On 2016-04-08, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> Doing this well involves knowing what the expected values are to begin
> with. Some of these values come from the firmware, and so we can't do
> much about them without the assistance of the system vendors. But these
> values don't tend to change over the course of a system's lifetime
> (unless you update the firmware), so it's much easier to do something
> about that. Other components *do* change over time as we update grub or
> the kernel, and it's immensely helpful to be able to identify these
> ahead of time.
>
> In CoreOS we've started shipping bundles of the expected PCR values with
> each release. I'd like to start exploring how to do the same in Fedora.
> Things are much easier in CoreOS since we don't ship individual OS
> components, and so the values are very much tied to OS releases - in
> Fedora they'd mostly be associated with individual packages. It'd be
> easy to bundle the values in with the packages themselves, but that's
> harder for admins to extract. A central location to publish this kind of
> metadata would be ideal.
>

I'm curious how you would predict the hash of the initramfs, because it is generated on the host and depends on the dracut configuration and the presence of various optionally installed packages.

--
Petr
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
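As an added example, not part of this thread and not CoreOS or Fedora tooling, the Python below models how an "expected PCR values" bundle is derived and where the initramfs question bites. A verifier predicts a PCR by replaying the ordered measurements with TPM 2.0 extend semantics (PCR' = SHA-256(PCR || digest), starting from all zeros). Components whose bytes are fixed at build time (firmware, grub, kernel) can have their digests published ahead of time; an initramfs built on the host by dracut cannot, so its digest has to reach the verifier some other way (for instance recorded per host at install time) or that PCR is not predictable from packages alone. The PCR index assignment, the stand-in `generate_initramfs` function and every blob and digest here are constructed assumptions for the demonstration.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example: a simplified measured-boot model, not Fedora's or CoreOS's
# own code. All artefacts below are constructed inline for the demo.

PCR_SIZE = 32               # SHA-256 bank
PCR_INIT = bytes(PCR_SIZE)  # resettable PCRs start at all zeros

# Assumed PCR-to-component assignment for this model (hypothetical; a real
# boot chain's assignment depends on firmware, shim and grub behaviour).
PCR_OF = {"firmware": 0, "grub": 4, "kernel": 9, "initramfs": 9}
BOOT_ORDER = ["firmware", "grub", "kernel", "initramfs"]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend semantics for the SHA-256 bank: PCR' = H(PCR || digest)."""
    assert len(pcr) == PCR_SIZE and len(digest) == PCR_SIZE
    return sha256(pcr + digest)


def replay(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Predict final PCR values from an ordered list of (pcr_index, digest) events."""
    pcrs: Dict[int, bytes] = {}
    for idx, digest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


# Constructed "shipped" artefacts whose bytes are fixed at build time, so a
# vendor or distro could publish their digests with the release or package.
SHIPPED = {
    "firmware": b"vendor-firmware-build-1",
    "grub": b"grub2-package-build-1",
    "kernel": b"kernel-package-build-1",
}
PUBLISHED_DIGESTS = {name: sha256(blob) for name, blob in SHIPPED.items()}


def generate_initramfs(dracut_conf: str, installed_optional: List[str]) -> bytes:
    """Stand-in for dracut (hypothetical): output depends on local config
    and on which optional packages happen to be installed on this host."""
    parts = [dracut_conf.encode()] + [p.encode() for p in sorted(installed_optional)]
    return b"\n".join(parts)


def boot_events(initramfs: bytes) -> List[Tuple[int, bytes]]:
    """The measurement log one host produces when booting the shipped
    components plus its own locally generated initramfs."""
    blobs = dict(SHIPPED, initramfs=initramfs)
    return [(PCR_OF[name], sha256(blobs[name])) for name in BOOT_ORDER]


def predict_from_bundle(host_initramfs_digest: bytes) -> Dict[int, bytes]:
    """What a verifier can predict: published digests plus the one input it
    can only learn from the host itself (the initramfs digest)."""
    digests = dict(PUBLISHED_DIGESTS, initramfs=host_initramfs_digest)
    return replay([(PCR_OF[n], digests[n]) for n in BOOT_ORDER])


def check_boot(actual_pcrs: Dict[int, bytes], host_initramfs_digest: bytes) -> Dict[int, bool]:
    """Compare quoted PCR values with the prediction. A mismatch identifies
    the PCR, not which measurement inside it diverged; for that you need
    the event log."""
    expected = predict_from_bundle(host_initramfs_digest)
    return {idx: actual_pcrs.get(idx) == val for idx, val in expected.items()}


if __name__ == "__main__":
    # Two hosts with identical packages but a different set of optional
    # packages installed: PCR 0 and 4 agree, PCR 9 does not.
    host_a = generate_initramfs("compress=xz", ["lvm2"])
    host_b = generate_initramfs("compress=xz", ["lvm2", "iscsi-initiator-utils"])
    pcrs_a = replay(boot_events(host_a))
    pcrs_b = replay(boot_events(host_b))
    for idx in sorted(pcrs_a):
        print(f"PCR {idx}: host A == host B? {pcrs_a[idx] == pcrs_b[idx]}")
    print("host A verified with its own initramfs digest:", check_boot(pcrs_a, sha256(host_a)))
    print("host B verified with host A's initramfs digest:", check_boot(pcrs_b, sha256(host_a)))
```

The design choice worth noting is that `predict_from_bundle` takes the initramfs digest as an explicit parameter rather than looking it up in the published bundle: that is exactly the value no central metadata location can supply, so the verification policy has to decide separately how it trusts that input.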