choice), this kernel must not be encrypted; it must reside inside the ESP and the name must have the suffix *.efi
Now to your questions:
1. Usually you will always need an initramfs when using an encrypted root partition ... (* ->) but it is not entirely true: There is a very rare solution where you need no initramfs for an encrypted root partition ... a complicated one:
https://forums.gentoo.org/viewtopic-t-1110764-highlight-.html
(I would never recommend this to a new user)
Keep in mind you have two choices to build an initramfs: You use an automated routine like dracut (or ugrd), or you create it by yourself. Maybe you want to read: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Initramfs_Overview
2. No, you don't need a separate /boot partition; you need an ESP (EfiSystemPartition) ... and you must mount this partition into your root directory to access it. Last year there was a change of the mountpoint of this ESP: See more here:
https://forums.gentoo.org/viewtopic-t-1165115-highlight-.html
Maybe you want to read this to get an idea of booting a (stub) kernel directly via UEFI:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Boot_kernel_via_UEFI
Now your boot process for an encrypted root partition would look like this:
1. UEFI gets the information from its own UEFI boot entries list which image.efi it must start. If this is a (stub) kernel THEN ->
2. Kernel starts and knows it has an initramfs. So after a little bit of initializing, the kernel hands over to this initramfs.
3. The init script inside the initramfs does more work and at last starts /sbin/init from your root directory (a kernel without an initramfs would do this itself at last). Yes, this init will NOT return to the kernel.
4. /sbin/init is your init system (either OpenRC or systemd)
Keep in mind: IF you use a kernel with an external CPIO initramfs, THEN this initramfs MUST ALSO be in the ESP (best in the same directory as the kernel) AND you must have a UEFI boot entry for this kernel with the parameter "initrd=..." (See more: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Commandline_Parameter#Parameter:_initrd.3D )
_________________ https://wiki.gentoo.org/wiki/User:Pietinger
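As an added illustration of step 3 above (the init script inside the initramfs that unlocks the LUKS volume, mounts the btrfs root and hands over to /sbin/init without ever returning to the kernel), here is a minimal hand-written /init. It is example code, not from this thread or from any Gentoo tool; it assumes a busybox-based CPIO archive with a static cryptsetup, and the kernel command line parameters cryptroot=, root= and rootflags= shown in the comments, which are my own naming.

```shell
#!/bin/sh
# Minimal initramfs /init for LUKS + btrfs root (constructed example).
# Assumed kernel command line, e.g. in the UEFI boot entry:
#   initrd=\initramfs.cpio cryptroot=UUID=<luks-uuid> root=/dev/mapper/root rootflags=subvol=@
# Needs: busybox (sh, mount, findfs, switch_root) and cryptsetup in the CPIO;
# dm-crypt, the cipher and btrfs either built in (<*>) or as modules loaded here.

# Print the value of "name=value" from a kernel command line string; fail if absent.
cmdline_get() {          # $1 = full command line, $2 = parameter name
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# On any failure drop to a shell so the machine can be inspected instead of hanging.
rescue() { echo "init: $1" >&2; exec /bin/sh; }

main() {
    mount -t proc     proc /proc
    mount -t sysfs    sys  /sys
    mount -t devtmpfs dev  /dev
    mkdir -p /mnt/root

    cmdline=$(cat /proc/cmdline)
    luks=$(cmdline_get "$cmdline" cryptroot)  || rescue "cryptroot= missing"
    root=$(cmdline_get "$cmdline" root)       || root=/dev/mapper/root
    flags=$(cmdline_get "$cmdline" rootflags) || flags=subvol=@

    # Disks may appear a little after the kernel starts us; poll for the LUKS device.
    i=0
    until dev=$(findfs "$luks" 2>/dev/null) || [ "$i" -ge 30 ]; do
        sleep 1; i=$((i + 1))
    done
    [ -n "$dev" ] || rescue "device $luks not found"

    # Asks for the passphrase on the console and creates /dev/mapper/root.
    cryptsetup open --type luks "$dev" root || rescue "cryptsetup open failed"
    mount -t btrfs -o "ro,$flags" "$root" /mnt/root || rescue "mounting root failed"

    umount /dev /sys /proc
    # Hand over for good: the real init replaces us, nothing returns to the kernel.
    exec switch_root /mnt/root /sbin/init
}

# Act as init only when we really are PID 1; otherwise this file just defines functions.
if [ "$$" -eq 1 ]; then main; fi
```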