On Mi, 24.05.23 12:22, Felix Rubio (felix@xxxxxxxxx) wrote:

> I agree that having a measured boot that decrypts the system is a better
> solution... but this is, correct me if wrong, still very green: there are
> some approaches supported, but none of them seems to be structural: they
> rely on the existence of a TPM, introduce additional dependencies on the
> update process (when the kernel/initramfs changes, the previous measurement
> will not be correct anymore and needs to be updated), etc. On the other hand,
> UKI comes with its own challenges, and also forces the admin to rebuild the
> UKI any time there is an update.
>
> I feel there should be some middle point in which we do not have to rely on
> a TPM and a fully measured system, but we can still make sure that the
> initramfs is trusted. The question, then, is: is this something that could
> be supported in systemd-boot, or is this something that is considered to be
> just out of scope?

As in the other mail: Which key do you intend to use for validation?

Note that in systemd git main there's already support for generating UKIs
dynamically when a kernel RPM/DEB is installed (as long as the
"kernel-install" infra is in use). It can be signed with a local key that
can be enrolled with MOK. With that we make it reasonably easy to run a
setup with a locally signed initrd – but it means that you'll get a MOK
prompt during at least one boot.

Lennart

--
Lennart Poettering, Berlin
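The setup Lennart describes (kernel-install building a UKI on each kernel package install and signing it with a local key that is enrolled via MOK), as an added configuration example that is not part of the original thread. It assumes a systemd version whose kernel-install ukify plugin reads /etc/kernel/uki.conf; the key and certificate paths are placeholders.

```ini
# /etc/kernel/install.conf  (added example; paths below are assumptions)
# Make kernel-install emit a unified kernel image instead of a separate
# kernel + initrd pair, and use ukify to build it.
layout=uki
uki_generator=ukify

# /etc/kernel/uki.conf
# Read by kernel-install's ukify plugin. The resulting UKI is signed with a
# locally generated key, so shim can verify it once the matching certificate
# is enrolled in the MOK database.
[UKI]
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
```

Enroll the certificate in DER form with `mokutil --import` (convert with `openssl x509 -in secure-boot.cert.pem -outform DER -out secure-boot.cert.der`); the enrollment is confirmed interactively at the MOK prompt on the next boot, which is the one-time prompt Lennart mentions.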