Preparing for a merged /usr in Debian

Posted Jan 20, 2016 9:00 UTC (Wed) by anselm (subscriber, #2796)
In reply to: Preparing for a merged /usr in Debian by walex
Parent article: Preparing for a merged /usr in Debian

Linux kernel is booted mounting /dev/sda1 as /, which contains a fully functional but "vanilla" / filesystem.

This is essentially what happens with initramfs, except that the initramfs is loaded using the boot loader/system firmware, and can in principle come from anywhere (including a remote server). Your approach forces you to have the first-stage “/” available locally as an actual file system on a storage medium, which sucks if you want to have a diskless system.

You still need to ensure that whatever is on the first-stage “/” matches the rest of the system, just like with an initramfs. The difference is that the process of making initramfses is fairly well-understood and there are good tools for it already.

Anyhow in the current practice GRUB's root (first-stage root) /boot is inside an unencrypted partition distinct from that containing / (second/third stage root) and someone could replace anyhow its contents with suitably "improved" kernel images or "initramfs" snapshot images. I know people who understand boot processes and who keep /boot (only) on a USB storage device they carry with them at all times because they reckon that an encrypted / with an unencrypted /boot is not giving them peace of mind.

Two points:

Your approach doesn't help these people because your first-stage “/” can't be encrypted either, since the Linux kernel has no way of getting at a pass phrase to decrypt the first-stage “/”. They will have to put their first-stage “/” on a removable storage device just like they do now with “/boot”.
It is quite possible for GRUB to use an encrypted “/boot” (see, e.g., here), although it is not what distributions do by default.