> On Di, 05.04.22 17:38, Chris Murphy (lists(a)colorremedies.com) wrote:
>
>
> Let me stress one thing though: Fedora *has* *no* working SecureBoot
> implementation. The initrd is not authenticated. It has no signatures,
> nothing.
>
> By disabling SecureBoot you effectively lose exactly nothing in terms
> of security right now.
>
> What good is a trusted boot loader or kernel if it then goes on
> loading an initrd that is not authenticated, super easy to modify (I
> mean, seriously, any idiot script kiddie can unpack a cpio, add some
> shell script and pack it up again, replacing the original one) – and
> it's the component that actually reads your FDE LUKS password.
>
> I mean, let's not pretend unsigned drivers were a big issue for
> security right now. They are now, we have much much much wider gaping
> holes in our stack.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
To achieve such feature(SecureBoot signer Unified Images) I've had to make some hack'ish scripts to run dracut a second time glueing all together and signing it, after generating the initrd inside /boot:
- https://nwildner.com/posts/2021-04-10-secureboot-fedora/
Not proud of it, but it works(and I have cmdline + initrd + kernel + modules all signed as a bundle).
This could be the spark of a package idea for Unified images
nwildner
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
