Christopher Prevoe

Why Unified Kernel Images Matter for Modernizing Boot Security

To prepare for redoing my main desktop machine, I decided to look into how to automatically (and safely) decrypt LUKS2 with a TPM in Ubuntu. My research and experimentation showed that it is doable, it just requires a sizable delve down a rabbit hole involving the linux boot process.

A complicated deep dive offering to teach me more about systems I've lived in for years? Count me in. Suit up. Let's Go! I did the research, experimented in a VM, and came up with something that works. In combination with my normal non-standard installation, I called the result Ubuntu The Hard Way and turned it into a technical demo and tutorial.

The resulting video is dense. I highly recommend keeping a finger on pause if the desire to follow along takes you.

The video shows a lot of the details, but here are some highlights.

The Linux Boot Process

GRUB has been the dominant Linux bootloader for years. When I was first experimenting with Ubuntu, it was there and provided this wonderful menu where you could choose your OS. Eventually GRUB stopped enabling os-prober by default. Recently, GRUB is present, but isn't even shown most of the time.

UEFI came out, and new booting techniques were available. Secureboot and Trusted Platform Modules changed the security guarantees the hardware could provide. GRUB remained the de facto standard but I haven't seen any motion to support those new guarantees. I know that secureboot and TPMs have gotten a bad rap due to the way some companies have pushed them, and I'm sure this caused some reluctance to move on them. Adoption is a human activity after all.

UEFI feeds what it reads to secureboot and to the TPM. Secureboot validates that the binary was not modified using cryptographic signatures who's public certs are stored in a firmware keystore. Some of these keys will expire in June 2026 and for devices which are not receiving new firmware updates due to age and/or dropped support, Windows will no longer be an easy option for them.

The TPM "measures" things it is provided. I visualize this as the TPM using the results like the combination to a lock, and only when the combination is correct will it "open" and allow secrets registered with that combination to be revealed.

Together secureboot and the TPM create a great guard against swapping out the EFI binary, and modifying it.

With bootloaders though, the EFI only contains the bootloader. The bootloader then reads a configuration from the ESP which is not signed, and cannot be encrypted. As-is, an attacker can simply modify that configuration and hijack the boot process.

Unified Kernel Images solve this issue by taking all of the components, a bootloader shim like systemd-boot, the Initial Ram Disk (initrd), and a kernel (vmlinuz) and combining them into a single EFI binary. A single EFI binary allows secureboot (with a Platform Key installed by a user) to validate that the EFI binary is trusted. The single EFI also allows the TPM to have a complete view, including the configurations, for use as it's combination.

Bootloaders might be able to find ways to sign all of the components they load but it would be very complicated. There's always a first-mover's issue of who's registering what and when. I think Unified Kernel Images are a very elegant solution to this. Now we just need to make platform keys easy to install, and we'd have it all.

© 2026 Christopher Prevoe.
All rights reserved.
prevoe.com