---
keywords:
- IT
- filesystem integrity
- authentic filesystem
---

# secureboot

Most distributions are delivered with a Microsoft-signed shim bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The shim bootloader is controlled with mokutil.

- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation

## ubuntu

ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this needs Secure Boot already active with the MS keys, and it needs to be active when booting the installer.

# cryptsetup luks

- cryptsetup luksDump /dev/sdaX
- cryptsetup luksChangeKey /dev/sdaX
- cryptsetup luksErase /dev/sdaX

resource:

http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/

## lkrg - linux kernel runtime guard

archlinux can build it from the AUR; debian/ubuntu can use the precompiled *.deb package. It should be available for x64, arm64 and arm.

## data integrity aka bitrot

General kernel awareness:

https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst

the solution so far to work around end users' hardware limitations (like no ECC RAM *grml*):

https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst

So it should be more or less the same to use integrity with or without encryption:

- RAID1 preferred
- heavy performance issues caused by the journal (none or bitmap as the dangerous alternative)

https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst

the structure used to get this done:

block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs

block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
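
The first stack as an added shell example (not from the original notes): it puts dm-integrity on two loop devices, mirrors them with mdadm and formats btrfs on top, with the journal mode and checksum algorithm chosen the way the bullets above describe. It assumes integritysetup, mdadm, losetup and mkfs.btrfs are installed and that build_stack runs as root; the image paths, the names integ0/integ1 and /dev/md/integ, and the 4096-byte sector size are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original notes):
#   backing file -> loop device -> dm-integrity -> mdadm RAID1 -> btrfs
# Assumes integritysetup, mdadm, losetup, mkfs.btrfs and root; paths and names are arbitrary.
set -eu
# Options for `integritysetup format`. xxhash64 needs an explicit 8-byte tag
# (cryptsetup issue 632); bitmap mode must be chosen at format time.
integrity_format_args() {
    local alg="$1" mode="$2" args="--integrity $1 --sector-size 4096"
    case $alg in xxhash64) args="$args --tag-size 8" ;; esac
    case $mode in
        journal) ;;                                      # default: safest, slowest
        bitmap)  args="$args --integrity-bitmap-mode" ;; # faster, weaker crash safety
        none)    ;;                                      # journal is switched off at open
        *) echo "unknown journal mode: $mode" >&2; return 1 ;;
    esac
    echo "$args"
}

# Options for `integritysetup open`; the journal can only be disabled here.
integrity_open_args() {
    local mode="$2" args="--integrity $1"
    case $mode in
        journal) ;;
        bitmap)  args="$args --integrity-bitmap-mode" ;;
        none)    args="$args --integrity-no-journal" ;;
        *) echo "unknown journal mode: $mode" >&2; return 1 ;;
    esac
    echo "$args"
}

# Builds the stack; destroys the contents of /tmp/integ0.img and /tmp/integ1.img.
build_stack() {
    local alg="${1:-crc32c}" mode="${2:-journal}" fargs oargs i dev devs=""
    fargs=$(integrity_format_args "$alg" "$mode")
    oargs=$(integrity_open_args "$alg" "$mode")
    for i in 0 1; do
        truncate -s 512M "/tmp/integ$i.img"
        dev=$(losetup --find --show "/tmp/integ$i.img")
        integritysetup format --batch-mode "$dev" $fargs   # unquoted on purpose: splits into options
        integritysetup open "$dev" "integ$i" $oargs
        devs="$devs /dev/mapper/integ$i"
    done
    # RAID1 over the checked legs: a tag mismatch is a read error on one leg, which md
    # serves and repairs from the other leg instead of passing bad data up to btrfs.
    mdadm --create /dev/md/integ --level=1 --raid-devices=2 --run $devs
    mkfs.btrfs -f /dev/md/integ
}
if [ "${1:-}" = "--apply" ]; then build_stack "${2:-crc32c}" "${3:-journal}"; fi
```

Run it as `sh stack.sh --apply crc32c journal` (or `xxhash64 bitmap`, etc.) to build; for the second, encrypted stack, run `cryptsetup luksFormat /dev/md/integ` and open the LUKS device before the mkfs.btrfs step.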

- [ ] cryptsetup benchmark
- [ ] GPT formatted block devices to get recognized properly under windows
- [ ] complete header backup
- [ ] block device sector size
- [ ] block device support for SCT/ERC

#### related issues

- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate `--tag-size 8`
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key management integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives