2.4 KiB
keywords | |||
---|---|---|---|
|
secureboot
Most of the distributions are delievered with a microsoft-signed SHIM bootloader, which should allow the boot with active secureboot without deleting OEM keys. the SHIM bootloader gets controlled with mokutil.
- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation
ubuntu
ubuntu provides a update-secureboot-policy script to generate and enroll a secureboot mok, but this needs an already active secureboot with MS keys and this needs to be active through booting the installer
cryptsetup luks
crypsetup luksDump /dev/sdaX cryptsetup luksChangeKey /dev/sdaX cryptsetup luksErase
ressource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/
lkrg - linux kernel runtime guard
archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm
data integrity aka bitrot
General kernel awareness: https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst the solution so far to omit endusers hardware limitations (like ECC RAM grml) https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst So it should be more or less equal to use integrity with or without encryption:
- RAID1 preferred
- heavily perfomance issues caused by the journal ( none or bitmap as dangerous alternative) https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst
the used strcuture to get this done: block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
- cryptsetup benchmark
- GPT formatted block devices to get recognized properly under windows
- complete header backup
- block device sector size
- blcok device support for SCT/ERC
related issues
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate
--tag-size 8
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key mgmnt integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives