[systemd-devel] why systemd-boot (seems as everyone else) does not check the signatures of initramfs?

Lennart Poettering lennart at poettering.net
Wed May 24 16:11:29 UTC 2023


On Mi, 24.05.23 16:20, Felix Rubio (felix at kngnt.org) wrote:

> Hi Andrei, Lennart
>
> @Andrei: Do you think, then, that the same private key used for SecureBoot
> could be used for GPG signing the initramfs? That would be cool, as the
> whole boot signing infrastructure would still depend on a single entity.
>
> @Lennart: I was thinking of using a private key for which I'd enroll the
> certificate in MOK (I mean, just following the standard use case for MOK).
>
> Without having much idea about the code base of systemd-boot, I am willing
> to give it a try (to a GPG with private key from SB) provided you think it is
> something the community might benefit from. What are your thoughts?

Sorry, but GPG is a no-go. Not in 2023.

But also I am not sure I understand what you are trying to do?

Note that shim only authenticates PE binaries, hence you'd have to
wrap your initrd in a PE binary anyway to validate an initrd against
MOK.

And we really don't want to add another layer of authentication in
sd-boot, let's leave that in uefi sb firmware + shim. i.e. we
expressly don't want to embed a crypto stack like grub. And even if
we could we don't get access to MOK iirc, shim makes that impossible
for later boot components.

If you wrap your initrd in a PE envelope this is pretty much exactly
what UKIs are. – Also note that there's currently a PR pending that
allows wrapping kernel command lines in separate PE files which can be
read by a UKI, a concept we call "add-on", which we could extend
to initrds too, I guess, see
https://github.com/systemd/systemd/pull/27358

Lennart

--
Lennart Poettering, Berlin
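As an added example (not code from systemd, sd-boot or shim), the following Python inspector makes the point of the reply concrete: once the initrd is a section inside a PE image, it lies in the region covered by the image's Authenticode signature, so the signature check that UEFI Secure Boot and shim already perform on the PE is what authenticates the initrd, with no second GPG layer. It assumes the section names systemd's stub uses (.osrel, .cmdline, .linux, .initrd) and builds a small synthetic PE32+ inline, marked as constructed; `build_synthetic_uki`, `attach_placeholder_signature` and `parse_pe` are names chosen for this example, not systemd APIs, and the digest is a simplified form of the Authenticode rule (sections contiguous, certificate blob at the end of the file). On a real system you would read the bytes of a UKI such as one under /boot/EFI/Linux/ and use sbverify or pesign for actual signature verification.

```python
"""Inspect a Unified Kernel Image (UKI) at the PE level.

Added example, not code from systemd, sd-boot or shim.  It assumes the
section names systemd's stub uses and builds a synthetic PE32+ image so it
runs offline; the image is constructed for this demo and is not bootable.
"""
import hashlib
import struct

PE32PLUS_MAGIC = 0x20B
CERT_TABLE_SLOT = 4                       # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: PKCS#7 SignedData
STUB_SECTIONS = (b".osrel", b".cmdline", b".linux", b".initrd")  # systemd stub names
ALIGN = 0x200


def parse_pe(image: bytes) -> dict:
    """Return section payloads, whether a certificate table is attached, and a
    simplified Authenticode digest (everything except the CheckSum field, the
    Certificate Table directory entry and the certificate blob itself)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled in this example")
    checksum_off = opt + 64                              # CheckSum field
    cert_dir_off = opt + 112 + CERT_TABLE_SLOT * 8       # Certificate Table entry
    # Unlike other directories, this entry holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", image, cert_dir_off)

    sections = {}
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections[name] = image[rawptr:rawptr + min(vsize, rawsize)]

    h = hashlib.sha256()
    h.update(image[:checksum_off])
    h.update(image[checksum_off + 4:cert_dir_off])
    h.update(image[cert_dir_off + 8:cert_off or len(image)])
    cert_type = struct.unpack_from("<H", image, cert_off + 6)[0] if cert_size else None
    return {"sections": sections, "signed": cert_size > 0,
            "cert_type": cert_type, "digest": h.hexdigest()}


def build_synthetic_uki(payloads: dict) -> bytes:
    """Assemble a minimal unsigned PE32+ with one section per payload.
    Constructed for this example only (what objcopy/ukify do for real)."""
    n = len(payloads)
    opt_size = 112 + 16 * 8                # PE32+ optional header, 16 data directories
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * n
    first_raw = -(-headers_len // ALIGN) * ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 60, first_raw)               # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    sec_hdrs, body, rawptr, vaddr = b"", b"", first_raw, 0x1000
    for name, data in payloads.items():
        rawsize = -(-len(data) // ALIGN) * ALIGN
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, rawsize,
                                rawptr, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += rawsize
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(first_raw, b"\0")
    return header + body


def attach_placeholder_signature(image: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE carrying `blob` and point the Certificate Table
    at it.  `blob` stands in for the PKCS#7 SignedData that sbsign/pesign
    would emit; no real signing happens in this example."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    cert_dir_off = e_lfanew + 4 + 20 + 112 + CERT_TABLE_SLOT * 8
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    cert = cert.ljust(-(-len(cert) // 8) * 8, b"\0")        # entries are 8-byte aligned
    out = bytearray(image.ljust(-(-len(image) // 8) * 8, b"\0"))
    struct.pack_into("<II", out, cert_dir_off, len(out), len(cert))
    return bytes(out) + cert


if __name__ == "__main__":
    # Constructed sample payloads; a real UKI carries a kernel and a cpio initrd.
    uki = build_synthetic_uki({b".osrel": b"ID=demo\n", b".cmdline": b"root=/dev/sda2 quiet\0",
                               b".linux": b"\x7fELF-stand-in", b".initrd": b"fake-cpio-archive"})
    for img in (uki, attach_placeholder_signature(uki, b"not-a-real-pkcs7")):
        info = parse_pe(img)
        print(sorted(info["sections"]), "signed:", info["signed"], "digest:", info["digest"][:16])
```

Two things the run shows: attaching the certificate leaves the digest unchanged (the blob and its directory entry are excluded from the hashed region, which is why the signature can be appended afterwards), while flipping a single byte of the .initrd section changes it, so any tampering with the wrapped initrd invalidates the firmware-level signature.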

