Cassini release question about systemd-boot LUKS fulldisk encryption for BTRFS

Hello,
Since systemd-boot is selected by default on the latest EndeavourOS Cassini version, I would like to ask whether systemd-boot is ready for the setup I use:

I use BTRFS on a whole main SSD drive with a swapfile. This whole drive is put in a LUKS full-disk encryption container. It is only one physical SSD drive, no dual boot. Last time I checked, only GRUB was able to support this setup (but systemd-boot looks more appealing). I also use Timeshift snapshots with BTRFS. The GRUB timeout is set to 0 s; if I need the GRUB menu, I hold Shift after typing the LUKS password; in this GRUB menu I can select different kernels and Timeshift snapshots, in cases where a newer kernel is not booting anymore (I always have mainline and LTS kernels ready) or if I corrupted other userland services on the last boot.

Does systemd-boot support my use case, or should I still stick with GRUB?

What’s your experience? Thanks.

systemd-boot works with LUKS. The only thing that won't be encrypted is the UEFI partition.

As long as you don’t require snapshot booting, systemd-boot works perfectly with btrfs.

1 Like

For real full disk encryption, meaning including an encrypted boot partition, grub is still the only way to go.

Reading your post, it seems you've got a pretty good working setup. Unless you need the thrill of tinkering :wink:, I'd recommend you stick to GRUB. It's well documented and proven and will work for years to come. There's a reason it's still the default for most distributions.

3 Likes

For real full disk encryption, hardware encryption is the only way to achieve that on a single-disk UEFI system. No matter what, your UEFI partition will always be unencrypted.

There is the option to create a standalone GRUB EFI binary, sign it with your own keys, and enroll those keys in your UEFI firmware. Now there is only the unencrypted bootloader on the EFI partition which can be verified by Secure Boot. That is a pretty nice setup.

I will admit (from my own experience) it is tricky to set up. But once working, it is very nice.
https://wiki.archlinux.org/title/GRUB#Encrypted_/boot

2 Likes

Interesting. What happens when GRUB updates are released? Do you need to do all that again, or can you set up post-update hooks to update the GRUB single-file binary automatically?

You can fully automate the process.

Once you have everything up and running, you can deal with GRUB updates by creating a pacman hook:
https://wiki.archlinux.org/title/pacman#Hooks

The hook would contain the command to build your specific EFI GRUB, sign it with your key and then copy it to the ESP (to EFI/endeavouros/grubx64.efi for example).

This is a description of how to sign EFI binaries:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Signing_EFI_binaries

This is the hook that I use for signing the Linux kernel which will be verified by GRUB if Secure Boot is supported and enabled. Please note that <PATH_TO_YOUR_KEYS> should be adapted to the system where the hook is used:

999-sign_kernel_for_secureboot.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = linux-lts
Target = linux-hardened
Target = linux-zen

[Action]
Description = Sign kernel with Signature Database Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key <PATH_TO_YOUR_KEYS>/db.key --cert <PATH_TO_YOUR_KEYS>/db.crt --output {} {}; fi' ;
Depends = sbsigntools
Depends = findutils
Depends = grep

I don’t have an example for a GRUB hook since I am very cautious about (automatic) changes to my boot loader.

1 Like
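The post above describes the GRUB side of the pipeline in words only (build a standalone EFI binary, sign it with the db key, copy it to the ESP, driven by a pacman hook) and deliberately gives no hook for it. The script below is an added example, not code from the thread or from EndeavourOS, showing what such a hook could call. It assumes the keys live in /etc/secureboot/keys, the ESP is mounted at /efi, the target path EFI/endeavouros/grubx64.efi named in the thread, a root btrfs subvolume mounted from /@ that contains /boot, and that LUKS_UUID is set to the UUID of the container holding /boot; the module list assumes an AES/SHA-256 LUKS setup and must be adapted to the container's actual cipher and hash. The embedded early config does what GRUB needs before it can read anything from an encrypted /boot: unlock the container, then hand over to the real grub.cfg inside it.

```shell
#!/bin/sh
# build-signed-grub.sh: rebuild a standalone GRUB EFI image with LUKS + btrfs
# support, sign it for Secure Boot and install it on the ESP.
# Added example (not from the thread); every path below is an assumption.
#
# A matching pacman hook (assumed name /etc/pacman.d/hooks/998-grub-standalone.hook):
#   [Trigger]
#   Operation = Install
#   Operation = Upgrade
#   Type = Package
#   Target = grub
#   [Action]
#   Description = Rebuild and sign standalone GRUB for Secure Boot
#   When = PostTransaction
#   Exec = /usr/local/bin/build-signed-grub.sh run
#   Depends = sbsigntools
set -eu

KEYDIR="${KEYDIR:-/etc/secureboot/keys}"          # assumed: db.key / db.crt live here
ESP="${ESP:-/efi}"                                  # assumed ESP mount point
TARGET="${TARGET:-EFI/endeavouros/grubx64.efi}"     # path named in the thread
LUKS_UUID="${LUKS_UUID:-}"                          # UUID of the LUKS container holding /boot
BOOT_SUBVOL="${BOOT_SUBVOL:-/@}"                    # assumed btrfs subvolume holding /boot

# Modules the image must carry to reach an encrypted btrfs /boot before any
# on-disk configuration can be read. Crypto modules assume AES + SHA-256/PBKDF2.
GRUB_MODULES="part_gpt part_msdos cryptodisk luks luks2 gcry_rijndael gcry_sha256 gcry_sha512 pbkdf2 btrfs configfile normal linux echo"

# Render the early config that gets embedded in the image: unlock the
# container (GRUB 2.06 expects the UUID without dashes), then load the real
# grub.cfg that lives inside the encrypted /boot.
early_cfg() {
    uuid_nodash=$(printf '%s' "$1" | tr -d '-')
    cat <<EOF
cryptomount -u ${uuid_nodash}
set root=(crypto0)
set prefix=(crypto0)${2}/boot/grub
configfile \$prefix/grub.cfg
EOF
}

# Refuse to run unless every input is present: a half-built loader on the ESP
# is worse than the old one staying in place.
check_prereqs() {
    [ -n "$LUKS_UUID" ] || { echo "LUKS_UUID is not set" >&2; return 1; }
    [ -r "$KEYDIR/db.key" ] && [ -r "$KEYDIR/db.crt" ] || { echo "missing $KEYDIR/db.key or db.crt" >&2; return 1; }
    [ -d "$ESP/EFI" ] || { echo "$ESP does not look like a mounted ESP" >&2; return 1; }
    return 0
}

# Build into a temp dir, sign, verify the signature against our own db cert,
# and only then replace the file on the ESP in a single rename.
build_and_install() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    early_cfg "$LUKS_UUID" "$BOOT_SUBVOL" > "$tmp/grub.cfg"
    grub-mkstandalone -O x86_64-efi -d /usr/lib/grub/x86_64-efi \
        --modules="$GRUB_MODULES" --locales="" --themes="" --fonts="" \
        -o "$tmp/grubx64.efi" "boot/grub/grub.cfg=$tmp/grub.cfg"
    sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" \
        --output "$tmp/grubx64.signed.efi" "$tmp/grubx64.efi"
    sbverify --cert "$KEYDIR/db.crt" "$tmp/grubx64.signed.efi"
    install -D -m 0644 "$tmp/grubx64.signed.efi" "$ESP/$TARGET.new"
    mv -f "$ESP/$TARGET.new" "$ESP/$TARGET"
}

# Only the explicit "run" argument touches the system; sourcing or running the
# script without it just defines the functions.
case "${1:-}" in
    run) check_prereqs && build_and_install ;;
esac
```

Because the embedded config is what the signed image trusts before anything else is decrypted, the real grub.cfg inside /boot is protected by LUKS and the image itself by the db signature, which is the property the post above is after. The kernel signing hook earlier in the thread still applies unchanged; this script only covers the loader.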

Is it possible to boot into a specific btrfs snapshot with systemd-boot? Or is it only possible with GRUB currently?
Indeed, I have the same questions as the OP and I am about to install EndeavourOS (coming from another Arch-based distro).
Thanks

No, if you want that functionality you should choose grub from the bootloader selection screen during the install.

2 Likes