Hi everyone,
I recently started playing with GNU/Linux and installed Libreboot and Parabola on a few machines. I would like to try a fully encrypted Parabola GNU/Linux installation on my Librebooted ThinkPad x200, and came to this page. At the very beginning, it says:
Quote:
On most systems, it is necessary to have at least an unencrypted /boot partition (while the others, including root, may be encrypted). This is so that GRUB, and therefore the kernel, can be loaded and executed, because the boot firmware itself can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly in the boot flash even /boot can be encrypted. This protects its contents from tampering by someone with physical access to the system.
I don't think I fully understand whether or not a /boot partition is needed in a system which is supposed to run on a machine with Libreboot: since the bootloader is already included in the chip ROM (along with the GRUB config file), wouldn't it be superfluous to also generate a /boot partition with GRUB? And in that scenario, which GRUB configuration would be loaded? The one in the chip or the one in /boot/grub/grub.cfg? Or maybe I misunderstood, and the two "boot partitions" (both /boot and the one in the chip ROM) are both needed in order for the system to boot properly?
Also, in the guide I linked, it says that in order to effectively boot a fully encrypted system from GRUB (without the need to type a bunch of commands from the GRUB command prompt each time) one needs to "Edit grubtest.cfg. Inside the 'Load Operating System' menu entry, change the contents to something like this:"
Quote:
cryptomount -a
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
initrd /boot/initramfs-linux-libre.img
Does it mean I have to replace the WHOLE content of the section with those 4 lines? Wouldn't that prevent me from booting into "normal" (i.e. non-encrypted) filesystems? Do you have any suggestions on where exactly to include those lines in grub.cfg, and what to remove, assuming I want to preserve the possibility of booting into other media (i.e. a live ISO)? I found the instructions provided by the wiki to be quite unclear on this.
Thanks in advance!