Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?

Hi Andrei, Lennart

@Andrei: Do you think, then, that the same private key used for SecureBoot could be used for GPG signing the initramfs? That would be cool, as the whole boot signing infrastructure would still depend on a single entity.

@Lennart: I was thinking of using a private key for which I'd enroll the certificate in MOK (I mean, just following the standard use case for MOK).

Without having much idea about the code base of systemd-boot, I am willing to give it a try (to a GPG with private key from SB) provided you think it is something the community might benefit from. What are your thoughts?

Regards,

--
Felix Rubio
"Don't believe what you're told. Double check."

On 2023-05-24 14:35, Lennart Poettering wrote:
On Mi, 24.05.23 12:22, Felix Rubio (felix@xxxxxxxxx) wrote:

I agree that having a measured boot that decrypts the system is a better solution... but this is, correct me if wrong, still very green: There are some approaches supported, but none of them seems to be structural: they rely on the existence of a TPM, introduce additional dependencies on the update process (when the kernel/initramfs changes the previous measurement will not be correct anymore and needs to be updated), etc. On the other hand UKI comes with its own challenges, and also forces the admin to rebuild the UKI any time there is an update.

I feel there should be some middle point in which we do not have to rely on a TPM and a fully measured system, but we can still make sure that the initramfs is trusted. The question, then, is: Is this something that could be supported in systemd-boot, or is this something that is considered to be just out of scope?

As in the other mail: Which key do you intend to use for validation?

Note that in systemd git main there's already support for generating
UKIs dynamically when a kernel RPM/DEB is installed (as long as the
"kernel-install" infra is in use). It can be signed with a local key,
that can be enrolled with MOK.

With that we make it reasonably easy to run a setup with a locally
signed initrd – but it means that you'll get a MOK prompt during at
least one boot.

Lennart

--
Lennart Poettering, Berlin
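The setup Lennart describes above (a UKI built from the installed kernel and initrd, signed with a local key whose certificate is enrolled in MOK) as an added shell example; this is not code from the thread or from systemd itself. It assumes the current `ukify build` syntax, the `sbverify` and `mokutil` tools, and placeholder paths and key subject; everything except the key generation needs a real kernel and initrd to run.

```shell
#!/bin/sh
# Added example (not from the thread): build a locally signed UKI and enrol
# the signing certificate in MOK. Kernel, initrd and cmdline become PE
# sections of one file, so the Authenticode signature the firmware (via
# shim) checks covers the initrd as well, which is the point of a UKI.
# Paths, the key subject and the kernel cmdline are assumptions.
set -eu

# 1. One local Secure Boot signing key. The DER certificate is what mokutil
#    enrols; the private key stays on the admin machine, mode 0600.
make_local_sb_key() {            # usage: make_local_sb_key DIR
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Local UKI signing key/" \
        -keyout "$dir/uki-key.pem" -out "$dir/uki-cert.pem" 2>/dev/null
    openssl x509 -in "$dir/uki-cert.pem" -outform DER -out "$dir/uki-cert.der"
    chmod 600 "$dir/uki-key.pem"
}

# 2. Build the UKI with ukify and sign it with that key in one step
#    (ukify signs the output when a Secure Boot key/cert pair is given).
build_signed_uki() {             # usage: build_signed_uki KEYDIR KERNEL INITRD OUTPUT
    ukify build \
        --linux="$2" --initrd="$3" \
        --cmdline="root=LABEL=root ro" \
        --secureboot-private-key="$1/uki-key.pem" \
        --secureboot-certificate="$1/uki-cert.pem" \
        --output="$4"
}

# 3. Check the signature against our certificate before installing the UKI
#    into the ESP; this is the same check shim performs at boot.
verify_uki() {                   # usage: verify_uki CERT_PEM UKI
    sbverify --cert "$1" "$2"
}

# 4. Enrol the certificate; shim prompts for the chosen password once, at
#    the next boot (the MOK prompt Lennart mentions).
enroll_mok() {                   # usage: enroll_mok KEYDIR
    mokutil --import "$1/uki-cert.der"
}

# Small inspection helpers (only need openssl):
cert_subject() { openssl x509 -in "$1" -noout -subject; }
cert_der_ok()  { openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; }

# Typical run (uncomment on a real system):
# make_local_sb_key /etc/uki-signing
# build_signed_uki /etc/uki-signing /boot/vmlinuz /boot/initrd.img /tmp/uki.efi
# verify_uki /etc/uki-signing/uki-cert.pem /tmp/uki.efi
# enroll_mok /etc/uki-signing
```

Because the initrd is inside the signed image, an update that regenerates the initrd must re-run the build step; with the `kernel-install` integration Lennart mentions that happens automatically when a kernel package is installed, and the verify step is a cheap sanity check to run before copying the result into the ESP.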


