> On Di, 05.04.22 17:38, Chris Murphy (lists(a)colorremedies.com) wrote: > > > Let me stress one thing though: Fedora *has* *no* working SecureBoot > implementation. The initrd is not authenticated. It has no signatures, > nothing. > > By disabling SecureBoot you effectively lose exactly nothing in terms > of security right now. > > What good is a trusted boot loader or kernel if it then goes on > loading an initrd that is not authenticated, super easy to modify (I > mean, seriously, any idiot script kiddie can unpack a cpio, add some > shell script and pack it up again, replacing the original one) – and > it's the component that actually reads your FDE LUKS password. > > I mean, let's not pretend unsigned drivers were a big issue for > security right now. They are now, we have much much much wider gaping > holes in our stack. > > Lennart > > -- > Lennart Poettering, Berlin To achieve such feature(SecureBoot signer Unified Images) I've had to make some hack'ish scripts to run dracut a second time glueing all together and signing it, after generating the initrd inside /boot: - https://nwildner.com/posts/2021-04-10-secureboot-fedora/ Not proud of it, but it works(and I have cmdline + initrd + kernel + modules all signed as a bundle). This could be the spark of a package idea for Unified images nwildner _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure