On Fri, Jul 01, 2022 at 08:30:21AM +0200, Gerd Hoffmann wrote: > On Fri, Jul 01, 2022 at 06:39:41AM +1000, David Airlie wrote: > > I do wonder if it's possible to use multiple initrds, and maybe have > > the firmware in a separate initrd shared between all installed kernels > > if we go down this route. > > grub supports multiple initrds just fine. According to > https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault grub > supports multiple initrd files also with bls. That seems to be a > derivation from the original boot loader spec though, so not sure this > works with systemd-boot too. > > When going for multiple initrds the best approach is probably to simply > split out the kernel modules into a version-specific initrd and store > everything else in another, shared initrd. That doesn't help much though if we want have a unified kernel image (aka single efi binary with kernel + initrd) to get the initrd signed that way. Hmm. Are there any existing approaches to sign initrds? grub seems to support detached gpg signatures. Doesn't look that attractive given that the whole secure boot process uses x509 instead so using gpg would require maintaining yet another key ... take care, Gerd _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure