[systemd-devel] How to factory reset?
David Herrmann
dh.herrmann at gmail.com
Thu Mar 12 03:30:43 PDT 2015
Hi
On Thu, Mar 12, 2015 at 4:57 AM, Andrei Borzenkov <arvidjaar at gmail.com> wrote:
> В Wed, 11 Mar 2015 18:50:23 +0100
> Kay Sievers <kay at vrfy.org> пишет:
>
>> On Wed, Mar 11, 2015 at 6:32 PM, Chris Murphy <lists at colorremedies.com> wrote:
>> > On Wed, Mar 11, 2015 at 2:22 AM, Tobias Hunger <tobias.hunger at gmail.com> wrote:
>> >>> If you're concerned about bootloader configuration modification as a
>> >>> threat vector, then it needs to go on an encrypted volume. This
>> >>> suggests an initial bootloader configuration that only enables the
>> >>> user to supply a passphrase/key file to unlock that volume, and then
>> >>> load a new bootloader configuration file.
>> >>
>> >> I am still hoping secure boot and sd-boot will solve this issue
>> >> mid-term by making sure all the early boot components are signed
>> >> properly.
>> >
>> > The bootloader configuration files aren't signed. Maybe the should be.
>>
>> With systemd-boot, there will be no config to sign:
>> https://harald.hoyer.xyz/2015/02/25/single-uefi-executable-for-kernelinitrdcmdline/
>>
>
> How exactly putting files in a container solves the problem that they
> are not signed? This is not quite obvious from blog post.
The config/etc. snippets are now part of the _signed_ EFI binary,
which is always verified by the firmware. Therefore, we don't need to
verify the other snippets separately.
Thanks
David
More information about the systemd-devel
mailing list