Re: Producing verifiable initramfs images
This is not a disagreement with anything you write.
I've noticed that there is a lot more configuration that gets encoded in
the initramfs than I thought.
The most surprising for me is that if you want to control the names of
network devices or anything else set by the .link file,
that ends up needing to go on the initramfs, because udevd will set up
network devices even if they are not needed to find the root.
Unfortunately, that means that initramfs udev configuration (including
/etc/systemd/network/*.link) tends to need to be on the initramfs.
I realize you only gave crypttab as an example, but the set of initramfs
configuration is larger than I at least expected.