On Sun, May 12, 2019 at 05:05:48PM +0000, Rob Landley wrote: > On 5/12/19 7:52 AM, Mimi Zohar wrote: > > On Sun, 2019-05-12 at 11:17 +0200, Dominik Brodowski wrote: > >> On Thu, May 09, 2019 at 01:24:17PM +0200, Roberto Sassu wrote: > >>> This proposal consists in marshaling pathnames and xattrs in a file called > >>> .xattr-list. They are unmarshaled by the CPIO parser after all files have > >>> been extracted. > >> > >> Couldn't this parsing of the .xattr-list file and the setting of the xattrs > >> be done equivalently by the initramfs' /init? Why is kernel involvement > >> actually required here? > > > > It's too late. The /init itself should be signed and verified. > > If the initramfs cpio.gz image was signed and verified by the extractor, how is > the init in it _not_ verified? > > Ro Wouldn't the below work even before enforcing signatures on external initramfs: 1. Create an embedded initramfs with an /init that does the xattr parsing/setting. This will be verified as part of the kernel image signature, so no new code required. 2. Add a config option/boot parameter to panic the kernel if an external initramfs attempts to overwrite anything in the embedded initramfs. This prevents overwriting the embedded /init even if the external initramfs is unverified.
