UPDATE: See my comment below. There is no issue – it is as easy as editing /etc/default/grub and regenerating the grub config, and then re-signing things when Heads pops up with its ZOMG warning.
I recently got a certified laptop with Heads, and everything is great, I’m very happy with it. However, I need help with how to change the [dom0] cmdline parameters used during bootup, because I would like to roughly follow this guide:
LUKS with Yubikey 2FA (chal-resp) on Qubes 4.2.0
and implement requiring both a password and my yubikey to unlock the rootfs, (after having successfully used another separate hardware key for the Heads anti-tampering / change detection).
I have extensive experience with changing boot, using grub, dracut, and Arch’s mkinitcpio, and have had many custom boot setups on other systems, and I understand how to set up the cmdline params and what to do with crypttab and fstab.
However, with this Heads computer, I’m not clear what/where the bootloader even is. By all appearances, it looks like Heads is acting both as the bios firmware and the bootloader. I can see all the Heads files in /boot/, but I am scared to modify anything, because I don’t want to get into a state where I can’t boot. (I have all my qubes backed up – getting in a non-boot state isn’t world ending, just very very annoying.)
My goal is to modify the cmdline params so that I can implement the “require yubikey+password for rootfs luks decryption” outlined in the link above, and sign this new setup with my non-yubikey hardware dingy that does the Heads validation, and have that cmdline change persist across dom0 kernel updates.
The laptop does not appear to have grub installed, although it does have dracut, but the dracut conf is completely empty. (The empty conf may be fine and normal and not indicative that dracut isn’t being used, I don’t know.)
So, TLDR: does anybody have enough knowledge about how Heads works to help me make a change to the bootup kernel cmdline?
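The procedure the UPDATE describes (edit the kernel cmdline in /etc/default/grub, regenerate grub.cfg, re-sign in Heads) as an added example, not code from the original poster or from the Heads or Qubes projects. The script only touches a constructed copy of a Fedora-style /etc/default/grub in a temp dir; `example.param=1` is a placeholder for whatever option the linked guide requires, not a real kernel or dracut parameter, and the `rd.luks.uuid` value in the sample file is made up. The helper is idempotent, so it can be re-run after a dom0 update without duplicating the parameter:

```shell
#!/usr/bin/env bash
# Added example: idempotently add or update one KEY[=VALUE] parameter in
# GRUB_CMDLINE_LINUX of a grub defaults file. Works on a copy in the demo;
# the real target on a Qubes dom0 would be /etc/default/grub (as root).
set -eu

# Usage: set_grub_cmdline_param FILE KEY[=VALUE]
# Prints the resulting GRUB_CMDLINE_LINUX line.
set_grub_cmdline_param() {
  local file="$1" param="$2"
  local key="${param%%=*}"
  # Add the variable if the file has no GRUB_CMDLINE_LINUX line at all.
  if ! grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
    printf 'GRUB_CMDLINE_LINUX=""\n' >> "$file"
  fi
  # Current value with the surrounding double quotes stripped.
  local cur
  cur=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file")
  local out="" tok seen=0
  for tok in $cur; do
    # Same key already present: replace it in place instead of appending.
    if [ "${tok%%=*}" = "$key" ]; then
      tok="$param"; seen=1
    fi
    out="${out:+$out }$tok"
  done
  [ "$seen" -eq 1 ] || out="${out:+$out }$param"
  # Rewrite the line via a temp file (portable, no sed -i). '|' is the sed
  # delimiter, so a parameter containing '|' or '&' would need escaping.
  sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$out\"|" "$file" \
    > "$file.tmp" && mv "$file.tmp" "$file"
  grep '^GRUB_CMDLINE_LINUX=' "$file"
}

# Demo on a constructed sample file; returns the final cmdline line.
demo() {
  local dir; dir=$(mktemp -d)
  # Constructed sample of a Fedora-style /etc/default/grub (dom0 is
  # Fedora-based). The luks UUID is a dummy value.
  cat > "$dir/grub" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-0000 rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
  set_grub_cmdline_param "$dir/grub" example.param=1 >/dev/null  # placeholder option
  set_grub_cmdline_param "$dir/grub" example.param=2 >/dev/null  # update, no duplicate
  set_grub_cmdline_param "$dir/grub" quiet >/dev/null            # already there: no-op
  local line; line=$(grep '^GRUB_CMDLINE_LINUX=' "$dir/grub")
  rm -rf "$dir"
  printf '%s\n' "$line"
}

# On the real machine the remaining steps, run as root in dom0, would be:
#   set_grub_cmdline_param /etc/default/grub <your-parameter>
#   grub2-mkconfig -o /boot/grub2/grub.cfg
# followed by re-signing /boot with your Heads key when Heads warns about
# the changed files at the next boot (as the UPDATE above describes).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

Because the edit lives in /etc/default/grub rather than in a hand-edited grub.cfg, a later dom0 kernel update that regenerates grub.cfg carries the parameter forward; the only recurring step is the re-signing that Heads asks for whenever the contents of /boot change.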