[systemd-devel] why systemd-boot (seems as everyone else) does not check the signatures of initramfs?

Felix Rubio felix at kngnt.org
Tue May 23 18:54:15 UTC 2023


Hi everybody,

I am trying to understand something, and after looking around I have not 
found any explicit answer. Maybe somebody on this list can shed some 
light on the matter? I have a laptop on which I am setting up the boot 
process through systemd-boot, and this works. Now, I'd like to try 
enabling Secure Boot so that the whole boot sequence is protected 
against tampering. As I am still learning about the technology, I prefer 
to land on the use of shim/MOK. From what I have read, the sequence 
should be:

1. Install a version of shim signed with MS keys.
2. On that same folder copy systemd-bootx64.efi, renamed to grubx64.efi 
(as shim seems to work only with Grub as 2nd stage loader).
3. Sign the kernel with the key for which the certificate has been 
enrolled in MOK.
4. Reboot, enroll the keys and... voila.

So far, so good... until we hit the initramfs wall: the EFI binaries' and 
kernel's signatures are verified, but not that of the initramfs. I have seen 
that grub2 does not do it (it relies on GPG signatures, which seems to be 
a workaround), and I have not found any place stating that systemd-boot 
does it. I have seen, however, some steering towards the use of UKI... 
but this comes with its own problems about out-of-tree kernel modules 
and so on.

So, the question is: why does the kernel image get verified but not the 
initramfs? Is this mandated by some standard, or is it an engineering 
decision?

Thank you very much!

-- 
Felix Rubio
"Don't believe what you're told. Double check."
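Added example, not part of the post above and not systemd or shim code: it shows where a signature can physically live in the artifacts the mail lists. A PE/COFF image (the kernel's EFI stub, shim, systemd-boot) carries an Authenticode certificate table referenced from data directory 4, which shim/MOK or the firmware can check before executing it; a newc cpio initramfs has no such field at all, so a loader that is handed a separate initramfs has nothing in the file format to verify. The PE and cpio inputs are constructed in memory, the "signature" is a placeholder blob, and nothing here verifies PKCS#7; the script only locates and classifies.

```python
"""Locate the Authenticode certificate table in a PE image and contrast it with
a cpio initramfs. Constructed example; inputs are built in memory, the signature
blob is a placeholder and no cryptographic verification is performed."""
import gzip
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # data directory that holds the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def pe_security_directory(data):
    """Return (file_offset, size) of the PE certificate table, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    coff = pe_off + 4
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # NumberOfRvaAndSizes / first data directory sit at different offsets in PE32 and PE32+
    nrva_off, dirs_off = {0x20B: (108, 112), 0x10B: (92, 96)}.get(magic, (None, None))
    if nrva_off is None or size_opt < dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        return None
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None
    if off + size > len(data):          # a truncated or forged table must not be trusted
        raise ValueError("certificate table points outside the file")
    return off, size


def pe_win_certificates(data):
    """Return [(revision, type, blob)] for each WIN_CERTIFICATE entry (8-byte aligned)."""
    loc = pe_security_directory(data)
    if loc is None:
        return []
    off, end = loc[0], loc[0] + loc[1]
    certs = []
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE")
        certs.append((rev, ctype, data[off + 8:off + length]))
        off += (length + 7) & ~7
    return certs


def cpio_newc_entries(data):
    """List member names of a newc cpio archive; the format has no signature field."""
    names, off = [], 0
    while off + 110 <= len(data) and data[off:off + 6] == b"070701":
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = data[off + 110:off + 110 + namesize - 1].decode()
        off = (off + 110 + namesize + 3) & ~3
        if name == "TRAILER!!!":
            break
        names.append(name)
        off = (off + filesize + 3) & ~3
    return names


def classify_boot_artifact(data):
    """Say what kind of boot file this is and whether it can carry a checkable signature."""
    if data[:2] == b"\x1f\x8b":          # gzip-compressed initramfs; zstd/xz not handled here
        data = gzip.decompress(data)
    if data[:2] == b"MZ":
        if any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in pe_win_certificates(data)):
            return "pe: Authenticode signature present"
        return "pe: no Authenticode signature"
    if data[:6] == b"070701":
        return "cpio newc initramfs, %d entries, no signature field" % len(cpio_newc_entries(data))
    return "unknown"


def build_pe(signature_blob=None):
    """Constructed minimal PE32+ (no sections) with an optional certificate table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    hdr_len = 0x40 + 4 + 20 + 240            # 240 = PE32+ optional header with 16 directories
    table, sec = b"", (0, 0)
    if signature_blob is not None:
        table = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        table += b"\0" * (-len(table) % 8)
        sec = (hdr_len, len(table))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    dirs = b"".join(struct.pack("<II", *(sec if i == IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0))) for i in range(16))
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + dirs
    return dos + b"PE\0\0" + coff + opt + table


def build_cpio_newc(files):
    """Constructed newc cpio archive ({name: bytes}), the format an initramfs is built from."""
    def entry(name, body, mode):
        fields = [0, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(name) + 1, 0]
        hdr = b"070701" + b"".join(b"%08x" % v for v in fields) + name.encode() + b"\0"
        return hdr + b"\0" * (-len(hdr) % 4) + body + b"\0" * (-len(body) % 4)
    return b"".join(entry(n, b, 0o100755) for n, b in files.items()) + entry("TRAILER!!!", b"", 0)
```

Running `classify_boot_artifact` over `build_pe(b"constructed-PKCS7-placeholder")`, `build_pe()` and `gzip.compress(build_cpio_newc({"init": b"#!/bin/sh\n"}))` reports a signed PE, an unsigned PE and a cpio archive with no signature field respectively; pointed at a real `/boot/efi/EFI/.../grubx64.efi` or `vmlinuz` it reports whether a certificate table is present, which is exactly the thing shim can check and the thing a bare initramfs cannot offer.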

