This isn't systemd-specific, but I know that at least some systemd developers recommend using UEFI secure boot + dm-verity, which leads to this problem. I also don't know a better place to ask for help on this.
How do OSs using dm-verity and UKIs find the user data partition? On some systems it is trivial, as the storage device it must be on is known ahead of time. However, desktops and servers can have many storage devices or even use RAID, making this very nontrivial. Non-immutable OSs generally store this information in either the initramfs, root filesystem, or kernel command line. However, with signed UKIs and dm-verity both the initramfs and root filesystem are provided by the OS vendor and can't be changed. This means that one must load the user data partition to be able to read any data one has stored on disk, but one must read data stored by the installer to find the user data partition. Circular dependency, whoops. What is the standard solution to this problem, if any? The only one I have come up with is UEFI variable storage, but I'm curious if there are others. -- Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
