# Frequently Asked Questions

### Why not support filesystem X or feature Y? (e.g. LUKS, LVM)

The idea with Limine is to remove the responsibility of parsing filesystems and
formats, aside from the bare minimum necessities (e.g. FAT*, ISO9660), from the
bootloader itself. It is a needless duplication of effort to have bootloaders
support all possible filesystems and formats, and it leads to massive, bloated
bootloaders as a result (e.g. GRUB2).

What is needed is simply to make sure the bootloader is capable of reading its
own files and configuration, and of loading kernel/module files from disk.
The kernel should be responsible for parsing everything else as it sees fit.

### What about LUKS? What about security? Encrypt the kernel!

Simply put, this is unnecessary. Putting the kernel/modules in a readable FAT32
partition and letting Limine know about their BLAKE2B checksums in the config
file provides as much security as encrypting the kernel does.

### What if a malicious actor modifies the config file?

While this is a pointless effort on legacy x86 BIOS, it is a reasonable
expectation to secure the boot sequence on UEFI systems with Secure Boot.
Limine provides a way to modify its own EFI executable to bake in the BLAKE2B
checksum of the config file itself. The EFI executable can then get signed with
a key added to the firmware's keychain. This prevents modifications to the
config file (and in turn the checksums contained there) from going unnoticed.

Additionally, when UEFI Secure Boot is active **and** a config checksum has
been enrolled, Limine enforces that all loaded files have BLAKE2B hashes in
their paths, and disables the config editor. Enrolling a checksum is the
explicit opt-in to this hardening; without one, Secure Boot enforcement is
not applied. See [USAGE.md](USAGE.md) for details.
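
An added example (not part of the Limine documentation or code base): a Python audit that checks each file path in a config against the BLAKE2B hash suffixed to it and flags paths that carry no hash, which the hardened mode described above would not accept. The `key: value` config layout, the `resource():/path#hash` form, the 64-byte digest size, and the function names are assumptions made for this sketch; USAGE.md is the authority on the exact syntax.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed line form: "<...>path: <resource>(<args>):/<file>[#<blake2b hex>]"
PATH_LINE = re.compile(r"^\s*\w*path\s*:\s*\w+\([^)]*\):(/[^#\s]+)(?:#([0-9a-fA-F]+))?\s*$")

def blake2b_hex(path):
    """BLAKE2B digest of a file (64-byte output, the `b2sum` default)."""
    return hashlib.blake2b(Path(path).read_bytes()).hexdigest()

def audit_config(config_text, boot_root):
    """Return [(path, status)]; status is ok, mismatch, unhashed or missing."""
    results = []
    for line in config_text.splitlines():
        m = PATH_LINE.match(line)
        if not m:
            continue
        rel, expected = m.groups()
        target = Path(boot_root) / rel.lstrip("/")
        if not target.is_file():
            status = "missing"
        elif expected is None:
            status = "unhashed"  # nothing pins this file's contents
        elif blake2b_hex(target) == expected.lower():
            status = "ok"
        else:
            status = "mismatch"
        results.append((rel, status))
    return results

def demo():
    """Constructed sample files and config; audits before and after a file changes."""
    with tempfile.TemporaryDirectory() as root:
        kernel = Path(root, "boot", "kernel")
        kernel.parent.mkdir()
        kernel.write_bytes(b"constructed kernel image")
        Path(root, "boot", "initramfs").write_bytes(b"constructed initramfs")
        conf = ("/Example\n    protocol: linux\n"
                f"    path: boot():/boot/kernel#{blake2b_hex(kernel)}\n"
                "    module_path: boot():/boot/initramfs\n")
        before = audit_config(conf, root)
        kernel.write_bytes(b"modified kernel image")
        after = audit_config(conf, root)
        # Digest of the config text itself: the checksum the FAQ says is baked in.
        return before, after, hashlib.blake2b(conf.encode()).hexdigest()

if __name__ == "__main__":
    print(demo())
```

Run against a mounted boot partition, `audit_config(Path(conf_file).read_text(), mount_point)` lists every file whose contents no longer match the config, plus every entry that would need a hash added before a config checksum is enrolled.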

### I do not want to have a separate FAT boot partition! What can I do?

It is `$year_following_2012` now and most PCs are equipped with UEFI and simply
won't boot without a FAT EFI system partition anyway.
It is not unreasonable to share the EFI system partition with the OS's /boot
and store kernels, initramfses, and any other files needed for boot there.