Matthew Garrett: > [...] > > The second is a different problem, but still seems achievable. Each > package that potentially adds content to the initramfs could provide a > pre-build CPIO containing its code, and based on local configuration > we can ask grub to load those as well. > > This would result in something that's roughly equivalent to our > current situation, but would allow us to verify that the initramfs > images containing code hadn't been tampered with. [...] > > A minimal proof of concept here would presumably be a patch to the > kernel package to build an initramfs binary package, and then some > additional tooling to copy appropriate config to the boot partition > and have grub pick that up. Does anybody have any strong feelings on > the topic? If not, I'll try to mock this up. > Hi Matthew, Thanks for working on making initramfs verifiable. :) Let me know if/when there are any changes need to dh_installinitramfs and I will happy to review them. At the moment, it is just an easy way to inject "update-initramfs -u" in the relevant maintscripts if the package has a /usr/share/initramfs-tools/hooks. If we can solve this without using maintscripts, I would be even happier and am ready to do my part in that if you need any help there! I know it is not the main goal of what you are trying to here and nor should it be a blocker for it - this is just me hoping for the best! :) ~Niels
