On Mi, 24.05.23 19:01, Felix Rubio (felix@xxxxxxxxx) wrote: > Hi Lennart, > > "Sorry, but GPG is a no-go. Not in 2023." > > Yes, I understand that. What I am trying to get is a simple way to verify > that the initramfs has not been tampered with. UKI comes with its own > challenges, using encryption tied to a measured boot looks overkill, and I > fully agree in which adding an authentication layer is not > desirable. I am not sure what "challenges" you specifically have in mind, but a UKI with an initrd in a PE envelope (i.e. the "add-on" concept I mentioned), then you should be pretty close to current behaviour, no? > Then... what alternatives are available for just performing verification of > the initramfs? I was giving a look at IMA now, so this could be sorted with > a policy... but I think this is not supported in sd-boot. IMA verifies files after the kernel is up, not before. It's not suitable for validating initrds. Anway, you should really ask yourself what cryptographic key you want to authenticate against. Local or vendor one, and where shall it be stored. That dictates your choices more than anything else. > In the case I wrap the initramfs on a PE envelope, as you suggested, when > then its signature be validated automatically? when it gets loaded? Because, > if so... this would work enough for this use case. In the "add-on" module for UKIs I mentioned the validation of both the UKI and the add-ons are done via regular UEFI SecureBoot or via shim. Both UKIs and add-ons are just PE files after all that thus can be verified that way. Because the files can be authenticated via shim you get MOK and so on. Lennart -- Lennart Poettering, Berlin
Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Thu, 25 May 2023 10:26:49 +0200
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <cefcf40c5edf497c08146857135d4356@kngnt.org>
- References: <f7ae22d92170ecbec85fad95453e3e74@kngnt.org> <5cd240d7-d843-abed-f175-729d765efadb@gmail.com> <5628da3bebb61926448c4cae80c7b693@kngnt.org> <ZG4Eedbmya2AlFnw@gardel-login> <7feef1e1d6ed0d8699e158d047cf5ac3@kngnt.org> <ZG43MTxLHP2hLsaI@gardel-login> <cefcf40c5edf497c08146857135d4356@kngnt.org>
- Follow-Ups:
- References:
- why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Andrei Borzenkov
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Lennart Poettering
- Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- From: Felix Rubio
- why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Prev by Date: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Next by Date: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Previous by thread: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Next by thread: Re: why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
- Index(es):
 |