Installation Note.


1) NORMAL USE

The shell script "/usr/lib/secureboot/secureboot2" is started automatically
by systemd. Terminal 8 is used to ask for the password, so any getty
process on this terminal must be disabled. To disable the getty process
on terminal 8, check that the symbolic link in the directory
/etc/systemd/system/getty.target.wants has been removed.

On Ubuntu, where scripts are scheduled by upstart, the script
"/etc/init.d/secureboot2 start" must be added to "/etc/rc.local",
and to free terminal 8 for password entry the exec line in
"/etc/init/tty8.conf" has to be commented out (#).

When the user enters an incorrect password at boot, the existence of
the file "/usr/lib/secureboot/.rebootonfailure" determines whether
or not the system will reboot.

To make things easier for inexperienced users, the default is to
continue the boot process even if an incorrect password is entered.

To switch to strict mode, which reboots on failure, issue the
following commands as root:

     touch /usr/lib/secureboot/.rebootonfailure
     chmod 600 /usr/lib/secureboot/.rebootonfailure

Strict mode is useful when users' home directories are stored
on the encrypted file system and the system relies on the proper
decryption of the secure file system to function correctly. In this
case, rebooting on failure by default is advisable.


2) SHUTDOWN

With systemd, the secure file system is removed automatically by
secureboot2-halt.service when shutdown or reboot starts.

On Ubuntu, the script "/usr/lib/secureboot/secureboot2" must be called via symbolic
links in the directories /etc/rc0.d and /etc/rc6.d like this:

   #> cd /etc/rc6.d; ln -s /usr/lib/secureboot/secureboot2 S32secureboot2
   #> cd /etc/rc0.d; ln -s /usr/lib/secureboot/secureboot2 S32secureboot2
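
The settings from sections 1 and 2 can be checked after installation. The
script below is an added example, not part of secureboot2; the link name
getty@tty8.service is an assumption (systemd's usual instance naming) and
the ROOT argument is a hypothetical path prefix for checking a staged tree.

```shell
#!/bin/sh
# Added example, not part of secureboot2. ROOT is a path prefix so a staged
# tree can be checked; an empty ROOT means the live system.
# Run as: sh <this file> --audit [ROOT]

# Assumption: the tty8 getty link carries systemd's usual instance name.
GETTY_LINK=etc/systemd/system/getty.target.wants/getty@tty8.service
MARKER=usr/lib/secureboot/.rebootonfailure
SCRIPT=/usr/lib/secureboot/secureboot2

# 0 if no symlink (dangling or not) claims terminal 8 for a getty.
tty8_free() {
    [ ! -e "$1/$GETTY_LINK" ] && [ ! -L "$1/$GETTY_LINK" ]
}

# Prints permissive, strict, or strict-badperms (marker present, not mode 600).
failure_mode() {
    f="$1/$MARKER"
    if [ ! -e "$f" ]; then echo permissive; return 0; fi
    perms=$(ls -ld "$f" | cut -c1-10)
    if [ "$perms" = "-rw-------" ]; then echo strict; else echo strict-badperms; fi
}

# Ubuntu/upstart only: 0 if both runlevel links point at the real script path.
halt_links_ok() {
    for d in rc0.d rc6.d; do
        [ "$(readlink "$1/etc/$d/S32secureboot2")" = "$SCRIPT" ] || return 1
    done
}

audit() {
    tty8_free "$1" && echo "tty8: free" || echo "tty8: getty still enabled"
    echo "wrong password: $(failure_mode "$1")"
    halt_links_ok "$1" && echo "rc links: ok" \
        || echo "rc links (Ubuntu only): missing or wrong target"
}

case "${1:-}" in --audit) audit "${2:-}" ;; esac
```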



For more information see: https://senderek.ie/opensource/secureboot2


3) ADMINISTRATION

For instructions on creating new encrypted file systems, replacement and
backups, see the README file.


Senderek Web Security, Ireland.

