Kasatkin, Dmitry <dmitry.kasatkin@xxxxxxxxx> wrote: > What about the case when running from integrity protected initramfs? > Either embedded into the signed kernel, or verified by the boot loader. > In such case it is possible to assume that all keys which are added by > user space are implicitly trusted. > Later on, before continuing booting normal rootfs, set the key > subsystem state (trust-lock), > so that trusted keyrings accept only explicitly trusted keys... > > Does it make sense? I'm not sure it does. Initramfs is (re-)fabricated on the machine on which it runs any time you update one of a set of rpms (such as the kernel rpm) because it has machine-specific data and drivers in it. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
