Getting LUKS, Btrfs, Hibernation and Swap file working in tandem

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • sbctl

    :computer: :lock: :key: Secure Boot key manager

  • For Secure Boot you may want to take a look at this project [0]. Don't think it has ever gotten easier to sign UKIs than that, though systemd should have a new project (systemd-ukify) that aims to make it more integrated.

    Hibernation is not supported in lockdown mode because I'm assuming the kernel (maintainers) expect most people to have an unencrypted swap partition. If you have secured your swap, you can patch [1] the kernel to allow hibernation.

    [0] https://github.com/Foxboron/sbctl

    [1] https://gist.github.com/kelvie/917d456cb572325aae8e3bd94a9c1...

  • yubikey-full-disk-encryption

    Use YubiKey to unlock a LUKS partition

  • > Hibernate is less interesting, and apparently unsupported using secure boot anyway.

    That's not the case. I have a similar setup to yours (/ on ext4 with separate swap, on LVM on LUKS, separate /efi) and my box hibernates just fine with secure boot and auto-unlock via TPM.

    The difference with your setup is I don't use grub, but have the UEFI load a signed unified kernel image directly. Since this works so well, I never had a reason to mess around with yet another moving piece (grub or other bootloader).

    As another commenter said, I haven't attempted to mess around with the MOK. I just replaced all the secure boot keys with my own, and I've also signed MS's Windows key (but not the 3rd party one) for my dual-boot needs.

    ---

    For specifics: This is an up-to-date Arch Linux install, running on an HP EliteBook 840 G8 (11th gen Intel). I know Debian may have older components than Arch, but this setup has been working for more than a year now.

    IIRC, the most significant change was brought by systemd 251 which started supporting auto-unlocking LUKS with the TPM. Before that, on an older computer with the same general setup, hibernation worked well, too. I just needed to input the unlock password (which I was too lazy to do, so I just used my yubikey - see https://github.com/agherzan/yubikey-full-disk-encryption).

  • heads

    A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.

  • You don't need to encrypt anything to verify those images, you just need to sign them. See how Heads does this.

    https://github.com/osresearch/heads

  • sbupdate

    Discontinued. Generate and sign kernel images for UEFI Secure Boot on Arch Linux

  • I use sbupdate [0] to build the unified kernel image and to sign it with my keys. It's run by a hook in Arch's package manager whenever the kernel, the initrd or the firmware images change. I saw the other day that systemd recently got a utility to do this, but I've never looked into that. sbupdate has been working fine for me for several years now.

    It doesn't store a new key in the UEFI, it signs the new image with the key that UEFI already knows about.

    See [1] for the whole setup and [2] for the signing part specifically.

    [0] https://github.com/andreyv/sbupdate

    [1] https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

    [2] https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
