[systemd-devel] why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
Lennart Poettering
lennart at poettering.net
Wed May 24 12:30:10 UTC 2023
On Tue, 23.05.23 20:54, Felix Rubio (felix at kngnt.org) wrote:
> Hi everybody,
>
> I am trying to understand something, and after looking around I have not
> found any explicit answer. Maybe somebody in this list can shed some light
> on the matter? I have a laptop in which I am setting up the boot process
> through systemd-boot, and this works. Now, I'd like to give a try to enable
> Secure Boot so that the whole boot sequence is protected against tampering.
> As I am still learning about the technology, I prefer to land on the use of
> shim/MOK. From what I have read, the sequence should be:
>
> 1. Install a version of shim signed with MS keys.
> 2. In that same folder copy systemd-bootx64.efi, renamed to grubx64.efi (as
> shim seems to work only with Grub as 2nd stage loader).
> 3. Sign the kernel with the key for which the certificate has been enrolled
> in MOK.
> 4. Reboot, enroll the keys and... voila.
>
> So far, so good... until we hit the initramfs wall: the EFI binaries' and
> kernel's signatures are verified, but not that of the initramfs. I have seen that
> grub2 does not do it (it relies on GPG signatures, which seems to be a
> workaround), and I have not found any place stating that systemd-boot does
> it. I have seen, however, some steering towards the use of UKI... but this
> comes with its own problems about out-of-tree kernel modules and so on.
>
> So, the question is: why does the kernel image get verified but not the
> initramfs? Is this mandated by some standard, or is it an engineering decision?
What key do you want to verify it with?
The OS vendor key? This is what we are building with UKI. But this
means no locally built initrds, which is what distros so far were all
doing.
A local key? Where is that stored? In the ESP? That would be
pointless, as you could swap it out. You could use a MOK key, but that
means interaction at at least one boot, which generic distros don't like.
Lennart
--
Lennart Poettering, Berlin
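The UKI answer above works because the initrd becomes one section of a single PE image, so the Authenticode signature the firmware checks on that image covers the initrd too. As an added example (not systemd's or the list's code), this script parses a PE image's section table and its Certificate Table data-directory entry to report whether an `.initrd` section sits inside an image that carries a signature; it builds a minimal constructed PE32+ blob inline instead of reading a real UKI, and it checks signature presence only, not validity (that remains the firmware's or sbverify's job).

```python
"""Inspect a UEFI PE binary such as a UKI: its sections and whether an
Authenticode signature is embedded.  Added example, not systemd's code; the
PE32+ image is constructed inline as test data; presence only, not validity."""
import struct


def inspect_image(data: bytes) -> dict:
    """Parse the COFF/optional headers and section table of a PE image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = 112 if magic == 0x20B else 96                   # DataDirectory: PE32+ / PE32
    # Data directory index 4 is the Certificate Table (the Authenticode blob).
    cert_addr, cert_size = struct.unpack_from("<II", data, opt_off + dir_off + 4 * 8)
    sections = {}
    for i in range(nsec):
        ent = opt_off + opt_size + i * 40
        name, _vsize, _vaddr, raw_size = struct.unpack_from("<8sIII", data, ent)
        sections[name.rstrip(b"\0").decode()] = raw_size
    signed = cert_addr != 0 and cert_size != 0
    return {
        "sections": sections,
        "has_authenticode_sig": signed,
        # Authenticode hashes every section, so a .initrd section is covered
        # by the same signature the firmware checks on the whole image.
        "initrd_in_signed_image": signed and ".initrd" in sections,
    }


def build_pe(sections, signed: bool) -> bytes:
    """Constructed minimal PE32+ image (test data only) with given section names/sizes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (0x1000, 0x200)                             # fake cert table offset/size
    opt = struct.pack("<H", 0x20B) + b"\0" * 110              # magic + fields up to DataDirectory
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIII", n.encode(), sz, 0, sz, 0) + b"\0" * 16
                     for n, sz in sections)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    uki = build_pe([(".linux", 0x40), (".initrd", 0x80), (".cmdline", 0x10)], True)
    print(inspect_image(uki))
```

On a real ESP you would pass the bytes of the UKI file to `inspect_image`; a separate kernel plus loose initrd file shows no `.initrd` section at all, which is exactly the gap the question describes.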