On Mo, 04.07.22 04:19, Demi Marie Obenour (demiobenour@xxxxxxxxx) wrote:

> On 7/4/22 04:13, Lennart Poettering wrote:
> > On Fr, 01.07.22 08:30, Gerd Hoffmann (kraxel@xxxxxxxxxx) wrote:
> >
> >>> I do wonder if it's possible to use multiple initrds, and maybe have
> >>> the firmware in a separate initrd shared between all installed kernels
> >>> if we go down this route.
> >>
> >> grub supports multiple initrds just fine. According to
> >> https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault grub
> >> supports multiple initrd files also with bls. That seems to be a
> >> derivation from the original boot loader spec though, so not sure this
> >> works with systemd-boot too.
> >>
> >> When going for multiple initrds the best approach is probably to simply
> >> split out the kernel modules into a version-specific initrd and store
> >> everything else in another, shared initrd.
> >
> > In the approach Zbigniew and I are working on we intend to build a
> > basic initrd into the kernel itself (i.e. in a unified kernel logic)
> > and then optionally load additional initrd images that can be
> > placed next to the kernel image and are picked up by the EFI stub
> > (i.e. by the EFI code that runs as part of the kernel when it runs in
> > EFI mode still, before we transition to Linux mode, i.e. where all the
> > EFI file systems are still accessible), and are passed to kernel,
> > measured and then very early on overlaid on top of the basic initrd
> > image (i.e. in an immutable overlayfs stack).
> >
> > In such an approach the basic initrd would be able to just boot 90% of
> > the systems, and for the other 10% we'd just add a couple of extension
> > images next to the kernel image, and that's it.
> >
> > (the extension images would be signed dm-verity squashfs, to ensure
> > everything is authenticated)
>
> Would the extension images also be measured into the TPM?

Yes, precisely. Sorted alphabetically, and then measured.

(And in fact, picked up by IMA too, because dm-verity is nowadays picked up by it, iirc).

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
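The ordering rule above (extension images sorted by name, then measured) is what makes the resulting PCR value predictable for a sealing policy. The following is an added illustration, not code from this thread or from systemd: it simulates a SHA-256 PCR extend chain over constructed stand-in images and shows that the value depends on measurement order and on every image's contents. It assumes the stub measures the raw image contents; the real event-log record format is not modelled.

```python
import hashlib

# Constructed sample: stand-ins for extension images placed next to the
# kernel image on the ESP. Contents are made up, not real squashfs data.
SAMPLE_EXTENSIONS = {
    "firmware.raw": b"constructed firmware extension image",
    "drivers-nvidia.raw": b"constructed driver extension image",
    "debug-tools.raw": b"constructed debug tools extension image",
}

PCR_INITIAL = bytes(32)  # a SHA-256 PCR bank starts zeroed at boot


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 2.0 style extend: new = SHA256(old || SHA256(data))."""
    digest = hashlib.sha256(data).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_in_order(images: dict, order: list, pcr: bytes = PCR_INITIAL) -> bytes:
    """Extend the PCR with each named image in the given order."""
    for name in order:
        pcr = pcr_extend(pcr, images[name])
    return pcr


def measure_extensions(images: dict) -> bytes:
    """Measure the way the thread describes: sorted alphabetically by name.

    Because the order is fixed, the final PCR value can be precomputed
    offline from the image files alone (e.g. to build a sealing policy).
    """
    return measure_in_order(images, sorted(images))


def expected_pcr_hex(images: dict) -> str:
    """Hex form of the predicted PCR value for a given set of images."""
    return measure_extensions(images).hex()


if __name__ == "__main__":
    print("predicted PCR:", expected_pcr_hex(SAMPLE_EXTENSIONS))
    tampered = dict(SAMPLE_EXTENSIONS)
    tampered["firmware.raw"] += b"\x00"  # one byte changed in one image
    print("tampered PCR: ", expected_pcr_hex(tampered))
```

Swapping the measurement order, or altering any single image, yields a different PCR value, which is why a fixed (alphabetical) order is a prerequisite for sealing secrets against it.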