Dualboot (multiboot) with isolated partitions by encryption

Hi. Strong encryption is very neat form of protection - it protects from data leaks (confidentiality) and data also data manipulation (integrity).

PureOS uses “full disk encryption” by default which protects the operating system. However, the encryption is not applied to /boot partition.

To protect the /boot partition, PureBoot (Coreboot firmware with Heads) can be flashed and the integrity of the /boot partition can be verified with Librem Key.

The problem is that in dualboot (multiboot) setup, both (all) systems can modify the shared /boot partition. If one system is compromised then all systems can be compromised by malware in the shared /boot partition.

PureBoot can verify integrity of the shared /boot partition, however it is not so good as to have encrypted /boot partition.

AFAIK PureBoot does not support separate integrity verification for dualboot (multiboot) operating systems.

There are multiple theoretical setups how to implement dualboot (multiboot) with safe /boot, all of them assume that OS is encrypted with different passphrase:

  1. Install first non-encrypted /boot partition on first USB key and second non-encrypted /boot partition on second USB device. To start OS, just insert the right USB key with Librem Key. The OS can not access /boot of the other OS because it is not plugged in.
  2. Install first encrypted /boot partition on first disk and second encrypted /boot partition on second disk. To start OS, just select default disk in CoreBoot.
  3. Is there another setup?

The question is, could be PureBoot modified to support dualboot (multiboot) in any setup mentioned above?


A boot partition is a volume of the computer that contains the system files used to start the operating system . Once the boot files on the system partition have been accessed and have started the computer, the system files on the boot partition are accessed to start the operating system.
Source: https://www.sciencedirect.com/topics/computer-science/boot-partition

coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.
Source: https://github.com/coreboot/coreboot

Heads - A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops and servers.
Source: https://github.com/osresearch/heads