[meta-intel] [PATCH RFC 0/4] Super simple secure boot implementation not requiring combo app
Cal Sullivan
california.l.sullivan at intel.com
Tue Jul 18 13:32:38 PDT 2017
On 07/16/2017 11:26 PM, Patrick Ohly wrote:
> On Fri, 2017-07-14 at 19:11 -0700, California Sullivan wrote:
>> I'm not sure why I never tried just signing the kernel and systemd-boot,
>> but it works. If either one is not signed, it gives a security
>> violation error.
>>
>> A con of this implementation is that unlike the combo app, we don't
>> inherently validate the initrd. In the future we could require that
>> an initrd is not used with secure boot unless the combo app is chosen.
> A lot of functionality in refkit (and elsewhere) depends on an
> initramfs, like setting up dm-verity, dm-crypt/LUKS and OSTree. I
> consider not supporting an initramfs a deal breaker. It might be good
> enough for some systems, but I'm not sure about that.
>
I misspoke a bit in my message here. The combo app essentially uses an
initramfs built into the kernel rather than an initrd, and such a thing
should still work with this method (via INITRAMFS_IMAGE_BUNDLE and
INITRAMFS_IMAGE variables). A separate initrd (like what you see when
using an hddimg with a normal bootloader) would not be secure, and might
be something to not allow when secure boot is enabled.
---
Cal
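
As an added illustration (not part of the message above or of the patch series), this shell check flags systemd-boot loader entries that load a separate initrd, the case the message describes as not secure when only the kernel and systemd-boot are signed. It assumes entries use the Boot Loader Specification `key value` layout; the sample entries, file names and paths are constructed.

```shell
#!/bin/sh
# Added example: flag systemd-boot loader entries that load a separate initrd.
# With only the kernel and systemd-boot signed, an `initrd` line names a file
# that is not validated; an initramfs bundled into the signed kernel needs none.

# Print each initrd path named in a loader entry ("key value" lines;
# a line starting with '#' is a comment and is ignored).
entry_initrds() {
    awk '$1 == "initrd" && NF >= 2 { print $2 }' "$1"
}

# Return 0 if the entry boots without a separate initrd, 1 otherwise.
check_entry() {
    found=$(entry_initrds "$1")
    if [ -n "$found" ]; then
        printf '%s: separate initrd outside the signed kernel: %s\n' \
            "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample entries (hypothetical file names and paths).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/bundled.conf" <<'EOF'
title   boot (initramfs bundled into the kernel image)
linux   /vmlinuz
# initrd /initrd
options root=/dev/sda2 rootwait
EOF
cat > "$SAMPLES/separate.conf" <<'EOF'
title   boot (separate initrd)
linux   /vmlinuz
initrd  /initrd
options root=/dev/sda2 rootwait
EOF

for f in "$SAMPLES"/*.conf; do
    if check_entry "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```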