---
keywords:
  - IT
  - filesystem integrity
  - authentic filesystem
---

# secureboot

Most distributions are delivered with a Microsoft-signed SHIM bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The SHIM bootloader is controlled with mokutil.

- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation

## ubuntu

Ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this needs an already active Secure Boot.

# cryptsetup luks

- cryptsetup luksDump /dev/sdaX
- cryptsetup luksChangeKey /dev/sdaX
- cryptsetup luksErase

resource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/

## data integrity aka bitrot

General kernel awareness: https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst

The solution so far to work around end-user hardware limitations (like the lack of ECC RAM *grml*): https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst

So it should be more or less the same whether integrity is used with or without encryption:

- RAID1 preferred
- heavy performance issues caused by the journal (none or bitmap as a dangerous alternative)

https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst

The structure used to get this done:

- block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs
- block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs

- [ ] cryptsetup benchmark
- [ ] GPT formatted block devices to get recognized properly under windows
- [ ] complete header backup
- [ ] block device sector size
- [ ] block device support for SCT/ERC

#### related issues

- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate `--tag-size 8`
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key management integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives
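As an added example (not the page author's notes and not code from the cryptsetup, mdadm or btrfs projects), the following script builds the first stack from the integrity section on two file-backed loop devices: backing file -> loop device -> dm-integrity -> mdadm RAID1 -> btrfs. With `ENCRYPT=1` it inserts a LUKS2 layer between RAID1 and btrfs, which is the second stack, and also takes the header backup from the todo list. It then scrubs the mirror and prints the per-leg dm-integrity mismatch counters, which is where bitrot on one leg becomes visible. The work directory, device and array names, leg size, key file and the `build`/`scrub`/`teardown` arguments are constructed for the demo; it assumes cryptsetup/integritysetup, mdadm and btrfs-progs are installed and that it is run as root.

```shell
#!/bin/sh
# Added demo (not the page's code): dm-integrity -> mdadm RAID1 -> [LUKS2] -> btrfs
# on two file-backed loop devices.  Nothing touches the system unless invoked
# as "sh integrity-demo.sh build" (then "scrub" / "teardown"); needs root.
set -eu

WORKDIR=${WORKDIR:-/var/tmp/integrity-demo}   # constructed path
LEG_SIZE=${LEG_SIZE:-512M}                     # constructed leg size
ALG=${ALG:-crc32c}          # crc32c | sha256 | xxhash64 | ...
JOURNAL=${JOURNAL:-journal} # journal | bitmap | none  (page caveat: none/bitmap are the risky fast path)
ENCRYPT=${ENCRYPT:-0}       # 1 = LUKS2 between RAID1 and btrfs (the page's second stack)
MD=/dev/md/integ-demo       # constructed array name

# integritysetup stores the tag size but not the checksum algorithm in its
# superblock, so --integrity must be given again at "open".
# xxhash64 needs an explicit 8-byte tag at format time (cryptsetup issue #632).
integrity_format_args() {
    case "$1" in
        xxhash64) printf '%s' "--integrity $1 --tag-size 8" ;;
        *)        printf '%s' "--integrity $1" ;;
    esac
}

# Journal mode trades crash consistency for throughput: "none" drops the
# atomic data+tag write, "bitmap" only tracks dirty regions for recalculation.
journal_args() {
    case "$1" in
        none)   printf '%s' "--integrity-no-journal" ;;
        bitmap) printf '%s' "--integrity-bitmap-mode" ;;
        *)      printf '%s' "" ;;
    esac
}

make_leg() {   # $1 = leg index (0 or 1)
    img="$WORKDIR/leg$1.img"
    truncate -s "$LEG_SIZE" "$img"
    loop=$(losetup --find --show "$img")
    # word splitting of the argument strings is intended here
    integritysetup format --batch-mode $(integrity_format_args "$ALG") "$loop"
    integritysetup open --integrity "$ALG" $(journal_args "$JOURNAL") "$loop" "integ$1"
    echo "$loop" >> "$WORKDIR/loops"
}

build() {
    mkdir -p "$WORKDIR"; : > "$WORKDIR/loops"
    make_leg 0; make_leg 1
    mdadm --create "$MD" --level=1 --raid-devices=2 --metadata=1.2 --run \
        /dev/mapper/integ0 /dev/mapper/integ1
    fs_dev="$MD"
    if [ "$ENCRYPT" = 1 ]; then
        head -c 64 /dev/urandom > "$WORKDIR/demo.key"      # demo key file, constructed
        cryptsetup luksFormat --type luks2 --batch-mode --key-file "$WORKDIR/demo.key" "$MD"
        # keep a complete header copy before any keyslot work (page todo item)
        cryptsetup luksHeaderBackup "$MD" --header-backup-file "$WORKDIR/luks-header.bak"
        cryptsetup open --key-file "$WORKDIR/demo.key" "$MD" integ-demo-crypt
        fs_dev=/dev/mapper/integ-demo-crypt
    fi
    mkfs.btrfs -q "$fs_dev"
    mkdir -p "$WORKDIR/mnt"; mount "$fs_dev" "$WORKDIR/mnt"
}

# md reads both legs during "check"; a sector dm-integrity rejects surfaces to
# md as a read error and is rewritten from the healthy mirror.  Field 4 of
# "dmsetup status" is the cumulative mismatch counter of that leg.
scrub_and_report() {
    mdname=$(basename "$(readlink -f "$MD")")
    echo check > "/sys/block/$mdname/md/sync_action"
    while [ "$(cat "/sys/block/$mdname/md/sync_action")" != idle ]; do sleep 1; done
    for leg in integ0 integ1; do
        echo "$leg mismatches: $(dmsetup status "$leg" | awk '{print $4}')"
    done
}

teardown() {
    umount "$WORKDIR/mnt" 2>/dev/null || true
    cryptsetup close integ-demo-crypt 2>/dev/null || true
    mdadm --stop "$MD" 2>/dev/null || true
    integritysetup close integ0 2>/dev/null || true
    integritysetup close integ1 2>/dev/null || true
    if [ -f "$WORKDIR/loops" ]; then
        while read -r l; do losetup -d "$l"; done < "$WORKDIR/loops"
    fi
}

case "${1:-}" in
    build)    build; scrub_and_report ;;
    scrub)    scrub_and_report ;;
    teardown) teardown ;;
esac
```

Run `JOURNAL=none sh integrity-demo.sh build` to feel the journal cost the page mentions against the default, and `ALG=xxhash64` to see the tag-size caveat applied; `dmsetup status integ0` can be polled at any time, and a non-zero first field on one leg while the btrfs on top stays clean is exactly the repair path RAID1 over dm-integrity is meant to provide.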