On So, 19.06.22 20:54, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote: > Use unified kernel images by default for new releases. This can > allow for the local installation to sign the kernel and the initrd, > so the boot chain can be verified until after the uefi. Currently, > the initrd can be modified by attackers, so even if the / partition > is encrypted, the systems data can be read on the next boot. If the > kernel image, which includes the command line, and the initrd, is > signed then it is harder to comprimise the system. The system can > still be comprimised if the uefi is modified. > > If this was used, then the kernel could no longer be signed in the > package by the fedora infrastructure. To still support secure boot, > the kernel image would have to be signed be key stored on disk on > every update. If the disk is encrypted, the private key can still be > protected from attackers. On installation, or update for existing > installs, a public/private keypair would be generated, and trusted > by the shim. > > This has a few problems, if the root user is hacked, then the kernel > can be tampered with. But this is not a very big problem because if > the root user is hacked, then for example systemd can be changed, > secure boot will not protect you. It will also mean that if the user > want to modify the kernel command line or initrd, they have to > regenerate the entire kernel image. This can also break some users > install, if they use a non-default boot process, or have a buggy > uefi implementation. For non-uefi architectures, this change could > be ignored. I do think it would make a lot of sense for Fedora to adopt unified kernels. However I think the initrd should be built on fedora infra and signed with fedora keys by default. We have been working on building tools and filling gaps to make that workable reasonably in systemd upstream, and with a focus on Fedora. The difficulty is in both being able to prebuild everything but also keeping things somewhat modular and parameterizable. Because right now those are the primary reasons initrds are built on the installed host instead of Fedora: they contain local configuration and drivers. If we prebuild everything we must have model to replace these parts, without compromising security, and that's not rivial. Zbigniew and I intend to present our ideas and tools about that at Linux Plumbers this year. Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure