[systemd-devel] why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
Lennart Poettering
lennart at poettering.net
Mon Jun 5 08:19:19 UTC 2023
On Mo, 29.05.23 11:42, Felix Rubio (felix at kngnt.org) wrote:
> Hi everybody,
>
> Continuing the work/learning path I started last week, I have had a
> development: Still with shim loading systemd-boot, which can read the kernel
> and initramfs from XBOOTLDR partition, I have introduced LUKS to encrypt the
> root partition (XBOOTLDR is not encrypted).
>
> Originally I was planning to move from this to UKI so that I can make sure
> that both kernel and initramfs are checked before booting, but today I have
> considered a different course of action: Should I use the TPM to store a key
> to decrypt the disk like this:
>
> systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+7+9
>
> Then, by using PCR9 the initrd would be checked before allowing the boot
> sequence to continue. By doing this, then, I do not have to switch to UKI
> until I have learned more about it.
>
> Do you guys think this reasoning is flawed?
So, fixing things to literal PCR values is problematic during updates,
since you need to reseal with expected PCR versions before you allow
the updates to happen.
With UKIs and the signed PCR logic you can instead sign PCR values and
then bind disk encryption to the public key used for that signing, and
include the signature matching a kernel in the UKI. That means
updating becomes trivial, as every UKI comes with all data needed to
unlock the disk safely.
Lennart
--
Lennart Poettering, Berlin
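To make the contrast in the reply concrete, here is an added Python model (not systemd code) of the two bindings: a policy sealed to a literal PCR 9 value, which stops unlocking as soon as the initrd changes, versus a policy bound to a public key, which accepts any PCR value the key holder has signed and shipped alongside the kernel. The PCR extend step follows the TPM definition; the initrd contents and the textbook RSA key are constructed stand-ins for the real TPM signature check.

```python
"""Model of sealing a LUKS key to literal PCR values versus to a signing key
(systemd's signed-PCR policy).  Constructed illustration, not systemd code."""
import hashlib

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(initrd: bytes) -> bytes:
    """PCR 9 after the kernel stub measures the initrd (other events omitted)."""
    return pcr_extend(bytes(32), initrd)

# Toy textbook RSA (Mersenne primes, no padding) standing in for the TPM's real
# signature check (TPM2_PolicyAuthorize with RSA-PSS/ECDSA).  Illustration only.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
PUBLIC_N, PUBLIC_E = _P * _Q, 65537
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))

def sign_pcr(expected_pcr: bytes) -> int:
    """Build side (what `systemd-measure sign` does): sign the expected PCR."""
    return pow(int.from_bytes(expected_pcr, "big"), _PRIVATE_D, PUBLIC_N)

def unlock_literal(sealed_pcr: bytes, current_pcr: bytes) -> bool:
    """--tpm2-pcrs=...: the sealed policy names one exact PCR value."""
    return sealed_pcr == current_pcr

def unlock_signed(current_pcr: bytes, shipped_sig: int) -> bool:
    """--tpm2-public-key: accept any PCR value signed by the enrolled key."""
    return pow(shipped_sig, PUBLIC_E, PUBLIC_N) == int.from_bytes(current_pcr, "big")

def demo() -> dict:
    old_initrd = b"initramfs v1 (constructed sample)"
    new_initrd = b"initramfs v2 (constructed sample)"
    sealed = measure_boot(old_initrd)       # PCR 9 value captured at enrollment
    after_update = measure_boot(new_initrd)  # PCR 9 after a kernel/initrd update
    return {
        "literal_before_update": unlock_literal(sealed, sealed),
        "literal_after_update": unlock_literal(sealed, after_update),
        # Signed policy: the new kernel ships its own signature, no reseal needed.
        "signed_after_update": unlock_signed(after_update, sign_pcr(after_update)),
        # A modified initrd has no signature from the key holder, so it stays locked.
        "signed_modified": unlock_signed(measure_boot(b"modified"), sign_pcr(after_update)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unlocks' if ok else 'locked'}")
```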