Details
Story
Resolution: Unresolved
rhel-9.0.0
sst_desktop_firmware_bootloaders
ssg_desktop
Description
Description of problem:
The installer of RHEL9 prevents installing /boot to an encrypted partition.
Version-Release number of selected component (if applicable):
RHEL 9.0
How reproducible: always
Steps to Reproduce:
1. Go to custom partitioning during a manual install of RHEL9
2. Check "Encrypt" for the /boot partition. LUKS Version 1 or 2 doesn't matter
3. Click Update Settings
Actual results:
The error "/boot cannot be encrypted" appears
Expected results:
No error messages, installing works without issue.
Additional info:
------------------
Why is an encrypted /boot important?
UEFI Secure Boot protects shim, grub, the kernel and any kernel modules.
Encrypting the local partitions protects the data of the rest of the system.
The EFI System Partition obviously has to be left unencrypted, and so does /boot
unless the changes discussed here are applied.
Since initramfs is on /boot, it is left unprotected.
Anyone with physical access to a machine can modify initramfs
to make it store the password for disk encryption and later send it to the
attacker through a covert channel. This then allows decrypting the whole
disks.
Encrypting /boot protects against this.
------------------
Implementation details:
Removing the block on encrypted /boot from anaconda is one thing, making
encrypted /boot work is another. To test this I removed the check from
anaconda with a patch and tested it on a UEFI system.
Since RHEL 9, grub.cfg is written to the common location /boot/grub2/grub.cfg.
On UEFI a small config loader is written to /boot/efi/EFI/redhat/grub.cfg:
—
search --no-floppy --fs-uuid --set=dev 1f5d833e-ebeb-4756-ae80-52def7dc4cb5
set prefix=($dev)/boot/grub2
export $prefix
configfile $prefix/grub.cfg
—
This config loader is missing the required bits to decrypt the /boot partition.
I extended the file like this:
—
# Partition table, RAID and LVM support needed to reach the /boot volume
insmod part_gpt
insmod diskfilter
insmod mdraid1x
insmod lvm
# LUKS container support plus the cipher and hash used by the container
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha256
# Filesystem of /boot
insmod ext2
# Unlock the LUKS container by header UUID (written without dashes)
cryptomount -u df102f5b7442417a88628de1d31225e0
# Locate the /boot filesystem and chain into the real grub.cfg
search --no-floppy --fs-uuid --set=dev 1f5d833e-ebeb-4756-ae80-52def7dc4cb5
set prefix=($dev)/boot/grub2
export $prefix
configfile $prefix/grub.cfg
—
Then I was able to boot with the encrypted /boot. The UUID given to the
cryptomount command is the same as the one already written to
/boot/grub2/grub.cfg when GRUB_ENABLE_CRYPTODISK=y is set.
Since the necessary additions to /boot/efi/EFI/redhat/grub.cfg don't look
too complicated to me, I think it is reasonable to add support for this to
get the additional protection for the initramfs files.
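As an added example (not part of the bug report or of anaconda/grub), the following POSIX shell helper renders the extended config loader described above from two inputs: the LUKS header UUID and the /boot filesystem UUID as blkid prints them. It strips the dashes that `cryptomount -u` expects to be absent, refuses malformed UUIDs so a typo cannot leave the machine unbootable, and checks that a /etc/default/grub-style file enables GRUB_ENABLE_CRYPTODISK. The function names and the file-path argument are assumptions; the UUIDs in the demo call are the two values from the report, the LUKS one written back in dashed form.

```shell
#!/bin/sh
# Added example, not code from the bug report: render the UEFI config loader
# for an encrypted /boot. Function names and paths are assumptions.

# cryptomount -u takes the LUKS UUID without dashes, while search --fs-uuid
# takes the filesystem UUID exactly as blkid prints it.
strip_dashes() {
    printf '%s' "$1" | tr -d '-'
}

# Accept only a canonical lowercase 8-4-4-4-12 hex UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the loader to stdout. The module list is the one that booted in the
# report: GPT, mdraid, LVM, LUKS with AES/SHA-256, ext2.
render_loader() {
    luks_uuid=$1
    fs_uuid=$2
    is_uuid "$luks_uuid" || { echo "bad LUKS UUID: $luks_uuid" >&2; return 1; }
    is_uuid "$fs_uuid" || { echo "bad filesystem UUID: $fs_uuid" >&2; return 1; }
    cat <<EOF
insmod part_gpt
insmod diskfilter
insmod mdraid1x
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha256
insmod lvm
insmod ext2
cryptomount -u $(strip_dashes "$luks_uuid")
search --no-floppy --fs-uuid --set=dev $fs_uuid
set prefix=(\$dev)/boot/grub2
export \$prefix
configfile \$prefix/grub.cfg
EOF
}

# Succeed when the given /etc/default/grub-style file sets
# GRUB_ENABLE_CRYPTODISK=y, which makes grub2-mkconfig emit the matching
# cryptomount line in /boot/grub2/grub.cfg as the report describes.
cryptodisk_enabled() {
    grep -Eq '^GRUB_ENABLE_CRYPTODISK="?y"?$' "$1"
}

# Demo: with two UUIDs on the command line, print the loader. The LUKS UUID
# here is the report's value written in dashed form; the fs UUID is the
# report's /boot filesystem UUID.
#   sh loader.sh df102f5b-7442-417a-8862-8de1d31225e0 1f5d833e-ebeb-4756-ae80-52def7dc4cb5
case $# in
    2) render_loader "$1" "$2" ;;
esac
```

Redirect the output over /boot/efi/EFI/redhat/grub.cfg only after reviewing it and keeping a copy of the original loader, since a wrong UUID in either line means grub stops at its rescue prompt; both UUIDs can be read with `blkid -s UUID -o value` on the LUKS device and on the unlocked /boot filesystem respectively.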