This critically depends on the initrd being non-manipulated.
Of course, you cannot use the initrd to verify a signature
on the initrd securely ...

Regards,
Arno

On Sat, Jun 20, 2020 at 19:26:32 CEST, JT Morée wrote:
> I'm working through a setup right now and documenting at
> https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/kubuntu-20-04
>
> I am using the smartcard to unlock root during the boot process. This is
> done by the kernel and initrd using out of the box tools and processes.
>
> In this setup /boot is in the clear and I have some ideas for signing the
> kernel+initrd with the smart card, then verifying on boot. Will update
> the link if I get that working.
>

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt