[systemd-devel] why systemd-boot (seems as everyone else) does not check the signatures of initramfs?
Lennart Poettering
lennart at poettering.net
Thu May 25 08:26:49 UTC 2023
On Mi, 24.05.23 19:01, Felix Rubio (felix at kngnt.org) wrote:
> Hi Lennart,
>
> "Sorry, but GPG is a no-go. Not in 2023."
>
> Yes, I understand that. What I am trying to get is a simple way to verify
> that the initramfs has not been tampered with. UKI comes with its own
> challenges, using encryption tied to a measured boot looks overkill, and I
> fully agree that adding an authentication layer is not
> desirable.
I am not sure what "challenges" you specifically have in mind, but a
UKI with an initrd in a PE envelope (i.e. the "add-on" concept I
mentioned), then you should be pretty close to current behaviour, no?
> Then... what alternatives are available for just performing verification of
> the initramfs? I was giving a look at IMA now, so this could be sorted with
> a policy... but I think this is not supported in sd-boot.
IMA verifies files after the kernel is up, not before. It's not
suitable for validating initrds.
Anyway, you should really ask yourself what cryptographic key you want
to authenticate against. Local or vendor one, and where shall it be
stored. That dictates your choices more than anything else.
> In the case I wrap the initramfs on a PE envelope, as you suggested, will
> then its signature be validated automatically? When it gets loaded? Because,
> if so... this would work enough for this use case.
In the "add-on" module for UKIs I mentioned the validation of both the
UKI and the add-ons are done via regular UEFI SecureBoot or via
shim. Both UKIs and add-ons are just PE files after all that thus can
be verified that way. Because the files can be authenticated via shim
you get MOK and so on.
Lennart
--
Lennart Poettering, Berlin
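The point of the reply above is that a UKI and its add-ons are ordinary PE files, so the firmware (or shim, with MOK) authenticates them through the PE Authenticode signature rather than through a detached GPG signature. The script below, added here as an illustration and not part of systemd or sd-boot, parses the PE headers of such a file, lists its named sections (`.linux`, `.initrd`, `.cmdline`) and reports whether an Authenticode `WIN_CERTIFICATE` blob is attached at all, which is the structural precondition for Secure Boot to be able to accept it. It does not verify the signature itself; whether the PKCS#7 chains to a key in db or MOK is decided at boot. The function names (`build_pe`, `inspect_pe`, `ready_for_secureboot`) and the fixture images are assumptions of this example; the fixtures are constructed in-line, carry no real kernel or initrd and a placeholder instead of a real PKCS#7 signature, and would not boot.

```python
"""Structural check of a UKI or UKI add-on PE file (added example, not systemd code).

Parses PE32+ headers, lists named sections and reports whether an Authenticode
signature blob (IMAGE_DIRECTORY_ENTRY_SECURITY) is attached. Trust in that
signature is established by firmware/shim against db/MOK at boot, not here.
"""
import struct

SECURITY_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
FILE_ALIGN = 0x200


def build_pe(sections: dict, cert_blob: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image (test fixture only: no code, cannot boot).
    sections maps section name -> raw content; cert_blob, if given, is wrapped
    in a WIN_CERTIFICATE and referenced from the security data directory."""
    nsec = len(sections)
    hdr_size = 0x40 + 4 + 20 + 240 + 40 * nsec            # DOS + "PE\0\0" + COFF + optional + section headers
    hdr_size = (hdr_size + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    body, shdrs, rawptr = bytearray(), bytearray(), hdr_size
    for name, content in sections.items():
        padded = content + b"\0" * (-len(content) % FILE_ALIGN)
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/line ptrs+counts, Characteristics
        shdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(content), rawptr, len(padded), rawptr, 0, 0, 0, 0, 0x40000040)
        body += padded
        rawptr += len(padded)
    cert, sec_off, sec_size = b"", 0, 0
    if cert_blob:
        # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType, bCertificate[]
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert += b"\0" * (-len(cert) % 8)
        sec_off, sec_size = rawptr, len(cert)          # security dir holds a file offset, not an RVA
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR_INDEX] = (sec_off, sec_size)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 0, 0,                      # PE32+ magic, linker versions
                      0, 0, 0, 0, 0,                    # code/data sizes, entry point, base of code
                      0, FILE_ALIGN, FILE_ALIGN,        # image base, section alignment, file alignment
                      0, 0, 0, 0, 0, 0, 0,              # OS/image/subsystem versions, Win32VersionValue
                      rawptr, hdr_size, 0,              # SizeOfImage, SizeOfHeaders, CheckSum
                      10, 0,                            # Subsystem = EFI application, DllCharacteristics
                      0, 0, 0, 0, 0, 16)                # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    for va, sz in dirs:
        opt += struct.pack("<II", va, sz)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, len(opt), 0x0002 | 0x0020)
    headers = dos + b"PE\0\0" + coff + opt + shdrs
    headers += b"\0" * (hdr_size - len(headers))
    return bytes(headers + body + cert)


def inspect_pe(data: bytes) -> dict:
    """Return machine type, section table and security-directory summary of a PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ images are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    shdr = opt + opt_size
    sections = []
    for i in range(nsections):
        name, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", data, shdr + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), rawptr, rawsize))
    sig = {"present": False, "type": None, "length": 0}
    if ndirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, opt + 112 + 8 * SECURITY_DIR_INDEX)
        if sec_off and sec_size:
            # a truncated or tampered file may still advertise a signature: bounds-check before trusting it
            if sec_size < 8 or sec_off + sec_size > len(data):
                raise ValueError("security directory points past end of file")
            length, _, ctype = struct.unpack_from("<IHH", data, sec_off)
            sig = {"present": True, "type": ctype, "length": length}
    return {"machine": machine, "sections": sections, "signature": sig}


def ready_for_secureboot(data: bytes) -> bool:
    """True if the image carries an Authenticode PKCS#7 blob at all (and is well formed).
    Minimum structural precondition only; trust is decided at boot against db/MOK."""
    try:
        sig = inspect_pe(data)["signature"]
    except ValueError:
        return False
    return sig["present"] and sig["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA


# Constructed fixtures: a UKI-style image, and an initrd add-on once unsigned and once
# with a placeholder blob. "\x30\x82..." is NOT a real PKCS#7 structure.
FAKE_INITRD = b"\x1f\x8b" + b"initrd-cpio-placeholder"
UKI_IMAGE = build_pe({".linux": b"kernel-placeholder", ".initrd": FAKE_INITRD, ".cmdline": b"quiet\0"})
ADDON_UNSIGNED = build_pe({".initrd": FAKE_INITRD})
ADDON_SIGNED = build_pe({".initrd": FAKE_INITRD}, cert_blob=b"\x30\x82" + b"fake-pkcs7")

if __name__ == "__main__":
    for label, img in [("uki", UKI_IMAGE), ("addon-unsigned", ADDON_UNSIGNED), ("addon-signed", ADDON_SIGNED)]:
        info = inspect_pe(img)
        print(label, [s[0] for s in info["sections"]], info["signature"])
```

On a real system one would run `inspect_pe` over the `.efi` files in the ESP (the UKI and its `.addon.efi` companions) as a pre-deployment sanity check: an add-on that lists a `.initrd` section but reports `present: False` will simply be refused by Secure Boot, and one whose security directory runs past the end of the file has been truncated or tampered with in transit.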