On Mo, 04.07.22 19:18, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote: > Even if initrds are (somehow) signed, the kernel command line can > still be modified, like adding `init=/usr/bin/bash`. Hmm? sd-stub refused any kernel cmdline passed in manually if SecureBoot is on. The kernel cmdline allows you to do pretty much anything you like with your system, hence in a locked down environment we cannot allow uncontrolled access to that. > Also, if everything is signed by fedora, then the user can not > modify the command line. There is a lot of hardware that needs > command line modifications to boot. Like what? > Also, fedora would have to revoke signatures for every vulnerable > kernel, or there is no real security. If those kernels signatures > are revoked, then they wont boot even when they are the currently > installed kernel and should be able to boot. I think as long as we get rollback protection we should be fine. i.e. after a kernel has been deemed good and working for a bit, we can automatically cut off older kernels via TPM logic after a while. (this requires implementing a TPM policy against a counter stored in the TPM. This is not implemented yet in the TPM policies systemd supports, but can be expression in TPM2 policy language.) > If there is a way for a fedora signed kernel image to > load a locally signed command line, then this would work much > better. Well, we could add that, but this would mean doing more complex TPM interactions from UEFI environment, and I'd rather not do that too much. > > However I think the initrd should be built on fedora infra > > and signed with fedora keys by default. > > What about when the user has a custom kernel module, would there be > a way for the user to use it. You can enroll multiple certificates for validation, if you like. i.e. if you want to sign your own modules, then enroll both the fedora and your own cert. You could use shim for that if you like. Or alternatively, turn off secureboot if you don't want to set up your certs, and want to load hacky modules. Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure