Releases: rdmitry0911/zfsbootmenu

All-in-one package

17 Jul 16:50
6f3003a
Pre-release

ZBM based on the latest Arch Linux, with embedded clevis and dropbear support. A set-it-and-forget-it kind of build, independent of the target system and host hardware.
Requirements:

  • A system installed on an encrypted ZFS volume on a host with TPM2 support (all modern systems provide it)

  • The latchset.clevis:decrypt=yes user property has to be added in advance to the encrypted dataset for automatic decryption

  • The latchset.clevis:netconf user property has to be added in advance to the encrypted dataset. The value of this property should have the form "if:ip/mask:def. route:dns". Valid example: "eth0:10.7.6.22/24:10.7.6.1:8.8.8.8". This property is used to configure the network for ssh access to ZBM. I use this way of passing net config params to a script to avoid rebuilding ZBM for running on another host. If there is no need to access ZBM via ssh, this property is not needed

  • The latchset.clevis:dropbear user property has to be added in advance to the encrypted dataset. The value of this property should be the authorized key for ssh login to zfsbootmenu as root. Valid example: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhw5gGy/g9CM8PlB23Ag1RMgPfUoXu2tKELP9FIOcK4 somename@local". This property is used to configure root ssh access to ZBM. I use this way of passing dropbear config to avoid rebuilding ZBM for running on another host. If there is no need to access ZBM via ssh, this property is not needed

  • The /boot folder should reside inside the encrypted dataset of the target system

  • The keylocation of the encrypted dataset should be set to file:///some/file (valid example: file:///etc/zfs/rpool.key), and this file should be embedded in the initramfs of the target system. This is safe because the initramfs is located in the encrypted /boot directory
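
A pre-flight check for the latchset.clevis:netconf value described above, as an added example that is not part of this release or of ZBM: it validates the four fields, confirms the default route is inside the interface's subnet, and prints the zfs set commands for review instead of running them. It assumes IPv4 values as in the page's example; the dataset name rpool/ROOT/example and the key string are placeholders.

```shell
#!/bin/sh
# Added example, not part of the release. Assumes IPv4 in every address field.

# Print a dotted-quad IPv4 address as a 32-bit integer; fail if malformed.
ip2int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# Validate "if:ip/mask:def. route:dns". Succeeds only if all four fields parse
# and the default route is inside the interface's subnet.
check_netconf() {
    case $1 in *:*:*:*:*) return 1 ;; *:*:*:*) ;; *) return 1 ;; esac
    nc_if=${1%%:*};          nc_rest=${1#*:}
    nc_cidr=${nc_rest%%:*};  nc_rest=${nc_rest#*:}
    nc_gw=${nc_rest%%:*};    nc_dns=${nc_rest#*:}
    [ -n "$nc_if" ] || return 1
    case $nc_cidr in */*) ;; *) return 1 ;; esac
    nc_len=${nc_cidr#*/}
    case $nc_len in ''|*[!0-9]*|0*|???*) return 1 ;; esac
    [ "$nc_len" -le 32 ] || return 1
    nc_a=$(ip2int "${nc_cidr%/*}") || return 1
    nc_g=$(ip2int "$nc_gw") || return 1
    ip2int "$nc_dns" >/dev/null || return 1
    nc_mask=$(( (0xFFFFFFFF << (32 - nc_len)) & 0xFFFFFFFF ))
    [ $(( nc_a & nc_mask )) -eq $(( nc_g & nc_mask )) ]
}

# Print (never run) the zfs commands. $1 dataset, $2 netconf, $3 public key.
emit_props() {
    check_netconf "$2" || { echo "invalid netconf: $2" >&2; return 1; }
    printf 'zfs set latchset.clevis:decrypt=yes %s\n' "$1"
    printf "zfs set latchset.clevis:netconf='%s' %s\n" "$2" "$1"
    printf "zfs set latchset.clevis:dropbear='%s' %s\n" "$3" "$1"
}

# Placeholders: dataset name and key are constructed, not from a real system.
emit_props rpool/ROOT/example "eth0:10.7.6.22/24:10.7.6.1:8.8.8.8" \
    "ssh-ed25519 AAAA...placeholder user@host"
```

Review the printed commands, then run them as root against the dataset that holds the target system.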

Setup is easy: just copy vmlinuz-linux.EFI to the /EFI/ZBM folder and point the UEFI boot manager to boot it. The first time, it will ask you for the passphrase, and from then on all boots will be done automatically unless you change your hardware or ZBM itself. Any intrusion attempts will be tracked and will interrupt automatic booting.