What's the boot process of the Librem 14 with Heads?

I’m putting together a Gentoo system on my Librem 14, and I want to use the Librem Key to unlock the LUKS volume on boot. That part I think I have the details on, as I poked around for docs. It’s the architectural angle I’m struggling with.

Given that this is Gentoo, I’m experienced enough to know how to get out of technical problems when I have them, but it’s not totally clear to me what my boot process needs to look like, versus what the Librem 14’s PureBoot setup is like.

The way I understand it is:

  • PureBoot is forked coreboot, therefore it is the BIOS
  • PureBoot loads payloads, of which Heads is their chosen one
  • Heads supports all sorts of things like scdaemon, gpg, cryptsetup, and I think maybe LVM?
  • Heads reads GRUB configs to generate its menus, bypassing it due to kexec?

Is all of that correct? Does this process require an initramfs, or is Heads functioning as BIOS and initramfs here? This distinction is important for me because there’s a tool called genkernel in Gentoo that can generate the kernel, initramfs, and/or EFI, etc. in one script, and I don’t want to build anything that’s not needed.

Given that I’m in a Gentoo LiveUSB environment (that took recovery shell in Heads because apparently /dev/sdb alone wasn’t detected) and it took some finagling to get here, I’m averse to tweaking things and rebooting in the dark and am hoping someone can clarify the boot process the Librem 14 uses out of the box with default Heads.

Thanks for reading.

1 Like

Mostly. PureBoot uses Coreboot with Heads as the payload.

I do not explicitly know the rest of the answers, so @jonathon.hall can answer them.

1 Like

Hi @zlg, good questions 🙂

PureBoot is our branded combination of coreboot and Heads. coreboot does the hardware initialization, then hands off to the Heads payload. (coreboot can be used with other payloads as well, like SeaBIOS and EDK II (UEFI).)

Close, coreboot loads payloads, and Heads is the payload in PureBoot.

Yes, Heads includes those tools and more.

Yes, that’s right. Heads reads the GRUB configs to identify boot options, including the kernel, initrd, and command line, then kexecs into that kernel without invoking GRUB.

Your OS should still provide an initramfs. Heads loads it when kexec’ing into the OS kernel, and that initramfs needs to do its usual job of mounting root and continuing to boot from it.

Heads requires a separate, unencrypted partition for /boot; it should be able to find /boot automatically in that case. If it can’t, please let me know how your partitions are set up.

2 Likes
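The reply above says Heads takes the kernel, initrd and command line from the GRUB config and that the OS must still supply an initramfs. The following is an added example, not part of the thread and not Heads' own parser: a shell sketch that pulls those three fields from each `menuentry` and flags entries with no `initrd` line. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Heads code): extract kernel, initrd and command line
# from grub.cfg menuentries, the fields a kexec-based boot needs.

# Constructed sample config; paths are relative to a separate /boot.
sample_grub_cfg() {
cat <<'EOF'
menuentry 'Gentoo 6.6.21' --class gentoo {
    linux /vmlinuz-6.6.21-gentoo root=/dev/mapper/vg0-root ro quiet
    initrd /initramfs-6.6.21-gentoo.img
}
menuentry 'Gentoo (no initramfs)' {
    linux /vmlinuz-6.6.21-gentoo root=/dev/sda2 ro
}
EOF
}

# Reads grub.cfg on stdin; prints title|kernel|initrd|cmdline per entry.
# An empty initrd field means the entry names no initramfs.
list_boot_entries() {
    awk '
    /^[ \t]*menuentry[ \t]/ {
        title = $0
        # The title is the first quoted string (\047 is a single quote).
        if (match(title, /["\047][^"\047]*["\047]/))
            title = substr(title, RSTART + 1, RLENGTH - 2)
        kernel = ""; initrd = ""; cmdline = ""; inentry = 1
        next
    }
    inentry && $1 ~ /^linux(16|efi)?$/ {
        kernel = $2; cmdline = ""
        for (i = 3; i <= NF; i++) cmdline = cmdline (i > 3 ? " " : "") $i
        next
    }
    inentry && $1 ~ /^initrd(16|efi)?$/ { initrd = $2; next }
    inentry && /^[ \t]*}/ {
        if (kernel != "") print title "|" kernel "|" initrd "|" cmdline
        inentry = 0
    }'
}

# Reads grub.cfg on stdin; prints titles of entries lacking an initrd line.
entries_missing_initrd() {
    list_boot_entries | awk -F'|' '$3 == "" { print $1 }'
}

sample_grub_cfg | list_boot_entries
```

To check a real install, feed it the config from the mounted /boot partition, for example `list_boot_entries < /boot/grub/grub.cfg` (the path depends on the distribution).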

Thanks a lot for the clarifications, from both of you! I’ve managed to get the Heads and Librem Key portion of my install cooperating! All that’s left for me is the initramfs, which is more from the Gentoo side of things and it’s most of the way there. This had been driving me nuts for a while!

3 Likes