User:Neitsab
Computer enthusiast from France, proud ArchWiki Maintainer, you can hit me up via e-mail or on my talk page for any comments or questions. You can also find me on GitHub.
Languages:
- English
- français
Interests
From my contributions, you can see I am pretty interested in:
- security and cryptography in general: device encryption, SSH, Secure Boot...
- filesystems and storage. In the past: LVM, ext4; currently: Btrfs and XFS.
- SSD and NVMe optimizations like discard/TRIM and memory cell clearing.
Highlights
Things I think deserve to be more publicized:
2020
"Stateless" boot with systemd-gpt-auto-generator
It is surprisingly easy to get a basic fully encrypted config to boot without /etc/fstab or kernel parameters using Systemd#GPT_partition_automounting; the drawback is that we cannot easily specify mount options, be it for the LUKS container or the root fs: see my post on the systemd mailing list.
Secure Boot easiness
Secure Boot is actually pretty easy to implement in the Secure Boot#Using your own keys configuration. Once the firmware is put in "Setup mode", all I had to do was (as root):
mkdir /etc/efi-keys
cd !$
curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x ./mkkeys.sh
./mkkeys.sh   # generates the PK, KEK and DB key pairs and the *.auth files copied below (this call was missing from the listing)
# install sbupdate-git from AUR
cat << EOF >> /etc/sbupdate.conf
ESP_DIR="/efi"
OUT_DIR="EFI/Linux"
EXTRA_SIGN=('/efi/EFI/BOOT/BOOTX64.EFI' '/efi/EFI/systemd/systemd-bootx64.efi') # only needed if using systemd-boot
CMDLINE_DEFAULT="<your kernel cmdline here>"
EOF
sbupdate
mkdir -p /etc/secureboot/keys/{db,PK,KEK}
cp /etc/efi-keys/DB.auth /etc/secureboot/keys/db/
cp /etc/efi-keys/PK.auth /etc/secureboot/keys/PK/
cp /etc/efi-keys/KEK.auth /etc/secureboot/keys/KEK/
sbkeysync --verbose        # enrol db and KEK first
sbkeysync --verbose --pk   # enrolling the PK last takes the firmware out of Setup Mode
And reboot. Note that this setup uses systemd-boot with the ESP mounted on /efi, but direct UEFI loading would only require another step to create the correct UEFI boot entry with efibootmgr. Pretty neat!
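A post-reboot check I would add, written here as an added example rather than one of the page's own commands: it reads the SecureBoot and SetupMode variables straight from efivarfs, then runs sbverify (from sbsigntools) against the DB certificate. The efivarfs path, the DB.crt name mkkeys.sh produces, and the image paths from the listing above are assumptions.

```shell
#!/bin/sh
# Added check (not the page's own commands): after the reboot, confirm the
# firmware enforces Secure Boot and left Setup Mode, then confirm that every
# EFI binary sbupdate wrote or signed verifies against the enrolled DB cert.
# Assumed: efivarfs at /sys/firmware/efi/efivars, DB.crt as mkkeys.sh names it.

EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"
DB_CERT="${DB_CERT:-/etc/efi-keys/DB.crt}"

# An efivarfs file is 4 bytes of attributes followed by the variable data;
# SecureBoot and SetupMode hold one byte, so print byte 5 as "0" or "1".
efivar_bool() {
    [ -r "$1" ] || return 1
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' '
}

check_boot_state() {
    sb=$(efivar_bool "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID") || return 1
    sm=$(efivar_bool "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID") || return 1
    if [ "$sb" = 1 ] && [ "$sm" = 0 ]; then
        echo "Secure Boot enforced, Setup Mode off"
        return 0
    fi
    echo "NOT enforced: SecureBoot=$sb SetupMode=$sm" >&2
    return 1
}

# sbverify fails on an unsigned image or on one signed by a key other than
# the given certificate; stop at the first such image.
check_images() {
    cert="$1"; shift
    for img in "$@"; do
        sbverify --cert "$cert" "$img" >/dev/null 2>&1 \
            || { echo "FAIL: $img" >&2; return 1; }
        echo "ok: $img"
    done
}

main() {
    check_boot_state || exit 1
    check_images "$DB_CERT" /efi/EFI/Linux/*.efi \
        /efi/EFI/BOOT/BOOTX64.EFI /efi/EFI/systemd/systemd-bootx64.efi
}

# Only run when invoked as `sh sbcheck.sh run`, so the functions can also be
# sourced without touching the firmware variables.
if [ "${1:-}" = run ]; then main; fi
```

Run it as root with `sh sbcheck.sh run`; a non-zero exit means either the firmware is still in Setup Mode (the PK did not enrol) or one of the listed images is not signed by your DB key.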
old
- /boot encryption is now possible for machines you locally access if you use GRUB
- encrypt your servers/headless machines too: you can remotely unlock them via SSH!
- LVM: how to resize logical volumes and their filesystems in one step
- ext4's bytes-per-inode ratio helps save space on large file systems
- TRIM: stop using the discard mount option!!
Todo (2020)
- Btrfs: add more details about filesystem creation options and mount options: hash algorithm, compression options and levels, async discard, autodefrag...
- XFS: follow a more standard article structure (like adding a "Creation" section!!) and clean up the "wiki style" non-compliant bits: done
- TPM: flesh out the TPM#Using TPM 2.0 section. WIP
- LVM: incorporate LVM thin instructions... Maybe.