Exec, 10 months ago (edited 10 months ago)

Follow the Arch wiki. Just make sure that your distro has a hook for the package manager for signing the kernel. Eg. for Arch there’s the systemd-boot-pacman-hook aur package.
It’s not hard to set it up with a LUKS-enabled system, just put the relevant kernel parameters in your /esp/loader/entries/entry.conf file.
For example, here’s my arch.conf entry (with LVM on LUKS):

<span style="color:#323232;">title    Arch Linux
</span><span style="color:#323232;">linux   /vmlinuz-linux
</span><span style="color:#323232;">initrd  /intel-ucode.img
</span><span style="color:#323232;">initrd  /initramfs-linux.img
</span><span style="color:#323232;">options loglevel=2 quiet splash cryptdevice=PARTLABEL=partlabel-from-blkid:pvname root=/dev/mapper/rootlvname rw  
</span>

If your keys are already enrolled, you can just use sbctl sign-all once, your package manager hook should do the rest.

Overall, the general directory structure should look like this in the end (files omitted):

<span style="color:#323232;">/boot
</span><span style="color:#323232;">├── initramfs-linux-fallback.img
</span><span style="color:#323232;">├── initramfs-linux.img
</span><span style="color:#323232;">├── intel-ucode.img
</span><span style="color:#323232;">├── loader
</span><span style="color:#323232;">│   ├── entries
</span><span style="color:#323232;">│   │   ├── arch.conf
</span><span style="color:#323232;">│   │   └── arch-fallback.conf
</span><span style="color:#323232;">│   ├── entries.srel
</span><span style="color:#323232;">│   ├── loader.conf
</span><span style="color:#323232;">│   └── random-seed
</span><span style="color:#323232;">└── vmlinuz-linux
</span>