On Wed, 24.05.23 16:20, Felix Rubio (felix@xxxxxxxxx) wrote:

> Hi Andrei, Lennart
>
> @Andrei: Do you think, then, that the same private key used for SecureBoot
> could be used for GPG signing the initramfs? That would be cool, as the
> whole boot signing infrastructure would still depend on a single entity.
>
> @Lennart: I was thinking of using a private key for which I'd enroll the
> certificate in MOK (I mean, just following the standard use case for MOK).
>
> Without having much idea about the code base of systemd-boot, I am willing
> to give it a try (to a GPG with private key from SB) provided you think it
> is something the community might benefit from. What are your thoughts?

Sorry, but GPG is a no-go. Not in 2023.

But also I am not sure I understand what you are trying to do? Note that
shim only authenticates PE binaries, hence you'd have to wrap your initrd
in a PE binary anyway to validate an initrd against MOK. And we really
don't want to add another layer of authentication in sd-boot, let's leave
that in UEFI SB firmware + shim. i.e. we expressly don't want to embed a
crypto stack like grub. And even if we could we don't get access to MOK
iirc, shim makes that impossible for later boot components.

If you wrap your initrd in a PE envelope this is pretty much exactly what
UKIs are. – Also note that there's currently a PR pending that allows
wrapping kernel command lines in separate PE files which can be read by a
UKI, a concept we call "add-on", which we could extend to initrds too I
guess, see https://github.com/systemd/systemd/pull/27358

Lennart

--
Lennart Poettering, Berlin