Hello,
My project is to encrypt the whole rootfs partition (/boot included). In this case the /boot partition needs to be elsewhere or not used (preferred). I can boot the kernel from another location, but my last step is to manage the INITRD /boot/initrd. Actually I am stuck here.
Question 1: If I remove the LINUX entry from extlinux.conf, will the kernel image be loaded from the kernel partition, because CBoot scans and reads the extlinux.conf file, and can I use Secure Boot? Am I right?
Question 2:
If I want to use Secure Boot, can I delete the extlinux.conf file from the /boot (rootfs) folder instead of just removing the LINUX entry from this file? That way extlinux.conf can't be read and booting from the special kernel/dtb partitions occurs? But then the INITRD /boot/initrd will be missing? Do I have to keep /boot in /dev/mmcblk0p1 because CBoot uses the first partition to boot, so I need to move my rootfs elsewhere?
Question 3:
In the case of Secure Boot, booting from the special partition, how do I manage the initrd present in /boot? Do we need to keep initrd.img in /boot? And will it not be signed and encrypted? In fact, can I remove the entire /boot folder because it will not be used in Secure Boot due to loading from the special partitions? (In my case /boot will be encrypted by my own with dm-crypt, so /boot can't be used anymore.)
Question 4:
I read a lot of docs and I see that the kernel-dtb needs to be signed to be used with Secure Boot (and I see a .sig file in the same folder), but I can't read anywhere that the kernel and dtb are also encrypted by the flash.sh script like you explained to me. Do you have references (docs etc.)? Other partitions, when encrypted, have an encrypted file extension. If it is encrypted on the fly by flash.sh, I can't see that in the script?
Thank you so much.
Julien.