I am trying to install OpenSuSE Tumbleweed on a system with encrypted root partition. At first I tried to set up GRUB, but it refused to recognize a LUKS-encrypted partition.

Currently I am trying to use a unified kernel image which signs both the kernel and the initrd with a Secure Boot key to prevent tampering. Debian has sicherboot for that purpose, Arch has sbupdate.

Dracut, the initrd used in SUSE, also seems to have this functionality built in. Unfortunately, the dracut postinstall script (present in /usr/lib/module-init-tools/regenerate-initrd-posttrans and reproduced below) seems to hardcode the dracut command line. Is there any other way to automate generation of unified kernel images after RPM updates?

```sh
#!/bin/sh
#
# Packages that install kernels or kernel-modules create a flag
#
#   /run/regenerate-initrd/<kernel image>
#
# to have the initrd for <kernel image> generated, or
#
#   /run/regenerate-initrd/all
#
# to have all initrds generated. This script is called from posttrans
# and takes care of generating the initrds

: ${DRACUT:=/usr/bin/dracut}
if [ ! -x "$DRACUT" ]; then
    echo "${0##*/}: dracut is not installed, not rebuilding the initrd" >&2
    exit 0
fi

dir=/run/regenerate-initrd

if ! test -d "$dir"; then
    exit 0
fi
for f in "$dir"/*; do
    case $f in
    "$dir/*")
        # the glob did not match anything: no flags, nothing to do
        [ -e "$f" ] || break;;
    esac
    # check if we are in a build chroot
    if ! [ -f /etc/fstab -a ! -e /.buildenv -a -x "$DRACUT" ] ; then
        echo "Please run \"$DRACUT -f --regenerate-all\" as soon as your system is complete." >&2
        rm "$dir"/*
        exit 0
    fi
    break
done

if test -e "$dir/all"; then
    rm "$dir"/*
    "$DRACUT" -f --regenerate-all
    exit
fi
err=0
for f in "$dir"/*; do
    case $f in
    "$dir/*")
        [ -e "$f" ] || break;;
    esac
    rm "$f"
    # flag name is the kernel image name, e.g. vmlinuz-<kver>
    image=${f##*/}
    kver=${image#*-}
    if ! test -e "/boot/$image"; then
        echo "$0: /boot/$image does not exist, initrd won't be generated"
        continue
    fi
    if ! "$DRACUT" -f "/boot/initrd-$kver" "$kver"; then
        err=$?
    fi
done
exit $err
```

kinokijuf
  • 8,364

1 Answer

It seems adding uefi="yes" to dracut.conf causes Dracut to produce unified images on the EFI partition (in the location expected by systemd-boot), which should solve the issue [I haven't had the time to check this yet]

kinokijuf
  • 8,364
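Building on the uefi="yes" suggestion, here is an added example (not from either post and not dracut's own code) of a drop-in for /etc/dracut.conf.d that the unchanged posttrans script will pick up, plus a sanity check of that drop-in before the next kernel update triggers it. The cert/key paths and the 90-uki.conf file name are assumptions; use the db certificate and key you enrolled for Secure Boot.

```sh
#!/bin/sh
# Added example, not from the question or answer above and not part of dracut.
# dracut reads every *.conf in /etc/dracut.conf.d on each run, so the
# hardcoded "dracut -f /boot/initrd-$kver $kver" line needs no change.

# Write the drop-in. $1 is the dracut.conf.d directory (a parameter so the
# function can be exercised in a scratch directory), $2/$3 the signing cert
# and private key (assumed paths, e.g. /etc/secureboot/db.crt and db.key),
# $4 the command line to embed in the UKI's .cmdline section.
write_uki_dropin() {
    dir=$1 cert=$2 key=$3 cmdline=$4
    cat > "$dir/90-uki.conf" <<EOF
uefi="yes"
uefi_secureboot_cert="$cert"
uefi_secureboot_key="$key"
kernel_cmdline="$cmdline"
EOF
}

# Check a drop-in: UKI mode must be on, cert and key must exist, and the
# private key must not be group- or world-readable, because anyone who can
# read it can sign a kernel that the firmware will accept.
check_uki_dropin() {
    file=$1
    (
        . "$file"
        [ "$uefi" = yes ] \
            || { echo "$file: uefi is not \"yes\"" >&2; exit 1; }
        [ -r "$uefi_secureboot_cert" ] \
            || { echo "$file: cert $uefi_secureboot_cert not readable" >&2; exit 1; }
        [ -r "$uefi_secureboot_key" ] \
            || { echo "$file: key $uefi_secureboot_key not readable" >&2; exit 1; }
        loose=$(find "$uefi_secureboot_key" -prune \( -perm -004 -o -perm -040 \))
        [ -z "$loose" ] \
            || { echo "$file: key $uefi_secureboot_key is readable by group/others" >&2; exit 1; }
    )
}
```

Note that dracut only picks the systemd-boot location itself when it is given no output file; the posttrans script above always passes /boot/initrd-<kver>, so check where the image actually lands after the first update.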