On Tue, 2009-06-16 at 13:22 -0500, Victor Lowther wrote:
> > OLPC have a security client that runs pre-root-mount in the initramfs
> > which is quite complex. It is written in Python. As such, we need
> > python in the initramfs.
>
> /me boggles.
>
> Why can't it run after switching to the real root?

heh.. here we go :)

It's part of an antitheft system. The users of the machine have root
access by design, so they could trivially disable any security system
that runs on the root filesystem. Thieves included.

However, our initramfs is secure. It's signed with OLPC's master key.
Our special BIOS will not boot an unsigned initramfs. So effectively, we
can trust that the code we put in the initramfs cannot be
modified/crippled/disabled.

It's certainly a strange requirement and I figure from your responses
there is no obvious "good" answer. I agree. I just thought I'd ask
anyway.

cheers,
Daniel