Understanding UKI setups for Rocky Linux with TPM2

Hi everyone,

I downloaded the Rocky Linux 10 minimal version and installed it both in a VM and on a real PC to dabble a bit in Unified Kernel Images (UKI) and TPM2 disk encryption.

In a proper setup I would need to sign the UKI to make sure the full disk encryption has a real benefit, but in a first step I decided to try full disk encryption with cryptenroll and crypttab and the onboard tpm2 first.

So in my first step I kept GRUB and the existing vmlinuz and initrd and only added the key for the LUKS-encrypted / to the TPM2, and it seems to work.

The next step would be to replace GRUB with systemd-boot and vmlinuz and initrd with a UKI. I have found systemd-ukify in some tutorials, and when I manually rerun dracut and then run ukify, I can somehow get it to boot, but it keeps asking me for the LUKS password at every boot. So adding tpm2-tss to the UKI does not yet really seem to work.

I have been dabbling with this for two days now and wanted to ask you:

Is the systemd-boot + dracut + systemd-ukify route really the best option for Rocky Linux right now? If not: what other route would be better / what am I missing?

And second question: I am currently doing all the image building and settings manually, what happens at a kernel update? How can I automate that?

I would appreciate any ideas.

Kind regards,

Johannes
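One way to check the three pieces that usually make a UKI boot fall back to the passphrase prompt (the TPM2 dracut module in the embedded initrd, the crypttab option, and the kernel command line), as an added example that is not from the post above or from the Rocky Linux or systemd projects. It assumes the standard dracut module name `tpm2-tss`, the systemd-cryptsetup crypttab option `tpm2-device=auto` and the `rd.luks.options=` kernel parameter; the file paths are supplied by the caller so the checks can be run against `/etc/crypttab`, the output of `lsinitrd -m <initrd>` and `/proc/cmdline`.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the dracut module
# "tpm2-tss", the systemd-cryptsetup crypttab option "tpm2-device=auto" and the
# "rd.luks.options=" kernel parameter; all file paths are supplied by the caller.
set -eu

# Write a dracut drop-in so every initrd dracut builds (and ukify embeds) carries the
# TPM2 userspace that systemd-cryptsetup needs to unseal the enrolled LUKS key.
write_dracut_tpm2_conf() {   # $1 = drop-in path, e.g. /etc/dracut.conf.d/tpm2.conf
    cat >"$1" <<'EOF'
# pull the TPM2 stack into the initrd; without it the UKI falls back to the passphrase
add_dracutmodules+=" tpm2-tss "
EOF
}

# Print the names of crypttab entries whose options lack tpm2-device= (these still prompt).
crypttab_without_tpm2() {   # $1 = crypttab path
    awk '!/^[[:space:]]*(#|$)/ && $4 !~ /tpm2-device=/ { print $1 }' "$1"
}

# True when a module listing (the output of `lsinitrd -m <initrd>`) names the module.
initrd_has_module() {   # $1 = listing file, $2 = dracut module name
    grep -qx "$2" "$1"
}

# True when a kernel command line string enables TPM2 unlocking via rd.luks.options.
cmdline_has_tpm2() {   # $1 = command line, e.g. "$(cat /proc/cmdline)"
    printf '%s\n' "$1" | tr ' ' '\n' | grep -q '^rd\.luks\.options=.*tpm2-device='
}

# Combine the checks; prints one line per finding and returns 1 if something is missing.
check_uki_tpm2() {   # $1 = crypttab, $2 = lsinitrd -m listing, $3 = cmdline string
    rc=0
    for name in $(crypttab_without_tpm2 "$1"); do
        echo "crypttab: $name has no tpm2-device= option"; rc=1
    done
    initrd_has_module "$2" tpm2-tss || { echo "initrd: tpm2-tss module missing"; rc=1; }
    # the cmdline hook is informational only: entries in crypttab carry their own options
    cmdline_has_tpm2 "$3" || echo "cmdline: no rd.luks.options=tpm2-device (ok if crypttab has it)"
    return $rc
}

# Stand-alone use on a live system: ./uki-tpm2-check.sh --check /path/to/initrd
if [ "${1:-}" = "--check" ]; then
    lsinitrd -m "${2:?initrd path}" > /tmp/uki-modules.txt
    check_uki_tpm2 /etc/crypttab /tmp/uki-modules.txt "$(cat /proc/cmdline)"
fi
```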