Re: [PATCH 0/3] pre-generated initrd and unified kernels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hey Gerd,

Thanks for this changeset.

On 8/31/22 08:46, Gerd Hoffmann wrote:

   Hi,

Here is a little patch series to kick off a discussion on pre-generated
initrd images and unified kernels.  Lets start with a description of the
patches:

   Patch #1 adds a dracut config file, targeting virtual machines.  Given
   that most physical machines have either sata or nvme disks these days
   it probably boots most physical systems too.
No critical objections from me, however, just a few long-term questions about this approach.
How are you going to prevent feature-creep in the initrd? What happens when someone asks us to include "driver X" in this general initrd? How do we determine whether or "driver X" is or is not appropriate for inclusion? 



   Patch #2 adds a sub-package with an initrd image.

   Patch #3 adds a sub-package with an unified kernel.
These will be built all the time. I'm worried about storage, etc., when adding new sub-packages. Having said that, I do really like the idea ;) and would definitely argue that it is worth it. 



The goal is to move away from initrd images being generated on the
installed machine.  They are generated while building the kernel package
instead.  Main motivation for this move is to make the distro more
robust and more secure.



Completely agreed and a great goal.


When shipping the initrd as rpm it is possible to check it with the
usual tools ('rpm --verify' for example).  TPM measurements are much
more useful because it is possible to pre-calculate the PCR values for a
given kernel version.

When shipping a unified kernel image (containing kernel, initrd, cmdline
and signature) we get the additional benefit that the initrd is covered
by the signature so secure boot will actually be secure.


Thanks again,

P.
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux