On 12/21/23 07:47, aplanas wrote:
Hi,
Some months ago we announced the support of systemd-boot in MicroOS and in Tumbleweed, using a new tool named sdbootutil, that helps us to synchronize the boot loader entries with available snapshots in the system.
Today we announce that we are supporting the full disk encryption (FDE) tools that systemd brings us via systemd-cryptenroll or cryptsetup. We extended the pcr-oracle to support new PCRs and the generation of authorized policies in JSON format for systemd.
With this we also propose a new architecture in the distribution that allows the enrollment of the TPM2 (with full measured boot attestation) and the FIDO2 key, using the already available systemd user tools.
The MicroOS image[0] was also extended to show all these nice features working together.
The long (sorry, maybe too long) explanation is in the news-o-o blog post[1], and the technical details are in the openSUSE Systemd-fde wiki page[2].
Feedback is more than welcome!
... also happy holidays, end of the year and beginning of 2024!
[0] http://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-k...
[1] https://news.opensuse.org/2023/12/20/systemd-fde/
[2] https://en.opensuse.org/Systemd-fde
Hi aplanas and Ludwig,
I have been testing out systemd-boot and overall it seems to be working fine. The test system is UEFI with secure boot enabled but I do NOT use FDE. I followed these instructions here for switching to systemd-boot:
https://en.opensuse.org/Systemd-boot
As part of my testing I wanted to also test switching back from systemd-boot to grub2. I also got that to work, however, there is one thing I cannot seem to figure out. When TW is initially installed using grub2, the /etc/default/grub file created during installation contains the following lines:
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_USE_LINUXEFI="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"
After installing systemd-boot and getting that working and then switching back to grub2 by reinstalling grub2, the /etc/default/grub file does NOT contain those lines.
How is the initial TW install creating /etc/default/grub with those lines in it and a reinstall of grub2 does NOT contain those lines?
Obviously I worked around the issue by using the original /etc/default/grub file which I had saved, but I would really like to know how the initial TW install creates the file with those lines in it.
Thanks!
Joe