I've set up a self-signed rEFInd and Linux kernel. The problem is that intel-ucode and initramfs reside on /boot, which is an unencrypted FAT32 ESP filesystem - UEFI specific.
How can I secure my initramfs and intel-ucode?
One option is to make the kernel check them against the key or load them from the LUKS-encrypted root filesystem (ext4), which I don't know is possible.
The other option is to make the kernel check their signatures, which I also don't know is possible.